Tenable Identity Exposure 2023 Release Notes

Tenable Identity Exposure 3.55 (2023-09-20)

Tenable Identity Exposure version 3.55 contains the following bug fixes:

Bug Fix Defect ID
Indicators of Exposure (IoE) no longer contain references to deleted objects. N/A
The Indicator of Attack engine now has support for IPv4-mapped IPv6 addresses. N/A
The IoE Unlinked, Disabled, or Orphan Group Policy Object (GPO) is now more effective in managing scenarios with removed GPOs. N/A
The relay now shuts down when it receives an order from the SaaS platform, even if it cannot connect to an alerts server. When it restarts, the relay processes any unsent alerts. N/A

Tenable Identity Exposure Tenable One Platform Updates (2023-9-20)

The Workspace page appears when you log in to Tenable. In addition, administrators can change which custom roles can access which Tenable One apps.

  • To set a default app on the Workspace page, click on the app tile and select Make Default Login. This app now appears when you log in.

  • To remove a default app on the Workspace page, click on the app tile and select Remove Default Login Page. The Workspace page now appears when you log in.

  • (Tenable One-only) To control which custom roles can access which Tenable One apps, use new role settings. For more information, see Create a Custom Role.

Tenable Identity Exposure 3.54 (2023-09-11)

Tenable Identity Exposure version 3.54 contains the following bug fixes:

Bug Fix Defect ID
Tenable Identity Exposure successfully addressed and resolved issues related to the Secure Relay installation. N/A
The Trail Flow can now effectively manage customers with extensive event histories. N/A
The Entra ID (previously known as Azure AD) findings date column now clearly indicates the date/time format. N/A
Tenable Identity Exposure resolved several memory leaks in the collector service. N/A
The Indicator of Attack (IoA) computer mapping now shows the latest DNS entry rather than displaying all of them. N/A
Tenable Identity Exposure now removes DNS entries used in IoAs when they are deleted from the Active Directory. N/A

Tenable Identity Exposure 3.53 (2023-08-23)

  • Detection of Password Weaknesses — A new Tenable Identity Exposure Indicator of Attack checks for robust passwords to ensure the security of Active Directory authentication. Weak passwords arise from factors such as insufficient complexity, outdated hashing algorithms, shared passwords, and exposure in leaked databases. Attackers exploit these weaknesses to mimic accounts, particularly concerning privileged ones, enabling unauthorized access within the Active Directory.

Tenable Identity Exposure version 3.53 contains the following bug fixes:

Bug Fix Defect ID
The health check status no longer switches to "Unknown" after the product runs for 30 minutes. N/A
Tenable Identity Exposure corrected another correlation logic that had an impact on the following IoAs: NTDS Extraction and DC Password Change. N/A
Tenable Identity Exposure now removes any permission for "NT AUTHORITY\Authenticated Users" on the installation folder when installing the Secure Relay. N/A

Tenable Identity Exposure 3.52 (2023-08-09)

  • Updated legal terms in Tenable Identity Exposure to reflect the Tenable Legal Policy for 2023.

Tenable Identity Exposure version 3.52 contains the following bug fixes:

Bug Fix Defect ID
Tenable Identity Exposure fixed a correlation logic that had an impact on the following Indicators of Attack (IoA): DCSync, DCShadow, DPAPI Domain Extraction, DC Suspicious Password Change, DNSAdmins Exploitation, Massive Computers Reconnaissance, NTDS Extraction, OS Credential Dumping: LSASS Memory, SAMaccountName Impersonation, and Zerologon Exploitation. N/A
Privileged Analysis now supports Active Directory with an SID history containing the domain administrator (not recommended). N/A
The IoA engine has improved to support PTR and CNAME DNS records when performing event logs correlation. N/A
When filtering a specific domain and showing all Indicators of Exposure (IoEs), the IoE page no longer shows all IoEs. N/A
The migration from the SaaS-VPN platform to SaaS Secure Relay now removes previous unused resources reported in health checks. N/A

Tenable Identity Exposure 3.51 (2023-07-31)

  • DFS Misconfiguration — A new Indicator of Exposure checks that SYSVOL uses Distributed File System Replication (DFSR), a mechanism that replaced the File Replication Service (FRS) for better robustness, scalability, and replication performance.

Tenable Identity Exposure version 3.51 contains the following bug fixes:

Bug Fix Defect ID
Tenable Identity Exposure provides localized resources in regional languages when users request Microsoft Entra ID-related tabs, such as IoEs, deviances, and more. N/A
Tenable Identity Exposure now excludes the files that the Indicator of Attack uses from regular SYSVOL crawling. N/A
Tenable Identity Exposure improved the stability of the Secure Relay lifecycle. N/A
The Secure Relay health check now provides information even if the corresponding relay is not started and/or reachable. N/A
Tenable Identity Exposure enhanced the scheduling process for scans for Microsoft Entra ID tenants to ensure fairness. N/A
Tenable Identity Exposure performs Secure Relay health checks even when these relays are not linked to an Active Directory domain. N/A
When rolling back an upgrade, the Secure Relay feature now also restores the auto-upgrade scheduled task. N/A
Tenable Identity Exposure renewed the code signing certificate for the Secure Relay. N/A
Migration from the cloud VPN infrastructure to cloud Secure Relay now removes previous resources that are now unused from the health check reports. N/A
Tenable Identity Exposure updated the Attack Path module to filter out new entities associated with passwordHash to resolve Attack Path issues. N/A
Tenable Identity Exposure restored the ability to send unencrypted emails over SMTP. N/A
Tenable Identity Exposure can retrieve sensitive data even with renamed Active Directory Domains.  

Dangerous Sensitive Privileges Indicator of Exposure:

  • Now recognizes sAMAccountNames and UPNs before raising deviances.

  • No longer tries to resolve sAMAccountNames and UPNs as SIDs.

 N/A

Tenable Identity Exposure 3.50 (2023-07-12)

  • Trail FlowTenable Identity Exposure now allows you to filter trail flow events by both date and time.

Tenable Identity Exposure version 3.50 contains the following bug fixes:

Bug Fix Defect ID
The Indicator of Attack security analysis can once again correlate incoming Windows event logs with stored security events. N/A
Tenable Identity Exposure regained the ability to retrieve information from a SYSVOL source using the FRS protocol. N/A
Tenable Identity Exposure improved the resiliency of the LDAP connection to the domain controller. N/A

Tenable Identity Exposure 3.49 (2023-06-28)

  • Platform health check capabilitiesTenable Identity Exposure lists the platform health checks it performed in a consolidated view to enable you to investigate and resolve configuration anomalies promptly. For more information, see Health Checks in the Tenable Identity Exposure Administrator Guide.

  • Reporting Center — This feature offers a way to export important data as reports to key stakeholders in an organization using a streamlined report creation process. For more information, see the Reporting Center in the Tenable Identity Exposure Administrator Guide.

  • Indicators of Exposure (IoE) — Exclusion allowed for deviant objects in selected IoEs, including:

    • Group: Logon Restrictions for Privileged Users

    • Operating System: Computers Running an Obsolete OS

    • Organizational Unit: Logon Restrictions for Privileged Users, Computers Running an Obsolete OS, Application of Weak Password Policies on Users, Dormant Accounts, User Account Using Old Password

  • Dashboard templates — Ready-to-use templates help you focus on the priority issues that concern your organization such as compliance, risk, password management, and user/admin monitoring. For more information, see Dashboards in the Tenable Identity Exposure User Guide.

  • Workspace — The Workspace feature allows you to see and access all of your Tenable products in one location. For more information, see Workspace in the Tenable Identity Exposure User Guide.

Tenable Identity Exposure version 3.49 contains the following bug fixes:

Bug Fix Defect ID
Customers using Tenable Identity Exposure with an IPSEC VPN infrastructure can now see health checks. N/A
When users change their password, Tenable Identity Exposure invalidates all of their sessions. N/A
For the ADCS Dangerous Misconfigurations IoE, it is now possible to exclude the trustees from other AD domains using their samAccountName or userPrincipalName from the certificates templates analysis. N/A

Tenable Identity Exposure 3.48 (2023-06-14)

  • Built-in health check capabilities — Health checks provide you with real-time visibility into the configuration of your domains and service accounts in one consolidated view, from which you can drill down to investigate and remedy any configuration anomalies leading to connectivity or other issues in your infrastructure. For more information, see Health Checks in the Tenable Identity Exposure Administrator Guide.

  • Search — The search function is now available for Relay Management and Roles Management.

Tenable Identity Exposure version 3.48 contains the following bug fixes:

Bug Fix Defect ID
Tenable Identity Exposure now reads event log files in gz format with fewer retry attempts to address potential issues caused by open file handles on these files. N/A
Enhanced security analysis for Indicators of Attack (IoAs) can better handle RabbitMQ failures to ensure greater resilience. N/A
When on the dashboard page and using the browser's previous page button, the dashboard now correctly populates with the relevant data. N/A
The last digit on the widget abscissa is now fully visible. N/A
The application switcher now uses an appropriate token to retrieve the list of available Tenable applications. N/A
Tenable Identity Exposure now compresses and rotates Secure Relay logs for optimal storage and easier management. N/A
When there is no IoA module installed, Tenable Identity Exposure does not report an error. N/A

Indicators of Exposure (IoE)

  • Application of Weak Password Policies on Users shows improved performance when carrying out the initial security check.

  • Insufficient Hardening Against Ransomware has improved resilience when raising deviances.

  • Dangerous Sensitive Privileges has improved analysis performance.

 N/A
Alerting using the SYSLOG protocol supports non-English characters such as Japanese. N/A
A newly implemented mechanism enhances the resilience of the database when there are numerous attribute modifications. N/A
The IoA security analysis now falls back to a previous Windows event log version when necessary. N/A
The security analysis now limits the generation of error logs when it encounters an incorrect regular expression from an IoE option. N/A

Tenable Identity Exposure 3.47 (2023-05-31)

DC Password Change — Related to Zerologon Exploitation, this new Indicator of Attack focuses on a specific post-exploitation activity that attackers commonly use in conjunction with the Netlogon vulnerability: the modification of the Domain Controller machine account password. For more information, see the Tenable Identity Exposure Indicators of Attack Reference Guide.

Tenable Identity Exposure version 3.47 contains the following bug fixes:

Bug Fix Defect ID
Transcript files that the Indicator of Attack module produces on domain controllers can now replicate with complete information. N/A
Tenable Identity Exposure detects whether or not the SMTP server is configured. N/A

Tenable Identity Exposure 3.46 (2023-05-17)

Zerologon — A new Indicator of Attack detects a failure in the Netlogon authentication process which indicates that attackers are trying to exploit the Zerologon vulnerability to gain privileges on the domain. For more information, see the Tenable Identity Exposure Indicators of Attack Reference Guide.

Tenable Identity Exposure version 3.46 contains the following bug fixes:

Bug Fix Defect ID
The custom CA certificate trash bin removes the certificates as designed. N/A
A profile is now mandatory when configuring SYSLOG alerts for Indicators of Attack. N/A
An additional parameter, -EventLogsFileWriteFrequency X, in the Indicator of Attack deployment script allows you to address potential issues with slow or broken Distributed File System (DFS) replication that you may experience. For more information, see DFS Replication Issues Mitigation in the Administrator Guide. N/A

Tenable Identity Exposure 3.45 (2023-05-03)

Secure Relay — The Secure Relay now supports Syslog and SMTP alerting. For more information, see Secure Relay in the Tenable Identity Exposure Administrator Guide.

Syslog and SMTP alertings can now send alerts to private servers through a Secure Relay. When creating an alert, Secure Relay platforms now ask you to select a Relay. You can set up Relays and use them for either domain monitoring and alerting, or both.

If you use Secure Relay and have existing alerts, the Tenable Identity Exposure 3.45 update automatically assigns a Relay to them for service continuity. You can edit this Relay for reasons related to your Relay-VM network rules or your preferences.

Tenable Identity Exposure version 3.45 contains the following bug fixes:

Bug Fix Defect ID
Indicators of Attack — The customization of Tenable Identity Exposure IoAs now works as expected. N/A

Secure Relay Updater — Can now launch itself without an open user session.

 N/A
AlertingTenable Identity Exposure no longer shows a drop-down menu to VPN users that was intended for Secure Relay users only. N/A

User Interface

  • Fixed the tooltip for the description of "Future Automatic Updates" on the Indicator of Attack configuration page.

  • No longer enables the "See Procedure" button on the Indicator of Attack configuration page if there is no domain configured in Tenable Identity Exposure.

 N/A

Tenable Identity Exposure 3.44 (2023-04-19)

Tenable Identity Exposure version 3.44 contains the following bug fixes:

Bug Fix Defect ID
Tenable Identity Exposure updated its password policy to require a minimum password length of 12 characters. This update ensures consistency across all cases, as some previously only required 8 characters. N/A
The alerting screens now hide in-development information. N/A
Tenable Identity Exposure now allows you to delete custom trusted Certificate Authorities (CAs). N/A
The email alerting tab shows the correct name. N/A
Tenable Identity Exposure removes the AD objects from the Tenable Cloud platform when you delete the corresponding directory in Tenable Identity Exposure. N/A
If the Recycle bin is enabled, the relevance of the event type in the Trail Flow increases when you delete a user. N/A
The active user count now counts restored AD objects. N/A
Tenable Identity Exposure should now always display attack names in the Indicator of Attack investigation view. N/A
The Tenable Identity Exposure IoA GPO audit.csv file now gets generated using results from Windows APIs instead of auditpol.exe output (which is localizable). N/A
It is now faster to export deviances from Indicators of Exposure. N/A
The Secure Relay updater now verifies its configuration before validating any updates and rolls back the update if the configuration check fails. N/A

Tenable Identity Exposure 3.43 (2023-03-22)

  • Secure Relay — The Secure Relay now supports HTTP proxy without authentication if your network requires a proxy server to reach the internet. For more information, see Secure Relay in the Tenable Identity Exposure Administrator Guide.

  • Onboarding — For enhanced security, the onboarding process now requires that users change the default credentials provided for the initial login when they log in for the first time. Tenable Identity Exposure also enhanced the rules for a new password.

  • ScalabilityTenable Identity Exposure improved the performance of Indicators of Attack on the service side to handle events of interest on a greater scale for better IoA accuracy and latency.

  • New Indicator of Attack — A new IoA called Unauthenticated Kerberoasting detects stealthy Kerberoasting attacks that bypass numerous detections.

Tenable Identity Exposure version 3.43 contains the following bug fixes:

Bug Fix Defect ID
Tenable Identity Exposure improved the Indicator of Exposure Application of Weak Password Policies on Users for heavy workload scenarios. N/A
Tenable Identity Exposure removed the RBAC permission related to workload quota. N/A
It is now possible to install the Relay on virtual machine servers that do not have Internet Explorer. N/A
The IoA setup script now handles edge cases where a Resultant Set of Policy (RSOP) computation is not possible for the user running the script. N/A
The IoA NTDS Extraction can now exclude any configured process from its analysis. N/A

Tenable Identity Exposure 3.42 (2023-03-08)

  • Dashboard data availability — Enables reporting on compliance scores, deviances count, and users count values over a new maximum 1-year time span (from one month).

Tenable Identity Exposure version 3.42 contains the following bug fixes:

Bug Fix Defect ID

Indicators of Exposure

  • Application of Weak Password Policies on Users introduces two new reasons to explain better two cases where you may think the GPO applies but in fact does not:

    • An Organizational Unit that contains computers may block the GPO inheritance.

    • A security filtering prevents the GPO from applying to computers.

  • Verify AAD SSO Account Password Last Change now resolves deviances when they apply to deleted AD objects.

  • Dangerous Kerberos Delegation now handles existing but empty Resource-Based Constrained Delegation (RBCD) attributes.

 N/A

Indicators of Attack

  • Reduced false positives/negatives for Tenable Identity Exposure attacks for the following IoAs: sAMAccountName Impersonation, Kerberoasting, OS Credential Dumping: LSASS Memory, DCShadow, and DPAPI Domain Backup Key Extraction.

  • OS Credential Dumping: LSASS Memory — shows more accurate process and username information when displaying the information in the user interface and alerts.

 N/A

Secure Relay

  • Tenable Identity Exposure corrected an issue that disrupted the Relay's ability to send data and update itself.

  • Tenable Identity Exposure Secure Relay services have an increased resiliency to account for disruptive Windows updates that impacted event processing.

  • Tenable Identity Exposure now allows the reuse of the name of a formerly deleted relay.

 N/A
Tenable Identity Exposure no longer pushes an IoA configuration on the PDC in a deleted GPO. It now uses the installed IoA configuration for a more robust IoA automatic update experience. N/A
The Tenable Identity Exposure (Compliance) Score through the Public API now excludes deactivated checkers for the provided profile. This had led to an incorrect score via the Public API. This is now improved and consistent with the Compliance Score available in the Tenable Identity Exposure user interface. N/A
After deleting a directory, the Attack Path now refreshes its Tier 0 graph. N/A
Tenable Identity Exposure improved the resiliency of the IoA setup script for subsequent installations of the script. N/A

Tenable Identity Exposure 3.41 (2023-02-23)

Tenable Identity Exposure version 3.41 contains the following bug fixes:

Bug Fix Defect ID

The renaming of the Tenable Identity Exposure GPO no longer has an impact on the automatic update feature of the Tenable Identity Exposure Indicator of Attack configuration.

 N/A
Tenable Identity Exposure now requires fewer permissions to obtain the same Indicator of Attack analysis. N/A
The Indicator of Attack PDF report no longer shows an erroneous header on the cover page. N/A
Elimination of false positives on the Tenable Identity Exposure GPO for these Indicators of Exposure: Verify Sensitive GPO Objects and Files Permissions and Domain Controllers Managed by Illegitimate Users. N/A

Tenable Identity Exposure 3.40 (2023-02-13)

  • LDAPS connectionTenable Identity Exposure can use the LDAPS (TCP/636) port to connect to your Active Directory in the Secure Relay architecture. This configuration is not possible in the IPSEC VPN environment.

Tenable Identity Exposure version 3.40 contains the following bug fixes:

Bug Fix Defect ID

Secure Relay:

  • Improved reliability in handling access-denied Indicator of Attack (IoA) SYSVOL files.

  • Enhanced memory handling for greater stability.

  • Permissions for Relay tasks appear in Tenable Identity Exposure's "Roles Management" tab only if your platform uses the Secure Relay architecture and not IPSEC VPN.

 N/A
AuthenticationTenable Identity Exposure now logs a successful login attempt after it validates it. N/A

Indicators of Attack:

  • Tenable Identity Exposure attack detection is now more accurate and reduces false negatives and false positives.

  • The IoA installation reestablishes security events logging.

 N/A

Tenable Identity Exposure 3.39 (2023-01-25)

  • Quicker and easier deployment of Indicators of AttackTenable Identity Exposure can now add or remove Indicators of Attack automatically from configured domain controllers without any manual intervention. For more information, see Install Indicators of Attack in Tenable Identity Exposure Administrator Guide.

  • Roles — Role configuration now allows you to set access to the Relay configuration.

Tenable Identity Exposure version 3.39 contains the following bug fixes:

Bug Fix Defect ID

Attack Path:

  • The page now shows a single menu bar.

  • Improved performance when computing Tier 0 access.

 N/A
Security — GraphQL suggestions no longer appear. N/A
Relay — The Relay can now resolve domains FQDNs. This allows you to use Kerberos on Secure Relay environments, if you also use it with a username in the UPN format in the Forest configuration. N/A
Bug Fix Defect ID

The event log consumption and other Relay events now occur in parallel to avoid memory leak issues.

 N/A
The Relay uninstaller no longer stops the Tenable Nessus Agent service. N/A

Relay installer:

  • Forces the use of TLS 1.2 for its connectivity test instead of the default TLS version.

  • Checks that the relay name is unique and asks you to select another name if it is not.

  • Checks that it can reach cloud.tenable.com before it installs the relay.

 N/A

Tenable Identity Exposure 3.38 (2023-01-11)

Tenable Identity Exposure version 3.38 contains the following bug fixes:

Bug Fix Defect ID
Tenable Identity Exposure dashboard widgets now show "0" instead of "No data" when it does not detect any deviants. N/A
Bug Fix Defect ID
Tenable Identity Exposure now checks for Secure Relay automatic updates every 15 minutes instead of daily. N/A