Tenable Identity Exposure 2023 Release Notes
Tenable Identity Exposure 3.46 (2023-05-17)

Zerologon — A new Indicator of Attack detects a failure in the Netlogon authentication process which indicates that attackers are trying to exploit the Zerologon vulnerability to gain privileges on the domain. For more information, see the Tenable Identity Exposure Indicators of Attack Reference Guide.

Tenable Identity Exposure version 3.46 contains the following bug fixes:
Bug Fix | Defect ID |
---|---|
The custom CA certificate trash bin removes the certificates as designed. | N/A |
A profile is now mandatory when configuring SYSLOG alerts for Indicators of Attack. | N/A |
An additional parameter, -EventLogsFileWriteFrequency X, in the Indicator of Attack deployment script allows you to address potential issues with slow or broken Distributed File System (DFS) replication that you may experience. For more information, see DFS Replication Issues Mitigation in the Administrator Guide. | N/A |
Tenable Identity Exposure 3.45 (2023-05-03)

Secure Relay — The Secure Relay now supports Syslog and SMTP alerting. For more information, see Secure Relay in the Tenable Identity Exposure Administrator Guide.
Syslog and SMTP alerting can now send alerts to private servers through a Secure Relay. When creating an alert, Secure Relay platforms now ask you to select a Relay. You can set up Relays and use them for domain monitoring, alerting, or both.
If you use Secure Relay and have existing alerts, the Tenable Identity Exposure 3.45 update automatically assigns a Relay to them for service continuity. You can edit this Relay for reasons related to your Relay-VM network rules or your preferences.

Tenable Identity Exposure version 3.45 contains the following bug fixes:
Bug Fix | Defect ID |
---|---|
Indicators of Attack — The customization of Tenable Identity Exposure IoAs now works as expected. | N/A |
Secure Relay Updater — Can now launch itself without an open user session. | N/A |
Alerting — Tenable Identity Exposure no longer shows a drop-down menu to VPN users that was intended for Secure Relay users only. | N/A |
User Interface | N/A |
Tenable Identity Exposure 3.44 (2023-04-19)

- Domain Backup Key Extraction — A new Indicator of Attack detects a wide variety of attack tools that use LSA RPC calls to access backup keys. For more information, see the Tenable Identity Exposure Indicators of Attack Reference Guide.
- Calibration for Indicators of Attack — New recommendations on how to adapt IoAs to your environment based on the size of your Active Directory and authorized known tools, etc. For complete information, see the Tenable Identity Exposure Indicators of Attack Reference Guide.

Tenable Identity Exposure version 3.44 contains the following bug fixes:
Bug Fix | Defect ID |
---|---|
Tenable Identity Exposure updated its password policy to require a minimum password length of 12 characters. This update ensures consistency across all cases, as some previously only required 8 characters. | N/A |
The alerting screens now hide in-development information. | N/A |
Tenable Identity Exposure now allows you to delete custom trusted Certificate Authorities (CAs). | N/A |
The email alerting tab shows the correct name. | N/A |
Tenable Identity Exposure removes the AD objects from the Tenable Cloud platform when you delete the corresponding directory in Tenable Identity Exposure. | N/A |
If the Recycle bin is enabled, the relevance of the event type in the Trail Flow increases when you delete a user. | N/A |
The active user count now takes into account restored AD objects. | N/A |
Tenable Identity Exposure should now always display attack names in the Indicator of Attack investigation view. | N/A |
The Tenable Identity Exposure IoA GPO audit.csv file now gets generated using results from Windows APIs instead of auditpol.exe output (which is localizable). | N/A |
It is now faster to export deviances from Indicators of Exposure. | N/A |
The Secure Relay updater now verifies its configuration before validating any updates and rolls back the update if the configuration check fails. | N/A |
Tenable Identity Exposure 3.43 (2023-03-22)

- Secure Relay — The Secure Relay now supports HTTP proxy without authentication if your network requires a proxy server to reach the internet. For more information, see Secure Relay in the Tenable Identity Exposure Administrator Guide.
- Onboarding — For enhanced security, the onboarding process now requires that users change the default credentials provided for the initial login when they log in for the first time. Tenable Identity Exposure also enhanced the rules for a new password.
- Scalability — Tenable Identity Exposure improved the performance of Indicators of Attack on the service side to handle events of interest on a greater scale for better IoA accuracy and latency.
- New Indicator of Attack — A new IoA called Unauthenticated Kerberoasting detects stealthy Kerberoasting attacks that bypass numerous detections.

Tenable Identity Exposure version 3.43 contains the following bug fixes:
Bug Fix | Defect ID |
---|---|
Tenable Identity Exposure improved the Indicator of Exposure Application of Weak Password Policies on Users for heavy workload scenarios. | N/A |
Tenable Identity Exposure removed the RBAC permission related to workload quota. | N/A |
It is now possible to install the Relay on VM servers that do not have Internet Explorer. | N/A |
The IoA setup script now handles edge cases where a Resultant Set of Policy (RSOP) computation is not possible for the user running the script. | N/A |
The IoA NTDS Extraction can now exclude any configured process from its analysis. | N/A |
Tenable Identity Exposure 3.42 (2023-03-08)

Tenable Identity Exposure version 3.42 contains the following bug fixes:
Bug Fix | Defect ID |
---|---|
Indicators of Exposure | N/A |
Indicators of Attack | N/A |
Secure Relay | N/A |
Tenable Identity Exposure no longer pushes an IoA configuration on the PDC in a deleted GPO. It now uses the installed IoA configuration for a more robust IoA automatic update experience. | N/A |
The Tenable Identity Exposure (Compliance) Score through the Public API now excludes deactivated checkers for the provided profile. This had led to an incorrect score via the Public API. The score is now consistent with the Compliance Score available in the Tenable Identity Exposure UI. | N/A |
After deleting a directory, the Attack Path now refreshes its Tier0 graph. | N/A |
Tenable Identity Exposure improved the resiliency of the IoA setup script for subsequent installations of the script. | N/A |
Tenable Identity Exposure 3.41 (2023-02-23)

Tenable Identity Exposure version 3.41 contains the following bug fixes:
Bug Fix | Defect ID |
---|---|
The renaming of the Tenable Identity Exposure GPO no longer has an impact on the automatic update feature of the Tenable Identity Exposure Indicator of Attack configuration. | N/A |
Tenable Identity Exposure now requires fewer permissions to obtain the same Indicator of Attack analysis. | N/A |
The Indicator of Attack PDF report no longer shows an erroneous header on the cover page. | N/A |
Elimination of false positives on the Tenable Identity Exposure GPO for these Indicators of Exposure: Verify Sensitive GPO Objects and Files Permissions and Domain Controllers Managed by Illegitimate Users. | N/A |
Tenable Identity Exposure 3.40 (2023-02-13)

- LDAPS connection — Tenable Identity Exposure can use the LDAPS (TCP/636) port to connect to your Active Directory in the Secure Relay architecture. This configuration is not possible in the IPSEC VPN environment.

Tenable Identity Exposure version 3.40 contains the following bug fixes:
Bug Fix | Defect ID |
---|---|
Secure Relay: | N/A |
Authentication — Tenable Identity Exposure now logs a successful login attempt after it validates it. | N/A |
Indicators of Attack: | N/A |
Tenable Identity Exposure 3.39 (2023-01-25)

- Quicker and easier deployment of Indicators of Attack — Tenable Identity Exposure can now add or remove Indicators of Attack automatically from configured domain controllers without any manual intervention. For more information, see Install Indicators of Attack in the Tenable Identity Exposure Administrator Guide.
- Roles — Role configuration now allows you to set access to the Relay configuration.

Tenable Identity Exposure version 3.39 contains the following bug fixes:
Bug Fix | Defect ID |
---|---|
Attack Path: | N/A |
Security — GraphQL suggestions no longer appear. | N/A |
Relay — The Relay can now resolve domain FQDNs. This allows you to use Kerberos on Secure Relay environments, if you also use it with a username in the UPN format in the Forest configuration. | N/A |

Bug Fix | Defect ID |
---|---|
The event log consumption and other Relay events now occur in parallel to avoid memory leak issues. | N/A |
The Relay uninstaller no longer stops the Tenable Nessus Agent service. | N/A |
Relay installer: | N/A |
Tenable Identity Exposure 3.38 (2023-01-11)

Tenable Identity Exposure version 3.38 contains the following bug fixes:
Bug Fix | Defect ID |
---|---|
Tenable Identity Exposure dashboard widgets now show "0" instead of "No data" when it does not detect any deviants. | N/A |

Bug Fix | Defect ID |
---|---|
Tenable Identity Exposure now checks for Secure Relay automatic updates every 15 minutes instead of daily. | N/A |