Tenable Identity Exposure 2024 Release Notes
These release notes are listed in reverse chronological order.
Tenable Identity Exposure 3.82 (2024-11-13)
- Dashboard template — Tenable Identity Exposure now offers a dashboard template to help you gain visibility into the recent report from the "Five Eyes" alliance and their associated civilian agencies. This report provides guidance on detecting and mitigating Active Directory compromises.
- Service Accounts Misconfigurations — A new Indicator of Exposure lists the bad practices and misconfigurations that can affect domain service accounts.
- ADCS Dangerous Misconfigurations — An improvement in this IoE helps to identify issuance policies (enterprise OIDs) that allow principals to become members of AD groups implicitly.
Tenable Identity Exposure version 3.82 contains the following bug fixes:
Bug Fix |
---|
Tenable Identity Exposure now correctly recalculates the active user count in the license. Widgets using this value in dashboards remain unaffected. |
The Suspicious DC Password Change Indicator of Attack now takes into account the previous "Last Password Change", when the Active Directory attribute is available, to compute the "Password Change Interval". |
Tenable Identity Exposure now correctly tests the connectivity to cloud.tenable.com. |
Identities with accounts on multiple configured Tenable Identity Exposure tenants (AD directories or Entra ID tenants) no longer disappear from the list of identities. |
When Tenable Identity Exposure is configured to appear in Spanish, Entra ID IoE descriptions appear in U.S. English. |
The Secure Relay Scheduled Task now has the valid parameter -AfadRolePath. During an upgrade, Tenable Identity Exposure removes and re-creates the Scheduled Tasks. |
TCP Syslog alerting works as expected on Windows Server 2016. |
The data collection health check now accurately reports status when the Relay is connected to multiple domains. |
In certain edge cases, Tenable Identity Exposure cannot analyze password hashes. |
The findings of a Microsoft Entra ID deviance now correctly match the selected tenant. |
After an LDAP connectivity issue, the Directory Listener automatically restarts after 12 hours to re-sync with any potentially missed ADObject states. |
When platforms require a Secure Relay, the LDAP and SMTP configurations now enforce the selection of a specific Secure Relay to use. |
UDP Syslog alerting now truncates the payload once it reaches the MTU size. |
The "Unsafe permissions set on the computer object" reason in the Local Administrative Account Management IoE now appears correctly in non-US English languages. |
Tenable Identity Exposure 3.81.2 (2024-10-29)
Tenable Identity Exposure version 3.81.2 contains the following bug fix:
Bug Fix |
---|
The Indicator of Attack listener now supports non-ASCII encoding. |
Tenable Identity Exposure 3.81 (2024-10-21)
- Domain Without Computer-Hardening GPOs Indicator of Exposure:
  - New reason related to the Windows Defender Credential Guard security feature used to protect in-memory credentials.
  - New reason related to the "Point and Print" feature of Windows: hardening for print driver installation and updates.
  - New reason related to LDAP session signing and channel binding, to mitigate MiTM and replay attacks.
- Dormant Accounts Indicator of Exposure has a new reason to report domain controllers that have not performed any authentication (based on the lastLogonTimestamp attribute) in the last 45 days. This period is customizable via a new option.
- Root Objects Permissions Allowing DCSync-Like Attacks Indicator of Exposure now includes a new option, "Keep MSOL_* accounts," which allows you to exclude those accounts and reduce false positives. By default, this option is disabled in the security profile, so the IoE does not flag MSOL_* accounts as deviant.
- NTDS Extraction Indicator of Attack renamed "Allowed processes" to clarify its use in "aggressive" mode only and removed the unused "Allowed NTDS destination paths" option.
- Performance — Tenable Identity Exposure improved internal monitoring capabilities.
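As an added illustration of the Dormant Accounts reason above (example code written for these notes, not Tenable's implementation), the following Python converts lastLogonTimestamp values to dates and flags domain controller accounts with no logon inside a configurable window. Identifying DCs through the SERVER_TRUST_ACCOUNT bit of userAccountControl, the reference date and the sample LDAP entries are assumptions made for the example; the 45-day default comes from the note.

```python
"""Added example (not Tenable's code): flag domain controller accounts whose
lastLogonTimestamp falls outside a configurable window, mirroring the Dormant
Accounts reason in the 3.81 notes (45-day default). The entries below are
constructed sample data, not output from a real directory."""
from datetime import datetime, timedelta, timezone

# AD stores lastLogonTimestamp as a 64-bit count of 100-ns ticks since 1601-01-01 (FILETIME).
TICKS_PER_SECOND = 10_000_000
UNIX_EPOCH_AS_FILETIME = 116_444_736_000_000_000   # ticks from 1601-01-01 to 1970-01-01
NEVER_SENTINELS = {0, 0x7FFF_FFFF_FFFF_FFFF}       # 0 = never logged on; int64 max = AD "never"
SERVER_TRUST_ACCOUNT = 0x2000                     # userAccountControl bit set on DC computer accounts


def filetime_to_datetime(value):
    """Convert an AD large-integer timestamp (int or LDAP string) to an aware UTC datetime.
    Returns None when the attribute means 'never'."""
    ticks = int(value)
    if ticks in NEVER_SENTINELS:
        return None
    seconds = (ticks - UNIX_EPOCH_AS_FILETIME) / TICKS_PER_SECOND
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here only to build the sample entries."""
    return int(dt.timestamp()) * TICKS_PER_SECOND + UNIX_EPOCH_AS_FILETIME


def is_domain_controller(entry):
    """Assumption for this example: a computer account with SERVER_TRUST_ACCOUNT set is a DC."""
    return bool(int(entry.get("userAccountControl", 0)) & SERVER_TRUST_ACCOUNT)


def dormant_domain_controllers(entries, now, window_days=45):
    """Return (sAMAccountName, last_logon) for DC accounts with no logon inside the window.
    last_logon is None for accounts that never logged on. lastLogonTimestamp replicates
    lazily (by default only once it is more than 14 days stale), so windows shorter than
    that cannot be evaluated reliably from this attribute."""
    cutoff = now - timedelta(days=window_days)
    findings = []
    for entry in entries:
        if not is_domain_controller(entry):
            continue
        last_logon = filetime_to_datetime(entry.get("lastLogonTimestamp", 0))
        if last_logon is None or last_logon < cutoff:
            findings.append((entry["sAMAccountName"], last_logon))
    return findings


# Constructed reference point and sample entries (string values, as an LDAP client returns them).
NOW = datetime(2024, 11, 13, 12, 0, tzinfo=timezone.utc)
SAMPLE_ENTRIES = [
    {"sAMAccountName": "DC01$", "userAccountControl": "532480",   # 0x82000: DC, trusted for delegation
     "lastLogonTimestamp": str(datetime_to_filetime(NOW - timedelta(days=10)))},
    {"sAMAccountName": "DC02$", "userAccountControl": "532480",
     "lastLogonTimestamp": str(datetime_to_filetime(NOW - timedelta(days=60)))},
    {"sAMAccountName": "DC03$", "userAccountControl": "532480",
     "lastLogonTimestamp": "0"},                                    # never authenticated
    {"sAMAccountName": "WS01$", "userAccountControl": "4096",     # 0x1000: workstation, ignored
     "lastLogonTimestamp": str(datetime_to_filetime(NOW - timedelta(days=200)))},
]


def run_example(window_days=45):
    """Evaluate the sample entries against the window; returns the dormant DC findings."""
    return dormant_domain_controllers(SAMPLE_ENTRIES, NOW, window_days)


if __name__ == "__main__":
    for name, last_logon in run_example():
        print(f"{name}: last logon {last_logon.isoformat() if last_logon else 'never'}")
```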
Tenable Identity Exposure version 3.81 contains the following bug fixes:
Bug Fix |
---|
The Secure Relay Scheduled Task now has the valid parameter -AfadRolePath. During an upgrade, Tenable Identity Exposure removes and re-creates the Scheduled Tasks. |
Envoy now resolves using IPv4 first and falls back to IPv6, correcting the previous configuration, which prioritized the opposite. |
Tenable Identity Exposure now adapts to analyze Windows Event Logs ingested with a delay. |
Tenable Identity Exposure now ensures header visibility remains intact after login. |
Tenable Identity Exposure resolved the loading error in Identity Explorer. |
Tenable Identity Exposure enhanced the loading performance of the Attack Alert blade. |
The Secure Relay no longer repeatedly sends LDAP query results that the Directory Listener no longer needs. |
The "Allowed Users" option in the Protected Users Group Not Used Indicator of Exposure now allows you to allowlist users by User Principal Name (UPN), SID, and sAMAccountName, instead of just Distinguished Name as previously. |
Tenable Identity Exposure 3.80 (2024-10-03)
- RSOP-based Indicators of Exposure (IoE) — To enhance overall product performance, Tenable Identity Exposure now performs RSOP checks for a small number of IoEs every 30 minutes instead of real time. For more information, see RSOP-based Indicators of Exposure.
Tenable Identity Exposure version 3.80 contains the following bug fixes:
Bug Fix |
---|
The option 'Permitted trustees list' now allows the use of the SID format of an account in addition to the previous format (DN format). |
The "Dangerous Kerberos Delegation" Indicator of Exposure now enforces the whitelisting for disabled objects. |
Incriminating attributes now display detailed values when localized. |
Indicators of Exposure (IoEs) now show improved accuracy of the latest detection date. |
Tenable Identity Exposure shows a successful description on health check issues with unknown status. |
Tenable Identity Exposure correctly parses trust attributes (even when they are missing in rare scenarios) to show the topology view without issues. |
After exiting the deviance detail view, the page correctly returns to the previous Active Directory or Microsoft Entra ID tab. |
Tenable Identity Exposure added the `UserNameVariants` field to DCSyncData, allowing format-agnostic whitelisting of usernames (SID, UPN, sAMAccountName). Currently, this change applies only to the DCSync attack Indicator of Attack (IoA). |
Tenable Identity Exposure now provides correct attack vectors for PetitPotam through an improved correlation engine. You must redeploy the IoA event listener. |
The DCSync IoA now accounts for the edge case where the 'samAccountName' of the Tenable service account exceeds 20 characters, ensuring that alerts do not trigger when the Privileged Analysis feature is enabled. |
Tenable Identity Exposure 3.79 (2024-09-16)
Tenable Identity Exposure version 3.79 contains the following bug fixes:
Bug Fix |
---|
The decoder for the dnsProperty attribute now accurately parses the binary data associated with dynamic updates. |
The Indicator of Exposure details pane now appears correctly when there are no deviances found. |
Tenable Identity Exposure disables Tenable cloud configuration for users without edit permissions for the Tenable Cloud Service. |
For certain edge cases, Tenable Identity Exposure now ensures a successful construction of the Tier0 asset graph. |
The security analysis service experiences high CPU usage during intensive tasks like security checks, as it processes large datasets to ensure thorough threat detection. While this may cause CPU spikes, it ensures comprehensive security coverage. |
Tenable Identity Exposure now ensures correct CSV exports by escaping double quotes ("), improving the accuracy of the exported data. |
The accuracy of the latest detection date for IoEs has improved. |
Tenable Identity Exposure now correctly closes previously raised deviances associated with the OrphanGPO reason. |
The "Privileged AD User Accounts Synchronized to Microsoft Entra ID" IoE no longer requires the option "Whitelist computers". |
The "Conflicting Security Principals" IoE reduced excessive checks during the security analysis service startup to resolve high CPU consumption. |
Tenable Identity Exposure raised the RMQ memory limit to prevent performance slowdown. |
Tenable Identity Exposure enhanced the displayed names of certain AD objects, with a particular focus on technical objects such as GPOs and dnsNodes. |
Tenable Identity Exposure improved the display of samAccountName and made it searchable. |
Tenable Identity Exposure 3.78 (2024-08-27)
- Indicators of Exposure
  - Unsecured Configuration of Netlogon Protocol - Tenable Identity Exposure now sets the default value of the "Skip registry key check" option to "true". This change assumes that users have applied the February 9, 2021 updates. This modification applies only to the default profile, leaving custom profiles unaffected.
  - Computers Running an Obsolete OS - Tenable Identity Exposure added the last logon information for active obsolete computers.
- Indicators of Exposure for Entra ID: The following Entra ID IoEs now ignore disabled users and service principals.
  - Dangerous API Permissions Affecting the Tenant
  - First-Party Service Principal With Credentials
  - High Number of Administrators
  - Missing MFA for Privileged Account
  - Missing MFA for Non-Privileged Account

  This is because attackers cannot immediately exploit them. As for MFA IoEs, the Microsoft Graph API incorrectly returns the MFA status for disabled users.
- Indicators of Attack
  - DCSync does not trigger an alert if its source comes from a username with a prefix MSOL_ (hardcoded and valid for basic mode only).
  - Enumeration of Local Administrators does not trigger an alert if the target IP is unknown.
  - Golden Ticket only triggers an alert if an attacker authenticated after forging a TGT (basic mode only).
  - OS Credential Dumping: LSASS Memory does not trigger an alert if the tool belongs to Arctic Wolf Network (basic mode only).
- Email alerting now only supports valid encryption protocols, such as TLS 1.2 and 1.3. If you overrode your Secure Relay to force a deprecated SMTP encryption standard, like SSL v3, you must remove the override. The only allowed values are now "Tls12", "Tls13", or "Tls12, Tls13" (for automatic switching based on the server version). Using an unsupported value prevents the relay from starting.
Tenable Identity Exposure version 3.78 contains the following bug fixes:
Bug Fix |
---|
Pendo features are now active in certain Tenable Identity Exposure environments. |
The Tenable Identity Exposure user interface no longer loads twice when accessing the base URL of the Tenable Identity Exposure environment (<environment>.tenable.ad). |
Tenable Identity Exposure updated the Secure Relay installer to improve the way it checks if the current user is a local administrator, enabling the installer to function on domain-joined machines. |
Tenable Identity Exposure improved the internal request/response flow between services to prevent deadlocks during event ingestion. |
Closing the Deviant Objects pane in Entra ID Indicators of Exposure (IoE) now correctly redirects you to the appropriate Entra ID IoE list, with filtering preferences preserved. This enhancement is due to a change in the URL structure of Deviant Objects, which now includes "ad" or "meid," depending on the tab you were viewing when you initially accessed the IoE list. |
The Indicator of Attack (IoA) deadlock issue no longer occurs on the machine hosting the security analysis service. |
For an inbound trust, the data necessary for Tenable Identity Exposure calculations is not stored locally, but in the other domain. If this other domain is included in the product, it is properly monitored and "protected." From the perspective of that domain, this trust relationship would be considered an outbound trust. If this trust is deemed dangerous, Tenable Identity Exposure would detect a deviance in that domain for this particular trust. |
The Unlinked, Disabled, or Orphan GPO IoE now handles scenarios involving removed GPOs more effectively. |
Tenable Identity Exposure reduced 504 errors between the Secure Relay and the Directory Listener to enhance performance and prevent product disruptions. |
Tenable Identity Exposure 3.76 (2024-07-25)
- Conflicting Security Principals Indicator of Exposure (IoE) — A new IoE checks that there are no duplicated (conflicting) objects such as users, computers, or groups.
- Dangerous Kerberos Delegation IoE — A new reason reports all accounts where the attribute used by the constrained delegation (msDS-AllowedToDelegateTo) refers to a Service Principal Name (SPN) that does not exist.
- Active Directory — Tenable Identity Exposure increased the size limit for the AD objects it manages.
Tenable Identity Exposure version 3.76 contains the following bug fixes:
Bug Fix |
---|
In the Identity Explorer, the "Search a tenant" label now shows the correct localization in French. |
The Shadow Credentials IoE now correctly handles false positives from orphan key credentials. |
When installing the Secure Relay on a domain-joined machine using a Domain Admin account, a pop-up message appears to instruct you to use a Local Admin account. |
Tenable Identity Exposure updated permissions behaviors related to the Indicators of Exposure pages. |
There are no longer logging issues in the NTDS Extraction Indicator of Attack (IoA) that prevented it from working properly in certain edge cases. |
Tenable Identity Exposure 3.75 (2024-07-16)
- Shadow Credentials Indicator of Exposure (IoE) — A new IoE detects backdoors and misconfigurations of shadow credentials in the "Windows Hello for Business" feature and its associated key credentials.
- User Primary Group IoE — An additional reason reports on all accounts where the primaryGroupID attribute appears empty due to insufficient rights.
- Password Spraying Indicator of Attack (IoA) — In some scenarios, this IoA caused system performance issues, including memory overload, but it now groups alerts related to the same attack into a single alert to resolve these issues.
- These IoAs no longer trigger alerts in the following cases:
  - DC Sync — When the source is a user or hostname related to the Azure ADConnect tool (basic mode only).
  - NTDS Extraction — When the source tool is either VSS Requestor or Veeam (legitimate backup tools).
  - Enumeration of Local Administrators — When the IoA cannot find the source user SID (basic mode only).
  - Petit Potam — When the IoA cannot retrieve the associated logon event.
  - Golden Ticket — When the IoA cannot fetch the source vectors (basic mode only).
Tenable Identity Exposure version 3.75 contains the following bug fixes:
Bug Fix |
---|
The Password Guessing IoA's option "Detection time interval" now shows the correct label. |
The Application of Weak Password Policies on Users IoE now links to resources in the correct language. |
The Identity Explorer page now loads the Identity data more rapidly. |
Tenable Identity Exposure 3.74 (2024-06-26)
- DC Sync, NTDS Extraction, Enumeration of Local Administrators Indicators of Attack (IoA) — The "Basic" mode no longer raises alerts in the following scenarios:
  - When the IoA detects event loss or a significant delay in event ingestion.
  - When the IoA cannot identify the source of an attack due to missing event data.
- NTDS Extraction IoA — A new active option in "basic" and "aggressive" mode called "Whitelisted Processes" exempts legitimate processes flagged during attacks.
Tenable Identity Exposure version 3.74 contains the following bug fixes:
Bug Fix |
---|
A new mechanism ensures that the database is resilient to having too many modifications in the badPwdCount attribute. In certain edge cases, the service responsible for managing the rate of bad password count events experienced a disconnection from the message queue manager, causing interruptions in event handling. |
Activity logs no longer report internal services activity. |
Tenable Identity Exposure 3.73 (2024-06-13)
Tenable Identity Exposure version 3.73 contains the following bug fixes:
Bug Fix |
---|
Tenable Identity Exposure enhanced its ability to prevent SQL queries from executing indefinitely on small SaaS platforms, ensuring reliable database accessibility. |
The Workspace menu (App Switcher) now occupies less space in the user interface to provide more room to showcase page content. |
Tenable Identity Exposure 3.72 (2024-05-30)
- Users can now set the event gathering duration for Indicators of Attack (IoA) before triggering analysis, with values ranging from 30 seconds to 9 minutes (a trade-off between latency and accuracy).
- Golden Ticket IoA — To reduce false positives, Tenable Identity Exposure implemented a 10-hour deferral period during which it automatically allowlists legitimate users.
Tenable Identity Exposure version 3.72 contains the following bug fixes:
Bug Fix |
---|
Tenable Identity Exposure introduced a mechanism during the Relay startup to perform a network check between the Relay and the platform. If the platform is not yet operational, the Relay startup process waits to ensure a stable connection before proceeding. |
The authentication service now automatically restores communication channels in the event of disruptions to ensure reliable authentication capabilities. |
Tenable Identity Exposure implemented a security mechanism to address the user enumeration capability during account lockouts. |
The tenant filtering functionality now works correctly, allowing users to filter and view Indicators of Exposure specific to their tenant when dealing with Entra ID-related incidents. |
Tenable Identity Exposure 3.71 (2024-05-22)
Note: The enhancements and bug fixes for Tenable Identity Exposure 3.70 are included in the 3.71 version.
- Indicators of Attack (IoA)
  - DC Sync:
    - The default value for the "Defer Time" option increased from 1 h to 12 h to allow a larger window to filter out legitimate events.
    - The default value for the "Allow Unknown Source" option changed from False to True to prevent a false negative caused by the default profile's inability to customize this option.
  - Golden Ticket — Detection of Windows Event Log loss to prevent triggering false positives in certain cases.
  - Enumeration of Local Administrators — Managed service accounts undergo filtering processes to reduce the occurrence of false positive detections.
- Indicators of Exposure (IoE)
  - Protected Users Group Not Used — An additional reason in the IoE reports all privileged users who are not in this group.
  - Last Password Change on KRBTGT Account — Support for the krbtgt_AzureAD account in Windows Hello for Business (Cloud Trust deployment).
Tenable Identity Exposure version 3.71 contains the following bug fixes:
Bug Fix |
---|
Indicators of Attack (IoA): |
Last Password Change on KRBTGT account Indicator of Exposure — Removed the options 'Keep Disabled Accounts' and 'Keep Deleted Accounts' from the security profile customization. |
There are no longer occasional interruptions of IoA and IoE analysis for an hour or longer. |
Tenable Identity Exposure improved the data quality on the Identity Explorer page. |
The Relay now ensures reliable Syslog message delivery across networks with latency. |
The web application now supports uploading an ECC CA certificate to use for validation of TLS connections, including LDAPS authentication, SMTPS, and more. |
Tenable Identity Exposure 3.69 (2024-04-18)
- New Indicators of Exposure (IoEs)
  - Managed Service Accounts Dangerous Misconfigurations — Ensures the proper deployment and configuration of Managed Service Accounts.
  - Enabled Guest Account — Checks that the built-in guest account is disabled.
- Indicators of Exposure Enhancements
  - Domain Without Computer-Hardening GPOs — Integrated new checks designed to address null sessions, which all domain computers should explicitly deactivate.
  - Native Administrative Group Members — Added "Exchange Servers", "Exchange Windows Permissions", and "Exchange Trusted Subsystem" groups to the allowlist for custom groups. This modification applies to the default security profile only and not to existing custom security profiles.
  - User Account Using Old Password — Added two reasons to distinguish between privileged users and regular users.
- To boost throughput, LDAP search requests now batch results between the Relay and the Ceti service.
Tenable Identity Exposure version 3.69 contains the following bug fixes:
Bug Fix |
---|
The enhanced detection algorithm in the Golden Ticket Indicator of Attack reduces false negatives and false positives. |
Deviance remediation for the Accounts Using a Pre-Windows 2000 Compatible Access Control IoE now appears correctly. |
The Domain Without Computer-Hardening GPOs IoE now accurately detects findings. |
Tenable Identity Exposure 3.68 (2024-04-08)
Indicators of Exposure (IoEs) enhancements:
- Dormant Accounts — Two new reasons to distinguish between privileged users and regular users.
- Computers Running an Obsolete OS — A new value 'lastLogonTimestamp' to show the timestamp of the last successful user logon in the "Inactive obsolete OS" deviances.
- Domain Without Computer-Hardening GPOs
  - New checks related to hardened UNC paths configured for domain controllers (SYSVOL/NETLOGON shares).
  - New checks related to the print spooler service that should remain disabled on domain controllers.
  - An enhancement to ensure proper Server Message Block (SMB) signing enforcement on domain controllers and other servers. It validates the "Default Domain Controllers Policy" parameter and checks for correct GPO configuration on other servers.
- Resultant Set of Policy (RSoP) IoEs — For the re-execution of RSoP IoEs with up-to-date cache, Tenable Identity Exposure now aggregates the buffered events over a short duration to reduce the number of changes to analyze (by default 1 minute and only for the "Logon Restrictions for Privileged Users" IoE).
Tenable Identity Exposure version 3.68 contains the following bug fixes:
Bug Fix |
---|
It is now possible to update the Indicator of Attack (IoA) option on a customized security profile created before the introduction of new IoA options. |
The public API endpoint /export/profile/:profileId/checkers/:checkerId now works correctly without options. |
Tenable Identity Exposure 3.67 (2024-03-21)
- Computers cannot appear as deviant due to the reason "Not protected against delegation." Tenable Identity Exposure addresses and resolves any existing deviances related to this issue.
- Indicator of Exposure (IoE) enhancement — In the Kerberos Configuration on User Account IoE, users with smartcards are immune to the AS-REP Roasting attack and Tenable Identity Exposure no longer flags them as a security issue.
- Indicators of Attack (IoA) enhancements:
  - Password Guessing — A new option "Password spraying detection time interval" specifies the number of minutes over which each failed login attempt classifies as a potential attack in progress.
  - Enumeration of Local Administrators
    - A new option "Filtered access rights in aggressive mode" considers only specified access rights fetched from the event 'A network share object was checked' to classify a potential attack in progress. This list only applies in aggressive mode.
    - The default value for the option "Heuristic for Domain Controllers using versions before Windows Server 2016" is now "False".
  - DCSync — The default value for the option "Allow unknown source" is now "False".
  - NTDS Extraction — New "Deny list" in "Basic mode": diskshadow, ntdsutil, esentutl, esentutldefrag mode, vssown, copy-vss, wmi-based technique, psexec_ntds_grab, wmiprvse, vssadmin, vss, impacket-secretsdump, vss_requestor, VeeamGuestHelper, WMI-based technique.
  - Credential Dumping LSASS Memory — New "Deny list" in "Basic mode": mimikatz, taskmgr, ipconfig, arp, powershell, net, auditpol, whoami, cmd, route, processhacker, net1, csc, procdump, osqueryi.
Tenable Identity Exposure version 3.67 contains the following bug fixes:
Bug Fix |
---|
Tenable Identity Exposure now correctly updates security profiles when you modify the following options for the following IoA configurations: |
If you have a Tenable One license, the user creation takes place in Tenable Vulnerability Management and propagates to Tenable Identity Exposure. In this case, when you click the "Create user" button in Tenable Identity Exposure, a message appears to direct you to Tenable Vulnerability Management to create users. |
Tenable Identity Exposure now shows all Entra ID IoEs on the IoE pane. |
The MSI log file is now available in C:\Tenable\Logs after the installation or an upgrade. |
Tenable Identity Exposure 3.66 (2024-03-11)
Indicators of Attack (IoA) — New options for the following IoAs to limit false positives. For more information, see the Indicators of Attack Reference Guide.
Note: Beginning with this release, all IoAs on every security profile have the "Aggressive mode" option set to "False" by default. You can switch this option to "True" for each IoA in individual security profiles.
- Suspicious DC Password Change — New options:
  - "Aggressive mode":
    - True: Detects the attack whether or not the user is authenticated.
    - False (default): Detects only authenticated users.
  - "Password change interval": In "Aggressive mode", this option specifies the period between two password changes (30 days by default).
- DCSync — New option:
  - "Aggressive mode":
    - True: Triggers all attacks based on the IoA rules that can generate numerous false positives.
    - False (default): Triggers an attack only if the machine is not in the domain. This detects fewer attacks but avoids false positives.
Enhancements
- Optimized the computation duration for Indicators of Exposure dependent on Resultant Set of Policy (RSoP), resulting in slower deviance computation related to the RSoP. For more information, see RSoP-Based Indicators of Exposure in the Tenable Identity Exposure User Guide.
- Added support for limiting data visibility for Entra ID tenants in roles permissions management.
Tenable Identity Exposure version 3.66 contains the following bug fixes:
Bug Fix |
---|
OS Credential Dumping LSASS IoA — Tenable Identity Exposure now considers the allowlist specified for the "Aggressive mode" option. |
Tenable Identity Exposure implemented a new mechanism to enhance the database's resilience in handling numerous modifications to the badPwdCount attribute using throttling measures to limit changes. |
Tenable Identity Exposure updated the naming conventions for the Chinese language. |
Tenable Identity Exposure 3.65 (2024-02-27)
Indicators of Attack (IoA) — New default values for the following IoAs to limit false positives. For more information, see the Indicators of Attack Reference Guide.
- Golden Ticket — New "Aggressive Mode" option:
  - False (basic, default): Triggers an attack only if the targeted user is a domain controller or a user belonging to the Domain Admins group.
  - True: Allows attacks even if the target username is not a member of the "Domain Admins" group or a domain controller. It also allows attacks even if some domain controllers are not monitored (in other words, they do not emit any Windows Event Log).
- SAMAccountName Impersonation — New "Aggressive Mode" option:
  - False (basic, default): Does not trigger an attack if the TargetUserName is not a domain controller (DC).
  - True: Triggers all attacks based on the IoA rules that can generate numerous false positives.
- OS Credential Dumping: LSASS Memory — New options:
  - "Aggressive Mode":
    - False (basic, default): The IoA recognizes the tool and considers only the predefined processes as non-legitimate.
    - True: The IoA considers all attack tools as non-legitimate unless they are in the allowlist.
  - "Allowed processes in aggressive mode": Optional and applies only if the "Aggressive Mode" option = True.
  - "Basic Mode - Deny list": In basic mode, only the specified tools can trigger attacks.
- NTDS Extraction — New options:
  - "Aggressive Mode":
    - False (basic, default): The IoA recognizes the tool and considers only the predefined processes as non-legitimate.
    - True: The IoA considers all attack tools as non-legitimate unless they are in the allowlist.
  - "Basic Mode - Deny list": In basic mode, only the specified tools can trigger attacks.
  - "Basic Mode Attack Whitelisted Processes" (formerly "Whitelisted Processes"): Optional and applies only if the "Aggressive Mode" option = True.
- Massive Computers Reconnaissance — New default values for options:
  - Number of computers — 5000
  - Minimum number of computers — 100
  - Percentage of computers — 95
  - Sliding window — 240
  - Waiting time between attacks — 240
- Password Guessing — New default value for option:
  - Number of accounts with failed attempts — 10 000
- Enumeration of Local Administrators — The option "Heuristic for Domain Controllers using versions prior to Windows Server 2016" is now set to "False" by default.
Indicators of Exposure (IoE)
- New IoEs
  - Privileged Authentication Silo Configuration — Provides a step-by-step guide on the configuration of an authentication silo for privileged (Tier-0) accounts.
  - Privileged AD User Accounts Synchronized to Microsoft Entra ID — Checks that privileged Active Directory user accounts are not synchronized to Microsoft Entra ID.
- Enhancements
  - Dangerous Kerberos Delegation IoE — Introduces a new reason to detect the current configuration of Kerberos delegation on Microsoft Entra Connect account (AZUREADSSOACC).
  - Reversible Passwords IoE — Validates passwords configured for storage in a reversible format based on the settings defined by the msDS-PasswordReversibleEncryptionEnabled attribute within the Password Settings Object (PSO).
  - Local Administrative Account Management IoE — Adds support for the new Microsoft Local Administrator Password Solution (LAPS) with a new option called "LAPS version installed" and validates the LAPS version configuration based on the user's selections.
Tenable Identity Exposure version 3.65 contains the following bug fixes:
Bug Fix |
---|
Tenable Identity Exposure addressed an issue related to Microsoft Entra ID tenant deletion. Previously, when clicking on the deletion bin icon, certain previously acquired assets might persist. The current resolution ensures the complete deletion of all assets during this process. |
Tenable Identity Exposure resolved an injection vulnerability in which a low-privileged local user could modify application files on the Tenable Identity Exposure Secure Relay host. |
Tenable Identity Exposure fixed an issue with unsuccessful queries due to a null value, likely stemming from data inconsistency in the database. For instance, this could occur if a compact entitlement is directed at an asset that has not yet reached the necessary Software Factory (SF). |
Tenable Identity Exposure enhanced the attack path functionality to prevent potential crashes during the initialization process in certain rare scenarios. |
Tenable Identity Exposure implemented a new mechanism to ensure the database can handle multiple modifications to the badPwdCount attribute without compromising its integrity or performance. |
Tenable Identity Exposure 3.64 (2024-02-07)
Tenable Identity Exposure version 3.64 contains the following bug fixes:
Bug Fix |
---|
The Indicator of Attack Suspicious DC Password Change resolved false positives related to Windows Server 2008 R2 systems that change their passwords every 30 days by default. |
Tenable Identity Exposure 3.63 (2024-01-24)
- Indicators of Attack — The "Allowed Processes" option in the Indicators of Attack Credential Dumping: LSASS Memory and NTDS Extraction includes processes known to raise false positives.
Tenable Identity Exposure version 3.63 contains the following bug fixes:
Bug Fix |
---|
Tenable Identity Exposure no longer shows topology domains after the removal of their associated domain. |
Microsoft Entra ID's current scan status now indicates the error for a scan failure, even if previous scans were successful. |
Tenable Identity Exposure now correctly refreshes CA certificates following a Syslog alert configuration update. |
Tenable Identity Exposure's internal technical data no longer gets transmitted as assets to Tenable Cloud when this feature is active. |
Deviances related to password reuse from the Detection of Password Weaknesses Indicator of Exposure now expose the incriminating password hash prefixes. |
When analyzing a 4776 event lacking a hostname resulting in an "Unknown" source, Tenable Identity Exposure now filters out this deviance according to the "Allow Unknown Source" option in the Password Spraying Indicator of Attack. |
Tenable Identity Exposure 3.62 (2024-01-10)
Tenable Identity Exposure version 3.62 contains the following bug fixes:
Bug Fix |
---|
Tenable Identity Exposure now computes SYSVOL files when creating an attribute with a name exceeding 500 characters. |
The Secure Relay now reflects the modifications made to SYSLOG configurations to re-enable the flow of SYSLOG messages to the SIEM. |
The Indicator of Exposure (IoE) Insufficient Hardening Against Ransomware now correctly manages allowlist exclusions. |
Tenable Identity Exposure resolved an issue that was impacting the accurate qualification of Privileged Groups in these IoEs: AdminCount Attribute Set on Standard Users, Disabled Accounts in Privileged Groups, Privileged Accounts Running Kerberos Services, and Mapped Certificates on Accounts. |
Microsoft EntraID scan statuses are now more accurate, providing clearer indications when an issue arises. |