Tenable Identity Exposure 2024 Release Notes

Tip: You can subscribe to receive alerts for Tenable documentation updates.

These release notes are listed in reverse chronological order.

Tenable Identity Exposure 3.76 (2024-07-25)

  • Conflicting Security Principals Indicator of Exposure (IoE) — A new IoE checks that there are no duplicated (conflicting) objects such as users, computers, or groups.

  • Dangerous Kerberos Delegation IoE — A new reason reports all accounts where the attribute used by the constrained delegation (msDS-AllowedToDelegateTo) refers to a Service Principal Name (SPN) that does not exist.

  • Active DirectoryTenable Identity Exposure increased the size limit for the AD objects it manages.

Tenable Identity Exposure version 3.76 contains the following bug fixes:

Bug Fix
In the Identity Explorer, the "Search a tenant" label now shows the correct localization in French.
The Shadow Credentials IoE now handles correctly false positives from orphan key credentials.
When installing the Secure Relay on a domain-joined machine using a Domain Admin account, a pop-up message appears to instruct you to use a Local Admin account.
Tenable Identity Exposure updated permissions behaviors related to the Indicators of Exposure pages.
There are no longer logging issues in the NTDS Extraction Indicator of Attack (IoA) that prevented it from working properly in certain edge cases.

Tenable Identity Exposure 3.75 (2024-07-16)

  • Shadow Credentials Indicator of Exposure (IoE) — A new IoE detects backdoors and misconfigurations of shadow credentials in the "Windows Hello for Business" feature and its associated key credentials.

  • User Primary Group IoE — An additional reason reports on all accounts where the primaryGroupID attribute appears empty due to insufficient rights.

  • Password Spraying Indicator of Attack (IoA) — In some scenarios, this IoA caused system performance issues, including memory overload, but it now groups alerts related to the same attack into a single alert to resolve these issues.

  • These IoAs no longer trigger alerts in the following cases:

    • DC Sync— When the source is a user or hostname related to the Azure ADConnect tool (basic mode only).

    • NTDS Extraction — When the source tool is either VSS Requestor or Veeam (legitimate backup tools).

    • Enumeration of Local Administrators — When the IoA cannot find the source user SID (basic mode only).

    • Petit Potam — When the IoA cannot retrieve the associated logon event.

    • Golden Ticket — When the IoA cannot fetch the source vectors (basic mode only).

Tenable Identity Exposure version 3.75 contains the following bug fixes:

Bug Fix
The Password Guessing IoA's option "Detection time interval" now shows the correct label.
The Application of Weak Password Policies on Users IoE now links to resources in the correct language.
The Identity Explorer page now loads the Identity data more rapidly.

Tenable Identity Exposure 3.74 (2024-06-26)

  • DC Sync, NTDS Extraction, Enumeration of Local Administrators Indicators of Attack (IoA) — The "Basic" mode no longer raises alerts in the following scenarios:

    • When the IoA detects event loss or a significant delay in event ingestion.

    • When the IoA cannot identify the source of an attack due to missing event data.

  • NTDS Extraction IoA — A new active option in "basic" and "aggressive" mode called "Whitelisted Processes" exempts legitimate processes flagged during attacks.

Tenable Identity Exposure version 3.74 contains the following bug fixes:

Bug Fix
A new mechanism ensures that the database is resilient to having too many modifications in the badPwdCount attribute. In certain edge cases, the service responsible for managing the rate of bad password count events experienced a disconnection from the message queue manager, causing interruptions in event handling.
Activity logs no longer report internal services activity.

Tenable Identity Exposure 3.73 (2024-06-13)

Tenable Identity Exposure version 3.73 contains the following bug fixes:

Bug Fix
Tenable Identity Exposure enhanced its ability to prevent SQL queries from executing indefinitely on small SaaS platforms, ensuring reliable database accessibility.
The Workspace menu (App Switcher) now occupies less space in the user interface to provide more room to showcase page content.

Tenable Identity Exposure 3.72 (2024-05-30)

  • Users can now set the event gathering duration for Indicators of Attack (IoA) before triggering analysis, with values ranging from 30 seconds to 9 minutes (a trade-off between latency and accuracy).

  • Golden Ticket IoA — To reduce false positives, Tenable Identity Exposure implemented a 10-hour deferral period during which it automatically allowlists legitimate users.

Tenable Identity Exposure version 3.72 contains the following bug fixes:

Bug Fix
Tenable Identity Exposure introduced a mechanism during the Relay startup to perform a network check between the Relay and the platform. If the platform is not yet operational, the Relay startup process waits to ensure a stable connection before proceeding.
The authentication service now automatically restores communication channels in the event of disruptions to ensure reliable authentication capabilities.
Tenable Identity Exposure implemented a security mechanism to address the user enumeration capability during account lockouts.
The tenant filtering functionality now works correctly, allowing users to filter and view Indicators of Exposure specific to their tenant when dealing with Entra ID-related incidents.

Tenable Identity Exposure 3.71 (2024-05-22)

Note: The enhancements and bug fixes for Tenable Identity Exposure 3.70 are included in the 3.71 version.

  • Indicators of Attack (IoA)

  • DC Sync:

  • The default value for the "Defer Time" option increased from 1 h to 12 h to allow a larger window to filter out legitimate events.

  • The default value for the "Allow Unknown Source" option changed from False to True to prevent a false negative caused by the default profile's inability to customize this option.

  • Golden Ticket — Detection of Windows Event Log loss to prevent triggering false positives in certain cases.

  • Enumeration of Local Administrators — Managed service accounts undergo filtering processes to reduce the occurrence of false positive detections.

  • Indicators of Exposure (IoE)

    • Protected Users Group Not Used — An additional reason in the IoE reports all privileged users who are not in this group.

    • Last Password Change on KRBTGT Account — Support for the krbtgt_AzureAD account in Windows Hello for Business (Cloud Trust deployment).

Tenable Identity Exposure version 3.71 contains the following bug fixes:

Bug Fix

Indicators of Attack (IoA):

  • Credential Dumping: LSASS Memory

    • A change in the correlation for the process name in the attack vector of this IoA to decrease the number of unknowns.

    • Improvement to the deny list filtering in basic mode.

  • NTDS Extraction — Improvement to the deny list filtering in basic mode.
Last Password Change on KRBTGT account Indicator of Exposure — Removed the options 'Keep Disabled Accounts' and 'Keep Deleted Accounts' from the security profile customization.
There are no longer occasional interruptions of IoA and IoE analysis for an hour or longer.
Tenable Identity Exposure improved the data quality on the Identity Explorer page.
The Relay now ensures reliable Syslog message delivery across networks with latency.
The web application now supports uploading an ECC CA certificate to use for validation of TLS connections, including LDAPS authentication, SMTPS, and more.

Tenable Identity Exposure 3.69 (2024-04-18)

  • New Indicators of Exposure (IoEs)

    • Managed Service Accounts Dangerous Misconfigurations — Ensures the proper deployment and configuration of Managed Service Accounts.

    • Enabled Guest Account — Checks that the built-in guest account is disabled.

  • Indicators of Exposure Enhancements

    • Domain Without Computer-Hardening GPOs — Integrated new checks designed to address null sessions, which all domain computers should explicitly deactivate.

    • Native Administrative Group Members — Added "Exchange Servers", "Exchange Windows Permissions", and "Exchange Trusted Subsystem" groups to the allowlist for custom groups. This modification applies to the default security profile only and not to existing custom security profiles.

    • User Account Using Old Password — Added two reasons to distinguish between privileged users and regular users.

  • To boost throughput, LDAP search requests now batch results between the Relay and the Ceti service.

Tenable Identity Exposure version 3.69 contains the following bug fixes:

Bug Fix
The enhanced detection algorithm in the Golden Ticket Indicator of Attack reduces false negatives and false positives.
Deviance remediation for the Accounts Using a Pre-Windows 2000 Compatible Access Control IoE now appears correctly.
The Domain Without Computer-Hardening GPOs IoE now accurately detects findings.

Tenable Identity Exposure 3.68 (2024-04-08)

Indicators of Exposure (IoEs) enhancements:

  • Dormant Accounts — Two new reasons to distinguish between privileged users and regular users.

  • Computers Running an Obsolete OS — A new value 'lastLogonTimestamp' to show the timestamp of the last successful user logon in the "Inactive obsolete OS" deviances.

  • Domain Without Computer-Hardening GPOs

    • New checks related to hardened UNC paths configured for domain controllers (SYSVOL/NETLOGON shares).

    • New checks related to the print spooler service that should remain disabled on domain controllers.

    • An enhancement to ensure proper Server Message Block (SMB) signing enforcement on domain controllers and other servers. It validates the "Default Domain Controllers Policy" parameter and checks for correct GPO configuration on other servers.

  • Resultant Set of Policy (RSoP) IoEs — For the re-execution of RSoP IoEs with up-to-date cache, Tenable Identity Exposure now aggregates the buffered events over a short duration to reduce the number of changes to analyze (by default 1 minute and only for the "Logon Restrictions for Privileged Users" IoE).

Tenable Identity Exposure version 3.68 contains the following bug fixes:

Bug Fix
It is now possible to update the Indicator of Attack (IoA) option on a customized security profile created before the introduction of new IoA options.
Public API endpoint /export/profile/:profileId/checkers/:checkerId now work correctly without options.

Tenable Identity Exposure 3.67 (2024-03-21)

  • Computers cannot appear as deviant due to the reason "Not protected against delegation." Tenable Identity Exposure addresses and resolves any existing deviances related to this issue.

  • Indicator of Exposure (IoE) enhancement — In the Kerberos Configuration on User Account IoE, users with smartcards are immune to the AS-REP Roasting attack and Tenable Identity Exposure no longer flags them as a security issue.

  • Indicators of Attack (IoA) enhancements:

    • Password Guessing — A new option "Password spraying detection time interval" specifies the number of minutes over which each failed login attempt classifies as a potential attack in progress.

    • Enumeration of Local Administrators

      • A new option "Filtered access rights in aggressive mode" considers only specified access rights fetched from the event 'A network share object was checked' to classify a potential attack in progress. This list only applies in aggressive mode.

      • The default value for the option "Heuristic for Domain Controllers using versions before Windows Server 2016" is now "False".

    • DCSync — The default value for the option "Allow unknown source" is now "False".

    • NTDS Extraction — New "Deny list" in "Basic mode": diskshadow, ntdsutil, esentutl, esentutldefrag mode, vssown, copy-vss, wmi-based technique, psexec_ntds_grab, wmiprvse, vssadmin, vss, impacket-secretsdump, vss_requestor, VeeamGuestHelper, WMI-based technique.

    • Credential Dumping LSASS Memory — New "Deny list" in "Basic mode": mimikatz, taskmgr, ipconfig, arp, powershell, net, auditpol, whoami, cmd, route, processhacker, net1, csc, procdump, osqueryi.

Tenable Identity Exposure version 3.67 contains the following bug fixes:

Bug Fix

Tenable Identity Exposure now correctly updates security profiles when you modify the following options for the following IoA configurations:

  • Credential Dumping LSASS Memory: — "Aggressive mode" and "Attack tools"

  • DCSync: "Aggressive mode" and "Defer time"

  • Golden Ticket: "Defer time"
If you have a Tenable One license, the user creation takes place in Tenable Vulnerability Management and propagates to Tenable Identity Exposure. In this case, when you click the "Create user" button in Tenable Identity Exposure, a message appears to direct you to Tenable Vulnerability Management to create users.
Tenable Identity Exposure now shows all Entra ID IoEs on the IoE pane.
The MSI log file is now available in C:\Tenable\Logs after the installation or an upgrade.

Tenable Identity Exposure 3.66 (2024-03-11)

Indicators of Attack (IoA) — New options for the following IoAs to limit false positives. For more information, see the Indicators of Attack Reference Guide.

Note: Beginning with this release, all IoAs on every security profile have the "Aggressive mode" option set to "False" by default. You can switch this option to "True" for each IoA in individual security profiles.

  • Suspicious DC Password Change — New options:

    • "Aggressive mode":

  • True: Detects the attack whether or not the user is authenticated.

  • False (default): Detects only authenticated users.

  • "Password change interval": In "Aggressive mode", this option specifies the period between two password changes (30 days by default).

  • DCSync — New option:

  • "Aggressive mode":

    • True: Triggers all attacks based on the IoA rules that can generate numerous false positives.

    • False (default): Triggers an attack only if the machine is not in the domain. This detects fewer attacks but avoids false positives.

Enhancements

  • Optimized the computation duration for Indicators of Exposure dependent on Resultant Set of Policy (RSoP), resulting in slower deviance computation related to the RSoP. For more information, see RSoP-Based Indicators of Exposure in the Tenable Identity Exposure User Guide.

  • Added support for limiting data visibility for Entra ID tenants in roles permissions management.

Tenable Identity Exposure version 3.66 contains the following bug fixes:

Bug Fix
OS Credential Dumping LSASS IoA — Tenable Identity Exposure now considers the allowlist specified for the "Aggressive mode" option.
Tenable Identity Exposure implemented a new mechanism to enhance the database's resilience in handling numerous modifications to the badPwdCount attribute using throttling measures to limit changes.
Tenable Identity Exposure updated the naming conventions for the Chinese language.

Tenable Identity Exposure 3.65 (2024-02-27)

Indicators of Attack (IoA) — New default values for the following IoAs to limit false positives. For more information, see the Indicators of Attack Reference Guide.

  • Golden Ticket — New "Aggressive Mode" option:

    • False (basic, default): Triggers an attack only if the targeted user is a domain controller or a user belonging to the Domain Admins group.

    • True: Allows attacks even if the target username is not a member of the "Domain Admins" group or a domain controller. It also allows attacks even if some domain controllers are not monitored (in other words, they do not emit any Windows Event Log).

  • SAMAccountName Impersonation — New "Aggressive Mode" option:

    • False (basic, default): Does not trigger an attack if the TargetUserName is not a domain controller (DC).

    • True: Triggers all attacks based on the IoA rules that can generate numerous false positives.

  • OS Credential Dumping: LSASS Memory — New options:

    • "Aggressive Mode":

    • False (basic, default): The IoA recognizes the tool and considers only the predefined processes as non-legitimate.

    • True: The IoA considers all attack tools as non-legitimate unless they are in the allowlist.

    • "Allowed processes in aggressive mode": Optional and applies only if the "Aggressive Mode" option = True.

    • "Basic Mode - Deny list": In basic mode, only the specified tools can trigger attacks.

  • NTDS Extraction— New options:

    • "Aggressive Mode":

  • False (basic, default): The IoA recognizes the tool and considers only the predefined processes as non-legitimate.

  • True: The IoA considers all attack tools as non-legitimate unless they are in the allowlist.

  • "Basic Mode - Deny list": On basic mode, only the specified tools can trigger attacks.

  • "Basic Mode Attack Whitelisted Processes" (formerly "Whitelisted Processes"): Optional and applies only if the "Aggressive Mode" option = True.

  • Massive Computers Reconnaissance— New default values for options:

    • Number of computers — 5000

    • Minimum number of computers — 100

    • Percentage of computers — 95

    • Sliding window — 240

    • Waiting time between attacks — 240

  • Password Guessing— New default value for option:

    • Number of accounts with failed attempts — 10 000

  • Enumeration of Local Administrators — The option "Heuristic for Domain Controllers using versions prior to Windows Server 2016" is now set to "False" by default.

Indicators of Exposure (IoE)

  • New IoEs

  • Privileged Authentication Silo Configuration — Provides a step-by-step guide on the configuration of an authentication silo for privileged (Tier-0) accounts.

  • Privileged AD User Accounts Synchronized to Microsoft Entra ID — Checks that privileged Active Directory user accounts are not synchronized to Microsoft Entra ID.

  • Enhancements

    • Dangerous Kerberos Delegation IoE — Introduces a new reason to detect the current configuration of Kerberos delegation on Microsoft Entra Connect account (AZUREADSSOACC).

    • Reversible Passwords IoE — Validates passwords configured for storage in a reversible format based on the settings defined by the msDS-PasswordReversibleEncryptionEnabled attribute within the Password Settings Object (PSO).

    • Local Administrative Account Management IoE — Adds support for the new Microsoft Local Administrator Password Solution (LAPS) with a new option called "LAPS version installed" and validates the LAPS version configuration based on the user's selections.

Tenable Identity Exposure version 3.65 contains the following bug fixes:

Bug Fix
Tenable Identity Exposure addressed an issue related to Microsoft Entra ID tenant deletion. Previously, when clicking on the deletion bin icon, certain previously acquired assets might persist. The current resolution ensures the complete deletion of all assets during this process.
Tenable Identity Exposure resolved an injection vulnerability in which a low-privileged local user could modify application files on the Tenable Identity Exposure Secure Relay host.
Tenable Identity Exposure fixed an issue with unsuccessful queries due to a null value, likely stemming from data inconsistency in the database. For instance, this could occur if a compact entitlement is directed at an asset that has not yet reached the necessary Software Factory (SF).
Tenable Identity Exposure enhanced the attack path functionality to prevent potential crashes during the initialization process in certain rare scenarios.
Tenable Identity Exposure implemented a new mechanism to ensure the database can handle multiple modifications to the badPwdCount attribute without compromising its integrity or performance.

Tenable Identity Exposure 3.64 (2024-02-07)

Tenable Identity Exposure version 3.64 contains the following bug fixes:

Bug Fix
The Indicator of Attack Suspicious DC Password Change resolved false positives related to Windows Server 2008 R2 systems that change their passwords every 30 days by default.

Tenable Identity Exposure 3.63 (2024-01-24)

  • Indicators of Attack — The "Allowed Processes" option in the Indicators of Attack Credential Dumping: LSASS Memory and NTDS Extraction includes processes known to raise false positives.

Tenable Identity Exposure version 3.63 contains the following bug fixes:

Bug Fix
Tenable Identity Exposure no longer shows topology domains after the removal of their associated domain.
Microsoft Entra ID's current scan status now indicates the error for a scan failure, even if previous scans were successful.
Tenable Identity Exposure now correctly refreshes CA certificates following a Syslog alert configuration update.
Tenable Identity Exposure's internal technical data no longer gets transmitted as assets to Tenable Cloud when this feature is active.
Deviances related to password reuse from the Detection of Password Weaknesses Indicator of Exposure now expose the incriminating password hash prefixes.
When analyzing a 4776 event lacking a hostname resulting in an "Unknown" source, Tenable Identity Exposure now filters out this deviance according to the "Allow Unknown Source" option in the Password Spraying Indicator of Attack.

Tenable Identity Exposure 3.62 (2024-01-10)

Tenable Identity Exposure version 3.62 contains the following bug fixes:

Bug Fix
Tenable Identity Exposure now computes SYSVOL files when creating an attribute with a name exceeding 500 characters.
The Secure Relay now reflects the modifications made to SYSLOG configurations to re-enable the flow of SYSLOG messages to the SIEM.
The Indicator of Exposure (IoE) Insufficient Hardening Against Ransomware now correctly manages allowlist exclusions.
Tenable Identity Exposure resolved an issue that was impacting the accurate qualification of Privileged Groups in these IoEs: AdminCount Attribute Set on Standard Users, Disabled Accounts in Privileged Groups, Privileged Accounts Running Kerberos Services, and Mapped Certificates on Accounts.
Microsoft EntraID scan statuses are now more accurate, providing clearer indications when an issue arises.