Tenable Identity Exposure 2026 Release Notes

Tip: You can subscribe to receive alerts for Tenable documentation updates.

These release notes are listed in reverse chronological order.

Tenable Identity Exposure 3.112 (2026-02-04)

  • BadSuccessor Dangerous dMSA Permissions Indicator of Exposure: The text now aligns with the Microsoft patch from August 2025 to ensure accurate reporting in post-patch management.

Tenable Identity Exposure 3.111 (2026-01-22)

  • Improved Indicator of Attack Filtering and Syslog Correlation

    • Traceability: All IoA detected attacks now show a unique Attack ID in a dedicated column in the IoA page.

    • Search: You can filter the IoA page using this specific ID for instant lookups.

    • Export: Syslog messages now include the Attack ID for easier cross-reference of logs in your SIEM.

Bug Fixes
Indicators of Exposure now correctly display all Microsoft Active Directory UI references in the appropriate localized languages.
Compression and Removal log tasks now initialize reliably across all folder naming formats to maintain consistent disk space.
Tenable Identity Exposure now accurately tracks and reports container license usage for all active instances.
Secure websocket connections between Tenable One and Tenable Identity Exposure are successfully established when using SAML authentication.
The Tenable Identity Exposure documentation link now points to the most current resources.
Tenable Identity Exposure optimized the user interface by removing the megaphone icon menu button.

Tenable Identity Exposure 3.110 (2026-01-08)

  • Installation — You can now use additional Indicator of Attack installation script parameters (certificate output, file signature, and timer) to authorize the script within your EDR and allow the deployment to proceed.

    New parameters are:

    • OutputCertificate: Allows the output the Tenable certificate in the current directory (useful when necessary to allowlist it in EDR/AV). This parameter is optional.

    • GetSignatureToWhitelist: Allows the display the hash of deployed listenerLauncher.ps1 script to allowlist it in the EDR/AV prior to the deployment.

    • TimerInMinutes: Sets a delay (in minutes) before starting the IoA deployment. Use this timer during installation to pause the process before the deployment begins.

    See Indicators of Attack Installation Script in the Tenable Identity Exposure User Guide for the procedure and list of parameters.

Bug Fixes
In the Exposure Center, the creation of exclusions now works with group memberships.
Tenable Identity Exposure updated the Tenable App Switcher in the top header to stay consistent with Tenable One.
It is now mandatory to provide an 'Event-change expression' when saving or editing a Syslog alert.
The Indicator of Attack date picker uses local time instead of UTC time.
Tenable Identity Exposure displays the correct error message when it encounters invalid Tenable Cloud keys.
Tenable Identity Exposure uses the correct Tenable logo in email alerts.
Domain connectivity testing works as expected.