Tenable.ad 3.11 Release Notes (On-prem & SaaS) (2021-12-01)
New Features (SaaS)
Tenable.ad version 3.11 includes the following new features:
- A new indicator of exposure lists dangerous permissions and misconfigured parameters related to the Windows Public Key Infrastructure (PKI).
New Features (dedicated for on-premises)
- Secure communications between components via TLS using Tenable.ad's self-signed auto-generated certificate or a custom certificate.
- A dedicated MSI for the security probe installation.
New Features (on-premises, previously available for SaaS)
- A lockout policy to mitigate brute force attacks against authentication mechanisms. It aims to lock out user accounts after too many failed login attempts.
- A product licensing feature to allow you to update your Tenable.ad license.
- Ability to disable certain indicators of exposure without restarting the security engine node.
- Support for the localization process.
- Single domain recrawling to force the refreshing of data for a domain.
- Use of native Server Message Block (SMB) mapping.
- Upgrade of Node.js to v16.
Bug Fixes
Tenable.ad version 3.11 contains the following bug fixes:
Bug Fix | Defect ID |
---|---|
Tenable.ad purges the previous version's events from internal queues after each upgrade. | N/A |
The analytics service successfully reconnects to the RabbitMQ server after failures. | N/A |
The indicator of exposure C-PASSWORD-POLICY is more resilient against a specific corner case. | N/A |
Tenable.ad ignores InheritOnly ACEs when it checks ACLs to avoid false positives. | N/A |
The trail flow no longer freezes. | N/A |
The indicators of attack requiring Sysmon better tolerate Windows event versions, which strengthens detection. | N/A |
Patches

Tenable.ad version 3.11.7 contains the following patches.
Patch | Defect ID |
---|---|
Tenable.ad correctly flushes the Login event (4624) from its cache memory after a Logoff event (4634). | N/A |
Tenable.ad displays attacks that occur on the 1st day of the month in the correct month. | N/A |
When you remove a GPO, Tenable.ad only displays the deleted event. | N/A |
When the SYSVOL connection breaks, Tenable.ad renews the connection to allow the listener to fetch new events. | N/A |
The allow lists for Credentials Roaming users and groups now accept the samAccountName format. | N/A |
This patch also updates OpenSSL-related software to address the security issue CVE-2022-0778.

Tenable.ad version 3.11.6 contains the following patches.
Patch | Defect ID |
---|---|
SQL services are running when upgrading from version 3.11.3. | N/A |
Split architecture installations include TLS options. | N/A |
RabbitMQ correctly resumes after upgrading from version 3.1.5 to 3.11.3. | N/A |
Event insertion no longer affects performance. | N/A |
Events for Indicators of Attack do not consume too many memory resources. | N/A |

Tenable.ad version 3.11.4 contains the following patches.
Patch | Defect ID |
---|---|
The Tenable.ad installer pre-fills values for IP/ports from variables during an upgrade. | N/A |
The upgrade correctly considers existing certificates. | N/A |
The SQL service account can now access local certificates. | N/A |
Tenable.ad updates group members when they change Organizational Units (OU). | N/A |
The Security Probe installer completes after a reinstallation. | N/A |
The Tenable.ad installer verifies that the PFX certificates are valid. | N/A |