
SecurityCenter can be configured to perform actions, such as email alerts, for select vulnerability or alert occurrences to various users regardless of whether the events correlate to a local vulnerability or not. Other alert actions include UI notification, ticket creation/assignment, remediation scans, launching a report, email notification, and syslog alerting. Many actions can be assigned per ticket.

Click the menu to add an Alert from the main Alerts page. Here you can Edit, Evaluate, View (view details of), and Delete alerts. The Evaluate option allows an alert to be tested whether or not it has met the configured time criteria. Clicking on an alert will take the user to the Edit Alert page for the selected alert.

Alert Option Description


Alert name


Descriptive text for the alert


The setting determines how often the alert checks for the conditions to be matched. Selections vary in frequency from 15 minutes to monthly. Selecting Never creates an alert that is launched only on demand.


If set to alert on the first occurrence, the alert will only trigger when the condition initially changes from false to true. The other option is to trigger on each detection of the true condition.


Vulnerability, Event, or Ticket.


  • IP Count – Trigger on vulnerabilities or events whose IP address count matches the given parameters.
  • Unique Vulnerability/Event Count – Trigger an alert when the vulnerability/event count matches the given parameters. This option is set to Unique Vulnerability Count for vulnerability alerts and Event Count for event alerts.
  • Port Count – Trigger an alert when the events/vulnerabilities using a certain port number match the given parameters.


The dataset to which the trigger condition will be compared.


Apply advanced filters to the vulnerability or event data. The complete filter set may be created here, or if a Query was selected those parameters may be edited.

For more information, see Filters.

Add Actions

Adding actions will determine what the alert does with triggered events. The options are Assign Ticket, Email, Generate Syslog, Launch Scan, Launch Report, or Notify Users. Multiple actions may be triggered for each alert.

For more information, see Alert Actions.

Alert Actions

Tip: Use email alerts to interface with third-party ticketing systems by adding variables in the message option.

Action Option Description



Subject line of the alert email.


Message of the alert email. Within the message body, the following variables can be defined for email message customization:

  • Alert ID – Designated with the variable: %alertID%, this specifies the unique identification number assigned to the alert by SecurityCenter.
  • Alert name – Designated with the variable: %alertName%, this specifies the name assigned to the alert (e.g., “Test email alert”).
  • Trigger Name – Designated with the variable: %triggerName%, this specifies if the trigger is IP address count, Vulnerability count, or Port count.
  • Trigger Operator – Designated with the variable: %triggerOperator%, this specifies which operator was used for the count: >=, =, >= or !=
  • Trigger value – Designated with the variable: %triggerValue%, this specifies the specific threshold value set that will trigger the alert.
  • Calculated value – Designated with the variable: %calculatedValue%, this specifies the actual value that triggered the alert.
  • Alert Name – Designated with the variable: %alertName%, this specifies the name given to the alert within SecurityCenter.
  • Alert owner – Designated with the variable: %owner%, this specifies the user that created the alert.
  • SC URL – Designated with the variable: %url%, this specifies the URL at which SecurityCenter can be accessed. This is useful where the URL that users access SecurityCenter with differs from the URL known by SecurityCenter.

The sample email alert below contains some of these keywords embedded into an HTML email:


Alert <strong>%alertName%</strong> (id #%alertID%) has triggered.


<strong>Alert Definition:</strong> %triggerName% %triggerOperator% %triggerValue%

<strong>Calculated Value:</strong> %calculatedValue%


Please visit your SecurityCenter (<a href="%url%">%url%</a>) for more information.

This e-mail was automatically generated by SecurityCenter as a result of alert <strong>%alertName%</strong> owned by <strong>%owner%</strong>.


If you do not wish to receive this email, contact the alert owner.

Include Results

If this box is checked, the query results (maximum of 500) that triggered the alert are included in the email.


Users who will be emailed. The user email address is used with this function.

Tip: If a user is configured within the email action and that user is deleted, the action option within the alert turns red. In addition, a notification is displayed for the new alert owner with the new alert status. To resolve this, edit the alert action definitions and choose “Edit Action” to apply the correct user(s).

Email Addresses

Additional email addresses to send the alert to. For multiple recipients, add one email address per line or use a comma-separated list.
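
The tip above suggests feeding a third-party ticketing system from email alerts by placing variables in the message. The following is an added example, not Tenable code: a plain-text message template built only from the variables documented above, and a receiving-side parser that validates the substituted values before a ticket is opened. The `key: value` layout, the function name, the hostname `sc.example.test`, and the sample body are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Body for the email action's Message option: one documented variable per line.
MESSAGE_TEMPLATE = """\
alert_id: %alertID%
alert_name: %alertName%
trigger: %triggerName% %triggerOperator% %triggerValue%
calculated: %calculatedValue%
owner: %owner%
url: %url%
"""
# Constructed sample of a received body (all values are made up).
SAMPLE_BODY = """\
alert_id: 42
alert_name: Test email alert
trigger: IP Count >= 10
calculated: 17
owner: jdoe
url: https://sc.example.test/
"""
REQUIRED = ("alert_id", "alert_name", "trigger", "calculated", "owner", "url")
EXPECTED_HOST = "sc.example.test"        # assumption: your SecurityCenter host
FIELD = re.compile(r"^([a-z_]+):[ \t]*(.*)$")
UNEXPANDED = re.compile(r"%[A-Za-z]+%")  # variable that was never substituted

def parse_alert_email(body):
    """Parse a received alert body into ticket fields; ValueError if suspect."""
    fields = {}
    for line in body.splitlines():
        m = FIELD.match(line.strip())
        if not m or m.group(1) not in REQUIRED:
            continue                     # ignore lines outside the template
        if m.group(1) in fields:         # repeated key suggests injected text
            raise ValueError(f"duplicate field: {m.group(1)}")
        fields[m.group(1)] = m.group(2).strip()
    missing = [k for k in REQUIRED if not fields.get(k)]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    if any(UNEXPANDED.search(v) for v in fields.values()):
        raise ValueError("unexpanded %variable% in message")
    if not re.fullmatch(r"[0-9]{1,10}", fields["alert_id"]):
        raise ValueError("alert_id is not numeric")
    url = urlsplit(fields["url"])
    if url.scheme != "https" or url.hostname != EXPECTED_HOST:
        raise ValueError("url does not point at the expected SecurityCenter")
    # Alert names are free text: drop control characters and cap the length.
    name = "".join(c for c in fields["alert_name"] if c.isprintable())[:120]
    return {**fields, "alert_id": int(fields["alert_id"]), "alert_name": name}
```

These checks cover the message body only; the receiving system should still confirm that the mail arrived from the expected relay before acting on it.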

Notify Users


Custom notification message to generate when the alert triggers.


Users who will receive the notification message.

Generate Syslog


Host that will receive the syslog alert.


UDP port used by the remote syslog server.


Severity level of the syslog messages (Critical, Warning, or Notice).


Message to include within the syslog alert.

Assign Ticket


Name assigned to the ticket


Ticket description


User who will receive the ticket



Scan template to be used for the alert scan. Allows the user to select from a list of available scan templates to launch a scan against a triggered host.

Note: The scanned host will be the host that triggered the scan and not the host within the scan template itself. IPs used for the scan targets are limited to the top 100 results of the alert query.


Report Template

Allows the user to select an existing report template and generate the report based on triggered alert data.

Copyright © 2019 Tenable, Inc. All rights reserved. Tenable, Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Lumin, Assure, and the Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.