Asset Tracking in Tenable Security Center
Assets in Tenable Security Center are tracked by several attributes, depending on the asset repository and scan configuration of the sensors that identify the assets.
- Assets in universal repositories are tracked by asset attribute.
- Assets in IPv4 and IPv6 repositories are tracked by IP address.
- Assets in agent repositories are tracked by agent UUID.
When you import asset data, if Tenable Security Center cannot find an existing asset that matches the imported host, the asset is added to Tenable Security Center as a new asset.
For more information about repositories in Tenable Security Center, see Repositories.
The following identification attributes (IAs) are considered when determining whether an imported asset matches an existing one, in descending order of priority:
- Tenable UUID (from credentialed scans of managed hosts, Tenable Nessus Agents, or imported Tenable OT Security data)
- BIOS UUID
- MAC Address
- NetBIOS Name
- Fully Qualified Domain Name (FQDN)
- IP Address (IPv4 and IPv6)
Similar to Tenable Vulnerability Management, Tenable Security Center verifies that there are no conflicting higher priority attributes when it finds a match. For example, if there is a MAC Address match, but the Tenable UUID is different, the assets will not merge. When a unique asset is discovered, the following informational message will appear in /opt/sc/admin/logs/YYMMdd.log (sc-logs.txt in a Tenable Security Center debug zip).
Scan Result #<Job ID> - <IP Address or Agent UUID> did not match any existing assets
Possible root causes for duplicate assets include, but are not limited to:
- Different scan types for the same asset, such as Agent scans and non-credentialed Tenable Nessus scans or, similarly, credentialed Tenable Nessus scans with the Create unique identifier on hosts scanned using credentials (host_tagging) setting disabled in the Advanced settings of the scan policy. While Agent scans have access to the local Tenable UUID, the same is not true for a non-credentialed or equivalent scan. If an asset was duplicated as a result of a non-credentialed or equivalent scan after a credentialed one, the assets will not merge until the next credentialed or equivalent scan.
- Different network interfaces of an asset scanned in one or more non-credentialed scans. Because each network interface is associated with a different MAC Address, and the Tenable UUID cannot be accessed in a non-credentialed scan, a unique asset will be created for each network interface.
For more information about universal repositories, see Universal Repositories.
If the Track hosts which have been issued new IP address setting is enabled (default), assets are tracked using the following IAs in this order:
- DNS Name
- NetBIOS Name
- Tenable UUID (from credentialed scans of managed hosts)
- MAC Address
- IP Address (IPv4 or IPv6, based on repository type)
If the Track hosts which have been issued new IP address setting is disabled, assets are tracked only by IP address.
During scan import, Tenable Security Center checks the repository targeted by the scan job for the IAs listed above.
- If the IP has any of the attributes listed above, Tenable Security Center migrates all of the vulnerabilities in the cumulative results to the IP seen in the scan result.
- If the IP has none of the attributes listed above, Tenable Security Center considers it a new asset.
- Once a match has been made, Tenable Security Center does not search for more matches.
For example, if Tenable Security Center does not match a DNS name, but it does match a NetBIOS name, the system does not check the Agent UUID or MAC address.
Note: The Track hosts which have been issued new IP address setting is in the Advanced settings section, and is enabled by default in Active Scans. Tenable recommends that networks using DHCP enable this setting to properly track hosts.
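The two matching behaviours described above (universal repositories, which reject a match when a higher-priority attribute conflicts, and IPv4/IPv6 repositories, where the first matching attribute wins) can be modelled in a few lines. This is an added illustration, not Tenable's code; the attribute keys and the sample assets are constructed for the example.

```python
# Added illustration of the matching rules described on this page; not Tenable's code.
# Attribute keys and the sample assets below are constructed for the example.
from typing import Optional

# Universal repositories: identification attributes in descending priority
# (dns_name stands for the FQDN here and for the DNS Name in IP repositories).
UNIVERSAL_IA = ["tenable_uuid", "bios_uuid", "mac", "netbios", "dns_name", "ip"]
# IPv4/IPv6 repositories with "Track hosts which have been issued new IP address" enabled.
IP_REPO_IA = ["dns_name", "netbios", "tenable_uuid", "mac", "ip"]

# Constructed cumulative-result assets standing in for an existing repository.
EXISTING = [
    {"name": "srv-01", "tenable_uuid": "uuid-A", "mac": "00:11:22:33:44:55",
     "dns_name": "srv-01.example.test", "ip": "10.0.0.5"},
    {"name": "srv-02", "tenable_uuid": "uuid-B", "mac": "00:11:22:33:44:66",
     "netbios": "SRV-02", "ip": "10.0.0.6"},
]


def match_universal(imported: dict, existing: list) -> Optional[dict]:
    """Return the asset the imported host merges into, or None (new asset).
    A match on a lower-priority attribute is rejected when any higher-priority
    attribute is present on both records and differs (e.g. MAC equal, UUID not)."""
    for i, attr in enumerate(UNIVERSAL_IA):
        value = imported.get(attr)
        if value is None:
            continue
        for asset in existing:
            if asset.get(attr) != value:
                continue
            conflict = any(
                imported.get(h) is not None and asset.get(h) is not None
                and imported[h] != asset[h]
                for h in UNIVERSAL_IA[:i]
            )
            if not conflict:
                return asset
    return None


def match_ip_repository(imported: dict, existing: list, track_new_ip: bool = True) -> Optional[dict]:
    """First attribute that matches wins; later attributes are not consulted.
    With the tracking setting disabled, only the IP address is compared."""
    for attr in IP_REPO_IA if track_new_ip else ["ip"]:
        value = imported.get(attr)
        if value is None:
            continue
        for asset in existing:
            if asset.get(attr) == value:
                return asset
    return None
```

Feeding the same host (NetBIOS name of srv-02, MAC of srv-01) to both functions shows the difference: the universal rules merge it into srv-01 on MAC with no conflicting UUID, while the IP-repository rules stop at the NetBIOS match and never look at the MAC.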
For more information about IPv4 and IPv6 repositories, see IPv4/IPv6 Repositories.
Assets in agent repositories are tracked by UUID, because all assets in agent repositories have UUIDs.
For more information about agent repositories, see Agent Repositories.