Web App Scanning Analysis Filter Components

Required Additional License: Tenable Web App Scanning

Required Tenable Nessus Version: 10.6.1 or later

Filters limit the results of the displayed web app vulnerability data and can be added, modified, or reset as desired. For more information, see Filters.

Filter Component Description
Asset Criticality Rating (ACR)

(Requires Tenable Security Center+ license) Filters for vulnerabilities on hosts within the specified ACR range, between 0 and 10.

For more information, see Asset Criticality Rating in the Tenable Vulnerability Management User Guide.

Tip: To edit the ACR for an asset, see Edit an ACR Manually.

Asset Exposure Score (AES)

(Requires Tenable Security Center+ license) Filters for hosts within the specified AES range, between 0 and 1000.

For more information, see Asset Exposure Score in the Tenable Vulnerability Management User Guide.

AES Severity

(Requires Tenable Security Center+ license) Filters for hosts with the specified AES severity.

For more information, see Asset Exposure Score in the Tenable Vulnerability Management User Guide.

Accept Risk

Displays web app vulnerabilities based on their Accepted Risk workflow status. Available choices include Accepted Risk or Non-Accepted Risk. Choosing both options displays all vulnerabilities regardless of acceptance status.

Address

This filter specifies an IPv4 or IPv6 address, range, or CIDR block to limit the viewed vulnerabilities. For example, entering 198.51.100.28/24 and/or 2001:DB8::/32 limits any of the web tools to show vulnerability data from the specified networks. You can enter addresses in a comma-separated list or on separate lines.
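As an added illustration (not Tenable code), the following helper parses Address filter text in the form the page describes, with IPv4/IPv6 addresses, ranges, or CIDR blocks separated by commas or newlines, and tests a host address against it; the range syntax `first-last` and the masking of host bits in a block such as 198.51.100.28/24 are assumptions about the filter's behaviour.

```python
import ipaddress
import re

# Assumed helper, not Tenable's implementation: turns the Address filter text
# into a list of ip_network objects and checks whether a host falls inside it.

def parse_address_filter(text: str):
    """Parse comma- or newline-separated addresses, ranges, and CIDR blocks."""
    networks = []
    for token in re.split(r"[,\n]", text):
        token = token.strip()
        if not token:
            continue
        if "-" in token:
            # Explicit range such as 192.0.2.10-192.0.2.20 (assumed syntax);
            # summarize_address_range() expands it to the covering prefixes.
            first, last = (ipaddress.ip_address(p.strip()) for p in token.split("-", 1))
            networks.extend(ipaddress.summarize_address_range(first, last))
        else:
            # strict=False lets "198.51.100.28/24" stand for 198.51.100.0/24:
            # the host bits in the entered block are masked off rather than
            # rejected. A bare address parses as a /32 or /128.
            networks.append(ipaddress.ip_network(token, strict=False))
    return networks

def address_matches(host: str, networks) -> bool:
    """True if the host address lies in any parsed network (version-aware)."""
    addr = ipaddress.ip_address(host)
    # ip_network containment already returns False across IPv4/IPv6 versions.
    return any(addr in net for net in networks)

# Constructed sample filter text, mixing the page's two examples with a range.
SAMPLE_FILTER = "198.51.100.28/24, 2001:DB8::/32\n192.0.2.10-192.0.2.20"
```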

Agent ID

Displays results matching the specified agent UUID (Tenable UUID). An agent UUID uniquely identifies:

  • Agent-detected assets that may share a common IP address.

  • OT Security assets that may not have an IP address. For more information, see OT Security Instances.

Application CPE

Allows a text string search to match against available CPEs. The filter can be set to Contains, Exact Match, or Regex Filter. Regex Filter is based on Perl-compatible regular expressions (PCRE).

Asset

This filter displays systems from the assets you select. If another asset also contains systems from the primary asset (i.e., the asset lists intersect), those assets are displayed as well.

Tip: Use NOT, OR, and AND operators to exclude unwanted assets from the view.

Audit File

Filters vulnerabilities by plugin IDs associated with the audit file used to perform a scan.

CCE ID

Displays results matching the entered CCE ID.

CVE ID

Displays vulnerabilities based on one or more CVE IDs. Type multiple IDs as a comma-separated list (e.g., CVE-2011-3348,CVE-2011-3268,CVE-2011-3267).

CVSS v2 Score

Displays vulnerabilities within the chosen Common Vulnerability Scoring System version 2 (CVSS v2) score range.

CVSS v2 Vector

Filters results based on a search against the CVSS v2 vector information.

CVSS v3 Score

Displays vulnerabilities within the chosen Common Vulnerability Scoring System version 3 (CVSS v3) score range.

CVSS v3 Vector

Filters results based on a search against the CVSS v3 vector information.

Cross References

Filters results based on a search against the cross reference information in a vulnerability.

DNS Name

This filter specifies a DNS name to limit the viewed vulnerabilities. For example, entering host.example.com limits any of the web tools to only show vulnerability data from that DNS name.

Data Format

Displays results matching the specified data type: IPv4, IPv6, or Agent.

Exploit Available

If set to yes, displays only vulnerabilities for which a known public exploit exists.

Exploit Frameworks

When set, matches exploit frameworks whose name is equal to or contains the entered text.

Host ID

Displays the host ID of the discovered asset.

IAVM ID

Displays vulnerabilities based on one or more IAVM IDs. Type multiple IDs as a comma-separated list (e.g., 2011-A-0005,2011-A-0007,2012-A-0004).

Input Name

If the asset is vulnerable to injection attacks, this displays the name of the asset component where an attacker could inject malicious code.

Input Type

If the asset is vulnerable to injection attacks, this displays the component of the asset where an attacker could inject malicious code (for example, a form or session cookie).

MS Bulletin ID

Displays vulnerabilities based on one or more Microsoft Bulletin IDs. Type multiple IDs as a comma-separated list (e.g., MS10-012,MS10-054,MS11-020).

Mitigated

Displays vulnerabilities for a specific mitigation status:

  • Previously Mitigated — the vulnerability was previously mitigated but it reappeared in a scan and is currently vulnerable

  • Never Mitigated — the vulnerability is currently vulnerable and has never been mitigated

For more information about mitigation, see Mitigated Vulnerabilities.

NetBIOS Name

Displays vulnerabilities that match the specified NetBIOS name.

In the drop-down, select Exact Match, Contains, or Regex Match. Regex Match is based on Perl-compatible regular expressions (PCRE).

Note: This filter searches for exact matches only. Type the NetBIOS name as workgroup \ NetBIOS name.

Operating System

The operating system that a scan identified as installed on the asset.

Patch Published

Some plugins contain information about when a patch was published for a vulnerability. This filter allows the user to search based on when a vulnerability's patch became available:

  • None (displays vulnerabilities that do not have a patch available)

  • Within the last day
  • Within the last 7 days
  • Within the last 30 days
  • More than 7 days ago
  • More than 30 days ago
  • Current Month
  • Last Month
  • Current Quarter (during the current calendar year quarter)
  • Last Quarter (during the previous calendar year quarter)
  • Current Year
  • Last Year
  • Custom Range (during a specific range you specify)
  • Explicit (at a specific time you specify)

Plugin Family

This filter chooses a Nessus or Tenable Nessus Network Monitor plugin family. Only vulnerabilities from that family display.

Plugin ID

Type the desired plugin ID, or a range based on a plugin ID. Available operators are equal to (=), not equal to (!=), greater than or equal to (>=), and less than or equal to (<=).

Plugin Modified

Tenable plugins contain information about when a plugin was last modified. This filter allows users to search based on when a particular plugin was modified:

  • Within the last day
  • Within the last 7 days
  • Within the last 30 days
  • More than 7 days ago
  • More than 30 days ago
  • Current Month
  • Last Month
  • Current Quarter (during the current calendar year quarter)
  • Last Quarter (during the previous calendar year quarter)
  • Current Year
  • Last Year
  • Custom Range (during a specific range you specify)
  • Explicit (at a specific time you specify)

Plugin Name

Using the Contains option, type all or a portion of the actual plugin name. For example, entering MS08-067 in the plugin name filter displays vulnerabilities using the plugin named MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Remote Code Execution (958644) (uncredentialed check). Similarly, entering the string uncredentialed displays a list of vulnerabilities with that string in the plugin name.

Use the Regex Match option to filter plugin names based on Perl-compatible regular expressions (PCRE).

Plugin Published

Tenable plugins contain information about when a plugin was first published. This filter allows users to search based on when a particular plugin was created:

  • Within the last day
  • Within the last 7 days
  • Within the last 30 days
  • More than 7 days ago
  • More than 30 days ago
  • Current Month
  • Last Month
  • Current Quarter (during the current calendar year quarter)
  • Last Quarter (during the previous calendar year quarter)
  • Current Year
  • Last Year
  • Custom Range (during a specific range you specify)
  • Explicit (at a specific time you specify)

Plugin Type

Select whether to view all plugin types or passive, active, event, or compliance vulnerabilities.

Port

This filter has two parts. First, specify the equality operator to match vulnerabilities on the same ports, on different ports, on all ports less than, or on all ports greater than the port filter value. The port filter accepts a comma-separated list of ports. For the greater than or less than operators, only one port may be used.

Note: All host-based vulnerability checks are reported with a port of 0 (zero).

Protocol

This filter provides boxes to select TCP, UDP, or ICMP-based vulnerabilities.

Recast Risk

Displays vulnerabilities based on their Recast Risk workflow status. Available choices include Recast Risk or Non-Recast Risk. Choosing both options displays all vulnerabilities regardless of recast risk status.

Repositories

Displays vulnerabilities from the chosen repositories.

STIG Severity

Displays vulnerabilities with the chosen STIG severity in the plugins database.

Scan Policy Plugins

Displays vulnerabilities found by the plugins currently enabled in the scan policy. The policy's Plugins tab specifies which plugins are used during its Tenable Nessus scan; you can enable or disable plugins in the plugin family view, or in the plugin view for more granular control.

Security End of Life Date

When available, Tenable plugins contain information about software end of life dates. This filter allows users to search based on when a particular piece of software reaches end of life:

  • Within the last day
  • Within the last 7 days
  • Within the last 30 days
  • More than 7 days ago
  • More than 30 days ago
  • Current Month
  • Last Month
  • Current Quarter (during the current calendar year quarter)
  • Last Quarter (during the previous calendar year quarter)
  • Current Year
  • Last Year
  • Custom Range (during a specific range you specify)
  • Explicit (at a specific time you specify)

Severity

Displays vulnerabilities with the selected severity. For more information, see CVSS vs. VPR.

Users

Allows selection of one or more users who are responsible for the vulnerabilities.

Vulnerability Discovered

Tenable Security Center tracks when each vulnerability was first discovered. This filter allows you to see when vulnerabilities were discovered:

  • Within the last day
  • Within the last 7 days
  • Within the last 30 days
  • More than 7 days ago
  • More than 30 days ago
  • Current Month
  • Last Month
  • Current Quarter (during the current calendar year quarter)
  • Last Quarter (during the previous calendar year quarter)
  • Current Year
  • Last Year
  • Custom Range (during a specific range you specify)
  • Explicit (at a specific time you specify)

Note: The discovery date is based on when the vulnerability was first imported into Tenable Security Center. For Tenable Nessus Network Monitor, this date does not match the exact vulnerability discovery time, as there is normally a lag between the time Tenable Nessus Network Monitor discovers a vulnerability and the import.

Note: Days are calculated based on 24-hour periods prior to the current time, not calendar days. For example, if the report run time was 1/8/2019 at 1:00 PM, using a 3-day count would include vulnerabilities starting 1/5/2019 at 1:00 PM and not from 12:00 AM.
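The relative date options listed under Vulnerability Discovered, Vulnerability Last Observed, Patch Published, Plugin Published, Plugin Modified, Security End of Life Date and Vulnerability Published share the same semantics, including the 24-hour-period rule in the note above. The helper below is an added example (not Tenable code) that evaluates those options; the option names, the half-open interval convention and the use of calendar quarters are assumptions.

```python
from datetime import datetime, timedelta

# Assumed helper, not Tenable's implementation. Option names are constructed.
# "Days" are 24-hour periods counted back from `now`, not calendar days, as the
# note above states; month, quarter and year options use calendar boundaries.

def _midnight(d: datetime) -> datetime:
    return d.replace(hour=0, minute=0, second=0, microsecond=0)

def _month_start(d: datetime) -> datetime:
    return _midnight(d).replace(day=1)

def _quarter_start(d: datetime) -> datetime:
    return _month_start(d).replace(month=3 * ((d.month - 1) // 3) + 1)

def _add_months(first_of_month: datetime, n: int) -> datetime:
    """Shift a first-of-month timestamp by n months (n may be negative)."""
    m = first_of_month.month - 1 + n
    return first_of_month.replace(year=first_of_month.year + m // 12, month=m % 12 + 1)

def date_window(option: str, now: datetime, n: int = 0):
    """Return the half-open interval [start, end) an option selects."""
    if option == "within_last_days":        # e.g. "Within the last 7 days"
        return now - timedelta(days=n), datetime.max
    if option == "more_than_days_ago":      # e.g. "More than 30 days ago"
        return datetime.min, now - timedelta(days=n)
    if option == "current_month":
        return _month_start(now), _add_months(_month_start(now), 1)
    if option == "last_month":
        return _add_months(_month_start(now), -1), _month_start(now)
    if option == "current_quarter":
        return _quarter_start(now), _add_months(_quarter_start(now), 3)
    if option == "last_quarter":
        return _add_months(_quarter_start(now), -3), _quarter_start(now)
    if option == "current_year":
        ys = _month_start(now).replace(month=1)
        return ys, ys.replace(year=ys.year + 1)
    if option == "last_year":
        ys = _month_start(now).replace(month=1)
        return ys.replace(year=ys.year - 1), ys
    raise ValueError(f"unknown option {option!r}")

def matches(option: str, when: datetime, now: datetime, n: int = 0) -> bool:
    """True if a discovery/observation timestamp falls in the option's window."""
    start, end = date_window(option, now, n)
    return start <= when < end

# The page's own example: a report run on 1/8/2019 at 1:00 PM with a 3-day count.
REPORT_TIME = datetime(2019, 1, 8, 13, 0)
```

A vulnerability imported on 1/5/2019 at 12:00 PM is outside the 3-day window, while one imported at 2:00 PM that day is inside, which is the distinction the note draws against a calendar-day count.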

Vulnerability ID

The ID for the vulnerability. The authority that identifies a given vulnerability determines the vulnerability's ID format.

Vulnerability Last Observed

This filter allows the user to see when the vulnerability was last observed by Tenable Nessus, Tenable Log Correlation Engine, or Tenable Nessus Network Monitor:

  • Within the last day
  • Within the last 7 days
  • Within the last 30 days
  • More than 7 days ago
  • More than 30 days ago
  • Current Month
  • Last Month
  • Current Quarter (during the current calendar year quarter)
  • Last Quarter (during the previous calendar year quarter)
  • Current Year
  • Last Year
  • Custom Range (during a specific range you specify)
  • Explicit (at a specific time you specify)

Note: The observation date is based on when the vulnerability was most recently imported into Tenable Security Center. For Tenable Nessus Network Monitor, this date does not match the exact vulnerability discovery time, as there is normally a lag between the time Tenable Nessus Network Monitor discovers a vulnerability and the import.

Vulnerability Priority Rating (VPR)

Displays vulnerabilities within the chosen VPR range. For more information, see CVSS vs. VPR.

Vulnerability Published

When available, Tenable plugins contain information about when a vulnerability was published. This filter allows users to search based on when a particular vulnerability was published:

  • All
  • Within the last day
  • Within the last 7 days
  • Within the last 30 days
  • More than 7 days ago
  • More than 30 days ago
  • Current Month
  • Last Month
  • Current Quarter (during the current calendar year quarter)
  • Last Quarter (during the previous calendar year quarter)
  • Current Year
  • Last Year
  • Custom Range (during a specific range you specify)
  • Explicit (at a specific time you specify)

Vulnerability Text

Displays vulnerabilities containing the entered text (e.g., php 5.3) or regex search term.

Web App URL

The URL for the discovered web application associated with the vulnerability. Separate multiple URLs with single quotations and commas.