Asset Tags
Tenable Security Center asset tags are lists of devices (for example, laptops, servers, tablets, or phones) within a Tenable Security Center organization. Asset Tags can be shared with one or more users based on local security policy requirements.
You can add an asset tag to group devices that share common attributes. Then, you can use the asset tag during scan configuration to target the devices in the asset tag. Examples of common attributes include:
-
IP address ranges
-
hardware types
-
vulnerabilities
-
outdated software versions
-
operating systems
Tenable Security Center supports template-based and custom asset tag. For more information, see
To view details about individual hosts that appear in your asset tags, see
Note: When a scan import completes, it queues a job to calculate all dynamic and combination asset tags for the import repository. The next scan import does not begin until the previous scan import asset tag job completes. Usually the asset tag job runs quickly, but delays can occur due to extremely large repositories, a large quantity of asset tags, a backlogged job queue, or other system issues. This does not affect running scans.
Asset
Template-Based Asset Tags
Tenable provides asset tag templates that you can customize for your environment. Tenable-provided asset tag templates are updated via the Tenable Security Center feed and visible depending on other configurations.
Custom Asset Tags
Tenable Security Center supports the following custom asset tag types: Static Asset Tags, DNS Name List Asset Tags,
Static Asset Tags
Static asset tags are lists of IP addresses. You can use static asset tags immediately after configuration.
For example, if your organization assigns laptops within a defined IP address range, you can create a custom static asset tag for laptops using that IP address range.
|
Option |
Description |
|---|---|
|
Name |
A name for the asset tag. |
|
Description |
A description for the asset tag. |
|
Label |
A label for the asset tag. For more information, see |
|
IP Addresses |
IP addresses to include within the asset tag (
|
LDAP Query Asset Tags
Note: You cannot select an LDAP query asset tag as the target of an agent scan or an agent synchronization job.
The LDAP query asset tag type appears if your organization includes a configured LDAP server.
|
Option |
Description |
|---|---|
|
Name |
A name for the asset tag. |
|
Description |
A description for the asset tag. |
|
LDAP Server |
The LDAP server where you want to perform the query. Note: If the LDAP server uses a different DNS server than Tenable Security Center, Tenable Security Center cannot resolve hostnames retrieved from the LDAP server. Note:Tenable Security Center cannot retrieve more than one page of LDAP results. If Tenable Security Center asset or user authentication queries are not retrieving all expected results, consider modifying your LDAP pagination control settings to increase the results per page. |
|
Search Base |
The LDAP search base used as the starting point to search for specific LDAP data. |
|
Search String |
Modify this string to create a search based on a location or filter other than the default search base or attribute. |
|
Generate Preview |
Click to display a preview query in the Results Preview section. The preview lists the LDAP data that matches the defined search string. |
Combination Asset Tags
Combination asset tags allow you to create an asset tag based on existing asset tags and the AND, OR, and NOT operators.
Combination asset tags can include agent IDs if the asset tag contains exclusively dynamic asset tags. You may experience unexpected asset tag behavior if your combination asset tag contains other asset tag types and interacts with agent repository data.
|
Option |
Description |
|---|---|
|
Name |
A name for the asset tag. |
|
Description |
A description for the asset tag. |
|
Combination |
This option accepts multiple existing asset tags utilizing the operators AND, OR, and NOT. You can use these operators and multiple existing asset tags to create new unique asset tags . If the source asset tags change, the Combination asset tag updates to match the new conditions. To configure the query:
Tip: A red border around a combination option indicates there is a problem in the query logic. |
Dynamic Asset Tags
Dynamic asset tags are flexible groups of condition statements that Tenable Security Center uses to retrieve a list of devices meeting the conditions. Tenable Security Center refreshes dynamic asset tag lists using the results from Tenable Security Center scans. You cannot use dynamic asset tags until after Tenable Security Center performs an initial discovery scan and retrieves a list of devices.
Note: Before a scan can target a dynamic asset tag list, you must first run a host discovery scan in the associated repository. For more information, see the troubleshooting article.
Note: If a dependent scan uses a dynamic asset tag list, the asset list will update before the scan runs.
Dynamic asset tags can include agent IDs.
For example, in the asset tag above, Tenable Security Center retrieves a list of Linux systems listening on TCP Port 80.
|
Option |
Description |
|---|---|
|
Name |
A name for the asset tag. |
|
Description |
A description for the asset tag. |
|
Asset Definition |
Defines the rules for creating a dynamic asset tag list. Hover over an existing rule to display the options to add, edit, or delete a group or a rule. |
Dynamic Asset Tag Rule Logic
|
Valid Operators |
Effect |
|---|---|
|
Plugin ID |
|
|
is equal to |
Value must be equal to value specified. |
|
not equal to |
Value must be not equal to value specified. |
|
is less than |
Value must be less than the value specified. |
|
is greater than |
Value must be greater than the value specified. |
|
Plugin Text |
|
|
is equal to |
Value must be equal to value specified. |
|
not equal to |
Value must be not equal to value specified. |
|
contains the pattern |
Value must contain the text specified (for example, ABCDEF contains ABC). |
|
Posix regex |
Any valid Posix regex pattern contained within “/” and “/” (example: /.*ABC.*/). |
|
Perl compatible regex |
Any valid Perl compatible regex pattern. |
|
Operating System |
|
|
is equal to |
Value must be equal to value specified. |
|
not equal to |
Value must be not equal to value specified. |
|
contains the pattern |
Value must contain the text specified (for example, ABCDEF contains ABC). |
|
Posix regex |
Any valid Posix regex pattern contained within “/” and “/” (for example, /.*ABC.*/). |
|
Perl compatible regex |
Any valid Perl compatible regex pattern. |
|
IP Address |
|
|
is equal to |
Value must be equal to value specified. |
|
not equal to |
Value must be not equal to value specified. |
|
DNS, NetBIOS Host, NetBIOS Workgroup, MAC, SSH v1 Fingerprint, SSH v2 Fingerprint |
|
|
is equal to |
Value must be equal to value specified. |
|
not equal to |
Value must be not equal to value specified. |
|
contains the pattern |
Value must contain the text specified (for example, 1.2.3.124 contains 124). |
|
Posix regex |
Any valid Posix regex pattern contained within “/” and “/” (for example, /.*ABC.*/). |
|
Perl compatible regex |
Any valid Perl compatible regex pattern. |
|
Port, TCP Port, UDP Port |
|
|
is equal to |
Value must be equal to value specified. |
|
not equal to |
Value must be not equal to value specified. |
|
is less than |
Value is less than value specified. |
|
is greater than |
Value is greater than the value specified. |
|
Days Since Discovery, Days Since Observation |
|
|
is equal to |
Value must be equal to value specified (maximum 365). |
|
not equal to |
Value must be not equal to value specified (maximum 365). |
|
is less than |
Value is less than value specified (maximum 365). |
|
is greater than |
Value is greater than the value specified (maximum 365). |
|
where Plugin ID is |
Any valid plugin ID number. You can enter multiple plugin IDs using a range or comma-separated plugin IDs (for example, 3, 10189, 34598, 50000-55000, 800001-800055). |
|
Severity |
|
|
is equal to |
Value must be equal to value specified: Info, Low, Medium, High, or Critical. |
|
not equal to |
Value must be not equal to value specified: Info, Low, Medium, High, or Critical. |
|
is less than |
Value must be less than the value specified: Info, Low, Medium, High, or Critical. |
|
is greater than |
Value must be greater than the value specified: Info, Low, Medium, High, or Critical. |
|
where Plugin ID is |
Any valid plugin ID number. You can enter multiple plugin IDs using a range or comma-separated plugin IDs (for example, 3, 10189, 34598, 50000-55000, 800001-800055). |
|
Exploit Available |
|
|
Is |
Click True or False in the drop-down box. |
|
Exploit Frameworks |
|
|
is equal to |
Value must be equal to value specified. |
|
Is not equal to |
Value must not be equal to value specified. |
|
contains the pattern |
Value must contain the pattern entered. |
|
XRef |
|
|
Value must be in the XRef option. |
|
Watchlist Asset Tags
You can use a watchlist asset tag to maintain lists of IPs that are not in the user’s managed range of IP addresses. You can filter for IPs from a watchlist regardless of your IP address range configuration to help analyze event activity originating outside of the user’s managed range. For example, if a block of IP addresses is a known source of malicious activity, you could add it to a Malicious IPs watchlist and to a custom query.
Note: Watchlists only use event data to create the asset tag list.
|
Option |
Description |
|---|---|
|
Name |
A name for the asset tag. |
|
Description |
A description for the asset tag. |
|
IP Addresses |
IP addresses to include within the asset tag list (20,000 character limit). You can enter one address, CIDR address, or range per line. Click Choose File to import a list of IP addresses from a saved file. |