Asset Tags

Tenable Security Center asset tags are lists of devices (for example, laptops, servers, tablets, or phones) within a Tenable Security Center organization. Asset Tags can be shared with one or more users based on local security policy requirements.

You can add an asset tag to group devices that share common attributes. Then, you can use the asset tag during scan configuration to target the devices in the asset tag. Examples of common attributes include:

  • IP address ranges

  • hardware types

  • vulnerabilities

  • outdated software versions

  • operating systems

Tenable Security Center supports template-based and custom asset tag. For more information, see Add a Template-Based Asset Tag and Add a Custom Asset Tag. To view details for any of your asset tag, see View Asset Tag Details.

To view details about individual hosts that appear in your asset tags, see View Hosts and View Host Details.

Note: When a scan import completes, it queues a job to calculate all dynamic and combination asset tags for the import repository. The next scan import does not begin until the previous scan import asset tag job completes. Usually the asset tag job runs quickly, but delays can occur due to extremely large repositories, a large quantity of asset tags, a backlogged job queue, or other system issues. This does not affect running scans.

Asset tag lists are calculated for each repository, and updating one repository does not affect other repositories.

Template-Based Asset Tags

Tenable provides asset tag templates that you can customize for your environment. Tenable-provided asset tag templates are updated via the Tenable Security Center feed and visible depending on other configurations.

Custom Asset Tags

Tenable Security Center supports the following custom asset tag types: Static Asset Tags, DNS Name List Asset Tags,LDAP Query Asset Tags,Combination Asset Tags, Dynamic Asset Tags, Watchlist Asset Tags, and Import Asset Tags.

Static Asset Tags

Static asset tags are lists of IP addresses. You can use static asset tags immediately after configuration.

For example, if your organization assigns laptops within a defined IP address range, you can create a custom static asset tag for laptops using that IP address range.

Option

Description

Name

A name for the asset tag.

Description

A description for the asset tag.

Label

A label for the asset tag. For more information, see Labels.

IP Addresses

IP addresses to include within the asset tag (50,000 character limit).

  • Type a comma-separated list of IP addresses, CIDR addresses, or ranges.

  • Upload a .txt file containing a comma-separated list of IP addressees, CIDR addresses, or ranges.

DNS Name List Asset Tags

Note: You cannot select a DNS name list asset as the target of an agent scan or an agent synchronization job.

Option

Description

Name

A name for the asset tag.

Description

A description for the asset tag.

DNS Names

The DNS hostnames for the asset tag to be based on.

LDAP Query Asset Tags

Note: You cannot select an LDAP query asset tag as the target of an agent scan or an agent synchronization job.

The LDAP query asset tag type appears if your organization includes a configured LDAP server.

Option

Description

Name

A name for the asset tag.

Description

A description for the asset tag.

LDAP Server

The LDAP server where you want to perform the query.

Note: If the LDAP server uses a different DNS server than Tenable Security Center, Tenable Security Center cannot resolve hostnames retrieved from the LDAP server.

Note:Tenable Security Center cannot retrieve more than one page of LDAP results. If Tenable Security Center asset or user authentication queries are not retrieving all expected results, consider modifying your LDAP pagination control settings to increase the results per page.

Search Base

The LDAP search base used as the starting point to search for specific LDAP data.

Search String

Modify this string to create a search based on a location or filter other than the default search base or attribute.

Generate Preview

Click to display a preview query in the Results Preview section. The preview lists the LDAP data that matches the defined search string.

Combination Asset Tags

Combination asset tags allow you to create an asset tag based on existing asset tags and the AND, OR, and NOT operators.

Combination asset tags can include agent IDs if the asset tag contains exclusively dynamic asset tags. You may experience unexpected asset tag behavior if your combination asset tag contains other asset tag types and interacts with agent repository data.

Option

Description

Name

A name for the asset tag.

Description

A description for the asset tag.

Combination

This option accepts multiple existing asset tags utilizing the operators AND, OR, and NOT. You can use these operators and multiple existing asset tags to create new unique asset tags . If the source asset tags change, the Combination asset tag updates to match the new conditions.

To configure the query:

  1. Click inside the Combination box.

    A list of asset tags appears.

  2. Click one of the options in the list to select it.

  3. Press Space.

  4. Continue selecting options and pressing space to describe the combination asset tag you want to configure.

Tip: A red border around a combination option indicates there is a problem in the query logic.

Dynamic Asset Tags

Dynamic asset tags are flexible groups of condition statements that Tenable Security Center uses to retrieve a list of devices meeting the conditions. Tenable Security Center refreshes dynamic asset tag lists using the results from Tenable Security Center scans. You cannot use dynamic asset tags until after Tenable Security Center performs an initial discovery scan and retrieves a list of devices.

Note: Before a scan can target a dynamic asset tag list, you must first run a host discovery scan in the associated repository. For more information, see the troubleshooting article.

Note: If a dependent scan uses a dynamic asset tag list, the asset list will update before the scan runs.

Dynamic asset tags can include agent IDs.

For example, in the asset tag above, Tenable Security Center retrieves a list of Linux systems listening on TCP Port 80.

Option

Description

Name

A name for the asset tag.

Description

A description for the asset tag.

Asset Definition

Defines the rules for creating a dynamic asset tag list. Hover over an existing rule to display the options to add, edit, or delete a group or a rule.

Dynamic Asset Tag Rule Logic

Valid Operators

Effect

Plugin ID

is equal to

Value must be equal to value specified.

not equal to

Value must be not equal to value specified.

is less than

Value must be less than the value specified.

is greater than

Value must be greater than the value specified.

Plugin Text

is equal to

Value must be equal to value specified.

not equal to

Value must be not equal to value specified.

contains the pattern

Value must contain the text specified (for example, ABCDEF contains ABC).

Posix regex

Any valid Posix regex pattern contained within “/” and “/” (example: /.*ABC.*/).

Perl compatible regex

Any valid Perl compatible regex pattern.

Operating System

is equal to

Value must be equal to value specified.

not equal to

Value must be not equal to value specified.

contains the pattern

Value must contain the text specified (for example, ABCDEF contains ABC).

Posix regex

Any valid Posix regex pattern contained within “/” and “/” (for example, /.*ABC.*/).

Perl compatible regex

Any valid Perl compatible regex pattern.

IP Address

is equal to

Value must be equal to value specified.

not equal to

Value must be not equal to value specified.

DNS, NetBIOS Host, NetBIOS Workgroup, MAC, SSH v1 Fingerprint, SSH v2 Fingerprint

is equal to

Value must be equal to value specified.

not equal to

Value must be not equal to value specified.

contains the pattern

Value must contain the text specified (for example, 1.2.3.124 contains 124).

Posix regex

Any valid Posix regex pattern contained within “/” and “/” (for example, /.*ABC.*/).

Perl compatible regex

Any valid Perl compatible regex pattern.

Port, TCP Port, UDP Port

is equal to

Value must be equal to value specified.

not equal to

Value must be not equal to value specified.

is less than

Value is less than value specified.

is greater than

Value is greater than the value specified.

Days Since Discovery, Days Since Observation

is equal to

Value must be equal to value specified (maximum 365).

not equal to

Value must be not equal to value specified (maximum 365).

is less than

Value is less than value specified (maximum 365).

is greater than

Value is greater than the value specified (maximum 365).

where Plugin ID is

Any valid plugin ID number. You can enter multiple plugin IDs using a range or comma-separated plugin IDs (for example, 3, 10189, 34598, 50000-55000, 800001-800055).

Severity

is equal to

Value must be equal to value specified: Info, Low, Medium, High, or Critical.

not equal to

Value must be not equal to value specified: Info, Low, Medium, High, or Critical.

is less than

Value must be less than the value specified: Info, Low, Medium, High, or Critical.

is greater than

Value must be greater than the value specified: Info, Low, Medium, High, or Critical.

where Plugin ID is

Any valid plugin ID number. You can enter multiple plugin IDs using a range or comma-separated plugin IDs (for example, 3, 10189, 34598, 50000-55000, 800001-800055).

Exploit Available

Is

Click True or False in the drop-down box.

Exploit Frameworks

is equal to

Value must be equal to value specified.

Is not equal to

Value must not be equal to value specified.

contains the pattern

Value must contain the pattern entered.

XRef

Value must be in the XRef option.

Watchlist Asset Tags

You can use a watchlist asset tag to maintain lists of IPs that are not in the user’s managed range of IP addresses. You can filter for IPs from a watchlist regardless of your IP address range configuration to help analyze event activity originating outside of the user’s managed range. For example, if a block of IP addresses is a known source of malicious activity, you could add it to a Malicious IPs watchlist and to a custom query.

Note: Watchlists only use event data to create the asset tag list.

Option

Description

Name

A name for the asset tag.

Description

A description for the asset tag.

IP Addresses

IP addresses to include within the asset tag list (20,000 character limit). You can enter one address, CIDR address, or range per line.

Click Choose File to import a list of IP addresses from a saved file.

Import Asset Tags

Option

Description

Name

The asset tag name.

Asset Tag

Click Choose File to choose the asset tag that was previously exported for import into Tenable Security Center.