Asset Tracking in Tenable Security Center Director

Assets in Tenable Security Center Director are tracked by several attributes, depending on the asset repository and scan configuration of the sensors that identify the assets.

When you import asset data, if Tenable Security Center Director cannot find an existing asset that matches the imported host, the asset is added to Tenable Security Center Director as a new asset.

For more information about repositories in Tenable Security Center Director, see Repositories.

Universal Repositories

The following identification attributes (IA) are considered in determining whether or not an imported asset matches an existing one, in descending order of priority:

  1. Tenable UUID (from credentialed scans of managed hosts, Tenable Nessus Agents, or imported Tenable OT Security data)

  2. BIOS UUID

  3. MAC Address

  4. NetBIOS Name

  5. Fully Qualified Domain Name (FQDN)

  6. IP Address (IPv4 and IPv6)

Similar to Tenable Vulnerability Management, Tenable Security Center Director verifies that there are no conflicting higher priority attributes when it finds a match. For example, if there is a MAC Address match but the Tenable UUID is different, the assets do not merge. When an imported host does not match any existing asset (and is therefore added as a new asset), the following informational message appears in /opt/sc/admin/logs/YYMMdd.log (sc-logs.txt in a Tenable Security Center Director debug zip):

Scan Result #<Job ID> - <IP Address or Agent UUID> did not match any existing assets

Possible root causes for duplicate assets include, but are not limited to:

  • different scan types for the same asset. Examples are an Agent scan combined with a non-credentialed Tenable Nessus scan, or a credentialed Tenable Nessus scan run with the Create unique identifier on hosts scanned using credentials (host_tagging) setting disabled in the Advanced settings of the scan policy. An Agent scan has access to the local Tenable UUID; a non-credentialed scan, or a credentialed scan with host_tagging disabled, does not. If an asset is duplicated because such a scan ran after a credentialed one, the duplicates do not merge until the next credentialed (or equivalent) scan reports the Tenable UUID again.

  • different network interfaces of the same asset seen in one or more non-credentialed scans. Each network interface has a different MAC Address, and the Tenable UUID is not available in a non-credentialed scan, so a separate asset is created for each interface.

For more information about universal repositories, see Universal Repositories.

IPv4 and IPv6 Repositories

If the Track hosts which have been issued new IP address setting is enabled (default), assets are tracked using the following IAs in this order:

  1. DNS Name

  2. NetBIOS Name

  3. Tenable UUID (from credentialed scans of managed hosts)

  4. MAC Address

  5. IP Address (IPv4 or IPv6, based on repository type)

If the Track hosts which have been issued new IP address setting is disabled, assets are tracked only by IP address.

During scan import, Tenable Security Center Director checks the repository targeted by the scan job for existing assets that share one of the IAs listed above, in that order.

  • If an existing asset shares one of those attributes with the scanned host, Tenable Security Center Director migrates all of that asset's vulnerabilities in the cumulative results to the IP address seen in the scan result.

  • If none of the attributes match an existing asset, Tenable Security Center Director considers the host a new asset.

  • Once a match has been made, Tenable Security Center Director does not search for more matches; the remaining IAs are not examined, even if their values differ. This is the key difference from universal repositories, where a higher priority attribute that conflicts prevents a merge.

For example, if Tenable Security Center Director does not match a DNS name but does match a NetBIOS name, it does not check the Tenable UUID or MAC address.

Note: The Track hosts which have been issued new IP address setting is in the Advanced settings section, and is enabled by default in Active Scans. Tenable recommends that networks using DHCP enable this setting to properly track hosts.
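The two matching rules above differ in a way that is easy to misread: universal repositories walk the identification attributes by priority and refuse a merge when a higher priority attribute conflicts, while IPv4/IPv6 repositories take the first attribute that matches and look no further. The following added example, which is not Tenable code and does not reflect Tenable Security Center Director's internal implementation, models both rules over the same constructed scan records so the outcomes can be compared. The record layout, the attribute key names (including modelling the IPv4/IPv6 "DNS Name" with the same "fqdn" key as the universal FQDN), the treatment of an attribute that is missing on one side as "no conflict", and the sample hosts are all assumptions made for illustration; the unmatched-asset message is built from the format documented above.

```python
"""Toy model of Tenable Security Center Director asset matching.

Added example; not Tenable code. Attribute names, the record layout and
the handling of missing attributes are assumptions for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Optional

# Identification attributes in descending priority, as the documentation lists them.
UNIVERSAL_IA = ["tenable_uuid", "bios_uuid", "mac", "netbios", "fqdn", "ip"]
# IPv4/IPv6 repositories with "Track hosts which have been issued new IP address" enabled.
# Assumption: the "DNS Name" attribute is modelled with the same "fqdn" key.
IPV_IA = ["fqdn", "netbios", "tenable_uuid", "mac", "ip"]


@dataclass
class Asset:
    asset_id: str
    attrs: dict  # IA name -> value; an IA the scan did not report is simply absent


def _conflicts(existing: dict, imported: dict, attrs: list) -> bool:
    """True if both records carry one of `attrs` and the values differ.

    Assumption: an attribute missing on either side is not treated as a conflict.
    """
    return any(a in existing and a in imported and existing[a] != imported[a] for a in attrs)


def match_universal(existing: list[Asset], imported: dict) -> Optional[Asset]:
    """Universal repository rule: walk the IAs by priority. A candidate that
    matches on attribute i is rejected if any higher-priority attribute conflicts."""
    for i, ia in enumerate(UNIVERSAL_IA):
        if ia not in imported:
            continue
        for asset in existing:
            if asset.attrs.get(ia) == imported[ia] and not _conflicts(
                asset.attrs, imported, UNIVERSAL_IA[:i]
            ):
                return asset
    return None


def match_ipv(existing: list[Asset], imported: dict, track_new_ip: bool = True) -> Optional[Asset]:
    """IPv4/IPv6 repository rule: the first IA that matches wins and nothing else
    is examined. With the tracking setting disabled only the IP address is compared."""
    order = IPV_IA if track_new_ip else ["ip"]
    for ia in order:
        if ia not in imported:
            continue
        for asset in existing:
            if asset.attrs.get(ia) == imported[ia]:
                return asset
    return None


def unmatched_log_line(job_id: int, imported: dict) -> str:
    """Message in the documented format for a host that matched no existing asset."""
    ident = imported.get("tenable_uuid") or imported["ip"]
    return f"Scan Result #{job_id} - {ident} did not match any existing assets"


def demo() -> dict:
    """Constructed scenarios (sample data, not taken from a real Tenable instance)."""
    web01 = Asset("A1", {"tenable_uuid": "U1", "mac": "00:11:22:33:44:55",
                         "fqdn": "web01.example.internal", "ip": "10.0.0.5"})
    existing = [web01]

    # 1. Credentialed rescan after a reimage: same NIC and IP, new Tenable UUID.
    reimaged = {"tenable_uuid": "U2", "mac": "00:11:22:33:44:55", "ip": "10.0.0.5"}
    # 2. Non-credentialed scan of a second interface: same FQDN, different MAC, no UUID.
    nic2 = {"mac": "00:11:22:33:44:66", "fqdn": "web01.example.internal", "ip": "10.0.1.5"}
    # 3. Credentialed scan after a NIC swap: same UUID, new MAC and IP.
    newnic = {"tenable_uuid": "U1", "mac": "00:11:22:33:44:77", "ip": "10.0.0.9"}

    return {
        "universal_reimaged": match_universal(existing, reimaged),  # no merge: UUID conflicts
        "ipv4_reimaged": match_ipv(existing, reimaged),             # merge: first hit is the MAC
        "universal_nic2": match_universal(existing, nic2),          # no merge: MAC conflict outranks FQDN
        "ipv4_nic2": match_ipv(existing, nic2),                     # merge: DNS name matches first
        "universal_newnic": match_universal(existing, newnic),      # merge: UUID wins, MAC is lower priority
        "ipv4_ip_only": match_ipv(existing, nic2, track_new_ip=False),  # no merge: only IP compared
        "log_nic2": unmatched_log_line(42, nic2),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result.asset_id if isinstance(result, Asset) else result)
```

The "reimaged" and "nic2" records are the interesting rows: the same scan result merges into the existing asset in an IPv4 repository but creates a duplicate in a universal repository, which is exactly the behaviour behind the duplicate-asset root causes listed for universal repositories.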

For more information about IPv4 and IPv6 repositories, see IPv4/IPv6 Repositories.

Agent Repositories

Assets in agent repositories are tracked by Tenable UUID only, because every asset reported by a Tenable Nessus Agent has one.

For more information about agent repositories, see Agent Repositories.