Asset Filters

You can use asset attributes to filter data in asset views and dashboards. For more information, see:

In Tenable.io, you can use asset filters in tables and dashboards, and to create tag rules, as follows:

Type                      Created By   Filter Tables   Filter Dashboards   Create Tag Rules
Tenable-provided filters  Tenable      Yes             Yes                 Yes
Tag filters               users        Yes             No                  Yes

Tenable-provided Filters

Note: To optimize performance, Tenable limits the number of filters that you can apply to any Explore > Findings or Assets views (including Group By tables) to four.

Attribute Description Supported in Tag Rules?
ACR Score

(Requires Lumin license) The asset's ACR.

No
ACR Severity

(Requires Lumin license) The ACR category of the ACR calculated for the asset.

No
AES

(Requires Lumin license) The Asset Exposure Score (AES) calculated for the asset.

No
AES Severity

(Requires Lumin license) The AES category of the AES calculated for the asset.

No
Asset Assessed

Specifies whether the asset has been assessed for vulnerabilities. For a list of conditions that cause an asset to be assessed, see How Assets are Counted. Once assessed, the asset is always categorized as assessed, even if it ages out of the license count.

Yes
Asset ID

The asset's UUID.

No
AWS Availability Zone

The name of the Availability Zone where AWS hosts the virtual machine instance. For more information, see Regions and Availability Zones in the AWS documentation.

Yes
AWS EC2 AMI ID

The unique identifier of the Linux AMI image in Amazon Elastic Compute Cloud (Amazon EC2). For more information, see the Amazon Elastic Compute Cloud Documentation.

Yes
AWS EC2 Instance ID

The unique identifier of the Linux instance in Amazon EC2. For more information, see the Amazon Elastic Compute Cloud Documentation.

Yes
AWS EC2 Name

The name of the virtual machine instance in Amazon EC2.

Yes
AWS EC2 Product Code

The product code associated with the AMI used to launch the virtual machine instance in Amazon EC2.

Yes
AWS Instance State

The state of the virtual machine instance in AWS at the time of the scan. For possible values, see API Instance State in the Amazon Elastic Compute Cloud Documentation.

Yes
AWS Instance Type

The type of virtual machine instance in Amazon EC2. Amazon EC2 instance types dictate the specifications of the instance (for example, how much RAM it has). For a list of possible values, see Amazon EC2 Instance Types in the AWS documentation.

Yes
AWS Owner

A UUID for the Amazon AWS account that created the virtual machine instance. For more information, see AWS Account Identifiers in the AWS documentation.

This attribute contains a value for Amazon EC2 instances only. For other asset types, this attribute is empty.

Yes
AWS Region

The region where AWS hosts the virtual machine instance, for example, us-east-1. For more information, see Regions and Availability Zones in the AWS documentation.

Yes
AWS Security Group

The AWS security group (SG) associated with the Amazon EC2 instance.

Yes
AWS Subnet ID

The unique identifier of the AWS subnet where the virtual machine instance was running at the time of the scan.

Yes
AWS VPC ID

The unique identifier of the public cloud that hosts the AWS virtual machine instance. For more information, see the Amazon Virtual Private Cloud User Guide.

Yes
Azure Resource ID

The unique identifier of the resource in the Azure Resource Manager. For more information, see the Azure Resource Manager Documentation.

Yes
Azure VM ID

The unique identifier of the Microsoft Azure virtual machine instance. For more information, see Accessing and Using Azure VM Unique ID in the Microsoft Azure documentation.

Yes
BigFix Asset ID

The unique identifiers of the asset in IBM BigFix. For more information, see the IBM BigFix documentation.

No
Created Date

The time and date when Tenable.io created the asset record.

No
Deleted Date

The time and date when a user deleted the asset record. When a user deletes an asset record, Tenable.io retains the record until the asset ages out of the license count.

No
Device Type

(Requires Lumin license) The device_type key driver value that influenced the asset's calculated ACR score.

No
DNS

The fully-qualified domain name of the host that the vulnerability was detected on.

Yes
First Seen

The date and time when a scan first identified the asset.

No
Google Cloud Instance ID

The unique identifier of the virtual machine instance in Google Cloud Platform (GCP).

Yes
Google Cloud Project ID

The customized name of the project to which the virtual machine instance belongs in GCP. For more information, see Creating and Managing Projects in the GCP documentation.

Yes
Google Cloud Zone

The zone where the virtual machine instance runs in GCP. For more information, see Regions and Zones in the GCP documentation.

Yes
Has Plugin Results

Specifies whether the asset has plugin results associated with it.

Yes
Hostname/IP Address

Use this filter to limit assets by the following asset identifiers:

  • hostname
  • FQDN
  • IPv4 address

This filter supports multiple asset identifiers as a comma-separated list (for example, hostname_example, example.com, 192.168.0.0). For IP addresses, you can specify individual addresses, CIDR notation (for example, 192.168.0.0/24), or a range (for example, 192.168.0.1-192.168.0.255).

Note: You cannot filter assets by IPv6 address.

Note: Ensure the search query does not end in a period and does not include any hyphens.

No
Installed Software

A list of Common Platform Enumeration (CPE) values that represent software applications a scan identified as present on an asset. This field supports the CPE 2.2 format. For more information, see the Component Syntax section of the CPE Specification documentation, Version 2.2. For assets identified in Tenable scans, this field contains data only if a scan using Nessus Plugin ID 45590 has evaluated the asset.

Note: If no scan detects an application within 30 days of the scan that originally detected the application, Tenable.io considers the detection of that application expired. As a result, the next time a scan evaluates the asset, Tenable.io removes the expired application from the Installed Software attribute. This activity is logged as a remove type of attribute change in the asset activity log.

Yes
IPv4 Address

An IPv4 address that a scan has associated with the asset record.

This filter supports multiple asset identifiers as a comma-separated list (for example, hostname_example, example.com, 192.168.0.0). For IP addresses, you can specify individual addresses, CIDR notation (for example, 192.168.0.0/24), or a range (for example, 192.168.0.1-192.168.0.255).

Note: Tenable.io does not support a CIDR mask of /0 for this parameter, because that value would match all IP addresses. If you submit a /0 value for this parameter, Tenable.io returns a 400 Bad Request error message.

Note: Ensure the search query does not end in a period.

Yes
Is Licensed (VM)

Specifies whether the asset is included in the asset count for the Tenable.io instance.

No
Is Licensed (WAS)

Specifies whether the asset is included in the asset count for the Tenable.io Web Application Scanning instance.

An asset is licensed if it meets the following criteria:

  • The scan results for the asset do not include discovery plugin results.

  • The scan results for the asset do not include Tenable.io Web Application Scanning sources (e.g., results from Nessus scanners, Agents, Nessus Network Monitor).

  • The asset has not been terminated.

No
Is Deleted

Specifies whether the asset has been deleted.

No
Is Terminated

Specifies whether the virtual instance of the asset has been terminated.

No
Last Assessed

A Tenable-provided time period during which an assessment scan ran against the asset. Supported values are:

  • 7 Days Ago
  • 14 Days Ago
  • 30 Days Ago
  • 90 Days Ago

No
Last Assessed Date

The start date of a user-defined period during which an assessment scan ran against the asset. The implicit end date is the current date.

No
Last Authenticated Scan

The time and date of the last credentialed scan run on the asset.

Note: This filter supports the following operators:

  • Earlier than — Returns any asset that meets either of the following conditions:
    • Tenable.io has never run a credentialed scan for the asset.
    • The most recent credentialed scan of the asset ran earlier than 12 AM on the selected date.

    For example, if, on June 15, you select the date range 30 Days Ago, the credentialed scan must have started to run before 12 AM on May 16. In other words, the filter returns assets from May 15 or earlier.

  • Earlier than (strict) — Returns the same assets as Earlier than, except that it excludes assets for which Tenable.io has never run a credentialed scan.
  • Later than — Returns any asset whose most recent credentialed scan ran later than 12 AM on the selected date.

    For example, if, on June 15, you select the date range 30 Days Ago, the credentialed scan must have started after 12 AM on May 16. In other words, the filter returns assets from May 16 or later.

No
Last Seen

The date and time of the scan that most recently identified the asset.

No
MAC Address

A MAC address that a scan has associated with the asset record.

Yes
Mitigation

An umbrella filter that, when selected, filters on the following criteria:

  • Mitigation - Detected: Specifies whether a scan has identified a mitigation on the asset.
  • Mitigation - Last Detected: The date range within which a scan identified a mitigation on the asset. Possible values are earlier than or later than:
    • 7 Days Ago
    • 14 Days Ago
    • 30 Days Ago
    • 90 Days Ago
  • Mitigation - Product Name: The name of the mitigation software identified on the asset. Lumin defines mitigations as security agent software running on endpoint assets, which include antivirus software, Endpoint Protection Platforms (EPPs), or Endpoint Detection and Response (EDR) solutions.
  • Mitigation - Vendor Name: The name of the vendor for the mitigation that a scan identified on the asset.
  • Mitigation - Version: The version of the mitigation that a scan identified on the asset.

No
NetBIOS Name

The NetBIOS name for the asset.

Yes
Network Name

The name of the network object associated with scanners that identified the asset. The default network name is Default. For more information about networks, see Networks.

Yes
Operating System

The operating system that a scan identified as installed on the asset.

Yes
Qualys Asset ID

The Asset ID of the asset in Qualys. For more information, see the Qualys documentation.

This field contains a value only for assets associated with Qualys vulnerabilities you import via the Tenable.io API. For more information, see the Tenable Developer Portal.

Yes
Qualys Host ID

The Host ID of the asset in Qualys. For more information, see the Qualys documentation.

This field contains a value only for assets associated with Qualys vulnerabilities you import via the Tenable.io API. For more information, see the Tenable Developer Portal.

Yes
Scan Frequency

The number of times the asset was scanned within the past 90 days.

No
ServiceNow Sys ID

The unique record identifier of the asset in ServiceNow. For more information, see the ServiceNow documentation.

Yes
Source

The source of the scan that identified the asset. Possible values are:

  • Agent (Nessus Agent)
  • Nessus (Nessus scan)
  • PVS/NNM (Nessus Network Monitor)
  • WAS (Web Application Scanning)
  • AWS Connector
  • Azure Connector
  • GCP Connector
  • Qualys Connector

Yes
Tag (Category: Value)

A unique filter that searches tag (category: value) pairs. For more information, see Tags.

No
Target Groups

The target group to which the asset belongs. This attribute is empty if the asset does not belong to a target group. For more information, see Target Groups.

No
Tenable UUID

The UUID of the agent present on the asset. This attribute is empty if no agent is present on the asset.

Yes
Terminated Date

The date on which the virtual instance of the asset was terminated.

No
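The three Last Authenticated Scan operators described in the table above differ mainly in how they treat assets that have never had a credentialed scan. The following added example (not Tenable code) models them in Python over a constructed inventory; the operator keys, function names and sample assets are hypothetical, and the handling of a scan at exactly 12 AM is an assumption.

```python
from datetime import date, datetime, time, timedelta

def cutoff(today, days_ago):
    """12 AM on the selected date (June 15 with 30 Days Ago gives May 16)."""
    return datetime.combine(today - timedelta(days=days_ago), time.min)

def matches(last_auth_scan, operator, selected):
    """Apply one operator; last_auth_scan is None when no credentialed scan ever ran."""
    if operator == "earlier_than":
        return last_auth_scan is None or last_auth_scan < selected
    if operator == "earlier_than_strict":
        return last_auth_scan is not None and last_auth_scan < selected
    if operator == "later_than":
        # Assumption: a scan at exactly 12 AM counts as neither earlier nor later.
        return last_auth_scan is not None and last_auth_scan > selected
    raise ValueError(f"unknown operator: {operator}")

def select(assets, operator, today, days_ago):
    """Names of the assets the filter would return for this operator."""
    selected = cutoff(today, days_ago)
    return [name for name, last in assets if matches(last, operator, selected)]

def never_authenticated(assets, today, days_ago):
    """Assets only the non-strict operator returns: no credentialed scan on record."""
    loose = select(assets, "earlier_than", today, days_ago)
    strict = set(select(assets, "earlier_than_strict", today, days_ago))
    return [name for name in loose if name not in strict]

# Constructed sample inventory: (asset name, start of last credentialed scan).
ASSETS = [
    ("web01", datetime(2023, 5, 15, 23, 59)),
    ("db01", datetime(2023, 5, 16, 0, 1)),
    ("iot01", None),
    ("app01", datetime(2023, 6, 10, 9, 30)),
]
TODAY = date(2023, 6, 15)

if __name__ == "__main__":
    for op in ("earlier_than", "earlier_than_strict", "later_than"):
        print(op, select(ASSETS, op, TODAY, 30))
    print("never authenticated:", never_authenticated(ASSETS, TODAY, 30))
```

Comparing the results of Earlier than and Earlier than (strict) isolates the assets with no credentialed scan at all, which is the group a coverage review usually needs first.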

Guidelines for Tenable-provided Filters

Tenable recommends using human-readable strings when using the contains or does not contain operator for the following filters:

  • ACR Drivers
  • DNS (FQDN)
  • Hostname/IP Address
  • Installed Software
  • NetBIOS Name
  • Operating System

Note: When using the contains or does not contain operators, do not use periods in your search values. Also, the search values are case-sensitive.

For example, when filtering on Operating System, use "Windows" instead of "Win". Tenable also recommends filtering on characters at the beginning of search strings, instead of characters in the middle or end of search strings. For example, when trying to match on an asset with the hostname "localhost", filtering on "local" instead of "host" or "h" returns better results.
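The IPv4 Address row in the table above accepts a comma-separated list of addresses, CIDR blocks and ranges, rejects a /0 mask, and must not end in a period. The following added example (not Tenable code) is a pre-flight check for such a value, written with Python's standard ipaddress module; the function names and the sample value are constructed for illustration, and it treats every term as an IP form only.

```python
import ipaddress

def classify_term(term):
    """Return (kind, problem); problem is None when the term is acceptable."""
    if not term:
        return ("invalid", "empty term")
    if term.endswith("."):
        return ("invalid", "ends in a period")
    if ":" in term:
        return ("invalid", "IPv6 is not supported")
    try:
        if "/" in term:
            net = ipaddress.IPv4Network(term, strict=False)
            if net.prefixlen == 0:
                # The page states that /0 is answered with 400 Bad Request.
                return ("cidr", "/0 mask matches all addresses and is rejected")
            return ("cidr", None)
        if "-" in term:
            # Range form: first address, hyphen, last address.
            for part in term.split("-", 1):
                ipaddress.IPv4Address(part.strip())
            return ("range", None)
        ipaddress.IPv4Address(term)
        return ("address", None)
    except ValueError:
        return ("invalid", "not an IPv4 address, CIDR block or range")

def check_filter_value(value):
    """Split a comma-separated filter value and classify every term."""
    return [(t.strip(),) + classify_term(t.strip()) for t in value.split(",")]

def rejected_terms(value):
    """Only the terms that should be fixed before the filter is applied."""
    return [term for term, _kind, problem in check_filter_value(value) if problem]

# Constructed sample value mixing accepted and rejected forms.
SAMPLE = ("192.168.0.0, 192.168.0.0/24, 192.168.0.1-192.168.0.255, "
          "0.0.0.0/0, 10.0.0.1., fe80::1")

if __name__ == "__main__":
    for term, kind, problem in check_filter_value(SAMPLE):
        print(f"{term:28} {kind:8} {problem or 'ok'}")
```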

Tag Filters

In Tenable.io, tags allow you to add descriptive metadata to assets that helps you group assets by business context. For more information, see Tags.

On the Assets page, you can filter vulnerabilities by tags applied to the related assets.

In the Category drop-down box for a filter, your organization's tags appear at the bottom of the list, after the Tenable-provided filters.

If you want to export vulnerabilities for assets filtered by tag, use the CSV export format. Tenable.io does not support tag filters in other export formats.

Note: If you exceed the current asset query limitation of 25,000, a message appears in your interface. Refine the query to a tag that returns fewer than 25,000 assets.

You can also use tag filters to create tag rules.