Legacy Workbench Asset Filters

Note: This topic describes filters available for assets within the legacy workbench Legacy Workbench Assets section. To view filters available for assets in the Explore section, see Explore Asset Filters.

You can use asset attributes to filter data in asset views and dashboards. For more information, see:

Tenable-provided Filters
Guidelines for Tenable-provided Filters
Tag Filters

In Tenable.io, you can use asset filters in tables and dashboards, and to create tag rules, as follows:

Type	Created By	Filter Tables	Filter Dashboards	Create Tag Rules
Tenable-provided filters	Tenable	Yes	Yes	Yes
Tag filters	users	Yes	No	Yes

Tenable-provided Filters

Note: To optimize performance, Tenable limits the number of filters that you can apply to any Explore > Findings or Assets views (including Group By tables) to 18.

Attribute	Description	Supported in Tag Rules?
ACR Score	(Requires Lumin license) The asset's ACR.	No
ACR Severity	(Requires Lumin license) The ACR category of the ACR calculated for the asset.	No
AES	(Requires Lumin license) The Asset Exposure Score (AES) calculated for the asset.	No
AES Severity	(Requires Lumin license) The AES category of the AES calculated for the asset.	No
Asset Assessed	Specifies whether the asset has been assessed for vulnerabilities. For a list of conditions that cause an asset to be assessed, see How Assets are Counted. Once assessed, the asset is always categorized as assessed, even if it ages out of the license count.	Yes
Asset ID	The asset's UUID.	No
AWS Availability Zone	The name of the Availability Zone where AWS hosts the virtual machine instance. For more information, see Regions and Availability Zones in the AWS documentation.	Yes
AWS EC2 AMI ID	The unique identifier of the Linux AMI image in Amazon Elastic Compute Cloud (Amazon EC2). For more information, see the Amazon Elastic Compute Cloud Documentation.	Yes
AWS EC2 Instance ID	The unique identifier of the Linux instance in Amazon EC2. For more information, see the Amazon Elastic Compute Cloud Documentation.	Yes
AWS EC2 Name	The name of the virtual machine instance in Amazon EC2.	Yes
AWS EC2 Product Code	The product code associated with the AMI used to launch the virtual machine instance in Amazon EC2.	Yes
AWS Instance State	The state of the virtual machine instance in AWS at the time of the scan. For possible values, see API Instance State in the Amazon Elastic Compute Cloud Documentation.	Yes
AWS Instance Type	The type of virtual machine instance in Amazon EC2. Amazon EC2 instance types dictate the specifications of the instance (for example, how much RAM it has). For a list of possible values, see Amazon EC2 Instance Types in the AWS documentation.	Yes
AWS Owner	A UUID for the Amazon AWS account that created the virtual machine instance. For more information, see AWS Account Identifiers in the AWS documentation. This attribute contains a value for Amazon EC2 instances only. For other asset types, this attribute is empty.	Yes
AWS Region	The region where AWS hosts the virtual machine instance, for example, us-east-1. For more information, see Regions and Availability Zones in the AWS documentation.	Yes
AWS Security Group	The AWS security group (SG) associated with the Amazon EC2 instance.	Yes
AWS Subnet ID	The unique identifier of the AWS subnet where the virtual machine instance was running at the time of the scan.	Yes
AWS VPC ID	The unique identifier of the public cloud that hosts the AWS virtual machine instance. For more information, see the Amazon Virtual Private Cloud User Guide.	Yes
Azure Location	The location of the resource in the Azure Resource Manager. For more information, see the Azure Resource Manager Documentation.
Azure Resource Group	The name of the resource group in the Azure Resource Manager. For more information, see the Azure Resource Manager Documentation.
Azure Resource ID	The unique identifier of the resource in the Azure Resource Manager. For more information, see the Azure Resource Manager Documentation.	Yes
Azure Resource Type	The resource type of the resource in the Azure Resource Manager. For more information, see the Azure Resource Manager Documentation.
Azure Subscription ID	The unique subscription identifier of the resource in the Azure Resource Manager. For more information, see the Azure Resource Manager Documentation.
Azure VM ID	The unique identifier of the Microsoft Azure virtual machine instance. For more information, see Accessing and Using Azure VM Unique ID in the Microsoft Azure documentation.	Yes
Belongs to Access Group	Specifies whether or not the asset belongs to an Access Group.
BigFix Asset ID	The unique identifiers of the asset in IBM BigFix. For more information, see the IBM BigFix documentation.	No
Deleted Date	The time and date when a user deleted the asset record. When a user deletes an asset record, Tenable.io retains the record until the asset ages out of the license count.
Device Type	(Requires Lumin license) The device_type key driver value that influenced the asset's calculated ACR score.	No
DNS	The fully-qualified domain name of the host that the vulnerability was detected on.	Yes
First Seen	The date and time when a scan first identified the asset.	No
Google Cloud Instance ID	The unique identifier of the virtual machine instance in Google Cloud Platform (GCP).	Yes
Google Cloud Project ID	The customized name of the project to which the virtual machine instance belongs in GCP. For more information, see Creating and Managing Projects in the GCP documentation.	Yes
Google Cloud Zone	The zone where the virtual machine instance runs in GCP. For more information, see Regions and Zones in the GCP documentation.	Yes
Has Plugin Results	Specifies whether the asset has plugin results associated with it.	Yes
Hostname/IP Address	Use this filter to limit assets by the following asset identifiers: hostname FQDN IPv4 address This filter supports multiple asset identifiers as a comma-separated list (for example, hostname_example, example.com, 192.168.0.0). For IP addresses, you can specify individual addresses, CIDR notation (for example, 192.168.0.0/24), or a range (for example, 192.168.0.1-192.168.0.255). Note: You cannot filter assets by IPv6 address. Note: Ensure the search query does not end in a period and does not include any hyphens.	No
Installed Software	A list of Common Platform Enumeration (CPE) values that represent software applications a scan identified as present on an asset. This field supports the CPE 2.2 format. For more information, see the Component Syntax section of the CPE Specification documentation, Version 2.2. For assets identified in Tenable scans, this field contains data only if a scan using Nessus Plugin ID 45590 has evaluated the asset. Note: If no scan detects an application within 30 days of the scan that originally detected the application, Tenable.io considers the detection of that application expired. As a result, the next time a scan evaluates the asset, Tenable.io removes the expired application from the Installed Software attribute. This activity is logged as a remove type of attribute change in the asset activity log.	Yes
IPv4 Address	An IPv4 address that a scan has associated with the asset record. This filter supports multiple asset identifiers as a comma-separated list (for example, hostname_example, example.com, 192.168.0.0). For IP addresses, you can specify individual addresses, CIDR notation (for example, 192.168.0.0/24), or a range (for example, 192.168.0.1-192.168.0.255). Note: Tenable.io does not support a CIDR mask of /0 for this parameter, because that value would match all IP addresses. If you submit a /0 value for this parameter, Tenable.io returns a 400 Bad Request error message Note: Ensure the search query does not end in a period.	Yes
IPv6 Address	An IPv6 address that a scan has associated with the asset record. This filter supports multiple asset identifiers as a comma-separated list. The IPV6 address must be an exact match. (for example, 0:0:0:0:0:ffff:c0a8:0). Note: Ensure the search query does not end in a period.	Yes
Is Deleted	Specifies whether the asset has been deleted.	No
Is Licensed (VM)	Specifies whether the asset is included in the asset count for the Tenable.io instance.	No
Is Licensed (WAS)	Specifies whether the asset is included in the asset count for the Tenable.io Web Application Scanning instance. An asset is licensed if it meets the following criteria: The scan results for the asset do not include discovery plugin results. The scan results for the asset do not include Tenable.io Web Application Scanning sources (e.g., results from Nessus scanners, Agents, Nessus Network Monitor). The asset has not been terminated.	No
Is Terminated	Specifies whether the virtual instance of the asset has been terminated.	No
Last Assessed	A Tenable-provided time period during which an assessment scan ran against the asset. Supported values are: 7 Days Ago 14 Days Ago 30 Days Ago 90 Days Ago	No
Last Assessed Date	The start date of a user-defined period during which an assessment scan ran against the asset. The implicit end date is the current date.	No
Last Authenticated Scan	The date and time of the last authenticated scan run against the asset. An authenticated scan that only uses discovery plugins updates the Last Authenticated Scan field, but not the Last Licensed Scan field. Note: This filter supports the following operators: Earlier than — Returns any asset that meets either of the following conditions: Tenable.io has never run a credentialed scan for the asset. The most recent credentialed scan of the asset ran earlier than 12 AM on the selected date. For example, if, on June 15, you select the date range 30 Days Ago, the credentialed scan must have started to run before 12 AM on May 16. In other words, the filter returns assets from May 15 or earlier. Earlier than (strict) — Returns the same assets as Earlier than, except that it excludes assets for which Tenable.io has never run a credentialed scan on. Later than — Returns the most recent credentialed scan of the asset. Includes only scans run later than 12 AM on the selected date. For example, if, on June 15, you select the date range 30 Days Ago, the credentialed scan must have started after 12 AM on May 16. In other words, the filter returns assets from May 16 or later.	No
Last Seen	The date and time of the scan that most recently identified the asset.	No
MAC Address	A MAC address that a scan has associated with the asset record.	Yes
Mitigation	An umbrella filter that, when selected, filters on the following criteria: Mitigation - Detected: Specifies whether a scan has identified a mitigation on the asset. Mitigation - Last Detected: The date range within which a scan identified a mitigation on the asset. Possible values are earlier than or later than: 7 Days ago 14 Days Ago 30 Days Ago 90 Days Ago Mitigation - Product Name: The name of the mitigation software identified on the asset. Lumin defines mitigations as security agent software running on endpoint assets, which include antivirus software, Endpoint Protection Platforms (EPPs), or Endpoint Detection and Response (EDR) solutions. Mitigation - Vendor Name: The name of the vendor for the mitigation that a scan identified on the asset. Mitigation - Version: The version of the mitigation that a scan identified on the asset.	No
NetBIOS Name	The NetBIOS name for the asset.	Yes
Network Name	The name of the network object associated with scanners that identified the asset. The default network name is Default. For more information about networks, see Networks.	Yes
Operating System	The operating system that a scan identified as installed on the asset.	Yes
Qualys Asset ID	The Asset ID of the asset in Qualys. For more information, see the Qualys documentation This field contains a value only for assets associated with Qualys vulnerabilities you import via the Tenable.io API. For more information, see the Tenable Developer Portal.	Yes
Qualys Host ID	The Host ID of the asset in Qualys. For more information, see the Qualys documentation. This field contains a value only for assets associated with Qualys vulnerabilities you import via the Tenable.io API. For more information, see Tenable Developer Portal.	Yes
Scan Frequency	The number of times the asset was scanned within the past 90 days.	No
Scan ID	The unique scan identifier associated with the asset.
ServiceNow Sys ID	Where applicable, the unique record identifier of the asset in ServiceNow. For more information, see the ServiceNow documentation.	Yes
Source	The source of the scan that identified the asset. Possible values are: Agent (Nessus Agent) Nessus (Nessus scan) PVS/NNM (Nessus Network Monitor) WAS (Web Application Scanning) AWS Connector Azure Connector GCP Connector Qualys Connector	Yes
Tag (Category: Value)	A unique filter that searches tags (category: value) pairs. For more information, see tags.	No
Target Group	The target group to which the asset belongs. This attribute is empty if the asset does not belong to a target group. For more information, see Target Groups.	No
Tenable UUID	The UUID of the agent present on the asset. This attribute is empty if no agent is present on the asset.	Yes
Terminated Date	The date on which the virtual instance of the asset was terminated.	No

Guidelines for Tenable-provided Filters

Tenable recommends using human-readable strings when using the contains or does not contain operator for the following filters:

ACR Drivers
DNS (FQDN)
Hostname/IP Address
Installed Software
NetBIOS Name
Operating System

Note: When using the contains or does not contain operators, do not use periods in your search values. Also, the search values are case-sensitive.

For example, when filtering on Operating System, use "Windows" instead of "Win." Tenable also recommends filtering on characters at the beginning of search strings, instead of characters in the middle or end of search strings. For example, when trying to match on an asset with the hostname "localhost", filtering on "local," instead of "host" or "h," returns better results.

Tag Filters

In Tenable.io, tags allow you to add descriptive metadata to assets that helps you group assets by business context. For more information, see Tags.

On the Assets page, you can filter vulnerabilities by tags applied to the related assets.

In the Category drop-down box for a filter, your organization's tags appear at the bottom of the list, after the Tenable-provided filters.

If you want to export vulnerabilities for assets filtered by tag, use the CSV export format. Tenable.io does not support tag filters in other export formats.

Note: If you exceed the current asset query limitation of 25,000, a message appears in your interface. Refine the query to a tag that returns fewer than 25,000 assets.

You can also use tag filters to create tag rules.