Access Group Rule Filters

Tenable is retiring access groups. Moving forward, Tenable recommends that you use permissions to manage user and group access to resources on your Tenable.io instance and that you convert your existing access groups into permission configurations. For more information, see Transition to Permission Configurations.

You can use the filters described in the following sections to create rules for access groups. For more information, see:

Tenable-provided Filters

The last two columns in the following table indicate whether you can use the filter with the Manage Assets or Scan Targets group type.

Filter Description Manage Assets Scan Targets
AWS Account ID The canonical user identifier for the Amazon Web Services (AWS) account associated with the asset. For more information, see "AWS Account Identifiers" in the AWS documentation. yes no
AWS Availability Zone The name of the Availability Zone where AWS hosts the virtual machine instance. For more information, see "Regions and Availability Zones" in the AWS documentation. yes no
AWS EC2 AMI ID The unique identifier of the Linux AMI image in Amazon Elastic Compute Cloud (Amazon EC2). For more information, see the Amazon Elastic Compute Cloud Documentation. yes no
AWS EC2 Instance ID The unique identifier of the Linux instance in Amazon EC2. For more information, see the Amazon Elastic Compute Cloud Documentation. yes no
AWS EC2 Name The name of the virtual machine instance in Amazon EC2. yes no
AWS EC2 Product Code The product code associated with the AMI used to launch the virtual machine instance in Amazon EC2. yes no
AWS Region The region where AWS hosts the virtual machine instance, for example, 'us-east-1'. For more information, see "Regions and Availability Zones" in the AWS documentation. yes no
AWS Security Group The security group to which you have assigned the virtual machine instance in Amazon EC2. For more information, see Security Groups in the Amazon Virtual Private Cloud User Guide. yes no
AWS Subnet ID The unique identifier of the AWS subnet where the virtual machine instance was running at the time of the scan. yes no
AWS VPC ID The unique identifier of the public cloud that hosts the AWS virtual machine instance. For more information, see the Amazon Virtual Private Cloud User Guide. yes no
Azure Resource ID The unique identifier of the resource in the Azure Resource Manager. For more information, see the Azure Resource Manager Documentation. yes no
Azure VM ID The unique identifier of the Microsoft Azure virtual machine instance. For more information, see "Accessing and Using Azure VM Unique ID" in the Microsoft Azure documentation. yes no
FQDN/Hostname

One of the following:

  • The fully-qualified domain name of the asset.
  • The hostname of the asset.
yes yes
Google Cloud Instance ID The unique identifier of the virtual machine instance in Google Cloud Platform (GCP). yes no
Google Cloud Project ID The customized name of the project to which the virtual machine instance belongs in GCP. For more information, see "Creating and Managing Projects" in the GCP documentation. yes no
Google Cloud Zone The zone where the virtual machine instance runs in GCP. For more information, see "Regions and Zones" in the GCP documentation. yes no
IPv4 Address An IPv4 address for the asset. For this filter, you can use CIDR notation (e.g., 192.168.0.0/24), a range (e.g., 192.168.0.1-192.168.0.255), or a comma-separated list (e.g., 192.168.0.0, 192.168.0.1). yes yes
IPv6 Address An IPv6 address for the asset. no yes
MAC Address The MAC address of the asset. yes no
NetBIOS Name The NetBIOS name for the asset. yes no
Network Name The name of the network to which the asset belongs. yes no
Operating System The operating system installed on the asset. yes no
Qualys Asset ID The Asset ID of the asset in Qualys. For more information, see the Qualys documentation. yes no
Qualys Host ID The Host ID of the asset in Qualys. For more information, see the Qualys documentation. yes no
ServiceNow Sys ID The unique record identifier of the asset in ServiceNow. For more information, see the ServiceNow documentation. yes no

Guidelines for Tenable-provided Filters

  • When configuring rules for Scan Targets access groups, the asset attribute type must match the target format used in the related scan. For example, if a Scan Targets access group rule filters on the FQDN/Hostname attribute, the related scan succeeds if the scan target is specified in FQDN or hostname format, but fails if the scan target is specified in IPv4 address format.

Tag Filters

In Tenable.io, tags allow you to add descriptive metadata to assets that helps you group assets by business context. For more information, see Tags.

You can use the tags you create to assign assets to Manage Assets access groups.

To add a tag filter to a rule:

  1. In the Category drop-down box, select Tags.
  2. In the Operator drop-down box, select contains.
  3. In the text box, type the tag category and value you want to search for in the following format:

    Category Name:Value Name

  4. Continue creating rules and/or save the access group as described in Create an Access Group.

Note: Tag categories with 100,000 or more associated values cannot be applied as a rule to access groups.