Basic Settings in Vulnerability Management Scans

Note: This topic describes Basic settings you can set in individual scans. For Basic settings in user-defined templates, see Basic Settings in User-Defined Templates.

You can use Basic settings to specify organizational and security-related aspects of a scan configuration. This includes specifying the name of the scan, its targets, whether the scan is scheduled, and who has access to the scan.

The Basic settings include the following sections:

General

The general settings for a scan.

Setting Default Value Description

Name

None

Specifies the name of the scan.

Description

None

(Optional) Specifies a description of the scan.

Scan Results

Show in dashboard

Specifies whether the results of the scan should appear in dashboards or be kept private.

When set to Keep private, you must access the scan directly to view the results.

Note: Show in dashboard is always enabled for triggered scans.

Folder

My Scans

Specifies the folder where the scan appears after being saved.

You cannot specify a folder when you launch a remediation scan. All remediation scans appear in the Remediation Scans folder only.

Agent Groups

None

(Agent scans only) Specifies the agent group or groups you want the scan to target. In the drop-down box, select an existing agent group, or create a new agent group.

Scan Type

Scan Window

(Agent scans only) (Required) Specifies whether the agent scans occur based on a scan window or triggers:

  • Scan Window — Specifies the time frame during which agents must report in order to be included and visible in vulnerability reports. Use the drop-down box to select an interval of time, or click to type a custom scan window.

    Window scans must be explicitly launched or scheduled to launch at a particular time.

  • Triggered Scan — Specifies the triggers that cause agents to report in. Use the drop-down boxes to select from the following trigger types:

    • Interval — The time interval (hours) between each scan (for example, every 12 hours).

    • File Name — The file name that triggers the agent scan. The scan triggers when the file name is detected in /opt/nessus_agent/var/nessus/triggers.

    Tip: You can set multiple triggers for a single scan, and the scan searches for the triggers in their listed order (i.e. if the scan isn't triggered by the first trigger, it searches for the second trigger).

    Triggered scans are automatically performed by agents, and do not require an admin to explicitly launch or schedule them to launch at a particular time.

Scanner

Auto-Select

Specifies the scanner that performs the scan.

Select a scanner based on the location of the targets you want to scan. For example:

  • Select a linked scanner to scan non-routable IP addresses.

    Note: Auto-select is not available for cloud scanners.

  • Select a scanner group if you want to:

    • Improve scan speed by balancing the scan load among multiple scanners.
    • Rebuild scanners and link new scanners in the future without having to update scanner designations in scan configurations.
  • Select Auto-Select to enable scan routing for the targets.

IP Selection

Internal

(Required) Select whether to run an Internal or External tag-based scan.

External: Public routable IP addresses. Tenable.io evaluates the identifiers to determine a single target in the following order:

  • Most recent IPv4

  • Most recent IPv6

  • Last Scan Target

  • Most recent FQDN added

Internal: Privately routable IP addresses (RFC 1918). Tenable.io evaluates the identifiers in the same order as External.

Note: This option determines the type of scan run on assets within the tag(s). For example, if you are using a cloud scanner but want to scan the public targets in the tag, you must change the IP selection to External.

Scan routing is available for linked scanners only.

Tags

None

Select one or more tags to scan all assets that have any of the specified tags applied. To see a list of assets identified by the specified tags, click View Assets. For more information, see Example: Tag-Based Scanning.

Target Groups

None

You can select or add a new target group to which the scan applies. Assets in the target group are used as scan targets.

Policy

None

This setting appears only when the scan owner edits an existing scan that is based on a user-defined scan template.

Note: After scan creation, you cannot change the Tenable-provided scan template on which a scan is based.

In the drop-down box, select a user-defined scan template on which to base the scan. You can select user-defined scan templates for which you have Can View or higher permissions.

In most cases, you set the user-defined scan template at scan creation, then keep the same template each time you run the scan. However, you may want to change the user-defined scan template when troubleshooting or debugging a scan. For example, changing the template makes it easy to enable or disable different plugin families, change performance settings, or apply dedicated debugging templates with more verbose logging.

When you change the user-defined scan template for a scan, the scan history retains the results of scans run under the previously-assigned template.

Targets

None

Specifies one or more targets to be scanned. If you select a target group or upload a targets file, you are not required to specify additional targets.

Targets can be specified using a number of different formats.

The targets you specify must be appropriate to the scanner you select for the scan. For example, cloud scanners cannot scan non-routable IP addresses. Select an internal scanner instead.

Tip: You can force Tenable.io to use a given host name for a server during a scan by using the hostname[ip] syntax (e.g., www.example.com[192.168.1.1]). However, you cannot use this approach if you enable scan routing for the scan.

Note: You cannot apply more than 300,000 IP address targets to a scan.

Upload Targets

None

Uploads a text file that specifies targets.

The targets file must be formatted in the following manner:

  • ASCII file format
  • Only one target per line
  • No extra spaces at the end of a line
  • No extra lines following the last target

Note: Unicode/UTF-8 encoding is not supported.
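A pre-upload check for the targets-file rules above and the 300,000 IP address limit, as an added example (not Tenable code). The function names, the CIDR counting, the acceptance of CRLF line endings, and the treatment of a single terminating newline are assumptions made for illustration.

```python
import ipaddress

MAX_IP_TARGETS = 300_000  # limit stated in the Targets setting on this page


def count_ips(target: str) -> int:
    """Addresses one entry contributes. Assumption: every address in a CIDR
    block counts, and a host name counts as one."""
    if target.endswith("]") and "[" in target:  # hostname[ip] syntax
        target = target[target.index("[") + 1:-1]
    try:
        return ipaddress.ip_network(target, strict=False).num_addresses
    except ValueError:  # not an IP or CIDR: treat as a single host name
        return 1


def validate_targets_file(data: bytes) -> list[str]:
    """Return the problems found; an empty list means every check passed."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError as exc:
        return [f"non-ASCII byte at offset {exc.start}"]
    # Assumption: CRLF line endings are accepted and normalized.
    lines = text.replace("\r\n", "\n").split("\n")
    if lines[-1] == "":
        lines.pop()  # assumption: one terminating newline is not an extra line
    problems, total = [], 0
    for number, line in enumerate(lines, start=1):
        if line == "":
            problems.append(f"line {number}: empty line")
        elif line.endswith((" ", "\t")):
            problems.append(f"line {number}: trailing whitespace")
        elif any(sep in line.strip() for sep in (" ", "\t", ",")):
            problems.append(f"line {number}: more than one target")
        else:
            total += count_ips(line)
    if total > MAX_IP_TARGETS:
        problems.append(f"{total} IP address targets exceeds {MAX_IP_TARGETS}")
    return problems


# Constructed sample input, not taken from a real environment.
SAMPLE = b"192.168.1.10 \n10.0.0.1, 10.0.0.2\nwww.example.com[192.168.1.1]\n\n"

if __name__ == "__main__":
    for problem in validate_targets_file(SAMPLE):
        print(problem)
```
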

Schedule

The scan schedule settings.

By default, scans are not scheduled. When you first access the Schedule section, the Enable Schedule setting appears, set to Off. To modify the settings listed in the following table, click the Off button. The rest of the settings appear.

Note: Scheduled scans do not run if they are in the scan owner's Trash folder.

Setting Default Value Description

Frequency

Once

Specifies how often the scan is launched.

  • Once: Schedule the scan at a specific time.
  • Daily: Schedule the scan to occur every 1-20 days, at a specific time.
  • Weekly: Schedule the scan to occur every 1-20 weeks, by time and day(s) of the week.
  • Monthly: Schedule the scan to occur every 1-20 months, by:
    • Day of Month: The scan repeats on a specific day of the month at the selected time.
    • Week of Month: The scan repeats monthly on the week you begin the scan. For example, if you select a start date of October 3rd, and that falls on the first week of the month, then the scan repeats the first week of each subsequent month at the selected time.

    Note: If you schedule your scan to recur monthly and by time and day of the month, Tenable recommends setting a start date no later than the 28th day. If you select a start date that does not exist in some months (e.g., the 29th), Tenable.io cannot run the scan on those days.

  • Yearly: Schedule the scan to occur every 1-20 years, by time and date.

Starts

Varies

Specifies the exact date and time when a scan launches.

The starting date defaults to the date when you are creating the scan. The starting time is the nearest half-hour interval. For example, if you create your scan on 09/31/2018 at 9:12 AM, the default starting date and time is set to 09/31/2018 and 09:30.

Timezone

Zulu

Specifies the timezone of the value set for Starts.

Repeat Every

Varies

Specifies the interval at which a scan is relaunched. The default value of this item varies based on the frequency you choose.

Repeat On

Varies

Specifies what day of the week a scan repeats. This item appears only if you specify Weekly for Frequency.

The value for Repeat On defaults to the day of the week on which you create the scan.

Repeat By

Day of the Month

Specifies when a monthly scan is relaunched. This item appears only if you specify Monthly for Frequency.

Summary

N/A

Provides a summary of the schedule for your scan based on the values you have specified for the available settings.

Notifications

The notification settings for a scan.

The following feature is not supported in Tenable.io Federal Risk and Authorization Management Program (FedRAMP) environments. For more information, see the FedRAMP Product Offering.

Setting Default Value Description

Email Recipient(s)

None

Specifies zero or more email addresses, separated by commas, that are alerted when a scan completes and the results are available.

Result Filters

None

Defines the type of information to be emailed.

User Permissions

You can share the scan with other users by setting permissions for users or groups. When you assign a permission to a group, that permission applies to all users within the group.

Tip: Tenable recommends assigning permissions to user groups, rather than individual users, to minimize maintenance as individual users leave or join your organization.

Permission Description

No Access

(Default user only) Groups and users set to this permission cannot interact with the scan in any way.

Can View

Groups and users with this permission can view the results of the scan, export the scan results, and move the scan to the Trash folder. They cannot view the scan configuration or permanently delete the scan.

Can Control

In addition to the tasks allowed by Can View, groups and users with this permission can launch, pause, and stop a scan. They cannot view the scan configuration or permanently delete the scan.

Note: In addition to Can Control permissions for the scan, users running a scan must have Can Scan permissions in an access group for the specified target, or the scanner does not scan the target.

Can Configure

In addition to the tasks allowed by Can Control, groups and users with this permission can view the scan configuration and modify any setting for the scan except scan ownership. They can also delete the scan.

Note: Only the scan owner can change scan ownership.

Note: User roles override scan permissions in the following cases:

  • A basic user cannot run a scan or configure a scan, regardless of the permissions assigned to that user in the individual scan.

  • An administrator always has the equivalent of Can Configure permissions, regardless of the permissions set for the administrator account in the individual scan. This does not apply to user-defined scan templates.