Tag Rules Filters

This topic describes the performance or functionality of a new feature in Tenable.io Key Enhancements. For more information, see Tenable.io Key Enhancements.

Note: If there is a typo in the tag rule, an error will appear in the Rules box with a description of the issue.

On the Tags page, you can select from the following filters to create rules for an automatic tag:

Each entry below gives the filter name, its description, the UI element, and the number of values per filter.
ACR

(Requires Lumin license) The asset's ACR (Asset Criticality Rating).

text box 1
ACR Severity

(Requires Lumin license) The ACR category of the ACR calculated for the asset.

check box (multi-selection) 5
AES

(Requires Lumin license) The Asset Exposure Score (AES) calculated for the asset.

text box 1
AES Severity

(Requires Lumin license) The AES category of the AES calculated for the asset.

check box (multi-selection) 5
Asset ID

The asset's UUID.

text box 5
AWS Availability Zone

The name of the Availability Zone where AWS hosts the virtual machine instance. For more information, see Regions and Availability Zones in the AWS documentation.

check box (multi-selection) 5
AWS EC2 AMI ID

The unique identifier of the Linux AMI image in Amazon Elastic Compute Cloud (Amazon EC2). For more information, see the Amazon Elastic Compute Cloud Documentation.

text box 5
AWS EC2 Instance ID

The unique identifier of the Linux instance in Amazon EC2. For more information, see the Amazon Elastic Compute Cloud Documentation.

text box 5
AWS EC2 Name

The name of the virtual machine instance in Amazon EC2.

text box 1
AWS EC2 Product Code

The product code associated with the AMI used to launch the virtual machine instance in Amazon EC2.

text box 1
AWS Instance State

The state of the virtual machine instance in AWS at the time of the scan. For possible values, see API Instance State in the Amazon Elastic Compute Cloud Documentation.

check box (multi-selection) 5
AWS Instance Type

The type of virtual machine instance in Amazon EC2. Amazon EC2 instance types dictate the specifications of the instance (for example, how much RAM it has). For a list of possible values, see Amazon EC2 Instance Types in the AWS documentation.

check box (multi-selection) 5
AWS Owner ID

A UUID for the Amazon AWS account that created the virtual machine instance. For more information, see AWS Account Identifiers in the AWS documentation.

This attribute contains a value for Amazon EC2 instances only. For other asset types, this attribute is empty.

text box 500
AWS Region

The region where AWS hosts the virtual machine instance, for example, us-east-1. For more information, see Regions and Availability Zones in the AWS documentation.

check box (multi-selection) 5
AWS Security Group

The AWS security group (SG) associated with the Amazon EC2 instance.

text box 5
AWS Subnet ID

The unique identifier of the AWS subnet where the virtual machine instance was running at the time of the scan.

text box 5
AWS VPC ID

The unique identifier of the public cloud that hosts the AWS virtual machine instance. For more information, see the Amazon Virtual Private Cloud User Guide.

text box 5
Azure Resource ID

The unique identifier of the resource in the Azure Resource Manager. For more information, see the Azure Resource Manager Documentation.

text box 5
Azure VM ID

The unique identifier of the Microsoft Azure virtual machine instance. For more information, see Accessing and Using Azure VM Unique ID in the Microsoft Azure documentation.

text box 5
BIOS ID

The NetBIOS name for the asset.

text box 5
Created Date

The time and date when Tenable.io created the asset record.

calendar drop-down box -or- text box 1
Custom Attribute

A filter that searches for custom attributes via a category-value pair. For more information about custom attributes, see the Tenable Developer Portal.

key-value filter text box 10
Deleted

Specifies whether the asset has been deleted.

option (single selection) 1
Deleted Date

The date when a user deleted the asset record or the number of days since a user deleted the asset. When a user deletes an asset record, Tenable.io retains the record until the asset ages out of the license count.

calendar drop-down box -or- text box 1
DNS

The fully-qualified domain name of the asset host.

text box 1024
First Seen

The date and time when a scan first identified the asset.

calendar drop-down box -or- text box 1
Google Cloud Instance

The unique identifier of the virtual machine instance in Google Cloud Platform (GCP).

text box 5
Google Cloud Project ID

The customized name of the project to which the virtual machine instance belongs in GCP. For more information, see Creating and Managing Projects in the GCP documentation.

text box 500
Google Cloud Zone

The zone where the virtual machine instance runs in GCP. For more information, see Regions and Zones in the GCP documentation.

check box (multi-selection) 5
Has Plugin Results

Specifies whether the asset has plugin results associated with it.

option (single selection) 1
Installed Software

A list of Common Platform Enumeration (CPE) values that represent software applications a scan identified as present on an asset. This field supports the CPE 2.2 format. For more information, see the Component Syntax section of the CPE Specification documentation, Version 2.2. For assets identified in Tenable scans, this field contains data only if a scan using Nessus Plugin ID 45590 has evaluated the asset.

Note: If no scan detects an application within 30 days of the scan that originally detected the application, Tenable.io considers the detection of that application expired. As a result, the next time a scan evaluates the asset, Tenable.io removes the expired application from the Installed Software attribute. This activity is logged as a remove type of attribute change in the asset activity log.

text box 1
IPv4 Address

The IPv4 address associated with the asset record.

This filter supports multiple asset identifiers as a comma-separated list (for example, hostname_example, example.com, 192.168.0.0). For IP addresses, you can specify individual addresses, CIDR notation (for example, 192.168.0.0/24), or a range (for example, 192.168.0.1-192.168.0.255).

Note: A CIDR mask of /0 is not supported for this parameter, because that value would match all IP addresses. If you submit a /0 value for this parameter, Tenable.io returns a 400 Bad Request error message.

Note: Ensure the tag filter value does not end in a period.

text box 1024
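A pre-submission check for an IPv4 Address filter value, covering the list, CIDR, range, /0 and trailing-period rules stated above. This is an added example, not Tenable code; check_ipv4_filter and its messages are hypothetical names, and treating non-numeric items as hostnames is an assumption.

```python
import ipaddress

MAX_VALUES = 1024  # "Number of values per filter" listed for IPv4 Address


def check_ipv4_filter(value):
    """Return (item, problem) pairs for an IPv4 Address filter value; [] means it passed."""
    problems = []
    if value.rstrip().endswith("."):
        problems.append((value, "filter value ends in a period"))
    items = [i.strip() for i in value.split(",") if i.strip()]
    if len(items) > MAX_VALUES:
        problems.append((value, f"more than {MAX_VALUES} values"))
    for item in items:
        numeric = item.translate(str.maketrans("", "", ".-/ ")).isdigit()
        if not numeric:
            continue  # assumption: treated as a hostname or FQDN, not checked here
        try:
            if "/" in item:
                # strict=False tolerates host bits; whether Tenable.io does is not stated
                net = ipaddress.IPv4Network(item, strict=False)
                if net.prefixlen == 0:
                    problems.append((item, "/0 matches every address; the page says 400 Bad Request"))
            elif "-" in item:
                lo, hi = (ipaddress.IPv4Address(p.strip()) for p in item.split("-", 1))
                if lo > hi:
                    problems.append((item, "range start is above range end"))
            else:
                ipaddress.IPv4Address(item)
        except ValueError as exc:
            problems.append((item, f"not a valid IPv4 value: {exc}"))
    return problems


if __name__ == "__main__":
    # Constructed sample values, including the examples quoted on this page.
    for sample in ("hostname_example, example.com, 192.168.0.0",
                   "192.168.0.0/24, 192.168.0.1-192.168.0.255",
                   "10.0.0.0/0, 192.168.0.255-192.168.0.1, 999.1.1.1"):
        print(sample, "->", check_ipv4_filter(sample) or "ok")
```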
IPv6 Address

An IPv6 address that a scan has associated with the asset record.

This filter supports multiple asset identifiers as a comma-separated list. The IPv6 address must be an exact match (for example, 0:0:0:0:0:ffff:c0a8:0).

Note: Ensure the tag filter value does not end in a period.

text box 5
Last Authenticated Scan

The date and time of the last credentialed scan run on the asset.

calendar drop-down box -or- text box 1
Last Licensed Scan

The date and time of the last scan that identified the asset as licensed. For more information about licensed assets, see Vulnerability Management Licenses.

calendar drop-down box -or- text box 1
Last Seen

The date and time of the scan that most recently identified the asset.

calendar drop-down box -or- text box 1
Licensed

Specifies whether the asset is included in the asset count for the Tenable.io instance.

option (single selection) 1
MAC Address

A MAC address that a scan has associated with the asset record.

text box 5
Name

The asset identifier that Tenable.io assigns based on the presence of certain asset attributes in the following order:

  1. Agent Name (if agent-scanned)

  2. NetBIOS Name

  3. FQDN

  4. IPv6 address

  5. IPv4 address

For example, if scans identify a NetBIOS name and an IPv4 address for an asset, the NetBIOS name appears as the Asset Name.

text box 1024
NetBIOS Name

The NetBIOS name for the asset.

text box 1024
Network

The name of the network object associated with scanners that identified the asset. The default network name is Default. For more information about networks, see Networks.

drop-down check box (multi-selection) 100
Operating System

The operating system that a scan identified as installed on the asset.

text box 20
Public

Specifies whether the asset is available on a public network.

option (single selection) 1
ServiceNow Sys ID

The unique record identifier of the asset in ServiceNow. For more information, see the ServiceNow documentation.

text box 5
Source

The source of the scan that identified the asset. Possible filter values are:

  • AWS
  • AWS FA
  • Azure
  • AZURE FA
  • Cloud Connector
  • Cloud IAC
  • Cloud Runtime
  • GCP
  • Nessus Agent
  • Nessus Scan
  • NNM
  • ServiceNow
  • WAS

check box (multi-selection) 5
SSL/TLS

Specifies whether the application on which the asset is hosted uses SSL/TLS public-key encryption.

option (single selection) 1
System Type

The system types as reported by Plugin ID 54615. For more information, see Tenable Plugins.

check box (multi-selection) 5
Tags

A unique filter that searches tag (category: value) pairs. When you type a tag value, you must use the category: value syntax, including the space after the colon (:). You can use commas (,) to separate values. If there is a comma in the tag name, insert a backslash (\) before the comma. You can add a maximum of 100 tags.

For more information, see tags.

Note: If your tag name includes double quotation marks (" "), you must use the UUID instead.

key-value filter drop-down box 500
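A parser for the Tags filter syntax described above: the category: value form, backslash-escaped commas, the 100-tag maximum and the double-quote rule. This is an added example, not Tenable code; parse_tag_filter is a hypothetical name, and it assumes each comma-separated item is a full category: value pair or a bare tag UUID.

```python
import re
import uuid

MAX_TAGS = 100  # "You can add a maximum of 100 tags."


def parse_tag_filter(text):
    """Split a Tags filter value into (category, value) pairs, rejecting syntax the page rules out."""
    # Split on commas that are not escaped with a backslash, then unescape.
    items = [i.strip().replace("\\,", ",")
             for i in re.split(r"(?<!\\),", text) if i.strip()]
    if len(items) > MAX_TAGS:
        raise ValueError(f"{len(items)} tags given; the maximum is {MAX_TAGS}")
    parsed = []
    for item in items:
        try:
            # Assumption: a tag referenced by UUID is typed as the bare UUID.
            parsed.append(("uuid", str(uuid.UUID(item))))
            continue
        except ValueError:
            pass
        if '"' in item:
            raise ValueError(f"{item!r}: name contains double quotes, use the tag UUID")
        category, sep, value = item.partition(": ")
        if not sep or not category.strip() or not value.strip():
            raise ValueError(f"{item!r}: expected 'category: value' with a space after the colon")
        parsed.append((category.strip(), value.strip()))
    return parsed


if __name__ == "__main__":
    # Constructed sample: one tag value containing an escaped comma, one plain tag.
    print(parse_tag_filter("Location: Austin\\, TX, Env: Prod"))
```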
Tenable ID

The UUID of the agent present on the asset.

text box 1024
Type

The system type on which the asset is managed. Possible filter values are:

  • Cloud Resource

  • Container

  • Host

  • Cloud

option (single selection) 1
Updated Date

The time and date when a user last updated the asset.

calendar drop-down box -or- text box 1