Tag Rules Filters
Note: If there is a typo in the tag rule, an error appears in the Rules box with a description of the issue.
Note: Tenable Vulnerability Management supports a maximum of 1,000 rules per tag. This limit means that you can specify a maximum of 1,000 and or or conditions for a single tag value. Additionally, Tenable Vulnerability Management supports a maximum of 1,024 values per individual tag rule.
On the Tags page, you can select from the following filters to create rules for an automatic tag:
| Filter | Description |
|---|---|
| Account ID | The unique identifier assigned to the asset resource in the cloud service that hosts the asset. |
| ACR |
(Requires Tenable Lumin license) The asset's ACR (Asset Criticality Rating). |
| ACR Severity |
(Requires Tenable Lumin license) The ACR category of the ACR calculated for the asset. |
| AES |
(Requires Tenable Lumin license)The Asset Exposure Score (AES) calculated for the asset. |
| AES Severity |
(Requires Tenable Lumin license) The AES category of the AES calculated for the asset. |
| Agent Name |
The name of the Tenable Nessus agent that scanned and identified the asset. |
| ARN | The Amazon Resource Name (ARN) for the asset. |
| ASN | The Autonomous System Number (ASN) for the asset. |
| Assessed vs. Discovered |
Specifies whether Tenable Vulnerability Management scanned the asset for vulnerabilities or if Tenable Vulnerability Management only discovered the asset via a discovery scan. Possible values are:
|
| Asset ID |
The asset's UUID. |
| AWS Availability Zone |
The name of the Availability Zone where AWS hosts the virtual machine instance. For more information, see Regions and Availability Zones in the AWS documentation. |
| AWS EC2 AMI ID |
The unique identifier of the Linux AMI image in Amazon Elastic Compute Cloud (Amazon EC2). For more information, see the Amazon Elastic Compute Cloud Documentation. |
| AWS EC2 Instance ID |
The unique identifier of the Linux instance in Amazon EC2. For more information, see the Amazon Elastic Compute Cloud Documentation. |
| AWS EC2 Name |
The name of the virtual machine instance in Amazon EC2. |
| AWS EC2 Product Code |
The product code associated with the AMI used to launch the virtual machine instance in Amazon EC2. |
| AWS Instance State |
The state of the virtual machine instance in AWS at the time of the scan. For possible values, see API Instance State in the Amazon Elastic Compute Cloud Documentation. |
| AWS Instance Type |
The type of virtual machine instance in Amazon EC2. Amazon EC2 instance types dictate the specifications of the instance (for example, how much RAM it has). For a list of possible values, see Amazon EC2 Instance Types in the AWS documentation. |
| AWS Owner ID |
A UUID for the Amazon AWS account that created the virtual machine instance. For more information, see AWS Account Identifiers in the AWS documentation. This attribute contains a value for Amazon EC2 instances only. For other asset types, this attribute is empty. |
| AWS Region |
The region where AWS hosts the virtual machine instance, for example, us-east-1. For more information, see Regions and Availability Zones in the AWS documentation. |
| AWS Security Group |
The AWS security group (SG) associated with the Amazon EC2 instance. |
| AWS Subnet ID |
The unique identifier of the AWS subnet where the virtual machine instance was running at the time of the scan. |
| AWS VPC ID |
The unique identifier of the public cloud that hosts the AWS virtual machine instance. For more information, see the Amazon Virtual Private Cloud User Guide. |
| Azure Resource Group | The name of the resource group in the Azure Resource Manager. For more information, see the Azure Resource Manager Documentation. |
| Azure Resource ID |
The unique identifier of the resource in the Azure Resource Manager. For more information, see the Azure Resource Manager Documentation. |
| Azure Resource Type | The resource type of the resource in the Azure Resource Manager. For more information, see the Azure Resource Manager Documentation. |
| Azure Subscription ID | The unique subscription identifier of the resource in the Azure Resource Manager. For more information, see the Azure Resource Manager Documentation. |
| Azure VM ID |
The unique identifier of the Microsoft Azure virtual machine instance. For more information, see Accessing and Using Azure VM Unique ID in the Microsoft Azure documentation. |
| BIOS ID |
The NetBIOS name for the asset. |
| Cloud Provider | The name of the cloud provider that hosts the asset. |
| Created Date | The time and date when Tenable Vulnerability Management created the asset record. |
| Custom Attribute |
A filter that searches for custom attributes via a category-value pair. For more information about custom attributes, see the Tenable Developer Portal. |
| Deleted | Specifies whether the asset has been deleted. |
| Deleted Date | The date when a user deleted the asset record or the number of days since a user deleted the asset. When a user deletes an asset record, Tenable Vulnerability Management retains the record until the asset ages out of the license count. |
| DNS (FQDN) |
The fully-qualified domain name of the asset host. Note: This does not apply to Web Application assets, for which you must use the Name filter.
|
| Domain | The domain which has been added as a source or discovered by ASM as belonging to a user. |
| First Seen |
The date and time when a scan first identified the asset. |
| Google Cloud Instance ID |
The unique identifier of the virtual machine instance in Google Cloud Platform (GCP). |
| Google Cloud Project ID |
The customized name of the project to which the virtual machine instance belongs in GCP. For more information, see Creating and Managing Projects in the GCP documentation. |
| Google Cloud Zone |
The zone where the virtual machine instance runs in GCP. For more information, see Regions and Zones in the GCP documentation. |
| Has Plugin Results | Specifies whether the asset has plugin results associated with it. |
| Host Name (Domain Inventory) | The host name for assets found during attack surface management scans; only for use with Domain Inventory assets. |
| Hosting Provider | The hosting provider for the asset. |
| IaC Resource Type | The Infrastructure as Code (IAC) resource type of the asset. |
| Installed Software |
A list of Common Platform Enumeration (CPE) values that represent software applications a scan identified as present on an asset. This field supports the CPE 2.2 format. For more information, see the Component Syntax section of the CPE Specification documentation, Version 2.2. For assets identified in Tenable scans, this field contains data only if a scan using Tenable Nessus Plugin ID 45590 has evaluated the asset. Note: If no scan detects an application within 30 days of the scan that originally detected the application, Tenable Vulnerability Management considers the detection of that application expired. As a result, the next time a scan evaluates the asset, Tenable Vulnerability Management removes the expired application from the Installed Software attribute. This activity is logged as a remove type of attribute change in the asset activity log. |
| IPv4 Address |
The IPv4 address associated with the asset record.. This filter supports multiple asset identifiers as a comma-separated list (for example, hostname_example, example.com, 192.168.0.0). For IP addresses, you can specify individual addresses, CIDR notation (for example, 192.168.0.0/24), or a range (for example, 192.168.0.1-192.168.0.255). Note: A CIDR mask of /0 is not supported for this parameter, because that value would match all IP addresses. If you submit a /0 value for this parameter, Tenable Vulnerability Management returns a 400 Bad Request error message. Note: Ensure the tag filter value does not end in a period. |
| IPv6 Address |
An IPv6 address that a scan has associated with the asset record. This filter supports multiple asset identifiers as a comma-separated list. The IPV6 address must be an exact match. (for example, 0:0:0:0:0:ffff:c0a8:0). Note: Ensure the tag filter value does not end in a period. |
| Is Attribute | Specifies whether the asset is an attribute. |
| Is Auto Scale | Specifies whether the asset scales automatically. |
| Is Unsupported | Specifies whether the asset is unsupported in Tenable Vulnerability Management. |
| Last Audited | The time and date at which the asset was last audited. |
| Last Authenticated Scan |
The date and time of the last authenticated scan run against the asset. An authenticated scan that only uses discovery plugins updates the Last Authenticated Scan field, but not the Last Licensed Scan field. |
| Last Licensed Scan |
The date and time of the last scan in which the asset was considered "licensed" and counted towards Tenable's license limit. A licensed scan uses non-discovery plugins and can identify vulnerabilities. Unauthenticated scans that run non-discovery plugins update the Last Licensed Scan field, but not the Last Authenticated Scan field. For more information on licensed assets, see Tenable Vulnerability Management Licenses. |
| Last Seen | The date and time of the scan that most recently identified the asset. |
| Licensed |
Specifies whether the asset is included in the asset count for the Tenable Vulnerability Management instance. |
| MAC Address |
A MAC address that a scan has associated with the asset record. |
| Mitigation Last Detected | The date and time of the scan that last identified mitigation software on the asset. |
| Name |
The asset identifier that Tenable Vulnerability Management assigns based on the presence of certain asset attributes in the following order:
For example, if scans identify a NetBIOS name and an IPv4 address for an asset, the NetBIOS name appears as the Asset Name. |
| NetBIOS Name |
The NetBIOS name for the asset. |
| Network | The name of the network object associated with scanners that identified the asset. The default name is Default. For more information, see Networks. |
| Open Ports | Open ports on the asset. |
| Operating System | The operating system that a scan identified as installed on the asset. |
| Port | The port associated with the asset. |
| Public | Specifies whether the asset is available on a public network. |
| Record Type | The asset type. |
| Region | The cloud region where the asset runs. |
| Repositories | Any code repositories associated with the asset. |
| Resource Category | The name of the category to which the cloud resource type belongs (for example, object storage or virtual network). |
| Resource Tags (By Key) | Tags synced from a cloud source, such as Amazon Web Services (AWS), matched by the tag key (for example, Name). |
| Resource Tags (By Value) | Tags synced from a cloud source, such as Amazon Web Services (AWS), matched by the tag value. |
| Resource Type | The asset's cloud resource type (for example, network, virtual machine). |
| ServiceNow Sys ID |
Where applicable, the unique record identifier of the asset in ServiceNow. For more information, see the ServiceNow documentation. |
| Source |
The source of the scan that identified the asset. Possible filter values are:
|
| SSL/TLS | Specifies whether the application on which the asset is hosted uses SSL/TLS public-key encryption. |
| System Type |
The system types as reported by Plugin ID 54615. For more information, see Tenable Plugins. |
| Tags |
A unique filter that searches tag (category: value) pairs. When you type a tag value, you must use the category: value syntax, including the space after the colon (:). You can use commas (,) to separate values. If there is a comma in the tag name, insert a backslash (\) before the comma. For more information, see tags. Note: If your tag name includes double quotation marks (" "), you must use the UUID instead. |
| Target Groups |
The target group to which the asset belongs. This attribute is empty if the asset does not belong to a target group. For more information, see Target Groups. |
| Tenable ID |
The UUID of the agent present on the asset. |
| Terminated | Specifies whether or not the asset is terminated. |
| Type |
The system type on which the asset is managed. Possible filter values are:
|
| Updated Date | The time and date when a user last updated the asset. |
| VPC | The unique identifier of the public cloud that hosts the AWS virtual machine instance. For more information, see the Amazon Virtual Private Cloud User Guide. |