Example: Identify Assets That Have Not Been Assessed

Video: Measuring Scan Coverage in Tenable.io

Tenable.io can discover, or see, assets without assessing them for vulnerabilities (for example, via a host discovery scan, Nessus Network Monitor running in discovery mode, or connectors). Assets that have been seen but not assessed do not count towards your asset license limit. However, once an asset is assessed, it is always categorized as assessed, even if it ages out of the license count. For a list of conditions that cause an asset to be assessed, see How Assets are Counted.

This licensing exception allows you to discover assets on your network without the large number of assets counting towards your license limit. After you discover your assets, you can then identify which assets have not yet been assessed for vulnerabilities, and choose which of those assets you want to scan and manage going forward.

To identify assets that have not been assessed:

  1. Discover assets using any of the following methods:

    Assets discovered by these methods do not count towards your asset license limit until they have been assessed for vulnerabilities.

  2. Filter for assets that have not been assessed.

    1. In the assets table, create a filter with the following settings:
      • In the Category box, select Asset Assessed.
      • In the Operator box, select is equal to.
      • In the Value box, select false.

    2. Click Apply.

      Tenable.io filters for assets that have not yet been assessed for vulnerabilities.

      Note: Unassessed assets (where Asset Assessed is equal to false) can differ from unlicensed assets (where Is Licensed (VM) is equal to false). Once you scan an asset for vulnerabilities, Tenable.io categorizes the asset as assessed from that point on, but the licensing status of an asset can change over time as assets are deleted or age out of your organization's license count.

    3. (Optional) Save the search for later use.
  3. (Optional) Tag assets to identify assets that have not been assessed.

    1. Create an asset tag to identify assets that have not been assessed.

      For example, Assets:NotYetAssessed.

    2. Manually apply the tag to assets, or create tag rules that automatically filter for assets that have not been assessed.

      For example, to create a dynamic tag for assets that have not yet been assessed, set the tag rules to filter for Asset Assessed is equal to false.

  4. (Optional) Create a scan to target assets using the tag you created.

    For more information, see Example: Tag-Based Scanning.
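
The following added example (not Tenable code and not part of the original page) applies the same logic to a constructed inventory list: it selects assets that have not been assessed, shows how that set differs from unlicensed assets, and measures assessment coverage per discovery method. The field names `assessed`, `licensed` and `source` are hypothetical stand-ins for the Asset Assessed and Is Licensed (VM) filters, not Tenable.io API fields.

```python
from collections import defaultdict

# Constructed sample inventory; field names are hypothetical, not Tenable.io API fields.
ASSETS = [
    {"name": "web-01", "source": "host discovery scan", "assessed": True, "licensed": True},
    # Assessed earlier, then aged out of the license count: still "assessed".
    {"name": "db-01", "source": "host discovery scan", "assessed": True, "licensed": False},
    {"name": "printer-7", "source": "host discovery scan", "assessed": False, "licensed": False},
    {"name": "cam-03", "source": "Nessus Network Monitor", "assessed": False, "licensed": False},
    {"name": "vm-a1", "source": "connector", "assessed": False, "licensed": False},
    {"name": "vm-a2", "source": "connector", "assessed": True, "licensed": True},
]


def not_assessed(assets):
    """Same selection as the filter 'Asset Assessed is equal to false'."""
    return [a["name"] for a in assets if not a["assessed"]]


def not_licensed(assets):
    """Same selection as the filter 'Is Licensed (VM) is equal to false'."""
    return [a["name"] for a in assets if not a["licensed"]]


def assessed_but_unlicensed(assets):
    """Assets in the unlicensed set that a NotYetAssessed tag must not pick up."""
    return sorted(set(not_licensed(assets)) - set(not_assessed(assets)))


def coverage_by_source(assets):
    """Return {source: (assessed_count, seen_count, percent_assessed)}."""
    counts = defaultdict(lambda: [0, 0])
    for a in assets:
        counts[a["source"]][1] += 1
        if a["assessed"]:
            counts[a["source"]][0] += 1
    return {s: (done, seen, round(100 * done / seen, 1))
            for s, (done, seen) in counts.items()}


if __name__ == "__main__":
    print("Tag as Assets:NotYetAssessed:", not_assessed(ASSETS))
    print("Unlicensed but already assessed:", assessed_but_unlicensed(ASSETS))
    for source, (done, seen, pct) in coverage_by_source(ASSETS).items():
        print(f"{source}: {done}/{seen} assessed ({pct}%)")
```
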