Example: Tag-Based Scanning
You can configure scans to target assets based on one or more tags you have assigned to the assets. For example, you might want to run more frequent scans of assets running a Windows operating system. Rather than manually configuring a scan to target a static group of Windows assets, you can configure Tenable.io to automatically apply a tag to any asset that a scan identifies as running Windows. Then, you can configure a scan to evaluate any asset with that tag on an appropriate frequency.
Depending on scan findings, an asset record can contain multiple identifiers—that is, multiple IPv4 addresses, IPv6 addresses, and full-qualified domain names (FQDNs). When you configure a scan to target assets based on tags, Tenable.io examines the identifiers associated with the asset in order to resolve multiple possible identifiers to a single target. For more information, see How Tenable.io Resolves Asset Tags to Targets for Scanning.
To scan assets based on tags:
- Review the configuration guidelines and limitations for tag-based scans.
- Create and launch a discovery scan on the network assets where you want to target the tag-based scan.
- Create asset tags that reflect your business context.
- Assign tags to assets manually or automatically via tag rules.
- Create a scan and select Tags to target all assets to which any of the tags apply.
When configuring tag-based scans, observe the following guidelines:
Keep the number of assets included in a single tag-based scan as small as possible to improve performance. To do so, make the criteria for applying tags as specific as you can. For example, rather than automatically apply a tag based on multiple operating systems you want to monitor (for example, Windows, Linux, and Mac), apply the tag based on a single operating system (for example, Windows). You can also combine multiple tags in a single scan to refine the asset list.
- Tag-based scans can target only assets that have already been identified in at least one previous scan (for example, a discovery scan), because asset identifiers must be present for assets to be evaluated for inclusion in the scan.
- When you run a Nessus scan, Tenable.io notes the FQDN or IP address that was used to scan an asset. Tenable.io uses this last-scanned FQDN or IP address for efficient lookup when re-scanning assets. Tenable recommends that you run regular discovery scans to keep the attribute updated in your asset records.
- You can configure a single scan to use tag-based targets in combination with custom targets and target groups. Tenable.io combines all targets (tag-based, custom, or target-grouped) into a single target list, then de-duplicates the targets before sending the list to the scanner.
When configuring tag-based scans, keep in mind the following limitations:
- You cannot configure agent scans based on asset tags.
- You cannot use any of the following scan templates when configuring a tag-based scan: Audit Cloud Infrastructure, MDM Config Audit, Mobile Device Scan, or Offline Config Audit.
- You cannot configure tag-based scans for use by pre-authorized scanners in the AWS Marketplace. However, you can configure tag-based scans for BYOL scanners in the AWS Marketplace.
To resolve a tag to a scan target, Tenable.io does the following:
Tenable.io matches a tag that you set in the scan to any asset where that tag is applied.
For each matching asset record, Tenable.io determines whether the asset was previously scanned by Nessus and has the last-scanned FQDN or IP address noted.
- If Tenable.io can identify the asset's last-scanned FQDN or IP address, Tenable.io uses that as the target for the tag-based scan.
- If Tenable.io is unable to determine the asset's last-scanned FQDN or IP address, Tenable.io determines which asset identifiers are present in the record. Asset identifiers include FQDN, IPv4 address, or IPv6 address. Depending on scan findings, an asset record can contain multiple identifiers.
If multiple identifiers are present in the asset record, Tenable.io evaluates the identifiers in the following order to determine a single target:
If one or more FQDNs are present, the scan target is the FQDN most recently added to the record.
If no FQDNs are present, and one or more IPv4 addresses are present, the scan target is the IPv4 address most recently added to the record.
If no FQDNS or IPv4 addresses are present, and one or more IPv6 addresses are present, the scan target is the IPv6 address most recently added to the record.
Note: When evaluating IPv4 and IPv6 addresses, Tenable.io excludes any local or broadcast addresses from consideration.