Findings

Every attack path contains one or more attack techniques. Every network includes multiple attack paths. Tenable helps you to focus on the most important paths by highlighting:

  • Attack paths that lead to critical assets.

  • Assets with an ACR (Asset Criticality Rating) greater than 7.

  • Other Tenable-defined static identifiers, such as Domain Admins.

A Finding is an attack technique that exists in one or more attack paths that lead to one or more critical assets. The Findings tab in Attack Path Analysis takes your data and pairs it with advanced graph analytics and the MITRE ATT&CK® Framework to create Findings, which allow you to understand and act on the unknowns that enable and amplify threat impact on your assets and information.

Before you begin:

For Attack Path Analysis, ensure you have the following:

  • Tenable Vulnerability Management Basic Network Scan with credentials.
  • One of the following:

    • A Tenable Vulnerability Management basic scan using the Active Directory Identity scan template. This scan type requires fewer permissions and provides a basic overview of your Active Directory entities.

      Note: You can run this scan type on its own, or as part of a Basic Network Scan. In a Basic scan, you must ensure the Collect Identity Data from Active Directory option is enabled in the Discovery section.
    • Tenable Identity Exposure SaaS deployed.

    Note: Because the plugin only supports up to 7,000 identities, the Active Directory Identity scan template is not designed for large environments, but is instead intended to help small customers kick start their use of Attack Path Analysis. Tenable recommends that larger customers deploy Tenable Identity Exposure.
  • Tenable recommends the following:

    • Have at least 60% of assets scanned via an authenticated scan.

    • Select maximum verbosity in the Basic Network Scan.

    • A default Tenable Web App Scanning scan, including injection plugins.

    • An AWS connection with a Tenable Cloud Security scan policy including all vulnerabilities and available AWS resources.

    • When using Tenable Identity Exposure, enable privileged analysis. This option highlights key attack vectors used by attackers and gives you a better understanding of your attack surface, including credential auditing and password analysis.

    • A scan frequency of at least once a week.

  • At least one attack technique found within Attack Path Analysis.

  • At least one attack path generated within Attack Path Analysis.

  • Attack paths that use the previously mentioned attack technique and lead to at least one critical asset.

To access the Findings tab:

  1. In the upper-left corner of the page, click the button.

  2. In the Analytics section, click Attack Path Analysis.

    Attack Path Analysis appears. By default, the Findings tab is active.

On the Findings tab, you can:

  • View Findings tiles:

    • Open Findings — View the total number of open findings within Attack Path Analysis. Also, view the number of open findings in each priority level.

    • Archived Findings — View the total number of archived findings within Attack Path Analysis. Also, view the number of archived findings in each priority level.

    • Total — View the total number of findings within Attack Path Analysis. Also, view the number of total findings in each priority level.

    Click on a tile to filter the Findings list by that type of finding.

  • View the Findings list, where you can:

    • Export a finding.

    • Archive a finding.

    • Change the status of a finding.

      Tip: See View Log History for more information about finding statuses.
    • Click View Path to navigate to the Discover tab, where you can view a graphical representation of the attack path and interact with more attack path data.

    • View the following finding information:

      • New — A New tag appears when Attack Path Analysis detects a new finding. The Findings page keeps the New tag until the finding is 5 days old or a user clicks the finding, whichever comes first.

      • Priority — The priority, or criticality, of the finding, for example, Critical.

        Note: By default, the Findings list sorts findings by highest priority first.

        Note: When calculating the priority, Attack Path Analysis considers the following:

        • The number of attack paths in which the finding is present, relative to the total number of attack paths.

        • The number of critical assets to which those attack paths lead, relative to the total number of critical assets.

        • The tactic used, for example, lateral movement or privilege escalation.
      • MITRE ATT&CK Id — The MITRE ATT&CK identification number for the finding. Click an identification number to navigate directly to the MITRE ATT&CK listing for the finding.

      • Technique — The MITRE ATT&CK technique associated with the finding.

      • From — The origin of the finding.

      • To — The target of the finding.

      • Status — The status to indicate the action taken on the finding, for example, In Progress.

    • Click on a finding to view additional finding details.
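To make the definition of a Finding and the three priority factors listed above concrete, here is an added Python example. It is not Tenable code and it is not Tenable's scoring algorithm, which this page does not publish: the 0.4/0.4/0.2 weighting, the per-tactic weights, and the score-to-priority bands are assumptions chosen for illustration. It takes a constructed set of attack paths (invented hostnames and ACR values), keeps only techniques that appear on at least one path to a critical asset (ACR greater than 7), computes the two ratios from the note above, and ranks the resulting findings highest priority first.

```python
"""Derive and rank Findings from attack paths.

Added illustration only: the factor weighting, tactic weights and priority
bands below are assumptions, not Tenable's published algorithm.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Technique:
    attack_id: str  # MITRE ATT&CK technique ID, e.g. "T1021"
    name: str
    tactic: str


@dataclass(frozen=True)
class AttackPath:
    source: str
    target: str
    target_acr: int    # Asset Criticality Rating of the target asset, 1-10
    techniques: tuple  # ordered Technique objects along the path


@dataclass
class Finding:
    technique: Technique
    path_count: int
    critical_targets: frozenset
    priority_score: float


# ASSUMED tactic weights: tactics that directly reach a critical asset rank higher.
TACTIC_WEIGHT = {
    "privilege-escalation": 1.0,
    "lateral-movement": 0.9,
    "credential-access": 0.8,
    "discovery": 0.3,
}
ACR_CRITICAL_THRESHOLD = 7  # page: assets with an ACR greater than 7 are highlighted


def is_critical(acr: int) -> bool:
    return acr > ACR_CRITICAL_THRESHOLD


def derive_findings(paths):
    """Return Findings sorted highest priority first (ties broken by ATT&CK ID)."""
    total_paths = len(paths)
    critical_assets = {p.target for p in paths if is_critical(p.target_acr)}
    if not total_paths or not critical_assets:
        return []  # no path leads to a critical asset, so there are no findings

    paths_with = defaultdict(list)
    for p in paths:
        for t in set(p.techniques):  # count each path once per technique
            paths_with[t].append(p)

    findings = []
    for t, tpaths in paths_with.items():
        crit_targets = frozenset(p.target for p in tpaths if is_critical(p.target_acr))
        if not crit_targets:
            continue  # technique only appears on paths to non-critical assets: not a finding
        path_ratio = len(tpaths) / total_paths            # factor 1 from the note above
        crit_ratio = len(crit_targets) / len(critical_assets)  # factor 2
        tactic_w = TACTIC_WEIGHT.get(t.tactic, 0.5)       # factor 3
        score = 0.4 * path_ratio + 0.4 * crit_ratio + 0.2 * tactic_w  # ASSUMED weighting
        findings.append(Finding(t, len(tpaths), crit_targets, round(score, 3)))
    findings.sort(key=lambda f: (-f.priority_score, f.technique.attack_id))
    return findings


def priority_label(score: float) -> str:
    """ASSUMED bands mapping a score onto the page's priority levels."""
    if score >= 0.75:
        return "Critical"
    if score >= 0.5:
        return "High"
    if score >= 0.25:
        return "Medium"
    return "Low"


# Constructed sample data: hostnames and ACR values are invented for this example.
DISCOVERY = Technique("T1087", "Account Discovery", "discovery")
CRED_DUMP = Technique("T1003", "OS Credential Dumping", "credential-access")
REMOTE_SVC = Technique("T1021", "Remote Services", "lateral-movement")
PRIV_EXPLOIT = Technique("T1068", "Exploitation for Privilege Escalation", "privilege-escalation")
REMOTE_EXPLOIT = Technique("T1210", "Exploitation of Remote Services", "lateral-movement")

SAMPLE_PATHS = [
    AttackPath("WS01", "DC01", 10, (DISCOVERY, CRED_DUMP, REMOTE_SVC)),
    AttackPath("WS02", "DC01", 10, (CRED_DUMP, REMOTE_SVC)),
    AttackPath("WS03", "FS01", 8, (PRIV_EXPLOIT, REMOTE_SVC)),
    AttackPath("WS04", "PRINT01", 3, (DISCOVERY, REMOTE_EXPLOIT, REMOTE_SVC)),  # not critical
]

if __name__ == "__main__":
    for f in derive_findings(SAMPLE_PATHS):
        print(f"{priority_label(f.priority_score):8} {f.technique.attack_id} "
              f"{f.technique.name}: {f.path_count}/{len(SAMPLE_PATHS)} paths, "
              f"critical targets {sorted(f.critical_targets)}, score {f.priority_score}")
```

With the sample data, T1021 (present on every path and reaching both critical assets) ranks first, while T1210 produces no finding at all because its only path ends at the non-critical print server; that exclusion is the definition of a Finding from the top of this page, and it is why the prerequisites require at least one path that leads to a critical asset.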