Findings

Every attack path contains one or more attack techniques. Every network includes multiple attack paths. Tenable helps you to focus on the most important paths by highlighting:

• Attack paths that lead to critical assets.

• Assets with an ACR greater than 7.

• Other Tenable defined static identifiers, such as Domain Admins.

A Finding is an attack technique that exists in one or more attack paths that lead to one or more critical assets. The Findings tab in Attack Path Analysis takes your data and pairs it with advanced graph analytics and the MITRE ATT&CK^® Framework to create Findings, which allow you to understand and act on the unknowns that enable and amplify threat impact on your assets and information.

Before you begin:

Ensure you have the following:

• Tenable Vulnerability Management Basic Network Scan with credentials.

• One of the following:

  • A Tenable Vulnerability Management basic scan using the Active Directory Identity scan template. This scan type requires fewer permissions, and provides a basic overview of your active directory entities.

    Note: You can run this scan type on its own, or as part of a Basic Network Scan. In a Basic scan, you must ensure the Collect Identity Data from Active Directory option is enabled in the Discovery section.

  • Tenable Identity Exposure SaaS deployed.

  Note: Because the plugin only supports up to 7,000 identities, the Active Directory Identity scan template is not designed for large environments, but is instead intended to help small customers kick start their use of Attack Path Analysis. Tenable recommends that larger customers deploy Tenable Identity Exposure.

• A default Tenable Web App Scanning scan, including injection plugins.

• An AWS connection with a Tenable Cloud Security scan policy including all vulnerabilities and available AWS resources.

• Tenable recommends the following:

  • Have at least 60% of assets scanned via an authenticated scan.

  • Select maximum verbosity in the Basic Network Scan.

  • When using Tenable Identity Exposure, enable privileged analysis. This option highlights key attack vectors used by hackers and gives you a better understanding of your attack surface, including credential auditing and password analysis.

  • A scan frequency of at least once a week.

• At least one attack technique found within Attack Path Analysis.

• At least one attack path generated within Attack Path Analysis.

• Attack paths that use the previously mentioned attack technique and lead to at least one critical asset.

To access the Findings tab:

1. In the upper-left corner of the page, click the button.

2. In the Analytics section, click Attack Path Analysis.

   Attack Path Analysis appears. By default, the Findings tab is active.

   

On the Findings tab, you can:

• View Findings tiles:

  • Open Findings — View the total number of open findings within Attack Path Analysis. Also, view the number of open findings in each priority level.

  • Archived Findings —View the total number of archived findings within Attack Path Analysis. Also, view the number of archived findings in each priority level.

  • Total — View the total number of findings within Attack Path Analysis. Also, view the number of total findings in each priority level.

  Click on a tile to filter the Findings list by that type of finding.

• View the Findings list, where you can:

  • Filter the Findings list:

    1. At the top of the Findings list, click inside the search box.

       The Choose your filter drop-down box appears where you can use the following filters:

       Filter	Description
       Priority	Filters by priority: critical, high, medium, or low.
       Status	Filters by status: To Do, In Progress, In Review, and Done.
       Source	Filters by the attack path source.
       Target	Filters by the attack path target.
       CVE	Filters by specific CVEs.
       Mitigations	Filters by mitigations for the attack techniques.
       Tactic	Filters attack techniques with similar tactics.
       Technique	Filters by attack techniques. For more information about attack techniques, see Attack Path Analysis Techniques.

    2. Select the filter you want to use to filter the Findings list.

       The Choose operator drop-down box appears.

    3. Select the operator you want to use to filter the Findings list.

       The Choose value drop-down box appears.

    4. Select the value you want to use to filter the Findings list.

    5. Click Apply.

       The Attack Path Analysis filters the Findings list based on your criteria.

  • Show/hide columns in the Findings list:

    1. In the upper-right corner of the Findings list, click the button.

       A drop-down menu appears.

    2. Select or deselect the check box next to the column you want to show or hide in the Findings list.

       The Findings list updates based on your selection.

  • Export a finding.

  • Archive a finding.

  • Change the status of a finding.

    Tip: See View Log History for more information about finding statuses.

  • Click View Path to navigate to the Discover tab, where you can view a graphical representation of the attack path and interact with more attack path data.

  • View the following finding information:

    • New — A New tag appears whenever Attack Path Analysis detects a new finding. The Findings page retains the New tag only for findings not older than 5 days or until a user clicks on the finding.

    • Priority — The priority, or criticality, of the finding, for example, Critical.

      Note: By default, the Findings list sorts findings by highest priority first.

    • MITRE ATT&CK Id — The MITRE ATT&CK identification number for the finding. Click an identification number to navigate directly to the MITRE ATT&CK listing for the finding.

    • Technique — The MITRE ATT&CK technique associated with the finding.

    • From — The origin of the finding.

    • To — The target of the finding.

    • Status — The status to indicate the action taken on the finding, for example, In Progress.

  • Click on a finding to view additional finding details.