Findings Filters
On the Findings page, you can filter and view analytics for the following findings types:
You can save a set of commonly used filters as a saved filter to access later or share with other members of your team.
Note: To optimize performance, Tenable limits the number of filters that you can apply to any Explore > Findings or Assets views (including Group By tables) to 18.
Note: You can also right-click on values within a table cell to use the Filter By option. For more information, see Right-Click Filtering.

Option | Description |
---|---|
Asset ID | The UUID of the asset where a scan detected the finding. This value is unique to Tenable Vulnerability Management. |
Asset Name |
The name of the asset where a scan detected the vulnerability. This value is unique to Tenable Vulnerability Management. |
Asset Tags |
A unique filter that searches tag (category: value) pairs. When you type a tag value, you must use the category: value syntax, including the space after the colon (:). You can use commas (,) to separate values. If there is a comma in the tag name, insert a backslash (\) before the comma. For more information, see tags. Note: If your tag name includes double quotation marks (" "), you must use the UUID instead. |
Bugtraq ID | The Bugtraq ID for the plugin that identified the vulnerability. |
Canvas Exploit | The name of the CANVAS exploit pack that includes the vulnerability. |
CERT Advisory ID | The ID of the CERT advisory related to the vulnerability. |
CERT Vulnerability ID | The ID of the vulnerability in the CERT Vulnerability Notes Database. |
CISA KEV Due Date |
The date on which Cybersecurity and Infrastructure Security Agency (CISA) Known Exploitable Vulnerability (KEV) remediation is due, as per Binding Operational Directive 22-01. Searches by the earliest due date for KEVs associated with the plugin. For more information, see the Known Exploited Vulnerabilities Catalog. |
CORE Exploit Framework | Indicates whether an exploit for the vulnerability exists in the CORE Impact framework. |
CPE |
The Common Platform Enumeration (CPE) numbers for vulnerabilities that the plugin identifies. (200 value limit) |
CVE |
The Common Vulnerability and Exposure (CVE) IDs for the vulnerabilities that the plugin identifies. (200 value limit) |
CVSSv2 Base Score |
The CVSSv2 base score (intrinsic and fundamental characteristics of a vulnerability that are constant over time and user environments). |
CVSSv2 Temporal Score | The CVSSv2 temporal score (characteristics of a vulnerability that change over time but not among user environments). |
CVSSv2 Temporal Vector | CVSSv2 temporal metrics for the vulnerability. |
CVSSv2 Vector |
The raw CVSSv2 metrics for the vulnerability. For more information, see CVSSv2 documentation. |
CVSSv3 Base Score | The CVSSv3 base score (intrinsic and fundamental characteristics of a vulnerability that are constant over time and user environments). |
CVSSv3 Temporal Score | The CVSSv3 temporal score (characteristics of a vulnerability that change over time but not among user environments). |
CVSSv3 Temporal Vector | CVSSv3 temporal metrics for the vulnerability. |
CVSSv3 Vector | More CVSSv3 metrics for the vulnerability. |
CWE | The Common Weakness Enumeration (CWE) for the vulnerability. |
Default/Known Account | Indicates whether the plugin that identified the vulnerability checks for default accounts. |
Elliot Exploit | The name of the exploit for the vulnerability in the D2 Elliot Web Exploitation framework. |
Exploit Database ID | The ID of the vulnerability in the Exploit Database. |
Exploitability Ease | A description of how easy it is to exploit the vulnerability. |
Exploited By Malware | Indicates whether the vulnerability is known to be exploited by malware. |
Exploited By Nessus | Indicates whether Tenable Nessus exploited the vulnerability during the process of identification. |
Exploit Hub | Indicates whether an exploit for the vulnerability exists in the ExploitHub framework. |
Finding ID |
The unique ID for the individual finding. Note: You can view the ID for a finding by accessing the Findings Details page for the findings and checking the page URL. The finding ID is the alpha-numeric text that appears in the path between details and asset. |
First Seen |
The date when a scan first found the vulnerability on an asset. |
IAVA ID | The ID of the information assurance vulnerability alert (IAVA) for the vulnerability. |
IAVB ID | The ID of the information assurance vulnerability bulletin (IAVB) for the vulnerability. |
IAVM Severity | The severity of the vulnerability in Information Assurance Vulnerability Management (IAVM). |
IAVT ID | The ID of the information assurance vulnerability technical bulletin (IAVT) for the vulnerability. |
In The News | Indicates whether this plugin has received media attention (for example, ShellShock, Meltdown). |
IPv4 Address | The IPv4 address for the affected asset. You can add up to 100 IP addresses to this filter. |
IPv6 Address | The IPv6 address for the affected asset. |
Last Fixed | The last time a previously detected vulnerability was scanned and noted as no longer present on an asset. |
Last Seen |
The date when a scan last found the vulnerability on an asset. |
Malware | Indicates whether the plugin that identified the vulnerability checks for malware. |
Metasploit Exploit | The name of the related exploit in the Metasploit framework. |
Microsoft Bulletin | The Microsoft security bulletin that the plugin, which identified the vulnerability, covers. |
Original Severity |
The vulnerability's CVSS-based severity when a scan first detected the finding. For more information, see CVSS vs. VPR. |
OSVDB ID | The ID of the vulnerability in the Open Sourced Vulnerability Database (OSVDB). |
Patch Published |
The date on which the vendor published a patch for the vulnerability. |
Plugin Description |
The description of the Tenable plugin that identified the vulnerability. |
Plugin Family |
The family of the plugin that identified the vulnerability. (200 value limit) |
Plugin ID |
The ID of the plugin that identified the vulnerability. (200 value limit) |
Plugin Modification Date |
The date at which the plugin that identified the vulnerability was last modified. |
Plugin Name |
The name of the plugin that identified the vulnerability. |
Plugin Output |
Specify a regular expression (regex) value that must appear in the plugin output for all results. Note: The Plugin Output filter must be manually enabled in Settings and cannot be disabled once enabled. For information about how to enable the filter and use it, see Plugin Output filter. |
Plugin Published |
The date on which the plugin that identified the vulnerability was published. |
Plugin Type |
The general type of plugin check. Possible options are:
|
Port | Information about the port the scanner used to connect to the asset where the scan detected the vulnerability. (200 value limit) |
Protocol | The protocol the scanner used to communicate with the asset where the scan detected the vulnerability. |
Risk Modified |
The risk modification applied to the vulnerability's severity. Possible options are:
For more information, see Recast/Accept Rules. |
Scan Origin |
The scanner that detected the finding. |
Secunia ID | The ID of the Secunia research advisory related to the vulnerability. |
See Also |
Links to external websites that contain helpful information about the vulnerability. |
Severity |
The vulnerability's CVSS-based severity. For more information, see CVSS vs. VPR. This filter appears in the filters plane by default, with Critical, High, Medium, and Low selected. |
Solution |
A brief summary of how you can remediate the vulnerability. |
Source |
The source of the scan that identified the asset. Possible values are:
|
State |
The state of the vulnerability. For more information, see Vulnerability States. This filter appears in the filters plane by default, with Active and Resurfaced selected. |
Stig Severity | The STIG severity associated with the finding. |
Synopsis | A brief description of the plugin or vulnerability. |
Target Groups | A target group or groups associated with the scan that identified the vulnerability. For more information, see Target Groups. |
Unsupported by Vendor | Software found by this plugin is unsupported by the software's vendor (for example, Windows 95 or Firefox 3). |
VPR |
The Vulnerability Priority Rating Tenable calculated for the vulnerability. |
Vulnerability Published |
The date when the vulnerability definition was first published (for example, the date that the CVE was published). |

Cloud Misconfiguration Filters
Option | Description | |
---|---|---|
Filters | ||
Account ID | The unique identifier assigned to the asset resource in the cloud service that hosts the asset on which a scan detected the finding. | |
ARN | The Amazon Resource Name (ARN) for the asset on which a scan detected the finding. | |
Asset ID | The UUID of the asset on which a scan detected the finding. This value is unique to Tenable Vulnerability Management. | |
Benchmark | The benchmark associated with the finding. | |
Cluster | The cluster associated with the finding. | |
Created Time | The time and date when Tenable Vulnerability Management created the asset record on which a scan detected the finding. | |
Criticality | The criticality of the vulnerability finding. | |
Exists in Cloud | Indicates whether the affected cloud resource exists in a cloud environment. | |
Exists in IAC | Indicates whether the affected asset was created via Infrastructure as Code (IaC). | |
Finding ID |
The unique ID for the individual finding. Note: You can view the ID for a finding by accessing the Findings Details page for the findings and checking the page URL. The finding ID is the alpha-numeric text that appears in the path between details and asset. |
|
First Seen |
The date when Tenable Vulnerability Management first scanned the affected asset. |
|
Found in TF State |
Indicates whether or not the finding was discovered in a TF state. |
|
First Seen |
The date when Tenable Vulnerability Management first scanned the affected asset. |
|
IaC Resource Type | The Infrastructure as Code (IAC) resource type of the asset. | |
IaC Type | The Infrastructure as Code (IAC) type of the asset. | |
Ignored | Indicates whether Tenable Vulnerability Management ignored the policy violation when calculating the finding's severity. | |
Immutable Drift | Indicates whether the asset has immutable drifts. For more information, see Set up Drift Analysis in the Tenable Cloud Security User Guide. | |
Is Attribute | Specifies whether the asset is an attribute. | |
Last Fixed | The date when the finding was last fixed. | |
Last Scan Time | The date when a scan was last run against the finding. | |
Last Seen |
The date when Tenable Vulnerability Management last scanned the affected asset. |
|
Managed By | The name of the person, group, or company that manages the affected asset. | |
Policy Category | The policy category associated with the finding. | |
Policy ID | The unique ID for the cloud policy associated with the affected asset. | |
Policy Name | The unique ID for the cloud policy associated with the affected asset. | |
Policy Type | The unique ID for the cloud policy associated with the affected asset. | |
Project | The project associated with the finding. | |
Provider | The third-party provider associated with the finding. | |
Region | The cloud region where the affected asset runs. | |
Repositories | Any code repositories associated with the affected asset. | |
Resource Category | The category of the asset resource in the cloud service that hosts the affected asset. | |
Resource ID | The ID of the asset resource in the cloud service that hosts the affected asset. | |
Resource Name | The name of the asset resource in the cloud service that hosts the affected asset. | |
Resource Type | The type of the asset resource in the cloud service that hosts the affected asset. | |
Result |
The outcome of the scan. Possible options are:
|
|
Rule ID | The unique ID for the security rule for which the scanner found a violation. | |
Rule Reference ID | The reference ID for the security rule for which the scanner found a violation. | |
Severity |
The vulnerability's CVSS-based severity. For more information, see CVSS vs. VPR. This filter appears in the filters plane by default, with Critical, High, Medium, and Low selected. |
|
Source Line | The source line associated with the finding. | |
Updated Time |
The time and date when the asset record was last updated. |
|
Version |
The version associated with the finding. |
|
VPC |
The unique identifier of the public cloud that hosts the AWS virtual machine instance. For more information, see the Amazon Virtual Private Cloud User Guide. |

Option | Description |
---|---|
Filters | |
Asset ID |
The UUID of the asset where a scan detected the finding. This value is unique to Tenable Vulnerability Management. |
Asset Name |
The name of the asset on which the scanner performed an audit check. This value is unique to Tenable Vulnerability Management. |
Asset Tags |
A unique filter that searches tag (category: value) pairs. When you type a tag value, you must use the category: value syntax, including the space after the colon (:). You can use commas (,) to separate values. If there is a comma in the tag name, insert a backslash (\) before the comma. For more information, see tags. Note: If your tag name includes double quotation marks (" "), you must use the UUID instead. |
Audit File | The name of the audit file the scanner used to perform the audit scan. |
Audit Name |
The name Tenable assigned to the audit. |
Control ID | The UUID of the control instance applied on the system that hosts the impacted asset. This value is unique to Tenable Vulnerability Management. |
First Audited | The date on which a scan first audited the asset. |
Last Audited |
The date on which a scan last audited the asset. |
Last Fixed | The date when the finding was last fixed. |
Plugin Name |
The name of the plugin that identified the audit finding. |
Result |
The outcome of the audit scan. Possible options are:
This filter appears in the filters plane by default. |
Severity |
The vulnerability's CVSS-based severity. For more information, see CVSS vs. VPR. This filter appears in the filters plane by default, with Critical, High, Medium, and Low selected. |
State |
The state of the vulnerability. Possible options are:
This filter appears in the filters plane by default, with Active and Resurfaced selected. |

Option | Description |
---|---|
Asset ID | The UUID of the asset where a scan detected the vulnerability. This value is unique to Tenable Vulnerability Management. |
Asset Name |
The name of the asset where the scanner detected the vulnerability. This value is unique to Tenable Vulnerability Management. This filter appears on the filter plane by default. |
Bugtraq ID | The Bugtraq ID for the plugin that identified the vulnerability. |
CPE |
The Common Platform Enumeration (CPE) numbers for vulnerabilities that the plugin identifies. (200 value limit) |
CVE |
The Common Vulnerability and Exposure (CVE) IDs for the vulnerabilities that the plugin identifies. (200 value limit) |
CVSSv2 Base Score | The CVSSv2 base score (intrinsic and fundamental characteristics of a vulnerability that are constant over time and user environments). |
CVSSv2 Vector |
The raw CVSSv2 metrics for the vulnerability. For more information, see CVSSv2 documentation. |
CVSSv3 Base Score | The CVSSv3 base score (intrinsic and fundamental characteristics of a vulnerability that are constant over time and user environments). |
CVSSv3 Vector | More CVSSv3 metrics for the vulnerability. |
CWE | The Common Weakness Enumeration (CWE) for the vulnerability. |
First Seen |
The date when a scan first found the vulnerability on an asset. |
Input Name | The name of the specific web application component that the vulnerability exploits. |
Input Type | The web application component type (for example, form, cookie, header) that the vulnerability exploits. |
IPv4 Address | The IPv4 address for the affected asset. You can add up to 100 IP addresses to this filter. |
Last Fixed | The date when the finding was last fixed. |
Last Seen | The date when a scan last observed the finding. |
Original Severity |
The vulnerability's CVSS-based severity when a scan first detected the finding. For more information, see CVSS vs. VPR. |
OWASP 2010 | The Open Web Application Security Project (OWASP) 2010 category for the vulnerability targeted by the plugin. |
OWASP 2013 |
The Open Web Application Security Project (OWASP) 2013 category for the vulnerability targeted by the plugin. |
OWASP 2017 | The Open Web Application Security Project (OWASP) 2017 category for the vulnerability targeted by the plugin. |
OWASP 2021 | The Open Web Application Security Project (OWASP) 2021 category for the vulnerability targeted by the plugin. |
OWASP API 2019 |
The Open Web Application Security Project (OWASP) 2019 category for the API vulnerability targeted by the plugin. Possible options are:
|
Plugin Description |
The description of the Tenable plugin that identified the vulnerability. |
Plugin Family |
The family of the plugin that identified the vulnerability. (200 value limit) |
Plugin ID |
The ID of the plugin that identified the vulnerability. (200 value limit) |
Plugin Modification Date |
The date on which the plugin was last modified. |
Plugin Name |
The name of the plugin that identified the audit finding. |
Plugin Published |
The date on which the plugin that identified the vulnerability was published. |
Risk Modified |
The risk modification applied to the vulnerability's severity. Possible options are:
For more information, see Recast/Accept Rules. |
See Also | Links to external websites that contain helpful information about the vulnerability. |
Severity |
The CVSS score-based severity. For more information, see CVSS Scores vs. VPR in the Tenable Vulnerability Management User Guide. This filter appears in the filters plane by default, with Critical, High, Medium, and Low selected. |
Solution |
A brief summary of how you can remediate the vulnerability. |
State |
The state of the vulnerability detected in the finding. For more information, see Vulnerability States. This filter appears in the filters plane by default, with Active and Resurfaced selected. |
Url |
The complete URL on which the scanner detected the vulnerability. This filter appears in the filters plane by default. |
WASC |
The Web Application Security Consortium (WASC) category associated with the vulnerability targeted by the plugin. |