Findings Filters
On the Findings page, you can filter and view analytics for the following findings types:
You can save a set of commonly used filters as a saved filter to access later or share with other members of your team.
Note: To optimize performance, Tenable limits the number of filters that you can apply to any Explore > Findings or Assets views (including Group By tables) to 18.
Note: When Tenable Vulnerability Management identifies the same finding on multiple scans, it only stores the most recent result. For example, if an Agent scan identifies a finding and then a later Tenable Nessus scan identifies the same finding, that finding is associated with the Tenable Nessus scan. If you can't locate a known finding with a filter such as Source, search for the finding directly.
Vulnerabilities Filters
| Option | Description |
|---|---|
| Asset ID | The UUID of the asset where a scan detected the finding. This value is unique to Tenable Vulnerability Management. |
| Asset Name |
The name of the asset where a scan detected the vulnerability. This value is unique to Tenable Vulnerability Management. This filter is case-sensitive, but you can use the wildcard character to turn this off. |
| Asset Tags |
Asset tags, entered in pairs of category and value (for example Network: Headquarters). This includes the space after the colon (:). If there is a comma in the tag name, insert a backslash (\) before the comma. If your tag name includes double quotation marks (" "), use the UUID instead. You can add a maximum of 100 tags. For more information, see Tags. |
| Bugtraq ID | The Bugtraq ID for the plugin that identified the vulnerability. |
| Canvas Exploit | The name of the CANVAS exploit pack that includes the vulnerability. |
| CERT Advisory ID | The ID of the CERT advisory related to the vulnerability. |
| CERT Vulnerability ID | The ID of the vulnerability in the CERT Vulnerability Notes Database. |
| CISA KEV Due Date |
The date on which Cybersecurity and Infrastructure Security Agency (CISA) Known Exploitable Vulnerability (KEV) remediation is due, as per Binding Operational Directive 22-01. Searches by the earliest due date for KEVs associated with the plugin. For more information, see the Known Exploited Vulnerabilities Catalog. |
| CORE Exploit Framework | Indicates whether an exploit for the vulnerability exists in the CORE Impact framework. |
| CPE |
The Common Platform Enumeration (CPE) numbers for vulnerabilities that the plugin identifies. (200 value limit) |
| CVE |
The Common Vulnerability and Exposure (CVE) IDs for the vulnerabilities that the plugin identifies. (200 value limit) |
| CVSSv2 Base Score |
The CVSSv2 base score (intrinsic and fundamental characteristics of a vulnerability that are constant over time and user environments). |
| CVSSv2 Temporal Score | The CVSSv2 temporal score (characteristics of a vulnerability that change over time but not among user environments). |
| CVSSv2 Temporal Vector | CVSSv2 temporal metrics for the vulnerability. |
| CVSSv2 Vector |
The raw CVSSv2 metrics for the vulnerability. For more information, see CVSSv2 documentation. |
| CVSSv3 Base Score | The CVSSv3 base score (intrinsic and fundamental characteristics of a vulnerability that are constant over time and user environments). |
| CVSSv3 Temporal Score | The CVSSv3 temporal score (characteristics of a vulnerability that change over time but not among user environments). |
| CVSSv3 Temporal Vector | CVSSv3 temporal metrics for the vulnerability. |
| CVSSv3 Vector | More CVSSv3 metrics for the vulnerability. |
| CWE | The Common Weakness Enumeration (CWE) for the vulnerability. |
| Default/Known Account | Indicates whether the plugin that identified the vulnerability checks for default accounts. |
| Elliot Exploit | The name of the exploit for the vulnerability in the D2 Elliot Web Exploitation framework. |
| Exploit Database ID | The ID of the vulnerability in the Exploit Database. |
| Exploitability Ease | A description of how easy it is to exploit the vulnerability. |
| Exploited By Malware | Indicates whether the vulnerability is known to be exploited by malware. |
| Exploited By Nessus | Indicates whether Tenable Nessus exploited the vulnerability during the process of identification. |
| Exploit Hub | Indicates whether an exploit for the vulnerability exists in the ExploitHub framework. |
| Finding ID |
The unique ID for the individual finding. Note: You can view the ID for a finding by accessing the Findings Details page for the findings and checking the page URL. The finding ID is the alpha-numeric text that appears in the path between details and asset. |
| First Seen |
The date when a scan first found the vulnerability on an asset. |
| IAVA ID | The ID of the information assurance vulnerability alert (IAVA) for the vulnerability. |
| IAVB ID | The ID of the information assurance vulnerability bulletin (IAVB) for the vulnerability. |
| IAVM Severity | The severity of the vulnerability in Information Assurance Vulnerability Management (IAVM). |
| IAVT ID | The ID of the information assurance vulnerability technical bulletin (IAVT) for the vulnerability. |
| In The News | Indicates whether this plugin has received media attention (for example, ShellShock, Meltdown). |
| IPv4 Address | The IPv4 address for the affected asset. You can add up to 256 IP addresses to this filter. |
| IPv6 Address | The IPv6 address for the affected asset. |
| Last Fixed |
The last time a previously detected vulnerability was scanned and noted as no longer present on an asset. |
| Last Seen |
The date when a scan last found the vulnerability on an asset. |
| Malware | Indicates whether the plugin that identified the vulnerability checks for malware. |
| Metasploit Exploit | The name of the related exploit in the Metasploit framework. |
| Microsoft Bulletin | The Microsoft security bulletin that the plugin, which identified the vulnerability, covers. |
| Original Severity |
The vulnerability's CVSS-based severity when a scan first detected the finding. For more information, see CVSS vs. VPR. |
| OSVDB ID | The ID of the vulnerability in the Open Sourced Vulnerability Database (OSVDB). |
| Patch Published |
The date on which the vendor published a patch for the vulnerability. |
| Plugin Description |
The description of the Tenable plugin that identified the vulnerability. |
| Plugin Family |
The family of the plugin that identified the vulnerability. (200 value limit) |
| Plugin ID |
The ID of the plugin that identified the vulnerability. (200 value limit) |
| Plugin Modification Date |
The date at which the plugin that identified the vulnerability was last modified. |
| Plugin Name |
The name of the plugin that identified the vulnerability. |
| Plugin Output |
Use this filter to return findings with plugin output you specify. Search for plugin output that contains a value or does not contain it, as described in Use Filters. If your search is too broad, the system suggests adding Plugin ID and Last Seen to refine the results and then displays the top ten plugins from that search. For example, to search for output that contains “Kernel,” in Advanced mode, type: Plugin Output contains Kernel Note: Manually enable this filter in Settings > General Search > Enable Plugin Output Search. If you do not use this filter for 35 days, it is disabled again.
Plugin Output search best practices...
Since plugin outputs can be large, broad searches may cause system timeouts! For the best results, combine the Plugin Output filter with the Plugin ID and Last Seen filters. Limit the number of plugin IDs you search at once. Specify plugin ID(s) to search for plugins or exclude them. These approaches apply to different use cases. For example, include plugins when searching for software listings by operating system. Exclude plugins from exploratory searches where the top plugins appear too frequently.
|
| Plugin Published |
The date on which the plugin that identified the vulnerability was published. |
| Plugin Type |
The general type of plugin check. Possible options are:
|
| Port | Information about the port the scanner used to connect to the asset where the scan detected the vulnerability. (200 value limit) |
| Protocol | The protocol the scanner used to communicate with the asset where the scan detected the vulnerability. |
| Resurfaced Date | The most recent date that a scan detected a Resurfaced vulnerability which was previously Fixed. If a vulnerability is Resurfaced multiple times, only the most recent date appears. |
| Risk Modified |
The risk modification applied to the vulnerability's severity. Possible options are:
For more information, see Recast/Accept Rules. |
| Scan Origin |
The scanner that detected the finding. |
| Secunia ID | The ID of the Secunia research advisory related to the vulnerability. |
| See Also |
Links to external websites that contain helpful information about the vulnerability. |
| Severity |
The vulnerability's CVSS-based severity. For more information, see CVSS vs. VPR. This filter appears in the filters plane by default, with Critical, High, Medium, and Low selected. |
| Solution |
A brief summary of how you can remediate the vulnerability. |
| Source |
The source of the scan that identified the asset. Possible values are:
|
| State |
The state of the vulnerability detected in the finding. Appears in the filters plane by default, with Active, Resurfaced, and New selected. For more information, see Vulnerability States. |
| Stig Severity | The STIG severity associated with the finding. |
| Synopsis | A brief description of the plugin or vulnerability. |
| Target Groups | A target group or groups associated with the scan that identified the vulnerability. For more information, see Target Groups. |
| Time Taken to Fix |
How long it took your organization to fix a vulnerability identified on a scan, in hours or days. Only appears for Fixed vulnerabilities. Use this filter along with the State filter set to Fixed for more accurate results. |
| Unsupported by Vendor | Software found by this plugin is unsupported by the software's vendor (for example, Windows 95 or Firefox 3). |
| VPR |
The Vulnerability Priority Rating Tenable calculated for the vulnerability. |
| Vulnerability Published |
The date when the vulnerability definition was first published (for example, the date that the CVE was published). |
Cloud
Cloud Misconfiguration Filters
| Option | Description | |
|---|---|---|
| Filters | ||
| Account ID | The unique identifier assigned to the asset resource in the cloud service that hosts the asset on which a scan detected the finding. | |
| ARN | The Amazon Resource Name (ARN) for the asset on which a scan detected the finding. | |
| Asset ID | The UUID of the asset on which a scan detected the finding. This value is unique to Tenable Vulnerability Management. | |
| Benchmark | The benchmark associated with the finding. | |
| Cluster | The cluster associated with the finding. | |
| Created Time | The time and date when Tenable Vulnerability Management created the asset record on which a scan detected the finding. | |
| Criticality | The criticality of the vulnerability finding. | |
| Exists in Cloud | Indicates whether the affected cloud resource exists in a cloud environment. | |
| Exists in IAC | Indicates whether the affected asset was created via Infrastructure as Code (IaC). | |
| Finding ID |
The unique ID for the individual finding. Note: You can view the ID for a finding by accessing the Findings Details page for the findings and checking the page URL. The finding ID is the alpha-numeric text that appears in the path between details and asset. |
|
| First Seen |
The date when Tenable Vulnerability Management first scanned the affected asset. |
|
| Found in TF State |
Indicates whether or not the finding was discovered in a TF state. |
|
| First Seen |
The date when Tenable Vulnerability Management first scanned the affected asset. |
|
| IaC Resource Type | The Infrastructure as Code (IAC) resource type of the asset. | |
| IaC Type | The Infrastructure as Code (IAC) type of the asset. | |
| Ignored | Indicates whether Tenable Vulnerability Management ignored the policy violation when calculating the finding's severity. | |
| Immutable Drift | Indicates whether the asset has immutable drifts. For more information, see Set up Drift Analysis in the Legacy Tenable Cloud Security User Guide. | |
| Is Attribute | Specifies whether the asset is an attribute. | |
| Last Fixed | The date when the finding was last fixed. | |
| Last Scan Time | The date when a scan was last run against the finding. | |
| Last Seen |
The date when Tenable Vulnerability Management last scanned the affected asset. |
|
| Managed By | The name of the person, group, or company that manages the affected asset. | |
| Policy Category | The policy category associated with the finding. | |
| Policy ID | The unique ID for the cloud policy associated with the affected asset. | |
| Policy Name | The unique ID for the cloud policy associated with the affected asset. | |
| Policy Type | The unique ID for the cloud policy associated with the affected asset. | |
| Project | The project associated with the finding. | |
| Provider | The third-party provider associated with the finding. | |
| Region | The cloud region where the affected asset runs. | |
| Repositories | Any code repositories associated with the affected asset. | |
| Resource Category | The category of the asset resource in the cloud service that hosts the affected asset. | |
| Resource ID | The ID of the asset resource in the cloud service that hosts the affected asset. | |
| Resource Name | The name of the asset resource in the cloud service that hosts the affected asset. | |
| Resource Type | The type of the asset resource in the cloud service that hosts the affected asset. | |
| Result |
The outcome of the scan. Possible options are:
|
|
| Rule ID | The unique ID for the security rule for which the scanner found a violation. | |
| Rule Reference ID | The reference ID for the security rule for which the scanner found a violation. | |
| Severity |
The vulnerability's CVSS-based severity. For more information, see CVSS vs. VPR. This filter appears in the filters plane by default, with Critical, High, Medium, and Low selected. |
|
| Source Line | The source line associated with the finding. | |
| Updated Time |
The time and date when the asset record was last updated. |
|
| Version |
The version associated with the finding. |
|
| VPC |
The unique identifier of the public cloud that hosts the AWS virtual machine instance. For more information, see the Amazon Virtual Private Cloud Documentation. |
Host Audit Filters
| Option | Description |
|---|---|
| Filters | |
| Asset ID |
The UUID of the asset where a scan detected the finding. This value is unique to Tenable Vulnerability Management. |
| Asset Name |
The name of the asset on which the scanner performed an audit check. This value is unique to Tenable Vulnerability Management. |
| Asset Tags |
Asset tags, entered in pairs of category and value (for example Network: Headquarters). This includes the space after the colon (:). If there is a comma in the tag name, insert a backslash (\) before the comma. If your tag name includes double quotation marks (" "), use the UUID instead. You can add a maximum of 100 tags. For more information, see Tags. |
| Audit File | The name of Audit file the scanner used to perform the audit. Audit files are XML-based text files that contain the specific configuration, file permission, and access control tests to be performed. |
| Audit Check Name | The name Tenable assigned to the audit. In some cases, the compliance control may be listed as the prefix within the name. |
| Benchmark |
Benchmarks are published best practices released from source authorities, such as Center for Internet Security (CIS), United States Defense Information Systems Agency (DISA), and Microsoft. This filter provides a list of the supported benchmarks and the version of the benchmark. |
| Benchmark Specification Name | The benchmark name. |
| Benchmark Version |
The benchmark version.
Note: Use this filter with the Benchmark filter.
|
| Compliance Control |
There are a series of designations within the compliance frameworks that Tenable calls controls. For example: CSF:DE.CM-3, 800-53:AU-12c, STIG-ID:WN10-AU-000045, and so on. This is a text-based field to filter on the specific control(s).
Note: Use this filter in conjunction with the Compliance Framework filter.
|
| Compliance Family Name |
There are a series of designations within compliance frameworks that Tenable calls control. For example: ISO/IEC-27001:A.12.4.1, or CSF:DE.CM-1. This filter groups the controls into families for easier and more efficient queries. For example: A12 - Operations security or CSF:Detect.
Note: Use this filter in conjunction with the Compliance Framework filter.
|
| Compliance Framework | Tenable audits configuration compliance with a variety of standards including GDPR, ISO 27000, HIPAA, NIST 800-53, PCI DSS, and so on. This filter allows searching based on the respective framework. |
| Control ID | An ID that can correlate results with other results that meet a certain benchmark recommendation. You can use this filter to identify checks in the audit portal. |
| First Audited | Identifies the first date the audit check was performed on the asset. |
| FQDNs | The fully qualified domain names (FQDNs) for the asset. |
| IPv4 Address | The IPv4 address for the affected asset. You can add up to 256 IP addresses to this filter. |
| IPv6 Address | The IPv6 address for the affected asset. |
| Last Audited | Identifies the date of the most recent audit check performed on the asset. |
| Last Fixed | The date when the finding was last fixed. |
| Last Seen | The date when a scan last observed the finding. |
| Original Result | The result from the initial audit. |
| Plugin ID | The Nessus Plugin ID used to perform the audit check. |
| Plugin Name | The Nessus Plugin Name used to perform the audit check. |
| Plugin Name |
The name of the plugin that identified the audit finding. |
| Result | The current or modified result from the audit check. |
| Result Modified |
Rules can be created to accept or modify the results of an audit check. This filter allows you to report modified results. |
| Severity |
The vulnerability's CVSS-based severity. For more information, see CVSS vs. VPR. This filter appears in the filters plane by default, with Critical, High, Medium, and Low selected. |
| State |
The state of the vulnerability detected in the finding. Appears in the filters plane by default, with Active, Resurfaced, and New selected. For more information, see Vulnerability States. |
Web Application Vulnerabilities Filters
| Option | Description |
|---|---|
| Asset ID | The UUID of the asset where a scan detected the vulnerability. This value is unique to Tenable Vulnerability Management. |
| Asset Name |
The name of the asset where the scanner detected the vulnerability. This value is unique to Tenable Vulnerability Management. This filter appears on the filter plane by default. |
| Bugtraq ID | The Bugtraq ID for the plugin that identified the vulnerability. |
| CPE |
The Common Platform Enumeration (CPE) numbers for vulnerabilities that the plugin identifies. (200 value limit) |
| CVE |
The Common Vulnerability and Exposure (CVE) IDs for the vulnerabilities that the plugin identifies. (200 value limit) |
| CVSSv2 Base Score | The CVSSv2 base score (intrinsic and fundamental characteristics of a vulnerability that are constant over time and user environments). |
| CVSSv2 Vector |
The raw CVSSv2 metrics for the vulnerability. For more information, see CVSSv2 documentation. |
| CVSSv3 Base Score | The CVSSv3 base score (intrinsic and fundamental characteristics of a vulnerability that are constant over time and user environments). |
| CVSSv3 Vector | More CVSSv3 metrics for the vulnerability. |
| CWE | The Common Weakness Enumeration (CWE) for the vulnerability. |
| First Seen |
The date when a scan first found the vulnerability on an asset. |
| Input Name | The name of the specific web application component that the vulnerability exploits. |
| Input Type | The web application component type (for example, form, cookie, header) that the vulnerability exploits. |
| IPv4 Address | The IPv4 address for the affected asset. You can add up to 256 IP addresses to this filter. |
| Last Fixed | The date when the finding was last fixed. |
| Last Seen | The date when a scan last observed the finding. |
| Original Severity |
The vulnerability's CVSS-based severity when a scan first detected the finding. For more information, see CVSS vs. VPR. |
| OWASP 2010 | The Open Web Application Security Project (OWASP) 2010 category for the vulnerability targeted by the plugin. |
| OWASP 2013 |
The Open Web Application Security Project (OWASP) 2013 category for the vulnerability targeted by the plugin. |
| OWASP 2017 | The Open Web Application Security Project (OWASP) 2017 category for the vulnerability targeted by the plugin. |
| OWASP 2021 | The Open Web Application Security Project (OWASP) 2021 category for the vulnerability targeted by the plugin. |
| OWASP API 2019 |
The Open Web Application Security Project (OWASP) 2019 category for the API vulnerability targeted by the plugin. Possible options are:
|
| Plugin Description |
The description of the Tenable plugin that identified the vulnerability. |
| Plugin Family |
The family of the plugin that identified the vulnerability. (200 value limit) |
| Plugin ID |
The ID of the plugin that identified the vulnerability. (200 value limit) |
| Plugin Modification Date |
The date on which the plugin was last modified. |
| Plugin Name |
The name of the plugin that identified the audit finding. |
| Plugin Published |
The date on which the plugin that identified the vulnerability was published. |
| Risk Modified |
The risk modification applied to the vulnerability's severity. Possible options are:
For more information, see Recast/Accept Rules. |
| See Also | Links to external websites that contain helpful information about the vulnerability. |
| Severity |
The CVSS score-based severity. For more information, see CVSS Scores vs. VPR in the Tenable Vulnerability Management User Guide. This filter appears in the filters plane by default, with Critical, High, Medium, and Low selected. |
| Solution |
A brief summary of how you can remediate the vulnerability. |
| State |
The state of the vulnerability detected in the finding. Appears in the filters plane by default, with Active, Resurfaced, and New selected. For more information, see Vulnerability States. |
| Url |
The complete URL on which the scanner detected the vulnerability. This filter appears in the filters plane by default. |
| WASC |
The Web Application Security Consortium (WASC) category associated with the vulnerability targeted by the plugin. |