Create Recast Rules from Findings

On the Findings workbench in Vulnerabilities or Host Audits, you can create rules to change the status of findings or hide them. You can also create rules from Settings > Recast, as described in Create Recast Rules from Settings.

Tip: To learn more about when to create rules and how to manage them, see Recast Rules.

Create a Recast or Accept Rule

To create a Recast or Accept rule:

In the left navigation, click Findings.

The Findings workbench appears.
Click the Vulnerabilities tab.

A table of results containing your host vulnerabilities appears.
In the Actions column for the finding to target, click .

A drop-down appears.

In the drop-down, click Recast.

A plane of options appears. Set these options as follows:

Option	Description
Action	Click Accept or Recast. To learn about these rule types, see About Recast and Accept Rules.
Vulnerability Plugin ID	Type the Tenable Plugin ID for the vulnerability, for example 70658.
New Severity	(Recast rules only) Select the severity you want to change the corresponding vulnerability to, for example Low.
Targets	Select All or Custom. If the rule will override other rules, a warning appears. The most recently created rule trumps other rules.
Target Hosts	For Custom targets, enter up to 1000 comma-separated IPv4 addresses or ranges, hostnames, Classless Inter-Domain Routing (CIDR) notations, or fully qualified domain names (FQDNs). Caution: If you target findings by IP address and have multiple networks, the rule matches findings on all your networks. For more information, see Networks.
Expires	Select After or Exact Date. Then, type a number of days or a date when the rule will expire.
Comments	Type comments to provide rule details.
Report as False Positive to Tenable	(Optional) (Accept rules only) Turn on this toggle when a plugin generates inaccurate findings and you want Tenable to review the results.

Click Save.

The system processes the rule, which may take time if many findings are targeted. When complete, the the Findings workbench is updated and the rule appears in Settings > Recast.

Create a Change Result or Accept Rule

Caution: For best performance, the system supports a maximum of 5000 Change Result and Accept rules in each container, total.

To create a Change Result or Accept rule:

In the left navigation, click Findings.

The Findings workbench appears.
Click the Host Audits tab.

A table of results containing your host audit findings appears.
In the Actions column for the finding to target, click .

A drop-down appears.

Click Add Recast Rule.

A plane of options appears. Set these options as follows:

Option	Description
Action	Click Accept or Change Result. To learn about these rule types, see About Change Result and Accept Rules.
Category	Select a category for the new rule, for example, Windows.
Audit File	Select an audit file to run against your assets, for example, CIS_MS_Windows_11_Enterprise_Level_1_v1.0.0.audit.
Audit Name	Type an audit name, for example, 9.3.1 Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'.
Original Result	Select the original result of the host audit, for example, Failed.
New Result	(Change Result rules only) Select the result to change the targeted findings to.
Targets	(Optional) Select Custom. If the rule will override other rules, a warning appears. The most recently created rule trumps other rules.
Target Hosts	For Custom targets, type a comma-separated list of IPv4 addresses or ranges, hostnames, Classless Inter-Domain Routing (CIDR) notation, or fully qualified domain names (FQDNs). The system supports up to 100 items.
Expires	(Optional) Select After or Exact Date. Then, type a number of days or a date when the rule will expire.
Comments	Type comments to provide rule details.

Click Save.

The system processes the rule, which may take time if many findings are targeted. When complete, the the Findings workbench is updated and the rule appears in Settings > Recast.