Add Recast or Accept Rules in Findings
In Tenable Vulnerability Management, you can create rules for your vulnerability findings to customize how they present risk. While Recast rules change the severity of your findings, Accept rules accept their risk without modifying severity.
Tip: This topic describes how to create rules from the Findings workbench, but you can also create rules from the Tenable Vulnerability Management Settings. For more information, including examples on when to create rules, see Recast/Accept Rules.
Note: If a rule is targeted by IP address, that rule applies to the specified IP in each network in which it is found. For more information, see Networks.
Create a Recast Rule in Findings
To create a Recast rule from the Findings workbench:
-
In the upper-left corner, click the button.
The left navigation plane appears.
- In the left navigation plane and the Explore section, click Findings.
The Findings page appears with the Vulnerabilities tab active and your findings shown in a table view.
-
(Optional) Click Web Application Findings.
The Web Application Findings tab appears.
-
In the row for the finding to create a rule for, click the button.
A drop-down menu appears.
-
Click Recast.
The Add Rule plane appears.
-
In the Rule Information section, complete the following options:
- Vulnerability Plugin ID – Type the ID of the plugin to recast, if different than the one preselected. For example, 51192.
Note: If the plugin ID corresponds to a Tenable Nessus plugin, the Original Severity indicator changes to match the default severity of the vulnerability.
-
New Severity – Select the desired severity level for the vulnerability.
-
Targets – Select All to target all assets or Custom to specify targets that you want the rule to run against.
Note: If you set the Targets drop-down to All, a warning appears indicating that this option may override existing rules.
-
Target Hosts – Type one or more custom targets for the rule, if necessary. You can type a comma-separated list that includes any combination of IP addresses, IP ranges, CIDR, and hostnames.
Caution: You can only specify 1000 comma-separated custom entries. If you want to target a larger number of custom entries, create multiple rules.
-
(Optional) Expires – Select when you want the rule to expire.
-
(Optional) Comments – Type a description of the rule. This option is only visible when the rule is modified.
- Vulnerability Plugin ID – Type the ID of the plugin to recast, if different than the one preselected. For example, 51192.
-
Click Save.
Tenable Vulnerability Management starts applying the rule to existing findings. This process may take some time, depending on the system load and the number of matching findings. Tenable Vulnerability Management updates your dashboards, where a label appears to indicate how many instances of affected findings were recast.
Note: A recast rule does not affect the historical results of a scan.
Create an Accept Rule in Findings
To create an Accept rule from the Findings workbench:
-
In the upper-left corner, click the button.
The left navigation plane appears.
- In the left navigation plane and the Explore section, click Findings.
The Findings page appears with the Vulnerabilities tab active and your findings shown in a table view.
-
(Optional) Click Web Application Findings.
The Web Application Findings tab appears.
-
In the row for the finding to create a rule for, click the button.
A drop-down menu appears.
-
Click Recast.
The Add Recast Rule plane appears.
-
On the Add Recast Rule plane, in the Action section, click Accept.
-
In the Rule Information section, complete the following options:
- Vulnerability Plugin ID – Type the ID of the plugin to accept, if different than the one preselected. For example, 51192.
Note: If the plugin ID corresponds to a Tenable Nessus plugin, the Original Severity indicator changes to match the default severity of the vulnerability.
-
Targets – Select All to target all assets or Custom to specify targets that you want the rule to run against.
-
Target Hosts – Type one or more custom targets for the rule, if necessary. You can type a comma-separated list that includes any combination of IP addresses, IP ranges, CIDR, and hostnames.
Caution: You can only specify 1000 comma-separated custom entries. If you want to target a larger number of custom entries, create multiple rules.
-
(Optional) Expires – Select when you want the rule to expire.
-
(Optional) Comments – Type a description of the rule. This option is only visible when the rule is modified.
- Vulnerability Plugin ID – Type the ID of the plugin to accept, if different than the one preselected. For example, 51192.
-
(Optional) To report the vulnerability as a false positive:
- Enable the Report as false positive toggle.
A Message To Tenable box appears.
- In the Message to Tenable box, type a description of the false positive.
- Enable the Report as false positive toggle.
-
Click Save.
Tenable Vulnerability Management starts applying the rule to existing findings. This process may take some time, depending on the system load and the number of matching findings.