Create Recast Rules from the Findings Page

On the Findings page, you can create rules which change the status of Vulnerabilities or Host Audits or hide them. You can also create rules from Settings > Recast, as described in Create Recast Rules from Settings.

Tip: To learn more about when to create rules and how to manage them, see Recast Rules.

Here, you can create the following rule types:

Rule | Description
Recast | In the Vulnerabilities tab, modify the severity of vulnerability findings based on their Plugin ID.
Accept (for host vulnerabilities) | In the Vulnerabilities tab, accept the risk of vulnerability findings and hide them from the Findings workbench.
Change Result | In the Host Audits tab, modify the Result of host audit findings, for example by changing Failed results to Passed.
Accept (for host audits) | In the Host Audits tab, accept the Result of host audit findings and hide them from the Findings workbench.

Add a Recast or Accept Rule

To add a Recast or Accept rule from the Findings page:

  1. In the left navigation, click Explore (Preview) > Findings.

    The Findings page appears.

  2. In the table, in the row for the finding for which you want to create a rule, click the button.

    A menu appears.

  3. Click Recast.

    The Add Recast Rule window appears.

  4. Configure the following options:

    Option | Description
    Action | Click Accept or Recast. To learn about these rule types, see About Recast and Accept Rules.
    Description | Optionally, type a brief description of the rule.
    Vulnerability Plugin ID | Type the Tenable Plugin ID for the vulnerability, for example 70658.
    New Severity | (Recast rules only) Select the severity you want to change the corresponding vulnerability to, for example Low. For more information, see Vulnerability Severity Indicators.
    Targets | Select All or Custom. If the rule will override other rules, a warning appears. The most recently created rule trumps other rules.
    Target Hosts | For Custom targets, enter up to 1000 comma-separated IPv4 addresses or ranges, hostnames, Classless Inter-Domain Routing (CIDR) notations, or fully qualified domain names (FQDNs). Caution: If you target findings by IP address and have multiple networks, the rule matches findings on all your networks. For more information, see Networks.
    Expires | Select After or Exact Date. Then, type a number of days or a date when the rule will expire.
    Comments | Type comments to provide rule details.
    Report as False Positive to Tenable | (Optional) (Accept rules only) Turn on this toggle when a plugin generates inaccurate findings and you want Tenable to review the results.
  5. Click Save.

    The system processes the rule, which may take time. When complete, the Findings page updates and the rule appears in Settings > Recast.

    Tip: For more information about Recast in Settings, see Recast Rules.

Add a Change Result or Accept Rule

Note: For best performance, the system supports a maximum of 5000 Change Result and Accept rules in each container, total.

To add a Change Result or Accept rule:

  1. In the left navigation, click Explore (Preview) > Findings.

    The Findings page appears.

  2. In the left navigation, click Host Audits.

  3. In the table, in the row for the finding for which you want to create a rule, click the button.

    A menu appears.

  4. Click Add Recast Rule.

    The Add Change Result Rule window appears.

  5. Configure the following options:

    Option | Description
    Action | Click Accept or Change Result. To learn about these rule types, see About Change Result and Accept Rules.
    Category | Select a category for the new rule, for example, Windows.
    Audit File | Select an audit file to run against your assets, for example, CIS_MS_Windows_11_Enterprise_Level_1_v1.0.0.audit.
    Audit Name | Type an audit name, for example, 9.3.1 Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'.
    Original Result | Select the original result of the host audit, for example, Failed.
    New Result | (Change Result rules only) Select the result to change the targeted findings to.
    Targets | (Optional) Select Custom. If the rule will override other rules, a warning appears. The most recently created rule trumps other rules.
    Target Hosts | For Custom targets, type a comma-separated list of IPv4 addresses or ranges, hostnames, Classless Inter-Domain Routing (CIDR) notation, or fully qualified domain names (FQDNs). The system supports up to 100 items.
    Expires | (Optional) Select After or Exact Date. Then, type a number of days or a date when the rule will expire.
    Comments | Type comments to provide rule details.
  6. Click Save.

    The system processes the rule, which may take time. When complete, the Findings page updates and the rule appears in Settings > Recast.
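
Added example (not Tenable code): a pre-flight check for the Target Hosts field in both procedures above, enforcing the 1000-item and 100-item limits and repeating the multi-network caution for IP-based targets. The function names, the start-end range syntax, the hostname label pattern, and the /16 wide-CIDR threshold are assumptions, not documented product behavior.

```python
import ipaddress
import re

# Item limits this page states for the Target Hosts field.
LIMITS = {"vulnerability": 1000, "host_audit": 100}
# Assumption: CIDRs wider than this prefix length deserve a second look.
WIDE_PREFIX = 16
# Assumption: name labels are letters, digits and inner hyphens only.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def classify(item):
    """Return 'cidr', 'range', 'ipv4', 'fqdn' or 'hostname'; raise ValueError otherwise."""
    try:
        if "/" in item:
            ipaddress.IPv4Network(item, strict=False)
            return "cidr"
        if "-" in item:  # assumption: ranges are written start-end
            first, last = (ipaddress.IPv4Address(p.strip()) for p in item.split("-", 1))
            if first <= last:
                return "range"
        else:
            ipaddress.IPv4Address(item)
            return "ipv4"
    except ValueError:
        pass  # not an IP form; fall through to the name check
    labels = item.rstrip(".").split(".")
    # A numeric last label means a malformed address, not a name.
    if all(LABEL.match(l) for l in labels) and not labels[-1].isdigit():
        return "fqdn" if len(labels) > 1 else "hostname"
    raise ValueError(f"invalid target: {item!r}")

def prepare_targets(raw, rule_kind):
    """Validate a Target Hosts string; return (deduplicated items, warnings)."""
    items, seen, warnings, ip_based = [], set(), [], False
    for item in (part.strip() for part in raw.split(",")):
        if not item or item.lower() in seen:
            continue
        seen.add(item.lower())
        kind = classify(item)
        ip_based = ip_based or kind in ("cidr", "range", "ipv4")
        if kind == "cidr" and ipaddress.IPv4Network(item, strict=False).prefixlen < WIDE_PREFIX:
            warnings.append(f"{item} is a wide CIDR; confirm the rule scope")
        items.append(item)
    if len(items) > LIMITS[rule_kind]:
        raise ValueError(f"{len(items)} items exceeds the limit of {LIMITS[rule_kind]}")
    if ip_based:
        warnings.append("IP-based targets match findings on all your networks")
    return items, warnings

if __name__ == "__main__":
    # Constructed sample input using documentation address ranges.
    print(prepare_targets("192.0.2.10, 198.51.100.0/24, web01, db.example.com", "host_audit"))
```

Pass "vulnerability" or "host_audit" as rule_kind to select the limit for the matching procedure.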