Findings Filters

(Requires Tenable One or Tenable Lumin license) The Tenable-defined Asset Criticality Rating (ACR) as an integer from 1 to 10.

(Requires Tenable One or Tenable Lumin license) The Tenable-defined Asset Exposure Score as an integer from 0 to 1000.

The name of the asset where a scan detected the vulnerability. This value is unique to Tenable Vulnerability Management. This filter is case-sensitive, but you can use the wildcard character to turn this off.

Asset tags, entered in pairs of category and value (for example Network: Headquarters). This includes the space after the colon (:). If there is a comma in the tag name, insert a backslash (\) before the comma. If your tag name includes double quotation marks (" "), use the UUID instead. You can add a maximum of 100 tags.

For more information, see Tags.

The date on which Cybersecurity and Infrastructure Security Agency (CISA) Known Exploitable Vulnerability (KEV) remediation is due, as per Binding Operational Directive 22-01. Searches by the earliest due date for KEVs associated with the plugin. For more information, see the Known Exploited Vulnerabilities Catalog.

A vulnerability's common name, for example Log4Shell. Not all vulnerabilities have a common name.

The Common Platform Enumeration (CPE) numbers for vulnerabilities that the plugin identifies.

(200 value limit)

The Common Vulnerability and Exposure (CVE) IDs for the vulnerabilities identified by the plugin and corresponding to a specific finding.

(200 value limit)

The Common Vulnerability and Exposure (CVE) IDs for the vulnerabilities on the product where the finding was identified.

The category of a vulnerability, as described in Vulnerability Categories.

A numeric value between 0.0 and 10.0 that represents the intrinsic characteristics of a vulnerability independent of any specific environment.

The raw CVSSv2 metrics for the vulnerability. For more information, see the CVSSv2 documentation on the FIRST website.

The attack complexity, which defines how difficult it is to use a vulnerability in an attack. Choose from High or Low.

The attack vector, which defines an attack's location. Choose from Adjacent, Network, Local, or Physical.

The affected asset's availability. Choose from High, Low, or None. For example, High means an asset is completely unavailable.

A numeric value between 0.0 and 10.0 that represents the intrinsic characteristics of a vulnerability independent of any specific environment.

The expected impact of the affected asset's information confidentiality loss. Choose from High, Low, or None. For example, an affected asset with High confidentiality may have a catastrophic adverse effect on your organization or customers.

The expected impact of the affected asset's data integrity loss. Choose from High, Low, or None.

The permission level attackers require to exploit the vulnerability. Choose from High, Low, or None. None means attackers need no permissions in your environment and can exploit the vulnerability while unauthorized.

If a vulnerability allows attackers to compromise resources beyond an affected asset's normal authorization privileges. Choose from Unchanged or Changed. Changed means the vulnerability increases the affected asset's privileges.

If a vulnerability requires other users (such as end users) for attackers to be able to use it. Choose from Required or None. None is more severe since it means no additional user interaction is required.

The conditions beyond the attacker's control that must exist to exploit the vulnerability.

The resources, access, or specialized conditions required for an attacker to exploit the vulnerability.

The context where vulnerability exploitation is possible, such as Network or Local.

A numeric value between 0.0 and 10.0 that represents the intrinsic characteristics of a vulnerability independent of any specific environment.

The level of privileges an attacker must possess to exploit the vulnerability.

The impact on the availability of systems that can be impacted after the vulnerable system is exploited.

The impact on the confidentiality of systems that can be impacted after the vulnerable system is exploited.

The impact on the integrity of systems that can be impacted after the vulnerable system is exploited.

The level of user involvement required for an attacker to exploit the vulnerability.

The impact on the availability of the vulnerable system when successfully exploited.

The impact on the confidentiality of the vulnerable system when successfully exploited.

The impact on the integrity of the vulnerable system when successfully exploited.

The percentage likelihood that a vulnerability will be exploited, based on the third-party Exploit Prediction Scoring System (EPSS). Type a number from

0 to 1 with up to five decimal places, for example, 0.505.

The exploit maturity based on sophistication and availability. This information is drawn from Tenable’s own research as well as key external sources. Choose from High, Functional, PoC, or Unproven.

The unique Tenable ID for the finding. To view the ID for a finding, click its details and check the page URL in your browser's address bar for an alphanumeric string between details and asset.

The date the vulnerability corresponding to a finding was first identified.

The date a vulnerability was first known to be exploited.

The date a vulnerability's first proof of concept was found.

The date when a scan first found the vulnerability on an asset.

If a fix is available for the corresponding vulnerability. Choose from Yes or No.

The last time a previously detected vulnerability was scanned and noted as no longer present on an asset.

The date when a scan last found the vulnerability on an asset.

The name of the network object associated with scanners that identified the asset. The default name is Default. For more information, see Networks.

The vulnerability's CVSS-based severity when a scan first detected the finding. For more information, see CVSS vs. VPR.

The date on which the vendor published a patch for the vulnerability.

The description of the Tenable plugin that identified the vulnerability.

The family of the plugin that identified the vulnerability.

(200 value limit)

The ID of the plugin that identified the vulnerability.

(200 value limit)

The date at which the plugin that identified the vulnerability was last modified.

The name of the plugin that identified the vulnerability.

Use this filter to return findings with plugin output you specify. Search for plugin output that contains a value or does not contain it, as described in Use Filters. If your search is too broad, the system suggests adding Plugin ID and Last Seen to refine the results and then displays the top ten plugins from that search.

For example, to search for output that contains “Kernel,” in Advanced mode, type:

Plugin Output contains Kernel

Plugin Output search best practices...

Since plugin outputs can be large, broad searches may cause system timeouts! For the best results, combine the Plugin Output filter with the Plugin ID and Last Seen filters. Limit the number of plugin IDs you search at once.

Specify plugin ID(s) to search for plugins or exclude them. These approaches apply to different use cases. For example, include plugins when searching for software listings by operating system. Exclude plugins from exploratory searches where the top plugins appear too frequently.

• Search for output from one plugin:

  Plugin Output contains Kernel AND Plugin ID is equal to 110483

• Search for output from multiple plugins:

  Plugin Output contains Chrome AND Plugin ID is equal to 45590, 10456

• Search for output from any plugin but the ones listed:

  Plugin Output contains Chrome AND Plugin ID is not equal to 45590, 10456

The date on which the plugin that identified the vulnerability was published.

The general type of plugin check. Possible options are Local, Remote, and Local & Remote.

If a vulnerability currently has a Tenable plugin that detects it. Choose from Yes or No.

(200 value limit)

The risk modification applied to the vulnerability's severity. Possible options are Recasted, Accepted, and None. To learn more, see Recast Rules.

The scanner that detected the finding.

Links to external websites that contain helpful information about the vulnerability.

The vulnerability's CVSS-based severity. For more information, see CVSS vs. VPR.

A brief summary of how you can remediate the vulnerability.

The source of the scan that identified the asset. Possible values include Agent for Tenable Agent, Nessus for Tenable Nessus, PVS/NNM for Tenable Network Monitor, and WAS for Tenable Web App Scanning.

The state of the vulnerability detected in the finding. Appears in the filters plane by default, with Active, Resurfaced, and New selected. For more information, see Vulnerability States.

How long it took your organization to fix a vulnerability identified on a scan, in hours or days. Only appears for Fixed vulnerabilities. Use this filter along with the State filter set to Fixed for more accurate results. When exported, this field is shown in milliseconds.

The Vulnerability Priority Rating Tenable calculated for the vulnerability.

A vulnerability's Tenable-calculated threat intensity based on the number and frequency of threat events. Choose from Very Low, Low, Medium, High, or Very High.

The date when the vulnerability definition was first published (for example, the date that the CVE was published).

If a vulnerability is judged to be ready for use in a cyberattack. Choose from Advanced Persistent Threat, Botnet, Malware, Ransomware, or Rootkit.