Findings Filters

(Requires Tenable One or Tenable Lumin license) The Tenable-defined Asset Criticality Rating (ACR) as an integer from 1 to 10.

(Requires Tenable One or Tenable Lumin license) The Tenable-defined Asset Exposure Score as an integer from 0 to 1000.

The name of the asset where a scan detected the vulnerability. This value is unique to Tenable Vulnerability Management. This filter is case-sensitive, but you can use the wildcard character to turn this off.

The date on which Cybersecurity and Infrastructure Security Agency (CISA) Known Exploitable Vulnerability (KEV) remediation is due, as per Binding Operational Directive 22-01. Searches by the earliest due date for KEVs associated with the plugin. For more information, see the Known Exploited Vulnerabilities Catalog.

A vulnerability's common name, for example Log4Shell. Not all vulnerabilities have a common name.

An ID for correlating results with other results that meet a certain benchmark recommendation. You can use this filter to identify checks in the audit portal.

The Common Platform Enumeration (CPE) numbers for vulnerabilities that the plugin identifies.

(200 value limit)

The Common Vulnerability and Exposure (CVE) IDs for the vulnerabilities identified by the plugin and corresponding to a specific finding.

(200 value limit)

The Common Vulnerability and Exposure (CVE) IDs for the vulnerabilities on the product where the finding was identified.

The category of a vulnerability, as described in Vulnerability Categories.

A numeric value between 0.0 and 10.0 that represents the intrinsic characteristics of a vulnerability independent of any specific environment.

The raw CVSSv2 metrics for the vulnerability. For more information, see the CVSSv2 documentation on the FIRST website.

The attack complexity, which defines how difficult it is to use a vulnerability in an attack. Options are High or Low.

The attack vector, which defines an attack's location. Options are Adjacent, Network, Local, or Physical.

Quantifies the impact on the availability of the affected asset. Options are High (the asset is completely unavailable), Low (some reduced performance or interruption in availability), or None (no impact on the availability of the asset).

A numeric value between 0.0 and 10.0 that represents the intrinsic characteristics of a vulnerability independent of any specific environment.

The expected impact of the affected asset's information confidentiality loss. Options are High, Low, or None. For example, an affected asset with High confidentiality may have a catastrophic adverse effect on your organization or customers.

The expected impact of the affected asset's data integrity loss. Options are High, Low, or None.

The permission level attackers require to exploit the vulnerability. Options are High, Low, or None. For example, None means attackers need no permissions in your environment and can exploit the vulnerability while unauthorized.

If a vulnerability allows attackers to compromise resources beyond an affected asset's normal authorization privileges. Options are Unchanged or Changed. For example, Changed means the vulnerability increases the affected asset's privileges.

If a vulnerability requires other users (such as end users) for attackers to be able to use it. Options are Required or None. None is more severe since it means no additional user interaction is required.

The conditions beyond the attacker's control that must exist to exploit the vulnerability.

The resources, access, or specialized conditions required for an attacker to exploit the vulnerability.

The context where vulnerability exploitation is possible, such as Network or Local.

A numeric value between 0.0 and 10.0 that represents the intrinsic characteristics of a vulnerability independent of any specific environment.

The level of privileges an attacker must possess to exploit the vulnerability.

The impact on the availability of systems that can be impacted after the vulnerable system is exploited.

The impact on the confidentiality of systems that can be impacted after the vulnerable system is exploited.

The impact on the integrity of systems that can be impacted after the vulnerable system is exploited.

The level of user involvement required for an attacker to exploit the vulnerability.

The impact on the availability of the vulnerable system when successfully exploited.

The impact on the confidentiality of the vulnerable system when successfully exploited.

The impact on the integrity of the vulnerable system when successfully exploited.

The percentage likelihood that a vulnerability will be exploited, based on the third-party Exploit Prediction Scoring System (EPSS). Type a number from

0 to 100 with up to three decimal places, for example, 75.599.

The exploit maturity based on sophistication and availability. This information is drawn from Tenable’s own research as well as key external sources. Options are High, Functional, PoC, or Unproven.

The unique Tenable ID for the finding. To view the ID for a finding, click its details and check the page URL in your browser's address bar for an alphanumeric string between details and asset.

The date the vulnerability corresponding to a finding was first identified.

The date a vulnerability was first known to be exploited.

The date a vulnerability's first proof of concept was found.

The date when a scan first found the vulnerability on an asset.

If a fix is available for the corresponding vulnerability. Options are Yes or No.

The time and date that a credentialed scan was last performed on the asset.

The last time a previously detected vulnerability was scanned and noted as no longer present on an asset.

The date when a scan last found the vulnerability on an asset.

The name of the network object associated with scanners that identified the asset. The default name is Default. For more information, see Networks.

The vulnerability's CVSS-based severity when a scan first detected the finding. For more information, see CVSS vs. VPR.

The date on which the vendor published a patch for the vulnerability.

The description of the Tenable plugin that identified the vulnerability.

The family of the plugin that identified the vulnerability.

(200 value limit)

The ID of the plugin that identified the vulnerability.

(200 value limit)

The date at which the plugin that identified the vulnerability was last updated.

The name of the plugin that identified the vulnerability.

Use this filter to return findings with plugin output that you specify. Search for a value in the plugin output using the contains or does not contain operator, as described in Use Filters.

Caution: Due to technical constraints in how the underlying system processes large data in JSON format, only the first 20,000,000 characters of raw plugin data are available when searching plugin output.

If your search is too broad, the system suggests adding Plugin ID and Last Seen to refine the results and then displays the top ten plugins from that search.

For example, to search for output that contains “Kernel,” in Advanced mode, type:

Plugin Output contains Kernel

Plugin Output search best practices...

Since plugin outputs can be large, broad searches may cause system timeouts! For the best results, combine the Plugin Output filter with the Plugin ID and Last Seen filters. Limit the number of plugin IDs you search at once.

Specify plugin ID(s) to search for plugins or exclude them. These approaches apply to different use cases. For example, include plugins when searching for software listings by operating system. Exclude plugins from exploratory searches where the top plugins appear too frequently.

• Search for output from one plugin:

  Plugin Output contains Kernel AND Plugin ID is equal to 110483

• Search for output from multiple plugins:

  Plugin Output contains Chrome AND Plugin ID is equal to 45590, 10456

• Search for output from any plugin but the ones listed:

  Plugin Output contains Chrome AND Plugin ID is not equal to 45590, 10456

The date on which the plugin that identified the vulnerability was published.

The general type of plugin check. Options are Local, Remote, Local & Remote, Summary, Settings, Reputation, and/or Third Party.

If a vulnerability currently has a Tenable plugin that detects it. Options are Yes or No.

(200 value limit)

The risk modification applied to the vulnerability's severity. Options are Recast, Accepted, and None. To learn more, see Recast Rules.

The scanner that detected the finding.

Links to external websites that contain helpful information about the vulnerability.

The vulnerability's CVSS-based severity. For more information, see CVSS vs. VPR.

A brief summary of how you can remediate the vulnerability.

The source of the scan that identified the asset. Possible values include Agent for Tenable Agent, Nessus for Tenable Nessus, PVS/NNM for Tenable Network Monitor, and WAS for Tenable Web App Scanning.

The state of the vulnerability detected in the finding. Options are Fixed, Resurfaced, Active, New. Appears in the vulnerability findings query builder by default, with Active, Resurfaced and New selected. For more information, see Vulnerability States.

Asset tags, entered in pairs of category and value (for example Network: Headquarters). This includes the space after the colon (:). If there is a comma in the tag name, insert a backslash (\) before the comma. If your tag name includes double quotation marks (" "), use the UUID instead. You can add a maximum of 100 tags.

For more information, see Tags.

How long it took your organization to fix a vulnerability identified on a scan in days. Only appears for Fixed vulnerabilities. Use this filter along with the State filter set to Fixed for more accurate results. When exported, this field is shown in milliseconds.

The Vulnerability Priority Rating that Tenable calculated for the vulnerability.

Filter on a specific CVE ID for the CVE that is a primary contributor to the calculated VPR (Beta) score for a vulnerability.

Allows filtering on CVEs that are part of an exploit chain.

Filter on current availability and maturity of exploit code. Options are High, Functional, POC, and Unproven.

Filter on the probability of exploitation produced by the VPR (Beta) threat model for the CVE.

Allows filtering on the volume of news reporting on the CVE within the last 30 days. Options are Very Low, Low, Medium, High, Very High.

Allows filtering on the recency of news sources reporting on the CVE. Options are No Recorded Events, 60 to 180 days, 30 to 60 days, 14 to 30 days, 7 to 14 days, 0 to 7 days.

Filter on categories of news sources that have referenced the CVE within the last 30 days. Select from one or more of Academic and Research Institutions, Blogs and Individual Researchers, Code Repositories, Cybersecurity News Media, Cybersecurity Vendors, Forums and Community Platforms, Government and Regulatory, Mainstream News and Media, Security Research, Technology Companies, Tools and Resources, Other.

Filter on the volume of observed malware exploiting the CVE within the last 30 days. Options are Very Low, Low, Medium, High, Very High.

Filter on the recency of observed malware exploiting the CVE. Options are No Recorded Events, 60 to 180 days, 30 to 60 days, 14 to 30 days, 7 to 14 days, 0 to 7 days.

Filter on whether the CVE is listed on the CISA Known Exploited Vulnerabilities list. Options are Yes, No.

Allows filtering on specific industries where attacks leveraging the CVE have been observed. Sample options include Banking, Technology, Government.

Allows filtering on specific geographic regions where attacks leveraging the CVE have been observed.

Filter on the VPR (Beta) score percentile ranking of the CVE, indicating its position relative to other vulnerabilities.

Filter on the VPR (Beta) severity categorization of the CVE. Options are Critical, High, Medium, Low, Info.

The numerical VPR (Beta) score itself. Allows filtering by specific ranges or values of the updated vulnerability priority rating.

A vulnerability's Tenable-calculated threat intensity based on the number and frequency of threat events. Options are Very Low, Low, Medium, High, or Very High.

The date when the vulnerability definition was first published (for example, the date that the CVE was published).

If a vulnerability is judged to be ready for use in a cyberattack. Options are Advanced Persistent Threat, Botnet, Malware, Ransomware, or Rootkit.