Basic Settings in Tenable Vulnerability Management Scans
Note: This topic describes Basic settings you can set in individual scans. For Basic settings in user-defined templates, see Basic Settings in User-Defined Templates.
You can use Basic settings to specify organizational and security-related aspects of a scan configuration. This includes specifying the name of the scan, its targets, whether the scan is scheduled, and who has access to the scan.
Note: To learn more about scan limitations in Tenable Vulnerability Management, see Scan Limitations.
The Basic settings include the following sections:
The general settings for a scan.
Setting | Default Value | Description |
---|---|---|
Name | None | Specifies the name of the scan. |
Description | None | (Optional) Specifies a description of the scan. |
Scan Results | Show in dashboard | Specifies whether the results of the scan should appear in workbenches, dashboards, and reports, or be kept private. When set to Keep private, the scan results' Last Seen dates do not update and you must access the scan directly to view the results. Private scan results do not show new Active findings in the workbenches, dashboards, and reports, and they do not transition the vulnerability states of previously discovered findings to Fixed or Resurfaced. Note: Show in dashboard is always enabled for triggered scans. |
Folder | My Scans | Specifies the folder where the scan appears after being saved. You cannot specify a folder when you launch a remediation scan. All remediation scans appear in the Remediation Scans folder only. |
Agent Groups | None | (Tenable Nessus Agent templates only) Specifies the agent group or groups you want the scan to target. In the drop-down box, select an existing agent group, or create a new agent group. |
Scanner Type | Internal Scanner | Specifies whether a local, internal scanner or a cloud-managed scanner performs the scan, and determines whether the Scanner field lists local or cloud-managed scanners to choose from. |
Scanner | Auto-Select | Specifies the scanner that performs the scan. Select a scanner based on the location of the targets you want to scan. For example: |
Network | Default | Select the network of scanners and assets that you want to scan with. Unless your organization has created and uses custom networks for specific business needs (for example, scanning different sub-organizations, differentiating between external and internal asset scanning, or differentiating between ephemeral and static asset scanning), Tenable recommends using the Default network, which all scanners and scanner groups are assigned to by default. For more information about networks, see Networks. |
Tags | None | Select one or more tags to scan all assets that have any of the specified tags applied. To see a list of assets identified by the specified tags, click View Assets. |
IP Selection | Internal | (Required) Select whether to run a tag-based scan on Internal or External IP addresses. Note: You can use your organization's non-cloud scanners to scan both Internal and External targets. Cloud scanners can only be used to scan External targets. Tip: If you need to scan both External and Internal targets with the same tag or tags, create two different scan configurations; one scan that targets External IPs, and one scan that targets Internal IPs. Tenable Vulnerability Management evaluates the identifiers to determine a single target in the following order: Note: Scan routing is available for linked scanners only. |
Use Tag Rules as Targets | Existing tagged assets only | (Required) Specifies whether Tenable Vulnerability Management scans tagged assets only, or any assets to which the selected tags' rules apply. For example, you create a scan policy that scans for a tag with a tag rule that specifies a certain IPv4 range. The example tag name is My IPv4s. For more information about tags and tag rules, see Tags and Tag Rules. |
Scan Window | Disabled | (Tenable Nessus Scanner templates only) Specifies the timeframe after which the scan automatically stops. Use the drop-down box to select an interval of time, or click to type a custom scan window. Note: The scan window timeframe only applies to the scan job. After the scan job completes within the timeframe, or once the scan job stops due to the scan window ending, Tenable Vulnerability Management may still need to index the scan job. This can cause the scan not to show as Completed after the scan window is complete. Once Tenable Vulnerability Management indexes the scan, it shows as Completed. |
Scan Type | Scan Window | (Tenable Nessus Agent templates only) (Required) Specifies whether the agent scans occur based on a scan window or triggers: |
Info-level Reporting | Triggered agent scans — After 10 scans. Scan Window agent scans — After 10 days. Note: Tenable highly recommends using the default values. Only lower the value if doing so is necessary for your organization. | (Tenable Nessus Agent vulnerability templates only) (Required) Specifies how often the agent scan should report unchanged Info-severity vulnerability findings. To learn more about this setting, see Info-level Reporting. You can configure the agent scan to report all severity findings by launching a new baseline scan after one of the following intervals: |
Target Groups | None | You can select or add a new target group to which the scan applies. Assets in the target group are used as scan targets. Note: Tenable plans to deprecate target groups in the near future. Currently, you can still create and manage target groups. However, Tenable recommends that you instead use tags to group and scan assets on your Tenable Vulnerability Management instance. |
Targets | None | Specifies one or more targets to be scanned. If you select a target group or upload a target file, you are not required to specify additional targets. Targets can be specified using The targets you specify must be appropriate to the scanner you select for the scan. For example, cloud scanners cannot scan non-routable IP addresses. Select an internal scanner instead. Tip: You can force Tenable Vulnerability Management to use a given hostname for a server during a scan by using the Note: You cannot apply more than 300,000 IP address targets to a scan. To learn more about scan limitations in Tenable Vulnerability Management, see Scan Limitations. Note: See Permissions for more information on how permissions affect targets. |
Upload Targets | None | Uploads a text file that specifies the targets. The targets file must be formatted in the following manner: Note: Unicode/UTF-8 encoding is not supported. |
Policy | None | This setting appears only when the scan owner edits an existing scan that is based on a user-defined scan template. Note: After scan creation, you cannot change the Tenable-provided scan template on which a scan is based. In the drop-down box, select a user-defined scan template on which to base the scan. You can select user-defined scan templates for which you have Can View or higher permissions. In most cases, you set the user-defined scan template at scan creation, then keep the same template each time you run the scan. However, you may want to change the user-defined scan template when troubleshooting or debugging a scan. For example, changing the template makes it easy to enable or disable different plugin families, change performance settings, or apply dedicated debugging templates with more verbose logging. When you change the user-defined scan template for a scan, the scan history retains the results of scans run under the previously assigned template. |
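A pre-flight check for the Targets and Upload Targets constraints in the table above (the 300,000 IP address limit, cloud scanners and non-routable addresses, no Unicode in target files), as an added example that is not Tenable code. The entry format (comma- or newline-separated IPs, CIDR blocks and hostnames), the `check_targets` name and the `"internal"`/`"cloud"` labels are assumptions, and Python's `is_private` stands in for "non-routable".

```python
import ipaddress

MAX_IP_TARGETS = 300_000  # per-scan IP address limit stated on this page

# Constructed sample input, not real scan targets.
SAMPLE = "10.0.0.0/24, 192.168.1.5\nwww.example.com"


def check_targets(text, scanner_type="internal"):
    """Return (ip_count, problems) for a targets list.

    Assumed format (not taken from the page): entries separated by commas
    or newlines, each a single IP, a CIDR block, or a hostname. Anything
    that does not parse as an IP or CIDR block is treated as a hostname.
    scanner_type is "internal" or "cloud" (hypothetical labels).
    """
    problems = []
    ip_count = 0
    if not text.isascii():
        # The page states Unicode/UTF-8 encoding is not supported.
        problems.append("non-ASCII characters in targets")
    for raw in text.replace("\n", ",").split(","):
        entry = raw.strip()
        if not entry:
            continue
        try:
            # strict=False accepts host bits, e.g. 10.0.0.5/24
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # hostname: not counted toward the IP limit here
        ip_count += net.num_addresses
        # is_private is used as an approximation of "non-routable"
        if scanner_type == "cloud" and net.is_private:
            problems.append(f"{entry}: non-routable, needs an internal scanner")
    if ip_count > MAX_IP_TARGETS:
        problems.append(f"{ip_count} IP targets exceeds {MAX_IP_TARGETS}")
    return ip_count, problems


if __name__ == "__main__":
    for kind in ("internal", "cloud"):
        print(kind, check_targets(SAMPLE, kind))
```
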
By default, scans are not scheduled. When you first access the Schedule section, the Enable Schedule setting appears, set to Off. To modify the settings listed on the following table, click the Off button. The rest of the settings appear.
Note: Scheduled scans do not run if they are in the scan owner's Trash folder.
Setting | Default Value | Description |
---|---|---|
Frequency | Once | Specifies how often the scan is launched. |
Starts | Varies | Specifies the exact date and time when a scan launches. The starting date defaults to the date when you are creating the scan. The starting time is the nearest half-hour interval. For example, if you create your scan on 09/08/2023 at 9:16 AM, the default starting date and time is set to 09/08/2023 and 09:30. |
Timezone | | Specifies the timezone of the value set for Starts. |
Repeat Every | Varies | Specifies the interval at which a scan is relaunched. The default value of this item varies based on the frequency you choose. |
Repeat On | Varies | Specifies what day of the week a scan repeats. This item appears only if you specify Weekly for Frequency. The value for Repeat On defaults to the day of the week on which you create the scan. |
Repeat By | Day of the Month | Specifies when a monthly scan is relaunched. This item appears only if you specify Monthly for Frequency. |
Summary | N/A | Provides a summary of the schedule for your scan based on the values you have specified for the available settings. |
The notification settings for a scan.
Setting | Default Value | Description |
---|---|---|
Email Recipient(s) | None | Specifies zero or more email addresses (separated by commas) that are alerted when a scan completes and the results are available. |
Result Filters | None | Defines the type of information to be emailed. |
You can share the scan with other users by setting permissions for users or groups. When you assign a permission to a group, that permission applies to all users within the group.
Tip: Tenable recommends assigning permissions to user groups, rather than individual users, to minimize maintenance as individual users leave or join your organization.
Permission | Description |
---|---|
No Access | (Default user only) Groups and users set to this permission cannot interact with the scan in any way. |
Can View | Groups and users with this permission can view the results of the scan, export the scan results, and move the scan to the Trash folder. They cannot view the scan configuration or permanently delete the scan. |
Can Execute | In addition to the tasks allowed by Can View, groups and users with this permission can launch, pause, and stop a scan. They cannot view the scan configuration or permanently delete the scan. Note: In addition to Can Execute permissions for the scan, users running a scan must have Can Scan permissions in an access group for the specified target, or the scanner does not scan the target. |
Can Edit | In addition to the tasks allowed by Can Execute, groups and users with this permission can view the scan configuration and modify any setting. They cannot change the scan's ownership (only the scan owner can change scan ownership) or permanently delete the scan. Note: User roles override scan permissions in the following cases: |