Triggered Agent Scans

When you configure a Tenable Nessus Agent scan in Tenable Vulnerability Management, Tenable Vulnerability Management offers two agent scan types: Scan Window and Triggered Scan.

For window scans, Tenable Vulnerability Management creates a timeframe (for example, the default is three hours) in which an agent group must report in order to be included in the scan results. You must schedule Tenable Vulnerability Management to launch window scan at a scheduled time, or you must manually launch the scan from the Tenable Vulnerability Management user interface (for example, if you schedule a three-hour agent window scan for every Monday, Tenable Vulnerability Management pulls data updates from the agent group for three hours every Monday).

Triggered scans differ from window agent scans in that the agent or agent group launches the scan without any Tenable Vulnerability Management or user intervention. Agents can launch triggered scans using three different methods:

  • Interval trigger — Configure agents to scan at a certain time interval (for example, every 12 hours or every 24 hours).

  • File Name trigger — Configure agents to scan whenever a file with a specific file name is added to the agent trigger directory. The trigger file disappears after the scan begins. The agent trigger directory location varies by operating system:

    Operating System Location
    Windows C:\ProgramData\Tenable\Nessus Agent\nessus\triggers
    macOS /Library/NessusAgent/run/var/nessus/triggers
    Linux /opt/nessus_agent/var/nessus/triggers
  • Nessuscli trigger — Launch an existing triggered scan manually by running the following command in the Tenable Nessus Agent nessuscli utility:

    # nessuscli scan-triggers --start --UUID=<scan-uuid>

You can also set multiple triggers for a single scan, and the scan searches for the triggers in their listed order (in other words, if the first trigger does not trigger the scan, it searches for the second trigger).

Note: Tenable Vulnerability Management ignores triggered agent scan data that is older than 14 days. This ensures that Tenable Vulnerability Management is not processing stale data from agents that have been offline for extended periods of time.

Triggered vs. Window Scans

Tenable recommends using triggered agent scans over window agent scans in many cases. Due to the scanning independence from Tenable Vulnerability Management or user intervention and the multiple trigger options, triggered scanning offers more flexibility to meet the needs of your workflow, especially if you have a mobile workforce in multiple time zones.

Triggered scans can provide more consistent coverage than window scans and help overcome connectivity issues between Tenable Vulnerability Management and linked agents. While window scans can create gaps in data coverage due to unresponsive or offline agents, triggered scans allow agents to scan and send data to Tenable Vulnerability Management whenever the triggers occur; Tenable Vulnerability Management accepts and processes data from triggered scans at any time.

Tenable recommends using scan windows if you need to export individual scan results, as you can only export triggered scan data by using the bulk vulnerability export API.

Find Triggered Scan Details

To view triggered scan results, see View Tenable Vulnerability Management Scan Details.

Note: For triggered scan histories, Tenable Vulnerability Management shows a scan history entry for each 12-hour window of the past 7 days. Tenable Vulnerability Management only retains up to 15 triggered scan histories at a time for each scan.

In addition to managing triggered scans from Tenable Vulnerability Management, you can view triggered scan details by running the following command in the Tenable Nessus Agent nessuscli utility:

# nessuscli scan-triggers --list

The --list command returns the agent's triggered scan details. These details include:

  • Scan name

  • Status (for example, uploaded)

  • Time of last activity (shown next to the status)

  • Scan description

  • Time of last policy modification

  • Time of last run

  • Scan trigger description

  • Scan configuration template

    For more information about the Tenable Nessus Agent nessuscli utility, see Nessuscli Agent in the Tenable Nessus User Guide.

You can also view your agent trigger information in the agent trigger directory:

Operating System Location
Windows C:\ProgramData\Tenable\Nessus Agent\nessus\triggers
macOS /Library/NessusAgent/run/var/nessus/triggers
Linux /opt/nessus_agent/var/nessus/triggers