Manage Scanner Groups

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

Use the following procedures to manage your scanner groups. For general information about scanner groups, see Scanner Groups.

Create a Scanner Group

To create a scanner group:

  1. In the left navigation, click Sensors.

    The Sensors page appears. By default, the Nessus Scanners tab is active and Linked Scanners is selected in the drop-down box.

  2. In the drop-down box, select Scanner Groups.

    The list of existing scanner groups you have permission to use or manage appears.

  3. Click Add Scanner Group.

    The Add Scanner Group plane appears.

  4. In the Group Name field, type a name for the group.
  5. (Optional) In the Targets for Scan Routing box, type a comma-separated list of scan routing targets.

    Targets in the list must be in the supported formats.

    This list specifies the targets that scanners in this scanner group can scan if a scan is configured to use the Auto-Select scanner. For more information, see Example: Scan Routing.

    Note: You can specify up to 10,000 individual scan routing targets for an individual scanner group. For example, 192.168.0.1, example.com, *.example.net, 192.168.0.0/24 specifies four scan routing targets. To condense a scan routing target list, Tenable recommends using wildcard and range formats, instead of individual IP addresses.

  6. (Optional) Configure user permissions for a scanner group.

    By default, in any new scanner group, Tenable Vulnerability Management assigns the system-generated All Users group Can Use permissions.

  7. Click Save.

    If Targets for Scan Routing specifies more than the maximum number of targets, an error message appears. Condense the scan routing targets by using wildcard and range formats instead of individual IP addresses, then try again to save the scanner group.

    In all other cases, the new group appears in the Scanner Groups list.

Edit a Scanner Group

To edit a scanner group:

  1. In the left navigation, click Sensors.

    The Sensors page appears. By default, the Nessus Scanners tab is active and Linked Scanners is selected in the drop-down box.

  2. In the drop-down box, select Scanner Groups.

    The list of existing scanner groups you have permission to use or manage appears.

  3. (Optional) Search the table for the group you want to modify. See Search the Table.
  4. In the scanner group table, do one of the following:
    • In the Actions column of the scanner group you want to modify, click the button.

      The action options appear in the row.

    • Right-click the scanner group you want to modify.

      The action options appear next to your cursor.

  5. Click Edit.

    The Edit Scanner Group plane appears.

  6. Modify any of the following settings:

    Setting | Action
    Name | Type a new name.
    User and Group Permissions | Configure user permissions for the scanner group.
  7. (Optional) In the Targets for Scan Routing box, type a comma-separated list of scan routing targets.

    Targets in the list must be in the supported formats.

    This list specifies the targets that scanners in this scanner group can scan if a scan is configured to use the Auto-Select scanner. For more information, see Example: Scan Routing.

    Note: You can specify up to 10,000 individual scan routing targets for an individual scanner group. For example, 192.168.0.1, example.com, *.example.net, 192.168.0.0/24 specifies four scan routing targets. To condense a scan routing target list, Tenable recommends using wildcard and range formats, instead of individual IP addresses.

  8. Click Save.

    If Targets for Scan Routing specifies more than the maximum number of targets, an error message appears. Condense the scan routing targets by using wildcard and range formats instead of individual IP addresses, then try again to save the scanner group.

    In all other cases, Tenable Vulnerability Management updates the scanner group with your changes.
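The Targets for Scan Routing note in the create and edit procedures above recommends condensing long lists into ranges to stay under the 10,000-target limit. The following Python sketch is an added example, not Tenable code: it collapses individual addresses into CIDR blocks that cover exactly the same hosts, assuming CIDR notation as in the note's 192.168.0.0/24 example; the function names and sample data are constructed for illustration.

```python
import ipaddress

MAX_ROUTING_TARGETS = 10_000  # per-group limit stated in the note above


def condense_targets(targets):
    """Collapse IP addresses and CIDR blocks into the fewest CIDR blocks.

    The result covers exactly the same addresses as the input, so the set of
    hosts routed to the scanner group does not grow. Anything that is not a
    plain address or CIDR block (hostnames, wildcards, other formats) is
    passed through unchanged, minus case-insensitive duplicates.
    """
    v4, v6, other, seen = [], [], [], set()
    for raw in targets:
        target = raw.strip()
        if not target:
            continue
        try:
            # strict=True rejects entries such as 10.0.0.5/24 instead of
            # silently widening them to the whole /24.
            net = ipaddress.ip_network(target, strict=True)
        except ValueError:
            if target.lower() not in seen:
                seen.add(target.lower())
                other.append(target)
            continue
        (v4 if net.version == 4 else v6).append(net)
    # collapse_addresses() cannot mix address families, so merge each alone.
    merged = list(ipaddress.collapse_addresses(v4))
    merged += list(ipaddress.collapse_addresses(v6))
    ips = [str(n.network_address) if n.num_addresses == 1 else str(n)
           for n in merged]
    return ips + other


def routing_field(targets):
    """Return the comma-separated field value, or raise if over the limit."""
    condensed = condense_targets(targets)
    if len(condensed) > MAX_ROUTING_TARGETS:
        raise ValueError(
            f"{len(condensed)} targets exceeds {MAX_ROUTING_TARGETS}")
    return ", ".join(condensed)


# Constructed sample input (not from any real environment).
SAMPLE = (
    [f"10.20.30.{i}" for i in range(256)]
    + [f"10.20.31.{i}" for i in range(128)]
    + ["192.168.0.1", "example.com", "*.example.net", "EXAMPLE.com"]
)

if __name__ == "__main__":
    print(len(SAMPLE), "->", routing_field(SAMPLE))
```

Because the collapse is exact, review the condensed list the same way you would review the original: it routes the same hosts, only written in fewer entries.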

Assign Scanners to a Scanner Group

  1. In the upper-left corner, click the Menu button.

    The left navigation plane appears.

  2. In the left navigation plane, click Settings.

    The Settings page appears.

  3. Click the Sensors tile.

    The Sensors page appears. By default, the Nessus Scanners tab is active and Linked Scanners is selected in the drop-down box.

  4. (Optional) For Tenable Web App Scanning, click the Web App Scanners tab.

    The Web App Scanners tab appears and Linked Scanners is selected in the drop-down box.

  5. In the drop-down box, select Scanner Groups.

    The list of existing scanner groups you have permission to use or manage appears.

  6. In the scanner groups table, click the row of the scanner group where you want to add scanners.

    The Group Details page appears.

  7. Click Assign Scanners.

    The Assign Scanner page appears.

  8. (Optional) Search the table for the scanner you want to assign. See Search the Table.
  9. In the scanners table, select the check boxes next to the scanner or scanners you want to add to the scanner group.
  10. Click Assign.

    If the assignment is successful, Tenable Vulnerability Management adds the scanner to the scanner group, and the Group Details page appears.
    If Tenable Vulnerability Management encounters any problems during processing, the Assign Scanners page remains active, and one of the following messages appears in the Assignment column of the affected scanner:

    Possible Error Messages | Action
    This sensor already exists in the scanner group. | Click Cancel to close the page.
    An error occurred adding this sensor to the scanner group. | Click Assign again. If the processing still fails, contact Tenable Support.

Configure User Permissions for a Scanner Group

You can configure scanner group permissions for individual users or a user group. If you configure scanner group permissions for a user group, you assign all users in that group the same permissions. For more information, see User Groups.

Important! Scanner group permissions do not override existing individual scanner permissions. For example, if you add a scanner with Can Use permissions to a scanner group with Can Manage permissions, that scanner retains its Can Use permissions.

You can assign the following scanner group permissions to a user or user group:

  • No Access — (All Users user group only) No users (except for users or groups you specifically assign permissions) can use the scanner group in scan configurations.
  • Can Use — The user or user group can use the scanner group in scan configurations. The user or user group (assuming they have the Scan Manager or Administrator user role) can view but not edit the scanner group configuration.
  • Can Manage — The user or user group can use the scanner group in scan configurations. The user or user group (assuming they have the Scan Manager or Administrator user role) can view and edit the scanner group configuration.

    Note: All users with the Scan Manager user role have Can Manage permissions for scanner groups, regardless of the scanner group permission they are assigned.

To configure user permissions for a scanner group:

  1. Create or edit a scanner group.
  2. During scanner group configuration, in the Users & Groups section, do any of the following:
    • Edit permissions for the All Users user group.

      1. Next to the permission drop-down for the All Users group, click the button.

      2. Select a permissions level.
    • Add a user or user group to the scanner group.

      1. In the User & Groups heading, click the Add button.

        The Add Users & Group plane appears.

      2. In the Search field, type or click the drop-down to find and add a user or group.

        Tip: Tenable recommends assigning permissions to user groups, rather than individual users, to minimize maintenance as individual users leave or join your organization.

        Added users and groups appear below the Search field.

      3. Click the Add button.

        The scanner group plane appears.

        By default, Tenable Vulnerability Management assigns the added user or user group Can Use permissions.

    • Edit permissions for an existing user or user group.

      1. Next to the permissions drop-down for the user or user group you want to edit, click the button.

      2. Select a permissions level.
    • Remove a user or user group from the scanner group.

      1. Roll over the user or group you want to remove.

      2. Click the Delete button next to the user or user group.

        The user or group disappears from the Users & Groups list.

  3. Click Save.

    Tenable Vulnerability Management saves your changes to the scanner group.

Delete a Scanner Group

To delete one or more scanner groups:

  1. In the left navigation, click Sensors.

    The Sensors page appears. By default, the Nessus Scanners tab is active and Linked Scanners is selected in the drop-down box.

  2. In the drop-down box, select Scanner Groups.

    The list of existing scanner groups you have permission to use or manage appears.

  3. In the scanner groups table, select one or more scanner groups to delete:

    Scope Action
    To delete a single scanner group
    1. In the scanner groups table, do one of the following:

      • Select the check box for the scanner group you want to delete.

        The action bar appears at the top of the table.

      • Right-click the scanner group you want to delete.

        The action options appear next to your cursor.

      • In the Actions column, click the button for the scanner group you want to delete.

        The action options appear in the row.

    2. Click Delete.

      A confirmation window appears.

    To delete multiple scanner groups
    1. In the scanner groups table, select the check boxes next to the scanner groups you want to delete.

      The action bar appears at the bottom of the page.

    2. In the action bar, click the Delete button.

      A confirmation window appears.

  4. In the confirmation window, click the Delete button.

    Tenable Vulnerability Management deletes the group or groups you selected.

Add a Scanner to a Scanner Group

You can add the following types of sensors to a scanner group:

Sensor Type | Supported?
On-premises Tenable Nessus | yes
On-premises Tenable Web App Scanning | yes
Tenable Vulnerability Management cloud | no
Tenable Nessus sensor for Amazon Web Services (AWS) | no
Tenable Network Monitor (NNM) | no
Tenable Agent | no (see Agent Groups)

To add a sensor to one or more scanner groups:

  1. In the left navigation, click Sensors.

    The Sensors page appears. By default, the Nessus Scanners tab is active and Linked Scanners is selected in the drop-down box.

  2. (Optional) Search for the scanner you want to add to a scanner group. See Search the Table.

  3. Select the scanners you want to add and the groups you want to add the scanners to:

    Scope Action
    Add a single scanner to a group or groups
    1. In the scanner group table, do one of the following:

      • Right-click the sensor you want to add to a scanner group.

        The action options appear next to the cursor.

      • In the Actions column, click the button for the sensor you want to add to a scanner group.

        The action options appear in the row.

      • Select the check box for the sensor you want to add to a scanner group.

        Tenable Vulnerability Management enables Add selected to Groups in the action bar.

    2. Click Add to Groups.

      The Add to Groups plane appears.

    3. In the search box, type the name of the scanner group where you want to add the scanner.
    4. In the drop-down box of matching groups, click a group.
    5. (Optional) Repeat steps 3 and 4 to add additional scanner groups.
    Add multiple scanners to a group or groups
    1. In the scanner table, select the check boxes next to the scanners you want to add to scanner groups.

      The action bar appears at the bottom of the page.

    2. Click the Add selected to Groups button.

      The Add to Groups plane appears.

    3. In the search box, type the name of the scanner group where you want to add the scanner.
    4. In the drop-down list of matching groups, click a group.
    5. (Optional) Repeat steps 3 and 4 to add additional scanner groups.
  4. Click Save to save your changes.

    Tenable Vulnerability Management adds the scanner or scanners to the selected group or groups and closes the Add to Groups plane.

Export a Scanner from a Scanner Group

To export a scanner from a scanner group:

  1. In the left navigation, click Sensors.

    The Sensors page appears. By default, the Nessus Scanners tab is active and Linked Scanners is selected in the drop-down box.

  2. In the drop-down box, select Scanner Groups.

    The list of existing scanner groups you have permission to use or manage appears.

  3. (Optional) Search the table for the group you want to export from. See Search the Table.

  4. In the scanner group table, click the scanner group you want to export from.

    The Group Details page appears. This page contains a table listing sensors assigned to this group.

  5. (Optional) Search for the sensor you want to export. See Search the Table.

  6. Select the scanners you want to export:

    Export Scope Action
    A single linked scanner

    To export a single linked scanner from the Group Details page:

    1. In the linked scanners table, right-click the row for the linked scanner you want to export.

      -or-

      In the linked scanners table, in the Actions column, click the button in the row for the linked scanner you want to export.

      The action buttons appear in the row.

      -or-

      Select the check box for the linked scanner you want to export.

      The action bar appears at the top of the table.

    2. Click Export.

    To export from the Details page:

    1. In the linked scanners table, click the row for the linked scanner you want to export.

      The Details page appears.

    2. In the upper-right corner, click the Export button.

    Multiple linked scanners

    To export multiple selected linked scanners:

    1. In the scanners table, select the check box for each linked scanner you want to export.

      The action bar appears at the top of the table.

    2. In the action bar, click Export.

      Note: The Export link is available for up to 200 selections. If you want to export more than 200 scanners, select all the scanners in the list and then click Export.

  7. The Export plane appears. This plane contains:

    • A text box to configure the export file name.
    • A list of available export formats.
    • A table of configuration options for fields to include in the exported file.

      Note: By default, all fields are selected.

    • A text box to set the number of days before the export expires.
    • A toggle to configure the export schedule.
    • A toggle to configure the email notification.
  8. In the Name box, type a name for the export file.
  9. Click the export format you want to use:

    Format Description
    CSV

    A CSV text file that contains a list of linked scanners.

    Note: If your .csv export file includes a cell that begins with any of the following characters (=, +, -, @), Tenable Vulnerability Management automatically inputs a single quote (') at the beginning of the cell. For more information, see the related knowledge base article.
    JSON

    A JSON file that contains a nested list of linked scanners.

    Empty fields are not included in the JSON file.

  10. In the Expiration box, type the number of days before the export file expires.

    Note: Tenable Vulnerability Management allows you to set a maximum of 30 calendar days for export expiration.

  11. (Optional) To set a schedule for your export to repeat:

    • Click the Schedule toggle.

      The Schedule section appears.

    • In the Start Date and Time section, select the date and time on which you want the export schedule to start.
    • In the Time Zone drop-down box, select the time zone to which you want the schedule to adhere.
    • In the Repeat drop-down box, select how often you want the export to repeat.
    • In the Repeat Ends drop-down, select the date on which you want the schedule to end.
      Note: If you select never, the schedule repeats until you modify or delete the export schedule.
  12. (Optional) To send email notifications on completion of the export:

    Note: You can enable email notifications with or without scheduling exports.
    • Click the Email Notification toggle.

      The Email Notification section appears.

    • In the Add Recipients box, type the email addresses to which you want to send the export notification.

    • (Required) In the Password box, type a password for the export file. You must share this password with the recipients to allow them to download the file.

      Note: Tenable Vulnerability Management sends an email to the recipients. From the link in the email, the recipients can download the file by providing the correct password.
  13. Click Export.

    Tenable Vulnerability Management begins processing the export. Depending on the size of the exported data, Tenable Vulnerability Management may take several minutes to process the export.

    When processing completes, Tenable Vulnerability Management downloads the export file to your computer. Depending on your browser settings, your browser may notify you that the download is complete.

  14. Access the export file via your browser's downloads directory. If you close the export plane before the download finishes, then you can access your export file in the Export Management View.
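The CSV format note in the export procedure above means that a value beginning with =, +, - or @ arrives with a leading single quote, which breaks exact-match lookups in scripts that consume the file. The following Python sketch is an added example, not Tenable code: it removes that guard for programmatic use and reapplies the same rule when writing rows back out for a spreadsheet. The column names and sample rows are constructed; the real export columns depend on the fields you selected.

```python
import csv
import io

FORMULA_TRIGGERS = ("=", "+", "-", "@")  # characters listed in the CSV note


def guard_cell(value):
    """Apply the rule the note describes: prefix ' to cells a spreadsheet
    could interpret as a formula."""
    return "'" + value if value.startswith(FORMULA_TRIGGERS) else value


def unguard_cell(value):
    """Drop the guard for in-script comparisons only.

    A cell whose original text really began with '= is indistinguishable
    from a guarded one, so keep the raw file if that matters to you.
    """
    if len(value) > 1 and value[0] == "'" and value[1] in FORMULA_TRIGGERS:
        return value[1:]
    return value


def load_export(text):
    """Parse exported CSV text into dicts with the guard removed."""
    reader = csv.DictReader(io.StringIO(text))
    return [{k: unguard_cell(v) for k, v in row.items()} for row in reader]


def dump_for_spreadsheet(rows, fieldnames):
    """Write rows as CSV with the guard reapplied to every cell.

    Missing keys become empty cells, which also covers rows loaded from the
    JSON format, where empty fields are omitted.
    """
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: guard_cell(str(row.get(k, ""))) for k in fieldnames})
    return buf.getvalue()


# Constructed sample export; "name" and "status" are hypothetical columns.
SAMPLE_EXPORT = (
    "name,status\n"
    "'-dmz-scanner-01,on\n"
    "'@branch-office,off\n"
    "lab-scanner,on\n"
)

if __name__ == "__main__":
    for row in load_export(SAMPLE_EXPORT):
        print(row)
```

Use the unguarded values only inside scripts; anything written back to a file that someone may open in a spreadsheet should go through the guarded writer.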

Remove a Scanner from a Scanner Group

To remove a sensor from a scanner group:

  1. In the left navigation, click Sensors.

    The Sensors page appears. By default, the Nessus Scanners tab is active and Linked Scanners is selected in the drop-down box.

  2. In the drop-down box, select Scanner Groups.

    The list of existing scanner groups you have permission to use or manage appears.

  3. (Optional) Search the table for the group you want to modify. For more information, see Tables in Tenable Vulnerability Management.

  4. In the scanner group table, click the scanner group you want to modify.

    The Group Details page appears. This page contains a table listing sensors assigned to this group.

  5. (Optional) Search for the sensor you want to remove. See Search the Table.

  6. Select the scanners you want to remove:

    Scope Action
    Remove a single sensor
    1. In the sensors table, do one of the following:

      • Right-click the sensor you want to remove.

        The action options appear next to your cursor.

      • In the Actions column, click the button for the sensor you want to remove.

        The action options appear in the row.

      • Select the check box for the sensor you want to remove.

        The action buttons appear at the top of the table.

    2. Click the Remove from Group button.

      A confirmation window appears.

    Remove multiple sensors
    1. In the sensors table, select the check box for each sensor you want to remove from the group.

      The action bar appears at the bottom of the page.

    2. In the action bar, click the Remove from Group button.

      A confirmation window appears.

  7. In the confirmation window, click Remove.

    Tenable Vulnerability Management removes the sensor or sensors from the scanner group.

View Sensors in a Scanner Group

Important! Scanner group permissions do not override existing individual scanner permissions. For example, if you add a scanner with Can Use permissions to a scanner group with Can Manage permissions, that scanner retains its Can Use permissions.

To view sensors assigned to a scanner group: 

  1. In the left navigation, click Sensors.

    The Sensors page appears. By default, the Nessus Scanners tab is active and Linked Scanners is selected in the drop-down box.

  2. In the drop-down box, select Scanner Groups.

    The list of existing scanner groups you have permission to use or manage appears.

  3. (Optional) Search the table for the group you want to view. See Search the Table.

  4. In the scanner group table, click the scanner group you want to view.

    The Group Details page appears. This page contains a table listing sensors assigned to this group.

View All Running Scans for a Sensor

Note: You can only view all scans for sensors in Tenable Nessus scanner groups.

To view all running scans for a sensor: 

  1. View the sensors in the appropriate scanner group.

  2. In the sensors table, click the sensor for which you want to view all scans.

    The scanner Details page appears.

  3. Click the Manage Scans tab.

    Tenable Vulnerability Management shows a list of all scans the sensor is currently running.