Manage Sensors

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

Required Tenable Web App Scanning User Role: Scan Manager or Administrator

Use the following procedures to manage your linked sensors in Tenable Vulnerability Management. For more general information about sensors, see Sensors.

Link a Sensor

This procedure describes how to link a sensor to Tenable Vulnerability Management.

Linking a sensor to Tenable Vulnerability Management represents a one-time event in managing a sensor, unless you remove the sensor. After you link the sensor, the sensor connects to Tenable Vulnerability Management using unique credentials.

Once you copy the linking key in Tenable Vulnerability Management, you must paste the linking key in the appropriate location of the sensor user interface (for example, the Tenable Agent CLI or the Tenable Network Monitor Cloud Settings section). Expand the following sections for specific details.

Note: If you use the Tenable Vulnerability Management FedRAMP environment, Tenable recommends reviewing the following documents before you link sensors:

Note: If you use domain allowlists for firewalls, Tenable recommends adding:
  • * cloud.tenable.com (Commercial)
  • *.fedcloud.tenable.com (FedRAMP)
(with the wildcard character) to the allowlist. This ensures communication with sensor.fed/cloud.tenable.com, which the scanner uses to communicate with Tenable Vulnerability Management. If you are connecting to Tenable Vulnerability Management through Tenable Nessus scanners, Tenable Agents, Tenable Web App Scanning scanners, or Tenable Network Monitors (NNM) located in mainland China, you must connect through sensor.cloud.tenablecloud.cn instead of sensor.cloud.tenable.com.
Note: Under certain circumstances, you may need to regenerate the linking key. See Regenerate a Linking Key for more information. To learn more about the sensor security and linking keys, see Sensor Security.

To navigate to Sensors:

  1. In the left navigation, click Sensors.

    The Sensors page appears. By default, the Nessus Scanners tab is active and Linked Scanners is selected in the drop-down box.

Link a Tenable Nessus Scanner

For a demonstration on installing and linking a Tenable Nessus scanner, see the following video:

  1. Click the Nessus Scanners tab.

  2. Click Add Nessus Scanner.

    The Add Nessus plane appears.

  3. Do one of the following:

    • To install and link Tenable Nessus manually:

      1. In the Linking Key section, click Copy.

        A Linking key copied to clipboard confirmation message appears.

      2. Access the Tenable Nessus instance that you want to link to Tenable Vulnerability Management.
      3. Use the copied linking key in the Tenable Nessus user interface to link the sensor. For more information, see the Link to Tenable Vulnerability Management in the Tenable Nessus User Guide.

    • (Windows only) To use a single command to install and link a Tenable Nessus scanner:

      1. Under the One-Line Installation instructions, copy the command.

        The command contains the linking key and syntax required to install the scanner, link the scanner to Tenable Vulnerability Management, change the scanner name, and add the scanner to a scanner group. For example:

        Invoke-WebRequest -Uri "https://cloud.tenable.com/install/scanner/installer/ms-install-script.ps1" -OutFile "./ms-install-script.ps1"; & "./ms-install-script.ps1" -key "51cc161bfa7c62dd7fc90a63561a256306cda982e3edba9d7ebadc05f6a2118c" -type "scanner" -name "<scanner name>" -groups "<list of groups>"; Remove-Item -Path "./ms-install-script.ps1"

        Tip: For Tenable FedRAMP Moderate environments, use "fedcloud.tenable.com".

      2. In the command, replace <scanner-name> with the scanner name.

        Tip: If you do not want to set a custom scanner name, remove -name "<scanner-name>". If you do not set a custom name, Tenable names the scanner using the hostname of the machine on which you installed the scanner.

      3. In the command, replace <list of groups> with the scanner group name.

        Note: The scanner group name is case-sensitive and must match exactly.

        Tip: If you do not want to add the scanner to a scanner group, remove -groups "<list of groups>".

      4. As a user with administrative privileges, access the CLI of the Windows machine on which you want to install the scanner.

      5. Run the command.

        Tenable Nessus installs on your Windows machine, links to your instance of Tenable Vulnerability Management, and updates the scanner name and scanner group if necessary.

    • (Linux only) To use a single command to install and link a Tenable Nessus scanner:

      1. Under the One-Line Installation instructions, copy the command.

        The command contains the linking key and syntax required to install the scanner, link the scanner to Tenable Vulnerability Management, change the scanner name, and add the scanner to a scanner group. For example:

        curl -H 'X-Key: abcd1234efgh5678ijkl9012mnop3456qrst7890uvwx1234yz5678abcd1234ef' 'https://cloud.tenable.com/install/scanner?name=scanner-name&groups=scanner-group'| bash

        Tip: For Tenable FedRAMP Moderate environments, use "fedcloud.tenable.com".

      2. In the command, replace scanner-name with the scanner name.

        Tip: If you do not want to set a custom scanner name, remove name=scanner-name. If you do not set a custom name, Tenable names the scanner using the hostname of the machine on which you installed the scanner.

      3. In the command, replace scanner-group with the scanner group name.

        Note: The scanner group name is case-sensitive and must match exactly.

        Tip: If you do not want to add the scanner to a scanner group, remove groups=scanner-group.

      4. As a user with administrative privileges, access the CLI of the Linux machine on which you want to install the scanner.

      5. Run the command.

        Tenable Nessus installs on your Linux machine, links to your instance of Tenable Vulnerability Management, and updates the scanner name and scanner group if necessary.

Link a Tenable Agent

For a demonstration on installing and linking a Tenable Agent sensor, see the following video:

Note: For troubleshooting agents in environments where Zscaler is used, see the Difficulties with Nessus Agents when Zscaler is in useTenable community article.

  1. Click the Nessus Agents tab.

  2. Click Add Agent.

    The Add Agent plane appears.

  3. Do one of the following:

    • To install and link Tenable Agent manually:

      1. In the Linking Key section, click Copy.

        A Linking key copied to clipboard confirmation message appears.

      2. Access the Tenable Agent instance that you want to link to Tenable Vulnerability Management.
      3. Use the copied linking key in the Tenable Agent CLI to link the sensor. For more information, see Install Tenable Agent in the Tenable Agent Deployment and User Guide.

    • (Windows only) To use a single command to install and link Tenable Agent:

      1. Under the Installing Agent on Windows platforms header, copy the command.

        The command contains the linking key and syntax required to install the agent, link the agent to Tenable Vulnerability Management, change the agent name, and add the agent to an agent group. For example:

        Invoke-WebRequest -Uri “https://cloud.tenable.com/install/

        {sensorType}/installer/ms-install-script.ps1” -OutFile “./ms-install-script.

        ps1"; & “./ms-install-script.ps1” -key “{linkingKey}” -type

        “{sensorType}” -name “<agent name>” -groups “<list of groups>“;

        Remove-Item -Path “./ms-install-script.ps1”

        Tip: For Tenable FedRAMP Moderate environments, use "fedcloud.tenable.com".

      2. In the command, replace <agent name> with the agent name.

        Tip: If you do not want to set a custom agent name, remove -name "<agent name>". If you do not set a custom name, Tenable names the agent using the hostname of the machine on which you installed the agent.

      3. In the command, replace <list of groups> with the agent group name or names.

        Note: The agent group name is case-sensitive and must match exactly. You must encase the agent group name in quotation marks (for example, --groups="My Group").

        Tip: If you do not want to add the agent to an agent group, remove -groups "<list of groups>".

      4. As a user with administrative privileges, access the CLI of the Windows machine on which you want to install the agent.

      5. Run the command.

        Tenable Agent installs on your Windows machine, links to your instance of Tenable Vulnerability Management, and updates the agent name and agent group if necessary.

    • (Linux only) To use a single command to install and link Tenable Agent:

      1. Under the Installing Agent on Linux platforms header, copy the command.

        The command contains the linking key and syntax required to install the agent, link the agent to Tenable Vulnerability Management, change the agent name, and add the agent to an agent group. For example:

        curl -H 'X-Key: abcd1234efgh5678ijkl9012mnop3456qrst7890uvwx1234yz5678abcd1234ef' 'https://cloud.tenable.com/install/agent?name=agent-name&groups=agent-group' | bash

        Note: For Tenable FedRAMP Moderate environments, use "fedcloud.tenable.com".

      2. In the command, replace agent-name with the agent name.

        Tip: If you do not want to set a custom agent name, remove name=agent-name. If you do not set a custom name, Tenable names the agent using the hostname of the machine on which you installed the agent.

      3. In the command, replace agent-group with the agent group name.

        Note: The agent group name is case-sensitive and must match exactly. You must encase the agent group name in quotation marks (for example, --groups="My Group").

        Tip: If you do not want to add the agent to an agent group, remove groups=agent-group.

      4. As a user with administrative privileges, access the CLI of the Linux machine on which you want to install the agent.

      5. Run the command.

        Tenable Agent installs on your Linux machine, links to your instance of Tenable Vulnerability Management, and updates the agent name and agent group if necessary.

Link a Tenable Network Monitor

  1. Click the Nessus Network Monitors tab.

  2. Click Add Nessus Network Monitor.

    The Add Nessus Network Monitor plane appears.

  3. In the Linking Key section, click Copy.

    A Linking key copied to clipboard confirmation message appears.

  4. Access the Tenable Network Monitor instance that you want to link to Tenable Vulnerability Management.
  5. Use the copied linking key in the Tenable Network Monitor user interface to link the sensor. For more information, see the Tenable Network Monitor User Guide.

Link a Tenable OT Security Connector

  1. Click the OT Connectors tab.

  2. Click Add OT Connector.

    The Add OT Connector window appears.

  3. Click Generate.

    Tenable Vulnerability Management shows the appropriate cloud site to link the Tenable OT Security connector to and generates an OT linking key.

    Note: You can use the linking key to link one Tenable connector, and you must use the linking key within two hours of generation. To link additional OT connectors, generate and use a new linking key for each connector.

  4. Use the cloud site and linking key to link the connector to Tenable Vulnerability Management from the OT Security user interface. For more information, see the OT Security User Guide.

Link a Tenable Web App Scanning Scanner

  1. Click the Web Application Scanners tab.

  2. Click Add Web Application Scanner.

    The Add Web Application Scanner plane appears.

  3. In the Linking Key section, click Copy.

    A Linking key copied to clipboard confirmation message appears.

  4. Access the Tenable Core + Tenable Web App Scanning instance that you want to link to Tenable Vulnerability Management.
  5. Use the copied linking key in the Tenable Core + Tenable Web App Scanning user interface to link the sensor. For more information, see the Tenable Core+Tenable Web App Scanning User Guide.

What to do next:

Edit Sensor Settings

You can edit certain settings for the following types of linked sensors:

  • Tenable Network Monitor
  • Tenable Nessus for Amazon Web Service (AWS)

To edit sensor settings:

  1. In the left navigation, click Sensors.

    The Sensors page appears. By default, the Nessus Scanners tab is active and Linked Scanners is selected in the drop-down box.

  2. Click the appropriate sensor type tab.

    The sensor table appears.

  3. If the sensor is a Nessus Scanner, do one of the following:
    • In the drop-down box, select the Cloud Scanners tab to view cloud scanners connected to Tenable Vulnerability Management. For more information, see Cloud Sensors.
    • In the drop-down box, select the Linked Scanners tab to view scanners linked to Tenable Vulnerability Management. For more information, see Linked Scanners

  4. In the table of linked sensors, click the sensor for which you want to edit settings.

    The sensor details appear. By default, the Overview tab is active.

  5. Click the Settings tab.

    The sensor settings appear.

  6. Edit the sensor settings:

    Setting Sensor Type Description
    Report Frequency NNM Specifies the frequency, in minutes, that you want the sensor to report information to Tenable Vulnerability Management.
    Software Update Type NNM (5.6.1 and later only)

    Specifies which components, if any, you want Tenable Network Monitor to automatically update.

    All components includes web server, HTML client, plugins, and engine.
    Updates instances every (minutes) AWS Specifies the frequency, in minutes, that you want the AWS sensor to report information to Tenable Vulnerability Management about the instances it has access to.
  7. In the lower-right corner of the page, click Save.

Edit Sensor Permissions

You can set the following Tenable Vulnerability Management user permissions levels in your sensor configuration:

  • No Access — The user or group cannot use the scanner in scan configurations or edit the scanner configuration.
  • Can Use — The user or group can use the scanner in scan configurations, but cannot edit the scanner configuration.
  • Can Manage — The user or group can use the scanner in scan configurations and edit the scanner configuration.

Note: Cloud scanners always have the Can Use permission regardless of how you configure them.

To edit sensor permissions:

  1. In the left navigation, click Sensors.

    The Sensors page appears. By default, the Nessus Scanners tab is active and Linked Scanners is selected in the drop-down box.

  2. Click the appropriate sensor type tab.

    A sensors table appears.

  3. If the sensor is a Nessus Scanner, click the Linked Scanners tab to view on-premises scanners linked to Tenable Vulnerability Management. For more information, see Linked Scanners.

  4. In the table of linked sensors, click the sensor for which you want to set permissions.

    The Details page appears. For all sensors except agents, the Overview tab is active by default.

  5. Click the Permissions tab.

    Note: By default, any user in your Tenable Vulnerability Management instance can use the scanner.

  6. Do any of the following:

    • To select a permissions level from the drop-down box for the Default user.

    • To specify permissions for an individual user or user group:

      1. In the Add users or user groups text box, type the name of a user or user group.

        As you type, Tenable Vulnerability Management searches for matches to existing users or user groups.

      2. In the search results, select a user or user group.

      3. In the permissions drop-down, select a permissions level for the user or user group you added.
  7. In the lower-right corner of the page, click Save.

Enable or Disable a Sensor

To enable or disable a sensor:

  1. In the left navigation, click Sensors.

    The Sensors page appears. By default, the Nessus Scanners tab is active and Linked Scanners is selected in the drop-down box.

  2. Click the appropriate sensor type tab.

    The sensors table appears.

  3. (Optional) If the sensor is a Nessus Scanner, select Linked Scanners in the drop-down box to view on-premises scanners linked to Tenable Vulnerability Management. For more information, see Linked Scanners.

  4. In the table of linked sensors, do one of the following:

    • Right-click the sensor you want to enable or disable.

      The action options appear next to your cursor.

    • In the Actions column, click the button you want to enable or disable.

      The action options appear in the row.

  5. Do one of the following:

    • To enable a sensor, click the Enable button.
    • To disable a sensor, click the Disable button.

    Tenable Vulnerability Management enables or disables the sensor.

Remove a Sensor

Note: You cannot remove cloud sensors.

To remove a sensor:

  1. In the left navigation, click Sensors.

    The Sensors page appears. By default, the Nessus Scanners tab is active and Linked Scanners is selected in the drop-down box.

  2. Click the appropriate sensor type tab.

    The sensor table appears.

  3. For Nessus Scanners, select Linked Scanners in the drop-down box to view on-premises scanners linked to Tenable Vulnerability Management. For more information, see Linked Scanners.

  4. In the table of linked sensors, do one of the following roll over the sensor you want to remove.

    Scope Action
    Remove a sensor

    1. In the sensors table, do one of the following:

      • Right-click the sensor you want to remove.

        The action options appear next to the cursor.

      • In the Actions column, click the button for the sensor you want to remove.

        The action options appear in the row.

      • Select the check box next to the sensor you want to remove.

        The action bar appears at the top of the table.

    2. Click Delete.

    A confirmation window appears.
    Remove multiple sensors

    1. In the sensors table, select the check box for the sensors you want to remove. The action bar appears at the top of the table.

    2. Click Delete.

      A confirmation window appears.

  5. Click Delete to confirm the removal.

    Tenable Vulnerability Management removes the sensor from the list.