Tag Rules Filters
Note: If there is a typo in the tag rule, an error appears in the Rules box with a description of the issue.
To ensure optimal performance and system stability, the following limits apply to the Boolean Filter Conditions within a Tag Rule:
- Maximum Boolean Filter Conditions: 40
- A single Tag Rule can consist of up to 40 individual filter conditions joined by AND or OR operators.
- Maximum Values per Filter Property: 1024
- Each specific filter property (for example, Operating System, Hostname, or IP Address) supports up to 1,024 unique values.
On the Tags page, you can select from the following filters to create rules for an automatic tag:
| Filter | Description |
|---|---|
| Account ID | The unique identifier assigned to the asset resource in the cloud service that hosts the asset. |
| ACR |
(Requires Tenable One / Tenable Lumin license) The asset's ACR (Asset Criticality Rating). |
| ACR Severity |
(Requires Tenable One / Tenable Lumin license) (Requires Tenable One / Tenable Lumin license) The ACR category of the ACR calculated for the asset. |
| AES |
(Requires Tenable One / Tenable Lumin license)The Asset Exposure Score (AES) calculated for the asset. |
| AES Severity |
(Requires Tenable One / Tenable Lumin license) (Requires Tenable One / Tenable Lumin license) The AES category of the AES calculated for the asset. |
| Agent Name |
The name of the Tenable Nessus agent that scanned and identified the asset. |
| ARN | The Amazon Resource Name (ARN) for the asset. |
| ASN | The Autonomous System Number (ASN) for the asset. |
| Assessed vs. Discovered |
Specifies whether Tenable Vulnerability Management scanned the asset for vulnerabilities or if Tenable Vulnerability Management only discovered the asset via a discovery scan. Possible values are:
|
| Asset ID |
The UUID of the asset where a scan detected the finding. This value is unique to Tenable Vulnerability Management. |
| AWS Availability Zone |
The name of the Availability Zone where AWS hosts the virtual machine instance. For more information, see Regions and Zones in the AWS documentation. |
| AWS EC2 AMI ID |
The unique identifier of the Linux AMI image in Amazon Elastic Compute Cloud (Amazon EC2). For more information, see the Amazon Elastic Compute Cloud Documentation. |
| AWS EC2 Instance ID |
The unique identifier of the Linux instance in Amazon EC2. For more information, see the Amazon Elastic Compute Cloud Documentation. |
| AWS EC2 Name |
The name of the virtual machine instance in Amazon EC2. |
| AWS EC2 Product Code |
The product code associated with the AMI used to launch the virtual machine instance in Amazon EC2. |
| AWS Instance State |
The state of the virtual machine instance in AWS at the time of the scan. For possible values, see InstanceState in the Amazon Elastic Compute Cloud Documentation. |
| AWS Instance Type |
The type of virtual machine instance in Amazon EC2. Amazon EC2 instance types dictate the specifications of the instance (for example, how much RAM it has). For a list of possible values, see Amazon EC2 Instance Types in the AWS documentation. |
| AWS Owner ID |
A UUID for the Amazon AWS account that created the virtual machine instance. This attribute only appears for Amazon EC2 instances. For more information, see View AWS Account Identifiers in the AWS documentation |
| AWS Region |
The region where AWS hosts the virtual machine instance, for example, us-east-1. |
| AWS Security Group |
The AWS security group (SG) associated with the Amazon EC2 instance. |
| AWS Subnet ID |
The unique identifier of the AWS subnet where the virtual machine instance was running at the time of the scan. |
| AWS VPC ID |
The unique identifier of the public cloud that hosts the AWS virtual machine instance. For more information, see the Amazon Virtual Private Cloud Documentation. |
| Azure Resource Group | The name of the resource group in the Azure Resource Manager. For more information, see the Azure Resource Manager Documentation. |
| Azure Resource ID |
The unique identifier of the resource in the Azure Resource Manager. For more information, see the Azure Resource Manager documentation. |
| Azure Resource Type | The resource type of the resource in the Azure Resource Manager. For more information, see the Azure Resource Manager Documentation. |
| Azure Subscription ID | The unique subscription identifier of the resource in the Azure Resource Manager. For more information, see the Azure Resource Manager Documentation. |
| Azure VM ID |
The unique identifier of the Microsoft Azure virtual machine instance. For more information, see the Azure Resource Manager documentation. |
| BIOS ID |
The NetBIOS name for the asset. |
| Cloud Provider | The name of the cloud provider that hosts the asset. |
| Created Date | The time and date when Tenable Vulnerability Management created the asset record. |
| Custom Attribute |
A filter that searches for custom attributes via a category-value pair. For more information about custom attributes, see the Tenable Developer Portal. |
| Deleted | Specifies whether the asset has been deleted. |
| Deleted Date | The date when a user deleted the asset record or the number of days since a user deleted the asset. When a user deletes an asset record, Tenable Vulnerability Management retains the record until the asset ages out of the license count. |
| DNS (FQDN) |
The fully-qualified domain name of the asset host. Note: This does not apply to Web Application assets, for which you must use the Name filter.
|
| Domain | The domain which has been added as a source or discovered by ASM as belonging to a user. |
| First Seen |
The date and time when a scan first identified the asset. |
| Google Cloud Instance ID |
The unique identifier of the virtual machine instance in Google Cloud Platform (GCP). |
| Google Cloud Project ID |
The customized name of the project to which the virtual machine instance belongs in GCP. For more information, see Creating and Managing Projects in the GCP documentation. |
| Google Cloud Zone |
The zone where the virtual machine instance runs in GCP. For more information, see Regions and Zones in the GCP documentation. |
| Has Plugin Results | Specifies whether the asset has plugin results associated with it. |
| Host Name (Domain Inventory) | The host name for assets found during attack surface management scans; only for use with Domain Inventory assets. |
| Hosting Provider | The hosting provider for the asset. |
| IaC Resource Type | The Infrastructure as Code (IAC) resource type of the asset. |
| Installed Software |
Installed Software contains a list of Common Platform Enumeration (CPE) values, allowing for granular inventory of applications, operating systems, and hardware identified on an asset. This filter uses the CPE 2.3 format, for example, cpe:2.3:a:apache:http_server:2.4.63, allowing you to search for specific software versions. For scanned assets, this field is populated by Tenable Nessus Plugin 45590 (Common Platform Enumeration (CPE)). For more information, see the CPE Specification documentation or the Official CPE Dictionary. Note: To see vulnerabilities associated with these applications, use the cpe findings filter in Findings Filters. |
| IPv4 Address |
The IPv4 address associated with the asset record.. This filter supports multiple asset identifiers as a comma-separated list (for example, hostname_example, example.com, 192.168.0.0). For IP addresses, you can specify individual addresses, CIDR notation (for example, 192.168.0.0/24), or a range (for example, 192.168.0.1-192.168.0.255). Note: A CIDR mask of /0 is not supported for this parameter, because that value would match all IP addresses. If you submit a /0 value for this parameter, Tenable Vulnerability Management returns a 400 Bad Request error message. Note: Ensure the tag filter value does not end in a period. |
| IPv6 Address |
An IPv6 address that a scan has associated with the asset record. This filter supports multiple asset identifiers as a comma-separated list. The IPV6 address must be an exact match. (for example, 0:0:0:0:0:ffff:c0a8:0). Note: Ensure the tag filter value does not end in a period. |
| Is Attribute | Specifies whether the asset is an attribute. |
| Is Auto Scale | Specifies whether the asset scales automatically. |
| Is Unsupported | Specifies whether the asset is unsupported in Tenable Vulnerability Management. |
| Last Authenticated Scan |
The date and time of the last authenticated scan run against the asset. An authenticated scan that only uses discovery plugins updates the Last Authenticated Scan field, but not the Last Licensed Scan field. |
| Last Licensed Scan |
The date and time of the last scan in which the asset was considered "licensed" and counted towards Tenable's license limit. A licensed scan uses non-discovery plugins and can identify vulnerabilities. Unauthenticated scans that run non-discovery plugins update the Last Licensed Scan field, but not the Last Authenticated Scan field. For more information on how licenses work, see Tenable Vulnerability Management Licenses. |
| Last Seen | The date and time of the scan that most recently identified the asset. |
| Licensed |
Specifies whether the asset is included in the asset count for the Tenable Vulnerability Management instance. |
| MAC Address |
A MAC address that a scan has associated with the asset record. |
| Mitigation Last Detected | The date and time of the scan that last identified mitigation software on the asset. |
| Name |
The asset identifier that Tenable Vulnerability Management assigns based on the presence of certain asset attributes in the following order:
For example, if scans identify a NetBIOS name and an IPv4 address for an asset, the NetBIOS name appears as the Asset Name. |
| NetBIOS Name |
The NetBIOS name for the asset. |
| Network | The name of the network object associated with scanners that identified the asset. The default name is Default. For more information, see Networks. |
| Open Ports | Open ports on the asset. |
| Operating System | One of the operating system(s) that a scan identified on the asset. |
| Port | The port associated with the asset. |
| Public | Specifies whether the asset is available on a public network. |
| Record Type | The asset type. |
| Region | The cloud region where the asset runs. |
| Repositories | Any code repositories associated with the asset. |
| Resource Category | The name of the category to which the cloud resource type belongs (for example, object storage or virtual network). |
| Resource Tags (By Key) | Tags synced from a cloud source, such as Amazon Web Services (AWS), matched by the tag key (for example, Name). |
| Resource Tags (By Value) | Tags synced from a cloud source, such as Amazon Web Services (AWS), matched by the tag value. |
| Resource Type | The asset's cloud resource type (for example, network, virtual machine). |
| ServiceNow Sys ID |
Where applicable, the unique record identifier of the asset in ServiceNow. For more information, see the ServiceNow documentation. |
| Source |
The source of the scan that identified the asset. Possible filter values are:
|
| SSL/TLS | Specifies whether the application on which the asset is hosted uses SSL/TLS public-key encryption. |
| System Type |
The system types as reported by Plugin ID 54615. For more information, see Tenable Plugins. |
| Tags |
Filter and organize assets into logical groups (e.g., Network: Headquarters) for easier management and reporting. This filter is case-sensitive. You can add a maximum of 100 tags. For more information, see Tags. |
| Target Groups |
The target group to which the asset belongs. This attribute is empty if the asset does not belong to a target group. For more information, see Target Groups. |
| Tenable ID |
The UUID of the agent present on the asset. |
| Terminated | Specifies whether or not the asset is terminated. |
| Type |
The system type on which the asset is managed. Possible filter values are:
|
| Updated Date | The time and date when a user last updated the asset. |
| VPC | The unique identifier of the public cloud that hosts the AWS virtual machine instance. For more information, see the Amazon Virtual Private Cloud User Guide. |