Tag Rules Filters

Note: If there is a typo in the tag rule, an error appears in the Rules box with a description of the issue.

Note: Tenable Vulnerability Management supports a maximum of 35 rules per tag. This limit means that you can specify a maximum of 35 and or or conditions for a single tag value. Additionally, Tenable Vulnerability Management supports a default maximum of 25 values per individual tag rule. For IPv4, IPv6, and FQDNs, Tenable Vulnerability Management supports a maximum of 1,024 values per individual tag rule.

On the Tags page, you can select from the following filters to create rules for an automatic tag:

Filter Description
Account ID The unique identifier assigned to the asset resource in the cloud service that hosts the asset.
ACR

(Requires Tenable Lumin license) The asset's ACR (Asset Criticality Rating).

ACR Severity

(Requires Tenable Lumin license) (Requires Tenable One or Tenable Lumin license) The ACR category of the ACR calculated for the asset.

AES

(Requires Tenable Lumin license)The Asset Exposure Score (AES) calculated for the asset.

AES Severity

(Requires Tenable Lumin license) (Requires Tenable Lumin license) The AES category of the AES calculated for the asset.

Agent Name

The name of the Tenable Nessus agent that scanned and identified the asset.

ARN The Amazon Resource Name (ARN) for the asset.
ASN The Autonomous System Number (ASN) for the asset.
Assessed vs. Discovered

Specifies whether Tenable Vulnerability Management scanned the asset for vulnerabilities or if Tenable Vulnerability Management only discovered the asset via a discovery scan. Possible values are:

  • Assessed

  • Discovered Only

Asset ID

The asset's unique identifier.

AWS Availability Zone

The name of the Availability Zone where AWS hosts the virtual machine instance. For more information, see Regions and Zones in the AWS documentation.

AWS EC2 AMI ID

The unique identifier of the Linux AMI image in Amazon Elastic Compute Cloud (Amazon EC2). For more information, see the Amazon Elastic Compute Cloud Documentation.

AWS EC2 Instance ID

The unique identifier of the Linux instance in Amazon EC2. For more information, see the Amazon Elastic Compute Cloud Documentation.

AWS EC2 Name

The name of the virtual machine instance in Amazon EC2.

AWS EC2 Product Code

The product code associated with the AMI used to launch the virtual machine instance in Amazon EC2.

AWS Instance State

The state of the virtual machine instance in AWS at the time of the scan. For possible values, see InstanceState in the Amazon Elastic Compute Cloud Documentation.

AWS Instance Type

The type of virtual machine instance in Amazon EC2. Amazon EC2 instance types dictate the specifications of the instance (for example, how much RAM it has). For a list of possible values, see Amazon EC2 Instance Types in the AWS documentation.

AWS Owner ID

A UUID for the Amazon AWS account that created the virtual machine instance. For more information, see View AWS Account Identifiers in the AWS documentation.

This attribute contains a value for Amazon EC2 instances only. For other asset types, this attribute is empty.

AWS Region

The region where AWS hosts the virtual machine instance, for example, us-east-1.

AWS Security Group

The AWS security group (SG) associated with the Amazon EC2 instance.

AWS Subnet ID

The unique identifier of the AWS subnet where the virtual machine instance was running at the time of the scan.

AWS VPC ID

The unique identifier of the public cloud that hosts the AWS virtual machine instance. For more information, see the Amazon Virtual Private Cloud Documentation.

Azure Resource Group The name of the resource group in the Azure Resource Manager. For more information, see the Azure Resource Manager Documentation.
Azure Resource ID

The unique identifier of the resource in the Azure Resource Manager. For more information, see the Azure Resource Manager documentation.

Azure Resource Type The resource type of the resource in the Azure Resource Manager. For more information, see the Azure Resource Manager Documentation.
Azure Subscription ID The unique subscription identifier of the resource in the Azure Resource Manager. For more information, see the Azure Resource Manager Documentation.
Azure VM ID

The unique identifier of the Microsoft Azure virtual machine instance. For more information, see the Azure Resource Manager documentation.

BIOS ID

The NetBIOS name for the asset.

Cloud Provider The name of the cloud provider that hosts the asset.
Created Date The time and date when Tenable Vulnerability Management created the asset record.
Custom Attribute

A filter that searches for custom attributes via a category-value pair. For more information about custom attributes, see the Tenable Developer Portal.

Deleted Specifies whether the asset has been deleted.
Deleted Date The date when a user deleted the asset record or the number of days since a user deleted the asset. When a user deletes an asset record, Tenable Vulnerability Management retains the record until the asset ages out of the license count.
DNS (FQDN)

The fully-qualified domain name of the asset host.

Note: This does not apply to Web Application assets, for which you must use the Name filter.
Domain The domain which has been added as a source or discovered by ASM as belonging to a user.
First Seen

The date and time when a scan first identified the asset.

Google Cloud Instance ID

The unique identifier of the virtual machine instance in Google Cloud Platform (GCP).

Google Cloud Project ID

The customized name of the project to which the virtual machine instance belongs in GCP. For more information, see Creating and Managing Projects in the GCP documentation.

Google Cloud Zone

The zone where the virtual machine instance runs in GCP. For more information, see Regions and Zones in the GCP documentation.

Has Plugin Results Specifies whether the asset has plugin results associated with it.
Host Name (Domain Inventory) The host name for assets found during attack surface management scans; only for use with Domain Inventory assets.
Hosting Provider The hosting provider for the asset.
IaC Resource Type The Infrastructure as Code (IAC) resource type of the asset.
Installed Software

A list of Common Platform Enumeration (CPE) values that represent applications identified on an asset from a scan. This field supports the CPE 2.2 format. For more information, see the Component Syntax section of the CPE Specification documentation. For assets identified in Tenable scans, this field only contains data when a scan using Tenable Nessus Plugin 45590 has evaluated the asset.

IPv4 Address

The IPv4 address associated with the asset record..

This filter supports multiple asset identifiers as a comma-separated list (for example, hostname_example, example.com, 192.168.0.0). For IP addresses, you can specify individual addresses, CIDR notation (for example, 192.168.0.0/24), or a range (for example, 192.168.0.1-192.168.0.255).

Note: A CIDR mask of /0 is not supported for this parameter, because that value would match all IP addresses. If you submit a /0 value for this parameter, Tenable Vulnerability Management returns a 400 Bad Request error message.

Note: Ensure the tag filter value does not end in a period.

IPv6 Address

An IPv6 address that a scan has associated with the asset record.

This filter supports multiple asset identifiers as a comma-separated list. The IPV6 address must be an exact match. (for example, 0:0:0:0:0:ffff:c0a8:0).

Note: Ensure the tag filter value does not end in a period.

Is Attribute Specifies whether the asset is an attribute.
Is Auto Scale Specifies whether the asset scales automatically.
Is Unsupported Specifies whether the asset is unsupported in Tenable Vulnerability Management.
Last Audited The time and date at which the asset was last audited.
Last Authenticated Scan

The date and time of the last authenticated scan run against the asset. An authenticated scan that only uses discovery plugins updates the Last Authenticated Scan field, but not the Last Licensed Scan field.

Last Licensed Scan

The date and time of the last scan in which the asset was considered "licensed" and counted towards Tenable's license limit. A licensed scan uses non-discovery plugins and can identify vulnerabilities. Unauthenticated scans that run non-discovery plugins update the Last Licensed Scan field, but not the Last Authenticated Scan field. For more information on how licenses work, see Tenable Vulnerability Management Licenses.

Last Seen The date and time of the scan that most recently identified the asset.
Licensed

Specifies whether the asset is included in the asset count for the Tenable Vulnerability Management instance.

MAC Address

A MAC address that a scan has associated with the asset record.

Mitigation Last Detected The date and time of the scan that last identified mitigation software on the asset.
Name

The asset identifier that Tenable Vulnerability Management assigns based on the presence of certain asset attributes in the following order:

  1. Agent Name (if agent-scanned)

  2. NetBIOS Name

  3. FQDN

  4. IPv6 address

  5. IPv4 address

For example, if scans identify a NetBIOS name and an IPv4 address for an asset, the NetBIOS name appears as the Asset Name.

NetBIOS Name

The NetBIOS name for the asset.

Network The name of the network object associated with scanners that identified the asset. The default name is Default. For more information, see Networks.
Open Ports Open ports on the asset.
Operating System The operating system that a scan identified as installed on the asset.
Port The port associated with the asset.
Public Specifies whether the asset is available on a public network.
Record Type The asset type.
Region The cloud region where the asset runs.
Repositories Any code repositories associated with the asset.
Resource Category The name of the category to which the cloud resource type belongs (for example, object storage or virtual network).
Resource Tags (By Key) Tags synced from a cloud source, such as Amazon Web Services (AWS), matched by the tag key (for example, Name).
Resource Tags (By Value) Tags synced from a cloud source, such as Amazon Web Services (AWS), matched by the tag value.
Resource Type The asset's cloud resource type (for example, network, virtual machine).
ServiceNow Sys ID

Where applicable, the unique record identifier of the asset in ServiceNow. For more information, see the ServiceNow documentation.

Source

The source of the scan that identified the asset. Possible filter values are:

  • AWS
  • AWS FA
  • Azure
  • AZURE FA
  • Cloud Connector
  • Cloud IAC
  • Cloud Runtime
  • GCP
  • Nessus Agent
  • Nessus Scan
  • NNM
  • ServiceNow
  • WAS
SSL/TLS Specifies whether the application on which the asset is hosted uses SSL/TLS public-key encryption.
System Type

The system types as reported by Plugin ID 54615. For more information, see Tenable Plugins.

Tags

Asset tags, entered in pairs of category and value (for example Network: Headquarters). This includes the space after the colon (:). If there is a comma in the tag name, insert a backslash (\) before the comma. If your tag name includes double quotation marks (" "), use the UUID instead. You can add a maximum of 100 tags.

For more information, see Tags.

Target Groups

The target group to which the asset belongs. This attribute is empty if the asset does not belong to a target group. For more information, see Target Groups.

Tenable ID

The UUID of the agent present on the asset.

Terminated Specifies whether or not the asset is terminated.
Type

The system type on which the asset is managed. Possible filter values are:

  • Cloud Resource

  • Container

  • Host

  • Cloud

Updated Date The time and date when a user last updated the asset.
VPC The unique identifier of the public cloud that hosts the AWS virtual machine instance. For more information, see the Amazon Virtual Private Cloud User Guide.