About Accept Rules

On the Recast page in the Vulnerabilities, Host Audits and Web Applications tabs, you can create Accept rules. Accept rules hide findings from Explore > Findings. These rules do not modify scan results.

Why would I use these?

Imagine you have an asset with a vulnerability on an FTP service. You no longer need FTP, so you shut down the service. Now, Tenable Vulnerability Management cannot verify the vulnerability as patched, so it continues to appear in your Findings list. You can use an accept rule to ignore this vulnerability finding without needing to delete the asset and begin a fresh scan.

Accept Rules

Accept rules accept the risk and hide the findings that are captured by the criteria filter that you define. You can set accept rules to expire. Accept rules hide findings instead of changing their results —useful when you want to keep a clean audit list with actionable items.You can apply accept rules to to some or all assets and set them to expire. When accept rules expire, targeted findings reappear on the Explore > Findings table.

Important: Accept rules have no impact on scoring

  • VPR is Immutable: The Vulnerability Priority Rating (VPR) is a dynamic score calculated by Tenable for the vulnerability itself. It is never altered by any accept rule you apply.

  • Impact on AES and Vulnerability Density: Accept rules do not alter the AES score.

  • Impact on CES: The Cyber Exposure Score (CES) is an aggregated, organizational score. Accept rules do not alter the CES score.

View Findings and Assets Affected by an Accept Rule

Once an accept rule is active, you can view the specific findings and assets that it impacts. This is the most effective way to verify that your accept query criteria (filters) are targeting the correct data set.

You can view findings and assets affected by an accept rule in three ways:

  • Inspect individual accept rules in the recast rule table.

  • Use the Recast Rule Details pane.

  • Identify findings in Explore > Findings by querying the findings table.

View Affected Findings or Assets from the Recast Table

To view findings or assets that are affected by an accept rule via the recast table:

  1. Select any of the Vulnerabilities, Host Audits, or Web Applications tabs in Recast.

  2. Look for any row with Accept in the Rule Type column or use this query in the query builder: Rule Type is equal to Accept.

  3. On the left side of the row with Accept in the Rule Type column click the button.

    A table appears.

  4. Click the Assets or Findings tab.

    A table appears with the list of assets and findings that meet the criteria for that rule.

View Affected Findings or Assets from the Recast Rule Details Pane

To view findings or assets that are affected by an accept rule via the recast rule details pane:

  1. Select any of the Vulnerabilities, Host Audits, or Web Applications tabs in Recast.

  2. Look for any row with Accept in the Rule Type column or use this query in the query builder: Rule Type is equal to Accept.

  3. Double-click on any row of the table with Accept in the Rule Type column .

    A recast rule details pane appears with the Summary tab showing by default.

  4. Click the Assets tab or the Findings tab.

    A table appears with either the list of assets or the list of findings that meet the criteria for that rule.

    For more information, see Recast Rule Details.

View Affected Findings or Assets from Explore

To view findings or assets that are affected via Explore:

  1. In the left navigation, click Explore > Findings.

    The Findings page appears.

  2. Do one of the following:

    • Click on Host Audits on the left side of the view and build this query in the query builder: Result Modified is equal to Accepted.

      A table appears with the list of findings whose Result has been modified by an accept rule. These findings show an Accept icon (such as ) along with a tooltip (such as Passed-Accepted) in the Result column of the findings table.

    • Click on Vulnerabilities or Web Applications on the left side of the view and build this query in the query builder: Risk Modified is equal to Accepted.

      A table appears with the list of findings whose severity has been modified by an accept rule. These findings show a recast icon (such as ) along with a tooltip (such as Medium - Accepted) in the Severity column of the findings table.

Note: If a finding is Accepted, this rule won't impact the VPR, AES, or CES scores of any findings.

Example Accept Rules

Example 1. For the same internal servers using self-signed SSL certificates, let's say you want to hide any findings for plugin 51192. Instead of lowering the severity of the vulnerability, you create the following rule:

  • Action — Accept

  • Name — Accept - Plugin ID: 51192

  • Criteria — Plugin ID is equal to 51192

  • Expires — Never

Example 2. In the following example, you create a rule to accept host audit findings for Windows machines with disabled built-in firewalls, since your endpoint security package provides its own firewall:

  • Action — Accept

  • Category — Windows

  • Audit File — CIS_Microsoft_Windows_11_Enterprise_v3.0.0_L1.audit

  • Audit Name —Hide Windows Firewall Findings

  • Original Result — Failed

  • Targets — All

  • Expires — Never