Add Recast Rules

Using Recast, you can create rules to modify or accept severities for vulnerabilities and web applications. Similarly, you can change or accept results of host audits. You can also create these rules directly from the Findings table, as described in Create Recast Rules from Findings.

The types of rules you can create are as follows:

Rule Description
Recast In the Vulnerabilities and Web Applications tabs, modify the severity findings based on query criteria.
Accept In the Vulnerabilities, Host Audits and Web Applications tabs, accept the risk of vulnerability findings for Vulnerabilities and Web Applications or accept the Original Result of host audit findings and hide them from the Findings table.
Change Result In the Host Audits tab, change the Original Result of host audit findings, for example, by changing Failed to Passed.

Create a Recast or Accept Rule

To create a Recast or Accept rule:

  1. In the left navigation, click Recast.

    The Recast page appears.

  2. Click either the Vulnerabilities or Web Applications tab.

  3. Above the table, click Add Rule.

    The Add Recast Rule pane appears.

  4. Configure the following options:

    Option Description
    Action (required) Click Accept or Recast. To learn about these rule types, see About Recast and Accept Rules.
    Name (required) Type a name for this recast rule.
    Description Type a description for this recast rule.
    Criteria (required)

    Use this query bar to define the precise set of assets and/or findings to which this Recast rule will apply. You can construct a query using filters available in Recast Filters such as IPv4 Address, Plugin ID, FQDN, and Tags.

    When you select a filter, you can select the desired Operator and Values for your query.

    As you build your query, the system provides dynamic, real-time feedback by automatically displaying the exact number of Assets and Findings that match your specified criteria, allowing you to accurately scope your rule before final submission. These values appear in the Current matches to entered query below the Criteria query bar.

    Tip: For more information on tags and how to create and manage them, see Tags.
    Tip: Use the AND / OR boolean operators to apply multiple filters to the rule.
    Original Severity Shows the original severity identified by Tenable Vulnerability Management.
    New Severity (Recast rules only) Select the severity you want to change the corresponding vulnerability to, for example Low.
    Expires Type a date when the rule will expire or click the icon and select a date.
    Additional Comments Type comments to provide rule details.
    Report as false positive to Tenable (Accept rules only) Turn on this toggle when a plugin generates inaccurate findings and you want Tenable to review the results.

  5. Click Save.

    The system processes the rule, which may take time if many findings are targeted. When complete, the rule appears in either the Vulnerabilities or Web Applications table and the system updates the Findings table.

Create a Change Result or Accept Rule

Caution: For best performance, the system supports a maximum of 5000 Change Result and Accept rules in each container, total.

To create a Change Result or Accept rule:

  1. In the left navigation, click Recast.

    The Recast page appears.

  2. Click the Host Audits tab.

  3. Above the table, click Add Rule.

    The Add Change Result Rule pane appears.

  4. Configure the following options:

    Option Description
    Action Click Accept or Change Result. To learn about these rule types, see About Change Result and Accept Rules.
    Category Select a category for the new rule, for example, Windows.
    Audit File

    Select an audit file to run against your assets, for example, CIS_MS_Windows_11_Enterprise_Level_1_v1.0.0.audit.
    Audit Name

    Type an audit name, for example, 9.3.1 Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'.
    Original Result

    Select the original result of the host audit, for example, Failed.
    New Result (Change Result rules only) Select the desired final status for the targeted host audit findings. This option is available only when creating a Change Result rule, which is used to override a scan's result when you have confirmed a mitigation is in place but the scanner cannot verify it. Your options are Passed, Failed, Warning.
    Targets (Optional) Select Custom. If the rule will override other rules, a warning appears. The newest rule takes precedence over all conflicting earlier rules.
    Target Hosts

    For Custom targets, type a comma-separated list of IPv4 or IPv6 addresses or ranges, hostnames, Classless Inter-Domain Routing (CIDR) notation, or fully qualified domain names (FQDNs). The system supports up to 100 items.
    Expires (Optional) Select After or Exact Date. Then, type a date when the rule expires or click the icon and select a date.
    Comments Type comments to provide rule details.

  5. Click Save.

    The system processes the rule, which may take time if many findings are targeted. When complete, the rule appears in the Host Audits table and the system updates the Findings table.