added

Vulnerability Management: Nessus Agent Info-level Reporting

A new scan setting called Info-level Reporting is now available for Nessus Agent vulnerability scan templates. The setting specifies how often an agent scan should report unchanged info-level vulnerability findings. There are several new parameters that can be used when creating or updating a scan to support this new feature.

Note: The Info-level Reporting setting can only be used by agents version 10.5.0 and later. Any agents on earlier versions always perform baseline scans.

Background

Info-level findings can account for up to 90% of agent scan findings. Most info-level findings do not change from scan to scan and have minimal impact on your overall network exposure. Configuring info-level reporting can help minimize your scan processing times by decreasing the number of unchanged info-level findings that Tenable Vulnerability Management processes after every agent scan.

After you configure an agent scan, the first execution of that scan always reports all detected findings regardless of severity level. This is known as a baseline scan. Subsequent scans return all vulnerability findings with a severity of Low or higher and any new or changed info-level findings. Agents do not re-report existing, unchanged info-level findings to Tenable Vulnerability Management until a new baseline scan is performed.

New Parameters

To enable info-level reporting for agent scans through the API, Tenable has added several new body parameters that can be specified in the settings object when creating or updating a scan. The new parameters are described in the following table:

Body parameter: refresh_reporting_type (string)

    For Nessus Agent scans, specifies how often the agent should report unchanged info-level vulnerability findings. This setting corresponds to Info-level Reporting in Basic Settings in the user interface. For more information about info-level reporting, see Info-level Reporting in the Tenable Vulnerability Management User Guide.

    You can configure agent scans to launch a new baseline scan after a certain interval, measured either in scans or in days. By default, Tenable Vulnerability Management uses the scans interval. Scheduled Nessus Agent scans can use either the scans or the days type, but triggered Nessus Agent scans can only use the scans type.

      • scans—The agent scan reports all findings every x scans. You can choose any integer from 2 to 10. By default, Tenable Vulnerability Management uses a value of 5.
      • days—The agent scan reports all findings x days after the day on which it last reported all findings. You can choose any integer from 1 to 7. By default, Tenable Vulnerability Management uses a value of 7.

    Note: This setting can only be used by agents version 10.5.0 and later. Any agents on earlier versions always perform baseline scans.

Body parameter: refresh_reporting_frequency_scans (integer)

    The number of scans after which the Nessus Agent scan reports all findings. Applies to Nessus Agent scans whose info-level reporting type (refresh_reporting_type) is set to scans.

Body parameter: refresh_reporting_frequency_days (integer)

    The number of days after which the Nessus Agent scan reports all findings. Applies to Nessus Agent scans whose info-level reporting type (refresh_reporting_type) is set to days.

Body parameter: disable_refresh_reporting (string)

    Indicates whether the Nessus Agent should force a refresh of all info-level findings on the next scan. After that scan completes and reports all findings, the refresh_reporting_type setting again determines how often the scan reports info-level findings.

    Note: All vulnerability findings with a severity of Low or higher, and any new or changed info-level findings, are always reported after every scan regardless of these settings.

These new parameters can be used with the following endpoints:

Endpoint                  Name          Description
POST /scans               Create scan   Creates a scan configuration.
POST /scans/{scan_id}     Update scan   Updates the specified scan configuration.
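The following Python is an added example, not Tenable's client code, showing how a caller might assemble and validate the settings object for a Nessus Agent scan before sending it to POST /scans or POST /scans/{scan_id}. The ranges, defaults and the scheduled-versus-triggered restriction are the ones in the parameter descriptions above. The "yes" encoding for disable_refresh_reporting (documented only as a string), the top-level "uuid" template key and the "agent_group_id" setting are assumptions about the request shape, and nothing here talks to the network: the last function just returns the request a client would send.

```python
"""Build and validate info-level reporting settings for a Nessus Agent scan.

Added example, not Tenable's code. See the lead-in for which keys and value
encodings are assumptions rather than documented facts.
"""
import json

# reporting type -> (frequency parameter, minimum, maximum, default)
REPORTING_TYPES = {
    "scans": ("refresh_reporting_frequency_scans", 2, 10, 5),
    "days": ("refresh_reporting_frequency_days", 1, 7, 7),
}


def info_level_settings(reporting_type="scans", frequency=None,
                        force_refresh=False, triggered=False):
    """Return the info-level reporting keys for a scan's settings object.

    reporting_type: "scans" (default) or "days".
    frequency: 2..10 for "scans" (default 5) or 1..7 for "days" (default 7).
    force_refresh: make the next run a baseline that reports all findings;
        the configured cadence resumes afterwards.
    triggered: triggered agent scans can only use the "scans" type.
    """
    if reporting_type not in REPORTING_TYPES:
        raise ValueError(
            f"refresh_reporting_type must be 'scans' or 'days', got {reporting_type!r}")
    if triggered and reporting_type != "scans":
        raise ValueError(
            "triggered Nessus Agent scans can only use refresh_reporting_type 'scans'")
    freq_key, low, high, default = REPORTING_TYPES[reporting_type]
    if frequency is None:
        frequency = default
    # bool is a subclass of int, so reject True/False explicitly.
    if (isinstance(frequency, bool) or not isinstance(frequency, int)
            or not low <= frequency <= high):
        raise ValueError(
            f"{freq_key} must be an integer from {low} to {high}, got {frequency!r}")
    settings = {"refresh_reporting_type": reporting_type, freq_key: frequency}
    if force_refresh:
        # The parameter is documented as a string; "yes" is an assumed encoding.
        settings["disable_refresh_reporting"] = "yes"
    return settings


def agent_scan_body(name, template_uuid, agent_group_ids, **info_level):
    """Assemble a create/update body: template uuid plus a settings object.

    The "uuid" and "agent_group_id" keys are assumptions about the body shape.
    """
    settings = {
        "name": name,
        "enabled": True,
        "agent_group_id": list(agent_group_ids),
    }
    settings.update(info_level_settings(**info_level))
    return {"uuid": template_uuid, "settings": settings}


def scan_request(body, scan_id=None):
    """Return (method, path, json) for a create (no scan_id) or update request."""
    path = "/scans" if scan_id is None else f"/scans/{scan_id}"
    return "POST", path, json.dumps(body, sort_keys=True)


if __name__ == "__main__":
    AGENT_TEMPLATE_UUID = "replace-with-your-agent-scan-template-uuid"  # placeholder
    body = agent_scan_body(
        "Workstations (info-level every 5 scans)",
        AGENT_TEMPLATE_UUID,
        [42],  # placeholder agent group id
        reporting_type="scans", frequency=5,
    )
    print(scan_request(body))
    # Force a full info-level refresh of an existing scan at its next run.
    refresh = {"settings": info_level_settings("scans", 5, force_refresh=True)}
    print(scan_request(refresh, scan_id=1234))
```

Validating client-side matters because the two frequency parameters are only meaningful for the matching reporting type, and a triggered scan configured with the days type cannot use the setting at all; catching that before the request avoids a scan that silently falls back to a cadence you did not intend.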

New Response Properties

In addition to the new parameters, the scan details and scan history endpoints now return a reporting_mode property for agent scans that specifies whether the agent scan was a baseline, differential, or null (normal) scan.

Property: reporting_mode (string)

    Indicates the reporting mode for Nessus Agent scans:

      • baseline—A scan that always reports all detected findings regardless of severity level. For baseline scans, the Nessus Agent creates a local cache of the plugin outputs generated by the scan. The cache is then used as the base for differential comparisons in subsequent scans.
      • differential—A scan that produces smaller results by removing plugin outputs that have not changed since the last scan.
      • null—A normal Nessus Agent scan that does not support baseline or differential reporting modes.

This new property is returned by the following endpoints:

Endpoint                                       Name                      Description
GET /scans/{scan_id}                           Get scan details          Returns scan details and history for the specified scan.
GET /scans/{scan_id}/history                   Get scan history          Returns a list of objects, each of which represents an individual run of the specified scan.
GET /scans/{scan_id}/history/{history_uuid}    Get scan history details  Returns the details of a previous run of the specified scan. Scan details include information about when and where the scan ran, as well as the scan results for the target hosts.
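The reporting_mode property lets you verify that the cadence you configured is what the agents actually did. The Python below is an added example, not Tenable's code: it takes a list of scan history objects, orders them, and checks the spacing between baseline runs against refresh_reporting_frequency_scans, reporting late baselines, early ones (the signature of a forced refresh via disable_refresh_reporting) and null-mode runs that did not use the feature at all. The history entries are constructed inline; the only fields read are reporting_mode and time_start, and the time_start name (epoch seconds) is an assumption about the history response. It also assumes "reports all findings every x scans" means a baseline on every x-th run, so consecutive baselines should be x runs apart.

```python
"""Audit the reporting_mode of a Nessus Agent scan's past runs.

Added example, not Tenable's code. History objects below are constructed;
the time_start field name is an assumption about the history response.
"""

KNOWN_MODES = {"baseline", "differential", None}


def make_history(modes, first_start=1_700_000_000, step=86_400):
    """Constructed history entries, returned newest first as a listing might."""
    entries = [
        {"history_id": i, "time_start": first_start + i * step, "reporting_mode": m}
        for i, m in enumerate(modes)
    ]
    return list(reversed(entries))


def audit_reporting_modes(history, frequency_scans):
    """Summarise baseline cadence for one scan's run history.

    Returns the modes in run order, the indexes of baseline runs, the gaps
    between consecutive baselines, the number of runs since the last
    baseline (how long unchanged info-level findings have gone without being
    re-reported), and a list of findings worth a look.
    """
    runs = sorted(history, key=lambda h: h["time_start"])
    modes = [h.get("reporting_mode") for h in runs]
    baseline_idx = [i for i, m in enumerate(modes) if m == "baseline"]
    findings = []

    if modes and modes[0] != "baseline":
        # The first execution of a configured scan is always a baseline,
        # so this usually means the history you fetched is truncated.
        findings.append("run 0: first run in history is not a baseline")
    for i, m in enumerate(modes):
        if m not in KNOWN_MODES:
            findings.append(f"run {i}: unexpected reporting_mode {m!r}")
        elif m is None:
            findings.append(f"run {i}: normal scan; baseline/differential reporting not in use")

    gaps = [b - a for a, b in zip(baseline_idx, baseline_idx[1:])]
    for n, gap in enumerate(gaps, start=1):
        if gap > frequency_scans:
            findings.append(
                f"baseline {n}: {gap} runs after the previous baseline, expected {frequency_scans}")
        elif gap < frequency_scans:
            # A shorter gap is what a forced refresh (disable_refresh_reporting) looks like.
            findings.append(
                f"baseline {n}: {gap} runs after the previous baseline; forced refresh?")

    since_last = (len(modes) - 1 - baseline_idx[-1]) if baseline_idx else None
    return {
        "modes": modes,
        "baseline_runs": baseline_idx,
        "gaps": gaps,
        "runs_since_last_baseline": since_last,
        "findings": findings,
    }


# Constructed: frequency 5, two full cycles, then one differential run
# after the most recent baseline.
SAMPLE_HISTORY = make_history(
    ["baseline"] + ["differential"] * 4
    + ["baseline"] + ["differential"] * 4
    + ["baseline", "differential"]
)

if __name__ == "__main__":
    import json
    print(json.dumps(audit_reporting_modes(SAMPLE_HISTORY, 5), indent=2))
```

In practice you would feed this the objects from GET /scans/{scan_id}/history. A gap longer than the configured frequency, or a history with no baseline at all, is the case to chase: until the next baseline, unchanged info-level findings on those agents are not being re-reported, which is exactly the behaviour the setting trades for shorter processing times.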