Manage Tag-Based Scans

You can configure scans to target assets based on tags you have assigned to the assets.

For example, you might want to run more frequent scans of assets running a Windows operating system. Instead of manually configuring a scan to target a static group of Windows assets, you can configure Vulnerability Management to automatically apply a tag to any asset that a scan identifies as running Windows. You can then configure a scan to evaluate all assets with that tag on an appropriate schedule.

Depending on scan findings, an asset record can contain multiple identifiers, including fully-qualified domain names (FQDNs), IPv4 addresses, and IPv6 addresses. When you configure a scan to target assets based on tags, Vulnerability Management evaluates the identifiers associated with each asset to resolve them to a single scan target.

For more information, see How Vulnerability Management Resolves Asset Tags to Targets for Scanning.

To scan assets based on tags:

  1. Review the configuration guidelines and limitations for tag-based scans.
  2. Ensure that each asset has been scanned at least once (for example, via a discovery scan or any other scan type that collects asset identifiers). Tag-based scans can only target assets whose identifiers (IPv4, IPv6, or FQDN) already exist in Vulnerability Management.
  3. Create asset tags that reflect your business context.
  4. Assign tags to assets manually or automatically via tag rules.
  5. Create a scan with the tag_targets parameter set to an array of tag UUIDs.

Configuration Guidelines

When configuring tag-based scans, observe the following guidelines:

  • Keep the number of assets included in a single tag-based scan as small as possible to improve performance. Make tag criteria as specific as possible. For example, instead of applying a single tag for multiple operating systems (Windows, Linux, and Mac), create separate tags for each operating system.
  • Tag-based scans can target only assets that have been identified in at least one previous scan, because asset identifiers must exist for assets to be included in the scan.
  • When you run a Nessus scan, Vulnerability Management updates the last_scan_target attribute for each evaluated asset. The last_scan_target attribute represents the FQDN, IPv4 address, or IPv6 address most recently used to scan the asset. Vulnerability Management uses this value to efficiently determine the preferred scan target for subsequent scans. Tenable recommends running periodic discovery scans to help ensure that asset identifiers and the last_scan_target attribute remain current.
  • You can configure a single scan to use tag-based targets in combination with custom targets and target groups. Vulnerability Management combines all specified targets into a single list and removes duplicates before sending the targets to the scanner.
  • Assign appropriate scan permissions to the users you want to be able to run or configure the scan. For all scan types, including tag-based scans, you can assign permissions in the individual scan settings (the acls array in the request example below) or within target groups.

Configuration Limitations

When configuring tag-based scans, keep in mind the following limitations:

  • You cannot use any of the following scan templates when configuring a tag-based scan:
    • Audit Cloud Infrastructure
    • MDM Config Audit
    • Mobile Device Scan
    • Offline Config Audit
  • You cannot configure tag-based scans for use with pre-authorized scanners in the AWS Marketplace. However, you can configure tag-based scans for Bring-Your-Own-License (BYOL) scanners in the AWS Marketplace.

How Vulnerability Management Resolves Asset Tags to Targets for Scanning

To resolve a tag to a scan target, Vulnerability Management performs the following steps:

  1. It matches each tag specified in the tag_targets parameter to asset records where that tag is applied.
  2. For each matching asset record, it checks whether the last_scan_target attribute is present:
    • If the last_scan_target attribute is present, Vulnerability Management uses that value as the scan target.
    • If the last_scan_target attribute is absent, Vulnerability Management evaluates the asset identifiers stored in the record. Identifiers may include FQDNs, IPv4 addresses, and IPv6 addresses. A record with no identifiers at all (an asset that has never been scanned) cannot be resolved and is not targeted.
  3. If the record has no last_scan_target and multiple identifiers are present, Vulnerability Management selects a single target using the following order of preference:
    • If one or more IPv4 addresses are present, a randomly selected IPv4 address is used.
    • If no IPv4 addresses are present and one or more IPv6 addresses are present, a randomly selected IPv6 address is used.
    • If no IPv4 or IPv6 addresses are present and one or more FQDNs are present, a randomly selected FQDN is used.

Note: When evaluating IPv4 and IPv6 addresses, Vulnerability Management excludes local and broadcast addresses.
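The resolution steps above, together with the earlier guidelines that tag-based targets are merged with custom targets with duplicates removed and that assets never scanned before cannot be targeted, as an added Python example. This is illustrative code written for this page, not Tenable's implementation and not the pyTenable library. The asset record field names (tags, last_scan_target, ipv4s, ipv6s, fqdns), the reading of "local" as loopback, link-local and unspecified addresses, and the sample asset records are all assumptions; the two tag UUIDs are reused from the request example further down.

```python
import ipaddress
import random
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Set, Tuple


@dataclass
class Asset:
    """Stand-in for an asset record. Field names are assumptions for this
    example, not the Vulnerability Management API schema."""
    id: str
    tags: Set[str]                      # tag UUIDs applied to the asset
    last_scan_target: Optional[str] = None
    ipv4s: List[str] = field(default_factory=list)
    ipv6s: List[str] = field(default_factory=list)
    fqdns: List[str] = field(default_factory=list)


def usable_address(addr: str) -> bool:
    """Exclude 'local and broadcast' addresses. The page does not define
    'local'; here it is taken to mean loopback, link-local and unspecified."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    if ip.is_loopback or ip.is_link_local or ip.is_unspecified:
        return False
    if ip.version == 4 and ip == ipaddress.IPv4Address("255.255.255.255"):
        return False
    return True


def resolve_asset(asset: Asset, rng: random.Random) -> Optional[str]:
    """One target per asset: last_scan_target if present, otherwise a random
    usable IPv4, else a random usable IPv6, else a random FQDN."""
    if asset.last_scan_target:
        return asset.last_scan_target
    for candidates in (
        [a for a in asset.ipv4s if usable_address(a)],
        [a for a in asset.ipv6s if usable_address(a)],
        list(asset.fqdns),
    ):
        if candidates:
            return rng.choice(candidates)
    return None  # no identifiers on record: the asset cannot be targeted


def resolve_targets(
    assets: Iterable[Asset],
    tag_targets: Iterable[str],
    text_targets: Iterable[str] = (),
    seed: int = 0,
) -> Tuple[List[str], List[str]]:
    """Return (deduplicated target list, ids of tagged assets that could not
    be resolved). Custom text targets are merged with tag-derived ones."""
    rng = random.Random(seed)
    wanted = set(tag_targets)
    targets: List[str] = []
    seen: Set[str] = set()
    unresolved: List[str] = []

    def add(target: str) -> None:
        if target not in seen:
            seen.add(target)
            targets.append(target)

    for t in text_targets:
        add(t)
    for asset in assets:
        if not (asset.tags & wanted):
            continue
        target = resolve_asset(asset, rng)
        if target is None:
            unresolved.append(asset.id)
        else:
            add(target)
    return targets, unresolved


# Constructed sample records (not real asset data).
WINDOWS_TAG = "31e9a613-1b05-40a8-ad42-b05b6715a93a"
WEST_TAG = "bfb3bbd0-8dd4-48b4-8f4c-a0053032b3d9"
OTHER_TAG = "00000000-0000-4000-8000-000000000000"

SAMPLE_ASSETS = [
    Asset("a1", {WINDOWS_TAG}, last_scan_target="10.0.0.5", ipv4s=["10.0.0.5", "10.0.0.6"]),
    Asset("a2", {WINDOWS_TAG}, ipv4s=["127.0.0.1", "10.0.0.7"], fqdns=["a2.example.com"]),
    Asset("a3", {WEST_TAG}, ipv4s=["255.255.255.255"], ipv6s=["fe80::1", "2001:db8::1"]),
    Asset("a4", {WEST_TAG, OTHER_TAG}, fqdns=["a4.example.com"]),
    Asset("a5", {WINDOWS_TAG}),                     # tagged but never scanned
    Asset("a6", {OTHER_TAG}, ipv4s=["10.0.0.9"]),   # not selected by tag_targets
]


def demo() -> Tuple[List[str], List[str]]:
    # "10.0.0.5" is also passed as a custom target to show duplicate removal.
    return resolve_targets(SAMPLE_ASSETS, [WINDOWS_TAG, WEST_TAG],
                           text_targets=["10.0.0.5", "192.0.2.9"])


if __name__ == "__main__":
    targets, unresolved = demo()
    print("targets:", targets)        # a1 collapses onto the custom 10.0.0.5
    print("unresolved:", unresolved)  # a5 has no identifiers yet
```

The unresolved list is the practical check for step 2 of the procedure: any tagged asset that appears there needs a discovery scan before a tag-based scan will reach it. Note that the IPv4-first preference means a dual-stack host is scanned over IPv4 even when its last scan used IPv6, unless last_scan_target is populated.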

Example: Scan Creation Request Message

The example below shows a request body for a POST /scans request that schedules a weekly scan of every asset carrying either of the two tags listed in tag_targets.

{
  "uuid": "238060f2-5640-4f6c-9e31-9cdfb6fc4560d24bd260ef5f9e66",
  "settings": {
    "name": "western-region-assets",
    "enabled": true,
    "starttime": "20190617T130000",
    "rrules": "FREQ=WEEKLY;INTERVAL=1;BYDAY=MO",
    "timezone": "US/Mountain",
    "tag_targets": [
      "31e9a613-1b05-40a8-ad42-b05b6715a93a",
      "bfb3bbd0-8dd4-48b4-8f4c-a0053032b3d9"
    ],
    "emails": "[email protected],[email protected]",
    "acls": [
      {
        "permissions": 0,
        "owner": null,
        "display_name": null,
        "name": null,
        "id": null,
        "type": "default"
      },
      {
        "permissions": 16,
        "owner": 0,
        "display_name": "Analyst Group",
        "name": "Analyst Group",
        "id": 1,
        "type": "group"
      },
      {
        "permissions": 128,
        "owner": 1,
        "display_name": "[email protected]",
        "name": "[email protected]",
        "id": 2,
        "type": "user"
      }
    ]
  }
}