Manage Tag-Based Scans

You can configure scans to target assets based on tags you have assigned to the assets. For example, you might want to run more frequent scans of assets running a Windows operating system. Rather than manually configuring a scan to target a static group of Windows assets, you can configure Vulnerability Management to automatically apply a tag to any asset that a scan identifies as running Windows. Then, you can configure a scan to evaluate any asset with that tag on an appropriate frequency.

Depending on scan findings, an asset record can contain multiple identifiers—that is, multiple IPv4 addresses, IPv6 addresses, and fully qualified domain names (FQDNs). When you configure a scan to target assets based on tags, Vulnerability Management examines the identifiers associated with the asset in order to resolve multiple possible identifiers to a single target. For more information, see How Vulnerability Management Resolves Asset Tags to Targets for Scanning.

To scan assets based on tags:

  1. Review the configuration guidelines and limitations for tag-based scans.
  2. Create and launch a discovery scan on the network assets where you want to target the tag-based scan.
  3. Create asset tags that reflect your business context.
  4. Assign tags to assets manually or automatically via tag rules.
  5. Create a scan with the tag_targets parameter set to an array of tag UUIDs.

Configuration Guidelines

When configuring tag-based scans, observe the following guidelines:

  • Keep the number of assets included in a single tag-based scan as small as possible to improve performance. To do so, make the criteria for applying tags as specific as you can. For example, rather than automatically applying a tag based on multiple operating systems you want to monitor (for example, Windows, Linux, and Mac), apply the tag based on a single operating system (for example, Windows). You can also combine multiple tags in a single scan to refine the asset list.
  • Tag-based scans can target only assets that have already been identified in at least one previous scan (for example, a discovery scan), because asset identifiers must be present for assets to be evaluated for inclusion in the scan.
  • When you run a Nessus scan, Vulnerability Management updates the last_scan_target attribute for each asset evaluated in the scan. The last_scan_target attribute is the FQDN, IPv4 address, or IPv6 address that the scanner last used to target the asset. Vulnerability Management uses this attribute for efficient lookup when re-scanning assets. Tenable recommends that you run regular tag-based discovery scans to keep the last_scan_target attribute updated in your asset records.
  • You can configure a single scan to use tag-based targets in combination with custom targets and target groups. Vulnerability Management combines all targets (tag-based, custom, or target-grouped) into a single target list, then de-duplicates the targets before sending the list to the scanner.
  • Assign appropriate scan permissions to users you want to run or configure the scan. For all scan types, including tag-based scans, you can assign scan permissions either in individual scan settings or in target groups.

Configuration Limitations

When configuring tag-based scans, keep in mind the following limitations:

  • You cannot configure agent scans based on asset tags.
  • You cannot use any of the following scan templates when configuring a tag-based scan:
    • Audit Cloud Infrastructure
    • MDM Config Audit
    • Mobile Device Scan
    • Offline Config Audit
  • You cannot configure tag-based scans for use by pre-authorized scanners in the AWS Marketplace. However, you can configure tag-based scans for Bring-Your-Own-License (BYOL) scanners in the AWS Marketplace.

How Vulnerability Management Resolves Asset Tags to Targets for Scanning

To resolve a tag to a scan target, Vulnerability Management does the following:

  1. Vulnerability Management matches a tag from the tag_targets parameter of the scan to any asset record where that tag is applied.
  2. For each matching asset record, Vulnerability Management determines whether the last_scan_target attribute (the FQDN or IP address a scanner last used to scan the target) is present in the identified asset record:
    • If the last_scan_target attribute is present in the asset record, Vulnerability Management communicates that value as the target to the scanner for the tag-based scan.
    • If the last_scan_target attribute is absent from the asset record, Vulnerability Management determines which asset identifiers are present in the record. Asset identifiers include fully-qualified domain name (FQDN), IPv4 address, or IPv6 address. Depending on scan findings, an asset record can contain multiple identifiers.
  3. If multiple identifiers are present in the asset record, Vulnerability Management evaluates the identifiers in the following order to determine a single target:
    • If one or more IPv4 addresses are present, the scan target is a randomly chosen IPv4 address.
    • If no IPv4 addresses are present, and one or more IPv6 addresses are present, the scan target is a randomly chosen IPv6 address.
    • If no IPv4 or IPv6 addresses are present, and one or more FQDNs are present, the scan target is a randomly chosen FQDN.

Note: When evaluating IPv4 and IPv6 addresses, Vulnerability Management excludes any local or broadcast addresses from consideration.
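The following Python script is an added example, not Tenable's code, that models the three resolution steps above together with the combine-and-deduplicate rule from the configuration guidelines. The asset records, the `Asset` field names, and the custom targets are constructed for illustration; the two tag UUIDs are the ones used in the request example on this page. Reading "local" as loopback and link-local addresses is this example's own interpretation of the note.

```python
import ipaddress
import random
from dataclasses import dataclass, field
from typing import Optional

# Constructed asset record (not a real Vulnerability Management schema); the
# attribute names mirror the concepts named on this page.
@dataclass
class Asset:
    id: str
    tags: set
    last_scan_target: Optional[str] = None
    ipv4s: list = field(default_factory=list)
    ipv6s: list = field(default_factory=list)
    fqdns: list = field(default_factory=list)

def is_scannable_ip(addr: str) -> bool:
    """Exclude local or broadcast addresses, as the note on this page states.
    Treating 'local' as loopback, link-local and unspecified is an assumption."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    if ip.is_loopback or ip.is_link_local or ip.is_unspecified:
        return False
    if ip.version == 4 and ip == ipaddress.IPv4Address("255.255.255.255"):
        return False
    return True

def resolve_asset_target(asset: Asset, rng=random) -> Optional[str]:
    # Step 2: a recorded last_scan_target is used as-is.
    if asset.last_scan_target:
        return asset.last_scan_target
    # Step 3: otherwise prefer IPv4, then IPv6, then FQDN, picking at random
    # within the first non-empty tier.
    tiers = (
        [a for a in asset.ipv4s if is_scannable_ip(a)],
        [a for a in asset.ipv6s if is_scannable_ip(a)],
        list(asset.fqdns),
    )
    for pool in tiers:
        if pool:
            return rng.choice(pool)
    # No usable identifier: the asset has never been seen by a scan.
    return None

def resolve_tag_targets(assets, tag_targets, custom_targets=(), rng=random) -> list:
    """Step 1: every asset carrying any requested tag contributes one target.
    Custom targets are then merged in and the list is de-duplicated, keeping
    first-seen order, before it would be handed to a scanner."""
    wanted = set(tag_targets)
    targets = []
    for asset in assets:
        if asset.tags & wanted:
            target = resolve_asset_target(asset, rng)
            if target:
                targets.append(target)
    targets.extend(custom_targets)
    return list(dict.fromkeys(targets))

# Constructed sample data; UUIDs are the tag_targets from the request example.
TAG_WEST = "31e9a613-1b05-40a8-ad42-b05b6715a93a"
TAG_WINDOWS = "bfb3bbd0-8dd4-48b4-8f4c-a0053032b3d9"

SAMPLE_ASSETS = [
    Asset("a1", {TAG_WEST}, last_scan_target="10.0.1.5", ipv4s=["10.0.1.5", "10.0.1.6"]),
    Asset("a2", {TAG_WINDOWS}, ipv4s=["127.0.0.1", "192.0.2.10"], fqdns=["host2.example.test"]),
    Asset("a3", {TAG_WEST, TAG_WINDOWS}, ipv6s=["fe80::1", "2001:db8::10"]),
    Asset("a4", {TAG_WINDOWS}, fqdns=["host4.example.test"]),
    Asset("a5", set(), ipv4s=["192.0.2.99"]),   # untagged: never selected
    Asset("a6", {TAG_WEST}),                    # no identifiers: skipped
]

def demo() -> list:
    # "192.0.2.10" is also a custom target, so it collapses with asset a2's target.
    return resolve_tag_targets(SAMPLE_ASSETS, [TAG_WEST, TAG_WINDOWS],
                               custom_targets=["192.0.2.10", "203.0.113.7"],
                               rng=random.Random(0))

if __name__ == "__main__":
    for t in demo():
        print(t)
```

Asset a2 shows the note in action: its loopback address is dropped, so the only IPv4 left is chosen and its FQDN is never consulted. Asset a6 shows the guideline that tag-based scans can only reach assets with identifiers from an earlier scan.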

Example: Scan Creation Request Message

The example below is a request body for a POST /scans request message.

{
  "uuid": "238060f2-5640-4f6c-9e31-9cdfb6fc4560d24bd260ef5f9e66",
  "settings": {
    "name": "western-region-assets",
    "enabled": true,
    "starttime": "20190617T130000",
    "rrules": "FREQ=WEEKLY;INTERVAL=1;BYDAY=MO",
    "timezone": "US/Mountain",
    "tag_targets": [
      "31e9a613-1b05-40a8-ad42-b05b6715a93a",
      "bfb3bbd0-8dd4-48b4-8f4c-a0053032b3d9"
    ],
    "emails": "[email protected],[email protected]",
    "acls": [
      {
        "permissions": 0,
        "owner": null,
        "display_name": null,
        "name": null,
        "id": null,
        "type": "default"
      },
      {
        "permissions": 16,
        "owner": 0,
        "display_name": "Analyst Group",
        "name": "Analyst Group",
        "id": 1,
        "type": "group"
      },
      {
        "permissions": 128,
        "owner": 1,
        "display_name": "[email protected]",
        "name": "[email protected]",
        "id": 2,
        "type": "user"
      }
    ]
  }
}