
SecurityCenter 4.8 User Guide
December 16, 2014
(Revision 7)

Table of Contents

Introduction (p. 5)
  Standards and Conventions (p. 5)
  Abbreviations (p. 6)
Changes in SecurityCenter 4.8 (p. 6)
  New and Enhanced Features (p. 6)
SecurityCenter Functional Overview (p. 6)
  System Status (p. 7)
  Configure the Dashboard (p. 7)
  Define Support Objects (p. 8)
    Assets (p. 8)
    Audit Files (p. 8)
    Credentials (p. 8)
    Queries (p. 9)
    Scan Policies (p. 9)
  Manage Users (p. 9)
    Roles (p. 9)
    User Access Control (p. 10)
    Groups (p. 10)
  Manage Scanning (p. 10)
    Active Vulnerability Scanning (p. 10)
    Credentialed Scanning (p. 11)
    Continuous Passive Discovery (p. 11)
  Analyze Data (p. 11)
  Generate Reports (p. 11)
  Manage Workflow (p. 11)
  Manage Plugins (p. 11)
Getting Started (p. 11)
  SecurityCenter Web Interface (p. 11)
  System Functions (p. 12)
    Preferences (p. 12)
    Basic (p. 13)
    Notifications (p. 13)
    Logs (p. 14)
    Attribute Sets (p. 14)
    Feed (p. 15)
SecurityCenter Functions (p. 15)
  Dashboard (p. 15)
    Working with Dashboards (p. 16)
    Adding Dashboards (p. 16)
    Editing Dashboards (p. 18)
      Add Components (p. 18)
    Working with Custom Components (p. 20)
      Multiselect (p. 26)
      Conditions (p. 26)
      Creating a Simple Matrix Component (p. 27)

Copyright 2014. Tenable Network Security, Inc. All rights reserved. Tenable Network Security and Nessus are registered trademarks of Tenable Network Security, Inc.

    Copy Component Options (p. 34)
    Navigating the Dashboard Components (p. 35)
  Vulnerability Analysis (p. 36)
    Cumulative vs. Mitigated (p. 37)
    Filter History (p. 38)
    Right-Click Functionality (p. 38)
    Analysis Tools (p. 41)
      Add Risk Recast/Acceptance Rule (p. 47)
    Load Query (p. 49)
  Additional Vulnerability Analysis Options (p. 49)
    Save Query (p. 49)
    Save Asset (p. 50)
    Open Ticket (p. 51)
    More Options (p. 52)
      Export as CSV (p. 52)
      Create Report (p. 52)
    Vulnerability Filters (p. 52)
  Mobile Analysis (p. 58)
  Event Analysis (p. 59)
    Raw Syslog Events (p. 60)
    Filter History (p. 61)
    Date Selection (p. 62)
    Right-Click Functionality (p. 62)
    Active vs. Archived (p. 63)
    Analysis Tool (p. 63)
    Load Query (p. 68)
  Additional Event Analysis Options (p. 68)
    Save Query (p. 68)
    Save Asset (p. 69)
    Open Ticket (p. 70)
    More Options (p. 71)
      Save Watchlist (p. 71)
      Export as CSV (p. 72)
      Create Report (p. 72)
    Event Filters (p. 73)
  Scanning (p. 76)
    Scans (p. 76)
      Basic Options (p. 77)
      Policy and Credential Options (p. 78)
      Policy Options (p. 78)
      Plugin Preferences (p. 81)
      Post Scan (p. 96)
    Scan Progress (p. 98)
    Scan Results (p. 98)
    Blackout Windows (p. 99)
  Reporting (p. 102)
    Reports (p. 103)
    Report Results (p. 115)
    Report Images (p. 115)
    Report Import and Export (p. 116)
  Support (p. 117)
    Assets (p. 117)
      Dynamic Asset Discovery (p. 117)


      Adding Assets (p. 118)
    Audit Files (p. 124)
    Credentials (p. 126)
    Queries (p. 127)
    Scan Policies (p. 136)
    Add a Scan Policy (p. 137)
      Basic (p. 138)
      Audit Files (p. 140)
      Plugins (p. 142)
      Preferences (p. 144)
    Additional Scan Policy Options (p. 144)
  Users (p. 144)
    Users (p. 144)
      Add User (p. 145)
      Edit (p. 147)
      Detail (p. 147)
      Delete (p. 147)
    Roles (p. 147)
      Add Role (p. 148)
      Edit (p. 150)
      Detail (p. 150)
      Delete (p. 150)
    Groups (p. 150)
      Add Group (p. 151)
      Edit (p. 152)
      Detail (p. 152)
      Delete (p. 152)
  Workflow (p. 152)
    Alerts (p. 152)
    Tickets (p. 156)
    Accept Risk Rules (p. 158)
    Recast Risk Rules (p. 158)
  Plugins (p. 158)
    Update Plugins (p. 159)
    Upload Plugins (p. 159)
    Other Plugin Options (p. 160)
About Tenable Network Security (p. 160)


Introduction
This document provides instructions for using Tenable Network Security's SecurityCenter 4.8 and related components.
Since many of Tenable's customers have requirements to maintain separation of duties, the SecurityCenter 4.8
documentation has been separated into the following documents to better organize the material based on organizational
roles. Note that there is some overlap in roles as well as in the content provided with each of the following guides:

- SecurityCenter 4.8 Installation Guide: This document provides instructions for the installation of
SecurityCenter 4.8. The target audience for this document is system administrators who need to install the
SecurityCenter application. Included in this document are quick instructions for the admin user to add a Nessus
scanner and create a user account to launch a test scan to ensure SecurityCenter is correctly installed.

- SecurityCenter 4.8 Upgrade Guide: This document describes the process of upgrading to version 4.8 of
SecurityCenter.

- SecurityCenter 4.8.x Upgrade Guide: This document describes the process of upgrading to version 4.8.x of
SecurityCenter.

- SecurityCenter 4.8 Administration Guide: This document provides instructions for the administration of
SecurityCenter by the admin user. The admin user is the first user to log into SecurityCenter after the initial
installation and is responsible for configuration tasks such as defining organizations, repositories, Nessus scanners,
LCE servers and PVS sensors. The admin user does not have the ability to create and launch Nessus scans.

- SecurityCenter 4.8 User Guide: This document provides instructions for using SecurityCenter from a Security
Manager user or lesser account.

Please email any comments and suggestions to support@tenable.com.


A basic understanding of Linux/Unix, Windows, vulnerability scanning with Nessus, intrusion detection and log analysis is
assumed.

Standards and Conventions


Throughout the documentation, filenames, daemons, and executables are indicated with a courier bold font such as
gunzip, httpd, and /etc/passwd.
Command line options and keywords are also indicated with the courier bold font. Command line examples may or
may not include the command line prompt and the output text from the results of the command. Command line examples
display the command being run in courier bold to indicate what the user typed, while the sample output generated by
the system is indicated in courier (not bold). The following is an example of running the Unix pwd command:
# pwd
/opt/sc4/daemons
#
Important notes and considerations are highlighted with this symbol and grey text boxes.

Tips, examples, and best practices are highlighted with this symbol and white on blue text.


Abbreviations
The following abbreviations are used throughout this documentation:
LCE: Log Correlation Engine
PVS: Passive Vulnerability Scanner
SC: SecurityCenter
SSH: Secure Shell
IDS: Intrusion Detection System

Changes in SecurityCenter 4.8


This section provides an overview of some of the new features and changes that are of particular interest to current
SecurityCenter 4 customers. For more details on these features and changes, please refer to the appropriate
SecurityCenter 4.8 document as described in the Introduction.

New and Enhanced Features

- Updated the user model to a more common grouping method instead of the previously used hierarchical model.

- Combination asset support adds the ability to create a new dynamic asset list based on existing asset lists.

- Combination asset filtering is supported when creating filters, to apply set logic against multiple assets.

- User responsibility can be defined by associating an asset list with a user.

- Database credentials are now created in SecurityCenter for ease of reuse and assigned to a scan policy, instead of
the previous method of adding the database credentials to each scan policy individually.

- Dynamic asset lists now support Perl Compatible Regular Expressions, allowing for negative operators in addition
to positive operators.

- Full Perl Compatible Regular Expressions (PCRE) support is now available when filtering on vulnerability text.
This can be used in all areas of SecurityCenter where vulnerability queries are used, including Vulnerability
Analysis, Dashboard, Reporting, and Alerts.

- To support Nessus functionality, the ability for a user to select .k5login has been added as an option in the
privilege escalation dropdown for SSH credentials.

- Communication between SecurityCenter and PVS uses XMLRPC only. All attached PVS scanners must be 4.0 or
newer.

- Increased the default file upload size to 500 MB.

SecurityCenter Functional Overview


This section provides a high-level overview of SecurityCenter (US Patent No. 7,926,113 B1, "System and Method for
Managing Network Vulnerability Analysis Systems") user functions. The order in which these functions are described
follows the logical order in which tasks would typically be performed, not necessarily the order in which the tabs are
displayed on the SecurityCenter dashboard. For example, in a new SecurityCenter deployment, the first step is usually to
define asset lists, followed by reviewing available repositories. This information is then used in configuring users, who are
assigned assets, repositories, and other resources based on organizational needs. Once the users are configured, the
daily SecurityCenter tasks can be performed: scanning, data analysis, reporting, workflow management, and plugin
maintenance. These tasks are briefly described in this section for the benefit of users who are new to SecurityCenter.

Details on how to configure and manage these functions are provided in the section titled "SecurityCenter Functions". If
you are already familiar with SecurityCenter functions, you may wish to proceed directly to the "Getting Started" section.

System Status
The SecurityCenter status is displayed from the web management interface. Simply click on the status circle in the lower
right-hand corner of the web page. A pop-up similar to the one below is displayed:

[Figure: SecurityCenter Status]

Note: The Job Scheduler process is restarted by logging in as an admin user and using the Stop/Start options
available to that user in this interface. The Stop/Start options are not available for non-admin users, but they
are able to view the status.

Within the system status are the current plugin feed status, SecurityCenter (SC) feed status, license status, and Job
Scheduler service state.

Configure the Dashboard


The dashboard is the first screen displayed when you log in to the SecurityCenter user interface, and it displays vulnerability
or event data using various predefined components. The dashboard can also be displayed by selecting Dashboard from
the Home tab.
The dashboard is configured with one or more tabs that contain different views and layouts populated with multiple
components, including tables and custom charts (e.g., bar, line, area, and pie). The dashboard tables and charts are fully
customizable and allow data to be retrieved from various sources using a wide variety of configurations. Dashboard
elements can also be shared between users or exported/imported to another SecurityCenter as required.
The Dashboard contains three configured tabs by default. These are titled Vulnerability Overview, Executive 7 Day, and
Executive Summary, and contain preconfigured charts and tables. Dashboard templates are available in SecurityCenter to
provide an easy starting point for creating dashboards. They are created and maintained by Tenable and are based on
industry standards, trends, and customer requests. Templates are added and updated via the SecurityCenter feed.

Define Support Objects


SecurityCenter support objects (assets, audit files, credentials, queries, and scan policies) are defined from the Support
tab on the dashboard. This section provides a brief description of these objects.

Assets
SecurityCenter supports a flexible dynamic asset discovery system that can also import static asset lists from many
commercial and open source systems. This allows high level asset lists to be constructed as well as very detailed lists of
specific items. Some examples of assets to be grouped together include, but are not limited to, hardware device types,
particular service types, certain vulnerability types, machines with outdated software, OS types, and other lists based on
discovered information. There are many Asset templates available by default in SecurityCenter and, if configured,
templates are automatically updated and added to by Tenable.
To create a static list of assets in SecurityCenter, users can either manually enter IP addresses into the Addresses field
or upload a text file that contains IP addresses, ranges of IP addresses, or CIDR notation. Once uploaded, the asset list is
named and can be used immediately.
SecurityCenter can also implement rules that evaluate discovered information for dynamic asset discovery. These rules are
run against the vulnerability data and result in assigning an IP address to one or more asset lists. For example,
SecurityCenter could create a rule stating that any Windows system that belongs to the CORPORATE-NY domain be
placed on an asset list named New York Domain. Another example would be that any host discovered to have LimeWire
software running (Nessus plugin 11427 or PVS plugin 4110) could be assigned to a dynamic asset list for special review.
Tenable also provides a variety of asset templates that may be used as is or customized for the local environment.
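As an added worked example (not SecurityCenter's own code or data model), the following Python parses a static asset list in the format described above and evaluates the two dynamic rules given as examples; the Host record, the (scanner, plugin_id) encoding of fired plugins, and all sample addresses are constructed for illustration.

```python
"""Illustrative model of SecurityCenter-style asset lists (added example, not
Tenable's code): a parser for a static asset list file and a small rule
engine that assigns discovered hosts to dynamic asset lists."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Iterable


def parse_static_asset_file(text: str) -> set[ipaddress.IPv4Address | ipaddress.IPv6Address]:
    """Parse one entry per line: a single IP, a dashed range (a-b) or a CIDR
    block. Blank lines and '#' comments are ignored; anything else raises
    ValueError, so a typo cannot silently drop hosts from the scan scope."""
    hosts: set = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            if "/" in entry:
                # Every address in the block is a target, including the
                # network and broadcast addresses, so iterate the network.
                hosts.update(ipaddress.ip_network(entry, strict=False))
            elif "-" in entry:
                lo_s, hi_s = (p.strip() for p in entry.split("-", 1))
                lo, hi = ipaddress.ip_address(lo_s), ipaddress.ip_address(hi_s)
                if lo.version != hi.version or lo > hi:
                    raise ValueError("range start after end or mixed versions")
                hosts.update(ipaddress.ip_address(i)
                             for i in range(int(lo), int(hi) + 1))
            else:
                hosts.add(ipaddress.ip_address(entry))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: bad asset entry {entry!r}: {exc}") from None
    return hosts


@dataclass
class Host:
    """Discovered information about one IP, as a scanner would report it.
    `plugins` holds (scanner, plugin_id) pairs, a constructed encoding so that
    Nessus and PVS plugin ID spaces do not collide."""
    ip: str
    os: str = ""
    domain: str = ""
    plugins: set[tuple[str, int]] = field(default_factory=set)


@dataclass
class DynamicRule:
    """A dynamic asset rule: hosts for which `matches` is true are placed on
    the named asset list."""
    asset_list: str
    matches: Callable[[Host], bool]


# The two rules described in the Assets section above.
RULES = [
    DynamicRule("New York Domain",
                lambda h: "windows" in h.os.lower()
                and h.domain.upper() == "CORPORATE-NY"),
    DynamicRule("LimeWire Review",
                lambda h: bool(h.plugins & {("nessus", 11427), ("pvs", 4110)})),
]


def evaluate_dynamic_rules(hosts: Iterable[Host],
                           rules: Iterable[DynamicRule] = RULES) -> dict[str, set[str]]:
    """Run every rule against every host. A host may land on several lists,
    and every list is present in the result even when empty."""
    rules = list(rules)
    lists: dict[str, set[str]] = {r.asset_list: set() for r in rules}
    for h in hosts:
        for r in rules:
            if r.matches(h):
                lists[r.asset_list].add(h.ip)
    return lists


# Constructed sample inputs (documentation address ranges, not real hosts).
SAMPLE_FILE = """\
# static asset list: one entry per line
192.0.2.10
192.0.2.20-192.0.2.23
198.51.100.0/30
"""

SAMPLE_HOSTS = [
    Host("192.0.2.10", os="Microsoft Windows Server 2012", domain="CORPORATE-NY"),
    Host("192.0.2.20", os="Linux Kernel 3.x", plugins={("pvs", 4110)}),
    Host("192.0.2.21", os="Microsoft Windows 7", domain="CORPORATE-LA",
         plugins={("nessus", 11427)}),
    Host("198.51.100.1", os="Cisco IOS"),
]

if __name__ == "__main__":
    static = parse_static_asset_file(SAMPLE_FILE)
    print(f"static list: {len(static)} hosts")
    for name, members in evaluate_dynamic_rules(SAMPLE_HOSTS).items():
        print(f"{name}: {sorted(members)}")
```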

Audit Files
A configuration audit is one where the auditors verify that servers and devices are configured according to an established
standard and maintained with an appropriate procedure. SecurityCenter can perform configuration audits on key assets
through the use of Nessus local checks that can log directly onto a Unix or Windows server without an agent.
SecurityCenter supports a variety of audit standards. Some of these come from best practice centers like the PCI Security
Standards Council and the SANS Institute. Some of these are based on Tenable's interpretation of audit requirements to
comply with specific industry standards such as PCI DSS or legislation such as Sarbanes-Oxley.
In addition to the base audits, it is easy to create customized audits for the particular requirements of any organization.
These customized audits can be loaded into SecurityCenter and made available to anyone performing configuration
audits within an organization.
NIST SCAP files can be uploaded and used in the same manner as an audit file. Navigate to NIST's SCAP website
(http://scap.nist.gov) and under the SCAP Content section, download the desired SCAP security checklist zip file. The
file may then be uploaded to SecurityCenter and selected for use in Nessus scan jobs.
Once the audit policies have been configured in SecurityCenter, they can be repeatedly used with little effort.
SecurityCenter can also perform audits intended for specific assets. Through the use of audit policies and asset lists, a
SecurityCenter user can quickly determine the compliance posture for any specified asset.

Credentials
Credentials are reusable objects that facilitate a login to a scan target. Various types of credentials can be configured for use
within scan policies. Credentials may be shared between users for scanning purposes. Available credential types include:

- Windows
- SSH
- SNMP community string
- Kerberos
- Database

SecurityCenter supports the use of one SSH credential set, one Kerberos credential set, one Database credential set, up
to four Windows credential sets, and four SNMP credential sets per scan configuration.

Queries
Queries allow SecurityCenter users to save custom views of vulnerability or event data for repeated access. This enables
SecurityCenter users to quickly update data for a particular query type without having to configure complex query
parameters each time.

Scan Policies
Scan policies consist of configuration options related to performing a vulnerability scan. These options include, but are not
limited to:

- Parameters that control technical aspects of the scan such as timeouts, number of hosts, type of port scanner, and more
- Granular plugin family or individual plugin based scan specifications
- Compliance policy checks (Windows, Linux, Database, etc.), report verbosity, service detection scan settings, audit files, patch management systems, and more

Manage Users
The Users screen provides the ability to add, edit, delete, or view the details of SecurityCenter user accounts. Users are
assigned roles and groups to determine the level of access they have and are also assigned assets, depending on the
level of access required. The list of users and actions is limited to the Organization and the permissions of the user
viewing the list.

Roles
SecurityCenter users can be created with default or customized roles. Roles are adjustable and allow for user creation
based on specific business/security models and needs. User accounts created by other users inherit the creating user's
permissions, or a subset of those permissions as desired, while never exceeding the access or permissions of the creating user.
This granular user control and customization enables large organizations to comply with regulations and standards that
mandate separation of duties and layers of control.
There are several pre-defined Organizational roles including:
Security Manager
A Security Manager is the account within an organization that has a broad range of responsibilities. This is the role assigned
to the initial user that is created when a new organization is created. They have the ability to launch scans, configure users
(except for administrator user roles), vulnerability policies, and other objects belonging to their organization. Each
organization has a Security Manager account that cannot be deleted without deleting the entire Organization.
Auditor
The Auditor role can access summary information to perform third party audits. An Auditor can view dashboards, reports,
and logs, but cannot perform scans or analyze vulnerability or event data.
Credential Manager

The Credential Manager role can be used specifically for handling credentials. A Credential Manager can create and
share credentials without revealing the contents of the credential. This can be used by someone outside the security team
to keep scanning credentials up to date.
Executive
The Executive role is intended for users who are interested in a high-level overview of their security posture and risk profile.
Executives would most likely browse dashboards and review reports, but would not be concerned with monitoring running
scans or managing users. Executives would also be able to assign tasks to other users using the ticketing interface.
No Role
This role is available as a catch-all role if a role is deleted. It has virtually no permissions.
Security Analyst
The Security Analyst role has permissions to perform all actions at the Organizational level except managing groups and
users. A Security Analyst is most likely an advanced user who can be trusted with some system related tasks such as
setting blackout windows or updating plugins.
Vulnerability Analyst
The Vulnerability Analyst role can perform basic tasks within the application. A Vulnerability Analyst is allowed to view
security data, perform scans, share objects, view logs, and work with tickets.

User Access Control


Within the defined user roles, granular permissions are defined that enable users to perform specific tasks. Custom roles
can be created with any combination of desired roles based on enterprise needs.

Groups
User Groups are a way to group rights to objects within an Organization for quick assignment to one or more users. When
a user creates various objects such as reports, scan policies, dashboards, and other similar items, they are automatically
shared among the members if the Group permissions allow the view and control.
When creating a new Group, the basic information includes giving a name and description of the Group being created. In
addition, the Repositories, LCEs, and Viewable IPs that are available to the Group are selected on the Basic tab.
On the Group Sharing tab, shared Assets, Dashboards, Credentials, Policies, and Queries are selected.
After the Group's initial creation, it may be edited, deleted, or have its details viewed from the main Groups page list.

Manage Scanning
Scans are managed from the Scanning tab on the dashboard. There are three basic categories of scans: active
vulnerability scanning, credentialed scanning, and continuous passive discovery. Using all three types provides a
comprehensive view of the organization's security posture and reduces false positives. SecurityCenter can manage one
or more Nessus vulnerability scanners. Scan policies that discover new hosts, new applications, and new vulnerabilities
can be scheduled and automatically distributed to multiple scanners for load balancing. SecurityCenter manages which
Nessus scanners are best suited to scan a particular host. There are a large number of scanning options, including the
ability to specify the maximum length of time a scan is allowed to run. If a scan exceeds the limit, the un-scanned targets
are captured in a rollover scan that can be run manually or scheduled for a later time. This feature is very useful for
organizations that have a limited scanning window available, enabling them to pick up a scan where it left off.

Active Vulnerability Scanning


In active vulnerability scanning, the Nessus scanner sends packets to a remote target to provide a snapshot of network
services and applications. These are compared to a plugin database to determine if any vulnerabilities are present.
SecurityCenter can also use a Nessus scanner located outside the local network to simulate what an external entity might
see.

Credentialed Scanning
Nessus credentialed scans can be leveraged to perform highly accurate and rapid patch, configuration, and vulnerability
audits on Unix, Windows, Cisco, and database systems by actually logging in to the target system with provided
credentials. Credentialed scans can also enumerate all UDP and TCP ports in just a few seconds. SecurityCenter can
securely manage these credentials across thousands of different systems and also share the results of these audits only
with users who have a need to know.
For more information on Nessus credentialed scanning, please refer to the Nessus Credentialed Checks for
Unix and Windows document available from https://support.tenable.com.

Continuous Passive Discovery


SecurityCenter can manage one or more Tenable Passive Vulnerability Scanners (PVS). The PVS provides continuous
discovery of new hosts, new applications, and new vulnerabilities. It runs 24x7 and discovers highly accurate client and
server vulnerability information. SecurityCenter fuses this information with the active or credentialed scan results from
Nessus.

Analyze Data
The Analysis tab on the SecurityCenter dashboard provides a great many filters to analyze vulnerability, mobile, and
event data.

Generate Reports
Tenable provides extremely flexible and simplified reporting through an assortment of report templates and a user-friendly
report creation interface. Supported report types include the well-known standard formats PDF, RTF, and CSV for a high
level of compatibility and ease of use. For specialized needs, CyberScope, DISA ASR, and DISA
ARF types are available as well. Reports can be run as part of a post-scan process, scheduled by time, or run on demand,
and the results automatically emailed or shared to multiple recipients who have an interest in the report details.
To see a list of templated and scheduled reports to be run, click on the Reporting tab from the dashboard and then
Reports. To see a list of completed reports, click the Reporting tab from the dashboard and then Report Results.

Manage Workflow
The Workflow tab contains options for alerting, ticketing, and managing risk rules. These functions allow users to be
notified of and properly handle vulnerabilities and events as they are identified.

Manage Plugins
The Plugins tab provides the ability to perform a wide variety of plugin-related functions, including updating active,
passive, and event plugins, uploading custom plugins, viewing plugin details/source, and searching for specific plugins.
Plugins are scripts used by Nessus, the Passive Vulnerability Scanner, and the Log Correlation Engine to collect and
interpret vulnerability data. For ease of operation, active and passive plugins are managed centrally by SecurityCenter
and pushed out to their respective scanners.

Getting Started
New users to SecurityCenter may find the rich functionality a bit daunting at first. The first steps are to ensure you have
the correct browser settings and to establish system settings specific to your account.

SecurityCenter Web Interface


To navigate within the SecurityCenter user interface, use the menu on the web interface screen, not the browser's back
and forward buttons.

Adobe Flash Player must be installed to use the SecurityCenter web interface. It can be obtained at
http://get.adobe.com/flashplayer/.

The minimum recommended browser window size is 1024x580. Resizing the browser window below this size
when viewing the SecurityCenter web interface causes some objects to display incorrectly.
To launch SecurityCenter, bring up a web browser on a system that has access to the SecurityCenter's network address
space and enter the URL in the following format:
https://<SERVER ADDRESS OR NAME>/
The SecurityCenter web interface must be accessed using a secure web connection (https). SecurityCenter
does not listen on port 80 by default. TLS 1.0 must be enabled by the browser in order to complete the secure
connection to SecurityCenter.
This will present a SecurityCenter login screen:

SecurityCenter Login Screen

Log in using the credentials provided by the user who created your account.

System Functions
System functions in SecurityCenter are managed from the System tab, displayed in the upper right-hand corner of the
SecurityCenter user interface. This tab allows users to create custom preferences for their account.

Preferences
The Preferences option enables basic options and notifications to be modified to customize the user experience.

Basic
The Basic tab modifies several location and workflow options. First, it enables the user to modify the time zone
displayed within the SecurityCenter user interface. This does not affect the underlying event or vulnerability time stamps,
which are set by the server system time. The user can also configure the Email on Ticket Assignment option, which
ensures that an email is sent by the system to the currently logged in user for all newly assigned tickets. No additional
configuration is required.

Basic Preferences

Notifications
Notifications are a feature of SecurityCenter that allows specified events to display a pop-up in the lower right-hand corner
of the SecurityCenter user interface.

Sample Notifications

Current notifications can be viewed by clicking on the left-hand circle at the lower right-hand corner of the SecurityCenter
web page. Unread notifications will have a blue circle to the left of the notification text. Clicking on Mark All as Read
removes the blue circle from all displayed notifications. To view notification details, click on the highlighted title to expand
the notification details.

Notifications can also be deleted by clicking on the X to the right of the notification text or clicking on the Delete All
command button within the Notification dialog box. User configurable notifications are shown in the screen capture below:

Notification Preferences

Logs
The Logs menu is only available to users with the View Organizational Logs permission set.

SecurityCenter logs contain detailed functionality to troubleshoot unusual system or user activity. The logs include filters
that allow the user to search logs based on parameters such as date, user, module, severity and keywords. An example
keyword and user search is displayed below:

SecurityCenter Logging

Attribute Sets
This section allows users with the appropriate permission to create and manage operational attribute sets to apply to
CyberScope Lightweight Asset Summary Results Schema (LASR) reports and Defense Information Systems Agency
(DISA) Asset Report Format (ARF) report types. Each operational attribute set contains a name and optional description
of the set. Two options are available within the Type drop-down box: ARF and CyberScope.
When DISA ARF is selected, six attribute sections are displayed. These must be filled in to correctly populate
certain fields in DISA ARF reports. These sections include owning unit, owning service, administration unit, administration
POC, CND service provider, and location.
When CyberScope is selected, attributes for ReportingComponent, ComponentBureau, and Enclaves are available.
These fields complete the CyberScope fields by entering the organization's name, FISMA reporting entity,
and enclave within the FISMA reporting entity.
Once saved, the Attribute Set will be available by its name in a drop-down menu for selection in CyberScope or DISA
reports as appropriate to the format.

Feed
The Feed option allows the user to update the SecurityCenter feed with new templates for reports, assets, and
dashboards from Tenable. A file may be selected for upload, or a direct connection to Tenable's website may be made if
the SecurityCenter has appropriate connectivity.

SecurityCenter Functions
The SecurityCenter task bar contains eight major elements: Home, Analysis, Scanning, Reporting, Support, Users,
Workflow, and Plugins. Each of these elements provides a drop-down menu for subsections, which may also contain a
number of options. The Table of Contents of this document provides a listing of the functions that may be helpful in
searching for a particular capability.

Dashboard
The dashboard is the first screen displayed when you log in to the SecurityCenter user interface and displays vulnerability
and event data using various predefined components. The Dashboard can also be displayed by selecting Dashboard
from the Dashboard tab.
Because components draw from vulnerability, event, and other data sources, it is advisable to create and
configure the data sources before adding any components.

Sample SecurityCenter Dashboard

The dashboard is configured with one or more tabs that contain different views and layouts populated with multiple
components including tables and custom charts (e.g., bar, line, area, pie, and matrix). The dashboard tables and charts
are fully customizable and allow data to be retrieved from various sources using a wide variety of configurations. Each of
these component types allows the user to view the vulnerability, event, ticket, user, and alert data in a way that provides
instant analysis of the important data anomalies with the ability to drill into the underlying data set for further evaluation
(vulnerability and event data only).
SecurityCenter utilizes a matrix layout that provides for customizable displays based on the intersection of row and
column data. These displays can integrate if-then-else logic to vary the display depending on the current state of the
underlying data set.
There are many dashboard templates provided with SecurityCenter. The SecurityCenter feed provides new and updated
dashboard templates created by Tenable's team based on industry standards and customer requests.
For some good examples of SecurityCenter dashboards, please visit the SecurityCenter Dashboard blog at
http://blog.tenable.com/sc4dashboards/.

Working with Dashboards


Dashboards allow SecurityCenter users to organize and consolidate components by named collections. For example,
instead of having twenty discrete dashboard components on the initial login display, it is helpful to create multiple
dashboards grouped by function, each with a subset of the components. One dashboard could contain five components
that are related to active scanning, a second one could contain seven more related to passive scanning, and so on. This
collection of components allows for a more focused security analysis with the ability to drill into the desired data quickly
and without confusion.

Adding Dashboards
To create a new dashboard, simply click on the Add Dashboard tab on the left side of the Dashboard page, which is
located at the bottom of the list of tabs.

A new window displays the list of available dashboard template categories, along with options to create a custom
dashboard or import a dashboard.

The categories may be selected by clicking on the box, which displays a list of available dashboards. Once chosen, a
selection of template names and descriptions are listed and a choice of sub-categories is available to further narrow the
list. Selection of an individual template will add the dashboard.
If Import Dashboard is selected, a dialog window will be displayed. This window provides options to name the
dashboard and browse to the dashboard file to be imported from the local computer. After the selections are completed,
clicking the Import button will create the new dashboard.
If Create Custom Component is selected, a window opens to provide the name, description, and layout of the new
dashboard. After submitting that information, the dashboard template selection window is displayed and individual
components may be added to the new dashboard. The components may be selected from the templates already provided
or by creating a custom component.
Please refer to the Working with Components section below for information about how to create, edit, and delete custom
dashboard components.

Editing Dashboards
To modify the dashboard configuration, simply click on the arrow next to the Dashboard title in the upper left-hand corner
of the dashboard screen and select the desired option from the drop-down items:

Add Components
Click on Add Components to display the list of available dashboard component template categories. The categories
may be selected by clicking on the box, which displays a list of available components. Once chosen, a selection of
template names and descriptions are listed and a choice of sub-categories is available to further narrow the list. Selection
of an individual template will add the component to the currently selected dashboard. If Create Custom Component is
selected, the created component will appear on the current dashboard.

SecurityCenter Dashboard Component Selection

Please refer to the Working with Components section below for information about how to create, edit, and delete custom
dashboard components.
The table below contains a detailed description of the available dashboard options.
Table 1 Tab Options

Add Components
    This option allows you to add individual components to the selected dashboard. Components may be added using
    available templates or by creating a custom component.

Edit Dashboard
    This option allows the user to edit an existing dashboard based on the options available in the dashboard
    configuration. These include the name, description, and layout of the dashboard.

Export Dashboard
    Dashboards can be exported as XML files for use on other SecurityCenter systems. This is particularly useful where
    complex component definitions have been created and must be used in other locations. This function provides three
    options for component objects:
    1. Remove All References: all object references will be removed, altering the definitions of the components.
       Importing users will not need to make any changes for components to be useable.
    2. Keep All References: object references will be kept intact. Importing users must be in the same organization and
       have access to all relevant objects for the components to be useable.
    3. Replace With Placeholders: object references will be removed and replaced with their respective names. Importing
       users will see the name of the referenced object, but will need to replace it with an applicable object within their
       organization before the component is useable.
    Due to changes in the dashboard XML file formats over SecurityCenter versions, exported dashboards are not always
    compatible for import between SecurityCenter versions.

Share Dashboard
    Use this function to share a dashboard with any Group in your current Organization. Revoking a previously shared tab
    may also be performed using this option.

Send to Report
    This option creates a report based on the dashboard components. When selected, a window offers options to customize
    the name and description, and to define the schedule for when the report is run or whether it is created as a report
    template.

Delete Dashboard
    Delete the selected dashboard.

Working with Custom Components


Custom components can be created from the Add Component option. The components to be created are various types
of charts: Table, Bar, Pie, Line, Area, and Matrix. After selecting the desired component, options for data source and
display must be entered to complete the process. The tables below show the available options for each component type:
Table 2 Table Options

Name
    Chart name

Description
    Chart description

Update Frequency
    Frequency with which the component polls the data source to obtain updates. Available frequency options include:
    15 minutes, 20 minutes, 30 minutes, hourly, 2 hours, 4 hours, 6 hours, 8 hours, 12 hours, daily (default), weekdays,
    weekends, once a week, once a month (by day or date), and never.
    Excessively frequent tab updates may cause the application to become less responsive due to the added processing
    load imposed on the host OS.

Data Type
    Vulnerability, Mobile, Event, Ticket, Alert, or User

Source
    (Vulnerability Data Type only) Sources include Cumulative or Mitigated depending on the desired data source. For the
    Event data type, the source defaults to Active.
    For the Event data type the Source option is not available, because only active event data is permitted for
    event-based components.

Query
    Predefined query used to further narrow down the data source options. If a query does not exist or is not desired, it
    may be left unselected. The query may be used as is or as a template on which to base the Filters option.

Filters
    Additional filters to use on the data source. For more information on these filters, see the Vulnerability Filters,
    Mobile Filters, Event Filters, Ticket Query, Alert Query, and User Query sections.

Results Displayed
    The number of displayed results (Table Chart maximum: 999). If the Viewport Size setting is smaller than this setting,
    the results display is limited to the Viewport Size setting with a scrollbar to display the additional results.

Viewport Size
    The number of records (maximum: 50) to display along with a scrollbar to handle additional records. For example, if
    Results Displayed is set to 100 and Viewport Size is 15, fifteen records are displayed with a scrollbar to view the
    additional 85 records.

Sort Column
    (Except Event Data Type) Column that the results are sorted by.

Sort Direction
    (Except Event Data Type) Descending (default) or Ascending

Display Columns
    Desired columns shown in the component output.

Table 3 Bar Chart Options

Name
    Chart name

Description
    Chart description

Update Frequency
    Frequency with which the component polls the data source to obtain updates. Available frequency options include:
    15 minutes, 20 minutes, 30 minutes, hourly, 2 hours, 4 hours, 6 hours, 8 hours, 12 hours, daily (default), weekdays,
    weekends, once a week, once a month (by day or date), and never.
    Excessively frequent tab updates may cause the application to become less responsive due to the added processing
    load imposed on the host OS.

Data Type
    Vulnerability, Mobile, Event, or Ticket

Source
    (Vulnerability Data Type only) Sources include Cumulative or Mitigated depending on the desired data source. For the
    Event data type, the source defaults to Active.
    For the Event data type the Source option is not available, because only active event data is permitted for
    event-based components.

Query
    Predefined query used to further narrow down the data source options. If a query does not exist or is not desired, it
    may be left unselected. The query may be used as is or as a template on which to base the Filters option.

Filters
    Additional filters to use on the data source. For more information on these filters, see the Vulnerability Filters,
    Mobile Filters, Event Filters, Ticket Query, Alert Query, and User Query sections.

Results Displayed
    The number of displayed results (Bar Chart maximum: 100).

Sort Column
    (Vulnerability/Ticket Data Type only) Column that the results are sorted by.

Sort Direction
    (Vulnerability/Ticket Data Type only) Descending (default) or Ascending

Display Columns
    Desired columns shown in the component output.

Table 4 Pie Chart Options

Name
    Pie chart name

Description
    Pie chart description

Update Frequency
    Frequency with which the component polls the data source to obtain updates. Available frequency options include:
    15 minutes, 20 minutes, 30 minutes, hourly, 2 hours, 4 hours, 6 hours, 8 hours, 12 hours, daily (default), weekdays,
    weekends, once a week, once a month (by day or date), and never.
    Excessively frequent tab updates may cause the application to become less responsive due to the added processing
    load imposed on the host OS.

Data Type
    Vulnerability, Mobile, Event, or Ticket

Source
    (Vulnerability Data Type only) If the Vulnerability data type is chosen, sources include Cumulative or Mitigated
    depending on the desired data source. For the Event data type, the source defaults to Active.
    For the Event data type the Source option is not available, because only active event data is permitted for
    event-based components.

Query
    Predefined query used to further narrow down the data source options. If a query does not exist or is not desired, it
    may be left unselected. The query may be used as is or as a template on which to base the Filters option.

Filters
    Vulnerability, Event, or Ticket filters used to narrow down the series source. For more information on these filters,
    see the Vulnerability Filters, Mobile Filters, Event Filters, and Ticket Query sections.

Results Displayed
    The number of displayed results (default: 10).

Sort Column
    Column that the results are sorted by.

Sort Direction
    Descending (default) or Ascending

Display Columns
    Desired columns shown in the component output.

Table 5 Line/Area Chart Options

Chart Option

Description

Name

Chart name

Description

Chart description

Update Frequency

Frequency with which the component polls the data source to obtain updates.
Available frequency options include: 15 minutes, 20 minutes, 30 minutes, hourly, 2
hours, 4 hours, 6 hours, 8 hours, 12 hours, daily (default), weekdays, weekends, once
a week, once a month (by day or date), and never.
Excessively frequent tab updates may cause the application to become
less responsive due to the added processing load imposed on the host
OS.

Time (x-axis)

Relative - Includes time relative to the current time. Available options include:
Last Minutes - 15, 20, 30
Last Hours - 1, 2, 4, 6, 12, 24 (default), 48, 72
Last Days - 5, 7, 25, 50
Last Months - 3, 6, 12
Absolute - This option allows one to select a from and to date range.

Add/Edit Series

Label

Series label

Data Type

Vulnerability or Event
For line/area charts, vulnerability data analysis often requires that the
underlying repository be a trending repository. If the selected repository is
not a trending repository, no historical analysis will be available.

Query

Predefined query used to further narrow down the data source options. If a query does
not exist or is not desired, it may be left unselected. The query may be used as is or as
a template on which to base the Filters option.


Filters

Filters used to narrow down the series source. For more information on these filters
see the Vulnerability Filters and Event Filters sections.

Series Data

Data to display in the chart (Total, Info, Low, Medium, High, Critical).

Table 6 Matrix Options

Chart Option

Description

Name

Matrix component name

Description

Matrix component description

Add Column
(max 10)

Columns are normally used to define a group of vulnerability, mobile, event, ticket,
user, or alert data. For example, five columns could be used in a matrix component,
one each for critical, high, medium, low, and informational vulnerabilities. Hovering the
cursor over the right-hand side of the top cell of a column enables a drop-down similar
to the screen capture below:

Click on Column Settings to set the column name and update frequency. The
update frequency determines how often the underlying data set is refreshed.
Refreshing the data more often is useful for seeing a more current view of the data;
however, it can have a detrimental effect on system performance. Matrix columns are
updated as clusters and not individually. For example, if columns A and C have an
update frequency of Daily and column B has an update frequency of Every 12 Hours,
columns A and C will be updated together and column B will be updated by itself. This
means that if there is a missing query in column A, column C will not update either.
However, if there is a missing query in column B, columns A and C will still update.
When adding a column, an option called Intersect Settings is available for selection.
When chosen, the new column will analyze the existing cells across the rows and
populate the new cells with the information common to the existing cells.
For example, if all of the previous columns have a severity of High but differing asset
lists, the newly created column's cells will have a condition specifying the High severity
level, but no asset list designation. This feature improves the speed with which matrix
elements can be created by reusing previously used configuration options and
eliminating repetitive manual steps.
Add Row
(max 10)

Rows are another grouping element, used to define the operations being performed
against each column element for that row. For example, if each column determines the
vulnerability type (critical, high, medium, low, and informational), a row could be
created labelled ratio. Each cell in that row could be used to calculate the ratio of the
particular vulnerability type count against the total vulnerability count.


Matrix Ratio Display

Hovering the cursor over the right-hand side of the first cell in a row entry enables a
drop-down similar to the screen capture below:

When adding a row, an option called Intersect Settings is available for selection. When
chosen, the new row will analyze the existing cells across the columns and populate
the new cells with the information common to the existing cells. For example, if all of the
previous rows have a severity of High but differing asset lists, the newly created row's
cells will have a condition specifying the High severity level, but no asset list designation.
This feature improves the speed with which matrix elements can be created by reusing
previously used configuration options and eliminating repetitive manual steps.
Cells

Cells contain the actual data operations. Cells are defined by query and condition
options. The options are described below:
Query Options
Option

Description

Data Type

Available data types include vulnerability, mobile, event, ticket,
alert, and user. The query value rules displayed in the condition
section are dynamically defined by the data type used. For
example, if a data type of Event is chosen, query value rules
include Event Count, IP Count, or Port Count.

Query

Choose data based on a predefined query. All cell queries must
be active for the matrix component to function. For example, if a
component has ten underlying queries, and one is deleted, that
query will need to be replaced for the entire component to update.

Filters

Filter the data based on specific parameters

Conditions
Option

Description

Type

Available types include: Query Value, Static Text, Icon, Bar, and
Ratio

Rule

Bar and Ratio charts use ratios rather than counts
in the lists below.


Vulnerability: IP Count, Port Count, Score Count, and
Vulnerability Count
Mobile: Vulnerability Count, Device Count, and Score Count
Event: IP Count, Port Count, Score Count, and Event Count
Ticket: Ticket Count
Alert: Alert Count
User: User Count

Display Options

The display options determine the background and foreground
colors along with any custom text if applicable.

Multiselect
Cells in a matrix component can be edited across rows and columns by selecting a single cell, and then dragging the
cursor over other cells until the entire range to be edited is highlighted. After doing this an Edit Cells dialog is displayed
for the highlighted range. In the example below, the highlighted ranges all use the same repository, but differing
vulnerability severity levels and asset lists. Edit the data type, query and filters as needed.

Multiselect Options

Conditions
There are two basic types of conditions in a matrix cell definition: the default (or fallback) condition and conditions that are
added. By default, a single editable condition is added to each cell definition. This condition cannot be deleted and
describes what will be displayed in the cell if no other conditions have been defined or triggered. A default condition looks
similar to the following:

Default Query Value


This condition can be edited to display any of the available display options. Added conditions may look similar to the
following:

IP Count Query Value

The first two buttons on the left-hand side of the condition are up and down arrows that allow the conditions to be moved
up or down in review order. These are followed by an edit button and a delete button.
Conditions are reviewed from top to bottom and will trigger the display condition on the first condition match. Once a
condition triggers, none of the subsequent conditions are reviewed. If none of the added conditions match, the default
condition is automatically performed.
Creating a Simple Matrix Component
The matrix component has a great deal of power and functionality. The section below contains steps used to create the
matrix display shown below:

Matrix Component

This display shows IPs grouped by operating system and displayed with three columns:

Pass/Fail - displays an icon that varies between red or green depending on the number of high vulnerabilities (>
1 in our sample).

Failure IP Count - Total number of IPs in the dynamic asset list that contain at least one high vulnerability.

Total IP Count - Total number of IPs in the dynamic asset list.


Modify and use the steps below based on your dashboard needs.
1. Create a dynamic asset list for each operating system type desired. An example dynamic asset list is displayed
below. This asset list captures only those hosts whose operating system is based on the Linux 2.6x kernel. This
asset list is used for the Total IP Count fields and is used to generate the query created in step 2.

Dynamic Asset OS Condition

2. Create a query based on each asset list that contains only those assets with a High vulnerability. Note that in the
query below, we chose only those hosts that resided in the New IPv6 repository. Adjust the query to select hosts
from the desired repository.


High Severity Query for the Linux_2_6 Asset

3. Hover over the desired tab and click the arrow to display the drop-down containing the tab options. Select Add
Component. Choose the Matrix component type.
4. Enter the desired name and description. The name is displayed as the component title, while the description is
displayed as a tooltip when hovering the cursor over the component.
5. Click the first row and select Set Row Name to define the first row. Name the row Linux 2.6. This row will be
copied in future row additions to save time.
6. Click the three columns and select Column Settings to define three columns: Pass/Fail, Failure IP Count, and
Total IP Count.


Matrix with Blank Cells

7. Hover over the cell below Pass/Fail and click Set Cell. Choose data type of Vulnerability and then the
Linux_2_6 query under the query drop-down. Next, choose Add Condition and select values as shown in the
screen capture below:

Matrix High Condition

This condition specifies that if at least one IP in the specified asset list has a vulnerability severity value of High,
we will display the red icon. Next we will create a default condition (else statement) for cases where an IP has
no High severity vulnerabilities:

Matrix Low Condition


The complete cell condition statement looks like the screen capture below:

Matrix Sample Conditions

Submit the changes made so far.

Click on the cell under Failure IP Count. In this cell we will display counts of IPs for the same query (Linux 2.6
kernel with High vulnerabilities). Select the desired query to populate the desired filters. Click Add Condition
and choose Query Value with a rule of IP Count. Leave the background and foreground options at default
values for this example.

Matrix Display Conditions


The resulting cell values will look like the screen capture below:

Matrix Sample Conditions

Submit the changes made so far.

8. Click Set Cell under the Total IP Count column. Under the query options, we are choosing the desired
Repository and Asset list options. Note: these parameters could have easily been configured under an additional
query and selected that way if desired:

Matrix Filter Options


Under condition options, choose a type of Query Value and a rule of IP Count. Leave the background and
foreground options at default values for this example. The resulting cell parameters will look similar to the screen
capture below:

Matrix Cell Conditions

Submit the changes made so far. Add additional conditions as desired. For example, having a condition where a
red icon is displayed if the IP count is >=1 and a second condition where a green icon is displayed where the IP
count is zero would be a common condition configuration.
9. Add new rows for each operating system type. When adding the new rows, choose Intersect Settings to
duplicate the previous row's parameters. Adjust the row name based on the asset list and adjust each column
based on the new query and asset list.


10. Once completed, the matrix definitions will look similar to the screen capture below:

Matrix Cell Display

Click on the Submit button to submit all changes.

In the display above, note that some of the cells have a green background with the label Cell Set, while
some have a yellow background with the label Target Set. A third possibility is a yellow background with the
words Query Set. Filter types include the following items:

Query Filters: plugin, vulnerability and date
Target Filters: asset list, IP address and repository

Cell Set indicates that both target and query filters have been configured. Target Set indicates that only
target filters (in this case the asset list IPs) have been configured. Query Set means that you have selected a
query filter, but no target filters. Any one of these three settings is a valid cell configuration.
The matrix element will display and refresh daily as configured.
For more information about configuring matrix components and downloadable samples that you may find useful, please
visit the Tenable SecurityCenter Dashboards blog at: http://blog.tenable.com/sc4dashboards/.
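The condition review order described above (conditions checked top to bottom, first match wins, the undeletable default as fallback), the Intersect Settings behaviour, and the Cell Set / Target Set / Query Set labels from the walkthrough, as an added Python model that is not SecurityCenter's own code. The findings are constructed sample data; the asset list name Linux_2_6 and repository New IPv6 are taken from the walkthrough, the Score Count weights are the default severity scores this guide lists under IP Summary, and treating severity as a query filter is an assumption.

```python
"""Added example, not SecurityCenter code: a small model of a matrix cell
that computes query value rules and reviews its conditions top to bottom,
using the rule names, filter types and default severity scores this guide lists."""
from dataclasses import dataclass, field
from typing import Callable, Optional

# Default per-severity scores from the guide's IP Summary description.
SEVERITY_SCORE = {"Info": 0, "Low": 1, "Medium": 3, "High": 10, "Critical": 40}

# Filter types from the guide; treating severity as a query filter is an assumption.
TARGET_FILTERS = {"asset", "ip", "repository"}
QUERY_FILTERS = {"plugin", "vulnerability", "date", "severity"}


@dataclass(frozen=True)
class Finding:
    ip: str
    port: int
    severity: str
    asset: str          # asset list the host belongs to
    repository: str


# Constructed sample data: two Linux 2.6 hosts (one with a High finding)
# and one Windows host whose only finding is Critical, not High.
FINDINGS = [
    Finding("10.0.0.5", 22, "High", "Linux_2_6", "New IPv6"),
    Finding("10.0.0.5", 80, "Medium", "Linux_2_6", "New IPv6"),
    Finding("10.0.0.6", 443, "Low", "Linux_2_6", "New IPv6"),
    Finding("10.0.1.9", 445, "Critical", "Windows", "New IPv6"),
]

# Query value rules for the Vulnerability data type, as named in the guide.
RULES = {
    "IP Count": lambda fs: len({f.ip for f in fs}),
    "Port Count": lambda fs: len({f.port for f in fs}),
    "Vulnerability Count": len,
    "Score Count": lambda fs: sum(SEVERITY_SCORE[f.severity] for f in fs),
}


@dataclass
class Condition:
    rule: str                    # query value rule to compute
    test: Callable[[int], bool]  # condition on the computed value
    display: str                 # what the cell shows when it matches


@dataclass
class Cell:
    filters: dict
    conditions: list = field(default_factory=list)
    default_display: str = "Query Value"   # the undeletable fallback condition


def matching(findings, filters):
    """Keep only the findings that satisfy every filter set on the cell."""
    return [f for f in findings
            if all(getattr(f, k) == v for k, v in filters.items())]


def query_value(cell, rule, findings=FINDINGS):
    """Compute one rule (e.g. IP Count) over the cell's filtered data."""
    return RULES[rule](matching(findings, cell.filters))


def evaluate_cell(cell, findings=FINDINGS):
    """Review conditions top to bottom; the first match wins, else the default."""
    for cond in cell.conditions:
        if cond.test(query_value(cell, cond.rule, findings)):
            return cond.display
    return cell.default_display


def intersect_settings(cells):
    """Intersect Settings: the filter key/value pairs common to every cell."""
    if not cells:
        return {}
    common = dict(cells[0].filters)
    for c in cells[1:]:
        common = {k: v for k, v in common.items() if c.filters.get(k) == v}
    return common


def filter_state(filters) -> Optional[str]:
    """Label a cell Cell Set, Target Set or Query Set from its filter types."""
    has_target = any(k in TARGET_FILTERS for k in filters)
    has_query = any(k in QUERY_FILTERS for k in filters)
    if has_target and has_query:
        return "Cell Set"
    if has_target:
        return "Target Set"
    return "Query Set" if has_query else None


def pass_fail_cell(asset):
    """The guide's Pass/Fail column: red icon if any host in the asset list
    has a High finding, green icon when that IP count is zero."""
    high = {"asset": asset, "repository": "New IPv6", "severity": "High"}
    return Cell(high, [Condition("IP Count", lambda v: v >= 1, "red icon"),
                       Condition("IP Count", lambda v: v == 0, "green icon")])


# The guide's Linux 2.6 row: Pass/Fail, Failure IP Count, Total IP Count.
PASS_FAIL = pass_fail_cell("Linux_2_6")
FAILURE_IP_COUNT = Cell(PASS_FAIL.filters)
TOTAL_IP_COUNT = Cell({"asset": "Linux_2_6", "repository": "New IPv6"})
```

Adding a row for another asset list is just `pass_fail_cell("Windows")`, and `intersect_settings` shows which filters a new row or column would inherit from the existing cells.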

Copy Component Options

In addition to adding and editing components, components can be copied to the current or a new tab on the dashboard.
Click on the arrow in the upper right-hand corner of the component and choose Copy Component to bring up an edit
component tab similar to the one below:


Copy Table Component

The Copy Component options are the same as the Edit Component tab except that the user is given the option of
choosing the destination tab where the component will be copied.

Navigating the Dashboard Components

SecurityCenter users are presented with several icon options via the dashboard component display. The screen capture
below displays the icon options shown in the upper right-hand corner of each component:

The left-hand Browse Component Data icon gives the user the ability to drill into the dataset behind the dashboard
view and display the data for further analysis.
Various dashboards do not provide this option because their underlying data snapshot source does not
support browse capability.
For example, the screen capture below contains a vulnerability summary view displayed after clicking on the Browse
Component Data icon:


Browse Component Data

Notice the white arrow on the left-hand portion of this screen next to Load Query. Clicking this arrow or anywhere along
the grey bar returns the user to the initial dashboard view.
The center Refresh Component Data icon refreshes the component data based on the most recent underlying data.
After first login, it may be necessary for the user to initially manually refresh the dashboard component to
obtain the most current data set.
There is a blue arrow icon to indicate when the component is updating, and a red exclamation mark icon to indicate when
something has gone wrong. Hovering over the icon will show a tooltip with more details on what went wrong. For example,
if the underlying query behind a dashboard component becomes disabled (e.g., asset lists that were shared with the user
are no longer shared), the refresh will fail and the user will be presented with the tooltip notification of why it failed.
The right-hand arrow icon gives the user more options, described above, including: Edit Component, Copy
Component, Delete Component, and Export PNG. The Export PNG option saves a PNG image of the
dashboard element so that the element's displayed results can be used outside of SecurityCenter.

Vulnerability Analysis
The Vulnerabilities display screen is the focal point for the display and analysis of vulnerabilities from either the
cumulative or mitigated vulnerability database. Vulnerability data is displayed at varying levels and views ranging from the
highest level summary down to a detailed vulnerability list data. Clicking through Analysis and Vulnerabilities
displays a screen with information from the cumulative vulnerability database using the selected default filter. The
Vulnerability Summary filter is shown here:


Vulnerability Data Screen Default View

This screen displays vulnerabilities in both a table and graphical view for rapid analysis and mitigation.

Cumulative vs. Mitigated

At the top of the vulnerability display screen are two options: Cumulative and Mitigated. This selection determines
which database to pull vulnerability data from, cumulative or mitigated. The Cumulative database contains current
vulnerabilities, including those that have been recast, accepted, or mitigated and found vulnerable on rescan. The
Mitigated database contains vulnerabilities that are no longer vulnerable based on scan information.


Filter History

Below the Cumulative/Mitigated tabs is a listing of previously loaded filter options. Hover the cursor over a previously
selected filter to display a white dot to the right of the analysis tool type name for each filter option along with a pop-up
window to the right with the filter parameters. Notice in the example screen capture above, there are three white dots to
the right of the highlighted filter, one for Address, one for Repository, and one for Plugin ID.
Click on the desired filter to change the view to use the previously selected filter. Click on Clear to remove all previously
loaded filters from the history panel.

Right-Click Functionality

Right-Click Options

Selecting and right-clicking on a particular vulnerability in the vulnerabilities screen gives the user additional options that
are useful in the context of the highlighted vulnerability. Available options include: Copy To Clipboard, Add To
Scratch Pad, Recast Risk, Accept Risk, and Launch Remediation Scan. These options are described in more
detail in the table below:


Table 7 Right-Click Options

Type

Description

Copy To Clipboard

Use this option to copy the vulnerability details to your clipboard for reuse elsewhere.
For example, you could copy the vulnerability details to the clipboard and then paste
them into an email if so desired.

Add To Scratch Pad

The Scratch Pad allows users to store the current drilldown value as a filter option.
For example, if the current view allows for a plugin drilldown, selecting a vulnerability
with a particular plugin, right-clicking and choosing Add to Scratch Pad will add that
plugin ID to the Scratch Pad. This allows the user to quickly switch back and forth
between scratch pad items for rapid analysis. Scratch Pad filters also persist between
different analysis tool views, allowing the user to apply the same Scratch Pad filter to
more than one desired view.

Recast Risk

Apply a new risk level to the selected vulnerability. For example, a particular
vulnerability may be rated as CVSS 7.5 (high) based on the overall scoring; however,
due to local variables could be recast as a critical risk. This would impact the overall
vulnerability scoring of hosts whose vulnerabilities have been recast.
There can be a short delay between clicking on Add Rule and
vulnerabilities showing the recast risk. Navigate away from the page and
then back to it to view the applied changes.
Deletion of recast risk rules is performed only by a SecurityCenter admin user and is
described in detail in the SecurityCenter 4.8 Administration Guide available on the
Tenable Support Portal.

Accept Risk

Any vulnerabilities that match the chosen criteria will be automatically accepted and
not show in a vulnerability search unless the Accepted Risk filter flag is set.
There can be a short delay between clicking on Add Rule and
vulnerabilities showing the new risk acceptance. Navigate away from the
page and then back to it to view the applied changes.
Deletion of accept risk rules is performed only by a SecurityCenter admin user and is
described in detail in the SecurityCenter 4.8 Administration Guide available on the
Tenable Support Portal.

Launch Remediation Scan

This option provides the user with the ability to launch a new remediation scan based
on the selected vulnerability. This option is only available through the Vulnerability
List and Vulnerability Summary analysis tools.


Remediation Scan Options

The screen capture above contains available scan options. Based on the results of this
remediation scan, the vulnerability will be either kept in the cumulative database or
moved to the mitigated database. For more information on the available scan options,
please refer to the Scanning section of this document.


Analysis Tools
A wide variety of analysis tools are available for comprehensive vulnerability analysis. Clicking on the analysis tool drop-down displays a list of available tools.

Vulnerability Analysis Tools

Vulnerability filters can be reset at any time by clicking on the Clear link. If multiple filters are currently in use, filters can
be individually removed without affecting other filters by clicking on the X next to the individual filter under the Active
Filters section.
The table below contains detailed descriptions of all available analysis tools:
Table 8 Vulnerability Analysis Tools

Analysis Tool

Description

IP Summary

SecurityCenter has four tools for summarizing information by
vulnerable IP addresses. These include summary by IP, Class A,
Class B, and Class C.

Class A Summary
Class B Summary
Class C Summary

The IP Summary tool lists the matching addresses, their
vulnerability score, the repository the data is stored in, the OS
Common Platform Enumeration (CPE) value, vulnerability count,
and a breakdown of the individual severity counts.
The IP Summary tool displays a list of IP addresses along with
summary information. Clicking on an IP address displays a Host
Detail window for that IP address. SecurityCenter 4.8 calculates
and loads Host Detail assets incrementally to enhance system
performance. The System Information box displays information
about the NetBIOS Name (if known), DNS Name (if known), MAC
address (if known), OS (if known), Score, Repository, Last Scan,
Passive Data, Compliance Data, and Vulnerabilities. The Assets
box displays which asset lists the IP address belongs to. The
Useful Links box contains a list of resources that can be queried
by IP address. Clicking on one of the Resource links causes the
resource to be queried with the current IP address. For example, if
the current IP address was a publicly registered address, clicking
on the ARIN link causes the ARIN database to be queried for the
registration information for that address. If custom resources have
been added by the administrative user (via the Manage IP
Address Information Links selection under the Customization
tab), they will be displayed here.
Starting out with a Class A or Class B summary can identify more
active network ranges for networks with a large number of active IP
addresses.
The vulnerability score for an address is computed by adding up
the number of vulnerabilities at each severity level and multiplying it
by the organization's severity score for that level.
The default severity scores at each level are:

Info - 0
Low - 1
Medium - 3
High - 10
Critical - 40

Severity scores for Low, Medium, High, and Critical
are configured for each organization by the
administrator user.
The OS CPE value may be used to determine the operating system
reported on the target host.
All displayed columns can be sorted for more useful views.
DNS Name Summary

SecurityCenter 4.8 includes the ability to summarize information by
vulnerable DNS name. The DNS Name Summary lists the
matching hostnames, their vulnerability score, vulnerability count,
and a breakdown of the individual severity counts.
Clicking on Total for a DNS name will display the complete list of
discovered vulnerabilities for that particular host.
Remediation Summary

The Remediation Summary tool provides a list of remediation
actions that may be taken to prioritize tasks that will have the
greatest effect to reduce vulnerabilities in systems. This list
provides a solution to resolve a particular CPE on a given OS
platform. The data provided includes the risk reduction percentage,
how many hosts are affected, and the number of vulnerabilities,
CVEs, and MS Bulletins that will be resolved across the hosts, as
applicable.

Severity Summary

This tool considers all of the matching vulnerabilities and then
charts the total number of info, low, medium, high, and critical
vulnerabilities. A pie chart is produced to represent the data.
Clicking on any of the counts or severities in the chart will display
the Class C Summary chart filtered with the matched
vulnerabilities.

Vulnerability Summary

All matching vulnerabilities are sorted by plugin ID count and listed
in a chart. Columns of plugin ID, Total, and Severity can be sorted
by clicking on the column header.
Clicking on the plugin ID will produce a pop-up window containing a
description of the vulnerability check.

CVE Summary

This view groups vulnerabilities based on their CVE ID, Hosts
Total, and vulnerability count.

MS Bulletin Summary

This tool filters vulnerabilities based on Microsoft Bulletin ID.
Displayed are the IDs, Vulnerability Totals, Host Total, and
Severity. This view is particularly useful in cases where Microsoft
releases a new bulletin and a quick snapshot of vulnerable hosts is
required.

Asset Summary

This tool summarizes the scores and counts of vulnerabilities for all
dynamic or static asset lists.
A breakdown of each asset's specific vulnerabilities and counts for
each severity level is also included.
Clicking on any of the counts displays a Vulnerability List screen
with the corresponding filter.

User Responsibility Summary

This displays a list of the users who are assigned responsibility for
the vulnerability based on the user's assigned asset list. Multiple
users with the same responsibility are displayed on the same line.
Users without any assigned responsibilities are not displayed in the
list.


CCE Summary

This displays a summary of hosts which have Common
Configuration Enumeration (CCE) vulnerabilities.
Clicking on the host or vulnerability count for any of the CCE IDs
will display an appropriate summary page, which is used to
further examine the data.

Port Summary

A summary of the top ports in use is displayed for all matched
vulnerabilities. Each port has its count of vulnerabilities as well as a
breakdown for each severity level. Clicking on any count displays
the IP Summary screen with the corresponding filter.

Plugin Family Summary

This tool charts each Nessus, PVS, or Event plugin family that is
present, as well as its relative counts based on severity level for all
matching vulnerabilities.
Clicking on any of the counts will display a Vulnerability List
page filtered by the selected plugin family.

Protocol Summary

This tool summarizes the detected IP protocols such as TCP, UDP,
and ICMP. The tool also breaks out the different counts for each
protocol's severity levels.
Clicking on any of the counts will display the IP Summary screen
with the corresponding filter.

Vulnerability List

This tool lists out the Plugin ID, Severity, NetBIOS Name, DNS
Name, MAC Address, Repository Name, Vulnerability Name, and
Family for each matching vulnerability.
Clicking on any IP address will open a window that shows the
Detailed Vulnerability List for that IP address.

List OS

SecurityCenter understands both actively and passively
fingerprinted operating systems. This tool lists what has been
discovered.
The method (active, passive, or event) of discovery is also
indicated.
Clicking on the count displays the IP Summary screen with the
corresponding filter.

List Software

The Nessus scanner plugins 22869 and 20811 attempt to
fingerprint any software they encounter. SecurityCenter can process
this information and create a summary of unique software
packages discovered by Nessus.
Clicking on the count displays the IP Summary screen with the
corresponding filter.

List Services

The Nessus scanner plugin ID 22964 attempts to fingerprint any
service it encounters. SecurityCenter can process this information
and create a summary of unique services discovered by Nessus.
Clicking on the count displays the IP Summary screen with the
corresponding filter.

List Web Clients

SecurityCenter understands PVS plugin ID 1735, which
passively detects the web client in use. This tool lists the unique
web clients detected.
Clicking on the count displays the IP Summary screen of
matching addresses using that web client.

List Web Servers

This tool takes the passive output from PVS plugin ID 1442 and the
active output from Nessus plugin ID 10107 and creates a unique
list of known web servers.
The method of discovery (active or passive) is also indicated in the
tool.
Clicking on the count displays the IP Summary screen of
matching addresses using that web server.
Not all web servers run on port 80 or 443. Do not be
surprised if you encounter web servers running on
unexpected ports.

List Mail Clients

If SecurityCenter is using a PVS scanner, this tool uses plugin ID
1100 to determine a unique list of email clients.
Each of these detections will be labeled as a PASSIVE detection.

List SSH Servers

This tool takes the passive output from PVS plugin ID 1967 and the
active output from Nessus plugin ID 10267 and creates a unique
list of known SSH servers.
The method of discovery (active or passive) is also indicated in the
tool.
Clicking on the count displays the IP Summary screen of
matching addresses using that SSH server.
Not all SSH servers run on port 22. Do not be
surprised if you encounter SSH servers running on
unexpected ports.

Detailed Vulnerability List

This view shows the actual results of a vulnerability scan. Nessus,
PVS, and LCE will often return very detailed results from their
analysis of network systems.
Important fields include CVSS score, CVSS temporal score,
availability of public exploit, CVE/BID/other references, synopsis,
description, and solution.
Scroll arrows are displayed on the right and left-hand sides of the
screen for ease of browsing between vulnerabilities (similar to the
Nessus 4.2.x and higher vulnerability display). In addition, clickable
colored rectangles at the bottom of the screen indicate the
vulnerability severity level of the corresponding vulnerabilities.
Clicking on an IP address displays a Host Detail window for that
IP address similar to that described in detail for the IP Summary
view above. SecurityCenter 4.8 calculates and loads Host Detail
assets incrementally to enhance system performance.
If there are any Common Vulnerabilities and Exposures (CVE) or
Bugtraq IDs (BIDs), they are listed for further research. In
addition, hovering the cursor over the severity icon displays the
CVSS Base Score information relevant to the vulnerability.
A pop-up similar to the following is displayed:

CVSS Scoring

As indicated by the text, clicking on the severity icon opens a
CVSS calculator that links to the NIST web site with a more
detailed breakdown of the CVSS scoring metrics.
This display has links to accept this risk, open a ticket, recast it to a
different severity level (cumulative database vulnerabilities only),
and launch a remediation scan for active vulnerabilities.
If a particular vulnerability has been already recast, a box with the
letter R in it is displayed to the right of the severity. Clicking on the
R opens a pop-up that displays all applicable rules applied to the
vulnerability.

Recast Risk Option

Similarly, if a risk has been accepted, a box with the letter A in it
is displayed. Click on the A to display a pop-up with all applicable
rules.

Add Risk Recast/Acceptance Rule


Vulnerabilities can be recast or accepted based on situational requirements.
To add a Risk Recast Rule, right click on the vulnerability within the Vulnerability Summary or Vulnerability List
screens and choose Recast Risk or click Recast Risk in the upper right-hand corner of the Detailed Vulnerability
List screen. A pop-up similar to the one below is displayed:

Add Recast Risk Rule

Choose the new risk to assign to the current vulnerability and the selected filter options (Repository, Targets, Ports, and
Protocol). If any of the selected options are modified, they will filter what vulnerabilities will inherit the new risk rating. In
addition, a comment can be added to describe why the risk is being recast.
There can be a short delay between clicking on Add Rule and vulnerabilities showing the new risk. It may be
necessary to reload the filters to view the applied changes.
Similar to recasting risks, risk acceptance is performed from the same screens and displays a pop-up similar to the one
below:

Add Risk Acceptance Rule

The Acceptance Rule has the ability to have an expiration date added to it. This adds a method to accept a risk on a
temporary basis. Any vulnerabilities that match the chosen criteria will be automatically accepted and not show in a
vulnerability search unless the Accepted Risk filter flag is set.
There can be a short delay between clicking on Add Rule and vulnerabilities showing the new risk
acceptance. It may be necessary to reload the filters to view the applied changes.
Deletion of both accept and recast risk rules is performed only by a SecurityCenter admin user and is described in detail
in the SecurityCenter Administration Guide available on the Tenable Support Portal.
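The rule dialogs described above narrow a Recast Risk or Accept Risk rule by Repository, Targets, Ports, and Protocol, and an acceptance rule can carry an expiration date. The following Python is an added example, not Tenable's code: it models those rules over a constructed set of findings to show which ones inherit the new severity, which are hidden from a normal search until the Accepted Risk filter flag is set, and what happens once an acceptance expires. The record layout, the exact matching rules, and the sample data are this example's assumptions, not SecurityCenter's documented internals.

```python
# Added example (not Tenable's code): how a Recast Risk or Accept Risk rule
# narrows the vulnerabilities it applies to (Repository, Targets, Ports,
# Protocol), how an acceptance rule expires, and why an accepted finding
# disappears from a normal search. Record layout and matching rules are
# this example's assumptions, not SecurityCenter's documented internals.
import ipaddress
from dataclasses import dataclass, field, replace
from datetime import date
from typing import List, Optional, Set

@dataclass
class Vuln:
    plugin_id: int
    ip: str
    port: int
    protocol: str
    repository: str
    severity: str
    recast: bool = False      # shown as the "R" box in the detailed view
    accepted: bool = False    # shown as the "A" box in the detailed view

@dataclass
class Rule:
    kind: str                               # "recast" or "accept"
    plugin_id: int
    new_severity: Optional[str] = None      # recast only
    repository: Optional[str] = None        # None: any repository
    targets: List[str] = field(default_factory=list)  # IPs/CIDRs; empty: all
    ports: Optional[Set[int]] = None        # None: any port
    protocol: Optional[str] = None          # None: any protocol
    expires: Optional[date] = None          # accept only; None: never expires
    comment: str = ""

def ip_in_targets(ip: str, targets: List[str]) -> bool:
    if not targets:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(t, strict=False) for t in targets)

def rule_matches(rule: Rule, v: Vuln, today: date) -> bool:
    if rule.kind == "accept" and rule.expires is not None and today > rule.expires:
        return False  # a temporary acceptance stops applying after its expiration date
    return (rule.plugin_id == v.plugin_id
            and (rule.repository is None or rule.repository == v.repository)
            and ip_in_targets(v.ip, rule.targets)
            and (rule.ports is None or v.port in rule.ports)
            and (rule.protocol is None or rule.protocol == v.protocol))

def apply_rules(vulns: List[Vuln], rules: List[Rule], today: date) -> List[Vuln]:
    """Return copies of the findings with every matching rule applied."""
    out = []
    for v in vulns:
        v = replace(v)  # copy, so the original list is left untouched
        for r in rules:
            if not rule_matches(r, v, today):
                continue
            if r.kind == "recast":
                v.severity, v.recast = r.new_severity, True
            else:
                v.accepted = True
        out.append(v)
    return out

def visible(vulns: List[Vuln], accepted_risk_filter: bool = False) -> List[Vuln]:
    """Accepted findings are hidden unless the Accepted Risk filter flag is set."""
    return [v for v in vulns if accepted_risk_filter or not v.accepted]

# Constructed sample findings and rules (plugin IDs are the ones named on this page).
SAMPLE = [
    Vuln(10107, "192.168.10.5", 80, "tcp", "Corp", "High"),
    Vuln(10107, "192.168.10.6", 8080, "tcp", "Corp", "High"),
    Vuln(10107, "10.0.0.5", 80, "tcp", "DMZ", "High"),
    Vuln(22964, "192.168.10.5", 22, "tcp", "Corp", "Medium"),
]
RULES = [
    Rule("recast", 10107, new_severity="Low", targets=["192.168.10.0/24"], ports={80},
         comment="internal web server reachable only through the reverse proxy"),
    Rule("accept", 22964, expires=date(2014, 12, 31),
         comment="service banner accepted until the scheduled decommission"),
]

def example_results(today_iso: str) -> List[Vuln]:
    """Apply RULES to SAMPLE as of the given ISO date, e.g. '2014-12-16'."""
    return apply_rules(SAMPLE, RULES, date.fromisoformat(today_iso))

if __name__ == "__main__":
    for v in visible(example_results("2014-12-16"), accepted_risk_filter=True):
        flags = ("R" if v.recast else "-") + ("A" if v.accepted else "-")
        print(f"{v.plugin_id:>6} {v.ip:<14} {v.port:<5} {v.severity:<8} {flags}")
```

Only the 192.168.10.5 web server on port 80 is recast: the 8080 instance fails the Ports filter and the DMZ host falls outside the Targets block. The SSH finding is accepted and therefore absent from `visible()` until the flag is set, and it reappears on its own once the acceptance's expiration date has passed.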

Load Query

The Load Query option enables users to load a predefined query and display the current dataset against that query.
Click on Load Query to display a box with all available queries. The first line is a text search box that will narrow the list
of queries to the text entered. The query names are displayed with their associated group (if assigned to one) in blue.
After clicking on an individual query, the vulnerability view is changed to match the query view for the current dataset.

Additional Vulnerability Analysis Options


The following options are available in the upper right-hand corner of the vulnerability analysis screen:

Additional Vulnerability Analysis Options

Save Query
This option, available in the upper right-hand corner of the web interface, saves the current vulnerability view as a query
for reuse. If this link is clicked, a dialog similar to the one below is displayed:

Vulnerability Query Options

The table below describes the available query options:


Table 9 Query Options

Option

Description

Name

Query name

Tag

This option provides a tag for organizing created query objects. Tag names can be
reused as desired. This reduces lengthy lists of queries with no logical grouping.
Objects shared with new users will retain the tag specified by the creator.

Description

This option enables users to provide a description of the query.

Save Asset
Vulnerability results can be saved to an asset list for later use by clicking on the Save Asset link in the upper right-hand
side of the screen.

Save as Asset Options

The table below describes the available asset options:


Table 10 Asset Options

Option

Description

Name

Asset name

Tag

A logical grouping for created asset objects. Tag names can be reused as desired.
This reduces lengthy lists of assets with no logical grouping. Objects shared with new
users will retain the tag specified by the creator.

Description

Asset description

Open Ticket

Ticket Options

Tickets are used within SecurityCenter to assist with the assessment and remediation of vulnerabilities and security
events. Use this option to open a ticket based on the current vulnerability view. Click on the Open Ticket link and
complete the relevant fields as described below:
Table 11 Ticket Options

Option

Description

Name

Ticket name

Description

Ticket description

Notes

Notes to be used within the ticket and read by the ticket assignee.

Assign To

Ticket assignee

Classification

Information, Configuration, Patch, Disable, Firewall, Schedule, IDS, Accept Risk,
Recast Risk, Re-scan Request, False Positive, System Probe, External Probe,
Investigation Needed, Compromised System, Virus Incident, Bad Credentials,
Unauthorized Software, Unauthorized System, Unauthorized User, or Other.

More Options
Export as CSV
Vulnerability results can be exported to a comma-separated file for detailed analysis outside of SecurityCenter by clicking
on the More link and then the Export as CSV option.
If the record count (rows displayed) of any CSV export is greater than 1,000 records, a pop-up is displayed that prompts
for the name of the CSV report to be generated. When complete, the report can be downloaded from the Report Results
screen.
Create Report
This option is used to create a report based on the existing vulnerability view.

Report Launch Dialog

More information about SecurityCenter reports is available in the Reporting section of this document.

Vulnerability Filters
Filters limit the results of the vulnerability display and can be added, modified or reset as desired. The screen capture
below shows a search based on a Cumulative database filtering on vulnerabilities from the selected repositories with an
available exploit and High and Critical severity levels.

Cumulative Database Filter Options

The Mitigated database filter does not contain the Accepted Risk or Recast Risk options under the
Workflow Filters tab.

The screen capture below displays results from the previous Cumulative database search:

Filtered Vulnerability Results

The Severity (set to High and Critical in this example) and Exploit Available filters are displayed in the lower left-hand
corner of the screen and can be reset by clicking the X icon next to the filter name. In addition, clicking on the view title
(Detailed Vulnerability List) in the upper left-hand corner of the screen navigates to the previously used Detailed
Vulnerability List view and filters. The table below describes the options available with the Edit Filters command
button.
Table 12 Vulnerability Filter Options

Filters

Description

Analysis Tool Filter


Analysis Tool

This drop-down is used to choose the analysis tool used by the filter. This is the same
as selecting the desired analysis tool from the Analysis -> Vulnerabilities dialog.
These tools are described in detail in the Analysis Tools section.

Active Filters

This field displays the existing filters and allows the user to selectively remove filters as
needed. In the example below, the Active Filters displayed are Severity and Exploit
Available. Clicking the X next to any one of these filters will remove that filter from the
displayed vulnerabilities and reset that field to its default options.

Vulnerability Filter Options

Target Filters
Address

This filter specifies an IPv4 or IPv6 address, range, or CIDR block to limit the viewed
vulnerabilities. For example, entering 192.168.10.0/24 and/or 2001:DB8::/32 limits any
of the web tools to only show vulnerability data from the selected network(s).
Addresses can be comma separated or separate lines.

DNS Name

This filter specifies a DNS name to limit the viewed vulnerabilities. For example,
entering host.example.com limits any of the web tools to only show vulnerability data
from that DNS name.

Repository

Display vulnerabilities from the chosen repositories.

Asset

This filter displays systems from the chosen asset list. If more than one asset list
contains the systems from the primary asset list (i.e., there is an intersection between
the asset lists), those asset lists are displayed as well. The operands NOT, OR, and/or
AND may be used to exclude unwanted asset lists from the view.

Output Assets (only available in the Asset Summary analysis tool)

This filter displays only the desired asset list systems.

Port

This filter is in two parts. First the equality operator is specified to allow matching
vulnerabilities with the same ports, different ports, all ports less than or all ports greater
than the port filter. The port filter allows a comma separated list of ports. For the larger
than or less than filters, only one port may be used.
All host-based vulnerability checks are reported with a port of 0 (zero).

Protocol

This filter provides check boxes to select TCP, UDP, or ICMP-based vulnerabilities.

Responsible Users

Allows selection of one or more users who are responsible for the vulnerabilities.

Vulnerability Filters
Plugin Family

This filter chooses a Nessus or PVS plugin family. Only vulnerabilities from that family
will be shown.

Plugin Name

Enter all or a portion of the actual plugin name. For example, entering MS08-067 in
the plugin name filter will display vulnerabilities using the plugin named MS08-067:
Microsoft Windows Server Service Crafted RPC Request Handling Remote Code
Execution (958644) (uncredentialed check). Similarly, entering the string
uncredentialed will display a list of vulnerabilities with that string in the plugin name.

Vulnerability Text

Displays vulnerabilities containing the entered text (e.g., php 5.3).

Scan Policy

This filter chooses a scan policy. Only vulnerabilities from that scan policy will be
shown.

Audit File

This filter displays vulnerabilities detected when a scan was performed using the
chosen .audit file.

Plugin Type

Select whether to view all plugin types or passive, active, event, or compliance
vulnerabilities.

Severity

Displays vulnerabilities with the selected severity (Info, Low, Medium, High, Critical)

CVSS Score

Displays vulnerabilities within the chosen CVSS score range.

Exploit Available

If set to yes, displays only vulnerabilities for which a known public exploit exists.

CPE

Allows a text string search to match against available CPEs. The filter may be set to
search based on a contains or is equal to filter.

ID Filters
Plugin ID

Enter the plugin ID desired or range based on a plugin ID. Available operators are
equal to (=), not equal to (!=), greater than or equal (>=) and less than or equal to (<=).

CVE ID

Displays vulnerabilities based on the chosen single CVE ID (e.g., CVE-2010-1128) or
multiple CVE IDs separated by commas (e.g., CVE-2011-3348,CVE-2011-3268,CVE-2011-3267).

CCE ID

Displays results based on the entered CCE ID.

MS Bulletin ID

Displays vulnerabilities based on the chosen Microsoft Bulletin ID (e.g., MS09-001)
or multiple Microsoft Bulletin IDs separated by commas (e.g., MS10-012,MS10-054,MS11-020).

IAVM ID

Displays vulnerabilities based on the chosen IAVM ID (e.g., 2011-A-0007) or multiple
IAVM IDs separated by commas (e.g., 2011-A-0005,2011-A-0007,2012-A-0004).

Date Filters
Vulnerability Last Observed
(Cumulative only)

This filter allows the user to see when the vulnerability was last observed by Nessus,
LCE, or PVS.
The observation date is based on when the vulnerability was most
recently imported into SecurityCenter. For PVS, this will not match the
exact vulnerability discovery as there is normally a lag between the time
that PVS discovers a vulnerability and the import occurs.

Vulnerability Mitigated
(Mitigated only)

This filter allows the user to filter results based on when the vulnerability was
mitigated.

Days To Mitigate (Mitigated only)

This filter allows the user to track the number of days since a vulnerability was moved
to the mitigated database.

Vulnerability Discovered

SecurityCenter tracks when each vulnerability was first discovered. This filter allows
the user to see when vulnerabilities were discovered less than, more than or within a
specific count of days.
The discovery date is based on when the vulnerability was first imported
into SecurityCenter. For PVS, this will not match the exact vulnerability
discovery time as there is normally a lag between the time that PVS
discovers a vulnerability and the import occurs.

Days are calculated based on 24-hour periods prior to the current time
and not calendar days. For example, if the report run time was 1/8/2012
at 1 PM, using a 3-day count would include vulnerabilities starting
1/5/2012 at 1 PM and not from 12:00 AM.
Plugin Published

Tenable plugins contain information about when a plugin was first published. This filter
allows users to search based on when a particular plugin was created; less than, more
than, or within a specific count of days.

Plugin Modified

Tenable plugins contain information about when a plugin was last modified. This filter
allows users to search based on when a particular plugin was modified; less than,
more than, or within a specific count of days.

Vulnerability Published

When available, Tenable plugins contain information about when a vulnerability was
published. This filter allows users to search based on when a particular vulnerability
was published; less than, more than, or within a specific count of days.

Patch Published

When available, Tenable plugins contain information about when a patch was
published for a vulnerability. This filter allows the user to search based on when a
patch became available; less than, more than, or within a specific count of days.

Workflow
Mitigated Status

Display vulnerabilities that were at one time mitigated, but have been discovered again
in a subsequent scan. When this flag is combined with other workflow flags, a vulnerability
is returned only if it satisfies every selected flag; for example, selecting the Was
Mitigated checkbox together with the Accepted Risk flag returns no results unless a
vulnerability is both previously mitigated and accepted.

Accepted Risk Status
(Cumulative Only)

Display vulnerabilities based on their Accepted Risk workflow status. Available
choices include Accepted Risk or Non-Accepted Risk. Choosing both options
displays all vulnerabilities regardless of acceptance status.

Recast Risk Status
(Cumulative Only)

Display vulnerabilities based on their Recast Risk workflow status. Available choices
include Recast Risk or Non-Recast Risk. Choosing both options displays all
vulnerabilities regardless of recast risk status.
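As an added example (not Tenable's code), the following Python evaluates a handful of the filters from Table 12 over constructed findings: the Address filter with IPv4/IPv6 CIDR blocks and ranges, the Port filter operators, Severity, Exploit Available, a comma-separated CVE list, and Vulnerability Last Observed counted in 24-hour periods back from the run time as the note above describes. The Finding record, the sample data, and the exact comparison rules are this example's assumptions; SecurityCenter's own filter engine is not shown on this page.

```python
# Added example (not Tenable's code): the matching semantics of a few of the
# Vulnerability Filters in the table above, run over constructed findings.
# The Finding record and the exact comparison rules are this example's
# assumptions. Details taken from the text: Address accepts IPv4/IPv6
# addresses, ranges or CIDR blocks, comma- or newline-separated; host-based
# checks report port 0; Port takes =, !=, > or < (a single port for > and <);
# day-based filters count 24-hour periods back from the run time, not
# calendar days.
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Optional, Tuple

@dataclass
class Finding:
    ip: str
    port: int
    protocol: str
    severity: str
    cves: Tuple[str, ...]
    exploit_available: bool
    last_observed: datetime   # import time into SecurityCenter, per the note in the table

def parse_address_filter(text: str) -> list:
    """Split a comma- or newline-separated Address filter into networks and (lo, hi) ranges."""
    terms = [t.strip() for t in text.replace("\n", ",").split(",") if t.strip()]
    parsed = []
    for t in terms:
        if "-" in t:
            lo, hi = (ipaddress.ip_address(x.strip()) for x in t.split("-", 1))
            parsed.append((lo, hi))
        else:
            parsed.append(ipaddress.ip_network(t, strict=False))  # plain IP becomes a /32 or /128
    return parsed

def address_matches(ip: str, parsed: list) -> bool:
    addr = ipaddress.ip_address(ip)
    for p in parsed:
        if isinstance(p, tuple):
            lo, hi = p
            if addr.version == lo.version and lo <= addr <= hi:
                return True
        elif addr.version == p.version and addr in p:
            return True
    return False

def port_matches(port: int, op: str, ports: List[int]) -> bool:
    if op in ("=", "!="):
        hit = port in ports
        return hit if op == "=" else not hit
    if len(ports) != 1:
        raise ValueError("the > and < port filters take exactly one port")
    return port > ports[0] if op == ">" else port < ports[0]

def observed_within_days(last_observed: datetime, days: int, now: datetime) -> bool:
    """N days means N x 24 hours before now: 3 days from 1/8 at 1 PM starts at 1/5 at 1 PM."""
    return last_observed >= now - timedelta(hours=24 * days)

def apply_filters(findings: Iterable[Finding], now: datetime, address: Optional[str] = None,
                  port: Optional[Tuple[str, List[int]]] = None, severity: Optional[set] = None,
                  exploit_available: Optional[bool] = None, cve_ids: Optional[str] = None,
                  last_observed_days: Optional[int] = None) -> List[Finding]:
    """Every supplied filter must match (filters combine with AND)."""
    nets = parse_address_filter(address) if address else None
    cves = {c.strip().upper() for c in cve_ids.split(",")} if cve_ids else None
    out = []
    for f in findings:
        if nets is not None and not address_matches(f.ip, nets):
            continue
        if port is not None and not port_matches(f.port, *port):
            continue
        if severity is not None and f.severity not in severity:
            continue
        if exploit_available is not None and f.exploit_available != exploit_available:
            continue
        if cves is not None and cves.isdisjoint(c.upper() for c in f.cves):
            continue
        if last_observed_days is not None and not observed_within_days(
                f.last_observed, last_observed_days, now):
            continue
        out.append(f)
    return out

# Constructed data. NOW is the run time used in the table's 24-hour-period note.
NOW = datetime(2012, 1, 8, 13, 0)
SAMPLE = [
    Finding("192.168.10.5", 80, "tcp", "Critical", ("CVE-2011-3348",), True, datetime(2012, 1, 7, 10, 0)),
    Finding("192.168.10.7", 0, "tcp", "High", (), False, datetime(2012, 1, 5, 9, 0)),   # host-based check
    Finding("2001:db8::10", 443, "tcp", "High", ("CVE-2010-1128",), True, datetime(2012, 1, 6, 0, 0)),
    Finding("10.0.0.5", 8080, "tcp", "Medium", ("CVE-2011-3267",), True, datetime(2012, 1, 8, 12, 0)),
]

def ips(findings: Iterable[Finding]) -> List[str]:
    return [f.ip for f in findings]

if __name__ == "__main__":
    # The search described above the table: High and Critical with an available exploit.
    print(ips(apply_filters(SAMPLE, NOW, severity={"High", "Critical"}, exploit_available=True)))
    # 3 days as 24-hour periods: the 1/5 9 AM host-based finding falls before 1/5 1 PM.
    print(ips(apply_filters(SAMPLE, NOW, last_observed_days=3)))
```

The 24-hour-period rule is the one most often misread: with a run time of 1/8/2012 at 1 PM, the host-based finding last imported on 1/5 at 9 AM is outside a 3-day window even though it falls on a calendar day the window appears to cover.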

Mobile Analysis
The Mobile analysis display screen contains a list of vulnerabilities discovered by scanning ActiveSync, Apple Profile
Manager, AirWatch, Good, and/or MobileIron MDM servers.
The table below indicates the options available for mobile queries:
Table 13 Mobile Filter Options

Option

Description

Analysis Tool Filter


Analysis Tool

This drop-down is used to choose the analysis tool used by the filter. This is the same
as selecting the desired analysis tool from the Analysis -> Mobile dialog.

Active Filters

This field displays the existing filters and allows the user to selectively remove filters as
needed. In the example below, the Active Filters displayed are MDM Type, Model,
Plugin Output, and Days Since Observation. Clicking the X next to any one of these
filters will remove that filter from the filter list.

Mobile Filters

Target Filters
Repository

Display vulnerabilities from the chosen repositories.

Device Filters
Identifier

This is a text based search filter that looks at the Identifier field in the repository.

Model

This is a text based search filter that looks at the Model field in the repository.

Operating System CPE

This is a text based search filter that looks at the Operating System CPE field in the
repository.

Version

This is a text based search filter that looks at the OS Version field in the repository.

Serial Number

This is a text based search filter that looks at the Serial Number field in the repository.

MDM Type

The MDM type field is a drop-down menu to select the MDM server type of
ActiveSync, Apple Profile Manager, Good, AirWatch, and MobileIron MDM server.

Username

This is a text based search filter that looks at the User field in the repository.

Vulnerability Filters
Plugin ID

Enter the Plugin ID to filter results on.

Plugin Output

Filter results based on a text search of plugin output.

Severity

Displays vulnerabilities with the selected severity (Info, Low, Medium, High, Critical).

Date Filters
Vulnerability Last Observed
(Cumulative only)

This filter allows the user to see when the vulnerability was last observed.

Event Analysis
The Events display screen contains an aggregation of security events from a variety of sources including LCE, IDS/IPS,
and syslog servers. Events can be viewed in a list format with options similar to the Vulnerability interface. Clicking
through Analysis and Events displays a high-level view screen similar to the following:

Event Analysis Type Summary Screen

Raw Syslog Events

SecurityCenter includes a Search bar above the results of the Events display screen. The Search bar can be used to
narrow down the scope of a set of events, and supports the use of keyword searches for active filters. In the example
above, a mix of collapsed and expanded events are seen. Selecting the Collapse Logs or Expand Logs option from the
top right will perform that action for all of the results en masse. By hovering over a particular event a + or - icon will be
displayed on the right side of the event to expand or collapse that one event.
A search for an IP address of 192.168.0.5 with associated text of window has been used to narrow down the results of a
Raw Syslog Events view. The text used to search is displayed in red within the results. If a specifier such as ip= or type=
is not used, the Search bar will use text= as the default search method and display all results that match the exact string
used in the search. If the text to search on contains a space, the text must be enclosed in quotes, such as "PHP Warning".
In order to create the search, the search criteria may be entered in different ways. Manually typing in the search is the first
option. Once entered, clicking the check icon to the right of the search box will display the filtered results.

Another option to search the Raw Syslog Events is to highlight a term to search for in a currently displayed and expanded
log entry. In the above screen capture the search has been narrowed down to the text of IP address 192.168.20.240. That
IP address has been selected from within one of the expanded results. When a text string from the results has been
highlighted with a mouse, a magnifying glass icon is shown on the information line. When clicked, this provides one or
both options as described in the following table.
Table 14 Search Options

Option

Description

Search Events

Performs a text search against the currently filtered results and returns the more
narrowly filtered event results.

View IP Information

When an IP address is highlighted in the results, selecting this option displays the
Host Detail information available for that IP address.
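As an added example (not Tenable's code), the following Python parses the search syntax described above (specifiers such as ip= and type=, text= as the default for a bare term, and quotes around text that contains a space) and applies the result to a few constructed syslog events. The Event record, the specifier list, and the matching rule (every term must match; text is a case-sensitive substring match) are this example's assumptions.

```python
# Added example (not Tenable's code): a small parser for the Raw Syslog Events
# search syntax described above (ip= and type= specifiers, text= as the
# default for bare terms, quotes around text containing a space), applied to
# constructed syslog events. The Event record, the set of recognised
# specifiers and the rule that every term must match (AND, case-sensitive
# substring for text) are this example's assumptions.
import shlex
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class Event:
    ip: str
    type: str
    message: str

SPECIFIERS = ("ip", "type", "text")

def parse_search(query: str) -> Dict[str, List[str]]:
    """'ip=192.168.0.5 "PHP Warning"' -> {'ip': ['192.168.0.5'], 'text': ['PHP Warning']}"""
    filters: Dict[str, List[str]] = {}
    for token in shlex.split(query):          # shlex implements the quoting rule
        key, sep, value = token.partition("=")
        if not sep or key not in SPECIFIERS:
            key, value = "text", token        # no recognised specifier: default to text=
        filters.setdefault(key, []).append(value)
    return filters

def event_matches(event: Event, filters: Dict[str, List[str]]) -> bool:
    for key, values in filters.items():
        for v in values:
            if key == "ip" and event.ip != v:
                return False
            if key == "type" and event.type != v:
                return False
            if key == "text" and v not in event.message:
                return False
    return True

def search(events: List[Event], query: str) -> List[Event]:
    filters = parse_search(query)
    return [e for e in events if event_matches(e, filters)]

# Constructed events; the addresses are the ones used in the text above.
EVENTS = [
    Event("192.168.0.5", "login", "Security event 4624: interactive logon, window station WinSta0"),
    Event("192.168.0.5", "web", "PHP Warning: include(): failed to open stream"),
    Event("192.168.20.240", "web", "PHP Warning: division by zero in report.php"),
    Event("192.168.20.240", "firewall", "DROP TCP 192.168.0.5:4444 -> 10.0.0.1:22"),
]

def matching_messages(query: str) -> List[str]:
    return [e.message for e in search(EVENTS, query)]

if __name__ == "__main__":
    for q in ('ip=192.168.0.5 window', '"PHP Warning"', 'type=web ip=192.168.20.240', '192.168.0.5'):
        print(q, "->", matching_messages(q))
```

Note the difference between `ip=192.168.0.5` and a bare `192.168.0.5`: the first matches the event's source address, while the second is a text= search and only hits events whose log text happens to contain that string, such as the firewall drop line.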

Filter History

Below the Active/Archived tabs is a listing of previously loaded filter options. Hovering the cursor over a previously
selected filter displays a pop-up window to the right that contains the filter parameters. Notice in the example screen
capture above, there are three white dots to the right of the highlighted filter, one for Type, one for Normalized Event
and one for Timeframe.
Click on the desired filter to change the view to use the previously selected filter. Click on Clear to remove all previously
loaded filters from the history panel.

Date Selection

Clicking on the date field directly below the analysis tool (in the example above, List of Events) opens up a dialog that
allows the user to specify a new timeframe for the event view. When the user selects Explicit, depicted as E on the
slider, as shown in the screen capture above, a checkmark and X icon are displayed to the right of the date selection.
Clicking the checkmark icon applies the specified timeframe. Clicking the X icon abandons the most recent changes that
were not applied using the checkmark icon and closes the time frame window.

If the slider is used, the user is presented with incremented date ranges from the Last 15 minutes to All, depicted as
A on the slider. In this example, Last 72 Hours is selected. Closing this dialog allows the event view to be navigated
and shows all events under the current filter that have been received in the last 72 hours. In addition, an Initial
Timeframe checkbox is made available. This checkbox allows users to set a default time range based on the slider
selection when navigating to the Raw Syslog page in the future.

Right-Click Functionality

Right-Click Options

Selecting and right-clicking on a particular event in the events screen gives the user additional options that are useful in
the context of the highlighted event. Available options include Copy To Clipboard and Add To Scratch Pad. These
options are described in more detail in the table below:

Table 15 Right-Click Options

Type

Description

Copy To Clipboard

Use this option to copy the displayed event information to your clipboard for reuse
elsewhere. For example, you could copy the event name to the clipboard and then
paste it into an email if so desired.

Add To Scratch Pad

The Scratch Pad allows users to store the current drilldown value as a filter option.
For example, if the current view allows for an event drilldown, selecting an event with a
particular normalized event, right-clicking and choosing Add to Scratch Pad will add
that search to the Scratch Pad. This allows the user to quickly switch back and forth
between Scratch Pad items for rapid analysis.

Active vs. Archived


At the top of the event display screen are two options: Active and Archived. This selection determines whether the
displayed events are pulled from the active or an archived event database. The Active view is the default one that
displays all currently active events. The Archived view prompts for an Archive Silo from which the event data will be
displayed. In the screen capture below, the LCE and Silo date range are displayed to help the user choose the correct
archive data for analysis.
The save-database and accompanying location options must be uncommented in the lce.conf file for the
LCE to store archive data for future retrieval.

Archive Silo Selection

Analysis Tool
A wide variety of analysis tools are available for comprehensive event analysis. Clicking on the current view (Type
Summary by default) displays an analysis tool:

Analysis Tool Options

Loading one of the analysis filters generates an event filter that may be reset at any time by clicking on the Clear link.
The table below contains detailed descriptions of all available analysis tools:
Table 16 Event Analysis Tools

Tool

Description

Type Summary

The Type Summary tool displays the matching unique event
types and the number of corresponding events for each.
The unique event types are based on normalized logs or events
such as firewall, system, correlated, network and IDS. These types
are high-level types used to describe event types (e.g., login or
lce).
Clicking on any of the event counts displays a list of matching
events.

Normalized Event Summary

This tool summarizes a listing of all normalized events and their
count for the chosen time period. Normalized events are lower-level
events that have been assigned a Tenable name by the LCE scripts
that parse the log records (e.g., Snort-HTTP_Inspect).
Clicking on the event name displays the event information, including
the script that fired to cause the event. Clicking on the event count
displays a Normalized Event view for the selected category.

Detailed Event Summary

The Detailed Event Summary tool displays a summary of the
various events based on their full event name and count. Clicking
on either the count or timeline displays a Detailed Event view.

List of Events

This tool displays a line of data for each matching event. The line
includes many pieces of information such as time, event name,
number of correlated vulnerabilities and involved IP addresses and
sensor.
Two links of great use are available. First, if the IDS event
correlates with a particular system's vulnerabilities, clicking on the
number of vulnerabilities switches the user to the cumulative
vulnerability display for that host. This is very useful to determine a
target system's profile.
Second, if an LCE is present, links are generated that can take the
user to a log analysis query based on the source or destination
addresses of the IDS event. This filter is applied to all searched
LCEs. These queries are available for the 30-minute window or
24-hour window surrounding the IDS event. This is a very efficient way
to find an IDS event of interest and see if the target or the attacker
has generated any other system logs of interest.
Other links of interest in the List of Events view include time,
event name, and source/destination IP address. Clicking on the
event name adds a filter to only display events matching that event
name. Finally, clicking on the source or destination IP address
loads a system information summary of data available for the IP
address in question.

Sensor Summary

The Sensor Summary displays the unique event counts for any
query from unique sensor types.
In Log Analysis mode, the LCE attempts to learn any system
names of the remote devices through log analysis. Not all remote
log sources will have detectable sensor names.

Event Trend

This analysis tool displays an event trend area graph with total
events over the last 24 hours. Modify the filters for this graph to
display the desired event trend view.

Date Summary

When analyzing large amounts of data, it is often useful to get a
quick summary of how the data set manifests itself across several
dates.
For example, when analyzing a suspected attacker's IP address,
creating a filter for that IP and looking at the type of events is
simple enough. However, displaying that same data over the last
few days or weeks can paint a much more interesting picture of a
potential attacker's activity.

Asset Summary

This tool can be used to see how certain types of activity, remote
attackers, or non-compliant events have occurred across different
asset groups.
Clicking on the Total count for the listed asset displays a Type
Summary page that shows the event type, total number of each
event, and a plot that displays the event occurrences over the
queried time period.

User Summary

This tool displays the matching unique event types and the number
of corresponding events for each user when user tracking is
enabled in LCE.
The unique event types are based on normalized logs such as
firewall, system, correlated, network, and IDS.
Clicking on any of the event counts under the Total column will
display a Type Summary of matching events.


Port Summary

A port summary can be invoked. This tool produces a table of the
top used ports and combines counts for source and destination
ports into one overall count.
Clicking on the event count will display a Type Summary of
events filtered for that port.
Port 0 events are host-based events that are not
specific to any particular TCP/UDP port.

Protocol Summary

This tool summarizes counts of events based on IP protocols.
Clicking on the event total displays a Type Summary view of
events filtered by the selected protocol.

IP Summary

Class A Summary
Class B Summary
Class C Summary

SecurityCenter provides the ability to quickly summarize matching
IP addresses by single IP, Class A, Class B and Class C
addresses.
The IP Summary tool displays the associated LCE server along
with the IP address of the reporting system and the event
count for that system. For example, if an LCE system with the IPv4
address of 192.168.10.10 has been named Tier1LCE and is
reporting on events from IPv4 address 192.168.20.30, the
information in the IP Address field will display
Tier1LCE/192.168.20.30 for that system.
Clicking on an IP address displays a Host Detail window for that IP
address. SecurityCenter 4.8 calculates and loads Host Detail
assets incrementally to enhance system performance. The System
Information box displays information about the NetBIOS Name (if
known), DNS Name (if known), MAC address (if known), OS (if
known), Score, Repository, Last Scan, Passive Data, Compliance
Data, and Vulnerabilities. The Assets box displays which asset
lists the IP address belongs to. The Useful Links box contains a
list of resources that can be queried by IP address. Clicking on one
of the Resource links causes the resource to be queried with the
current IP address. For example, if the current IP address was a
publicly registered address, clicking on the ARIN link causes the
ARIN database to be queried for the registration information for that
address. If custom resources have been added by the
administrative user (via the Manage IP Address Information Links
selection under the Customization tab), they will be displayed
here.
The Sum by Class A, B, and C tools work by displaying matching
addresses. Clicking on the number displayed in the Total column
will display the Type Summary for that IP range.

Raw Syslog Events

Users can choose to view the original log message or IDS event for
full forensic analysis.


It is recommended that users attempt some sort of filtering match
first before attempting to find their desired event. Users will typically
sort their results and drill into the list until they find what they are
looking for before attempting to view the raw data.

Load Query
This option loads a predefined query and displays the current dataset against that query. Click on Load Query to display
a box with all available queries and their group name (if applicable) next to it. Entering text in the search box will narrow
the list to the matching criteria. After clicking on an individual query, the event view is changed to match that query view
for the current dataset.

Additional Event Analysis Options


The following options are available in the upper right-hand corner of the event analysis screen:

Additional Event Analysis Options

Save Query
This option, available in the upper right-hand corner of the web interface, saves the current event view as a query for
reuse. If this link is clicked, a dialog similar to the one below is displayed:

Event Query Options

The table below describes the available query options:


Table 17 Query Options

Option

Description

Name

Query name

Tag

This option provides a logical grouping for created query objects. Tag names can be
reused as desired. This reduces lengthy lists of queries with no logical grouping.
Objects shared with new users will retain the tag specified by the creator.

Description

This option enables users to provide a description of the query.

Visibility

Visibility may be specified as User or Organizational. If User is specified, only the
current user has access to the saved query, otherwise, all users within the
organization have query access.

Save as [Timeframe]

When the query is run subsequently, use the relative event time frame currently in use
rather than the explicit time frame in use. For example, the relative time frame
is set to the last 72 hours. The explicit time frame is 11/5/2012 at 1pm through
11/8/2012 at 1pm. Checking this box will save the query as the last 72 hours from the
time it is selected. Leaving the box unchecked will save the query from 11/5/2012 at
1pm through 11/8/2012 at 1pm.

Save Asset
Event results can be saved to an asset list for later use by clicking on the Save Asset link in the upper right-hand side of
the screen.

Save as Asset Options


The table below describes the available asset options:


Table 18 Asset Options

Option

Description

Name

Asset name

Tag

A logical grouping for created asset objects. Tag names can be reused as desired.
This reduces lengthy lists of assets with no logical grouping. Objects shared with new
users will retain the tag specified by the creator.

Description

Asset description

Visibility

User or Organizational. If User is specified, only the current user has access to the
saved query, otherwise, all users within the organization have query access.

Open Ticket

Ticket Options

Tickets are used within SecurityCenter to assist with the assessment and remediation of vulnerabilities and security
events. Use this option to open a ticket based on the current event view. Click on the Open Ticket link and complete the
relevant fields as described below:


Table 19 Ticket Options

Option

Description

Name

Ticket name

Description

Ticket description

Notes

Notes to be used within the ticket and read by the ticket assignee.

Assign To

Ticket assignee

Classification

Information, Configuration, Patch, Disable, Firewall, Schedule, IDS, Accept Risk,
Recast Risk, Re-scan Request, False Positive, System Probe, External Probe,
Investigation Needed, Compromised System, Virus Incident, Bad Credentials,
Unauthorized Software, Unauthorized System, Unauthorized User, or Other.

More Options
Save Watchlist
A watchlist is an asset list that is used to maintain lists of IPs not in the user's managed range of IP addresses. The
screen capture below demonstrates a sample watchlist configuration:

Watchlist Options

IPs from a watchlist can be filtered on regardless of your IP range configuration. This proves to be beneficial when
analyzing event activity originating outside of the user's managed range. For example, if a block of IP addresses is a
known source of malicious activity, it could be added to a watchlist called "malicious IPs" and added to a custom query.
If Exclude Managed Ranges is selected, the watchlist will encompass the IPs within the current view, except those that
are part of the organization's managed ranges. Otherwise, the watchlist will encompass all IPs within the current view.


Export as CSV
Event results can be exported to a comma-separated file for detailed analysis outside of SecurityCenter by clicking on the
More link and then the Export as CSV option.
If the record count (rows displayed) of any CSV export is greater than 1,000 records, a pop-up is displayed that prompts
for the name of the CSV report to be generated. When complete, the report can be downloaded from the Report Results
screen. For CSV exports of under 1,000 records, the browser's standard Save As dialog window is displayed.

Save CSV Report

Create Report
This option is used to create a report based on the existing event view.

Report Launch Dialog


Event Filters
Clicking on Edit Filters displays a page similar to one available for searching vulnerability data:

Event Filter Options

See the table below for detailed descriptions of these options:

All filter search fields are case-sensitive. For example, to search for the string "Open Port", both words must
be capitalized in the search string.
Table 20 Event Filter Options

Filter

Description

Analysis Tool Filter

Analysis Tool

This drop-down is used to choose the analysis tool used by the filter. This is the same
as selecting the desired analysis tool from the Analysis -> Events dialog. These
tools are described in detail in the Analysis Tools section.

Active Filters

This field displays the existing filters and allows the user to selectively remove filters as
needed. In the example below, the Active Filters displayed are Timeframe, Type, and
Targeted IDS Events. Clicking the X next to any one of these filters will remove that
filter from the displayed events.


Event Filters

Target Filters
Address

Specifies an IP address, range, or CIDR block to limit the displayed events. For
example, entering 192.168.10.0/24 limits any of the web tools to only show event data
from that network. Addresses can be entered on separate lines or comma separated.

Port

This filter is in two parts. First the type of filter can be specified to allow matching
vulnerabilities with the specified ports (=) or excluding ports (!=). The port filter may
specify a single port, comma separated list of ports, or range of ports (e.g., 8000-8080).
All host-based vulnerability checks are reported with a port of 0 (zero).

Protocol

Specify the protocol of the event (Any, TCP, UDP, ICMP, or Unknown).

Direction

Filter by event direction (Any, Inbound, Outbound, and Internal).

Asset

Filter the event by asset list. Select an asset list from those available. To narrow down
the number of displayed asset lists, enter text to filter on in the search box.

Output Assets (only available in the Asset Summary analysis tool)

This filter displays only the desired asset list systems.

Event Filters
Timeframe

A shortcut to this configuration item is available by clicking on the date
field directly below the Analysis Tool as described in this document here.

An explicit timeframe is displayed by default. Specify either an explicit or relative
timeframe for the event filter. Choosing explicit opens up a calendar dialog allowing the
user to select the from and to dates and times. Relative timeframes range from the
last 15 minutes to the last 12 months and All.


Normalized Event

The Normalized Event is the name given to the event by the LCE after the LCE runs
its PRM and TASL scripts against it.

Detailed Event

This is the detailed event name given by the IDS vendor. For example, an event
received from a Snort sensor can have a detailed event name of DOUBLE DECODING
ATTACK, which means that HTTP_INSPECT 119:2:1 fired and was sent to the LCE.

Type

Clicking in this box generates a drop-down that allows one to select the event type
(e.g., error, lce, login, intrusion, etc.).

Sensor

Filter the events by sensor using the equal (=) or not equal (!=) operators.

User

Specify only events tied to a particular username.

Targeted IDS Events

This filter checkbox selects IDS events that have targeted systems and ports with
vulnerabilities likely to be exploited by the detected attack. This is determined by
comparing the host's vulnerabilities (CVE, etc.) against those tied to the actual IDS
event.

Syslog Text

(Raw Syslog Events Analysis Tool) String to search for within the filtered event. When
using LCE server version 4.0.1 and newer, the text search is case-insensitive and
Boolean operators may be used. For example:
text="(drive AND serial) OR utilization"
This filter is case-sensitive when using LCE version 4.0.0 and earlier.

Advanced Filters
LCEs

Specify the LCEs to obtain events from. Use <CTRL> or <Shift> + click to select more
than one.

Repositories

Specify the Repositories to obtain events from. Use <CTRL> or <Shift> + click to
select more than one.

Source Address

Specifies an IP address or CIDR block to limit the displayed events based on source.
For example, entering 192.168.10.0/24 limits any of the web tools to only show event
data with source IPs in that block. Addresses can be comma separated.

Destination Address

Specifies an IP address or CIDR block to limit the displayed events based on
destination. For example, entering 192.168.10.0/24 limits any of the web tools to only
show event data with destination IPs in that block. Addresses can be comma separated.

Source Port

This filter is in two parts. First the type of filter can be specified to allow matching
events with the same ports (=) or different ports (!=). The port filter may specify a
single, comma separated list of ports or range of ports (e.g., 8000-8080).

Destination Port

This filter is in two parts. First the type of filter can be specified to allow matching
events with the same ports (=) or different ports (!=). The port filter may specify a
single, comma separated list of ports or range of ports (e.g., 8000-8080).

Source Asset

Events originating from the defined source asset list.


Destination Asset

Events destined for the defined destination asset list.
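The Syslog Text filter above accepts Boolean expressions such as text="(drive AND serial) OR utilization". As an added example that is not Tenable's or LCE's code, the following small parser evaluates such an expression case-insensitively over raw syslog lines (the sample lines are constructed; treating only uppercase AND, OR and NOT as operators is an assumption).

```python
import re

# Tokens: parentheses, the operator words, or a bare search term.
# Treating uppercase AND/OR/NOT as the operators is this example's assumption.
_TOKEN = re.compile(r"\(|\)|\bAND\b|\bOR\b|\bNOT\b|[^\s()]+")


def compile_text_query(query):
    """Compile a query such as '(drive AND serial) OR utilization' into a predicate over
    one log line. Terms match case-insensitively as substrings; NOT binds tighter than
    AND, AND tighter than OR, and parentheses group."""
    tokens = _TOKEN.findall(query)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of query")
        pos += 1
        return tokens[pos - 1]

    def parse_or():
        node = parse_and()
        while peek() == "OR":
            take()
            node = (lambda l, r: lambda s: l(s) or r(s))(node, parse_and())
        return node

    def parse_and():
        node = parse_not()
        while peek() == "AND":
            take()
            node = (lambda l, r: lambda s: l(s) and r(s))(node, parse_not())
        return node

    def parse_not():
        if peek() == "NOT":
            take()
            inner = parse_not()
            return lambda s: not inner(s)
        tok = take()
        if tok == "(":
            inner = parse_or()
            if take() != ")":
                raise ValueError("unbalanced parentheses")
            return inner
        term = tok.lower()
        return lambda s: term in s.lower()

    pred = parse_or()
    if peek() is not None:
        raise ValueError(f"unexpected token {peek()!r}")
    return pred


def search_lines(query, lines):
    """Return the raw syslog lines that satisfy the Boolean query."""
    pred = compile_text_query(query)
    return [line for line in lines if pred(line)]


# Constructed raw syslog lines for the demonstration; not real LCE output.
RAW_SYSLOG = [
    "smartd[812]: Device: /dev/sda, SMART Usage Attribute: 194 Temperature_Celsius changed",
    "smartd[812]: Device: /dev/sdb, Drive serial WD-ABC123 reports reallocated sectors",
    "collectd[203]: cpu utilization 97% on core 3",
    "sshd[991]: Accepted password for admin from 192.168.10.5 port 51234 ssh2",
]
```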

Clicking on Reset View causes the display to return to the default screen.
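To make the Address and Port filter syntax from the table above concrete (the same port list syntax also appears as the custom Port Scan Range in Table 24 below), here is an added example that is not Tenable's code: it parses single IPs, a-b ranges and CIDR blocks, port lists and port ranges, and applies them with the = and != operators to a few constructed events. Matching the address and port on either end of the flow is this example's assumption.

```python
import ipaddress
import re
from collections import namedtuple

# Field names are this example's own, not LCE's event schema.
Event = namedtuple("Event", "src dst src_port dst_port proto")


def parse_ports(spec):
    """Expand '8000-8080,53' (single ports, comma lists, ranges) into a set of ints."""
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            ports.update(range(lo, hi + 1))
        elif part:
            ports.add(int(part))
    return ports


def parse_addresses(spec):
    """Parse comma- or newline-separated IPs, CIDR blocks and 'a-b' ranges into
    (low, high) integer pairs."""
    ranges = []
    for part in re.split(r"[,\n]", spec):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(ipaddress.ip_address(x.strip())) for x in part.split("-", 1))
        else:
            net = ipaddress.ip_network(part, strict=False)  # a bare IP becomes a /32
            lo, hi = int(net[0]), int(net[-1])
        ranges.append((lo, hi))
    return ranges


def addr_in(ranges, ip):
    n = int(ipaddress.ip_address(ip))
    return any(lo <= n <= hi for lo, hi in ranges)


def event_matches(ev, address="", port="", port_op="=", protocol="Any"):
    """Apply the Address, Port (= or !=) and Protocol filters to one event.
    Address and port are tested on either end of the flow (assumption)."""
    if address:
        ranges = parse_addresses(address)
        if not (addr_in(ranges, ev.src) or addr_in(ranges, ev.dst)):
            return False
    if port:
        hit = bool(parse_ports(port) & {ev.src_port, ev.dst_port})
        if hit != (port_op == "="):  # "=" keeps hits, "!=" keeps misses
            return False
    if protocol != "Any" and ev.proto != protocol:
        return False
    return True


def filter_events(events, **filters):
    return [ev for ev in events if event_matches(ev, **filters)]


# Constructed sample events; the addresses are made up for this example.
EVENTS = [
    Event("192.168.10.5", "10.0.0.8", 51234, 22, "TCP"),
    Event("192.168.10.7", "10.0.0.9", 51235, 8080, "TCP"),
    Event("172.16.0.3", "10.0.0.8", 40000, 53, "UDP"),
    Event("192.168.20.30", "10.0.0.8", 0, 0, "TCP"),  # port 0: host-based event
]
```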

Scanning
The Scans function of the SecurityCenter provides the ability to create, view, configure, control, and schedule Nessus
scans. Clicking on Scans under the Scanning tab displays a list of all available Nessus scans along with their
associated Policy Name/Plugin ID, Start Time, Status, Group/Owner, and Schedule:

SecurityCenter Scan Listing

Scans
Authorized users can create a scan by clicking on Add under the Scans tab or by copying an existing scan template.
Newly created scans are shared to everyone within the same user group when users have the appropriate permissions. A
menu selection similar to the screen capture below is displayed showing five page tabs: Basic, Policy and Credential,
Policy, Plugin Preferences, and Post Scan. While adding a new scan, if a required field is omitted, the user interface will
display the omitted field with a red border and not allow for the page submission to occur until a valid entry has been added.

Add Scan Dialog Box


Basic Options
The table below describes options available on the Basic tab.
Table 21 Basic Scan Options

Parameter

Description

Name

The scan name will be associated with the scan's results and may be any name or
phrase (e.g., SystemA, DMZ Scan, Daily Scan of the Web Farm, etc.).

Description

Descriptive information related to the scan.

Schedule

The drop down menu provides the ability to schedule a scan for Now, Once, Daily,
Weekly, Monthly(Day), Monthly(Date), Template, or Dependent. The
Template selection provides the ability to create a scan template that may be
launched manually at any time. The Dependent selection enables the scan to be
scheduled after the completion of a scan selected from the displayed drop down menu.

Import Repository

Specifies the repository where the scan results will be imported. Select a repository to
receive IPv4 or IPv6 results appropriate to the scan being conducted.
When scanning one or more asset lists, the asset list must contain IPs in
the repository IP ranges or the following error is displayed: Entered IPs
and Assets are empty. Log in as the administrator user to view the
contents and associated repositories of an asset list.

Scan Targets

The scan can target one or more of a user's Asset Lists or manually entered Targets.
IPv4 or IPv6 addresses or hostnames entered into the Targets box must be complete
IP addresses, network ranges, CIDR blocks, or DNS hostnames. The addresses or
hostnames entered into the Targets box will be merged with any selected asset lists,
preventing scanning of unauthorized targets.
Scanning both IPv4 and IPv6 addresses in the same scan is not
supported due to the ability to only select one Import Repository.


Policy and Credential Options

From this tab the scan type, scan zone, and authentication settings are configured.

Policy and Credentials Screen

The scan policy contains plugin settings and advanced directives used during the course of the Nessus scan. Within the
Scan Type section, two radio buttons are available, Policy and Plugin. If the Policy radio button is selected, the side
tabs for Policy and Plugin Preferences are grayed out. If the Plugin radio tab is selected, both options are available for
further configuration.
If Scan Zone is set to Selectable for the user, a drop-down box will be available to allow for the selection of the scan
zone to be used for the scan. If All Zones are selected, the Scan Zone that most closely matches the host or range of
hosts to be scanned will be selected from the zones available. When Scan Zone is set to forced, the Scan Zone box is
greyed out and is not able to be modified.
The Authentication section allows users to select pre-configured credential sets for authenticated scanning.
SecurityCenter supports the use of up to four Windows credential sets, four SNMP credential sets, an SSH credential set,
one Database credential set, and a Kerberos credential set per scan.
Policy Options
This tab is only available if a single plugin scan was selected in the Policy and Credential tab. Scan policies
are modified by navigating to Support -> Scan Policies.


Scan Policy Configuration Page

The table below contains a description of all available options on the Policy configuration page.
Table 22 Scan Options

Option

Description

Safe Checks

Nessus can attempt to identify remote vulnerabilities by interpreting banner information
and attempting to exercise a vulnerability. This is not as reliable as a full probe, but is
less likely to negatively impact a targeted system.

Silent Dependencies

If this option is checked, the list of dependencies is not included in the report. To
include the list of dependencies in the report, uncheck the box.

Consider Unscanned Ports as Closed

With this setting enabled, ports that are not enumerated by the port scan will not be
tested. For example, scanning ports 21, 22, and 23 will only test those ports and not
any other port.

The Port Scanners frame controls which methods of port scanning should be enabled for the scan:
Table 23 Port Scanners Options

Option

Description

TCP Scan

Use Nessus' built-in TCP scanner to identify open TCP ports on the targets. This
scanner is optimized and has some self-tuning features.
On some platforms (e.g., Windows and Mac OS X), if the operating
system is causing serious performance issues using the TCP scanner,
Nessus will launch the SYN scanner.


UDP Scan

This option engages Nessus' built-in UDP scanner to identify open UDP ports on the
targets.
UDP is a stateless protocol, meaning that communication is not done
with handshake dialogues. UDP-based communication is not always
reliable, and because of the nature of UDP services and screening
devices, they are not always remotely detectable. Scans using the UDP
scanner will take significantly longer to complete.

SYN Scan

Use Nessus' built-in SYN scanner to identify open TCP ports on the targets. SYN
scans are a popular method for conducting port scans and generally considered to be
a bit less intrusive than TCP scans. The scanner sends a SYN packet to the port, waits
for a SYN-ACK reply and determines port state based on the reply, or lack of reply.

SNMP Scan

Direct Nessus to scan targets for an SNMP service. Nessus will guess relevant SNMP
settings during a scan. If the settings are provided by the user under Preferences,
this will allow Nessus to better test the remote host and produce more detailed audit
results. For example, there are many Cisco router checks that determine the
vulnerabilities present by examining the version of the returned SNMP string. This
information is necessary for these audits.

Netstat SSH Scan

This option uses netstat to check for open ports from the local machine. It relies on
the netstat command being available via an SSH connection to the target. This scan
is intended for Unix-based systems and requires authentication credentials.

Netstat WMI Scan

This option uses netstat to check for open ports from the local machine. It relies on
the netstat command being available via a WMI connection to the target. This scan
is intended for Windows-based systems and requires authentication credentials.

Ping Host

This option enables the pinging of remote hosts on multiple ports to determine if they
are alive.

The Port Scan Options frame directs the scanner to target a specific range of ports. The following values are allowed
for the Port Scan Range option:
Table 24 Values for Port Scan Options

Value

Description

default

Using the keyword default, Nessus will scan approximately 4,789 common ports
(found in the nessus-services file).

Custom List

A custom range of ports can be selected by using a comma delimited list of ports or
port ranges. For example, 21,23,25,80,110 or 1-1024,8080,9000-9200 are allowed.
Specifying 1-65535 will scan all ports.

The range specified for a port scan will be applied to both TCP and UDP scans.

The Performance frame provides two options that control how many scans will be launched. These options are perhaps
the most important when configuring a scan as they have the biggest impact on scan times and network activity.


Table 25 Performance Options

Option

Description

Max Checks Per Host

This setting limits the maximum number of checks a Nessus scanner will perform
against a single host at one time.

Max Hosts Per Scanner

This setting limits the maximum number of hosts that a Nessus scanner will scan at
the same time. If the scan is using a zone with multiple scanners, each scanner will
accept up to the amount specified in the Max Hosts Per Scan option. For example, if
the Max Hosts Per Scan is set to 5 and there are five scanners per zone, each
scanner will accept five hosts to scan, allowing a total of 25 hosts to be scanned
between the five scanners.

Max Scan Time (hours)

This setting limits the length of time a scan is allowed to run. If a scan reaches this
limit, the unscanned targets are captured in a new rollover scan that can be run
manually or scheduled at a later time.

Max TCP Connections

This setting limits the maximum number of TCP sessions established by any of the
active scanners while scanning a single host.

Plugin Preferences
The Plugin Preferences tab includes means for granular control over scan settings. Selecting an item from the drop-down
menu will display further configuration items for the selected category. Note that this is a dynamic list of
configuration options that is dependent on the plugin feed, audit policies, and additional functionality that the connected
Nessus scanner has access to. This list may also change as plugins are added or modified.

Scan Plugin Preferences

The Antivirus Software Check (plugin 16193) option determines the delay in the number of days of reporting the
software as being outdated. The valid values are between 0 (no delay, default) and 7.
The Cisco IOS Compliance Checks (plugin 46689) options determine the Cisco IOS configuration file to audit. The
available options are Saved, Running, or Startup. Only one type of configuration file may be selected.


If a secure method of performing credentialed checks is not available, users can force Nessus to attempt to perform
checks over insecure protocols by configuring the Cleartext protocols settings (plugin 21744) drop-down menu item.
The cleartext protocols supported for this option are telnet, rsh, and rexec. The unsafe! warning serves as a reminder
that the information is being sent across the network in an unencrypted manner.

Plugin 21744: Cleartext protocols settings

The Database settings (plugin 33815) option is not used in SecurityCenter 4.8 and newer. Database credentials and settings
are now part of the Credentials setting under the Support tab.
Dell Force10 FTOS Compliance Checks (plugin 72461) allows for assigning up to 5 compliance policy files to check the
configuration file uploaded after exporting from a Dell Force10 FTOS device.
Do not scan fragile devices (plugin 22481) instructs the Nessus scanner to scan network printers or Novell Netware
hosts if unselected. Since both of these technologies are more prone to denial of service conditions, Nessus can skip
scanning them once identified. This is particularly recommended if scanning is performed on production networks.

Plugin 22481: Do not scan fragile devices

Global variable settings (plugin 12288) contains a wide variety of configuration options for the Nessus server.


Plugin 12288: Global variable settings


Table 26 Global Variable Settings

Option

Description

Probe services on every port

Attempts to map each open port with the service that is running on that port. Note that in
some rare cases, this might disrupt some services and cause unforeseen side effects.

Do not log in with user accounts not specified in the policy

Used to prevent account lockouts if the password policy is set to lock out accounts
after several invalid attempts.

Enable CGI scanning

Activates CGI checking. Disabling this option will greatly speed up the audit of a local
network.

Network type

Specifies if the network type uses public routable IPs, private non-internet routable IPs
or a mix of these. Select Mixed if using RFC 1918 addresses and there are multiple
routers within the network.

Enable experimental
scripts

Causes plugins that are considered experimental to be used in the scan. Do not
enable this setting while scanning a production network.
Tenable does not release scripts flagged as experimental in either
plugin feed.

Thorough tests (slow)

Causes various plugins to work harder. For example, when looking through SMB file
shares, a plugin can analyze 3 levels deep instead of 1. This could cause much more
network traffic and analysis in some cases. Note that by being more thorough, the
scan will be more intrusive and is more likely to disrupt the network, while potentially
having better audit results.


Report verbosity

Some plugins will try to capture output during a scan to prove that a vulnerability
exists. The Normal setting (default) uses the plugin settings to determine how much
output to capture. The Quiet setting disables capturing of most data. The Verbose
setting removes most of the high limits of the data capture settings and reports the
entire contents of the file.

Report paranoia

In some cases, Nessus cannot remotely determine whether a flaw is present or not. If
the report paranoia is set to Paranoid (more false alarms) then a flaw will be
reported every time, even when there is a doubt about the remote host being affected.
Conversely, a paranoia setting of Avoid false alarm will cause Nessus to not report
any flaw whenever there is a hint of uncertainty about the remote host. The default
option (Normal) is a middle ground between these two settings.

HTTP User-Agent

Specifies which type of web browser Nessus will impersonate while scanning.

SSL certificate to use

Allows Nessus to use a client-side SSL certificate for communicating with a remote host.

SSL CA to trust

Specifies a Certificate Authority (CA) that Nessus will trust.

SSL key to use

Specifies a local SSL key to use for communicating with the remote host.

SSL password for SSL key

The password for managing the SSL key specified.

Hosts File Whitelisted Entries (plugin 73980) allows entries in a customized hosts file to be uploaded and whitelisted
against plugins that check for abnormalities in the hosts file on scanned systems.
HTTP cookies import (plugin 42893) facilitates web application testing. Nessus can import HTTP cookies from another
piece of software (web browser, web proxy, etc.) with these settings. A cookie file can be uploaded so that Nessus uses
the cookies when attempting to access a web application. The cookie file must be in Netscape format.
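The Netscape cookie file format the import expects can be checked before upload. The following is an added example, not Tenable's or Nessus' code: it parses a constructed cookies.txt, reports malformed lines, and shows which cookies a client would actually present to a given host and path (so a cookie that is expired, Secure-only or scoped to another path is visible as a likely cause of a failed authenticated test). Accepting curl's "#HttpOnly_" domain prefix is an assumption of this example.

```python
"""Parse a Netscape-format cookie file like the one plugin 42893 imports.

Added example, not Tenable's or Nessus' code. The format is the classic
Netscape cookies.txt layout: one cookie per line, seven TAB-separated fields
(domain, include_subdomains, path, secure, expires, name, value), '#' comments.
The '#HttpOnly_' domain prefix is curl's extension for HttpOnly cookies and is
accepted here as an assumption. The sample file below is constructed.
"""
import time
from dataclasses import dataclass


@dataclass
class Cookie:
    domain: str
    include_subdomains: bool
    path: str
    secure: bool
    expires: int            # Unix time; 0 means a session cookie
    name: str
    value: str
    http_only: bool = False

    def is_expired(self, now=None):
        if self.expires == 0:
            return False
        return self.expires < (time.time() if now is None else now)


def parse_netscape_cookies(text):
    """Return (cookies, errors): parsed Cookie objects and per-line problems."""
    cookies, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        http_only = False
        if line.startswith("#HttpOnly_"):
            http_only = True
            line = line[len("#HttpOnly_"):]
        elif line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            errors.append(f"line {lineno}: expected 7 tab-separated fields, got {len(fields)}")
            continue
        domain, subs, path, secure, expires, name, value = fields
        if subs not in ("TRUE", "FALSE") or secure not in ("TRUE", "FALSE"):
            errors.append(f"line {lineno}: flag fields must be TRUE or FALSE")
            continue
        if not expires.isdigit():
            errors.append(f"line {lineno}: expiry must be a Unix timestamp")
            continue
        if not name:
            errors.append(f"line {lineno}: empty cookie name")
            continue
        cookies.append(Cookie(domain, subs == "TRUE", path, secure == "TRUE",
                              int(expires), name, value, http_only))
    return cookies, errors


def cookie_header(cookies, host, path, https, now=None):
    """Build the Cookie: header value a client would send to host/path.

    Simplified RFC 6265 matching: domain (with optional subdomains), path
    prefix, Secure flag against the scheme, and expiry against `now`.
    """
    parts = []
    for c in cookies:
        if c.is_expired(now):
            continue
        base = c.domain.lstrip(".")
        if host != base and not (c.include_subdomains and host.endswith("." + base)):
            continue
        if not path.startswith(c.path):
            continue
        if c.secure and not https:
            continue
        parts.append(f"{c.name}={c.value}")
    return "; ".join(parts)


# Constructed sample cookies.txt (TABs written as \t so the fields stay visible).
SAMPLE = "\n".join([
    "# Netscape HTTP Cookie File (constructed sample)",
    ".example.test\tTRUE\t/\tTRUE\t2000000000\tPHPSESSID\tabc123",
    "#HttpOnly_app.example.test\tFALSE\t/admin\tFALSE\t0\tcsrftoken\txyz",
    ".example.test\tTRUE\t/\tFALSE\t1000000000\tstale\told",
    "this line has no tabs and should be reported",
])

if __name__ == "__main__":
    cookies, errors = parse_netscape_cookies(SAMPLE)
    print(f"{len(cookies)} cookies parsed, {len(errors)} bad lines")
    print(cookie_header(cookies, "app.example.test", "/admin/users", True, now=1500000000))
```

Run against a real export, the second call is the useful one: if the header comes back empty for the application's host and path, the imported cookies will not help the scan no matter how they were captured.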
The HTTP login page (plugin 11149) settings provide control over where authenticated testing of a custom web-based
application begins. See this whitepaper for more details about configuring web applications that require authentication.


Plugin 11149: HTTP login page


Table 27 HTTP Login Page Settings

Login page
    The base URL to the login page of the application.

Login form
    The action parameter for the form method. For example, the login form for <form
    method="POST" name="auth_form" action="/login.php"> would be /login.php.
    This option is not required if the Automated login page search option
    specified below is used.

Login form fields
    Specify the authentication parameters (e.g., login=%USER%&password=%PASS%). If
    the keywords %USER% and %PASS% are used, they will be substituted with values
    supplied on the Login configurations drop-down menu.
    This option is not required if the Automated login page search option
    specified below is used.

Login form method
    Specify POST or GET based on the login form requirements.
    This option is not required if the Automated login page search option
    specified below is used.

Automated login page search
    Gives Nessus the option to parse the login page for form options and attempt to log in
    based on detected fields. This option works in conjunction with the HTTP cookies
    import (plugin 42893) to simplify form-based authentication.
    If more than one form is available on a web page (uncommon), use the
    manual login form parameters specified above instead.

Re-authenticate delay (seconds)
    The time delay between authentication attempts. This is useful to avoid triggering brute
    force lockout mechanisms.

Check authentication on page
    The URL of a protected web page that requires authentication, to better assist Nessus
    in determining authentication status.

Follow 30x redirections (# of levels)
    If a 30x redirect code is received from a web server, this directs Nessus to follow the
    link provided or not.

Authenticated regex
    A regex pattern to look for on the login page. Simply receiving a 200 response code is
    not always sufficient to determine session state. Nessus can attempt to match a given
    string such as Authentication successful!

Invert test (disconnected if regex matches)
    A regex pattern to look for on the login page that, if found, tells Nessus authentication
    was not successful (e.g., Authentication failed!).

Match regex on HTTP headers
    Rather than search the body of a response, Nessus can search the HTTP response
    headers for a given regex pattern to better determine authentication state.

Case insensitive regex
    The regex searches are case sensitive by default. This instructs Nessus to ignore case.

Abort web application tests if login fails
    If authentication fails to the web page, further actions by the plugin will be halted.
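The regex options above decide whether the scanner believes it is logged in, and a pattern that matches both outcomes silently turns every later web test into an unauthenticated one. The following added example (not Tenable's or Nessus' code) re-implements those four options as one function so a pattern can be tried against saved login responses before it goes into a policy; the responses and their bodies are constructed.

```python
"""Evaluate the 'HTTP login page' authentication checks against a captured response.

Added example, not Tenable's or Nessus' code: a small re-implementation of the
regex options in Table 27 so an administrator can try a pattern against a saved
login response before putting it into a scan policy. The responses are constructed.
"""
import re


def authenticated(status, headers, body, regex="", invert=False,
                  on_headers=False, ignore_case=False):
    """Return True when the response indicates a logged-in session.

    regex        'Authenticated regex': pattern that must appear when login worked
    invert       'Invert test': a match means the login FAILED instead
    on_headers   'Match regex on HTTP headers': search headers, not the body
    ignore_case  'Case insensitive regex'
    With no regex configured only the status code is used, which is exactly
    the weak heuristic the guide warns about.
    """
    if not regex:
        return status == 200
    flags = re.IGNORECASE if ignore_case else 0
    if on_headers:
        haystack = "\r\n".join(f"{k}: {v}" for k, v in headers.items())
    else:
        haystack = body
    matched = re.search(regex, haystack, flags) is not None
    return (not matched) if invert else matched


def check_policy(samples, **options):
    """Run one set of options over (label, status, headers, body) samples.

    Returns {label: bool}; a useful pre-flight to confirm the chosen regex
    separates a successful login from a failed one.
    """
    return {label: authenticated(status, headers, body, **options)
            for label, status, headers, body in samples}


# Constructed responses: both login outcomes return HTTP 200, so the status
# code alone cannot tell them apart.
OK_RESP = (200, {"Content-Type": "text/html"},
           "<html><body><p>Authentication successful! Welcome, alice.</p></body></html>")
FAIL_RESP = (200, {"Content-Type": "text/html"},
             "<html><body><h1>Authentication failed!</h1><form>...</form></body></html>")
REDIRECT_RESP = (302, {"Location": "/home", "Set-Cookie": "session=0123abcd; Path=/; HttpOnly"}, "")
SAMPLES = [("ok",) + OK_RESP, ("fail",) + FAIL_RESP, ("redirect",) + REDIRECT_RESP]

if __name__ == "__main__":
    print("status only:   ", check_policy(SAMPLES))
    print("body regex:    ", check_policy(SAMPLES, regex="Authentication successful!"))
    print("inverted regex:", check_policy(SAMPLES, regex="Authentication failed!", invert=True))
    print("header regex:  ", check_policy(SAMPLES, regex=r"Location: /home", on_headers=True))
```

Two results are worth noting when run: with no regex, the failed login (a 200 page) is counted as authenticated; and an inverted test treats any response that lacks the failure string, including an empty redirect body, as success, which is why the Check authentication on page option is the safer anchor for applications that redirect after login.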

Huawei VRP Compliance Checks (plugin 73157) allows for assigning up to 5 compliance policy files to check the
configuration file uploaded after exporting from a Huawei VRP device.
IBM iSeries Credentials (plugin 57861) are used to specify the credentials for an IBM iSeries system to be tested.
The ICCP/COTP TSAP Addressing (plugin 23812) menu deals specifically with SCADA checks. It determines a Connection
Oriented Transport Protocol (COTP) Transport Service Access Points (TSAP) value on an Inter-Control Center
Communications Protocol (ICCP) server by trying possible values. The start and stop values are set to 8 by default.
LDAP Domain Admins Group Membership Enumeration (plugin 58038) allows for the entry of an LDAP user and
password to be used to attempt to enumerate the members of the Domain Admins group on an LDAP server search
base, which is identified using the LDAP Crafted Search Request Server Information Disclosure plugin (25701). The Max
Results setting limits the enumeration of users to the number entered (1,000 by default).
Login configurations (plugin 10870) allows the Nessus scanner to use credentials when testing HTTP, NNTP, FTP,
POP2, POP3 or IMAP. By supplying credentials, Nessus may have the ability to do more extensive checks to determine
vulnerabilities. HTTP credentials supplied here will be used for Basic and Digest authentication only. For configuring
credentials for a custom web application, use the HTTP login page pull-down menu. Two checkboxes are available on
this page, Never send SMB credentials in clear text and Only use NTLMv2. Both of these settings affect the security of
credentials sent out during Nessus scans.
Using cleartext credentials in any fashion is not recommended! If the credentials are sent remotely, via a
Nessus scan or e-mailing a policy to another administrator, the credentials could be intercepted by anyone
with access to the network. Use encrypted authentication mechanisms whenever possible.


Plugin 10870: Login configurations

Malicious Process Detection (plugin 59275) allows you to upload a custom list of MD5 hashes to identify running
processes on scanned hosts when plugin 65548 is enabled. The format of the file is one MD5 hash per line without any
surrounding whitespace. Optionally a description may be added by putting a comma after the hash and the text of the
description to be displayed in the scan results. Lines beginning with a # symbol are treated as comments and are ignored.
All other items are considered invalid.
# hashes for the foobar malware
11b95ccc1427be5f6c7f0e547bde34e6,foobar malware 1.0
333459378f2d53d861ed2819b8b298af,foobar malware 1.1
f80a405f55c2cd651e58a8fc59550830,foobar malware 1.2
# example.exe
4f8793a9c7560af2cb48f062cd7879af
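A list in this format is easy to get subtly wrong (a stray space, a truncated hash), and an invalid line is dropped rather than matched. The following added example (not Tenable's code) applies the stated format rules to a constructed list, reports the rejected lines, and then performs the same lookup against a set of constructed process images to show how a hit is reported. Skipping blank lines and lower-casing hex digits are assumptions of this example; the hashes are digests of made-up byte strings, not real malware.

```python
"""Check a Malicious Process Detection hash list (plugin 59275) before uploading it.

Added example, not Tenable's code. It applies the format rules the guide gives:
one MD5 per line with no surrounding whitespace, an optional ',description',
'#' comment lines, and everything else invalid. Blank lines are skipped and
hashes are normalised to lowercase; both are assumptions of this example.
The hashes below are computed from constructed sample bytes, not real malware.
"""
import hashlib
import re

MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")


def parse_hash_list(text):
    """Return (entries, invalid): {md5: description} plus (lineno, line) rejects."""
    entries, invalid = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        digest, _, description = line.partition(",")
        if not MD5_RE.match(digest):          # rejects whitespace, wrong length, non-hex
            invalid.append((lineno, line))
            continue
        entries[digest.lower()] = description
    return entries, invalid


def match_processes(entries, processes):
    """Simulate the lookup plugin 65548 performs: hash each executable image and
    report those present in the list as (process name, md5, description)."""
    hits = []
    for name, image_bytes in processes:
        digest = hashlib.md5(image_bytes).hexdigest()
        if digest in entries:
            hits.append((name, digest, entries[digest]))
    return hits


# Constructed sample list: digests of made-up byte strings stand in for malware hashes.
H_EVIL = hashlib.md5(b"constructed sample: evil.exe").hexdigest()
H_TOOL = hashlib.md5(b"constructed sample: tool.exe").hexdigest()
SAMPLE_LIST = "\n".join([
    "# hashes for a constructed malware family",
    f"{H_EVIL},constructed malware 1.0",
    H_TOOL.upper(),                 # valid: no description, upper-case hex
    f" {H_EVIL}",                   # invalid: leading whitespace
    "not-a-hash,bad entry",         # invalid: not 32 hex characters
    "",
])

if __name__ == "__main__":
    entries, invalid = parse_hash_list(SAMPLE_LIST)
    print(f"{len(entries)} valid entries; rejected lines: {invalid}")
    running = [("svchost.exe", b"constructed sample: benign"),
               ("update.exe", b"constructed sample: evil.exe")]
    print(match_processes(entries, running))
```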
The Modbus/TCP Coil Access (plugin 23817) drop-down menu item is dynamically generated by the SCADA plugins.
Modbus uses a function code of 1 to read coils in a Modbus slave. Coils represent binary output settings and are
typically mapped to actuators. The ability to read coils may help an attacker profile a system and identify ranges of
registers to alter via a write coil message. The defaults for this are 0 for the Start reg and 16 for the End reg.
Nessus SYN scanner (plugin 11219) and Nessus TCP scanner (plugin 10335) options allow you to better tune the
native SYN and TCP scanner to detect the presence of a firewall.


Table 28 Nessus SYN and TCP Scanner Settings

Automatic (normal)
    This option can help identify if a firewall is located between the scanner and the target
    (default).

Disabled (softer)
    Disables the Firewall detection feature.

Do not detect RST rate limitation (soft)
    Disables the ability to monitor how often resets are sent and to determine if there is a
    limitation configured by a downstream network device.

Ignore closed ports (aggressive)
    Will attempt to run plugins even if the port appears to be closed. It is recommended
    that this option not be used on a production network.

Oracle settings (plugin 22076) allows the user to enter the Oracle database SID to specify which database to test. In
addition, Test default accounts (slow) enables the Nessus scan to probe for default accounts within the remote database
for vulnerabilities.
Palo Alto Networks PAN-OS Settings (plugin 64286) allows you to set the Username and Password for logging into a
Palo Alto device. Additionally the Port may be customized and the ability to verify the SSL certificate presented.
Patch Management: IBM Tivoli Endpoint Manager Server Settings (plugin 62558) allows the user to enter credentials
for an IBM Tivoli Endpoint Manager Server.
Patch Management: Red Hat Satellite Server Settings (plugin 57063) allows users to enter credentials for Red Hat
Satellite servers. When a Red Hat host is scanned without local credentials, the Satellite server will be queried for and
report the current patch status for the scanned host.
Patch Management: SCCM Server Settings (plugin 57029) allows users to enter credentials for a SCCM server. When
a machine is scanned without local credentials, the SCCM server will be queried for and report the current patch status for
the scanned host.
Patch Management: VMware Go Server Settings (plugin 57026) allows users to enter credentials for a VMware Go
Server. When a machine is scanned without local credentials, the VMware Go server will be queried for and report the
current patch status for the scanned host.
Patch Management: WSUS Server Settings (plugin 57031) allows users to enter credentials for a WSUS server. When
a machine is scanned without local credentials, the WSUS server will be queried for and report the current patch status for
the scanned host.
Patch Report (plugin 66334) allows the user to display superseded patches in the scan report when available. This
setting is turned on by default.
When the preference Display the superseded patches in the report for plugin 66334 is disabled,
vulnerabilities for superseded patches will not appear in SecurityCenter scan results. Disabling this preference
could result in an appearance of mitigated vulnerabilities due to the consolidation of patches as reported by
SecurityCenter.


Ping the remote host (plugin 10180) options allow for granular control over Nessus' ability to ping hosts during discovery
scanning. This can be done via ARP ping, TCP ping, ICMP ping or applicative UDP ping.

Plugin 10180: Ping the remote host


Table 29 Ping the Remote Host Settings

TCP ping destination port(s)
    Specifies the list of ports that will be checked via TCP ping. If you are not sure of the
    ports, leave this setting to the default of built-in.

Do an ARP ping
    Utilize the ARP protocol for pings.

Do a TCP ping
    Utilize the TCP protocol for pings.

Do an ICMP ping
    Utilize the ICMP protocol for pings.

Number of retries (ICMP)
    Allows you to specify the number of attempts to try to ping the remote host. The default
    is set to 2.

Do an applicative UDP ping (DNS, RPC)
    Perform a UDP ping against specific UDP-based applications including DNS (port 53),
    RPC (port 111), NTP (port 123), and RIP (port 520).

Make the dead hosts appear in the report
    If this option is selected, hosts that did not reply to the ping request will be included in
    the security report as dead hosts.

Log live hosts in the report
    Select this option to specifically report on the ability to successfully ping a remote host.

Test the local Nessus host
    This option allows you to include or exclude the local Nessus host from the scan. This
    is used when the Nessus host falls within the target network range for the scan.

Fast network discovery
    By default, when Nessus pings a remote IP and receives a reply, it performs extra
    checks to make sure that it is not a transparent proxy or a load balancer that would
    return noise but no result (some devices answer to every port 1-65535 but there is no
    service behind). Such checks can take some time, especially if the remote host is
    firewalled. If the fast network discovery option is enabled, Nessus will not perform
    these checks.

Interpret ICMP unreach from gateway
    When a ping is sent to a host that is down, its gateway may return an ICMP unreach
    message. When enabled, this option will consider this to mean the host is dead. This is
    to help speed up discovery on some networks.
    Note that some firewalls and packet filters use this same behavior for hosts that are up
    but are connecting to a port or protocol that is filtered. With this option enabled, this will
    lead to the scan considering the host is down when it is indeed up.

Port scanner settings (plugin 33812) provide two options for further controlling port scanning activity.
Table 30 Port Scanner Settings

Check open TCP ports found by local port enumerators
    If a local port enumerator (e.g., WMI or netstat) finds a port, Nessus will also verify it is
    open remotely. This helps determine if some form of access control is being used
    (e.g., TCP wrappers, firewall).

Only run network port scanners if local port enumeration failed
    Otherwise, rely on local port enumeration first.

SMB Registry: Start the Registry Service during the scan (plugin 35703) enables the service to facilitate some of the
scanning requirements for machines that may not have the Remote Registry service running all the time. The
administrative shares may be enabled during the scan if they are not enabled at the beginning of the scan.
Under the SMB Scope (plugin 10917) menu, if the option Request information about the domain is set, then domain
users will be queried instead of local users.
SMB Use Domain SID to Enumerate Users (plugin 10399) specifies the SID range to use to perform a reverse lookup
on usernames on the domain. The default setting (1000 to 1200) is recommended for most scans.
SMB Use Host SID to Enumerate Local Users (plugin 10860) specifies the SID range to use to perform a reverse
lookup on local usernames. The default setting (1000 to 1200) is recommended for most scans.
SMTP settings (plugin 11038) specify options for SMTP (Simple Mail Transport Protocol) tests that run on all devices
within the scanned domain that are running SMTP services. Nessus will attempt to relay messages through the device to
the specified Third party domain. If the message sent to the Third party domain is rejected by the address specified
in the To address field, the spam attempt failed. If the message is accepted, then the SMTP server was successfully
used to relay spam.


Plugin 11038 SMTP settings


Table 31 SMTP Settings

Third party domain
    Nessus will attempt to send spam through each SMTP device to the address listed in
    this field. This third party domain address must be outside the range of the site being
    scanned or the site performing the scan. Otherwise, the test might be aborted by the
    SMTP server.

From address
    The test messages sent to the SMTP server(s) will appear as if they originated from
    the address specified in this field.

To address
    Nessus will attempt to send messages addressed to the mail recipient listed in this
    field. The postmaster address is the default value since it is a valid address on most
    mail servers.

SNMP settings (plugin 19762) allow you to configure Nessus to connect and authenticate to the SNMP service of the
target. During the course of scanning, Nessus will make some attempts to guess the community string and use it for
subsequent tests. If Nessus is unable to guess the community string and/or password, it may not perform a full audit
against the service.

Plugin 19762 SNMP Settings


Table 32 SNMP Settings

UDP port
    Direct Nessus to scan a different port should SNMP be running on a port other than 161.

SNMPv3 user name
    The username for an SNMPv3-based account.

SNMPv3 authentication password
    The password for the username specified.

SNMPv3 authentication algorithm
    Select MD5 or SHA1 based on which algorithm the remote service supports.

SNMPv3 privacy password
    A password used to protect encrypted SNMP communication.

SNMPv3 privacy algorithm
    The encryption algorithm to use for SNMP traffic.

SSH settings (plugin 14273) lets users select SSH settings from the drop-down menu and enter a known_hosts
file for scanning Unix systems. There is also a field for entering the Preferred SSH Port. By default, Nessus will use the
standard TCP port 22 for credentialed Unix scans; however, this setting enables the user to specify a non-standard port
for SSH login attempts.
Service Detection (plugin 22964) controls how Nessus will test SSL based services; known SSL ports (e.g., 443), all
ports or none. Testing for SSL capability on all ports may be disruptive for the tested host.
Unix File Contents Compliance Checks (plugin 72095) audits Unix systems for non-compliant content utilizing a
compliance check.
VMware SOAP API Settings (plugin 57395) provides Nessus with the credentials required to authenticate to VMware
ESX, ESXi, and vSphere Hypervisor management systems via their own SOAP API, as SSH access has been
deprecated. This API is intended for auditing vSphere 4.x / 5.x, ESXi, and ESX hosts, not the virtual machines running on
the hosts. This authentication method can be used to perform credentialed scans or perform compliance audits.

VMware vCenter SOAP API Settings (plugin 63060) provides Nessus with the credentials required to authenticate to
VMware vCenter management systems via their own SOAP API. The API is intended for auditing vCenter, not the virtual
machines running on the hosts. This authentication method can be used to perform credentialed scans or perform
compliance audits.
Wake-on-LAN (plugin 52616) controls which hosts to send WOL magic packets to before performing a scan and how
long to wait (in minutes) for the systems to boot. The list of MAC addresses for WOL is entered using an uploaded text file
with one host MAC address per line.


For example:
00:11:22:33:44:55
aa:bb:cc:dd:ee:ff
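The MAC list above is the only input the feature takes, so a malformed line means a host that is never woken and is then reported as dead. The following added example (not Tenable's code) validates a constructed list against the one-MAC-per-line, colon-separated form shown, builds the standard magic packet the scanner would broadcast for each entry, and includes the reverse check a network monitor can use to recognise such a packet. Tolerating blank and "#" comment lines is an assumption of this example; nothing here sends traffic.

```python
"""Validate a Wake-on-LAN MAC list (plugin 52616) and show what the scanner sends.

Added example, not Tenable's code. The list format is the one the guide gives
(one MAC per line, colon-separated); tolerating blank lines and '#' comments is
an assumption of this example. The magic packet layout, 6 bytes of 0xFF followed
by the target MAC repeated 16 times, is the standard WOL frame; nothing here puts
packets on the wire, and is_magic_packet() is the check a network monitor could
use to recognise one. The MAC list is constructed.
"""
import re

MAC_RE = re.compile(r"^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$")


def parse_mac_list(text):
    """Return (macs, invalid): lower-cased valid MACs and (lineno, line) rejects."""
    macs, invalid = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not MAC_RE.match(line):
            invalid.append((lineno, raw))
            continue
        macs.append(line.lower())
    return macs, invalid


def magic_packet(mac):
    """Build the 102-byte WOL payload for one MAC address."""
    mac_bytes = bytes.fromhex(mac.replace(":", ""))
    return b"\xff" * 6 + mac_bytes * 16


def is_magic_packet(payload):
    """Return the target MAC if payload is a well-formed magic packet, else None."""
    if len(payload) != 102 or payload[:6] != b"\xff" * 6:
        return None
    mac = payload[6:12]
    if payload[6:] != mac * 16:
        return None
    return ":".join(f"{b:02x}" for b in mac)


# Constructed MAC list, mirroring the guide's two-line example plus bad entries.
SAMPLE_LIST = "\n".join([
    "# WOL targets (constructed)",
    "00:11:22:33:44:55",
    "AA:BB:CC:DD:EE:FF",
    "00-11-22-33-44-66",   # invalid: dash separators
    "00:11:22:33:44",      # invalid: five octets
])

if __name__ == "__main__":
    macs, invalid = parse_mac_list(SAMPLE_LIST)
    print("valid:", macs, "rejected:", invalid)
    for mac in macs:
        pkt = magic_packet(mac)
        print(mac, len(pkt), "bytes, recognised as", is_magic_packet(pkt))
```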

Web Application Tests Settings (plugin 39471) tests the arguments of the remote CGIs (Common Gateway Interface)
discovered in the web mirroring process by attempting to pass common CGI programming errors such as cross-site
scripting, remote file inclusion, command execution, traversal attacks or SQL injection. Enable this option by selecting the
Enable web applications tests checkbox.
These tests are not intended to target web applications implementing client-side technologies such as AJAX
or Flash.
The following web application related plugins depend on plugin 39471:

11139 CGI Generic SQL Injection Vulnerability (CGI abuses)
39465 CGI Generic Command Execution Vulnerability (CGI abuses)
39466 CGI Generic Cross-Site Scripting Vulnerability (quick test) (CGI abuses: XSS)
39467 CGI Generic Path Traversal Vulnerability (CGI abuses)
39468 CGI Generic Header Injection Vulnerability (CGI abuses: XSS)
39469 CGI Generic Remote File Inclusion Vulnerability (CGI abuses)
40406 CGI Generic Tests HTTP Errors (CGI abuses)
42054 CGI Generic SSI Injection Vulnerability (CGI abuses)
42055 CGI Generic Format String Vulnerability (CGI abuses)
42056 CGI Generic Local File Inclusion Vulnerability (CGI abuses)
42423 CGI Generic SSI Injection Vulnerability (HTTP headers) (CGI abuses)
42424 CGI Generic SQL Injection (blind) (CGI abuses)
42425 CGI Generic Persistent Cross-Site Scripting Vulnerability (CGI abuses: XSS)
42426 CGI Generic SQL Injection Vulnerability (HTTP Cookies) (CGI abuses)
42427 CGI Generic SQL Injection Vulnerability (HTTP Headers) (CGI abuses)
42479 CGI Generic SQL Injection Vulnerability (2nd pass) (CGI abuses)
42872 CGI Generic Local File Inclusion Vulnerability (2nd pass) (CGI abuses)
43160 CGI Generic SQL Injection (blind, time based)(CGI abuses)
44134 CGI Generic Unseen Parameters Discovery (CGI abuses)
44136 CGI Generic Cookie Injection Scripting (CGI abuses)
44670 Web Application SQL Backend Identification (CGI abuses)
44967 CGI Generic Command Execution Vulnerability (time based) (CGI abuses)
46193 CGI Generic Cross Site Scripting (HTTP Headers) (CGI abuses: XSS)
46194 CGI Generic Path Traversal Vulnerability (write test) (CGI abuses)
46195 CGI Generic Path Traversal Vulnerability (extended test) (CGI abuses)
46196 CGI Generic XML Injection (CGI abuses)
47830 CGI Generic Injectable Parameter Weakness (CGI abuses)
47831 CGI Generic Cross-Site Scripting Vulnerability (extended test) (CGI abuses: XSS)
47832 CGI Generic On Site Request Forgery Vulnerability (CGI abuses)
47834 CGI Generic Redirection Vulnerability (CGI abuses)
48926 CGI Generic 2nd Order SQL Injection Detection (potential) (CGI abuses)
48927 CGI Generic SQL Injection Detection (potential, 2nd order, 2nd pass) (CGI abuses)
49067 CGI Generic HTML Injections (quick test) (CGI abuses : XSS)
49218 Web Application Session Cookies Not Marked Secure (Web Servers)
50418 CGI Generic Fragile Parameters Detection (Potential) (CGI abuses)
50494 CGI Generic Path Traversal (quick test) (CGI abuses)


The screen capture below is the Web Application Tests Settings input page:

Plugin 39471: Web Application Tests Settings


Table 33 Web Application Tests Settings

Enable web applications tests
    This check box enables web application tests and causes the settings below to be
    evaluated during the test.

Maximum run time (min)
    This option manages the amount of time in minutes spent per NASL script performing
    web application tests. These NASL scripts are listed above. At the time of this writing,
    there are 25 web application test NASLs. The run time of each script varies widely;
    however, the following generic formula applies to the Maximum_run_time:
        scan_time = (num_scripts/max_checks)*Maximum_run_time
    For example:
        (25/5) * 60 = 300 minutes
    This option defaults to 60 minutes and applies to all ports and CGIs for a given web
    site.

Try all HTTP methods
    By default, the Nessus web application tests will only use GET requests, unless this
    option is enabled. Generally, more complex applications use the POST method when
    a user submits data to the application. This setting provides more thorough testing, but
    may considerably increase the time required. When selected, Nessus will test each
    script/variable with both GET and POST requests.

Combinations of arguments values
    This option manages the combination of argument values used in the HTTP requests.
    This drop-down has five options:
    one value: This tests one parameter at a time with an attack string, without trying
    non-attack variations for additional parameters. For example, Nessus would attempt
    /test.php?arg1=XSS&b=1&c=1 where b and c allow other values, without testing
    each combination. This is the quickest method of testing with the smallest result set
    generated.
    some pairs: Like all pairs testing, this will try to test a representative data set based
    on the All-pairs method. However, for each parameter discovered, Nessus will only
    test using a maximum of three valid input variables.
    all pairs (slower but efficient): This form of testing is slightly slower but more
    efficient than the one value test. While testing multiple parameters, it will test an
    attack string, variations for a single variable and then use the first value for all other
    variables. For example, Nessus would attempt /test.php?a=XSS&b=1&c=1&d=1
    and then cycle through the variables so that one is given the attack string, one is
    cycled through all possible values (as discovered during the mirror process) and any
    other variables are given the first value. In this case, Nessus would never test for
    /test.php?a=XSS&b=3&c=3&d=3 when the first value of each variable is 1.
    some combinations: Like all combinations testing, this will perform tests using a
    combination of attack strings and valid input. However, for each parameter discovered,
    Nessus will only test using a maximum of three valid input variables.
    all combinations (extremely slow): This method of testing will do a fully exhaustive
    test of all possible combinations of attack strings with valid input to variables. Where
    All-pairs testing seeks to create a smaller data set as a tradeoff for speed, all
    combinations makes no compromise on time and uses a complete data set of tests.
    This testing method may take a long time to complete.

HTTP Parameter Pollution
    When performing web application tests, attempt to bypass any filtering mechanisms by
    injecting content into a variable while supplying the same variable with valid content as
    well. For example, a normal SQL injection test may look like
    /target.cgi?a='&b=2. With HTTP Parameter Pollution (HPP) enabled, the
    request may look like /target.cgi?a='&a=1&b=2.

Stop at first flaw
    This option determines when a new flaw is targeted. The drop-down has four options:
    per CGI (default): As soon as a flaw is found on a CGI by a script, Nessus switches
    to the next known CGI on the same server, or if there is no other CGI, to the next
    port/server.
    per port (quicker): As soon as a flaw is found on a web server by a script, Nessus
    stops and switches to another web server on a different port. This applies at the script
    level; finding an XSS flaw will not disable searching for SQL injection or header
    injection, but you will have at most one report for each type on a given port.
    per parameter (slow): As soon as one flaw is found in a parameter of a CGI, Nessus
    stops and switches to the next parameter of the same script.
    look for all flaws (slower): Perform extensive tests regardless of flaws found. This
    option can take a long time and is not recommended in most cases.

Test embedded web servers
    Embedded web servers are often static and contain no customizable CGI scripts. In
    addition, embedded web servers may be prone to crash or become non-responsive
    when scanned. Tenable recommends scanning embedded web servers separately
    from other web servers using this option.

URL for Remote File Inclusion
    During Remote File Inclusion (RFI) testing, this option specifies a file on a remote host
    to use for tests. By default, Nessus will use a safe file hosted on Tenable's web server
    for RFI testing. If the scanner cannot reach the Internet, using an internally hosted file
    is recommended for more accurate RFI testing.
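The five Combinations of arguments values settings differ only in how parameter values are enumerated, and the request count is what drives the run time the Maximum run time option caps. The following added example (not Tenable's or Nessus' code) re-creates the five strategies as described over a constructed parameter set and reports the number of distinct requests each would generate, and renders one request with and without HTTP Parameter Pollution. The string "ATTACK" is a placeholder for a test value; the cap of three values for the "some" variants is the figure the guide gives.

```python
"""Enumerate the request sets behind 'Combinations of arguments values' and HPP.

Added example, not Tenable's or Nessus' code: it re-creates the five strategies
Table 33 describes over a constructed set of CGI parameters and their observed
values, so the cost of each setting can be seen as a request count. The string
"ATTACK" is a placeholder for whatever test value a given check would send; the
cap of three valid values for the 'some' variants is the figure the guide gives.
"""
from itertools import product

ATTACK = "ATTACK"
STRATEGIES = ("one value", "some pairs", "all pairs", "some combinations", "all combinations")


def request_sets(params, strategy):
    """params: {name: [observed values...]} (first value = the mirrored default).
    Returns the distinct parameter sets the strategy would send, one attacked
    parameter at a time."""
    names = list(params)
    cap = 3 if strategy.startswith("some") else None
    values = {n: params[n][:cap] for n in names}      # [:None] keeps every value
    first = {n: params[n][0] for n in names}
    out = []

    def add(d):
        if d not in out:
            out.append(d)

    for target in names:
        others = [n for n in names if n != target]
        if strategy == "one value":
            add({**first, target: ATTACK})
        elif strategy in ("some pairs", "all pairs"):
            # one parameter attacked, one cycled through its values, rest at first value
            for cycled in others:
                for v in values[cycled]:
                    add({**first, cycled: v, target: ATTACK})
            if not others:
                add({target: ATTACK})
        elif strategy in ("some combinations", "all combinations"):
            for combo in product(*(values[n] for n in others)):
                d = dict(zip(others, combo))
                d[target] = ATTACK
                add(d)
        else:
            raise ValueError(f"unknown strategy {strategy!r}")
    return out


def build_query(path, request, first, hpp=False):
    """Render one request set as a query string; with hpp=True the attacked
    parameter is also repeated with its valid (first) value, as in the guide's
    /target.cgi?a='&a=1&b=2 example."""
    parts = []
    for name, value in request.items():
        parts.append(f"{name}={value}")
        if hpp and value == ATTACK:
            parts.append(f"{name}={first[name]}")
    return path + "?" + "&".join(parts)


def request_counts(params):
    """Request count per strategy for one CGI; shows why 'all combinations' is slow."""
    return {s: len(request_sets(params, s)) for s in STRATEGIES}


# Constructed parameter set: values as the mirroring step might have observed them.
PARAMS = {"a": ["1", "2"], "b": ["1", "2", "3", "4"], "c": ["1", "2"]}

if __name__ == "__main__":
    for strategy, count in request_counts(PARAMS).items():
        print(f"{strategy:20s} {count:3d} requests")
    first = {n: v[0] for n, v in PARAMS.items()}
    print(build_query("/test.php", request_sets(PARAMS, "one value")[0], first, hpp=True))
```

For the constructed parameters the counts are 3, 11, 13, 16 and 20 requests per test script; with more parameters and more observed values the combination strategies grow multiplicatively while the pairs strategies grow roughly with the sum of the value counts, which is the trade-off the table describes.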


Web mirroring (plugin 10662) sets configuration parameters for Nessus' native web server content mirroring utility. Nessus
will mirror web content to better analyze the contents for vulnerabilities and help minimize the impact on the server.

Plugin 10662 Web mirroring


Table 34 Web Mirroring Settings

Number of pages to mirror
    The maximum number of pages to mirror.

Maximum depth
    Limit the number of links Nessus will follow for each start page.

Start page
    The URL of the first page that will be tested. If multiple pages are required, use a colon
    delimiter to separate them (e.g., /:/php4:/base).

Excluded items regex
    Enable exclusion of portions of the web site from being crawled. For example, to
    exclude the /manual directory and all Perl CGI, set this field to:
    (^/manual)|(\.pl(\?.*)?$).
    Note that in the example above, the period (.) in front of pl is escaped
    out with a backslash to prevent it from being interpreted as a regex
    metacharacter and not as a literal period.

Follow dynamic pages
    If this checkbox is selected, Nessus will follow dynamic links and may exceed the other
    Web mirroring parameters.
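The four limits in Table 34 interact, and the exclusion regex in particular can silently remove pages from the test scope if the period is left unescaped. The following added example (not Tenable's or Nessus' code) walks a constructed site map breadth-first under the page, depth, start-page and exclusion settings using the guide's own regex, and shows the unescaped variant dropping an unrelated page. Applying the regex with search semantics (which the "^" anchor in the guide's example implies) and the site map itself are assumptions of this example.

```python
"""Apply the Web mirroring limits (Table 34) to a constructed site map.

Added example, not Tenable's or Nessus' code. It walks a small link graph
breadth-first under the 'Number of pages to mirror', 'Maximum depth', 'Start
page' and 'Excluded items regex' settings, using the regex example from the
guide. The exclusion regex is applied with re.search semantics (the '^' anchor
in the guide's example suggests this) and the site map is constructed; both
are assumptions of this example.
"""
import re
from collections import deque

EXCLUDE_EXAMPLE = r"(^/manual)|(\.pl(\?.*)?$)"   # the pattern given in the guide
EXCLUDE_UNESCAPED = r"(^/manual)|(.pl(\?.*)?$)"  # the mistake the note warns about


def parse_start_pages(setting):
    """'Start page' takes several paths separated by colons, e.g. '/:/php4:/base'."""
    return [p for p in setting.split(":") if p]


def partition_paths(paths, exclude_regex):
    """Split discovered paths into (crawled, skipped) for one exclusion regex."""
    pat = re.compile(exclude_regex)
    crawled, skipped = [], []
    for p in paths:
        (skipped if pat.search(p) else crawled).append(p)
    return crawled, skipped


def mirror(links, start_pages, max_pages, max_depth, exclude_regex):
    """Return the pages a mirror limited as configured would fetch, in order.

    links: {path: [linked paths]}, a constructed site map standing in for the
    links the crawler would extract from each fetched page.
    """
    pat = re.compile(exclude_regex)
    seen, fetched = set(), []
    queue = deque((page, 0) for page in start_pages)
    while queue and len(fetched) < max_pages:
        path, depth = queue.popleft()
        if path in seen or pat.search(path):
            continue
        seen.add(path)
        fetched.append(path)
        if depth < max_depth:
            for nxt in links.get(path, []):
                if nxt not in seen:
                    queue.append((nxt, depth + 1))
    return fetched


# Constructed site map.
SITE = {
    "/": ["/about.html", "/manual/index.html", "/cgi-bin/search.pl", "/help/repl"],
    "/about.html": ["/team.html"],
    "/team.html": ["/deep.html"],
    "/help/repl": ["/help/faq.html"],
    "/manual/index.html": ["/manual/ch1.html"],
}

if __name__ == "__main__":
    print(mirror(SITE, parse_start_pages("/"), max_pages=10, max_depth=2,
                 exclude_regex=EXCLUDE_EXAMPLE))
    # '/help/repl' is wrongly excluded when the period is not escaped: '.pl$' matches 'epl'
    print(partition_paths(["/help/repl", "/cgi-bin/login.pl"], EXCLUDE_UNESCAPED))
```

The depth limit counts links followed from the start page, so /deep.html (three links away) is never fetched at depth 2, and the page limit cuts the walk off in breadth-first order; both are worth remembering when a finding seems to be missing from a mirrored site.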

When all of the options have been configured as desired, click Next to progress to the post scan options.
Post Scan
These options determine what will occur immediately after the scan has completed. The table below describes the post
scan options available to users:


Table 35 - Post Scan Options

Post Scan Email

Send an email to me when the scan is launched
    This option generates an email to the user launching the scan as soon as the scan is
    launched.

Send an email to me when the scan is finished
    This option generates an email to the user launching the scan after the scan has
    completed.

Post Scan Processing

Remove vulnerabilities from scanned hosts that have been inactive for
    This option removes vulnerabilities from the scanned host that have been inactive for
    the specified period. Use the drop-down to select the time frame ranging from Now to
    360 days. This option is useful in cases where hosts may have been removed from the
    network and should not appear on the vulnerability report.

Track computers which have been re-issued IP addresses
    This option uses the DNS name, NetBIOS name, and MAC address (if known), in that
    order, of the computer to track it when the IP address of the computer may have
    changed. Once a match has been made, SecurityCenter will not search further for
    matches. For example, if a DNS name is not matched, but a NetBIOS name is, the
    MAC address will not be checked. Networks using DHCP require that this option be
    set to properly track hosts.

Scanning Virtual Hosts
    This option treats new DNS entries for an IP address as a virtual host as opposed to a
    DNS name update. When selected, this option will result in two DNS name/IP address
    entries in the IP Summary analysis tool if a new DNS name is found for an IP address.
    If this option is not selected and a new DNS name is found for an IP address,
    vulnerability data for the two DNS names will be merged into the single IP address
    entry in the IP Summary analysis tool.

Scan Recovery

Scan Timeout Action
    Provides a drop-down selection of three options in the event a scan is not completed.
    Import Results With Rollover is the default option, and will import the results from the
    scan into the database and create a rollover scan that may be launched at a later time
    to complete the scan. Import Current Results will import the results of the current
    scan and discard the information for the unscanned hosts. Discard will not import any
    of the results obtained by the scan to the database.

Rollover Option
    When the Scan Timeout Action is set to Import results with Rollover, this option
    determines through a drop-down menu how to handle the rollover scan. The rollover
    scan may be created as a template to launch manually or scheduled at a specific time.
    The second option is to configure the rollover scan to launch the next day at the same
    start time as the just completed scan.

Auto-Run Reports

Auto-Run Reports
    This field provides a list of report templates available to the user. Selecting the
    checkbox next to one or more reports will launch that report once the scan has
    completed. Additionally, the report generated may be based on the current scan's
    results or the results in the Cumulative database.


If report results are desired based on both the current scan and the cumulative
database, copy the report from the Reports page, then select both copies here and
choose the desired result source for each.

Scan Progress
On the Scans page, selecting a scan while in progress will allow the Detail button to be selected. The Detailed Scan
Progress screen is then displayed allowing the scan progress to be monitored as it occurs. The available information is
the name of the scan, the status, the scan progress bar, and the scanner summary.

Completed hosts are colored green and hosts currently being scanned are colored blue. The Scan Progress bar shows
the number of hosts completed, in progress, and yet to be scanned (grey). The scanner summary lists the Nessus
scanners being used in the scan along with the number of completed and in-progress hosts on each. The boxes are
dynamically sized; when there are too many hosts to display individually, an appropriate message is shown instead.

Scan Results
Clicking on Scan Results under the Scanning tab displays the status of completed scans. Results are displayed in a
list view with the ability to drill down into individual scan details. If a scan is launched on behalf of another user, the scan
results show in the list of the other user. An example screen capture of this page is shown below:

Scan Results Listing


Filters are available at the top of the screen to allow the user to view only desired scan results. Filter parameters include
the Name, Owner (by username, group, or all), Status, and Finish Time. To return to the original scan result view,
click on the Reset button to the right of the filter options.

The results of individual scans are viewable by double-clicking on the desired scan or highlighting the scan and using the
Browse button. This option displays the subset of the Analysis vulnerability data covered by the selected scan.

In addition, Nessus scans performed from other systems can be uploaded to SecurityCenter using the Upload Nessus
Results command button. The uploaded file must be either a raw .nessus file or a compressed (.zip) archive containing
one .nessus file. This allows scan results from scans run in remote locations without network connectivity to be imported
into SecurityCenter. If uploads greater than 500 MB are required, upload_max_filesize in
/opt/sc4/support/etc/php.ini must be modified to accommodate the larger uploads.

Nessus v2 scan results with hostnames have the hostname converted during import and display both the IP
address and hostname. IPv6 addresses are only contained in Nessus v2 files.

The Share button is used to share a selected scan result with other users who do not have access to it by default.
Selecting a Group from the drop-down list displays a list of users from that Group, from which one or more users may be
selected. Email addresses may also be entered into the Email Addresses field to send a copy of the result to users
outside of the SecurityCenter environment.

The Download button may be used to download the results of the selected scan. On a standard scan, a Nessus results
file may be downloaded. If the scan contains SCAP results, there is an additional option to download the SCAP results.

The Import button is used for manually importing scans that are listed in the scan results screen. This is useful where
a scan did not fully import after it completed. For example, if an import was blocked because it would have exceeded the
licensed IP count, the scan results can be imported with this button after the IP count has been increased.

Selecting the Report button allows an on-demand report to be created based on the results of the selected scan.
After selecting a scan result from the list and clicking the button, a window opens with a report template selection box and
a space for a report name and description. The report runs immediately; its progress may be seen in the Reports screen,
and the completed result may be obtained from the Report Results screen.

Scan result details are available using the Detail button or by right-clicking on the scan and selecting Detail Scan
Result. For example, if a scan fails and more information is required, click on the details for a more complete
summary of the root cause.

Finally, scans may be removed from SecurityCenter using the Delete button. For more information about navigating this
interface, refer to the Analysis Tools section of this document.
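The upload rules above (a raw .nessus file, or a .zip holding exactly one .nessus file, within PHP's upload_max_filesize) are easy to get wrong when results are collected from disconnected scanners. The following pre-flight check is an added example written for this guide, not SecurityCenter or Nessus code: it reads upload_max_filesize from php.ini text, accepts the K/M/G shorthand PHP uses, and rejects archives that do not contain exactly one .nessus member. The php.ini excerpt and the zip fixture are constructed for the example; the function names are its own.

```python
import io
import re
import zipfile
from typing import List

# php.ini shorthand sizes: a plain integer, or an integer followed by K, M or G.
_INI_SIZE = re.compile(r"^(\d+)\s*([KMGkmg]?)$")
_MULTIPLIER = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}


def parse_ini_size(value: str) -> int:
    """Convert a php.ini size value such as '500M' into bytes."""
    m = _INI_SIZE.match(value.strip())
    if not m:
        raise ValueError(f"unrecognised php.ini size: {value!r}")
    return int(m.group(1)) * _MULTIPLIER[m.group(2).lower()]


def upload_limit_from_ini(ini_text: str) -> int:
    """Read upload_max_filesize from php.ini text (PHP's built-in default is 2M)."""
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()       # drop php.ini comments
        if line.startswith("upload_max_filesize"):
            return parse_ini_size(line.split("=", 1)[1])
    return parse_ini_size("2M")


def check_upload(name: str, data: bytes, max_bytes: int) -> List[str]:
    """Return the problems found with an upload candidate; an empty list means it is acceptable."""
    problems: List[str] = []
    if len(data) > max_bytes:
        problems.append(f"{len(data)} bytes exceeds upload_max_filesize ({max_bytes} bytes)")
    lower = name.lower()
    if lower.endswith(".nessus"):
        # A .nessus file is XML whose root element is NessusClientData (v1) or NessusClientData_v2.
        if b"<NessusClientData" not in data[:4096]:
            problems.append("file does not look like a .nessus XML document")
    elif lower.endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = [n for n in zf.namelist() if n.lower().endswith(".nessus")]
        except zipfile.BadZipFile:
            problems.append("not a valid zip archive")
            return problems
        if len(members) != 1:
            problems.append(f"archive must contain exactly one .nessus file, found {len(members)}")
    else:
        problems.append("extension must be .nessus or .zip")
    return problems


def build_sample_zip(member_names: List[str]) -> bytes:
    """Constructed test fixture: a zip holding minimal .nessus stubs with the given names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for n in member_names:
            zf.writestr(n, '<?xml version="1.0" ?>\n<NessusClientData_v2></NessusClientData_v2>\n')
    return buf.getvalue()


# Constructed php.ini excerpt with the limit raised to 500M as the guide describes.
SAMPLE_PHP_INI = """; php.ini excerpt (constructed for this example)
upload_max_filesize = 500M
post_max_size = 500M
"""

if __name__ == "__main__":
    limit = upload_limit_from_ini(SAMPLE_PHP_INI)
    print("upload limit (bytes):", limit)
    print("one .nessus in zip: ", check_upload("scan.zip", build_sample_zip(["scan.nessus"]), limit))
    print("two .nessus in zip: ", check_upload("scan.zip", build_sample_zip(["a.nessus", "b.nessus"]), limit))
```

Run the check against each file before uploading it; remember that post_max_size in the same php.ini also bounds the request, so raise both when lifting the 500 MB limit.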

Blackout Windows
Currently running scans are stopped at the beginning of the blackout window period.

The blackout window in SecurityCenter specifies a timeframe where new scans are prohibited from launching. This
prevents remediation or ad-hoc scans from being performed during timeframes when they are not desired, such as
production hours.


Add Blackout Window

During a blackout window, the Scans window indicates the active window in red in the upper left-hand corner and no
new scans can be run during this time:

Active Blackout Window


To see all available blackout windows and their current status, click the Blackout Window box and a dialog similar to the
one below is displayed:

Blackout Window Schedule

Alternatively, click on Scans and then Blackout Windows to see the current status of or manage existing blackout
windows. When the system is no longer in a blackout window condition, the box changes back to indicate the inactive state:

Inactive Blackout Window

Blackout windows are organizational and affect all scans in the creating user's Organization. Only users with the
Manage Blackout Windows permission can add blackout windows.
To create a blackout window, click on Scanning, Blackout Windows and then Add.


Add Blackout Window

Next, enter in the desired name and description. Make sure Enabled is checked and enter in the desired schedule and
blackout time range and then click Submit. The next time that date/time window occurs, no new scans will be permitted.
To disable a blackout window without actually removing it, click Edit to modify the desired window and deselect
Enabled. Click Submit to apply the changes. These blackout windows will show with a state of Disabled in the
blackout window display list.
Click Detail to see existing blackout window details and click Delete to remove any blackout windows that are no
longer required for the Organization.

Reporting
Tenable provides extremely flexible and simplified reporting through an assortment of report templates and user-friendly
report creation interface. Quick reporting options are also available while browsing data by clicking on the More option in
the upper right-hand corner of the screen and selecting Create Report. Supported report types include the well-known
PDF, RTF, and CSV standards for a high level of compatibility and ease of use. For some specialized needs, additional
DISA ASR, DISA ARF, and CyberScope reporting options are available. These specialized reporting types are enabled or
disabled by an admin user of the SecurityCenter. Reports can be scheduled and automatically emailed, shared to one or
more specified SecurityCenter users and/or published to one or more sites on completion. Reports can be copied and
reused as required. When configuring a scan, an existing report template can also be set to run on completion.


Reports
To see a list of available reports, click on Reporting and then Reports.

Reports Listing

When creating a new report, the first step is to click the Add button. A window opens and lists high-level categories for
available report templates from the SecurityCenter feed. Each category is represented by a name and description and
lists the number of templates available in the category.

From the Add Report screen, the templates may be searched by keyword in the Search Template field across all the
categories or by clicking the high-level category name. Selecting a category such as Monitoring displays a list of the
report templates and a list of tags that each of the available reports belongs to. Selecting a tag will further narrow the list
of templates and list of tags to only those applicable to the prior selection. The remaining tags will become a lighter shade
of blue. At any time in the search, the Search Templates text entry may be used to filter on keywords. Selecting any of
the report templates will provide a screen with information about the report and a selectable list of chapters to disable as
desired before adding the template.


Once a report template is added to the list of reports, it may be modified from the Edit Report screen to customize the
report. The reports are created as a template report and may be scheduled as desired.
If an existing template does not satisfy the need, a custom report may be created. From the initial Add Report screen
select Create Custom Report at the bottom. The screen captures below show each page of the Create Custom
Report dialog:


Reports General Tab

Reports Definition Tab


Reports Schedule Tab

These tabs allow the user to configure, define and schedule custom vulnerability and event reports. The tables below
describe available reporting options.
Table 36 Report Options

Option

Description

General

Name

Name assigned to the report.

Description

Descriptive text for the report.

Type

PDF, RTF, and CSV. These three types are the most commonly used formats.
DISA ASR, DISA ARF, and CyberScope. These three specialized reporting types are
enabled or disabled by an admin user of the SecurityCenter.
Available options depend on the report type chosen. Many of the options
listed below are not available for reports other than PDF.

Report Style (PDF, RTF)

Report paper type/orientation. Available report styles are selected from the drop-down
shown in the image below and affect the report's printability.

Report Styles Drop-down

If a Classification Type banner has been set by the SecurityCenter
administrator, only the Plain report styles will be listed.

Report Schedule

Determines how often the report will be run. Options are Template, Now, Once, Daily,
Weekly, or Monthly (Day or Date). The schedule may be altered by editing the report.

Include Cover Page (PDF and RTF)

Include a cover page in the report. A sample cover page is displayed below:

Sample Vulnerability Report Cover Page

Cover Logo (PDF only)

Choose the logo to display on the cover page (lower right-hand corner).

Include Header (PDF only)

Include a predefined header in the report.

Include Footer (PDF only)

Include a predefined footer in the report.

Footer Logo (PDF only)

Choose the logo to display in the footer of each page (lower center).

Watermark (PDF only)

Add a Confidential or other custom uploaded watermark to each page of the report.

Include Table of Contents (PDF and RTF)

Include a table of contents with the report.

Include Index (PDF and RTF)

Include an index with the report.

Encrypt PDF (PDF only)

Protect the PDF with a password. This password must be used to open the report and
view its contents. For more information about this encryption mechanism, please refer
to the following URL: http://xmlgraphics.apache.org/fop/0.95/pdfencryption.html.
The protection is no stronger than the password chosen, and the password must be
communicated to recipients separately from the report itself.

Operational Attribute Set (DISA ARF or CyberScope)

A drop-down list of available predefined operational attributes for adding required
information to DISA ARF or CyberScope report types. Only the attribute set defined for
the appropriate report will display in the drop-down.

ASR Content (DISA ASR only)

When creating a report, this drop-down offers a selection of Benchmark, IAVM, CVE,
or Plugin ID to be included.

ASR Record Format (DISA ASR only)

This drop-down determines the format (Summary or Detail) of the DISA ASR report.

Include ARF (DISA ASR only)

When enabled, allows for the inclusion of a DISA ARF attribute set for the report.

Benchmarks

Benchmarks are generated after a scan using certain audit files that have been
successfully run against at least one target system.

Definition
To determine what data will show up in your report, browse to the desired data view using the Analysis
Tool and locate the desired data set. Save the data set as a query and then select the query as a data
source for your report element (chart, table, etc.).
The definition will appear differently for different report types.
CSV reports will offer a drop-down to define a data type of Vulnerability, Event, Alert, Ticket, or User, and the ability to
define an appropriate filter set or to use a predefined query. A selection to define the columns and number of results to
appear in the report is then available for configuration.
DISA ARF, DISA ASR, and CyberScope reports offer a Vulnerability data filter or predefined Query selection from
which the report may be defined.
When PDF and RTF reports are selected, this section allows the user to define report elements such as charts, tables and
chapters along with their underlying data sources. Each element described below can be used more than once to create
multifunction reports with great flexibility. A sample definition section for PDF and RTF reports is displayed below:

Sample Report Definition


Chapter (PDF and RTF)

Click the chapter button to add a chapter element to the report. A chapter is used to
group elements by arbitrary characteristics such as compliance benchmark, repository,
plugin type, etc.
The chapter level filter is only a means of specifying a default query that
is used to populate any new elements added to the report when building
the report initially. It is not saved or intended to be used to make global
changes to its sub-elements.

Template (PDF and RTF)

Templates provide predefined report configurations based on known standards and are
a good way to become familiar with SecurityCenter reporting. Click the template button
to add a predefined template to the report. More than one template can be used in each
report. The screen capture below shows the initial category view of available reports.

Report Template Listing

The templates provide reports based on SANS CAG, PCI DSS, CIS, FISMA, OWASP,
HIPAA, and generic security best practices. A detailed description of the report source
and parameters is displayed in the Description field when a particular template is
selected. Once selected for the report, the template objects may be edited for the
particular data desired by utilizing a variety of filters.


Group (PDF and RTF)

Click the group button to add a group element to the report. Grouping will attempt to
keep associated elements on the same page, but does not affect the content of the
report.

Section (PDF and RTF)

Click to add a section and section title to the report.

Iterator (PDF and RTF)

Click to add an iterator to the report. Iterators are grouping elements that determine
the field a report is grouped by. For example, if an Iterator Type of Port is chosen
for a vulnerability report, the report is displayed with vulnerability data grouped by
detected ports.
To use an iterator, click the iterator button. When adding elements to the report, the
iterator may be selected as the location for the element. An example of medium
vulnerabilities grouped by the port iterator is shown below:

Iterator Example Output

Notice that the count is of medium vulnerabilities (the filtered field) grouped by TCP
port (the iterator). In the example below, the same vulnerability filter is chosen, with an
iterator of IP Address using an IPv6 address. This groups vulnerabilities based on IP
address.


IP Iterator

If an iterator is not selected, the hosts and vulnerabilities are listed in the report
individually.
Table (PDF and RTF)

Click to add a table element to the report (max results displayed: 999).


Report Table Add Dialog

The underlying data set has a big effect on the report display. The default view for most
reports is host-centric and SecurityCenter presents the user with the ability to choose a
vulnerability-centric report (a listing of vulnerabilities with all associated hosts).

Sample Vulnerability-Centric Report

To select this view, perform the following steps:


1. From within the Add Table dialog, choose Edit Filters.
2. Click the Analysis Tool drop-down to view all available analysis tools.
3. Select Vulnerability Summary IP List or Vulnerability Summary IP
Detail.
The Vulnerability Summary IP List report provides a listing of all vulnerabilities that
meet the filter parameters along with host IP addresses affected by the vulnerability.
The Vulnerability Summary IP Detail view has the same information along with
details about each host including the MAC address and host DNS name.
Paragraph (PDF and RTF)

Click to add a paragraph element to the report. A paragraph is simply descriptive text
that can be inserted anywhere into the report. Use this option to describe table
elements or report output for the viewer.

Matrix (PDF and RTF)

Click to add a Matrix chart to the report. Matrix charts have a variety of useful methods
to display data in a chart layout within a report.

Pie Chart (PDF and RTF)

Click to add a pie chart element to the report. A sample pie chart is displayed below:

Sample Report Pie Chart

Bar Chart (PDF and RTF)

Click to add a bar chart element to the report. A sample bar chart is displayed below:

Sample Report Bar Chart


Area Chart (PDF and RTF)

Click to add an area chart element to the report. A sample area chart is displayed below:

Sample Report Area Chart

Area charts are defined by time (x-axis) and series data (y-axis). When selecting the
time, available options include Relative time and Absolute time. One or more series
data elements can be chosen and displayed as a stackable view for easy comparison.
Line Chart (PDF and RTF)

Click to add a line chart element to the report. A sample line chart is displayed below:

Sample Report Line Chart

Line charts are defined by time (x-axis) and series data (y-axis). When selecting the
time, available options include Relative time and Absolute time. One or more series
data elements can be chosen and displayed as discrete lines for easy comparison.
Distribution
Email on Completion

When a report has run, an email will be sent to the selected users (those with a defined
email address) and to any additionally specified email addresses.

Share on Completion

When a report has run, the completed report will be shared in SecurityCenter with
other users within the Organization. This is useful if emailing potentially sensitive data
is prohibited by organizational policies.

Publish on Completion

Upon completion of the report, it may be uploaded to one or more defined publishing
sites selected from the list.


Report Results
Either the Oracle Java JRE or OpenJDK along with their accompanying dependencies must be installed on
the system hosting the SecurityCenter for PDF reporting to function.
Clicking on Report Results opens a view to the status of running or completed reports. Results are displayed in a list
view with the ability to drill down into individual report details. An example screen capture of this page is shown below:

Report Results Listing

Filters are available at the top of the screen to allow the user to view only desired report results. Filter parameters include
the Name, Owner, Status, and Finish Time. The Owner filter allows you to view reports owned by your user,
shared with your group, or any users managed by your user. Status allows you to view any or only completed reports
and Finish Time gives you the ability to filter reports for the finish time (today, last seven days, last 30 days, specific
month). To return to the original report result view, click on the Reset button to the right of the filter options.
The results of individual reports are available by highlighting the report and using the Download button. The report is
downloaded as a PDF, RTF, CSV, DISA ARF, DISA ASR, or CyberScope file as it was originally created. The Share
button will allow sharing a selected report with other SecurityCenter Organization users, groups, or sharing the report via
email by entering the individual email address(es). The Send button allows you to send a completed report to a defined
publishing site. Basic report parameters are available using the Details button. Finally, reports may be removed from
SecurityCenter using the Delete button.

Report Images

Report Images Listing

Image files must be of type .png or .jpg. Images used must be consistent in bit depth (8-bit, 16-bit, 24-bit, etc.); otherwise, errors may be encountered when generating reports.


The Report Images interface allows a user with permissions to add, edit, or delete PDF report images. Two types of
images are managed from this interface: logos and watermarks. Logos are displayed at the bottom of each page, while
watermarks are displayed prominently across the center of the report page.
Table 37 Report Image Options

Option

Description

Add

Add a new logo or watermark image. Note that only PNG and JPEG formats are
supported. The default image sizes are as follows, all at 300 DPI:
Cover page logo 1287x347
Footer logo 458x123
Watermark 887x610
While there are no set limitations on image size or resolution, using images that are
different from these specifications can have a negative impact on report appearance.

Edit

Edit any of the selected image's fields, including name, description, type and file.

Detail

View image details including: name, description, date uploaded, last modified and type.

Delete

Delete the highlighted image.

Report Import and Export


SecurityCenter supports importing and exporting report definitions via the SecurityCenter web interface. Buttons for both
options are found under the Reporting -> Reports tab:

Clicking Import Report displays the following dialog box:


The Import Report button allows users to import a report definition exported from another SecurityCenter. This is useful
for Organizations running multiple SecurityCenters to provide consistent reports without duplicating the work needed to
create the definition templates. Clicking Export brings up the following dialog box:

The Export button allows users to export the report definition for use by other SecurityCenter users in other Organizations.
This allows one user to create a report and other users to import it for consistency in reporting across their Organization.

Support
SecurityCenter support objects (assets, audit files, credentials, queries, and scan policies) are defined from the Support
tab on the dashboard. This section provides details on configuring these objects.

Assets
This option lists the available asset lists along with their defined parameters and attributes. Asset lists are dynamically or
statically generated lists of assets within the Organization. Asset lists can be shared with one or more users based on
local security policy requirements.
Assets can be defined as a grouping of devices (laptops, servers, tablets, phones, etc.) that are grouped together using
common search terms within SecurityCenter. A network that assigns a department's laptops to a defined IP range can
create a static asset list using that block of IP addresses. A dynamic asset list can be created based on Plugin ID 21642,
Session Initiation Protocol Detection, and Plugin ID 6291, SIP Server Detection; any device with a positive result for
these IDs will be added to the asset list automatically.
SecurityCenter also makes use of an asset list type known as a Watchlist. A watchlist is an asset list, intended only for
events, that is used to maintain lists of IPs outside the user's managed range of IP addresses. This is beneficial when
analyzing event activity originating outside of the user's managed range. For example, if a block of IP addresses is a
known source of malicious activity, it could be added to a watchlist called "malicious IPs" and referenced in a custom query.
Dynamic Asset Discovery
SecurityCenter has the ability to parse the results of Nessus, PVS, or event data obtained to build dynamic lists of assets.
For example, a dynamic rule can be created that generates a list of IP addresses that each have ports 25 and 80 open.
These rules can be very sophisticated and take into account addressing, open ports, specific vulnerability IDs, and
discovered vulnerability content. SecurityCenter ships with a number of example rule templates and new rules are
generated easily with a web-based wizard.


Example Dynamic Asset Configuration

Dynamic asset lists take advantage of the flexible grouping of condition statements to obtain lists of systems on the
network that meet those conditions. For example, in the asset above, we are looking for Linux systems (operating system
contains the pattern inux) listening on TCP Port 80 and the number of days since it was observed is greater than 7.
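To make the condition grouping concrete, here is an added example (not SecurityCenter's rule engine) that evaluates the rule from the figure above, operating system contains "inux" AND TCP port 80 open AND days since observed greater than 7, plus the "ports 25 and 80 open" and SIP plugin rules mentioned earlier, over a constructed host inventory. The nested all/any rule representation and the host record fields are this example's own assumptions about how such conditions combine; the plugin IDs 21642 and 6291 are the ones the guide names.

```python
import operator
import re
from typing import Any, Dict, List

# Constructed sample inventory. In SecurityCenter this comes from Nessus, PVS or
# event data; each record here carries only the fields the rules below inspect.
HOSTS = [
    {"ip": "10.0.0.5", "os": "Linux Kernel 3.10 on CentOS 7", "tcp_ports": {22, 80},
     "plugins": set(), "days_since_observed": 12},
    {"ip": "10.0.0.6", "os": "Linux Kernel 4.4 on Ubuntu 16.04", "tcp_ports": {22, 443},
     "plugins": set(), "days_since_observed": 30},
    {"ip": "10.0.0.7", "os": "Microsoft Windows Server 2012", "tcp_ports": {80, 445},
     "plugins": set(), "days_since_observed": 9},
    {"ip": "10.0.0.8", "os": "Linux Kernel 3.16 on Debian 8", "tcp_ports": {80},
     "plugins": set(), "days_since_observed": 2},
    {"ip": "10.0.0.9", "os": "Linux Kernel 3.10 on CentOS 7", "tcp_ports": {25, 80, 5060},
     "plugins": {21642}, "days_since_observed": 1},
]

_OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt, "<=": operator.le, "==": operator.eq}


def _condition(host: Dict[str, Any], cond: Dict[str, Any]) -> bool:
    """Evaluate one leaf condition against a host record."""
    kind = cond["type"]
    if kind == "os":                       # regex search over the OS fingerprint
        return re.search(cond["pattern"], host["os"]) is not None
    if kind == "tcp_port":                 # host is listening on this TCP port
        return cond["port"] in host["tcp_ports"]
    if kind == "plugin_id":                # the given plugin produced a result for the host
        return cond["id"] in host["plugins"]
    if kind == "days_since_observed":      # numeric comparison on staleness
        return _OPS[cond["op"]](host["days_since_observed"], cond["value"])
    raise ValueError(f"unknown condition type {kind!r}")


def matches(host: Dict[str, Any], rule: Dict[str, Any]) -> bool:
    """Recursively evaluate a rule: {'all': [...]} is AND, {'any': [...]} is OR, else a leaf."""
    for key, combine in (("all", all), ("any", any)):
        if key in rule:
            if not rule[key]:
                # Guard: an empty 'all' group would silently match every host.
                raise ValueError(f"empty '{key}' group in dynamic asset rule")
            return combine(matches(host, sub) for sub in rule[key])
    return _condition(host, rule)


def evaluate(hosts: List[Dict[str, Any]], rule: Dict[str, Any]) -> List[str]:
    """Return the sorted IPs of hosts that satisfy the rule (the dynamic asset membership)."""
    return sorted(h["ip"] for h in hosts if matches(h, rule))


# The rule from the Example Dynamic Asset Configuration figure.
LINUX_WEB_STALE = {"all": [
    {"type": "os", "pattern": "inux"},
    {"type": "tcp_port", "port": 80},
    {"type": "days_since_observed", "op": ">", "value": 7},
]}

# The "ports 25 and 80 open" rule from the Dynamic Asset Discovery paragraph.
MAIL_AND_WEB = {"all": [{"type": "tcp_port", "port": 25}, {"type": "tcp_port", "port": 80}]}

# The SIP asset from the Assets paragraph: either plugin counts as a positive.
SIP_DEVICES = {"any": [{"type": "plugin_id", "id": 21642}, {"type": "plugin_id", "id": 6291}]}

if __name__ == "__main__":
    for name, rule in (("linux_web_stale", LINUX_WEB_STALE), ("mail_and_web", MAIL_AND_WEB),
                       ("sip_devices", SIP_DEVICES)):
        print(f"{name}: {evaluate(HOSTS, rule)}")
```

The empty-group guard is the caveat worth carrying into real rule authoring: a dynamic asset whose conditions are all removed matches the whole repository, and scans or queries bound to it silently widen in scope.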
Adding Assets
There are two methods for adding asset lists: selecting from Tenable-provided templates or creating a Custom Asset.
Tenable assets are updated via the SecurityCenter feed. They are searchable by using the text search field on the Add
Asset page or selecting the major category and selecting from the list presented. Once a list of asset templates is
displayed, it may be searched by refining the original text query or selecting from the category tags. Clicking on the title of
the asset list displays details of the criteria used to build the asset list. Once added to the list of assets, the entry may be
edited to refine the criteria for particular requirements.


The table below outlines available fields for adding a Custom Asset List.
Table 38 Asset List Fields

Option

Description

Static/Watchlist Asset List


Name

The asset list name.

Tag

A logical grouping for created asset objects. Tag names can be reused as desired.
This reduces lengthy lists of asset lists with no logical grouping. Objects shared with
new users will retain the tag specified by the creator. For example, if the Security
Manager creates an Organizational asset and assigns it to the DMZ tag, all users will
now have a DMZ tag containing that Organizational asset. Asset tag names are
entered by selecting the text field and typing a new tag name or selecting from the
drop-down menu of previously used tag names.

Description

Descriptive text for the asset list.

Addresses

IP addresses to include within the asset list (20 K character limit). One address, CIDR
address, or range can be entered per line.
Using the Expand link will open a window to enter octets in a range and expand them
for appropriate use in the Addresses field. The list may then be copied to the
clipboard for pasting into the field.

Assets

A listing of currently configured asset lists is available, from which a new asset list may
be created. One or more asset lists may be selected.

Merging Addresses and Assets

It may be desirable to create an asset list from some combination of an existing asset
list and a new selection of addresses. The available options for these selections are:

Union: Combines Addresses and Asset lists, discarding duplicates.

Intersection: Removes Addresses that are not present in the selected Asset list(s).

Difference: Combines the Addresses and selected Asset lists, then removes the
addresses common to both (the symmetric difference).

Complement: Removes Addresses that are in the selected Asset list(s).


Watchlist Upload
Name

The asset list name.

Tag

A logical grouping for created asset objects. Tag names can be reused as desired.
This reduces lengthy lists of asset lists with no logical grouping. Objects shared with
new users will retain the tag specified by the creator. For example, if the Security
Manager creates an Organizational asset and assigns it to the DMZ tag, all users will
now have a DMZ tag containing that Organizational asset. Asset tag names are
entered by selecting the text field and typing a new tag name or selecting from the
drop-down menu of previously used tag names.

Description

Descriptive text for the asset list.

File

File that contains the IP address(es) to include within the asset list.

Addresses

IP address(es) that will be used with the asset list. (20 K character limit).

DNS
Name

The asset list name.

Tag

A logical grouping for created asset objects. Tag names can be reused as desired.
This reduces lengthy lists of asset lists with no logical grouping. Objects shared with
new users will retain the tag specified by the creator. For example, if the Security
Manager creates an Organizational asset and assigns it to the DMZ tag, all users will
then have a DMZ tag containing that Organizational asset. Asset tag names are
entered by selecting the text field and typing a new tag name or selecting from the
drop-down menu of previously used tag names.

Description

Descriptive text for the asset list.

DNS Names

The DNS hostnames for the asset list to be based upon.

Static Upload Multiple
File

File that contains the IP address(es) to include within the asset list.

Uploaded Lists

IP address(es) that will be used with the asset list (20K character limit). Each line of
the uploaded file uses the format:
"Asset1","Description","group","visibility","IP Address(es)"
...
For example:
"Internal","Int IPs","ranges","user","10.0.0.1,10.0.0.2"
"External","Ext IPs","ranges","user","9.9.9.9-9.9.9.10"

Double quotes are required within the uploaded file around all fields.

The visibility field (user or organizational) must be entered in lower-case.

Dynamic
Name

The asset list name.

Tag

A logical grouping for created asset objects. Tag names can be reused as desired.
This reduces lengthy lists of asset lists with no logical grouping. Objects shared with
new users will retain the tag specified by the creator. For example, if the Security
Manager creates an Organizational asset and assigns it to the DMZ tag, all users will
now have a DMZ tag containing that Organizational asset. Asset tag names are
entered by selecting the text field and typing a new tag name or selecting from the
drop-down menu of previously used tag names.

Description

Descriptive text for the asset list.

Combination
Name

The asset list name.

Tag

A logical grouping for created asset objects. Tag names can be reused as desired.
This reduces lengthy lists of asset lists with no logical grouping. Objects shared with
new users will retain the tag specified by the creator. For example, if the Security
Manager creates an Organizational asset and assigns it to the DMZ tag, all users will
now have a DMZ tag containing that Organizational asset. Asset tag names are
entered by selecting the text field and typing a new tag name or selecting from the
drop-down menu of previously used tag names.

Description

Descriptive text for the asset list.

Combination Parameters

This field accepts multiple existing asset lists utilizing the operators AND, OR, and
NOT. Using these operators and multiple existing asset lists, new unique asset lists
may be created. If the source asset lists change, the Combination asset list will change
to match the new conditions.
When this field is initially selected, the options of NOT and a list of existing asset lists
are displayed. Selecting one of those options followed by a space will display the next
valid option for building the asset list, and so on until the selections are complete. A
green circle with a check mark will appear after the field's title to indicate the query is
valid, while a red circle with an X will be displayed if there is an error.

LDAP Query
Name

The asset list name.


Tag

A logical grouping for created asset objects. Tag names can be reused as desired.
This reduces lengthy lists of asset lists with no logical grouping. Objects shared with
new users will retain the tag specified by the creator. For example, if the Security
Manager creates an Organizational asset and assigns it to the DMZ tag, all users will
now have a DMZ tag containing that Organizational asset. Asset tag names are
entered by selecting the text field and typing a new tag name or selecting from the
drop-down menu of previously used tag names.

Description

Descriptive text for the asset list.

Search Base

This is the LDAP search base used as the starting point to search for the user
information.

Search String

This string may be modified to create a search based on a location or filter other than
the default search base or attribute.

Preview Query

The preview query is displayed after selecting the Generate Preview button. The
preview lists the LDAP objects that match the defined search string.
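The following Python is an added, illustrative example and is not code from this guide or from Tenable. It parses an upload file in the format documented under Uploaded Lists, enforces the two stated rules (every field double-quoted, visibility in lower-case), expands the address specifications, and then applies the four options from Merging Addresses and Assets (Union, Intersection, Difference, Complement) to the result. Assumptions: several selected asset lists are pooled into one before merging, and a start-end range or CIDR block expands to every address it covers. The sample rows are constructed.

```python
import ipaddress
import re

# Constructed sample upload in the documented five-field format; the rows are
# examples, not data from any real SecurityCenter.
SAMPLE_UPLOAD = '''"Internal","Int IPs","ranges","user","10.0.0.1,10.0.0.2"
"External","Ext IPs","ranges","user","9.9.9.9-9.9.9.10"
'''

VALID_VISIBILITY = ("user", "organizational")   # must be lower-case


def expand_addresses(spec):
    """Expand a comma- or newline-separated list of single IPs, CIDR blocks and
    start-end ranges into a set of ipaddress objects (IPv4 or IPv6)."""
    hosts = set()
    for item in spec.replace("\n", ",").split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:                       # start-end range, e.g. 9.9.9.9-9.9.9.10
            start, end = (ipaddress.ip_address(p.strip()) for p in item.split("-", 1))
            if start.version != end.version or end < start:
                raise ValueError("bad range: " + item)
            cur = start
            while cur <= end:
                hosts.add(cur)
                cur += 1
        else:                                 # single address or CIDR block
            hosts.update(ipaddress.ip_network(item, strict=False))
    return hosts


def parse_upload(text):
    """Parse the multiple-asset upload file. Every field must be enclosed in
    double quotes and the visibility field must be lower-case."""
    assets = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = re.findall(r'"([^"]*)"', line)
        # Reassembling the quoted fields must reproduce the line exactly,
        # which rejects unquoted or partially quoted rows.
        if len(fields) != 5 or ",".join('"%s"' % f for f in fields) != line:
            raise ValueError("line %d: expected 5 double-quoted fields" % lineno)
        name, description, group, visibility, addresses = fields
        if visibility not in VALID_VISIBILITY:
            raise ValueError("line %d: visibility must be one of %s (lower-case)"
                             % (lineno, "/".join(VALID_VISIBILITY)))
        assets[name] = {"description": description, "group": group,
                        "visibility": visibility,
                        "addresses": expand_addresses(addresses)}
    return assets


def upload_is_valid(text):
    """True when parse_upload accepts the file, False on any format error."""
    try:
        parse_upload(text)
        return True
    except ValueError:
        return False


def merge(addresses, asset_lists, mode):
    """Apply one of the guide's merge options to a set of addresses and one or
    more asset lists. Assumption: several selected asset lists are pooled."""
    pooled = set().union(*asset_lists)
    if mode == "union":          # combine, discarding duplicates
        return addresses | pooled
    if mode == "intersection":   # drop addresses not present in the asset lists
        return addresses & pooled
    if mode == "difference":     # combine, then remove the common addresses
        return addresses ^ pooled
    if mode == "complement":     # remove addresses that are in the asset lists
        return addresses - pooled
    raise ValueError("unknown merge mode: " + mode)


def demo():
    """Merge two new addresses with the uploaded 'Internal' list in every mode."""
    uploaded = parse_upload(SAMPLE_UPLOAD)
    new_addresses = expand_addresses("10.0.0.2,10.0.0.3")
    internal = [uploaded["Internal"]["addresses"]]
    return {mode: sorted(str(a) for a in merge(new_addresses, internal, mode))
            for mode in ("union", "intersection", "difference", "complement")}


if __name__ == "__main__":
    for mode, result in demo().items():
        print(mode, result)
```

Running the file prints the four merge results for the constructed input; the Difference option is the symmetric difference of the two sets, which is why it keeps 10.0.0.1 and 10.0.0.3 but drops the shared 10.0.0.2.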

This table describes what type of logic can be used when writing a dynamic rule.
Table 39 Dynamic Rule Logic

Valid Operators

Effect

Plugin ID
is equal to

Field value must be equal to value specified.

not equal to

Field value must be not equal to value specified.

is less than

Field value must be less than the value specified.

is greater than

Field value must be greater than the value specified.

Plugin Text
is equal to

Field value must be equal to value specified.

not equal to

Field value must be not equal to value specified.

contains the pattern

Field value must contain the text specified (e.g., ABCDEF contains ABC).

regex

Any valid regex pattern contained within / and / (example: /.*ABC.*/).

where Plugin ID is

Any valid Plugin ID number.


Operating System
is equal to

Field value must be equal to value specified.

not equal to

Field value must be not equal to value specified.

contains the pattern

Field value must contain the text specified (e.g., ABCDEF contains ABC).

regex

Any valid regex pattern contained within / and / (example: /.*ABC.*/).

Address
is equal to

Field value must be equal to value specified.

not equal to

Field value must be not equal to value specified.

DNS, NetBIOS Host, NetBIOS Workgroup, MAC, SSH v1 Fingerprint, SSH v2 Fingerprint
is equal to

Field value must be equal to value specified.

not equal to

Field value must be not equal to value specified.

contains the pattern

Field value must contain the text specified (e.g., 1.2.3.124 contains 124).

regex

Any valid regex pattern contained within / and / (example: /.*124.*/).

Port, TCP Port, UDP Port
is equal to

Field value must be equal to value specified.

not equal to

Field value must be not equal to value specified.

is less than

Field value is less than value specified.

is greater than

Field value is greater than the value specified.

Days Since Discovery, Days Since Observation
is equal to

Field value must be equal to value specified. Scroll arrows are provided to allow for
entry selection or the value can be manually entered. Max 365.

not equal to

Field value must be not equal to value specified. Scroll arrows are provided to allow for
entry selection or the value can be manually entered. Max 365.


is less than

Field value is less than value specified. Scroll arrows are provided to allow for entry
selection or the value can be manually entered. Max 365.

is greater than

Field value is greater than the value specified. Scroll arrows are provided to allow for
entry selection or the value can be manually entered. Max 365.

Severity
is equal to

Field value must be equal to value specified (info, low, medium, high, or critical).

not equal to

Field value must be not equal to value specified (info, low, medium, high, or critical).

is less than

Field value must be less than the value specified (info, low, medium, high, or critical).

is greater than

Field value must be greater than the value specified (info, low, medium, high, or
critical).

where Plugin ID is

Any valid Plugin ID number.
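As an added example (not code from this guide or from Tenable), the following Python evaluates rules written with the operators of Table 39 against a set of constructed host records, so the behaviour of each operator can be checked before a dynamic asset list is relied on. It shows the ordinal comparison of Severity values (info < low < medium < high < critical), the / and / delimiters required for regex, the "where Plugin ID is" restriction for Plugin Text and Severity, and the 365-day limit for the day-count fields. The host records, hostnames and plugin IDs 111111 and 222222 are placeholders, and rules are ANDed together (an assumption about how a rule set combines).

```python
import re

SEVERITY_ORDER = ("info", "low", "medium", "high", "critical")
DAYS_MAX = 365

# Constructed host records in the shape a dynamic rule would evaluate; the
# plugin IDs 111111/222222 are placeholders, not real Nessus plugin IDs.
HOSTS = [
    {"address": "10.0.0.5", "dns": "web1.example.test",
     "os": "Linux Kernel 3.10 on CentOS Linux 7",
     "tcp_ports": {22, 80, 443}, "days_since_discovery": 12,
     "plugins": {111111: {"severity": "medium", "text": "OpenSSH 6.6 banner observed"}}},
    {"address": "10.0.0.9", "dns": "dc1.example.test",
     "os": "Microsoft Windows Server 2012 R2",
     "tcp_ports": {135, 445, 3389}, "days_since_discovery": 40,
     "plugins": {111111: {"severity": "critical", "text": "Missing security update"},
                 222222: {"severity": "low", "text": "SMB signing not required"}}},
    {"address": "10.0.0.20", "dns": "rtr1.example.test",
     "os": "Cisco IOS 15.2", "tcp_ports": {22}, "days_since_discovery": 200,
     "plugins": {}},
]

# Field name from Table 39 -> key in the host record. Multi-valued fields
# (ports, plugin IDs) match when any one value satisfies the operator.
FIELD_KEYS = {"Plugin ID": "plugins", "Operating System": "os", "Address": "address",
              "DNS": "dns", "TCP Port": "tcp_ports",
              "Days Since Discovery": "days_since_discovery"}
MULTI_VALUED = {"Plugin ID", "TCP Port"}


def compare(op, actual, value, ordering=None):
    """Apply one operator from Table 39 to a single field value."""
    if ordering is not None:                    # ordinal fields such as Severity
        actual, value = ordering.index(actual), ordering.index(value)
    if op == "is equal to":
        return actual == value
    if op == "not equal to":
        return actual != value
    if op == "is less than":
        return actual < value
    if op == "is greater than":
        return actual > value
    if op == "contains the pattern":
        return str(value) in str(actual)
    if op == "regex":
        m = re.fullmatch(r"/(.*)/", value, re.S)  # pattern must be delimited by / and /
        if not m:
            raise ValueError("regex must be written as /pattern/")
        return re.search(m.group(1), str(actual)) is not None
    raise ValueError("unknown operator: " + op)


def host_matches(host, rule):
    """Evaluate one rule {'field', 'op', 'value'[, 'plugin_id']} for a host."""
    field, op, value = rule["field"], rule["op"], rule["value"]
    if field in ("Plugin Text", "Severity"):
        # These operate on one plugin's result: "where Plugin ID is ..."
        plugin = host["plugins"].get(rule["plugin_id"])
        if plugin is None:
            return False
        if field == "Severity":
            return compare(op, plugin["severity"], value, SEVERITY_ORDER)
        return compare(op, plugin["text"], value)
    if field.startswith("Days Since") and not 0 <= value <= DAYS_MAX:
        raise ValueError("day counts are limited to %d" % DAYS_MAX)
    actual = host[FIELD_KEYS[field]]
    if field in MULTI_VALUED:
        return any(compare(op, v, value) for v in actual)
    return compare(op, actual, value)


def dynamic_asset(rules, hosts=HOSTS):
    """Addresses of hosts satisfying every rule (rules are ANDed together)."""
    return sorted(h["address"] for h in hosts if all(host_matches(h, r) for r in rules))


def rule_is_valid(rule, hosts=HOSTS):
    """Mirror of the green check / red X: False when the rule cannot be evaluated."""
    try:
        dynamic_asset([rule], hosts)
        return True
    except (ValueError, KeyError):
        return False


if __name__ == "__main__":
    print(dynamic_asset([{"field": "Operating System", "op": "regex", "value": "/.*CentOS.*/"}]))
    print(dynamic_asset([{"field": "Severity", "op": "is greater than",
                          "value": "low", "plugin_id": 111111}]))
```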

Audit Files
The Nessus vulnerability scanner includes the ability to perform compliance audits of numerous platforms including, but
not limited to, databases, Linux, Unix, Cisco IOS, IBM iSeries, and Windows server configurations as well as sensitive
data discovery based on regex contained in audit files. Audit files are text files that contain the specific configuration, file
permission and access control tests to be performed. Additionally, NIST SCAP security checklist files may be uploaded in
the same manner as a standard audit file.
Tenable provides a wide range of audit files and new ones are easy to write. These audit files are maintained on the
Tenable Support Portal for users who wish to perform compliance and configuration auditing.
NIST SCAP security checklist files may be obtained from NIST's site at http://scap.nist.gov under the link for SCAP
Content and then Security checklists. Links under the Resources column to the SCAP content files will take you to the
appropriate page to download the checklist zip file. Only Tier IV files are supported by Tenable for this process. The
complete .zip file obtained from the NIST site is needed for use with SecurityCenter.
The screen capture below contains a listing of an audit file page with PCI and CIS-based audits.

Audit Files Listing

Audit files are added, edited, downloaded, viewed, and deleted from this web interface. Clicking on Add opens an Add
Audit File dialog screen similar to the following:


Audit File Add Dialog

Available fields include:


Table 40 Audit File Fields

Option

Description

Name

A descriptive name assigned to the audit file (not the actual file name).

Description

Descriptive text about the audit file.

File

An interface that allows you to browse on your local system for the actual audit file
itself. When selecting an audit file, no further options are available and the audit file
may be submitted. If a SCAP file is to be uploaded, the complete .zip file acquired from
the NIST SCAP website must be uploaded and additional options are presented.

Benchmark (SCAP Only)

When selecting a NIST SCAP file as an audit resource, the Benchmark field is
displayed with a drop-down menu of the available benchmarks. Select an appropriate
benchmark for the purpose of the audit. SecurityCenter attempts to determine if the file
is for SCAP Windows or SCAP Linux. This is not always possible due to different
SCAP file versions; a benchmark OS version must be manually selected from the
drop-down menu if one is not automatically determined by SecurityCenter.

Tailoring (SCAP Only)

As of SCAP version 1.2, an XML tailoring file may be selected to customize certain
results based on the local environment. If needed, a tailoring file may be uploaded
through this option.

Once an audit or SCAP file has been uploaded, it may be referenced from within scan policies for enhanced security
policy auditing. It may also be downloaded for review or uploaded to another SecurityCenter or Nessus scanner to ensure
the same audit file is being used throughout the Organization.
SCAP-based scans require sending an executable to the remote host. Security software running on the target
(e.g., McAfee Host Intrusion Prevention) may block or quarantine the executable required for auditing.
For those systems, an exception must be made for either the host or the executable sent.


Credentials
Credentials are reusable objects that facilitate scan target login. Various types of credentials can be configured for use
within scan policies. Additionally, credentials may be shared between users for scanning purposes. When shared, the
other users cannot see a cleartext version of the passwords. This enables sensitive credential sets to be shared in a more
secure manner. Available credential types include:

Windows: Nessus has vulnerability checks that can use a Microsoft Windows domain account to find local
information from a remote Windows host. For example, using credentials enables Nessus to determine if
important security patches have been applied. To use this feature, enter the Username, Password, and Domain in
the text boxes.

SSH (password with optional privilege escalation and key-based): SSH credentials are used to obtain local
information from remote Unix and Cisco IOS systems for patch auditing or compliance checks. There is a field for
entering the SSH user name for the account that will perform the checks on the target system, along with either
the SSH password or the SSH public key and private key pair. There is also a field for entering the Passphrase
for the SSH key, if it is required. In case of invalid or expired SSH keys, use the Clear button to remove the
current SSH keys.

The most effective credentialed scans are those with root privileges (enable privileges for Cisco IOS). Since many
sites do not permit a remote login as root, a Nessus user account can invoke a variety of privilege escalation
options including: su, sudo, su+sudo, DirectAuthorize dzdo, Powerbroker pbrun, k5login, and Cisco
enable.
Scans run using su+sudo allow users to login to the remote host with a non-privileged account and then scan
with sudo privileges on the remote host. This is important for locations where remote privileged login is
prohibited.

Scans run using sudo vs. the root user do not always return the same results because of the different
environmental variables applied to the sudo user and other subtle differences. Please refer to the sudo man
pages or the following web page for more information:
http://www.sudo.ws/sudo/sudo.man.html#Security%20Notes
To direct the Nessus scanner to use privilege escalation, click on the drop-down menu labeled Privilege
Escalation and select the appropriate option for your target system. Enter the escalation information in the
provided box.
If an SSH known_hosts file is available and provided as part of the scan policy (located within the SSH Settings
in the scan policy preferences), Nessus will only attempt to log into hosts in this file. This ensures that the same
username and password used to audit your known SSH servers is not used to attempt a login to a system that
may not be under your control.

SNMP community string: Enter the appropriate private or public SNMP community string used for authentication.

Kerberos: The Kerberos IP, Port, Protocol, and Realm are available for this type of authentication.

Database: This setting defines the login credentials and other information such as port, SID, type, and other
specific settings determined by the database type selection. The currently available database types are DB2,
Informix/DRDA, MSSQL Server, MySQL, Oracle, and PostgreSQL.


An example Windows credential with options is displayed below:

Credential Add Dialog

For more information on Nessus credentialed scanning, please refer to the Nessus Credentialed Checks for
Unix and Windows document available from https://support.tenable.com.

Queries
Queries provide the ability to save custom views of vulnerability, event, ticket, user, and alert data for repeated access.
Common fields for all query types are described in the following table:
Table 41 Common Query Options

Option

Description

Name

The name used to describe the query.

Tag

A logical grouping for created query objects. Tag names can be reused as desired.
This reduces lengthy lists of asset lists with no logical grouping. Objects shared with
new users will retain the tag specified by the creator. For example, if the Security
Manager creates an organizational query and assigns it to the DMZ tag, all users will
now have a DMZ tag containing that organizational query.

Description

Descriptive text for the query.

Type

This option specifies whether the query will use vulnerability, mobile, event, ticket,
user, or alert data.


The table below indicates other options available for vulnerability queries:
Table 42 Vulnerability Query Options

Option

Description

Target Filters
Address

This filter specifies an IPv4 or IPv6 address, range, or CIDR block to limit the viewed
vulnerabilities. For example, entering 192.168.10.0/24 and/or 2001:DB8::/32 limits any
of the web tools to only show vulnerability data from the selected network(s).
Addresses can be comma separated or on separate lines.

DNS Name

This filter specifies a DNS name to limit the viewed vulnerabilities. For example,
entering host.example.com limits any of the web tools to only show vulnerability data
from that DNS name.

Repository

Display vulnerabilities from the chosen repositories.

Asset

This filter displays systems from the chosen asset list. If more than one asset list
contains the systems from the primary asset list (i.e., there is an intersect between the
asset lists), those asset lists are displayed as well.

Output Assets (only available in the Asset Summary analysis tool)

This filter displays only the desired asset list systems.

Port

The equality operator is specified to allow matching vulnerabilities with the same ports,
different ports, all ports less than, or all ports greater than the port filter. The port filter
allows a comma separated list of ports. For the larger than or less than filters, only
one port may be used.
All host-based vulnerability checks are reported with a port of 0 (zero).

Protocol

This filter provides check boxes to select TCP, UDP, or ICMP-based vulnerabilities.

Responsible Users

Allows selection of one or more users who are responsible for the vulnerabilities.

Vulnerability Filters
Plugin Family

This filter allows for the selection of a Nessus or PVS plugin family. Only vulnerabilities
from the selected family will be shown.

Plugin Name

Enter all or a portion of the actual plugin name. For example, entering MS08-067 in
the plugin name filter will display vulnerabilities using the plugin named: MS08-067:
Microsoft Windows Server Service Crafted RPC Request Handling Remote Code
Execution (958644) (uncredentialed check). Similarly, entering the string
uncredentialed will display a list of vulnerabilities with that string in their plugin name.

Vulnerability Text

Displays vulnerabilities containing the entered text (e.g., php 5.3).


Scan Policy

This filter allows for the selection of a scan policy. Only vulnerabilities from the
selected scan policy will be shown.

Audit File

This filter displays vulnerabilities detected when a scan was performed using the
chosen .audit file.

Plugin Type

Select whether to view passive, active, lce, compliance, or all vulnerabilities.

Severity

Displays vulnerabilities with the selected severity (Info, Low, Medium, High, Critical).

CVSS Score

Displays vulnerabilities within the chosen CVSS score range.

Exploit Available

If set to yes, displays only vulnerabilities for which a known public exploit exists.

CPE

Allows a text string search to match against available CPEs. The filter may be set to
search based on a contains or is equal to filter.

ID Filters
Plugin ID

Enter the plugin ID desired or range based on a plugin ID. Available operators are
equal to (=), not equal to (!=), greater than or equal (>=) and less than or equal to (<=).

CVE ID

Displays vulnerabilities based on the chosen single CVE ID (e.g., CVE-2010-1128) or
multiple CVE IDs separated by commas (e.g., CVE-2011-3348,CVE-2011-3268,CVE-2011-3267).

CCE ID

Displays results based on the entered CCE ID.

MS Bulletin ID

Displays vulnerabilities based on the chosen Microsoft Bulletin ID (e.g., MS09-001)
or multiple Microsoft Bulletin IDs separated by commas (e.g., MS10-012,MS10-054,MS11-020).

IAVM ID

Displays vulnerabilities based on the chosen IAVM ID (e.g., 2011-A-0007) or multiple
IAVM IDs (e.g., 2011-A-0005,2011-A-0007,2012-A-0004).

Date Filters
Vulnerability Last Observed
(Cumulative only)

This filter allows the user to see when the vulnerability was last observed by Nessus or
PVS.
The observation date is based on when the vulnerability was most
recently imported into SecurityCenter. For PVS, this will not match the
exact vulnerability discovery as there is normally a lag between the time
that PVS discovers a vulnerability and when the import occurs.

Days Since Mitigation
(Mitigated only)

This filter allows the user to track the number of days since a vulnerability was moved
to the mitigated database.

Vulnerability Discovered

SecurityCenter tracks when each vulnerability was first discovered. This filter allows
the user to see when vulnerabilities were discovered less than, more than or within a
specific count of days.


The discovery date is based on when the vulnerability was first imported
into SecurityCenter. For PVS, this will not match the exact vulnerability
discovery time as there is normally a lag between the time that PVS
discovers a vulnerability and when the import occurs.

Days are calculated based on 24-hour periods prior to the current time
and not calendar days. For example, if the report run time was 11/8/2012
at 1 PM, using a 3-day count would include vulnerabilities starting
11/5/2012 at 1 PM and not from 12:00 AM.

Plugin Published

Tenable plugins contain information about when a plugin was published. This filter
allows the user to search based on when a particular plugin was created; less than,
more than or within a specific count of days.

Plugin Modified

Tenable plugins contain information about when a plugin was last modified. This filter
allows the user to search based on when a particular plugin was modified; less than,
more than or within a specific count of days.

Vulnerability Published

When available, Tenable plugins contain information about when a vulnerability was
published. This filter allows the user to search based on when a particular vulnerability
was published; less than, more than, or within a specific count of days.

Patch Published

When available, Tenable plugins contain information about when a patch was
published for a vulnerability. This filter allows the user to search based on when a
patch became available; less than, more than or within a specific count of days.

Workflow
Mitigated Status

Display vulnerabilities that were at one time mitigated, but have been discovered again
in a subsequent scan. This option is not used in conjunction with other options unless
all options within the selected combination are set (e.g., selecting the Was Mitigated
checkbox will return no results if both the Was Mitigated and the Accepted Risk
flags are set).

Accepted Risk Status
(Cumulative Only)

Display vulnerabilities based on their Accepted Risk workflow status. Available
choices include Accepted Risk or Non-Accepted Risk. Choosing both options
displays all vulnerabilities regardless of acceptance status.

Recast Risk Status
(Cumulative Only)

Display vulnerabilities based on their Recast Risk workflow status. Available choices
include Recast Risk or Non-Recast Risk. Choosing both options displays all
vulnerabilities regardless of recast risk status.
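As an added example (not code from this guide or from Tenable), the following Python applies a subset of the vulnerability query filters from Table 42 to constructed vulnerability records: the Address filter with IPv4/IPv6 CIDR blocks and ranges, the Port filter (a list for = and !=, a single port for < and >), the Plugin ID operators, a comma-separated CVE ID list, and the Vulnerability Discovered date filter computed in 24-hour periods from the run time rather than calendar days, using the guide's own example of a run at 11/8/2012 1 PM. The CVE IDs are the ones quoted in the table; the IPs, plugin IDs and timestamps are placeholders. Treating "less than" and "more than" as strict and "within" as inclusive is an assumption.

```python
import ipaddress
from datetime import datetime, timedelta

# The guide's example report run time: 11/8/2012 at 1 PM.
NOW = datetime(2012, 11, 8, 13, 0)

# Constructed vulnerability records (plugin IDs are placeholders; the CVE IDs
# are the ones quoted in the table above).
VULNS = [
    {"ip": "192.168.10.7", "port": 443, "plugin_id": 50001,
     "cves": ["CVE-2011-3348"], "discovered": datetime(2012, 11, 5, 14, 0)},  # 2 d 23 h ago
    {"ip": "192.168.10.8", "port": 0, "plugin_id": 50002,                    # host-based check: port 0
     "cves": [], "discovered": datetime(2012, 11, 5, 9, 0)},                # 3 d 4 h ago, same calendar day
    {"ip": "2001:db8::10", "port": 22, "plugin_id": 60000,
     "cves": ["CVE-2011-3268", "CVE-2011-3267"], "discovered": datetime(2012, 10, 1, 8, 0)},
    {"ip": "10.1.1.1", "port": 8080, "plugin_id": 50001,
     "cves": ["CVE-2010-1128"], "discovered": datetime(2012, 11, 7, 9, 0)},
]


def address_filter(spec):
    """Build a predicate from comma- or newline-separated IPv4/IPv6 addresses,
    CIDR blocks and start-end ranges."""
    networks, ranges = [], []
    for item in spec.replace("\n", ",").split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in item.split("-", 1))
            ranges.append((lo, hi))
        else:
            networks.append(ipaddress.ip_network(item, strict=False))

    def match(ip):
        ip = ipaddress.ip_address(ip)
        # `in` on a network of the other IP version is simply False.
        return (any(ip in n for n in networks)
                or any(lo.version == ip.version and lo <= ip <= hi for lo, hi in ranges))
    return match


def port_filter(op, ports):
    """= and != accept a comma-separated list; < and > accept exactly one port."""
    values = [int(p) for p in str(ports).split(",")]
    if op in ("<", ">") and len(values) != 1:
        raise ValueError("only one port may be used with < or >")
    return {"=": lambda p: p in values, "!=": lambda p: p not in values,
            "<": lambda p: p < values[0], ">": lambda p: p > values[0]}[op]


def plugin_id_filter(op, value):
    """Plugin ID operators: =, !=, >= and <=."""
    return {"=": lambda i: i == value, "!=": lambda i: i != value,
            ">=": lambda i: i >= value, "<=": lambda i: i <= value}[op]


def days_filter(op, days, now=NOW):
    """Days are 24-hour periods before `now`, not calendar days: with now at
    11/8/2012 1 PM a 3-day window starts 11/5/2012 1 PM. 'less than' and
    'more than' are taken as strict, 'within' as inclusive (assumption)."""
    cutoff = now - timedelta(days=days)
    return {"within": lambda t: t >= cutoff, "less than": lambda t: t > cutoff,
            "more than": lambda t: t < cutoff}[op]


def run_query(filters, vulns=VULNS):
    """Apply the selected filters and return the matching IPs in record order."""
    preds = []
    if "address" in filters:
        preds.append((address_filter(filters["address"]), "ip"))
    if "port" in filters:
        preds.append((port_filter(*filters["port"]), "port"))
    if "plugin_id" in filters:
        preds.append((plugin_id_filter(*filters["plugin_id"]), "plugin_id"))
    if "cve" in filters:
        wanted = {c.strip() for c in filters["cve"].split(",")}
        preds.append((lambda cves: bool(wanted & set(cves)), "cves"))
    if "discovered" in filters:
        preds.append((days_filter(*filters["discovered"]), "discovered"))
    return [v["ip"] for v in vulns if all(pred(v[key]) for pred, key in preds)]


if __name__ == "__main__":
    # Only the 11/5 2 PM finding is inside the 3-day window; the 11/5 9 AM
    # finding on the same calendar day is not.
    print(run_query({"discovered": ("within", 3)}))
```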

The table below indicates the options available for mobile queries:
Table 43 Mobile Query Options

Option

Description

Analysis Tool Filter
Analysis Tool

This drop-down is used to choose the analysis tool used by the filter. This is the same
as selecting the desired analysis tool from the Analysis -> Mobile dialog.


Active Filters

This field displays the existing filters and allows the user to selectively remove filters as
needed. In the example below, the Active Filters displayed are MDM Type, Model,
Plugin Output, and Days Since Observation. Clicking the X next to any one of these
filters will remove that filter from the filter list.

Mobile Filters

Target Filters
Repository

Display vulnerabilities from the chosen repositories.

Device Filters
Identifier

This is a text based search filter that looks at the Identifier field in the repository.

Model

This is a text based search filter that looks at the Model field in the repository.

Operating System CPE

This is a text based search filter that looks at the Operating System CPE field in the
repository.

Version

This is a text based search filter that looks at the OS Version field in the repository.

Serial Number

This is a text based search filter that looks at the Serial Number field in the repository.

MDM Type

The MDM type field is a drop-down menu to select the MDM server type of
ActiveSync, Apple Profile Manager, Good, AirWatch, or MobileIron.

Username

This is a text based search filter that looks at the User field in the repository.

Vulnerability Filters
Plugin ID

Enter the Plugin ID to filter results on.


Plugin Output

Filter results based on a text search of plugin output.

Severity

Displays vulnerabilities with the selected severity (Info, Low, Medium, High, Critical).

Date Filters
Vulnerability Last Observed
(Cumulative only)

This filter allows the user to see when the vulnerability was last observed.

The table below indicates the options available for event queries:
Table 44 Event Query Options

Filter

Description

Analysis Tool Filter
Analysis Tool

This drop-down is used to choose the analysis tool used by the filter. This is the same
as selecting the desired analysis tool from the Analysis -> Events dialog. These
tools are described in detail in the Analysis Tools section.

Active Filters

This field displays the existing filters and allows the user to selectively remove filters as
needed. In the example below, the Active Filters displayed are Timeframe, Type, and
Targeted IDS Events. Clicking the X next to any one of these filters will remove that
filter from the displayed events.

Event Filters

Target Filters
Address

Specifies an IP address, range, or CIDR block to limit the displayed events. For
example, entering 192.168.10.0/24 limits any of the web tools to only show event data
from that network. Addresses can be entered on separate lines or comma separated.

Port

This type of filter can be specified to allow matching vulnerabilities with the
specified ports (=) or excluding ports (!=). The port filter may specify a single port,
comma separated list of ports, or range of ports (e.g., 8000-8080).


All host-based vulnerability checks are reported with a port of 0 (zero).

Protocol

Specify the protocol of the event (Any, TCP, UDP, ICMP, or Unknown).

Direction

Filter by event direction (Any, Inbound, Outbound, and Internal).

Asset

Filter the event by asset list. Select an asset list from those available. To narrow down
the number of displayed asset lists, enter text to filter on in the search box.

Output Assets (only available in the Asset Summary analysis tool)

This filter displays only the desired asset list systems.

Event Filters
Timeframe

A shortcut to this configuration item is available by clicking on the date
field directly below the Analysis Tool.

An explicit timeframe is displayed by default. Specify either an explicit or relative
timeframe for the event filter. Choosing explicit opens up a calendar dialog allowing the
user to select the from and to dates and times. Relative timeframes range from the
last 15 minutes to the last 12 months, and All.

Normalized Event

The Normalized Event is the name given to the event by the LCE after the LCE runs
its PRM and TASL scripts against it.

Detailed Event

This is the detailed event name given by the IDS vendor. For example, an event
received from a Snort sensor can have a detailed event name of DOUBLE DECODING
ATTACK, which means that HTTP_INSPECT 119:2:1 fired and was sent to the LCE.

Type

Clicking in this box generates a drop-down that allows one to select the event type
(e.g., error, lce, login, intrusion, etc.).

Sensor

Filter the events by sensor using the equal (=) or not equal (!=) operators.

User

Specify only events tied to a particular username.

Targeted IDS Events

This filter checkbox selects IDS events that have targeted systems and ports with
vulnerabilities likely to be exploited by the detected attack. This is determined by
comparing the host's vulnerabilities (CVE, etc.) against those tied to the actual IDS
event.

Syslog Text

(Raw Syslog Events Analysis Tool) String to search for within the filtered event. When
using LCE server version 4.0.1 and newer, the text search is case insensitive and
Boolean operators may be used. For example:
text="(drive AND serial) OR utilization"
This filter is case-sensitive when using LCE version 4.0.0 and earlier.

Advanced Filters
LCEs

Specify which LCEs to obtain events from. Use <CTRL> or <Shift> + click to select
more than one.

Repositories

Specify which Repositories to obtain events from. Use <CTRL> or <Shift> + click to
select more than one.

Source Address

Specifies an IP address or CIDR block to limit the displayed events based on source.
For example, entering 192.168.10.0/24 limits any of the web tools to only show event
data with source IPs in that block. Addresses can be comma separated.

Destination Address

Specifies an IP address or CIDR block to limit the displayed events based on
destination. For example, entering 192.168.10.0/24 limits any of the web tools to only
show event data with destination IPs in that block. Addresses can be comma separated.

Source Port

This type of filter can be specified to allow matching events with the same ports (=) or
different ports (!=). The port filter may specify a single, comma separated list of ports
or range of ports (e.g., 8000-8080).

Destination Port

This type of filter can be specified to allow matching events with the same ports (=) or
different ports (!=). The port filter may specify a single, comma separated list of ports
or range of ports (e.g., 8000-8080).

Source Asset

Events originating from the defined source asset list.

Destination Asset

Events originating from the defined destination asset list.
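Two fields in this chapter accept the same kind of Boolean expression: the Combination Parameters of a Combination asset list (AND, OR and NOT over existing asset lists, with the green check / red X validity indicator) and the Syslog Text filter above (case-insensitive search with Boolean operators on LCE 4.0.1 and newer, e.g. text="(drive AND serial) OR utilization"). The following Python is an added example, not code from this guide or from Tenable, that implements one small recursive-descent evaluator and uses it for both: each bare word is decided by a caller-supplied test, so the same parser yields the members of a Combination asset list and a match decision for a syslog line. Assumptions: NOT binds tightest, then AND, then OR; asset list names contain no spaces or parentheses; NOT in a combination is taken relative to the union of all known lists. The asset lists and log lines are constructed.

```python
import re

# Constructed asset lists keyed by name (assumption: names contain no spaces
# or parentheses, so they tokenize as single words).
ASSET_LISTS = {
    "Servers": {"10.0.0.5", "10.0.0.9", "10.0.0.20"},
    "Windows": {"10.0.0.9"},
    "DMZ": {"10.0.0.20", "10.0.0.30"},
}


def tokenize(text):
    """Split into parentheses and whitespace-separated words."""
    return re.findall(r"\(|\)|[^\s()]+", text)


class _Parser:
    """Recursive-descent evaluator. Precedence (assumption, as in most query
    languages): NOT binds tightest, then AND, then OR. Operators are the
    upper-case words AND, OR and NOT; every other word is passed to `atom`."""

    def __init__(self, tokens, atom):
        self.toks, self.pos, self.atom = tokens, 0, atom

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def expr(self):                      # expr := term (OR term)*
        value = self.term()
        while self.peek() == "OR":
            self.take()
            rhs = self.term()            # always parsed, so syntax errors surface
            value = value or rhs
        return value

    def term(self):                      # term := factor (AND factor)*
        value = self.factor()
        while self.peek() == "AND":
            self.take()
            rhs = self.factor()
            value = value and rhs
        return value

    def factor(self):                    # factor := NOT factor | ( expr ) | word
        tok = self.take()
        if tok is None or tok in ("AND", "OR", ")"):
            raise ValueError("unexpected %s" % (tok or "end of expression"))
        if tok == "NOT":
            return not self.factor()
        if tok == "(":
            value = self.expr()
            if self.take() != ")":
                raise ValueError("missing )")
            return value
        return self.atom(tok)


def evaluate(text, atom):
    """Evaluate a Boolean expression; `atom(word)` decides each bare word."""
    parser = _Parser(tokenize(text), atom)
    value = parser.expr()
    if parser.peek() is not None:
        raise ValueError("unexpected %s" % parser.peek())
    return value


def is_valid(text, atom=lambda word: True):
    """The green check / red X: True when the expression parses."""
    try:
        evaluate(text, atom)
        return True
    except ValueError:
        return False


def combination_asset(expression, lists=ASSET_LISTS):
    """Members of a Combination asset list: every known address for which the
    expression holds. NOT is taken relative to the union of all lists."""
    universe = set().union(*lists.values())

    def member_of(name, addr):
        if name not in lists:
            raise ValueError("unknown asset list " + name)
        return addr in lists[name]
    return sorted(a for a in universe if evaluate(expression, lambda n, a=a: member_of(n, a)))


def syslog_matches(expression, line):
    """Case-insensitive Syslog Text search with Boolean operators, as described
    for LCE 4.0.1 and newer."""
    lowered = line.lower()
    return evaluate(expression, lambda word: word.lower() in lowered)


if __name__ == "__main__":
    print(combination_asset("Servers AND NOT Windows"))
    # Constructed log line, not real LCE output.
    print(syslog_matches("(drive AND serial) OR utilization",
                         "Nov  8 13:00:01 nas1 smartd: Drive /dev/sda serial number XYZ"))
```

Because the source asset lists are looked up at evaluation time, re-running combination_asset after a list changes reproduces the behaviour described for Combination Parameters: the combined list follows its sources.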

Ticket queries are a useful way of determining what tickets to alert against. For example, if you want to be alerted when a
user named Joe is assigned a ticket, you could create a query with a ticket filter based on the Assignee value of Joe.
You could then create an alert to email you when Joe was assigned a ticket. The table below contains a list of the ticket
query options.
Table 45 Ticket Query Options

Option

Description

Analysis Tool Filter
Analysis Tool

Chooses the analysis tool used by the query.

Ticket Filters
Name

Ticket name to filter against.

Status

Ticket status to filter against.

Classification

The ticket classification to filter against.

Owner

The manager (owner) of the ticket assignee.

Assignee

The ticket assignee to filter against.

Created Timeframe

Ticket creation date/time to filter against. Either specify an explicit timeframe, including
the start and end time or choose one of the predefined periods (e.g., last 15 minutes,
last hour, etc.)

Assigned Timeframe

Ticket assigned date/time to filter against. Either specify an explicit timeframe, including the start and end time or choose one of the predefined periods (e.g., last 15 minutes, last hour, etc.)

Modified Timeframe

Ticket modified date/time to filter against. Either specify an explicit timeframe, including
the start and end time or choose one of the predefined periods (e.g., last 15 minutes,
last hour, etc.)

Resolved Timeframe

Ticket resolution date/time to filter against. Either specify an explicit timeframe, including the start and end time or choose one of the predefined periods (e.g., last 15 minutes, last hour, etc.)

Closed Timeframe

Ticket closed date/time to filter against. Either specify an explicit timeframe, including
the start and end time or choose one of the predefined periods (e.g., last 15 minutes,
last hour, etc.)

User queries are useful for reporting, dashboards and alerts based on user actions. For example, they can be used for tracking and alerting on user logins and locked accounts. They could also be used to track user logins from accounts not authorized on the monitored systems.
Table 46 User Query Options

Option

Description

Analysis Tool Filter
Analysis Tool

Chooses the analysis tool used by the query.

User Filters
First Name

User first name to filter against.

Last Name

User last name to filter against.

Username

Actual username to filter against.

Group

Filter against the group the user(s) belong to.

Role

Filters against users who have the specified role.

Email

Filters against users based on their email address.

Last Login Timeframe

Filters against users whose last login falls within the timeframe specified. Either specify an explicit timeframe, including the start and end time or choose one of the predefined periods (e.g., last 15 minutes, last hour, etc.).

Account State

Filters against the user account state (locked vs. unlocked).

The Alert query is useful for reporting, dashboards and alerting when an alert has triggered. This is useful for situations
where a report, dashboard element or conditional alert is required after the specified alert filter conditions have been met.
For example, a daily report could be scheduled containing a query of all active alerts and their details.
Table 47 Alert Query Options

Option

Description

Analysis Tool Filter
Analysis Tool

Chooses the analysis tool used by the filter.

Alert Filters
Name

Filter against alerts with the specified name.

Description

Filter against alerts with the specified description.

State

Choose from All, Triggered, or Not Triggered.

Created Timeframe

Filters against the alert creation timeframe specified. Either specify an explicit
timeframe, including the start and end time or choose one of the predefined periods
(e.g., last 15 minutes, last hour, etc.).

Modified Timeframe

Filters against the most recent alert modification timeframe specified. Either specify an
explicit timeframe, including the start and end time or choose one of the predefined
periods (e.g., last 15 minutes, last hour, etc.).

Last Triggered Timeframe

Filters against the most recent alert trigger timeframe specified. Either specify an
explicit timeframe, including the start and end time or choose one of the predefined
periods (e.g., last 15 minutes, last hour, etc.).

Last Evaluated Timeframe

Filters against the most recent alert evaluation timeframe specified. Either specify an
explicit timeframe, including the start and end time or choose one of the predefined
periods (e.g., last 15 minutes, last hour, etc.).

Scan Policies
The scan policy contains plugin settings and advanced directives used during the course of the Nessus scan. Click on
Support and then Scan Policies to display a listing of all currently available policies. Tabs at the upper-right hand
portion of this page give the user the ability to Add, Copy, Edit, Share, Download, Detail (view details of), and Delete
existing policies.

Scan Policies Listing

Add a Scan Policy

Clicking on Add opens the following screen that is used to configure the new scan policy. Four tabs are displayed, including:

Basic

Audit Files

Plugins

Preferences

Basic Scan Policy Settings

Basic
The Basic tab contains basic scan policy settings and allows the user to load a predefined scan policy template if desired.
The Load Policy Template option is a command button located in the upper right-hand corner of the Basic tab
page and allows the user to load scan policy options based on a variety of predefined scan policy templates. Available
templates include: Web Safe Scan, FTP Safe Scan, SMTP Safe Scan, Cisco Safe Scan, Full Safe Scan All
Ports, Full Safe Scan Common Ports, Microsoft Scan, PCI DSS Scan, Topology Scan, Peer-To-Peer Scan,
Virus Check Scan, Operating System Identification, Patch Audit and Local Security Checks, and Netstat Port Scan.
These templates use optimized plugin and configuration settings for their specified scan type.
The tables below contain detailed descriptions of options available on each of the five frames displayed under the Basic
tab:
Table 48 Basic Options

Option

Description

Name

Unique policy name

Description

Policy description (optional)

Tag

Policy tag name (optional) to organize various policies to make searching for similar
policies easy.

Type

Family or Plugin. If Family is chosen then when plugin updates occur, new plugins
will automatically be enabled for plugin families that are enabled. If Plugin is enabled,
only the currently enabled plugins are enabled. New plugins must be manually enabled
by the user. This is beneficial where strict control over new plugins is required.
Changing from Family to Plugin, or vice-versa, clears all currently
enabled plugins. Please make a note of all enabled plugins before
changing this option so that they can be enabled afterwards.

The Scan frame controls basic scan options for the scan:
Table 49 Scan Options

Option

Description

Safe Checks

Nessus can attempt to identify remote vulnerabilities by interpreting banner information and attempting to exercise a vulnerability. This is not as reliable as a full probe, but is less likely to negatively impact a targeted system.

Silent Dependencies

If this option is checked, the list of dependencies is not included in the report. If you
want to include the list of dependencies in the report, uncheck this box.

Consider Unscanned Ports as Closed

With this setting enabled, ports that are not enumerated by the port scan will not be
tested. For example, scanning ports 21, 22 and 23 will only test those ports and not
any other port.

The Port Scanners frame controls which methods of port scanning should be enabled for the scan:
Table 50 Port Scanner Options

Option

Description

TCP Scan

Use Nessus built-in TCP scanner to identify open TCP ports on the targets. This
scanner is optimized and has some self-tuning features.
On some platforms (e.g., Windows and Mac OS X), if the operating
system is causing serious performance issues using the TCP scanner,
Nessus will launch the SYN scanner.

UDP Scan

This option engages Nessus built-in UDP scanner to identify open UDP ports on the
targets.
UDP is a stateless protocol, meaning that communication is not done
with handshake dialogues. UDP based communication is not always
reliable, and because of the nature of UDP services and screening
devices, they are not always remotely detectable.

SYN Scan

Use Nessus built-in SYN scanner to identify open TCP ports on the targets. SYN
scans are a popular method for conducting port scans and generally considered to be
a bit less intrusive than TCP scans. The scanner sends a SYN packet to the port, waits
for SYN-ACK reply and determines port state based on a reply, or lack of reply.

SNMP Scan

Direct Nessus to scan targets for a SNMP service. Nessus will guess relevant SNMP
settings during a scan. If the settings are provided by the user under Preferences,
this will allow Nessus to better test the remote host and produce more detailed audit
results. For example, there are many Cisco router checks that determine the
vulnerabilities present by examining the version of the returned SNMP string. This
information is necessary for these audits.

Netstat SSH Scan

This option uses netstat to check for open ports from the local machine. It relies on
the netstat command being available via a SSH connection to the target. This scan
is intended for Unix-based systems and requires authentication credentials.

Netstat WMI Scan

This option uses netstat to check for open ports from the local machine. It relies on
the netstat command being available via a WMI connection to the target. This scan
is intended for Windows-based systems and requires authentication credentials.

Ping Host

This option enables the pinging of remote hosts on multiple ports to determine if they
are alive.

The Port Scan Options frame directs the scanner to target a specific range of ports. The following values are allowed
for the Port Scan Range option:
Table 51 Values for Port Scan Options

Value

Description

default

Using the keyword default, Nessus will scan approximately 4,605 common ports.

Custom List

A custom range of ports can be selected by using a comma-delimited list of ports or port ranges. For example, 21,23,25,80,110 or 1-1024,8080,9000-9200 are allowed. Specifying 1-65535 will scan all ports.

The range specified for a port scan will be applied to both TCP and UDP scans.
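The port-list syntax above (and the Source/Destination Port and Address filters in the event query table earlier) is simple enough to validate before it reaches a scanner or a query. The following is an added example, not SecurityCenter code; it assumes a port spec is a comma-separated list of single ports or low-high ranges, an address spec is a comma-separated list of IPs or CIDR blocks, and the port operator is "=" (keep matches) or "!=" (keep non-matches). The sample events are constructed.

```python
"""Parse and apply the port and address filter syntax described above.

Added example, not SecurityCenter code. Assumed syntax: a port spec such as
"1-1024,8080,9000-9200", an address spec such as "192.168.10.0/24, 10.0.0.1",
and the port operator "=" (keep matches) or "!=" (keep non-matches).
The sample events are constructed, not real LCE output.
"""
from __future__ import annotations
import ipaddress


def parse_port_spec(spec: str) -> list[tuple[int, int]]:
    """'21,23,25,80,110' or '1-1024,8080,9000-9200' -> list of (low, high) ranges.

    Rejects ports outside 1-65535 and reversed ranges, the sanity check worth
    running before a spec is handed to a scanner or a filter.
    """
    ranges: list[tuple[int, int]] = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        low_s, _, high_s = item.partition("-")
        low = int(low_s)                       # int() raises ValueError on junk
        high = int(high_s) if high_s else low
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"invalid port or range: {item!r}")
        ranges.append((low, high))
    if not ranges:
        raise ValueError("empty port specification")
    return ranges


def count_ports(ranges: list[tuple[int, int]]) -> int:
    """Distinct ports covered by a spec (overlapping ranges are merged first)."""
    merged: list[tuple[int, int]] = []
    for low, high in sorted(ranges):
        if merged and low <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], high))
        else:
            merged.append((low, high))
    return sum(high - low + 1 for low, high in merged)


def port_in_spec(port: int, ranges: list[tuple[int, int]]) -> bool:
    return any(low <= port <= high for low, high in ranges)


def parse_address_spec(spec: str):
    """'192.168.10.0/24, 10.0.0.1' -> networks; a bare IP becomes a /32 (or /128)."""
    return [ipaddress.ip_network(a.strip(), strict=False)
            for a in spec.split(",") if a.strip()]


def address_in_spec(addr: str, nets) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def filter_by_port(events, field: str, operator: str, spec: str):
    """Source Port / Destination Port filter: field is 'sport' or 'dport'."""
    if operator not in ("=", "!="):
        raise ValueError("operator must be '=' or '!='")
    ranges = parse_port_spec(spec)
    keep = operator == "="
    return [e for e in events if port_in_spec(e[field], ranges) == keep]


def filter_by_address(events, field: str, spec: str):
    """Source Address / Destination Address filter: field is 'src' or 'dst'."""
    nets = parse_address_spec(spec)
    return [e for e in events if address_in_spec(e[field], nets)]


# Constructed sample events (not real LCE output).
SAMPLE_EVENTS = [
    {"src": "192.168.10.5", "dst": "10.0.0.1", "sport": 51234, "dport": 22},
    {"src": "192.168.10.9", "dst": "10.0.0.1", "sport": 51235, "dport": 8080},
    {"src": "192.168.11.1", "dst": "10.0.0.2", "sport": 40000, "dport": 8000},
    {"src": "192.168.10.7", "dst": "10.0.0.3", "sport": 40001, "dport": 443},
]

if __name__ == "__main__":
    web = filter_by_port(SAMPLE_EVENTS, "dport", "=", "8000-8080")
    print([e["dport"] for e in web])                               # [8080, 8000]
    lan = filter_by_address(SAMPLE_EVENTS, "src", "192.168.10.0/24")
    print(len(lan))                                                # 3
    print(count_ports(parse_port_spec("1-1024,8080,9000-9200")))   # 1226
```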

The Performance frame provides two options that control how many scans will be launched. These options are perhaps
the most important when configuring a scan as they have the biggest impact on scan times and network activity.
Table 52 Performance Options

Option

Description

Max Checks Per Host

This setting limits the maximum number of checks a Nessus scanner will perform
against a single host at one time.

Max Hosts Per Scan

This setting limits the maximum number of hosts that a Nessus scanner will scan at
the same time. If the scan is using a zone with multiple scanners, each scanner will
accept up to the amount specified in the Max Hosts Per Scan option. For example, if
the Max Hosts Per Scan is set to 5 and there are five scanners per zone, each
scanner will accept five hosts to scan, allowing a total of 25 hosts to be scanned
between the five scanners.

Max Scan Time in hours

This setting limits the length of time a scan is allowed to run. If a scan reaches this
limit, the unscanned targets are captured in a new rollover scan that can be run
manually or scheduled at a later time.

Max TCP Connections

This setting limits the maximum number of TCP sessions established by any of the
active scanners while scanning a single host.

Audit Files
The Audit Files tab contains two options related to Nessus compliance scans. Note that you must at least name the scan
from the Basic frame to be able to open the Audit Files tab.
Table 53 Audit File Options

Option

Description

Select Audit File

Tenable provides a variety of audit files that provide a template check for compliance audits against various established standards, such as the Center for Internet Security (CIS) benchmarks, healthcare industry standards (HIPAA), Payment Card Industry (PCI) requirements and many more. To perform a compliance check, you must have the ability to perform authenticated Unix and/or Windows local checks.


Perform PCI DSS Analysis

The Payment Card Industry Data Security Standard (PCI DSS) is a comprehensive set
of security standards established by the founding members of the PCI Security
Standards Council, including Visa, American Express, Discover Financial Services,
and MasterCard. The PCI DSS is intended to provide a common baseline to safeguard
sensitive cardholder data for all bankcard brands and is in use by many e-commerce
vendors who accept and store credit card data.
Tenable provides three plugins to all SecurityCenter users that automate the process of performing a PCI DSS audit. These plugins are:

PCI DSS compliance: tests requirements
PCI DSS compliance: passed
PCI DSS compliance

These plugins evaluate the results of your scan and the actual configuration of your
scan to determine if the target server is PCI compliant. The plugins do not perform
actual scanning; they just look at the results from other plugins.
To activate the PCI DSS plugins, simply check the box labeled Perform PCI DSS
Analysis from the Compliance screen.
It is important to note that a secure infrastructure is achieved through a fusion of people, processes, and technology. Tenable's solutions provide the technology to aid in compliance requirements and are intended to be used in conjunction with a comprehensive security strategy. Please consult with your organization's Audit and Compliance group for guidance and directives specific to your organization.

Generate SCAP XML Results

When performing a compliance scan with a qualifying SCAP audit file, the Generate
SCAP XML Results option is enabled by default. When the scan completes, it will
generate a SCAP result file, which may be downloaded from the scan result page
when the scan is selected.

Plugins
The Plugins tab gives the user the option to customize which plugins will be utilized during the policy's Nessus scan.

Scan Policy Plugins Settings

Clicking on the circle next to a plugin family allows you to enable or disable the entire family. When the circle next to a
family is green, that family is enabled and all plugins within that family are enabled. Selecting a family will display the list
of its plugins in the upper right pane. Individual plugins can be enabled or disabled to create very specific scan policies.
As adjustments are made, the total number of families and plugins selected is displayed at the bottom. The circle next to the Family name shows green when some or all of the plugins for that Family are enabled: the green fill is complete when all the plugins are selected and partial when only some plugins in the family are selected, with the amount of green approximating the percentage of plugins selected.

Plugin Selection Dialog

Selecting a specific plugin will display the plugin output that will be displayed as seen in a report. The synopsis and
description will provide more details of the vulnerability being examined. Scrolling down in the Plugin Description pane
will also show solution information, additional references, the CVSSv2 score that provides a basic risk rating, and/or any
other information that is available in the plugin.
When a policy is created and saved, it records all of the plugins that are initially selected. When new plugins are received
via a plugin feed update, they will automatically be enabled if the family they are associated with is enabled. If the family
has been disabled or partially enabled, new plugins in that family will automatically be disabled as well.
The Denial of Service family contains some plugins that could cause outages on a corporate network if the
Safe Checks option is not enabled, but does contain some useful checks that will not cause any harm. The
Denial of Service family can be used in conjunction with Safe Checks to ensure that any potentially
dangerous plugins are not run. However, it is recommended that the Denial of Service family not be used on
a production network.
The following table describes options that will assist you in selecting plugins.
Table 54 Plugin Options

Option

Description

Plugin Filters

Display plugins based on selected parameters (Name, ID, and Family). Select the
parameter you wish to search and type in some text to look for and hit Enter.

Show Only Enabled

Select this checkbox to only show currently enabled plugins.

Enable All Plugins

Enable all available plugins.

Disable All Plugins

Disable all available plugins.

Preferences
Configures optional settings for various plugins. Scan Policy preferences are discussed in detail in the Plugin
Preferences section of this document.

Additional Scan Policy Options


Other options are available to the user who wishes to work with scan policies. These include Copy, Edit, Share, Download, Detail, and Delete. Clicking on Copy makes a copy of the highlighted policy so that the existing policy does not need to be modified. This copy is created with a visibility of User. Clicking on Share allows you to share a policy with one or more groups that may not currently have access to your policy. Download provides the option to download an XML version of the policy to share with other SecurityCenter users outside of the Organization or with a separate SecurityCenter. The other options, Edit, Detail and Delete, allow the user to modify, view an overview of, and remove existing scan policies.

Users
The Users tab is used to define Users, Roles, and Groups.

Users
Organizational users can be added, edited, viewed and deleted by selecting Users from the drop down menu in the
Users tab. The username, group, role, title, and last login of the user are displayed as shown by the screen capture
below:

Organizational User Listing

Add User
Clicking on Add displays a two-tab configuration dialog with the following options:
Table 55 User Basic Options

Option

Description

Authentication Information
Type TNS
Username

This is the name the user will use to login to SecurityCenter. When selecting this account name, it is sometimes easier to focus on the person's real name as a convention (e.g., Bob Smirth would become bsmirth). However, it may also be useful to assign names based on role, such as auditNY.

Password

Login password.
It is recommended to use passwords that are at least eight characters in
length and include a combination of lower and upper-case letters along
with non-alphabetic characters.

Type LDAP
Search String

This is the LDAP search string to use to narrow down user searches. Proper format is:
attribute=<filter text>. Wildcards are permitted and the field accepts up to 1024
characters.
For Example:
sAMAccountName=*
mail=a*
displayName=C*

Users

List of available LDAP user accounts.

Username

User that is selected from the list of users above.

Notification
Email user their account information

When the user is created, you can choose to have them notified via email of their account by selecting this check box.
If the following error message is received when attempting to add a user:
Error creating email notifying user 'test'. Invalid address: noreply@localhost
Login as the administrator user and check the System -> Configuration -> Mail -> Return Address settings. The email address defaults to noreply@localhost if left blank and many email servers will disallow emails from this address.

Email user their password (TNS Authentication Only)

There is an option to include the user's password within the email if desired. If this is not included, contact information of the security manager will be included.

User must change their password on login (TNS Authentication Only)

Require password change on next login.

Dashboard Template

Assigns the user being created a dashboard that has been created from a previously exported dashboard. Selecting the Browse button opens a dialog box to enable locating and uploading the desired dashboard template.

Basic/Contact Information
Name, Title, Address Information, Email, Phone

Contact information for the user can be entered here.

Table 56 User Access Options

Option

Description

Role

The role assigned to the user. The default roles that may be used during user creation
include:

Auditor
Credential Manager
Executive
No Role
Security Analyst
Vulnerability Analyst

A user may only create new users with permissions that the creating user currently has. For example, if a user has the Auditor role, they can only create new users with the Auditor or a lesser role.

Group

This option assigns the user to a designated group. This determines which SecurityCenter resources the user is granted rights to.

Group Permissions

This option controls the permissions of the user within a group. A user may be given control of groups other than the one they are assigned to: they may be granted manage objects and/or manage user rights for all available groups or for selected groups.
This option is only viewable to users with the Manage Groups permission in their role.

Responsibility

Optionally assigns a user to an asset list for which the user is responsible. This makes it easier to determine who in a group or Organization should be assigned tickets, notifications, and similar items to resolve issues with particular assets.

Edit
Clicking on the Edit button allows editing of any information described in the previous section after the user has been created. Additionally, the user's account may be locked or unlocked from the edit screen's Basic tab.
Detail
Clicking on the Detail button displays a summary of the user's information, such as name, role, last login, repositories and defined assets.
Delete
Clicking on the Delete button displays a window asking to confirm the deletion of the user. Organization objects assigned to the user will be moved to Security Manager.

Roles
Custom roles can be edited by the administrator and Security Manager users.

Roles determine what a user can or cannot do when they access their account and are configurable to a great degree.
SecurityCenter comes with a variety of pre-defined roles; however, custom roles may be created by the Security
Manager user to facilitate organizations with complex security policy needs. In keeping with the SecurityCenter
convention, role assignments are hierarchical. Users may only create new users with roles that have the same
permissions or a subset of permissions of their current Role. For example, if a user has a custom role with View
Vulnerability Data enabled and Update Plugins disabled, they can only create users with View Vulnerability Data
enabled.
Available pre-defined roles include:

No Role

Security Manager

Security Analyst

Vulnerability Analyst

Executive

Credential Manager

Auditor

These roles are static and cannot be modified. An administrator is an account that has management responsibility over
the console. The primary task of the administrator is to correctly install and configure each organization. In addition, the
administrator adds components to SecurityCenter such as PVS, LCE, and Nessus to extend its capability. The
administrator is automatically assigned the Manage Application permission.
A Security Manager is the account within an organization that has a broad range of security roles. This is the role
assigned to the initial user that is created when a new organization is created. They have the ability to launch scans,
configure users (except for administrator user roles), vulnerability policies, and other objects belonging to their
organization. Each organization has a Security Manager account that cannot be deleted without deleting the entire
Organization.
Additional users may be created and assigned one of the default roles or a custom role. Viewing the details of the roles
describes the purpose of the role, the number of users assigned to the role, and the permissions granted.
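The hierarchy rule stated above (a user may only create users whose role has the same permissions as, or a subset of, their own; the Auditor example in the user access table is the same rule) is easy to check mechanically and to audit after the fact. The following is an added example, not SecurityCenter code: permission names are taken from the Add Role table, Scan Privileges is modelled as an ordered level because No Scan, Policy Scanning and Full Scanning are graded options, and the role definitions and creation attempts are constructed samples, not SecurityCenter's actual default roles.

```python
"""Check the role-hierarchy rule for user creation described above.

Added example, not SecurityCenter code. Permission names are from the Add Role
table; the roles and the audit-trail entries below are constructed samples.
"""
from __future__ import annotations
from dataclasses import dataclass

# Scan Privileges is a graded option, not a flag, so it is compared as a level.
SCAN_LEVELS = {"No Scan": 0, "Policy Scanning": 1, "Full Scanning": 2}


@dataclass(frozen=True)
class Role:
    name: str
    scan_privileges: str = "No Scan"
    permissions: frozenset[str] = frozenset()

    def __post_init__(self) -> None:
        if self.scan_privileges not in SCAN_LEVELS:
            raise ValueError(f"unknown scan privilege: {self.scan_privileges!r}")


def excess_permissions(creator: Role, target: Role) -> set[str]:
    """Permissions the target role has that the creator lacks (empty == allowed)."""
    extra = set(target.permissions - creator.permissions)
    if SCAN_LEVELS[target.scan_privileges] > SCAN_LEVELS[creator.scan_privileges]:
        extra.add(f"Scan Privileges: {target.scan_privileges}")
    return extra


def can_assign(creator: Role, target: Role) -> bool:
    """True if a user holding `creator` may create a user holding `target`."""
    return not excess_permissions(creator, target)


def flag_violations(attempts, roles: dict[str, Role]):
    """Entries of an audit trail that break the rule.

    `attempts` holds (user, creator_role, new_role) tuples, as one might
    reconstruct from the Organization logs; returns (user, new_role, excess).
    """
    bad = []
    for user, creator_role, new_role in attempts:
        extra = excess_permissions(roles[creator_role], roles[new_role])
        if extra:
            bad.append((user, new_role, sorted(extra)))
    return bad


# Constructed roles (not SecurityCenter's real defaults).
ROLES = {
    "Analyst": Role("Analyst", "Full Scanning", frozenset({
        "Create Policies", "Create Audit Files", "Accept Risks", "Recast Risks",
        "Create Alerts", "Create Tickets", "View Organization Logs"})),
    "Ticket Handler": Role("Ticket Handler", "Policy Scanning",
                           frozenset({"Create Tickets", "View Organization Logs"})),
    "Feed Admin": Role("Feed Admin", "Full Scanning",
                       frozenset({"Create Policies", "Update Feeds"})),
    "No Role": Role("No Role"),
}

# Constructed audit trail: who tried to create a user with which role.
ATTEMPTS = [
    ("alice", "Analyst", "Ticket Handler"),   # allowed: subset
    ("bob", "Ticket Handler", "Analyst"),     # violation: superset
    ("carol", "Analyst", "Feed Admin"),       # violation: Update Feeds not held
    ("dave", "Analyst", "No Role"),           # allowed: empty set
]

if __name__ == "__main__":
    for entry in flag_violations(ATTEMPTS, ROLES):
        print(entry)
```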

Add Role
Only the administrator and Security Manager users can add new roles. Other user roles do not have this
privilege.
A powerful feature of SecurityCenter is the ability to add new roles. These custom roles can be configured and fine-tuned
to match the duties to be performed by users who are assigned them. Clicking on Add Role displays a screen similar to
the one below:

Add Role Dialog

Please reference the table below for detailed descriptions of each role item:
Table 57 Add User Role

Option

Description

Basic
Name

Custom role name

Description

Custom role description

Scan Permissions
Scan Privileges

Allow user with this role to perform Nessus scans. Available options include:

No Scan: cannot perform scans
Policy Scanning: unable to perform plugin scans. Used without the Create Policies permission, this role can limit a user to a select number of policies for scanning.
Full Scanning: may create policy and plugin based scans

Upload Nessus Scan Results

Allows user with this role to upload Nessus scan results to SecurityCenter.

Create Policies

Allows users with this role to create scan policies.

Create Audit Files

Allows users with this role to upload audit files.

Manage Blackout Windows

Allows user with this role to add, remove, or edit blackout windows.

Asset Permissions
Create LDAP Query Assets

Allows users with this role to create LDAP query assets.

Analysis Permissions
Accept Risks

Allows user with this role to accept risks for vulnerabilities.

Recast Risks

Allows user with this role to recast risks for vulnerabilities.

Organizational Permissions
Share Objects Between
Groups

Allows a user with this role to share an object between different groups.

View Organization Logs

Allows user with this role to view logs for all Organizational users.

User Permissions
Manage Roles

Allows user with this role to manage roles for non-admin SecurityCenter users.

Manage Groups

Allows user with this role to manage group permissions for objects.

Manage Group
Relationships

Allows user with this role to manage the relationships between different groups.

Report Permissions
Manage Report Images

Allows user with this role to add or remove images used in SecurityCenter reports.

Manage Attribute Sets

Allows user with this role to manage the attributes used in reporting.

System Permissions
Update Feeds

Allow user with this role to manually update Nessus, LCE, and PVS plugins and the
SecurityCenter feed.

Workflow Permissions
Create Alerts

Allows users with this role to create custom alerts.

Create Tickets

Allows users with this role to create tickets.

Purge Tickets

Allows users with this role to purge tickets.

Edit
Clicking on the Edit button allows you to change any of the information for any custom role that has been created.
Detail
Clicking on the Detail button displays a summary of the role, such as name, description, number of users and
permissions.
Delete
Clicking on the Delete button displays a window asking if you really want to delete the role and then deletes it after
confirmation.
Deleting a role will cause all users with that role to lose all assigned permissions.

Groups
Beginning in SecurityCenter 4.8, access to security data (repositories and LCEs intersected with defining assets) is controlled through a group hierarchy rather than individual users. User access to security data is granted based on the user's group membership. Users will be able to automatically use Policies, Assets, and other objects created by others in the same group with the appropriate permissions. The new group-based model also allows for more flexibility in user management, object management, and visibility into running scans and reports that is not constrained by the previously used user hierarchy. Utilizing groups in SecurityCenter makes it quicker and simpler to create, maintain, and assign resources to multiple users.

From the Groups page, the name of the group and at least a partial list of users included in the group are displayed in the table. From this page, groups may be added, edited, viewed in detail, and deleted.
Add Group
The following table describes the fields available from the Basic and Group Sharing tabs when adding (or editing) a group.
Table 58 Add Group

Option

Description

Basic
Name

Allows the creation of a name for the group

Description

A text field used to create a description of what the group is used for, such as the
security team at the central office, the executives on the east coast, and other desired
information.

Repositories

Makes one or more repositories available to the group

Viewable IPs

Assigns the IP addresses that are viewable by the group. The selection is made by all
available IP addresses or the selection of one or more asset lists.

LCEs

Assigns one or more LCEs to the group

Group Sharing
Shared Assets

Selects one or more assets to be assigned to the group

Shared Dashboards

Selects one or more dashboards to be assigned to the group

Shared Credentials

Selects one or more credential sets to be assigned to the group

Shared Policies

Selects one or more scan policies to be assigned to the group

Shared Queries

Selects one or more vulnerability queries to be assigned to the group
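The Repositories, LCEs and Viewable IPs fields above are what actually bound a member's view of security data. The following is an added example, not SecurityCenter code, that models that rule: a group grants its members the repositories and LCEs assigned to it, intersected with the group's Viewable IPs (all addresses, or one or more asset lists of CIDR blocks), and a user's visibility is derived purely from group membership. The groups, users and records are constructed samples.

```python
"""Model the group-based data access rule described above.

Added example, not SecurityCenter code. A record is visible to a user when
its source (repository for vulnerabilities, LCE for events) is assigned to the
user's group AND its IP falls within the group's Viewable IPs. All data below
is constructed.
"""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Group:
    name: str
    repositories: frozenset[str] = frozenset()
    lces: frozenset[str] = frozenset()
    viewable_ips: tuple[str, ...] | None = None  # None == all IP addresses

    def ip_visible(self, ip: str) -> bool:
        if self.viewable_ips is None:
            return True
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(block, strict=False)
                   for block in self.viewable_ips)


@dataclass(frozen=True)
class Record:
    source: str                  # repository name (vulnerability) or LCE name (event)
    ip: str
    kind: str = "vulnerability"  # or "event"


def record_visible(group: Group, rec: Record) -> bool:
    """Both conditions must hold: source assigned to the group and IP viewable."""
    sources = group.repositories if rec.kind == "vulnerability" else group.lces
    return rec.source in sources and group.ip_visible(rec.ip)


def visible_records(user: str, user_group: dict[str, str],
                    groups: dict[str, Group], records):
    """Records `user` may see, derived only from the group they belong to."""
    group = groups[user_group[user]]
    return [r for r in records if record_visible(group, r)]


# Constructed sample data.
GROUPS = {
    "NY Security": Group("NY Security", frozenset({"Corp-Repo"}),
                         frozenset({"lce-east"}), ("192.168.10.0/24",)),
    "Executives": Group("Executives", frozenset({"Corp-Repo", "DMZ-Repo"})),
}
USER_GROUP = {"alice": "NY Security", "bob": "Executives"}
RECORDS = [
    Record("Corp-Repo", "192.168.10.5"),            # alice: yes, bob: yes
    Record("Corp-Repo", "10.1.1.1"),                # alice: IP not viewable
    Record("DMZ-Repo", "192.168.10.7"),             # alice: repository not assigned
    Record("lce-east", "192.168.10.5", "event"),    # bob: group has no LCEs
    Record("lce-west", "192.168.10.5", "event"),    # nobody: LCE not assigned
]

if __name__ == "__main__":
    for user in USER_GROUP:
        seen = visible_records(user, USER_GROUP, GROUPS, RECORDS)
        print(user, [(r.source, r.ip) for r in seen])
```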

Edit
Clicking on the Edit button allows you to change any of the information for any custom group that has been created.
Detail
Clicking on the Detail button displays a summary of the group, such as name, description, assigned LCEs, available
repositories, viewable IP addresses, and users assigned to the group.
Delete
Clicking on the Delete button displays a window asking if you really want to delete the group, and then deletes it after
confirmation.

Workflow
The Workflow tab contains options for alerting and ticketing. These functions allow the user to be notified of and properly
handle vulnerabilities and events as they come in.

Alerts
SecurityCenter can be configured to perform actions, such as email alerts, for select vulnerability or alert occurrences to
various users regardless of whether the events correlate to a local vulnerability or not. Other alert actions include UI
notification, ticket creation/assignment, remediation scans, launching a report, and syslog alerting. Many actions can be
assigned per ticket.

Triggered Alert Listing

The user is presented with the ability to Add, Edit, Evaluate, Detail (view details of), and Delete alerts. The
Evaluate option allows an alert to be tested whether or not it has met the configured time criteria.


The screen capture below shows a sample alert configuration page:

Add Alert Dialog

Table 59 Alert Options

  Name
      Alert name.
  Description
      Descriptive text for the alert.
  Data Type
      Vulnerability, Event, or Ticket.
  Query
      The dataset to which the trigger condition will be compared.
  Filters
      Apply advanced filters to the vulnerability or event data. The complete filter set may be
      created here, or if a Query was selected those parameters may be edited. See tables
      8 and 10 for filter options.
  Trigger
      IP Count: trigger on vulnerabilities or events whose IP count matches the given
      parameters.
      Unique Vulnerability/Event Count: trigger an alert when the vulnerability/event
      count matches the given parameters. This option is set to Unique Vulnerability Count
      for vulnerability alerts and Event Count for event alerts.
      Port Count: trigger an alert when the events/vulnerabilities using a certain port
      number match the given parameters.


  Frequency
      How often the alert will check the trigger condition.
  Behavior
      If set to alert on the first occurrence, the alert will only trigger when the condition
      initially changes from false to true.
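The trigger and Behavior options above can be followed in code. The Python script below is an added example written for this page, not SecurityCenter code: it evaluates the three trigger types (IP Count, Unique Vulnerability Count, Port Count) against a small constructed set of findings and implements the first-occurrence behavior, firing only when the condition changes from false to true between two scheduled checks. The Finding record, the severity/port filter, the Alert class, and the inclusion of a "<=" operator are assumptions made for the example.

```python
"""Alert trigger evaluation modelled on the Table 59 options (added example)."""
import operator
from collections import namedtuple

# Constructed sample findings (not real scan data): one row per vulnerability
# result, as an alert's Query/Filters would return it.
Finding = namedtuple("Finding", "ip plugin_id port severity")

SAMPLE_FINDINGS = [
    Finding("10.0.0.5", 10001, 443, "High"),
    Finding("10.0.0.5", 10002, 22, "Medium"),
    Finding("10.0.0.6", 10001, 443, "High"),
    Finding("10.0.0.7", 10003, 3389, "Critical"),
    Finding("10.0.0.7", 10001, 443, "High"),
]

# Comparison operators for the trigger threshold ("<=" is an assumption here).
OPERATORS = {">=": operator.ge, "<=": operator.le, "=": operator.eq, "!=": operator.ne}


def apply_filters(findings, severity=None, port=None):
    """Reduce the dataset the way the alert's Filters do; severity and port
    are the two filter attributes modelled in this example."""
    return [f for f in findings
            if (severity is None or f.severity == severity)
            and (port is None or f.port == port)]


def ip_count(findings):
    """IP Count trigger: number of distinct hosts in the result set."""
    return len({f.ip for f in findings})


def unique_vuln_count(findings):
    """Unique Vulnerability Count trigger: number of distinct plugin IDs."""
    return len({f.plugin_id for f in findings})


def port_count(findings, port):
    """Port Count trigger: number of results on the given port."""
    return sum(1 for f in findings if f.port == port)


class Alert:
    """One alert definition: trigger type, operator, threshold and Behavior."""

    def __init__(self, name, trigger, op, value, first_occurrence_only=False, port=None):
        if op not in OPERATORS:
            raise ValueError("unsupported operator %r" % op)
        self.name = name
        self.trigger = trigger
        self.op = op
        self.value = value
        self.first_occurrence_only = first_occurrence_only
        self.port = port
        self.condition_was_true = False  # remembered between scheduled checks

    def calculated_value(self, findings):
        """The %calculatedValue% for this trigger over the current dataset."""
        if self.trigger == "IP Count":
            return ip_count(findings)
        if self.trigger == "Unique Vulnerability Count":
            return unique_vuln_count(findings)
        if self.trigger == "Port Count":
            return port_count(findings, self.port)
        raise ValueError("unknown trigger %r" % self.trigger)

    def evaluate(self, findings):
        """Run one scheduled check and return (fired, calculated_value).

        With first_occurrence_only the alert fires only on the false->true
        transition of the condition, as the Behavior option describes;
        otherwise it fires on every check where the condition holds."""
        calculated = self.calculated_value(findings)
        condition = OPERATORS[self.op](calculated, self.value)
        if self.first_occurrence_only:
            fired = condition and not self.condition_was_true
        else:
            fired = condition
        self.condition_was_true = condition
        return fired, calculated


if __name__ == "__main__":
    alert = Alert("hosts with High findings", "IP Count", ">=", 3,
                  first_occurrence_only=True)
    high = apply_filters(SAMPLE_FINDINGS, severity="High")
    # Four checks: condition true, still true, drops to false, true again.
    for cycle, data in enumerate([high, high, high[:1], high], 1):
        fired, value = alert.evaluate(data)
        print("check %d: calculated value %d, fired=%s" % (cycle, value, fired))
```

In the demo run the alert fires on the first and fourth checks only: the second check sees the same true condition and is suppressed by the first-occurrence behavior, and the third check resets the state when the filtered IP count drops below the threshold.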

Clicking on Add New Action will present you with the following options:
Use email alerts to interface with third-party ticketing systems by adding variables in the message field.

Table 60 Alert Action Definition Options

Email
  Subject
      Subject line of the alert email.
  Message
      Message of the alert email. Within the message body, the following variables can be
      defined for email message customization:
        Alert ID: designated with the variable %alertID%, this specifies the unique
          identification number assigned to the alert by SecurityCenter.
        Alert name: designated with the variable %alertName%, this specifies the name
          assigned to the alert (e.g., Test email alert).
        Trigger Name: designated with the variable %triggerName%, this specifies if the
          trigger is IP count, Vulnerability count, or Port count.
        Trigger Operator: designated with the variable %triggerOperator%, this specifies
          which operator was used for the count: >=, =, >= or !=
        Trigger value: designated with the variable %triggerValue%, this specifies the
          specific threshold value set that will trigger the alert.
        Calculated value: designated with the variable %calculatedValue%, this specifies
          the actual value that triggered the alert.
        Alert Name: designated with the variable %alertName%, this specifies the name
          given to the alert within SecurityCenter.
        Alert owner: designated with the variable %owner%, this specifies the user that
          created the alert.
        SC4 URL: designated with the variable %url%, this specifies the URL that the
          SecurityCenter can be accessed with. This is useful where the URL that users can
          access SecurityCenter with differs from the URL known by SecurityCenter.
      The sample email alert below contains some of these keywords embedded into an
      HTML email:


        Alert <strong>%alertName%</strong> (id #%alertID%) has triggered.
        <strong>Alert Definition:</strong> %triggerName% %triggerOperator% %triggerValue%
        <strong>Calculated Value:</strong> %calculatedValue%
        Please visit your SecurityCenter (<a href="%url%">%url%</a>) for more information.
        This e-mail was automatically generated by SecurityCenter as a result of alert
        <strong>%alertName%</strong> owned by <strong>%owner%</strong>.
        If you do not wish to receive this email, contact the alert owner.
  Include Results
      If this check box is checked, the query results (maximum of 500) that triggered the
      alert are included in the email.
  Users
      Users who will be emailed. The user email address is used with this function.
      If a user is configured within the email action and that user is deleted, the
      action field within the alert turns red. In addition, a notification is displayed
      for the new alert owner with the new alert status. To resolve this, edit the
      alert action definitions and choose Edit Action to apply the correct user(s).
  Email Addresses
      Additional email addresses to send the alert to. For multiple recipients, add one email
      address per line or use a comma-separated list.

Notify
  Notification Message
      Custom notification message to generate when the alert triggers.
  Assignees
      Users who will receive the notification message.

Syslog
  Host
      Host that will receive the syslog alert.
  Port
      UDP port used by the remote syslog server.
  Severity
      Severity level of the syslog messages (Critical, Warning, or Notice).
  Message
      Message to include within the syslog alert.

Assign Ticket
  Name
      Name assigned to the ticket.


  Description
      Ticket description.
  Assignee
      User who will receive the ticket.

Scan
  Scan Template
      Scan template to be used for the alert scan. Allows the user to select from a list of
      available scan templates to launch a scan against a triggered host.
      The scanned host will be the host that triggered the scan and not the host
      within the scan template itself. IPs used for the scan targets are limited to
      the top 100 results of the alert query.

Report
  Report Template
      Allows the user to select an existing report template and generate the report based on
      triggered alert data.
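The Email and Syslog actions in Table 60 both turn alert data into a message that leaves SecurityCenter. The Python script below is an added example, not SecurityCenter code, showing what a receiving side can expect from each: the guide's sample HTML body is rendered by substituting its %variable% placeholders, with every value HTML-escaped so an alert name containing markup appears as text, and an unknown placeholder is reported rather than left in the email; for syslog, the three severity names offered by the action are mapped to their standard RFC 5424 codes to form the PRI field of an RFC 3164 style record, and line breaks in the message are collapsed so one alert produces exactly one record. The sample values, the local0 facility, and the hostname/tag fields are assumptions made for the example.

```python
"""Alert action payloads: HTML email rendering and syslog formatting (added example)."""
import html
import re

# The guide's sample email body, with its %variable% names.
EMAIL_TEMPLATE = (
    "Alert <strong>%alertName%</strong> (id #%alertID%) has triggered.\n"
    "<strong>Alert Definition:</strong> %triggerName% %triggerOperator% %triggerValue%\n"
    "<strong>Calculated Value:</strong> %calculatedValue%\n"
    'Please visit your SecurityCenter (<a href="%url%">%url%</a>) for more information.\n'
    "This e-mail was automatically generated by SecurityCenter as a result of alert "
    "<strong>%alertName%</strong> owned by <strong>%owner%</strong>."
)

# Constructed values for one triggered alert (the name deliberately contains markup).
SAMPLE_VALUES = {
    "alertName": "Test <script>alert(1)</script>",
    "alertID": 42,
    "triggerName": "IP Count",
    "triggerOperator": ">=",
    "triggerValue": 3,
    "calculatedValue": 5,
    "url": "https://sc.example.test/?a=1&b=2",
    "owner": "secadmin",
}

PLACEHOLDER = re.compile(r"%([A-Za-z]+)%")


def missing_placeholders(template, values):
    """Names used in the template that have no value (e.g. a typo such as %alertNmae%)."""
    return sorted(set(PLACEHOLDER.findall(template)) - set(values))


def render_email(template, values):
    """Substitute every %name% placeholder, HTML-escaping the values because
    the body is HTML. Raises if any placeholder would be left unrendered."""
    missing = missing_placeholders(template, values)
    if missing:
        raise KeyError("no value for placeholder(s): %s" % ", ".join(missing))
    return PLACEHOLDER.sub(lambda m: html.escape(str(values[m.group(1)]), quote=True),
                           template)


# Severity names offered by the Syslog action and their RFC 5424 numeric codes.
SYSLOG_SEVERITY = {"Critical": 2, "Warning": 4, "Notice": 5}
FACILITY_LOCAL0 = 16  # assumed facility; the guide does not state one


def syslog_pri(severity_name, facility=FACILITY_LOCAL0):
    """PRI = facility * 8 + severity, as written in the <PRI> prefix."""
    return facility * 8 + SYSLOG_SEVERITY[severity_name]


def build_syslog_record(severity_name, message, timestamp, hostname="securitycenter",
                        tag="SecurityCenter", facility=FACILITY_LOCAL0):
    """Format an RFC 3164 style record: <PRI>TIMESTAMP HOSTNAME TAG: MSG.

    CR/LF in the message are collapsed to single spaces so the receiving
    syslog server stores one record per alert instead of splitting a
    multi-line message into several partial records."""
    one_line = re.sub(r"[\r\n]+", " ", message).strip()
    return "<%d>%s %s %s: %s" % (syslog_pri(severity_name, facility), timestamp,
                                hostname, tag, one_line)


if __name__ == "__main__":
    print(render_email(EMAIL_TEMPLATE, SAMPLE_VALUES))
    print(build_syslog_record("Warning", "Alert %s fired\non 5 hosts" % SAMPLE_VALUES["alertName"],
                              "Dec 16 10:00:00"))
```

The rendered record is what the Host/Port configured in the Syslog action would receive over UDP; sending it is a single datagram to that host and port, which is left out here so the example runs offline.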

Tickets
Tickets can be created both manually and automatically by a predefined set of conditions through the alerting functionality
described above.
Tickets are created from the Workflow -> Tickets view or when viewing vulnerabilities or events through the analysis tools.
Tickets contain the following fields:
Table 61 Ticket Options

  Name
      Name assigned to the ticket.
  Description
      Descriptive text for the ticket.
  Notes
      Notes for the ticket assignee.
  Status (Available during edit)
      The following ticket statuses become available after a ticket has been created and are
      available from the Edit screen:
        Assigned
        More Information
        Not Applicable
        Duplicate
        Resolved
        Closed
  Assignee
      User that the ticket is assigned to.
      If the ticket assignee is deleted, the ticket is automatically reassigned to
      the assignee's owner along with a notification message indicating that the
      ticket has been reassigned.
  Classification
      Ticket classification can be selected from a drop-down list containing such items as
      Information, Configuration, Patch, Disable, False Positive, and many others.
  Data Type
      Vulnerability or Event.
  Take Snapshot
      Allows a snapshot of query results to be saved for the ticket assignee.
  Queries
      List of queries generated from the Take Snapshot option for the ticket assignee to
      assist with resolution.

In addition to adding and editing tickets, a Browse command button is available. This option enables the user to view
the vulnerability snapshot added during ticket creation. The displayed view matches the query that was used by the ticket.
To return to the ticket view, click on the white arrow displayed on the left-hand side of the screen.
To view details about an existing ticket, either use the Edit button to view options that were set during the Add Ticket
process or use the Details button to view a Ticket Detail summary with the name, status, creator, assignee, history,
queries, description, and ticket notes.
Once a ticket has been mitigated, click on Update to provide ticket resolution.

Ticket Resolution

Within the Status drop-down, the user can select from one of the following status options: Resolved, More Information,
Duplicate, or Not Applicable. Choose the correct status and add notes relevant to the ticket resolution. Resolved tickets
still show up in the user's ticket queue with an Active status. Closing a ticket removes the ticket from the Active status
filter view, but does not provide the ability to add notes similar to the Update Ticket function. Tickets in the Resolved
or Closed state can always be reopened as needed. The final option is Purge Tickets.
Purged tickets are removed completely from SecurityCenter. Do not perform this option unless you are certain
that the tickets are no longer needed.


This option is available, by default, only to the Security Manager user and is used to remove tickets based on date criteria.
Clicking on the Purge Tickets command button displays the following dialog:

Ticket Purge Dialog

Only closed tickets can be purged and purged tickets are removed permanently from the system.

Accept Risk Rules

The Accept Risk Rules section lists the currently created rules of accepted risks. This enables users to obtain information
on what particular vulnerabilities or hosts have been declared to be accepted and, if noted in the comments, the reason.
Rules may be searched by Plugin ID or Repository. If a vulnerability is determined to be unaccepted, the rule may be
selected and deleted.

Recast Risk Rules

The Recast Risk Rules section lists the currently created rules of recast risks. This enables users to obtain information on
what particular vulnerabilities or hosts have had risk levels recast, their new severity level and, if noted in the comments,
the reason for the severity change. Rules may be searched by Plugin ID or Repository. If a vulnerability is to be reset to its
original severity level, the rule may be deleted.

Plugins
Plugins are scripts used by the Nessus, PVS, and LCE servers to interpret vulnerability data. For ease of operation,
Nessus and PVS plugins are managed centrally by SecurityCenter and pushed out to their respective scanners. LCE
servers download their own event plugins and SecurityCenter downloads event plugins for its local reference.
SecurityCenter does not currently push event plugins to LCE servers.
Within the Plugins interface, the user can perform a wide variety of plugin-related functions, including
updating active, passive, and event plugins, uploading custom plugins, viewing plugin details and source, and searching for
specific plugins. Clicking on the Plugins tab displays a page similar to the one below:


Plugin Listing

Update Plugins
Immediately after installing SecurityCenter, plugins are automatically updated and then updated on a regular scheduled
basis. Manually updating plugins simply involves clicking on the command button and waiting for the process to complete.
Due to the large quantity of plugins and inconsistency of network speeds, this process can take a long time to complete.
The date and time of the last successful plugin update is displayed for each type at the top of the page to the right of the
Upload Plugins command button. After a successful download, the plugins are displayed in the plugin table with the date
or number of hours or days of the last successful download in the Date Downloaded field.

Upload Plugins
Clicking on Upload Plugins opens a dialog box that allows the user to upload one or more active, passive, event, or
custom plugins. Choose Custom for any active, passive, or event plugins that you have created. All custom plugins
must have unique Plugin ID numbers and have family associations based on existing SecurityCenter families. Choose
Active, Passive, or Event for the appropriate type of Tenable-provided signed plugins.
Custom plugin uploads must now be a complete feed. In order to upload custom plugins, the provided
tar.gz file must include the relevant NASLs and a custom_feed_info.inc file comprised of the
following two lines:

    PLUGIN_SET = "201202131526";
    PLUGIN_FEED = "Custom";

The administrator must manage this file and update the PLUGIN_SET option for each upload. The
PLUGIN_SET format is YYYYMMDDHHMM.
For example, running the following command against the custom_feed_info.inc file and custom plugins
in a directory will create a new tar and gzipped uploadable archive file called
custom_nasl_archive.tar.gz that contains both custom plugins:

    # tar -cvzf custom_nasl_archive.tar.gz custom_feed_info.inc *.nasl

It is recommended that the custom_nasl_archive.tar.gz file be updated for each addition and update of
custom NASLs.
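As an added example (not part of the guide or of any Tenable tool), the Python script below builds the same archive in memory with the standard tarfile module and checks it before upload: custom_feed_info.inc is generated from a PLUGIN_SET that is validated against the YYYYMMDDHHMM format, PLUGIN_FEED is fixed to Custom, every member must be a plain file name ending in .nasl, and an optional previous PLUGIN_SET refuses an archive whose set does not advance past the last upload. The NASL contents are constructed placeholders, and the previous-set check is an assumption added for the example rather than a documented SecurityCenter rule.

```python
"""Build and verify a custom plugin feed archive for Upload Plugins (added example)."""
import io
import re
import tarfile
import time
from datetime import datetime

FEED_INFO_NAME = "custom_feed_info.inc"
PLUGIN_SET_RE = re.compile(r"^\d{12}$")  # YYYYMMDDHHMM


def is_valid_plugin_set(value):
    """PLUGIN_SET must be 12 digits that also form a real date and time."""
    if not PLUGIN_SET_RE.match(value):
        return False
    try:
        datetime.strptime(value, "%Y%m%d%H%M")
    except ValueError:
        return False
    return True


def make_feed_info(plugin_set, feed="Custom"):
    """Render the two-line custom_feed_info.inc file from the guide."""
    if not is_valid_plugin_set(plugin_set):
        raise ValueError("PLUGIN_SET must be YYYYMMDDHHMM, got %r" % plugin_set)
    return 'PLUGIN_SET = "%s";\nPLUGIN_FEED = "%s";\n' % (plugin_set, feed)


def parse_feed_info(text):
    """Parse KEY = "value"; lines back into a dict."""
    return dict(re.findall(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*;', text, re.M))


def build_custom_archive(nasl_files, plugin_set, previous_plugin_set=None):
    """Return tar.gz bytes holding custom_feed_info.inc plus every NASL in
    nasl_files (mapping of file name -> NASL source). When the last uploaded
    PLUGIN_SET is known, refuse to reuse it or go backwards (assumed check:
    the guide only says the set must be updated for each upload)."""
    if not nasl_files:
        raise ValueError("a custom feed needs at least one .nasl file")
    if previous_plugin_set is not None and plugin_set <= previous_plugin_set:
        raise ValueError("PLUGIN_SET %s does not advance past %s"
                         % (plugin_set, previous_plugin_set))
    members = {FEED_INFO_NAME: make_feed_info(plugin_set)}
    for name, source in nasl_files.items():
        if not name.endswith(".nasl") or "/" in name or name.startswith("."):
            raise ValueError("unexpected member name %r" % name)
        members[name] = source
    buf = io.BytesIO()
    now = int(time.time())
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in members.items():
            data = text.encode("utf-8")
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            info.mtime = now
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def verify_custom_archive(blob):
    """Pre-upload check: feed info present and well formed, PLUGIN_FEED is
    Custom, at least one .nasl, and no path components in member names.
    Returns (feed_info dict, sorted list of NASL names)."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        names = tar.getnames()
        if FEED_INFO_NAME not in names:
            raise ValueError("archive lacks %s" % FEED_INFO_NAME)
        for name in names:
            if "/" in name or name.startswith("."):
                raise ValueError("member %r is not a plain file name" % name)
        info = parse_feed_info(tar.extractfile(FEED_INFO_NAME).read().decode("utf-8"))
        if not is_valid_plugin_set(info.get("PLUGIN_SET", "")):
            raise ValueError("bad or missing PLUGIN_SET")
        if info.get("PLUGIN_FEED") != "Custom":
            raise ValueError("PLUGIN_FEED must be Custom")
        nasls = sorted(n for n in names if n.endswith(".nasl"))
        if not nasls:
            raise ValueError("archive contains no .nasl files")
        return info, nasls


# Constructed placeholder NASL sources, not real plugins.
SAMPLE_NASLS = {
    "custom_one.nasl": "# constructed placeholder NASL\n",
    "custom_two.nasl": "# constructed placeholder NASL\n",
}

if __name__ == "__main__":
    archive = build_custom_archive(SAMPLE_NASLS, datetime.now().strftime("%Y%m%d%H%M"))
    with open("custom_nasl_archive.tar.gz", "wb") as fh:
        fh.write(archive)
    print(verify_custom_archive(archive))
```

Because PLUGIN_SET is a fixed-width digit string, a plain string comparison orders sets chronologically, which is what the previous-set check relies on; running verify_custom_archive over an archive produced by the tar command above gives the same pre-upload check for hand-built feeds.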


Plugin Upload Dialog

After browsing for the plugin archive and uploading it, confirm the plugin type and whether you wish to override previous
custom plugins and then click on Add to extract the plugins to your SecurityCenter. Shortly after completion a
notification message is displayed indicating a successful plugin upload.

Other Plugin Options

Other plugin options include Detail, Source, and Search. The Details option loads a pop-up with plugin details such as
Plugin ID, Plugin Name, Family, Plugin Type, Version, Plugin Publication Date, Plugin Modification Date, CVE/BID, CVSS
Score, CVSS Vector, Description, and Solution. The Source option displays the source code of the plugin for the user to
review. The Search option allows searches for plugins based on several plugin attributes including: ID, Name, Description,
Type, Family, CVE, BID (Bugtraq ID number), MSFT (Microsoft Bulletin), Cross References, and Exploit Available.

About Tenable Network Security

Tenable Network Security provides continuous network monitoring to identify vulnerabilities, reduce risk, and ensure
compliance. Our family of products includes SecurityCenter Continuous View, which provides the most comprehensive
and integrated view of network health, and Nessus, the global standard in detecting and assessing network data.
Tenable is relied upon by more than 24,000 organizations, including the entire U.S. Department of Defense and many of
the world's largest companies and governments. We offer customers peace of mind thanks to the largest install base, the
best expertise, and the ability to identify their biggest threats and enable them to respond quickly.
For more information, please visit tenable.com.
