How to see the Tenable "Source" field within Vulnerability Response (Agent vs Scan)

D_SantiagoHQY · 4 hours ago

Hello!

We use Tenable.IO with VR, we have both network scans and agent scans. My end goal here is to be able to see at the individual VIT record if the vulnerability was discovered by a Nessus Agent, or through the Nessus Scan (over the network). I cannot use the "Has Agent" field on the Discovered Item table, to my knowledge we researched this and saw vulnerabilities from Tenable Network Scanner on an item that said "Has Agent" = "True".

I'm trying to see how I could navigate from the Vulnerable Item record, to a field on the "sn_vul_tenable_io_vi_import" table. We've got a field there (that I'm assuming is custom because of the u_ prefix) that can tell me if a Tenable vulnerability was agent or network based. It's called u_source.

I can't figure out how to dot walk or even what the reference key would be between the two tables.

Has anyone done this? Or is there another way to solve this issue?

andy_ojha · 2 hours ago

Hey there,

One idea to consider testing out, is leverage Asset Tagging in Tenable.IO

- You could look at a filter based on assets with a Scan Source (i.e. Nessus Agent vs Nessus Scan)
- Then create a new Tag value for each filter
- E.g. "Src_Nessus_Scan" vs ""Src_Nessus_Agent"

On the Discovered Items, those tag values would be mapped to the Resource Tag field

You could then dot-walk, from the Vulnerable Item > Discovered Item > Resource Tag ...
- Show me VITs where the Discovered Item > Resource Tag, has a value of "Src_Nessus_Scan"

- Show me VITs where the Discovered Item > Resource Tag, has a value of "Src_Nessus_Agent"

Would say it's worth time to explore, and the dynamic Asset Tagging you setup in Tenable.IO could be used for similar neat use-cases in Vulnerability Response.

These are the filters in Tenable.IO that can shape the Asset Tagging (see the Source filter object)
- https://docs.tenable.com/vulnerability-management/Content/Explore/asset-filters.htm