How to see the Tenable "Source" field within Vulnerability Response (Agent vs Scan)
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
3 weeks ago
Hello!
We use Tenable.IO with VR, we have both network scans and agent scans. My end goal here is to be able to see at the individual VIT record if the vulnerability was discovered by a Nessus Agent, or through the Nessus Scan (over the network). I cannot use the "Has Agent" field on the Discovered Item table, to my knowledge we researched this and saw vulnerabilities from Tenable Network Scanner on an item that said "Has Agent" = "True".
I'm trying to see how I could navigate from the Vulnerable Item record, to a field on the "sn_vul_tenable_io_vi_import" table. We've got a field there (that I'm assuming is custom because of the u_ prefix) that can tell me if a Tenable vulnerability was agent or network based. It's called u_source.
I can't figure out how to dot walk or even what the reference key would be between the two tables.
Has anyone done this? Or is there another way to solve this issue?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
3 weeks ago
Hey there,
One idea to consider testing out, is leverage Asset Tagging in Tenable.IO
- You could look at a filter based on assets with a Scan Source (i.e. Nessus Agent vs Nessus Scan)
- Then create a new Tag value for each filter
- E.g. "Src_Nessus_Scan" vs ""Src_Nessus_Agent"
On the Discovered Items, those tag values would be mapped to the Resource Tag field
You could then dot-walk, from the Vulnerable Item > Discovered Item > Resource Tag ...
- Show me VITs where the Discovered Item > Resource Tag, has a value of "Src_Nessus_Scan"
- Show me VITs where the Discovered Item > Resource Tag, has a value of "Src_Nessus_Agent"
Would say it's worth time to explore, and the dynamic Asset Tagging you setup in Tenable.IO could be used for similar neat use-cases in Vulnerability Response.
These are the filters in Tenable.IO that can shape the Asset Tagging (see the Source filter object)
- https://docs.tenable.com/vulnerability-management/Content/Explore/asset-filters.htm
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
3 weeks ago
Hi! Thanks for replying! Tags only apply at the asset level, so that won't work for this as I've got assets where they are scanned by the network scan & an agent. Thus, at most I'd just know that the asset has agent and network scans, which I do already leverage with "has agent".
I need something at the VIT level, and it seems like the table I've listed above has the info I need, I just don't know how to get there from the VIT.
