Background:

Data display logic is different between Vulcan and Tenable.

  • Vulcan displays all the active assets (i.e., last seen < 14/30/90 days, depends on the environment configuration) and shows all the vulnerability - instances that are related to the active asset.

  • Tenable displays only the vulnerability instances from the last 14/30/90 days, meaning that if a vulnerability or an asset is older than the filtering criteria, the filter will not display it.

This difference causes confusion in cases when the customer sees a different number of vulnerabilities that affect a specific asset (i.e. number of vulnerability - instances) between Vulcan and Tenable.

Initial checks to perform:

  1. Check what's the "Inactive Hosts" configuration is in your account, i.e., the number of days the data is shown in the Vulcan platform

    Go to Settings > Administration > Inactive hosts

  2. Make sure that in every view (Assets view or Vulnerabilities view) in Tenable, you choose the same number of days:

Important Note: A vulnerability - Instance investigation should be done from the Assets view in Tenable

Investigation steps:

Take a single vulnerability that has a different amount of affected assets between Vulcan and Tenable

  1. Go to Vulcan > Search for the vulnerability > click on Export

    Save the downloaded CSV file

  2. Go to Tenable > Search for the same vulnerability > Actions > Export > CSV.

    You can export all the available fields, or choose several columns for the export (FQDN, Host, Last Seen, First Seen)

  3. Compare between the exported CSVs to find the assets that appear in Vulcan and not in Tenable

  4. Find the asset that appears in Vulcan and not in Tenable - and save its name

  5. Go to Vulcan and make sure that the asset is active: Assets view > Search for the asset > check the "Last Seen" column

  6. Go to the Assets view in Tenable: left sidebar >> Assets

  7. Search for the asset. Make sure that the number of days to show the data is aligned with Vulcan's properties.

  8. Click on the asset and review its data. In the upper right corner, it will show how many vulnerabilities does it have, according to the "days" filter.

  9. Choose last 30 days > See if the number of vulnerabilities in the upper right corner is updated:

    1. If yes - click on the vulnerabilities > search for the vulnerability you started with:

      1. Click on Export > check the last seen of the vulnerability and make sure that it is greater than "Last X Days" that is chosen in the filter.

      That proves that the vulnerability age is older than the number of days configured in the Vulcan platform, that is why:

      1. Tenable does not display this vulnerability instance under the active asset;

      2. Vulcan does display it since the asset is active and in this case, all the vulnerability instances of the active assets are displayed.

    2. If no - Choose the "last 90 days" in the days' filter and repeat the previous step.

Summary

Vulcan does not assume that the vulnerability is fixed until we don't get confirmation from the scanner.
Until then - Vulcan displays all the vulnerability instances of the active assets.

Did this answer your question?