How to investigate Tenable data
Since in both Vulcan and Tenable you can set the time frame of the history you'd like to see, make sure the two time frames align before comparing (both default to 30 days).
One more thing to account for is the scan interval. Vulcan pulls the data from Tenable once a day, and it takes some time to ingest the data. Make sure that this process has finished ("Connected" status on the connectors) and that you are looking at data newer than that timestamp; a mismatch here causes differences in the numbers.
Number of unique vulnerabilities
This is the number of currently alive vulnerabilities in the entire account. In Tenable, you get to that number by navigating to the Vulnerabilities page. At the end of the vulnerabilities table you'll see a number:
In this case it's 365 unique vulnerabilities. Mind that it is different from the number at the top of the table, which shows the number of vulnerability instances and is covered in a separate section.
In Vulcan - you should see the same number in the vulnerabilities table - under the Vulnerable tab:
Number of unique assets
Vulcan pulls Tenable data via the API. Tenable's API shows only licensed assets. To get that number in the Tenable UI and compare the data properly, you'll have to filter the unlicensed assets out.
To do so, go to the assets table and filter to "is licensed=True".
The result will yield a number that can be compared against the Vulcan UI - in the top right widget:
Number of Vulnerability Instances
These are essentially the connections between vulnerabilities and assets. To get that number in Tenable's UI, simply click on the vulnerability table and look at the number called Total Count:
In Vulcan, you can see this number straight off the dashboard, in the "Vulnerability instances and risk over time" widget:
If you have more than 1 scanner, you can use the vulnerability table "export" option by filtering with the correct scanner name:
You'll get a CSV with the exact amount (remember to subtract 1 for the header row).
What happens over time?
Vulnerability management is dynamic, and numbers might start to shift - what does that mean?
Vulnerability moves to fixed - Tenable will indicate that the vulnerability is fixed, Vulcan will ingest the data, and you should see the numbers align. You can drill down in each vulnerability to see the flow.
Vulnerability "disappeared" - there are certain cases in Tenable where the vulnerability is not reported as fixed but is no longer there. Most of the time it's because the asset is not seen anymore. In these cases, Vulcan will treat the vulnerability as Fixed, so it will be removed from the counts to match Tenable but will stay in the audit history.
Archiving Assets - Both Tenable and Vulcan have a setting to delete stale assets (assets that have not been seen in the last X days). If Vulcan is set to a lower number (by default, it's not), these vulnerability instances might still be visible in Tenable but removed from Vulcan; the numbers will align eventually once the Tenable threshold is reached.
Culprits to avoid
Looking at specific scan data - scan data is not what Vulcan aims to pull, Vulcan aims to pull the overall status. Scan data might be confusing since it might show "dead" hosts just so you know you scanned them - but they pose no risk since they don't exist. Tenable treats it the same way - by not adding them to the assets table.
Informational severity findings - These can be seen by looking in Tenable in the asset view/scan view. They are not seen in the Vulnerability table, since they are not actually vulnerabilities. Vulcan filters them out as well.
Scans in Tenable can be marked as "Keep private" - for the scan data. This means that the findings cannot be pulled off the API, which will skew the numbers.
How to pull all tags from Tenable
Vulcan automatically pulls Tenable tags, as long as two conditions apply:
The tag relates to at least 1 asset.
The asset on the tag was scanned in the last 30 days.
How to verify these conditions apply on Tenable before connecting to Vulcan?
To verify the tag relates to assets:
On the new interface, go to Settings --> Tagging --> choose a specific tag.
On the tag page, you can see it matched to a # of assets:
To verify the asset was scanned in the last 30 days:
Search for an asset that relates to the tag you are looking for, by searching by the tag name in the assets advanced search:
Choose 1 of the assets on the list and open the asset page. On the asset page, you can see the tag is applied to this asset, and that the asset was last seen in the last 30 days.
Lastly, when you enter the Vulcan platform, you can see this specific tag:
How to compare the asset count between Vulcan and Tenable
When first configuring the Tenable.io connector to Vulcan, it is highly recommended to conduct a data comparison between the numbers.
The two most common reasons for asset count differences are:
Licensed assets - Vulcan ingests only licensed assets, while the Tenable UI shows all the assets.
Limited access - The Vulcan user created for the connector has limited access due to configuration on access groups on the Tenable side.
Since March-18, Vulcan is able to ingest only licensed assets from Tenable.
To see the number of licensed assets on Tenable, check the following:
1. Enter Tenable and go to Settings --> License
2. See the number of Licensed assets your organization has:
3. Now make sure you see all the available licensed assets before going to the specific comparisons.
Go to the assets view --> Choose to see the last 90 days:
4. On the same view, go to the search and apply the filters:
"Is licensed" - "Is equal to" - "True".
"Is deleted" - "Is equal to" - "False".
5. Next to the search, you will see the number of licensed assets from the last 90 days.
6. Now that we have verified that the number in the assets table matches the licensed assets number from the settings, change the time frame from "90 days" back to "30 days" for the comparison with Vulcan:
7. Now, next to the search, we can see the licensed assets that are active in the last 30 days. This is the default time frame Vulcan is ingesting. Now you will see a lower number of assets:
8. Go to Vulcan --> Assets view --> Tenable assets count:
Limited access due to Access groups configuration
Another option that can cause different asset counts is if the Vulcan user has limited access by being configured to an access group with limited capabilities.
To check if the Vulcan user has limited access, check the following:
1. Go to Settings --> Users
2. Hover over the Vulcan user, and find the "User Assist" option on the right side.
3. Click on the "User Assist" option.
4. Now, you will see the numbers that the user is exposed to:
If the numbers you are seeing as the Vulcan user are different from the numbers you are expecting to see, the Vulcan user has limited access and is under a limited access group.
To change that, go to the "Access group" section and add the Vulcan user to the same group that your user has access to.
How to investigate the number of affected assets by a specific vulnerability in Vulcan vs. Tenable
Data display logic is different between Vulcan and Tenable.
Vulcan displays all the active assets (i.e., last seen < 14/30/90 days, depending on the environment configuration) and shows all the vulnerability instances that are related to the active asset.
Tenable displays only the vulnerability instances from the last 14/30/90 days, meaning that if a vulnerability or an asset is older than the filtering criteria, the filter will not display it.
This difference causes confusion when the customer sees a different number of vulnerabilities affecting a specific asset (i.e., number of vulnerability instances) between Vulcan and Tenable.
Initial checks to perform:
Check what the "Inactive Hosts" configuration is in your account, i.e., the number of days the data is shown in the Vulcan platform
Go to Settings > Administration > Inactive hosts
Make sure that in every view (Assets view or Vulnerabilities view) in Tenable, you choose the same number of days:
Important Note: A vulnerability instance investigation should be done from the Assets view in Tenable
Take a single vulnerability that has a different amount of affected assets between Vulcan and Tenable
Go to Vulcan > Search for the vulnerability > click on Export
Save the downloaded CSV file
Go to Tenable > Search for the same vulnerability > Actions > Export > CSV.
You can export all the available fields, or choose several columns for the export (FQDN, Host, Last Seen, First Seen)
Compare the exported CSVs to find the assets that appear in Vulcan and not in Tenable
Find the asset that appears in Vulcan and not in Tenable - and save its name
Go to Vulcan and make sure that the asset is active: Assets view > Search for the asset > check the "Last Seen" column
Go to the Assets view in Tenable: left sidebar >> Assets
Search for the asset. Make sure that the number of days to show the data is aligned with Vulcan's properties.
Click on the asset and review its data. The upper right corner shows how many vulnerabilities it has, according to the "days" filter.
Choose last 30 days > See if the number of vulnerabilities in the upper right corner is updated:
If yes - click on the vulnerabilities > search for the vulnerability you started with:
Click on Export > check the Last Seen value of the vulnerability and make sure that it is greater than the "Last X Days" chosen in the filter.
That proves that the vulnerability age is older than the number of days configured in the Vulcan platform, which is why:
Tenable does not display this vulnerability instance under the active asset;
Vulcan does display it since the asset is active and in this case, all the vulnerability instances of the active assets are displayed.
If no - Choose the "last 90 days" in the days' filter and repeat the previous step.
Vulcan does not assume that the vulnerability is fixed until we get confirmation from the scanner.
Until then - Vulcan displays all the vulnerability instances of the active assets.
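The CSV comparison described above can be scripted. The following is an added example, not part of the Vulcan or Tenable tooling: it classifies each asset from the Vulcan export against a Tenable export of the same vulnerability taken with the 90-day filter. The header names ("Asset Name", "FQDN", "Host", "Last Seen"), the ISO timestamp format and the sample rows are assumptions; adjust them to your exported files.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample exports; header names are assumptions, adjust to your files.
VULCAN_CSV = """Asset Name,Last Seen
web01.example.test,2024-05-28T08:00:00Z
DB01.example.test.,2024-05-27T09:30:00Z
app07.example.test,2024-05-29T11:15:00Z
"""
# Tenable export of the same vulnerability, taken with the 90-day filter.
TENABLE_CSV = """FQDN,Host,Last Seen,First Seen
web01.example.test,10.0.0.11,2024-05-28T07:55:00Z,2024-01-10T00:00:00Z
db01.example.test,10.0.0.12,2024-04-02T06:00:00Z,2024-01-10T00:00:00Z
"""

def norm(name):
    """Lowercase and drop a trailing dot so FQDNs compare equal."""
    return name.strip().lower().rstrip(".")

def parse_ts(value):
    """Parse an ISO 8601 timestamp, accepting a trailing 'Z' for UTC."""
    return datetime.fromisoformat(value.strip().replace("Z", "+00:00"))

def classify(vulcan_csv, tenable_csv, window_days, now):
    """Map each Vulcan asset to 'match', 'older_than_window' or 'missing'."""
    cutoff = now - timedelta(days=window_days)
    tenable_seen = {}  # normalized FQDN/host -> newest instance Last Seen
    for row in csv.DictReader(io.StringIO(tenable_csv)):
        seen = parse_ts(row["Last Seen"])
        for key in (row["FQDN"], row["Host"]):
            if key.strip():
                k = norm(key)
                tenable_seen[k] = max(seen, tenable_seen.get(k, seen))
    result = {}
    for row in csv.DictReader(io.StringIO(vulcan_csv)):
        name = norm(row["Asset Name"])
        if name not in tenable_seen:
            result[name] = "missing"            # not in the Tenable export at all
        elif tenable_seen[name] < cutoff:
            result[name] = "older_than_window"  # hidden by Tenable's day filter
        else:
            result[name] = "match"
    return result

if __name__ == "__main__":
    now = datetime(2024, 5, 30, tzinfo=timezone.utc)
    for asset, status in classify(VULCAN_CSV, TENABLE_CSV, 30, now).items():
        print(f"{asset}: {status}")
```

Assets reported as "older_than_window" are the case explained above: the asset is active, but the instance's last seen date falls outside the Tenable filter. Assets reported as "missing" point to the access or licensing checks instead.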