
Tenable Blog


SpreadSheets of Excitement and Convenience

I've been at several conferences and forums where a panel of CIOs or CSOs gives their guidance about enterprise risk and compliance reporting.  When asked which products are up to the task, as each vendor in the audience is leaning forward on the tip of their chair hoping for a free product placement, the answer most commonly is -- Excel.

One of the very cool features of the Security Center that our customers continually remind me of is the ability for anyone with an account to download anything they are authorized to see as a spreadsheet. This includes vulnerabilities, configuration settings, intrusion events, failed logins and much more. This blog entry focuses on the different kinds of things we've seen our customers do with spreadsheet exports of security, log and compliance data.

Exporting Data via CSV

CSV stands for "Comma Separated Variables". For any type of query performed by the Security Center, the data rendered will also have a corresponding [CSV] link, such as the one shown below:


This link also includes the appropriate access control such that someone who is only supposed to have access to the IT systems in Milwaukee only sees vulnerabilities, logs and compliance data from the IT systems in Milwaukee.

The data is also automatically sorted and presented based on the tool the user has invoked. For example, you may have 10,000 unique vulnerabilities you are dealing with, but have chosen to view a "Vulnerability Summary". Your spreadsheet will also be rendered as a summary of vulnerabilities and not list all 10,000 unique entries. This makes working with and manipulating the data very easy.

Obtaining CSV Export by Asset List

A very common request of the Security Center is to find all of the systems with some sort of property, such as an open port, installed software, the existence of a given vulnerability and so on. With more than 15,000 active checks and 4000 passive checks, a Security Center that is managing Nessus and Passive Vulnerability Scanners will have a large volume of data to work with and create dynamic asset lists. These asset lists can be used as a filter to create spreadsheets just like any others.

Customers have shared with us several different types of useful dynamic asset lists including:

  • Highlighting all devices which host some sort of office document through web, FTP or network shares.
  • Finding unmanaged devices by looking for certain vulnerabilities that are older than a time period such as 30 days.
  • Finding which systems in DMZs and other protected networks connect to the Internet and/or accept connections from the Internet.
  • Finding devices that do not have credentials to log in as an administrator. The Security Center tracks when Nessus can or can't successfully log into a Windows or UNIX host.
  • Finding all systems that have certain software installed on them. Customers have used text filtering for the software name, and plugins #22869 and #20811 for UNIX or Windows software enumeration.
  • Finding specific non-compliant servers. Customers pick some or all of the available configuration auditing results and then create a dynamic asset list against this list.
  • Finding specific types of operating systems and network devices. A query for certain types of detected operating systems is performed and lists are created for the various operating systems.

In each of these cases, a customer performs a query for vulnerability names, system names, networks, IP addresses or open ports and then downloads the spreadsheet.

Obtaining Log and System Events for Compliance and Security

For evidence collection, a wide variety of logs and events can also be collected in spreadsheet form. Storing certain types of data in a spreadsheet is sometimes more efficient than keeping the raw logs. Of course, raw logs should be maintained for legal purposes, but for summaries, investigations and reporting, spreadsheets can be extremely useful.

When managed by the Security Center, the Log Correlation Engine can be used to sort and list many different types of events. Common events which are relevant for compliance and security monitoring include:

  • User creation events
  • User deletion events
  • Access of certain audited objects
  • Password changes
  • Detecting system and network change events
  • Network and login events to show who is accessing key systems
  • Times at which certain types of activity are occurring
  • Statistical deviation events
  • Events related to compromise and botnet activity
  • Never before seen events

Saving this data as an Excel spreadsheet can make it available to other users in your organization who don't easily read logs or make use of web consoles.

Visualizing Security, Compliance and Event Data

Tenable's 3D Tool makes use of data obtained through the Security Center's CSV exporting functions. An example topology image of a large network is shown below:


A video demonstration of the 3D Tool is available here.

Currently, Tenable's 3D Tool does not support visualization of IDS or Log data. However, several customers have used a variety of commercial and free tools (such as Many Eyes, AfterGlow, Miner3D and Advisor) that work with different types of data.

Typically, a customer will perform some sort of query, such as obtaining a list of all port 22 connections, and then save a raw list of each event as a spreadsheet. When fed into a tool such as Miner3D (this was an evaluation copy, but I was really impressed with the flexibility of the tool) you can get very cool visualizations such as those shown below:

[Images: two Miner3D visualizations (3dminer1_3, 3dminer2_3)]

The images above were obtained from a Log Correlation Engine running at a large university that was running the blacklist.tasl script. The site was scanned by a system tracked by the DShield list of known scanners. These images had the X and Y axes mapped to the detected source and destination IP addresses. The Z axis was time. The images show a few hosts making a sweep of the IP space at this location. Also, the target port is indicated in color.

Typically, these tools require an analyst to pick which columns in the spreadsheet correspond to which axis of the plot. Source IP might be on one axis, time on another. Color could even be used in some tools to indicate port, protocol or type of event.
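The column-to-axis mapping described above can also be done in a few lines of code. The following is an added example, not part of the original post or of any Tenable product: it maps an exported event CSV to the same X/Y/Z/color coordinates and goes one step further by flagging sources that sweep the address space. The column names, the sample rows and the thresholds are assumptions made for illustration.

```python
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample export; the column names are assumptions, not a Security Center schema.
SAMPLE_CSV = """timestamp,src_ip,dst_ip,dst_port
2008-03-01 10:00:00,198.51.100.7,192.0.2.10,22
2008-03-01 10:00:01,198.51.100.7,192.0.2.11,22
2008-03-01 10:00:02,198.51.100.7,192.0.2.12,22
2008-03-01 10:00:03,198.51.100.7,192.0.2.13,22
2008-03-01 10:05:00,203.0.113.9,192.0.2.10,22
2008-03-01 10:06:00,203.0.113.9,192.0.2.10,22
2008-03-01 11:30:00,198.51.100.7,192.0.2.14,22
"""

def load_points(text):
    """Map each event row to plot coordinates: x=source, y=destination, z=time, color=port."""
    points = []
    for row in csv.DictReader(io.StringIO(text)):
        points.append({
            "x": int(ipaddress.ip_address(row["src_ip"])),
            "y": int(ipaddress.ip_address(row["dst_ip"])),
            "z": datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S").timestamp(),
            "color": int(row["dst_port"]),
        })
    return points

def find_sweeps(points, min_targets=4, window_seconds=60):
    """Return {(source, port): [destinations]} for sources that touched at least
    min_targets distinct destinations on one port within window_seconds."""
    by_key = defaultdict(list)
    for p in points:
        by_key[(p["x"], p["color"])].append((p["z"], p["y"]))
    sweeps = {}
    for (src, port), events in by_key.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most window_seconds.
            while events[end][0] - events[start][0] > window_seconds:
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= min_targets:
                sweeps[(str(ipaddress.ip_address(src)), port)] = [
                    str(ipaddress.ip_address(d)) for d in sorted(targets)]
                break
    return sweeps
```

Calling `find_sweeps(load_points(SAMPLE_CSV))` reports only the source that walked four consecutive addresses on port 22; the host that repeatedly connected to a single destination is not flagged.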

For More Information

To learn more about visualization of security data, I recommend visiting the AfterGlow web site and also taking a look at the Security Visualization web site.

To learn more about what types of data you can obtain via spreadsheet from the Security Center, I suggest requesting a copy of the Real Time Compliance paper. This paper summarizes the specific types of data which should be monitored and reported on as required or recommended by NIST, the PCI standard and many others.
