0% found this document useful (0 votes)

304 views

Tenable and Splunk Integration Guide

Uploaded by

Suman Ghimire

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

304 views

Tenable and Splunk Integration Guide

Uploaded by

Suman Ghimire

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 66

Tenable and Splunk Integration Guide

Last Revised: June 17, 2022

Table of Contents

Welcome to Tenable for Splunk 4

Components 6

Tenable Add-on (TA-tenable) 7

Source and Source Types 8

CIM Mapping 9

Tenable Plugin for Splunk Mission Control 10

Installation Workflow 12

Upgrade the App from v1 to v4 13

Splunk Environments 15

Installation 17

Configuration 19

Configure Tenable Plugin for Mission Control 20

Configure Tenable.ad 22

Configure Tenable.io 25

Configure Tenable Nessus Network Monitor 30

Configure Tenable.ot 33

Configure Tenable.sc Credentials 36

Configure Tenable.sc Certificates 41

Create an Input 45

Tenable Data in Splunk Dashboard 49

Saved Searches 53

Adaptive Response 55

Additional Information 61

Customized Actions 62

Tenable Macros 63

Troubleshooting 64

l Tenable Add-On for Splunk (TA-tenable) provides all data collection and normalization func-
tionality.

l Tenable App for Splunk (TenableAppforSplunk) provides a dashboard to view the Tenable data
in Splunk.

Optional plugins for the Splunk application:

l Tenable Plugin for Splunk Mission Control provides vulnerability data and insights to the
Splunk Mission Control application.

Tenable Application Topology

Copyright © 2022 Tenable, Inc. All rights reserved. Tenable, Tenable.io, Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trade-
marks of Tenable,Inc. Tenable.sc, Tenable.ot, Lumin, Indegy, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective
Copyright © 2022 Tenable, Inc. All rights reserved. Tenable, Tenable.io, Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trade-
marks of Tenable,Inc. Tenable.sc, Tenable.ot, Lumin, Indegy, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective
Components
The Tenable Add-on has specific purposes for each Splunk component. The available components
are in the following list:

Heavy Forwarder

The Heavy Forwarder collects and forwards data for all events.

Note: Configure inputs to run from the heavy forwarder.

Note: Enable the key value store (KV) on the heavy forwarder.

Indexer

The Indexer ensures Tenable data is properly indexed.

Note: Use a default index or create and set a custom index. This is required.

Search Head

The Search Head allows full functionality of the Tenable Add-on adaptive response actions.

Note: Configure the Search Head with the same configuration details you have on the Heavy Forwarder for
the adaptive response actions to work correctly.

Note: If you install the Tenable App for Splunk on the search head, you must also install the Tenable Add-
on.

The current Tenable Add-On uses the following API endpoints:

Request Export

l GET /vulns/export

Asset Export

l POST /assets/export

l GET /assets/export/{id}/status

l GET /assets/export/{id}/chunks/{id}

Vulnerability Export

l POST /vulns/export

l GET /vulns/export/{id}/status

l GET /vulns/export/{id}/chunks/{id}

Tenable.sc

Source Sourcetype Description

<username>|<address> tenable:sc:vuln This collects all vulnerability data.

<username>|<address> tenable:sc:assets This collects pull assets data.

<username>|<address> tenable:sc:plugin This collects all plugin data.

Tenable.io

Source Sourcetype Description

tenable_io://<data input tenable:io:vuln This collects all vulnerability data.

name>

tenable_io://<data input tenable:io:assets This collects all asset data.

name>

tenable_io://<data input tenable:io:plugin This collects all plugin data.

name>

Field Name from Ten- Field Name from Ten-

CIM Field Name CIM Data Model
able.io API able.sc API

asset.fqdn dnsName dest_name vulnerability

asset.ipv4 ip dest_ip vulnerability

plugin.bid bid bugtraq vulnerability

plugin.family family.name category vulnerability

plugin.synopsis synopsis signature vulnerability

tenable tenable vendor vulnerability

tenable.io tenable.sc product vulnerability

Copyright © 2022 Tenable, Inc. All rights reserved. Tenable, Tenable.io, Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trade-
marks of Tenable,Inc. Tenable.sc, Tenable.ot, Lumin, Indegy, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective
Tenable Plugin for Splunk Mission Control
Tenable Plugin for Splunk Mission Control is an optional plugin for the Splunk application which
provides vulnerability data and insights to the Splunk Mission Control application. Splunk Mission
Control is a unified cloud-based security operations platform that provides security incident triage,
investigation, collaboration, and response functionality as a Software-as-a-Service (SaaS) solution.

Topology features and workflow:

l Tenable Add-on for Splunk collects Tenable data on your Splunk Enterprise, or Enterprise
Cloud, deployment.

l Splunk Enterprise Security generates notable events via correlation searches which it for-
wards to Mission Control using Splunk Connect for Mission Control App.

l Splunk Connect for Mission Control establishes connection between your on-premise, or
cloud, Splunk deployment & Mission Control.

l Tenable Plugin for Splunk Mission Control fetches data from your connected on-premise, or
cloud, deployment’s Splunk indexes.

Before you begin:

l Complete the Upgrade the App from v1 to v4 from Splunk V1 to Splunk V2.

To install and configure Tenable applications for Splunk:

1. Install the Tenable application.

2. Configure the desired Tenable application for Splunk: Tenable Plugin for Mission Control, Ten-
able.io, Tenable.sc Credentials, Tenable.sc Certificates, Tenable NNM, Tenable.ad, or Ten-
able.ot.

Note: You need unique credentials for each Splunk environment.

3. Create an input for the configured Tenable application for Splunk.

4. Configure your Tenable App for Splunk dashboard.

5. Configure adaptive response actions.

Note: If you are upgrading from App v2 or v3 to v4, install the new version (v4) over your current version.

Complete the following steps to upgrade your application from v1 to v4:

Before you begin:

l Back up all current application configurations outside the Splunk install path.

To upgrade from v1 to v4:

Note: The upgrade process includes uninstalling v1 before you install v4.

1. Delete the app and all app configuration files from all Splunk search heads and heavy for-
warders from the command line. For example:

rm -rf $SPLUNK_HOME/etc/apps/TA-tenable/

2. Installation the v4 app.

3. Configuration your account.

4. Create a new index to store your data.

Note: You cannot re-use an existing index.

5. Create an Input.

Note: Use the index that you created in step 4.

After the upgrade

l When you enable the input, v4 imports all of your existing vulnerabilities, including all pre-
viously fixed vulnerabilities. Doing this ensures that you lose no data.

l Synchronization of previously fixed vulnerabilities is optional during the input setup and dis-
abled by default. To enable the synchronization, see the Create an Input section.

Deployment Types
Single-server, distributed deployment, and cloud instance options are available.

Single-Server Deployment

In a single-server deployment, a single instance of Splunk Enterprise works as a data collection

node, indexer, and search head. In this instance, install the Tenable Add-On and Tenable App on this
node. Complete the setup for the Tenable Add-On to start data collection.

Distributed Deployment

In a distributed deployment, install Splunk on at least two instances. One node works as a search
head, while the other node works as an indexer for data collection.

The following table displays Tenable Add-On and Tenable App installation information in the dis-
tributed environment.

Component Forwarder Indexer Search Head

Tenable Add-on for Yes No Yes

Splunk (TA-Tenable)
l configure l configure
accounts accounts
l configure data
input

Tenable-SC App for No No Yes

Splunk (Tenable App)

Cloud Instance

In Splunk Cloud, the data indexing takes place in a cloud instance.

Note: The data collection can take place in an on-premise Splunk instance that works as a heavy for-
warder.

Required User Role: Administrator

For Tenable.sc:

Required User Role: Security Manager, Security Analyst, or Vulnerability Analyst

Before you begin:

l Complete the Upgrade the App from v1 to v4 from Splunk v1 to Splunk v4.

l You must have Splunk downloaded on your system with a Splunk basic login.

Note: See the Splunk Environments section for additional information about the different types of Splunk
deployments and their requirements.

Note: If you install the Tenable App for Splunk on the search head, you must also install the Tenable Add-
on.

To install via the Splunk User Interface:

1. Log in to Splunk.

2. Go to Apps at the top of the screen.

A drop-down menu appears.

3. Click Manage App.

Tenable-related options appear:

5. Click Launch App for the Tenable application you want to install.

6. Follow the Splunk prompts to launch the application.

Note: Restart Splunk after installing the Tenable App or Tenable Add-On.

Note: You may need to update the Tenable Macro, get_tenable_index, for data to begin populating the applic-
ation dashboards.

Next, configure the Tenable application.

View the corresponding pages for steps to configure your application:

l Tenable Plugin for Mission Control

l Tenable.ad

l Tenable.io

l Tenable NNM

l Tenable.ot

l Tenable.sc Credentials

l Tenable.sc Certificates

Before you begin:

1. Install and configure the following on Splunk Enterprise (version 8 or higher)

l Tenable Add-On for Splunk (TA-tenable)provides all data collection and normalization
functionality.

l Tenable App for Splunk (TenableAppforSplunk) provides a dashboard to view the Tenable
data in Splunk.

l Splunk Enterprise Security 6.2.0

l Splunk Connect for Mission Control 1.6.1

2. Access Splunk Mission Control:

l Ensure you have access to a Splunk Mission Control tenant. If you do not have a tenant
set up, contact your Splunk representative.

To configure Tenable Plugin for Mission Control:

1. Confirm that you have an active connection in Splunk Connect for Mission Control.

a. In Mission Control, click on the ellipsis icon on the top-right corner.

b. From the drop-down menu, navigate to Admin Settings > Product Settings > Splunk Con-
nect for Mission Control.

c. Confirm that the connection status shows Active.Log in and navigate to the Mission Con-
trol Home page.

2. In the upper-right corner, click the ellipses icon on the top right corner. A drop-down menu
appears.

3. From the drop-down menu, navigate to Product Settings > Splunk Connect for Mission Con-
trol. Select the instance configured with Mission Control. Save the deployment ID for future
use. This deployment ID is used as a default instance while populating the Tenable Vul-
nerability Center dashboard.

5. Select Tenable Plugin for Mission Control. The setup page appears.

6. Enable the Tenable Plugin for Mission Control by clicking the toggle.

7. In the Default Connection ID box, enter the deployment ID that you previously took note of.

8. If you see, the message Subscription Successful - you have enabled the plugin. You will see
Tenable Vulnerability Center Dashboard under Managed Dashboards sections in Dashboards
drop-down.

9. Configure your notable events label to enable integration between the Tenable Plugin and Mis-
sion Control. The notable events label mcef_tenable_plugin_for_mission_control must be
applied for the integration to work.

a. In the Splunk Connect for Mission Control application, navigate to Settings > Searches,
reports, and alerts on Cloud/on-premise instance.

b. To filter the list, in the Owner drop-down box, select All.

c. To configure the saved searches to forward notables with specific label values of plugin
Id, in the Mission Control - Forward Notable Events box enter the label mcef_tenable_
plugin_for_mission_control.

d. Click Save. Splunk Mission Control is configured to forward notable events with this
label to the Tenable Plugin for Mission Control dashboard.

Troubleshooting
If you are experiencing problems with setup or data retrieval with Tenable Plugin for Mission Con-
trol, refer to Troubleshooting.

Source Type Description

tenable:ad:alerts This option configures Splunk to accept Tenable.ad

alerts.

To configure Tenable.ad with Splunk:

Complete the following steps in Splunk

1. In the top navigation bar, click Settings > Data Inputs.

The Data Inputs page appears.

2. In the Local Inputs section, scroll to TCP or UDP.

3. Click the + Add New option in the TCP or UDP row.

The Add Data page appears with the TCP/UDP option selected.

5. At the top of the page, click Next.

The Input Settings page appears:

6. For the Source Type option, click New.

More options appear.

7. In the Source Type box, enter tenable:ad:alerts.

8. In the Source Type Category drop-down, select Tenable.

9. (Optional) Enter a description in the Source Type Description field.

10. Scroll down to the Index option.

11. Click on the Index drop-down menu.

13. At the top of the page, click Review.

14. Review your configuration settings.

Note: If your configuration needs edits, click Back to update your settings.

15. At the top of the page, click Done.

Complete the following steps in Tenable.ad

1. In the Tenable.ad console, under Local Settings, go to the Servers > Syslog Servers screen.

2. Click + Add Syslog Server.

The Syslog Server configuration window appears.

3. In the Server Name field, enter a name for your Splunk system.

4. In the Hostname\IP field, enter the IP address of your Splunk system.

5. In the Port field, enter the port number on the Splunk system to which the events will be sent.

6. In the Transport field, select from the drop-down list the transport protocol in use. (Options
are TCP or UDP).

7. Click Send Test Message to send a test message to verify that the configuration was suc-
cessful, and check if the message has arrived. If the message did not arrive, then
troubleshoot to discover the cause of the problem and correct it.

8. Click Save.

Before you begin:

Required User Role: Administrator

l You must have your Tenable.io API keys.

Note: For your Tenable.io integration:

l Generate an API key in Tenable.io to complete the configuration. See the Tenable.io
user guide for instructions on how to generate an API key. Do not use this API key for
any other third-party or custom-built application or integration. It must be unique for
each installed instance of the integration.

To set up the Tenable Add-on for Splunk:

1. Log in to the heavy forwarder where you installed the Tenable Add-on for Splunk.

2. In the left navigation bar, click Tenable Add-on for Splunk.

4. Click the Add button.

A new window appears:

Copyright © 2022 Tenable, Inc. All rights reserved. Tenable, Tenable.io, Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trade-
marks of Tenable,Inc. Tenable.sc, Tenable.ot, Lumin, Indegy, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective
Copyright © 2022 Tenable, Inc. All rights reserved. Tenable, Tenable.io, Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trade-
marks of Tenable,Inc. Tenable.sc, Tenable.ot, Lumin, Indegy, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective
5. Enter the necessary information for each field. The following table describes the available
options.

Input Parameters Description

Account Name (Required) The unique name for each Tenable data
input.

Tenable Account Type (Required) The type of Tenable account -

Tenable.io, Tenable.sc API Keys, or Tenable.sc Cer-
tificate

Address (Required) The hostname or IP address for Ten-

able.io.

Verify SSL Certificate If enabled, Splunk verifies the SSL certificate in

Tenable.io.

Access Key (Required) Tenable.io API access key.

Secret Key (Required) Your Tenable.io API secret key.

Proxy Enable Enables the plugin to collect Tenable.io data via a

proxy server. If you select this option, the plugin
prompts you to enter the following:

l Proxy Type - the type of proxy used.

l Proxy Host - the hostname or IP address of

the proxy server.

l Proxy Port - the port number of the proxy

server.

l Proxy Username - the username for an

account that has permissions to access and
use the proxy server.

l Proxy Password - the password associated

6. To complete the configuration, click Add.

Next steps
l Create an Input for the Tenable Add-On for Splunk.

Source Type Description

tenable:nnm:vuln This contains all vulnerability data.

To configure Tenable NNM with Splunk:

Complete the following steps in Splunk

1. In the top navigation bar, click Settings > Data Inputs.

The Data Inputs page appears.

2. In the Local Inputs section, scroll to TCP or UDP.

3. Click the + Add New option in the TCP or UDP row.

The Add Data page appears with the TCP/UDP option selected.

4. Enter the port configuration information.

The Input Settings page appears:

6. For the Source Type option, click New.

More options appear.

7. In the Source Type field, enter tenable:nnm:vuln.

8. In the Source Type Category drop-down, select Tenable.

9. (Optional) Enter a description in the Source Type Description field.

10. Scroll down to the Index option.

11. Click on the Index drop-down menu.

12. Select an Index.

14. Review your configuration settings.

Note: If your configuration needs edits, click Back to update your settings.

15. At the top of the page, click Done.

Complete the following steps in NNM

1. Log in to NNM.

2. Go to > Configuration.

The Configuration page appears.

3. In the Setting Type drop-down, click Syslog.

The Syslog options appear.

4. Next to Realtime Syslog Server List, click Add.

The +Add Syslog Item window appears.

5. In the IP field, enter the IP address of the Splunk server you configured to accept syslog.

6. In the Port field, enter the port number you have Splunk set to listen to when syslog is on.

7. For Format Type, select Standard.

8. For Protocol, select the protocol you have set up to accept the syslog for Splunk.

Source Type Description

tenable:ot:alerts This option configures Splunk to accept Tenable.ot

alerts.

To configure Tenable.ot with Splunk:

Complete the following steps in Splunk

1. In the top navigation bar, click Settings > Data Inputs.

The Data Inputs page appears.

2. In the Local Inputs section, scroll to TCP or UDP.

3. Click the + Add New option in the TCP or UDP row.

The Add Data page appears with the TCP/UDP option selected:

5. At the top of the page, click Next.

The Input Settings page appears:

6. For the Source Type option, click New.

More options appear.

7. In the Source Type field, enter tenable:ot:alerts.

8. In the Source Type Category drop-down, select Tenable.

9. (Optional) Enter a description in the Source Type Description field.

10. Scroll down to the Index option.

11. Click on the Index drop-down menu.

13. At the top of the page, click Review.

14. Review your configuration settings.

Note: If your configuration needs edits, click Back to update your settings.

15. At the top of the page, click Done.

Complete the following steps in Tenable.ot

1. In the Tenable.ot console, under Local Settings, go to the Servers > Syslog Servers screen.

2. Click + Add Syslog Server.

The Syslog Server configuration window appears.

3. In the Server Name field, enter a name for your Splunk system.

4. In the Hostname\IP field, enter the IP address of your Splunk system.

5. In the Port field, enter the port number on the Splunk system to which the events will be sent.

6. In the Transport field, select from the drop-down list the transport protocol in use. (Options
are TCP or UDP).

8. Click Save.

For Tenable.sc:

Required User Role: Security Analyst

To set up the Tenable Add-on for Splunk:

1. Log in to your data collection node.

2. In the left navigation bar, click Tenable Add-on for Splunk.

3. Click the Configuration tab.

An Add Account window appears:

5. In the Tenable Access Type drop-down box, select Tenable.sc Credentials.

Input Parameters Description

Account Name (Required) The unique name for each Tenable data
input.

Tenable Account Type (Required) The type of Tenable account -

Tenable.io, Tenable.sc API Keys, or Tenable.sc Cer-
tificate.

Address (Required) The hostname or IP address for Ten-

able.sc.

Verify SSL Certificate If enabled, Splunk verifies the certificate in Ten-

able.sc.

Username (Required) The username in Tenable.sc.

Password The password in Tenable.sc.

Proxy Enable Enables the plugin to collect Tenable.sc data via a

proxy server. If you select this option, the plugin
prompts you to enter the following:

l Proxy Type - the type of proxy used.

l Proxy Host - the hostname or IP address of

the proxy server.

l Proxy Port - the port number of the proxy

server.

l Proxy Username - the username for an

account that has permissions to access and
use the proxy server.

l Proxy Password - the password associated

7. Click Add to complete the configuration.

Next steps
l Create an Input for the Tenable Add-On for Splunk.

To set up the Tenable Add-on for Splunk:

1. Log in to your data collection node.

2. In the left navigation bar, click Tenable Add-on for Splunk.

3. Click the Configuration tab.

The Add Account window appears:

6. Enter the necessary information for each field. The following table describes the available
options.

Note: The certificates you upload and configure must be associated with a specific user in Ten-
able.sc.

Input Parameters Description

Account Name (Required) The unique name for each Tenable.sc

data input.

Tenable Account Type (Required) The type of Tenable account - Ten-

able.io, Tenable.sc API Keys, or Tenable.sc Cer-

Address (Required) The hostname or IP address for Ten-

able.sc.

Verify SSL Certificate If enabled, Splunk verifies the SSL Certificate in

Tenable.sc.

Certificate Filename The name of the certificate that you uploaded to

$SPLUNK_HOME/etc/apps/TA-tenable/certs/.

Key Filename The name of the key that you uploaded to

$SPLUNK_HOME/etc/apps/TA-tenable/certs/.

Key Password The password for the key file you uploaded.

Proxy Enable Enables the plugin to collect Tenable.sc data via a

proxy server. If you select this option, the plugin
prompts you to enter the following:

l Proxy Type - the type of proxy used.

l Proxy Host - the hostname or IP address of

the proxy server.

l Proxy Port - the port number of the proxy

server.

l Proxy Username - the username for an

account that has permissions to access and
use the proxy server.

l Proxy Password - the password associated

with the username you provided.

7. Click Add to complete the configuration.

Next steps
l Create an Input for the Tenable Add-On for Splunk.

To create an input:
1. In the Splunk interface, click the Inputs tab.

2. Click the Create New Input button.

A drop-down box appears:

3. Select the appropriate Tenable application.

The selected Tenable application input options open in a new window.

Note: If you don't use the default index, you must update the Tenable Macro.

Tenable.io

Input Parameters Description Required

Name The unique name for each Tenable data input. yes

Interval The interval parameter specifies when the yes

input restarts to perform the task again (in
seconds). The interval amount must be
between 3600 and 86400.

Index The index in which to store Tenable.io data. yes

Global Account Splunk pulls data from this Tenable account. yes

Start Time The date and time to start collecting data. If no

you leave this field blank, all historical data is
collected. (Enter in this format - YYYY-MM-DD
hh:mm:ss.)

Lowest Severity Score The lowest level of severity that is stored. yes

Historical Fixed Vul- Allows the import of vulnerabilities fixed no

nerability before the current day.

Tags Limits vulnerabilities pulled to assets that no

have tags selected.

Tenable.sc Vulnerability

Input Parameters Description Required

Name The unique name for each Tenable data input. yes

Note: If using a Tenable.sc version previous to

5.7, the minimum interval you can select is 24
hours. If using Tenable.sc 5.7 or later, you can
specify a minimum interval of an hour.

Index The index in which to store Tenable.sc data. yes

Global Account Splunk pulls data from this Tenable account. yes

Start Time The date and time to start collecting data. If no

you leave this field blank, all historical data is
collected.

Note: Uses the YYYY-MM-DD hh:mm:ss

format.

Sync Plugin Details If selected, plugin details are included for the yes
related tags in Tenable assets.

Historical Fixed Vul- Allows the import of vulnerabilities fixed no

nerability before the current day.

Query Name A name for Tenable.sc vulnerability filter. no

Note: The interval must be query type Vul-

nerability Detail List.

Tenable.sc Mobile

Input Parameters Description Required

Name The unique name for each Tenable data yes

Interval The interval parameter specifies when the yes

input restarts to perform the task again (in
seconds).

Index The index in which to store Tenable.sc data. yes

Global Account Splunk pulls data from this Tenable account. yes

Query Name A name for Tenable.sc vulnerability filter. no

Note: The interval must be query type - Vul-

nerability Detail List.

5. Click Add to create the input.

6. Run the All Time saved search.

7. Schedule an All Time saved search.

Note: Tenable recommends running the saved search every 24 hours. However, you can adjust as needed.

To set up the Tenable App for Splunk:

Set up the macro definition
1. In Splunk, go to Settings > Advance search > Search Macros.

2. In the App section, select Tenable App for Splunk.

3. Click the search icon.

Results appear.

4. Click get_tenable_index.

The get_tenable_index macro page appears.

5. In the Definition field, update the definition to index=INDEX_NAME.

The INDEX_NAME should be the same name entered when you created the data input.

6. Click Save.

Run the All Time saved search

After installation, you must run the All Time saved search specific to your Tenable platform. This is
a one-time operation to accurately populate indices that the Tenable App for Splunk depends on.

1. Navigate to the Tenable App for Splunk.

2. Click Saved Searches.

3. Select either Tenable IO Vuln Date - All Time or Tenable SC Vuln Data - All Time.
Splunk completes the query.

Displayed Components
l Total Vulnerabilities Today

l Active Vulnerabilities Today

l Total Vulnerabilities

l Active Vulnerabilities

l Fixed Vulnerabilities

l Top 10 Vulnerabilities

l Most Vulnerable Hosts

l Vulnerabilities by Severity

l New Vulnerabilities

Displayed Components
Dashboard

l Total Real-time events

l Unique Real-time events

l Top Event Trends

l Top Source IP

l Top Event Name

Traffic Overview

l Top Destination Port

l Top Source Port

l Top Destination IP

l Top Source IP

Traffic Map

l Source IP Map

l Destination IP Map

Events

l Top Events

l Events

Tenable Saved Search Types

Tenable.io vulnerability data: Type the following command to view the KV store collection for Ten-
able.io vulnerability data.

io_vuln_data_lookup

Tenable.io asset data: Type the following command to view the KV store collection for Tenable.io
asset data.

io_asset_data_lookup

Tenable. io plugin data: Type the following command to view the KV store collection for Tenable.io
plugin data.

io_plugin_data_lookup

Tenable.sc Saved Searches

Tenable.sc vulnerability data: Type the following command to view the KV store collection for Ten-
able.sc vulnerability data.

sc_vuln_data_lookup

Tenable.sc asset data: Type the following command to view the KV store collection for Tenable.sc
asset data.

sc_asset_data_lookup

sc_plugin_data_lookup

Tenable.NNM Saved Search Types

Tenable.NNM vulnerability data: Type the following command to view the KV store collection for
Tenable.NNM vulnerability data.

nnm_vuln_data_lookup

NNM events over time, NNM Top 10 Events, NNM Top Destination by Country, NNM Top Source by
Country, Top Destination IP, Top Destination Port, Top NNM Plugin ID, Top Source IP, and Top
Source Port: Type the following command to view NNM events.

tenable:nnm:vuln

Before you begin:

Select an index on the Alert Actions Configuration tab in the Tenable Configuration section to
retrieve data.

To configure saved actions:

Configure adaptive response actions when you create a correlation search.

Note: When you run the search, the actions are retrieved automatically

1. In the Splunk navigation bar, click the Apps drop-down menu.

2. Select Enterprise Security.

The Enterprise Security page appears:

A drop-down menu appears:

4. Click Content.

More options appear.

The Content Management page appears.

6. In the top-right corner, click the Create New Content button.

A drop-down menu appears:

7. Select Correlation Search.

8. Enter information for the correlation search. Refer to the Correlation Search section in the
Splunk user guide for additional information.

9. Scroll to the Adaptive Response Actions section.

10. Click the Add New Response Action link.

A list of options appears:

12. The field options for the selected option appear:

14. Click Save.

A confirmation message appears.

15. Run a search.

To configure alert actions:

1. In the Tenable navigation bar, click Configuration.

The Configuration page appears:

2. Click the Adaptive Actions Configuration tab.

The Alert Actions Configuration options appear.

3. Select an index from the Alert Actions Index drop-down menu.

4. Click Save.

l Update Macro Definition

l Troubleshooting

To call a customized action:

1. Open the Incident Review and search for events.

The list of events appears.

2. Do one of the following:

l Expand the event to view the details.

l Click drop-down list in the top-right corner of the item.

3. Select Run Adaptive Response Action.

A list of the configured adaptive response actions appears.

Next steps
l You can view the Alert Action status in the Adaptive Responses section to verify they were
executed successfully.

To modify the macro definition:

Tenable Index Macro

1. Go to Settings > Advance search > Search Macros.

2. In the App section, select Tenable App for Splunk.

3. Click the search icon.

Results appear.

4. Click get_tenable_index.

The get_tenable_index macro page appears.

5. In the Definition entry field, update the definition to index=INDEX_NAME. The INDEX_NAME
should be the same name entered when you created the data input.

6. Click Save.

Tenable Source Types

1. Go to Settings > Advance search > Search Macros.

2. Click get_tenable_sourcetype.

Note: The default macro definition is sourcetype=(tenable:sc:vuln OR tenable:io:vuln).

l Check the $SPLUNK_HOME/var/log/splunk/splunkd.log for Splunk related errors. If you

see errors, contact your Splunk administrator.

Note: You must set your SPLUNK_HOME environment.

2. I don’t see data after setting up mod input.

l For Tenable.io mod-input, check the $SPLUNK_HOME/var/log/splunk/ta_tenable_ten-

able_io.log file.

l For Tenable.sc mod-input, check the $SPLUNK_HOME/var/log/splunk/ta_tenable_ten-

able_securitycenter.log .

l For Tenable.sc mobile mod-input, check the $SPLUNK_HOME/var/log/splunk/ta_ten-

able_tenable_securitycenter_mobile.log file.

3. Data is not populating in the Tenable App dashboards.

l Run an All Time saved search for Tenable.io or Tenable.sc. After running the All Time
saved search, turn on and schedule a saved search.

l Try expanding the time range from the last 24 hours.

l Check the Tenable macro (get_tenable_index) and ensure the Tenable index is set cor-
rectly.

l The dashboard can take some time to populate when data collection is started. To
ensure you are receiving all available data, take the following steps:

l search `get_tenable_index` | stats count by source type

l You should see the following source types: tenable:io:vuln, tenable:io:assets, ten-
able:sc:vuln"\, tenable:sc:plugin, tenable:sc:assets, tenable:sc:mobile:vuln, ten-
able:sc:mobile:assets, tenable:nnm:vuln.

l Check the log file for any errors - $SPLUNK_HOME/var/log/splunk/splunkd.log

4. While running Tenable.io, I get the following error: ERROR pid=106020 tid=MainThread
file=io_connect.py:__checkResponse:83 | Tenable Error: response: Duplicate
export not allowed. Please modify request or wait until existing export is
complete.

l Create a new, unique user and API login to use in Splunk.

5. I can't set up a connection with Splunk Mission Control.

l If you have an issue trying to establish connection with Mission Control, refer to Splunk
documentation for Splunk Connect for Mission Control.

6. I can't set up a default Instance.

l If you are unable to find the Tenable Vulnerability Center dashboard under Managed
Dashboards section in the Dashboards drop-down, make sure there are no trailing white
spaces for the connection ID fetched from Admin Settings. Refer to Tenable Plugin for
Splunk documentation.

7. Data is not populated on Mission Control.

l If you are not able to find data on Plugin Dashboards/ AQ tabs/ Investigation tabs:

1. Verify that you have an active connection between the On-premise instance and
Mission Control by navigating to Admin settings > Product Settings > Splunk Con-
nect for Mission Control. Check the connection status against the configured
instance.

2. If the status is Inactive, refer to Splunk documentation.

3. If the status is Active, verify that the Tenable application’s look-up has data by
referring to Tenable App for Splunk documentation.

8. The Analyst Queue and Investigation tabs are not getting rendered for a particular Notable in
Splunk Mission Control.

l If you are not able to render Tenable Summary Analyst Queue tabs and Tenable Invest-
igation tabs, make sure the label for the given notable is mcef_tenable_plugin_for_

SPLK-2003 Updated Dumps - Splunk SOAR Certified Automation Developer Exam
0% (1)
SPLK-2003 Updated Dumps - Splunk SOAR Certified Automation Developer Exam
11 pages
Forcepoint DLP Admin Guide
No ratings yet
Forcepoint DLP Admin Guide
496 pages
SPLNK ADM Splunk Certified Administrator
No ratings yet
SPLNK ADM Splunk Certified Administrator
1 page
Lab 5: 802.1X: Wired Networks: PEAP
No ratings yet
Lab 5: 802.1X: Wired Networks: PEAP
13 pages
Facebook FNA White Paper
50% (2)
Facebook FNA White Paper
11 pages
Manual de Operaciones-MK9Config 3 Instrukcja 3.1.8.7 en
No ratings yet
Manual de Operaciones-MK9Config 3 Instrukcja 3.1.8.7 en
34 pages
SecurityCenter Data Sheet
No ratings yet
SecurityCenter Data Sheet
2 pages
Splunk and Cisco
No ratings yet
Splunk and Cisco
4 pages
NEW Security4Rookiesv1.3
No ratings yet
NEW Security4Rookiesv1.3
98 pages
Enterprise Security Script: Splunk Security Solutions Marketing October 2019
No ratings yet
Enterprise Security Script: Splunk Security Solutions Marketing October 2019
26 pages
Nessus Credential Checks
No ratings yet
Nessus Credential Checks
18 pages
Splunk Enterprise Security Implementation Success
No ratings yet
Splunk Enterprise Security Implementation Success
3 pages
Trellix Cloud Workload Security 5.3.x Product Guide
No ratings yet
Trellix Cloud Workload Security 5.3.x Product Guide
67 pages
Splunk User Manual - v1.3
No ratings yet
Splunk User Manual - v1.3
42 pages
Building Correlation Searches With Splunk Enterprise Security Takeaway
No ratings yet
Building Correlation Searches With Splunk Enterprise Security Takeaway
4 pages
Simulating, Detecting, and Responding To Log4Shell With Splunk - Splunk
No ratings yet
Simulating, Detecting, and Responding To Log4Shell With Splunk - Splunk
1 page
Akamai Splunk SIEM Splunk Connector
100% (1)
Akamai Splunk SIEM Splunk Connector
12 pages
Ipsec Site-To-Site VPN Tutorial
No ratings yet
Ipsec Site-To-Site VPN Tutorial
3 pages
Nessus Lab V12nov07
No ratings yet
Nessus Lab V12nov07
6 pages
Courses For Cloud Customers
No ratings yet
Courses For Cloud Customers
1 page
Dataonboarding
No ratings yet
Dataonboarding
17 pages
Splunk-7.0.0-Knowledge - Knowledge Manager Manual 2
No ratings yet
Splunk-7.0.0-Knowledge - Knowledge Manager Manual 2
426 pages
Cyops1.1 Chp07-Dts Oa
No ratings yet
Cyops1.1 Chp07-Dts Oa
49 pages
How To Use Splunk For Automated Regulatory Compliance PDF
No ratings yet
How To Use Splunk For Automated Regulatory Compliance PDF
74 pages
NSE Insider - Learn How FortiSIEM's New Security Analytics Can Extend Threat Visibility August 11, 2020
No ratings yet
NSE Insider - Learn How FortiSIEM's New Security Analytics Can Extend Threat Visibility August 11, 2020
35 pages
ESM Health Check PDF
No ratings yet
ESM Health Check PDF
41 pages
Splunk Use Case.
No ratings yet
Splunk Use Case.
18 pages
Splunk DBX 1.0.9 DeployDBX
No ratings yet
Splunk DBX 1.0.9 DeployDBX
41 pages
Splunk
No ratings yet
Splunk
49 pages
Snort Presentation
No ratings yet
Snort Presentation
24 pages
ArcSight SIEM Best Practices
No ratings yet
ArcSight SIEM Best Practices
20 pages
ArcSight L3
100% (1)
ArcSight L3
11 pages
Oracle Security: Radoslav Rusinov
No ratings yet
Oracle Security: Radoslav Rusinov
58 pages
Netskope Security Cloud DSM User Guide 3.0.0
No ratings yet
Netskope Security Cloud DSM User Guide 3.0.0
29 pages
Correlation Rules and Engine Debugging1
No ratings yet
Correlation Rules and Engine Debugging1
30 pages
Splunk Search Optimization
No ratings yet
Splunk Search Optimization
3 pages
Setting Up Splunk For Vmware Monitoring: Proven Practice Guide
No ratings yet
Setting Up Splunk For Vmware Monitoring: Proven Practice Guide
18 pages
© 2019 Caendra Inc. - Hera For IHRP - Effectively Using Splunk (Scenario 2)
No ratings yet
© 2019 Caendra Inc. - Hera For IHRP - Effectively Using Splunk (Scenario 2)
22 pages
Security Onion - Network Security Monitoring in Minutes
No ratings yet
Security Onion - Network Security Monitoring in Minutes
21 pages
Lab Exercises: Lab Module 4 - Ingesting Data
No ratings yet
Lab Exercises: Lab Module 4 - Ingesting Data
8 pages
Splunk Deployment Guidelines
No ratings yet
Splunk Deployment Guidelines
12 pages
Monitoring BIG-IP System Traffic With SNMP
No ratings yet
Monitoring BIG-IP System Traffic With SNMP
41 pages
Take Splunk For A Test Drive: Getting Started With Splunk
100% (1)
Take Splunk For A Test Drive: Getting Started With Splunk
3 pages
CyberArk-PAM Implementation
No ratings yet
CyberArk-PAM Implementation
6 pages
Expedition Ver 1.1.0 QuickStart
No ratings yet
Expedition Ver 1.1.0 QuickStart
51 pages
50 Splunk Interview Questions and Answers
No ratings yet
50 Splunk Interview Questions and Answers
10 pages
Lab9 - Nessus
No ratings yet
Lab9 - Nessus
11 pages
How To Implement and Test SSL Decryption Palo Alto Networks Live
No ratings yet
How To Implement and Test SSL Decryption Palo Alto Networks Live
14 pages
FortiSIEM Sizing Guide PDF
0% (1)
FortiSIEM Sizing Guide PDF
18 pages
Using ES 5.0 Labs
50% (2)
Using ES 5.0 Labs
28 pages
Splunk 7 Essentials 3rd
0% (1)
Splunk 7 Essentials 3rd
2 pages
Splunk PDF
No ratings yet
Splunk PDF
11 pages
Splunk Nutanix PDF
No ratings yet
Splunk Nutanix PDF
52 pages
Strategy Document for SOC Setup as an MSSP
No ratings yet
Strategy Document for SOC Setup as an MSSP
34 pages
Splunk Use Case Framework Introduction Session
100% (1)
Splunk Use Case Framework Introduction Session
34 pages
Splunk 6.0.1 SearchTutorial
No ratings yet
Splunk 6.0.1 SearchTutorial
70 pages
Amazon Virtual Private Cloud - User Guide PDF
No ratings yet
Amazon Virtual Private Cloud - User Guide PDF
311 pages
Big Ip Application Security Manager Ds PDF
No ratings yet
Big Ip Application Security Manager Ds PDF
16 pages
Tenable Security Center-User Guide
No ratings yet
Tenable Security Center-User Guide
990 pages
Mastering Splunk for Cybersecurity: Advanced Threat Detection and Analysis
From Everand
Mastering Splunk for Cybersecurity: Advanced Threat Detection and Analysis
Robert Johnson
No ratings yet
Ultimate Splunk for Cybersecurity: Practical Strategies for SIEM Using Splunk’s Enterprise Security (ES) for Threat Detection, Forensic Investigation, and Cloud Security (English Edition)
From Everand
Ultimate Splunk for Cybersecurity: Practical Strategies for SIEM Using Splunk’s Enterprise Security (ES) for Threat Detection, Forensic Investigation, and Cloud Security (English Edition)
Jit Sinha
No ratings yet
Configuring TACACS+: in This Chapter
No ratings yet
Configuring TACACS+: in This Chapter
12 pages
Configuring Outband Management
No ratings yet
Configuring Outband Management
6 pages
Brksec 2463
No ratings yet
Brksec 2463
79 pages
VPN Connection Troubleshooting
No ratings yet
VPN Connection Troubleshooting
14 pages
Chapter 7
No ratings yet
Chapter 7
47 pages
l9 Osi Model
No ratings yet
l9 Osi Model
172 pages
MTCNA Outline PDF
No ratings yet
MTCNA Outline PDF
5 pages
BRS40 0012OOOO STEV99HHSESXXX - Techdata
No ratings yet
BRS40 0012OOOO STEV99HHSESXXX - Techdata
3 pages
Monitor and Manage Cluster Performance Using The CLI
No ratings yet
Monitor and Manage Cluster Performance Using The CLI
40 pages
Adding Email
No ratings yet
Adding Email
31 pages
Computer Networks Laboratory OSPF Routing: Experiment No.4
No ratings yet
Computer Networks Laboratory OSPF Routing: Experiment No.4
15 pages
RT048 DS R1510 V1.0.5-1
No ratings yet
RT048 DS R1510 V1.0.5-1
2 pages
Xerox 5021 Network Addendum en
No ratings yet
Xerox 5021 Network Addendum en
50 pages
DS-7632NI-K2 NVR: Key Feature
No ratings yet
DS-7632NI-K2 NVR: Key Feature
4 pages
New CCNA Commonly Asked Questions
No ratings yet
New CCNA Commonly Asked Questions
24 pages
GMail Brute
No ratings yet
GMail Brute
2 pages
Yacht Devices NMEA 2000 Gateway User Manual
No ratings yet
Yacht Devices NMEA 2000 Gateway User Manual
64 pages
Zadarma - Asterisk Setup Manual
No ratings yet
Zadarma - Asterisk Setup Manual
7 pages
HTB Admirertoo Writeup Enumeration: Filtered Port: Nmap Cannot Determine Whether The Port Is Open Because Packet
No ratings yet
HTB Admirertoo Writeup Enumeration: Filtered Port: Nmap Cannot Determine Whether The Port Is Open Because Packet
22 pages
Mikrotik Hotspot Walled Garden
No ratings yet
Mikrotik Hotspot Walled Garden
3 pages
Data Links Protocol Vishal
No ratings yet
Data Links Protocol Vishal
11 pages
Telephone Self-Diagnostic System (TSS-1000) : Page 1 of 4
No ratings yet
Telephone Self-Diagnostic System (TSS-1000) : Page 1 of 4
4 pages
Number: 303-200 Passing Score: 800 Time Limit: 120 Min File Version: 1 303-200 LPIC-3 Exam 303: Security
No ratings yet
Number: 303-200 Passing Score: 800 Time Limit: 120 Min File Version: 1 303-200 LPIC-3 Exam 303: Security
12 pages
Summary of EIGRP PDF
No ratings yet
Summary of EIGRP PDF
43 pages
Avaya Aura Communication Manager Messaging Doc Fact Sheet PDF
No ratings yet
Avaya Aura Communication Manager Messaging Doc Fact Sheet PDF
2 pages
01Module15-230110-190214
No ratings yet
01Module15-230110-190214
48 pages
Deco X20 (US) 3.0 - Datasheet
No ratings yet
Deco X20 (US) 3.0 - Datasheet
4 pages
Mega Lab
No ratings yet
Mega Lab
10 pages