Getting tenable.sc assets lists into splunk with names

cpiza
Engager

In tenable.sc we have the option of grouping assets into lists and giving them a specific name. When using the Tenable add-on for Splunk, neither the asset nor the vulnerability data has a field, that I could find, showing which assets a particular system might be associated with. Is there a way to import the asset list information into Splunk otherwise? Or is the information already included somewhere and I just can't find it?

DBattisto
Communicator

Having a similar issue. With Security Center, Splunk would collect scan data by scan group (if I had a scan that scanned all Netgear devices under the scan 'Netgear Scan', Splunk would collect all of that scan data and have a field for the scan name). I tried contacting Tenable about it, and they were extremely unhelpful. They only told me that the way Splunk communicates with the Tenable.sc application has changed. The case # was 01012618 if anyone wants to call and ask about it. Here are some of their responses:

"I checked with the Integrations team for you. Since the new integration is based on the Vulnerability Analysis API rather than munching actual scan results, the information on what scan a given vuln came from isn't available. Unfortunately, there's no way to have that included. The information available is essentially whatever you can see in the Vulnerability Analysis area of Tenable.sc, which is based on cumulative vuln data in the repositories rather than the individual scan results."

kennetkline
Path Finder

Yes, I understand your frustration. Back in April 2019, I took a serious look at the Splunk Addon for Tenable versus the Tenable Addon for Splunk.

I ran both of these connectors side by side, bringing data into two separate indexes in text, and did a full review of the trade-offs for each of the connectors. Splunk ended up getting me a variant of the first connector they helped develop for another government customer.

This other variant of the connector will allow for spath of the scan name. I do rex on the scan name to bring out FISMA system ID numbers, among checks for other things.

This is focused on exporting the individual scans, but it is written in such a way that they can bring back 3 other important fields (accept_risk, recast_risk, has_been_mitigated).

This connector is far more effective, as it allows passing information from plugins that you don't get or that are infrequent to change, and that you need to be passed and current, to track OS, serial_number, barcode, make, model, os_build, and other important info you may need to track.

I had a meeting with Tenable on Wednesday and brought this up again. I said I would check their newer connector and retest, as it was a year since I looked at it, but just reading based on the notes, they have not changed to suit our needs. You're better off hitting up your Splunk reps; if you need to know who mine is, let me know.
