Getting tenable.sc assets lists into splunk with names

cpiza
Engager

In tenable.sc we have the option of grouping assets into lists and giving them a specific name. When using the Tenable add-on for Splunk, neither the asset nor the vulnerability data has, that I could find, a field showing which assets a particular system might be associated with. Is there a way to import the asset list information into Splunk otherwise? Or is the information already included somewhere and I just can't find it?

DBattisto
Communicator

Having a similar issue. With Security Center, Splunk would collect scan data by scan group (if I had a scan that scanned all Netgear devices under the scan 'Netgear Scan', Splunk would collect all of that scan data and have a field for the scan name). I tried contacting Tenable about it, and they were extremely unhelpful. They only told me that the way Splunk communicates with the Tenable.sc application has changed. The case # was 01012618 if anyone wants to call and ask about it. Here's some of their responses:

"I checked with the Integrations team for you. Since the new integration is based on the Vulnerability Analysis API rather than munching actual scan results, the information on what scan a given vuln came from isn't available. Unfortunately, there's no way to have that included. The information available is essentially whatever you can see in the Vulnerability Analysis area of Tenable.sc, which is based on cumulative vuln data in the repositories rather than the individual scan results."

kennetkline
Path Finder

Yes, I understand your frustration. Back in April 2019, I took a serious look at the Splunk Add-on for Tenable versus the Tenable Add-on for Splunk.

I ran both of these connectors side by side, bringing data into two separate indexes in test, and did a full review of the trade-offs for each of the connectors. Splunk ended up getting me a variant of the first connector they helped develop for another government customer.

This other variant of the connector will allow for spath of the scan name. I do rex on the scan name to bring out FISMA system ID numbers, among checks for other things.

This is focused on exporting the individual scans, but is written in such a way that they can bring back 3 other important fields (accept_risk, recast_risk, has_been_mitigated).

This connector is far more effective, as it allows passing information from plugins you don't otherwise get, which are infrequent to change and which you need passed and current to track OS, serial_number, barcode, make, model, os_build, and other important info you may need to track.

I had a meeting with Tenable Wednesday and brought this up again. I said I would check their newer connector and retest, as it was a year since I looked at it; but just reading based on the notes, they have not changed to suit our needs. Better off hitting up your Splunk reps; if you need to know who mine is, let me know.
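One workaround for the original question (asset list names missing from the add-on's vulnerability data) is to build a Splunk lookup from an asset-list export and enrich vuln events by IP at search time. The example below is added here and is not code from the thread, the Tenable add-on, or Tenable; it assumes static asset lists exported as JSON with a `name` and a comma-separated `typeFields.definedIPs` string (a hypothetical shape modelled on Tenable.sc's asset object, to be checked against your own export), and the sample data is constructed.

```python
"""Build a Splunk lookup mapping IPs to Tenable.sc asset-list names (added example)."""
import csv
import io
import ipaddress
import json

# Constructed sample export: two overlapping asset lists. The field names are
# an assumption about the export format, not verified against a live Tenable.sc.
SAMPLE_ASSET_LISTS = json.dumps([
    {"name": "FISMA-1234 Web Tier", "typeFields": {"definedIPs": "10.0.1.0/30,10.0.2.5"}},
    {"name": "Netgear Devices", "typeFields": {"definedIPs": "10.0.2.5,10.0.3.1-10.0.3.2"}},
])


def expand_defined_ips(defined_ips):
    """Yield every address in a definedIPs string (CIDRs, dash ranges, single IPs)."""
    for token in (t.strip() for t in defined_ips.split(",") if t.strip()):
        if "-" in token:  # inclusive range like 10.0.3.1-10.0.3.2
            lo, hi = (ipaddress.ip_address(p) for p in token.split("-", 1))
            yield from (str(ipaddress.ip_address(i)) for i in range(int(lo), int(hi) + 1))
        elif "/" in token:  # CIDR; iterate the network itself so /32 and /31 still expand
            yield from (str(h) for h in ipaddress.ip_network(token, strict=False))
        else:
            yield str(ipaddress.ip_address(token))


def build_ip_to_lists(asset_lists_json):
    """Return {ip: sorted asset-list names}; an IP may belong to several lists."""
    mapping = {}
    for entry in json.loads(asset_lists_json):
        for ip in expand_defined_ips(entry["typeFields"]["definedIPs"]):
            mapping.setdefault(ip, set()).add(entry["name"])
    return {ip: sorted(names) for ip, names in mapping.items()}


def to_lookup_csv(mapping):
    """Render the mapping as a Splunk lookup CSV; multiple list names joined with '|'."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["ip", "asset_lists"])
    for ip in sorted(mapping, key=ipaddress.ip_address):
        writer.writerow([ip, "|".join(mapping[ip])])
    return buf.getvalue()


def enrich_vuln(event, mapping):
    """Attach asset_lists to a vuln event keyed on its 'ip' field (empty if unlisted)."""
    return {**event, "asset_lists": mapping.get(event["ip"], [])}


if __name__ == "__main__":
    print(to_lookup_csv(build_ip_to_lists(SAMPLE_ASSET_LISTS)))
```

In Splunk the CSV would be uploaded as a lookup and applied with `| lookup asset_lists.csv ip OUTPUT asset_lists`, then split with `makemv delim="|"` to search by list name.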
