All Apps and Add-ons

How do I get scan data from Tenable.io to Splunk?

bayman
Path Finder

I followed this guide from Tenable and installed the Splunk Add-on for Tenable to add my on-premise scanners and when I look up nessus sources, I only see these log sources:
/opt/splunk/var/log/splunk/splunk_ta_nessus_tenable_sc.log
/opt/splunk/var/log/splunk/splunk_ta_nessus_ucc_lib.log
/opt/splunk/var/log/splunk/ta_nessus.log

What do I need to do to see scan data from Tenable.io?

0 Karma

nkeuning
Communicator

Tenable has just released a new app with Tenable.io and SecurityCenter support. https://splunkbase.splunk.com/app/4060/

0 Karma

markhill1
Path Finder

I have set this up as above, and I can get data from the "nessus:plugins", but not the "Nessus Host Scans", has anyone seen this and solved the issue before?
We have tried putting the user up to 'administrator' as a test, and still no joy.
I cant see any other settings that would allow access to these logs.
Thanks

stevejfice
Path Finder

Under the Splunk Add-on For Tenable, add a new input and choose "Nessus".
You then need to name this input (NessusCloud or Tenable IO, or something more meaningful to yourself).
The URL you will use shall be "https://cloud.tenable.com" (no ports are needed, as it's just 443/https).
You still need to use the Secret/Access key from your Tenable IO user profile, the documentation is reasonably accurate here.

Everything else is going to be the same, so long as your Splunk instance can reach https://cloud.tenable.com then you should be working ok.

mreynov_splunk
Splunk Employee
Splunk Employee

This is not a supported scenario and will cause intermittent authorization errors and data loss.

0 Karma

stevejfice
Path Finder

In what way is it not supported? I have it working in three different environments in exactly this manner, collecting data every 6 hours from both plugins and scan data.

0 Karma

Richfez
SplunkTrust
SplunkTrust

Your link is broken (not your fault! Google also points to that same document and their link is also broken!), so until Tenable puts that back up somewhere we can see it, we may not be able to answer this easily.

(Unless someone actually does tenable.io and knows this answer off hand, of course. We do on premise Security Center - if tenable.io acts like "Security Center in the Cloud" then maybe I can help. But if it's more like "Nessus Manager in the cloud" I may not be able to. Do you know which method/methodology it uses?)

0 Karma

babecassisgenet
New Member

I can confirm, it is like Nessus Manager. I have this working in Splunk now using the Nessus TA. Follow this guide https://webcache.googleusercontent.com/search?q=cache:-5V-FbT4TQ0J:https://www.tenable.com/sites/dru...

The trick is that data will show up in Splunk using the timestamp from the scan - not the index time.

0 Karma

Richfez
SplunkTrust
SplunkTrust

Which means Splunk will pulling scan data from the Nessus scan boxes directly. So I wonder, where does Tenable.io come into play, and if it does come into play how do we get whatever extra data it has? Hmm.

Will have to do more research.

Still, this thread is still alive. 🙂

0 Karma

babecassisgenet
New Member

Tenable.io is "Nessus Manager" and "Nessus Scanners" in the cloud - so you just need to point it to cloud.tenable.com and give it your API keys

0 Karma

bayman
Path Finder

I did follow that guide when it was available. Do I specify my on-premise scanner ip or cloud.tenable.com under "Nessus Server URL"? What source or sourcetype should I be searching for to see the scan data?

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...