Re: How do I get scan data from Tenable.io to Splu...

bayman · ‎06-07-2017

I followed this guide from Tenable and installed the Splunk Add-on for Tenable to add my on-premise scanners and when I look up nessus sources, I only see these log sources:
/opt/splunk/var/log/splunk/splunk_ta_nessus_tenable_sc.log
/opt/splunk/var/log/splunk/splunk_ta_nessus_ucc_lib.log
/opt/splunk/var/log/splunk/ta_nessus.log

What do I need to do to see scan data from Tenable.io?

nkeuning · ‎06-21-2018

Tenable has just released a new app with Tenable.io and SecurityCenter support. https://splunkbase.splunk.com/app/4060/

markhill1 · ‎05-21-2018

I have set this up as above, and I can get data from the "nessus:plugins", but not the "Nessus Host Scans", has anyone seen this and solved the issue before?
We have tried putting the user up to 'administrator' as a test, and still no joy.
I cant see any other settings that would allow access to these logs.
Thanks

stevejfice · ‎07-13-2017

Under the Splunk Add-on For Tenable, add a new input and choose "Nessus".
You then need to name this input (NessusCloud or Tenable IO, or something more meaningful to yourself).
The URL you will use shall be "https://cloud.tenable.com" (no ports are needed, as it's just 443/https).
You still need to use the Secret/Access key from your Tenable IO user profile, the documentation is reasonably accurate here.

Everything else is going to be the same, so long as your Splunk instance can reach https://cloud.tenable.com then you should be working ok.

mreynov_splunk · ‎02-06-2018

This is not a supported scenario and will cause intermittent authorization errors and data loss.

stevejfice · ‎02-07-2018

In what way is it not supported? I have it working in three different environments in exactly this manner, collecting data every 6 hours from both plugins and scan data.

Richfez · ‎06-08-2017

Your link is broken (not your fault! Google also points to that same document and their link is also broken!), so until Tenable puts that back up somewhere we can see it, we may not be able to answer this easily.

(Unless someone actually does tenable.io and knows this answer off hand, of course. We do on premise Security Center - if tenable.io acts like "Security Center in the Cloud" then maybe I can help. But if it's more like "Nessus Manager in the cloud" I may not be able to. Do you know which method/methodology it uses?)

babecassisgenet · ‎06-09-2017

I can confirm, it is like Nessus Manager. I have this working in Splunk now using the Nessus TA. Follow this guide https://webcache.googleusercontent.com/search?q=cache:-5V-FbT4TQ0J:https://www.tenable.com/sites/dru...

The trick is that data will show up in Splunk using the timestamp from the scan - not the index time.

Richfez · ‎06-09-2017

Which means Splunk will pulling scan data from the Nessus scan boxes directly. So I wonder, where does Tenable.io come into play, and if it does come into play how do we get whatever extra data it has? Hmm.

Will have to do more research.

Still, this thread is still alive. 🙂

babecassisgenet · ‎06-09-2017

Tenable.io is "Nessus Manager" and "Nessus Scanners" in the cloud - so you just need to point it to cloud.tenable.com and give it your API keys

bayman · ‎06-13-2017

I did follow that guide when it was available. Do I specify my on-premise scanner ip or cloud.tenable.com under "Nessus Server URL"? What source or sourcetype should I be searching for to see the scan data?

How do I get scan data from Tenable.io to Splunk?

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...