
Integrate Tenable Nessus (SC) with Splunk

Contributor

Hello everyone. Please forgive my English level. I'm a Splunk novice and a Nessus novice.

I am trying to ingest Tenable (sc) vulnerability data into the Splunk indexer. I have read the official documentation for the Tenable Add-On for Splunk (link: https://docs.tenable.com/integrations/splunk/Content/Splunk%20Add%20On.htm). I think my type of Tenable is Tenable.sc, not Tenable.io. Please see the screenshot below:


I am trying to configure the Tenable Add-On for Splunk, but it returns the error message "Please enter valid Address, Username and Password.", as shown below:

I have tried deleting the port number from the address (192.168.20.129) and checking "Verify SSL Certificate", but it still does not work; I have tested all the configurations.

If I change the "Tenable Account Type" to Tenable.io and use an access key/secret key, it successfully creates the configuration. But after the input is successfully created, the vulnerability data is not indexed into Splunk, and I can find the following error in the log file error.log (/opt/splunk/var/log/splunk/tatenabletenable_io.log):

2019-09-11 16:09:56,668 INFO pid=10770 tid=MainThread file=base_modinput.py:log_info:293 | Tenable.io vulnerability data collection started
2019-09-11 16:09:56,669 INFO pid=10770 tid=MainThread file=splunk_rest_client.py:_request_handler:100 | Use HTTP connection pooling
2019-09-11 16:09:56,670 INFO pid=10770 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2019-09-11 16:09:56,693 ERROR pid=10770 tid=MainThread file=io_connect.py:__check_response:80 | Tenable Error: response: {"error":"The requested file was not found"}

I tried forcing the creation of the Tenable.sc account configuration (tatenableaccount.conf) on the command line, then selecting Global Account* when configuring the input. When I click the "Add" button, the following error still occurs:

2019-09-11 16:34:12,528 ERROR pid=19830 tid=MainThread file=sc_connect.py:_check_response:98 | Tenable SC Error: URL: https://192.168.20.129:8834/rest/system, HTTP status code: 404, error code: 1

So I re-read how the Tenable Add-on works: it calls the Tenable API to extract data from the Tenable platform. Link: https://docs.tenable.com/integrations/splunk/Content/Splunk%20Add%20On.htm

The Tenable Add-On for Splunk pulls data from Tenable platforms and normalizes it in Splunk.

The current Tenable Add-On uses the following endpoints.

Tenable.io

Request Export: /vulns/export
Vulnerability Export: /vulns/export

Asset Export: /assets/export

Tenable.sc

Vulnerability and assets details: /rest/analysis
Plugin details: /rest/plugins
Repository details: /rest/repository

The reason for the error was that my Nessus does not provide an API at all. When I tried to access these API links using a browser, it returned 404 Not Found.

For example:

The Tenable.io Vulnerability Export calls the API /vulns/export. When I try to access "https://192.168.20.129:8834/vulns/export", the browser returns status code 404 with the content: {"error":"The requested file was not found"}

The Tenable.sc Vulnerability and assets details call the API /rest/analysis. When I try to access "https://192.168.20.129:8834/rest/analysis", the browser returns status code 404 with the content: {"error":"The requested file was not found"}

Questions:

  1. Why doesn't my Nessus provide an API interface?
  2. Do I need to configure Nessus to enable the API interface?
  3. Is there a Nessus expert who can tell me whether my Nessus type is Tenable.io or Tenable.sc?
1 Solution

Communicator

I'm not sure why your box says "Nessus (SC)", but that is not Tenable.sc; it is Nessus. The Tenable Add-On for Splunk only supports Tenable.sc and Tenable.io. You will need to connect it to one of these platforms, rather than directly to Nessus. You can find more information on Tenable.sc here.

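The confusion in this thread comes down to which REST routes the host on port 8834 actually serves. The add-on expects Tenable.sc routes (/rest/system, /rest/analysis) or Tenable.io routes (/vulns/export), and a bare Nessus scanner answers 404 to all of them, exactly as the poster's browser test showed. The script below is an added example for this thread, not code from Tenable or from the Splunk add-on: it probes those paths and classifies what is listening. The Nessus path /server/properties and its nessus_type field are assumptions based on the Nessus scanner's own REST API and are not mentioned on the page; the status map in the sample run is constructed to mirror the 404s the poster observed. TLS verification stays on, with a cafile option for an appliance's self-signed certificate, rather than being disabled.

```python
"""Tell a bare Nessus scanner apart from Tenable.sc and Tenable.io by probing
the REST routes the Tenable Add-On for Splunk depends on.

Added example for this thread; not Tenable's or the add-on's own code.
/rest/system, /rest/analysis and /vulns/export are taken from the thread.
/server/properties and the nessus_type field are ASSUMPTIONS based on the
Nessus scanner API and are not shown on the page.
"""
import json
import ssl
import sys
import urllib.error
import urllib.request

# Signature path -> product that should answer with something other than 404.
SIGNATURE_PATHS = {
    "/rest/system": "Tenable.sc",       # add-on's connectivity check (thread)
    "/rest/analysis": "Tenable.sc",     # vulnerability/asset details (thread)
    "/vulns/export": "Tenable.io",      # vulnerability export (thread)
    "/server/properties": "Nessus",     # assumption: Nessus scanner route
}


def probe(base_url, timeout=5, cafile=None):
    """Return {path: http_status} for each signature path on base_url.

    Certificate verification is kept on; pass cafile= pointing at the
    appliance's self-signed cert instead of turning verification off.
    Any HTTP status (401, 403, ...) proves the route exists; only a 404
    means the server has no such route.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    statuses = {}
    for path in SIGNATURE_PATHS:
        req = urllib.request.Request(base_url.rstrip("/") + path, method="GET")
        try:
            with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
                statuses[path] = resp.status
        except urllib.error.HTTPError as err:
            statuses[path] = err.code
    return statuses


def classify(statuses):
    """Map {path: status} to a product name; 404 means 'route absent'."""
    present = set()
    for path, code in statuses.items():
        product = SIGNATURE_PATHS.get(path)
        if product is not None and code != 404:
            present.add(product)
    if "Tenable.sc" in present:
        return "Tenable.sc"
    if "Tenable.io" in present:
        return "Tenable.io"
    if "Nessus" in present:
        return "Nessus (not supported by the Tenable Add-On for Splunk)"
    return "unknown"


def nessus_edition(properties_json):
    """Extract the edition from a /server/properties body (assumed field
    name 'nessus_type'); falls back to plain 'Nessus' if it is missing."""
    try:
        return json.loads(properties_json).get("nessus_type", "Nessus")
    except (ValueError, AttributeError):
        return "Nessus"


# Constructed sample mirroring the thread: every Tenable.sc/.io route is 404
# on 192.168.20.129:8834, while the scanner's own route answers.
SAMPLE_STATUSES = {
    "/rest/system": 404,
    "/rest/analysis": 404,
    "/vulns/export": 404,
    "/server/properties": 200,
}


def sample_verdict():
    """Classification of the constructed sample above."""
    return classify(SAMPLE_STATUSES)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Live probe, e.g.: python probe.py https://192.168.20.129:8834 /path/ca.pem
        cafile = sys.argv[2] if len(sys.argv) > 2 else None
        live = probe(sys.argv[1], cafile=cafile)
        print(live, "->", classify(live))
    else:
        print(SAMPLE_STATUSES, "->", sample_verdict())
```

Run it against the box before touching tatenableaccount.conf: if the verdict is Nessus, no add-on setting will help, and the fix is to point the add-on at a Tenable.sc or Tenable.io instance that the scanner reports into. Do not reach for an unverified SSL context just to get past a self-signed certificate; export the appliance's certificate and pass it as cafile so the probe, and later the add-on with "Verify SSL Certificate" ticked, validate it.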

Contributor

Because I saw that the title of the website was "Nessus Scanner (SC)", I mistakenly thought it was Tenable.sc.
