All Apps and Add-ons

Tenable Add-on: configuration and authentication was successful but index has no events.

acensi0n
Engager

I have the Tenable apps installed and configured but no data is being pulled from SecurityCenter. The Security Manager account configured reports a successful login from Splunk but events in the index remains zero.

The following configuration items are used:

== Configuration: Account Name ==
- Verify SSL Certificate is disabled

== indexes ==
tenable
- App: TA-Tenable

== advanced search: search macros ==
get_tenable_index
- (index="tenable")

What could I be missing?

Any help appreciated!

nkeuning
Communicator

Have you checked the TA logs?
index="_internal" source="*ta_tenable*"

0 Karma

jawaharas
Motivator

I can notice the /vulns/export endpoint doesn't return any result (even via 'curl' command)

From TA logs:
DEBUG pid=59172 tid=MainThread file=connectionpool.py:_make_request:400 | https://cloud.tenable.com:443 "POST /vulns/export HTTP/1.1" 200 None

Tenable support says '/vulns/export' endpoint is no longer in user. Any help will be appreciable.

0 Karma

nkeuning
Communicator

vulns/export is very much still used across all of our integrations. This api only returns a uuid that we use to check the status of the data to be pulled and finally we use a chunks endpoint to pull the actual results we get. This log shows that the request returned a 200 so it is working as expected.

0 Karma

jawaharas
Motivator

This is from ta_tenable_tenable_io.log (in chronological order). I don't see any errors. But no data is indexed.

 2019-02-13 13:55:51,110 file=io_connect.py:__setupSession:32 | Tenable debug: Setting up session.
2019-02-13 13:55:51,110 file=io_connect.py:__setupSession:40 | Tenable debug: Setting max retries to: 3
2019-02-13 13:55:51,111 file=io_connect.py:__setupSession:46 | Tenable debug: Setting requests ssl verify to: True
2019-02-13 13:55:51,111 file=base_modinput.py:log_debug:286 | Tenable Debug: check point name: scan_resultscloud.tenable.com
2019-02-13 13:55:51,112 file=binding.py:get:664 | GET request to https://127.0.0.1:8089/servicesNS/nobody/TA-tenable/storage/collections/config/TA_tenable_checkpointer (body: {})
2019-02-13 13:55:51,117 file=connectionpool.py:_make_request:387 | "GET /servicesNS/nobody/TA-tenable/storage/collections/config/TA_tenable_checkpointer HTTP/1.1" 200 5326
2019-02-13 13:55:51,118 file=binding.py:get:664 | GET request to https://127.0.0.1:8089/servicesNS/nobody/TA-tenable/storage/collections/config/ (body: {'offset': 0, 'search': 'TA_tenable_checkpointer', 'count': -1})
2019-02-13 13:55:51,122 file=connectionpool.py:_make_request:387 | "GET /servicesNS/nobody/TA-tenable/storage/collections/config/?offset=0&search=TA_tenable_checkpointer&count=-1 HTTP/1.1" 200 4524
2019-02-13 13:55:51,124 file=binding.py:get:664 | GET request to https://127.0.0.1:8089/servicesNS/nobody/TA-tenable/storage/collections/data/TA_tenable_checkpointer/scan_resultscloud.tenable.com (body: {})
2019-02-13 13:55:51,126 file=connectionpool.py:_make_request:387 | "GET /servicesNS/nobody/TA-tenable/storage/collections/data/TA_tenable_checkpointer/scan_resultscloud.tenable.com HTTP/1.1" 200 101
2019-02-13 13:55:51,127 file=base_modinput.py:log_debug:286 | Tenable Debug: check point state returned: {u'since': 1550022951}
2019-02-13 13:55:51,131 file=connectionpool.py:_new_conn:809 | Starting new HTTPS connection (1): cloud.tenable.com
2019-02-13 13:55:52,189 file=connectionpool.py:_make_request:400 | https://cloud.tenable.com:443 "POST /vulns/export HTTP/1.1" 200 None
2019-02-13 13:55:52,191 file=io_connect.py:__checkResponse:68 | Tenable debug: response OK http_status code: 200
2019-02-13 13:55:52,191 file=io_connect.py:getEndpoint:94 | Tenable Debug: GET URL: https://cloud.tenable.com/vulns/export/51d2af32-baf9-4aa0-886d-73412a093dfd/status
2019-02-13 13:55:52,191 file=io_connect.py:getEndpoint:95 | Tenable Debug: GET PARMS: None
2019-02-13 13:55:52,669 file=connectionpool.py:_make_request:400 | https://cloud.tenable.com:443 "GET /vulns/export/51d2af32-baf9-4aa0-886d-73412a093dfd/status HTTP/1.1" 200 None
2019-02-13 13:55:52,670 file=io_connect.py:__checkResponse:68 | Tenable debug: response OK http_status code: 200
2019-02-13 13:55:52,670 file=binding.py:post:736 | POST request to https://127.0.0.1:8089/servicesNS/nobody/TA-tenable/storage/collections/data/TA_tenable_checkpointer/batch_save (body: {'body': '[{"state": "{\\"since\\": 1550026551}", "_key": "scan_resultscloud.tenable.com"}]'})
2019-02-13 13:55:52,702 file=connectionpool.py:_make_request:387 | "POST /servicesNS/nobody/TA-tenable/storage/collections/data/TA_tenable_checkpointer/batch_save HTTP/1.1" 200 35
0 Karma

nkeuning
Communicator

Please create a support ticket with tenable so we can help track down the issue. The only other thing i would recommend is expanding you search window as we index/store all vuln data based on first seen date so searching is a bit different than if we duplicated all data daily.

0 Karma

jawaharas
Motivator

Thanks. A Tenable Case #00755880 has been raised already. No luck so far. As you suggested I have searched the index with 'All Time' as time range. Still no data.

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...