I am recently trying to ingest data from Tenable to our Splunk environment. I noticed there are 2 add-ons available. I first used Tenable Add-on for Splunk and didn't have much issues. However, I noticed there was a Splunk add-on for Tenable. What's the difference between the 2?
Also, did anyone experience reports missing from Tenable SC after configuring the Splunk Tenable App? My IA team mentioned they no longer see their reports after I started ingesting the reports to Splunk.
We are comparing the two, by looking at events, and comparing them. The Tenable add-on for Splunk seems to add a lot more data fields, specific to the discovered vulnerability. But the Splunk Add-on for Tenable seems to give more data on the host with the vulnerability.
Our next step is to run both, and compare an identical event record in both plugins.
I used the "Splunk Add-on for Tenable" some time ago. I'm not sure the "Tenable Add-On for Splunk" existed back then.
What we can tell from splunkbase is that the Tenable Add-On for Splunk is authored by Tenable. (I didn't verify.)
The Splunk Add-on for Tenable is authored by Splunk.
You can see that on Spunkbase under "BUILD BY".
Also, it appears that the "Tenable Add-On for Splunk" was recently updated on Oct. 30, 2018.
However, the "Splunk Add-on for Tenable" was last updated on May 10, 2018.
Given that the "Tenable Add-On for Splunk" appears to be directly from Tenable and that it was recently updated, I suggest you use this one.