Asking for a friend after we spent some time looking through the questions posted earlier.
What's the best way to make sure that all the data I see in SecurityCenter is pulled into Splunk? Comparing what we see in SecurityCenter with what's pulled by the add-on, we see 20,000 more Critical and High vulnerabilities in SecurityCenter than were pulled into Splunk. Theories here are either:
At the root of this is something we'd like to understand: the first time you run the Add-on, what exactly is pulled down? We would expect it to be all the data. Future pulls would pull deltas (changes in vulnerability status) as explained in another answer.
Thanks for any advice here!
Edit: Directly tagging @nkeuning to see if you know.
By default the Tenable Add-on for Splunk will pull ALL data the user we are configured to connect with has access to in Tenable.sc. There are obviously options on the Input for Tenable.sc that could limit this data a bit, but if you aren't using/setting these it will pull everything. When you are comparing what you see in T.sc to what is in Splunk we recommend the following:
The way the current app stores data limits how much data we store drastically, but requires searches to be for all time as vulnerabilities are only indexed once based on their firstSeen time and never updated until their state changes.
Our V2 app that went EA yesterday changes all of this drastically so you may want to chat with your Tenable PoC about what is in the next version and all the changes it will provide.
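The indexing model described in the answer (each vulnerability indexed once at its firstSeen time, re-indexed only on a state change) is why a time-bounded Splunk search undercounts against Tenable.sc. The following is an added reconciliation sketch, not code from the thread or from the Tenable add-on; the event layout and the placeholder plugin IDs are constructed to mirror that model.

```python
from collections import defaultdict

# Constructed sample of indexed events (not real Tenable.sc data).
# Model from the answer: a finding is indexed once, stamped with its
# firstSeen time, and only re-indexed when its state changes.
EVENTS = [
    # (_time, host, pluginID, severity, state)
    (100, "10.0.0.1", "PLUGIN-A", "Info", "open"),
    (100, "10.0.0.1", "PLUGIN-B", "Critical", "open"),
    (120, "10.0.0.2", "PLUGIN-B", "Critical", "open"),
    (130, "10.0.0.3", "PLUGIN-C", "High", "open"),
    (400, "10.0.0.1", "PLUGIN-B", "Critical", "fixed"),  # state change
    (410, "10.0.0.4", "PLUGIN-C", "High", "open"),
]


def current_state(events, earliest=None):
    """Latest event per (host, pluginID) among events at or after `earliest`.

    Passing earliest=None is the 'all time' search the answer recommends;
    any window drops findings whose only indexed event is older than it.
    """
    latest = {}
    for t, host, plugin, sev, state in events:
        if earliest is not None and t < earliest:
            continue
        key = (host, plugin)
        if key not in latest or t > latest[key][0]:
            latest[key] = (t, sev, state)
    return latest


def count_open(events, severities=("Critical", "High"), earliest=None):
    """Count still-open findings by severity from the reconstructed state."""
    counts = defaultdict(int)
    for _, (t, sev, state) in current_state(events, earliest).items():
        if state == "open" and sev in severities:
            counts[sev] += 1
    return dict(counts)


if __name__ == "__main__":
    print("all time:", count_open(EVENTS))
    print("last window only:", count_open(EVENTS, earliest=400))
```

Running the all-time count reproduces the Tenable.sc view, while the windowed count misses the Critical finding whose only open event predates the window.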