Why are we seeing a disparity between results in Tenable SecurityCenter vs those pulled by Add-on?

vnakra_splunk
Splunk Employee

Asking for a friend after we spent some time looking through the questions posted earlier.

What's the best way to make sure that all the data I see in SecurityCenter is pulled into Splunk? Comparing what we see in SecurityCenter with what's pulled by the add-on, we see 20,000 more Critical and High vulnerabilities in SecurityCenter than were pulled into Splunk. Theories here are either:

  • The Add-on is only pulling a subset of the data in SecurityCenter. If so, what is that subset, and what's the best way to pull the remaining?
  • The Add-on is looking at a different datastore than what is used to populate the SC UI.
  • The Add-on is running into errors pulling down all the data. What's the best way to diagnose this?

At the root of this is something we'd like to understand: the first time you run the Add-on, what exactly is pulled down? We would expect it to be all the data. Future pulls would pull deltas (changes in vulnerability status) as explained in another answer.

Thanks for any advice here!

Edit: Directly tagging @nkeuning to see if you know.

0 Karma
1 Solution

nkeuning
Communicator

By default the Tenable Add-on for Splunk will pull ALL data the user we are configured to connect with has access to in Tenable.sc. There are obviously options on the Input for Tenable.sc that could limit this data a bit, but if you aren't using/setting these it will pull everything. When you are comparing what you see in T.sc to what is in Splunk we recommend the following:

  • In T.sc log in as the user configured for Splunk to use to pull data and go to the Analysis -> Vulnerabilities page and select the Vulnerability Detail List View. In the upper right-hand corner should be the total number of vulnerabilities you should see in Splunk.
  • In Splunk search against the index you have configured for your input for sourcetype="tenable:sc:vulns" | dedup ip, pluginID, port, protocol | search state!=fixed with a search window of All Time.

The way the current app stores data limits how much data we store drastically, but requires searches to be for all time as vulnerabilities are only indexed once based on their firstSeen time and never updated until their state changes.

Our V2 app that went EA yesterday changes all of this drastically so you may want to chat with your Tenable PoC about what is in the next version and all the changes it will provide.

0 Karma
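
A small Python model of the search in the answer above, added here as an example (not part of the original post and not the add-on's code). On constructed events it shows why the count only matches Tenable.sc when the window is All Time and the dedup runs before the state filter. The state values other than "fixed", the IPs, plugin IDs and helper names are assumptions.

```python
from datetime import datetime, timedelta

NOW = datetime(2021, 11, 1)  # constructed reference time
KEY = ("ip", "pluginID", "port", "protocol")  # dedup fields from the answer

def ev(days_ago, ip, plugin, port, state):
    """Build one constructed tenable:sc:vulns-style event."""
    return {"_time": NOW - timedelta(days=days_ago), "ip": ip,
            "pluginID": plugin, "port": port, "protocol": "TCP", "state": state}

# Constructed sample: a finding is indexed once, then again on each state change.
EVENTS = [
    ev(400, "192.0.2.5", "10001", "0", "open"),      # old, never changed, still open
    ev(90, "192.0.2.6", "10002", "443", "open"),
    ev(3, "192.0.2.6", "10002", "443", "fixed"),     # later fixed
    ev(200, "192.0.2.7", "10003", "443", "open"),
    ev(60, "192.0.2.7", "10003", "443", "fixed"),
    ev(2, "192.0.2.7", "10003", "443", "reopened"),  # fixed, then came back
    ev(5, "192.0.2.8", "10004", "8443", "open"),
]

def in_window(events, days):
    """Emulate the search time range; days=None means All Time."""
    if days is None:
        return list(events)
    return [e for e in events if e["_time"] >= NOW - timedelta(days=days)]

def dedup_then_filter(events):
    """Model of: | dedup ip, pluginID, port, protocol | search state!=fixed"""
    latest = {}
    # Splunk returns newest events first and dedup keeps the first one per key.
    for e in sorted(events, key=lambda e: e["_time"], reverse=True):
        latest.setdefault(tuple(e[k] for k in KEY), e)
    return [e for e in latest.values() if e["state"] != "fixed"]

def filter_then_dedup(events):
    """Wrong order: a stale 'open' event survives once its 'fixed' update is dropped."""
    return dedup_then_filter([e for e in events if e["state"] != "fixed"])

if __name__ == "__main__":
    print("All Time, dedup then filter:", len(dedup_then_filter(in_window(EVENTS, None))))
    print("All Time, filter then dedup:", len(filter_then_dedup(in_window(EVENTS, None))))
    print("Last 30 days, dedup then filter:", len(dedup_then_filter(in_window(EVENTS, 30))))
```

A shorter window undercounts because findings that have not changed state since they were first indexed fall outside it; filtering before the dedup overcounts because findings that were later fixed are counted from their older open event.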
