Tenable Data - Combining Sourcetypes

kbrisson
Loves-to-Learn

I'm sure this has been asked before, but I can't find the answer. I'm looking to use Splunk to provide better metrics from Tenable. The data that is sent into Splunk from Tenable has two sourcetypes that I'm interested in: asset data and vuln data. I need to combine the two of them (UUID is the common field) so that I can then filter the data set down to specific tags that have been applied to the assets. This way, I can start creating better historical dashboards and reports.

I think what I need to do is match the UUIDs from both sourcetypes, which hopefully will then take all the vuln data and list it under the one unique UUID. From there, I need to be able to filter based on the tags created in Tenable.

Is this possible?

Thanks


tscroggins
Champion

Hi @kbrisson,

Yes, it's possible, although the "how" is a long answer, and I don't have any active Tenable.sc or Tenable.io data to demo with. A few key points to remember:

  • Tenable data is relational, but the Splunk data will be a point-in-time snapshot of assets and scan results represented as a time series. Each query returns the latest scan results from all repositories the configured account can access.
  • You'll need to deduplicate assets and vulns using time ranges that cover the span of first seen and last seen timestamps for the assets and vulns of interest.
  • UUIDs may be globally unique, but if you have multiple repositories and/or multiple Tenable instances, you'll need to deduplicate by Tenable instance, repository, and UUID*.

* UUID isn't the only field used to uniquely identify assets. Check the uniqueness/hostUniqueness field to see which fields create a composite key that uniquely identifies a host.

Some apps, e.g. Tenable's, attempt to work around these issues by storing data in a kvstore collection; however, the collection can grow quite large, limiting its usefulness as a search tool. It doesn't scale.

You may have better luck defining reports in Tenable and pulling the report results into Splunk.
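As an added example (not from the thread, and not Tenable's or Splunk's own code), here is one way to do the UUID join, the per-instance/per-repository deduplication and the tag filter that the answer above describes, in plain SPL. It assumes the Tenable Add-on for Splunk sourcetypes tenable:io:assets and tenable:io:vuln, an index named tenable, that the Splunk host field identifies the Tenable instance, and the field names asset.uuid, id, tags{}.key, tags{}.value, repository.name, plugin.id, port.port, port.protocol, state, severity, first_found and last_found. All of those names, the tag value Environment:Production and the 90-day window are assumptions; check them against your own events before relying on the numbers.

```spl
index=tenable sourcetype IN ("tenable:io:assets", "tenable:io:vuln") earliest=-90d
| eval instance=host
| eval repository=coalesce('repository.name', "none")
| eval asset_uuid=coalesce('asset.uuid', id)
| eval tag=mvzip('tags{}.key', 'tags{}.value', ":")
| eventstats values(tag) as asset_tags by instance repository asset_uuid
| search sourcetype="tenable:io:vuln" asset_tags="Environment:Production" state IN ("OPEN", "REOPENED")
| dedup instance repository asset_uuid plugin.id port.port port.protocol sortby -_time
| stats count as open_findings
        earliest(first_found) as first_found
        latest(last_found) as last_found
        values(asset_tags) as asset_tags
    by instance repository asset_uuid severity
| sort instance repository asset_uuid severity
```

The eventstats step copies each asset's tags onto every vuln event that shares the same (instance, repository, UUID) key, so the asset and vuln sourcetypes are correlated without the join command and its subsearch limits. The dedup step then keeps only the newest occurrence of each finding (same key plus plugin, port and protocol), which is what turns the repeated snapshots into one current row per finding; if the uniqueness/hostUniqueness field shows that UUID alone is not the composite key for your repositories, add those fields to the eventstats "by" clause and the dedup field list. The earliest= window must cover the span between the oldest first_found and the newest last_found you care about, otherwise findings whose last snapshot fell outside the window silently disappear from the counts.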
