Splunk Enterprise

Tenable add on

rahul8777
Explorer

Hello,

The Tenable Add-on for Splunk stores data with the following sources and source types.

Tenable.sc

Source                  Sourcetype          Description

<username>|<address>    tenable:sc:vuln     This collects all vulnerability data.
<username>|<address>    tenable:sc:assets   This collects all asset data.
<username>|<address>    tenable:sc:plugin   This collects all plugin data.

 

Tenable.io

Source                          Sourcetype          Description

tenable_io://<data input name>  tenable:io:vuln     This collects all vulnerability data.
tenable_io://<data input name>  tenable:io:assets   This collects all asset data.
tenable_io://<data input name>  tenable:io:plugin   This collects all plugin data.

 

In my production environment I am getting logs from the Tenable.sc sourcetypes (tenable:sc:vuln, tenable:sc:assets, tenable:sc:plugin), and these sourcetypes are visible in my data summary; however, the Tenable.io sourcetypes (tenable:io:vuln, tenable:io:assets, tenable:io:plugin) are not visible in the data summary and I am not getting any logs from them.

Questions:

1) I need help confirming whether the Tenable.io sourcetypes are configured or not, and if they are configured, why they are not visible in the data summary sourcetype list.

2) How can I identify where my Tenable add-on is installed?

3) The Tenable vulnerability dashboard is not working.

 

Requesting an answer to the above-mentioned questions.

Thanks in advance


scelikok
SplunkTrust

Tenable dashboard searches are designed to work for both products. Your search is appending both the io and sc products. One of them should be enough for display. You can try removing the where command that filters the last_found field to today's events to test the results. I had the same problem and made changes to the queries to make it work. Please try the search below:

| inputlookup io_vuln_data_lookup
| eval today = round(relative_time(now(), "-0d@d"))
| where synopsis!="" AND synopsis!="N/A" AND synopsis!="n/a" AND synopsis!="None"
| eval product="Tenable.io"
| search (product="*") (severity="*")
| append
    [| inputlookup sc_vuln_data_lookup
     | eval today = round(relative_time(now(), "-0d@d"))
     | where synopsis!="" AND synopsis!="N/A" AND synopsis!="n/a" AND synopsis!="None"
     | eval product="Tenable.sc"
     | search (product="*") (severity="*")]
| eval state=if(state="fixed","fixed", "not fixed")
| stats dc(synopsis) as Count by state
| stats sum(Count) as "Total Vulnerabilities Found Today"

 

Also, you should run the "Tenable SC Vuln Data - All Time" report once to create the lookups.

If this reply helps you an upvote and "Accept as Solution" is appreciated.

shivanshu1593
Builder

I believe you haven't configured the add-on to use the input for Tenable.io, which connects to the Tenable cloud and gets the logs. Please set up a new input in the add-on and configure it to pull logs from Tenable.io.

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###

arunkumarkyamaj
Engager

Tenable.sc is for on-prem and Tenable.io is cloud. Most likely you have on-prem Tenable, so you are only seeing Tenable.sc.

If you have Tenable cloud, then you need to configure an account and inputs in your add-on.


rahul8777
Explorer

Hello Arun

Thanks for  the response .

I am wondering about the solution for the vulnerability dashboard, where I noticed that the query for "Total Vulnerabilities Found Today" requires data from both Tenable.sc and Tenable.io; if Tenable.sc is only required for on-prem, then how will the dashboard work for on-prem?

For your reference, below is the query.

| inputlookup io_vuln_data_lookup
| eval today = round(relative_time(now(), "-0d@d"))
| where last_found >= today AND synopsis!="" AND synopsis!="N/A" AND synopsis!="n/a" AND synopsis!="None"
| eval product="Tenable.io"
| search (product="*") (severity="*")
| append
    [| inputlookup sc_vuln_data_lookup
     | eval today = round(relative_time(now(), "-0d@d"))
     | where last_found >= today AND synopsis!="" AND synopsis!="N/A" AND synopsis!="n/a" AND synopsis!="None"
     | eval product="Tenable.sc"
     | search (product="*") (severity="*")]
| eval state=if(state="fixed","fixed", "not fixed")
| stats dc(synopsis) as Count by state
| stats sum(Count) as "Total Vulnerabilities Found Today"

(attachment: vulnera.PNG)

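To make the two panel searches in this thread concrete (scelikok's version without the last_found filter and the original one with it), here is a Python model of that pipeline, run over constructed lookup rows. This is an added example, not code from the thread or from the Tenable add-on: the field names are the ones the SPL reads (synopsis, severity, state, last_found), every row value is invented, and the midnight snap assumes a UTC search head (Splunk snaps in the user's configured timezone). It shows that the Tenable.io append contributes nothing when that lookup is empty, so the dashboard works with Tenable.sc data alone, and that the last_found >= today filter is what makes the panel show nothing when the lookup was last written before midnight.

```python
from datetime import datetime, timezone

# Constructed sample rows standing in for the io_vuln_data_lookup and
# sc_vuln_data_lookup CSVs the dashboard reads. Field names follow the SPL in
# the thread; every value is invented. last_found is epoch seconds.
NOW = datetime(2024, 3, 15, 14, 30, tzinfo=timezone.utc)
# relative_time(now(), "-0d@d") snaps to midnight; UTC is an assumption here.
TODAY = int(NOW.replace(hour=0, minute=0, second=0, microsecond=0).timestamp())
YESTERDAY = TODAY - 86400

# The four synopsis values the where clause throws away.
BAD_SYNOPSIS = {"", "N/A", "n/a", "None"}

# On-prem only: no Tenable.io input is configured, so its lookup has no rows
# and "inputlookup io_vuln_data_lookup" produces nothing to append.
IO_VULN_DATA_LOOKUP = []

SC_VULN_DATA_LOOKUP = [
    {"synopsis": "Outdated OpenSSL", "severity": "high", "state": "open", "last_found": TODAY + 3600},
    {"synopsis": "Outdated OpenSSL", "severity": "high", "state": "open", "last_found": TODAY + 7200},  # second host, same finding
    {"synopsis": "SMBv1 enabled", "severity": "critical", "state": "fixed", "last_found": TODAY + 600},
    {"synopsis": "Weak SSH ciphers", "severity": "medium", "state": "open", "last_found": YESTERDAY + 3600},
    {"synopsis": "N/A", "severity": "info", "state": "open", "last_found": TODAY + 100},
    {"synopsis": "", "severity": "info", "state": "open", "last_found": TODAY + 200},
]


def select_rows(rows, product, today=TODAY, filter_today=True):
    """One branch of the search:
    inputlookup <lookup> | eval today=... | where [last_found >= today AND]
    synopsis!=... | eval product=... | search (product="*") (severity="*")
    With the dashboard inputs left at "*" the trailing search matches every
    row that has a severity field, so a row without one is dropped too."""
    selected = []
    for row in rows:
        if row["synopsis"] in BAD_SYNOPSIS:
            continue
        if filter_today and row["last_found"] < today:
            continue
        if not row.get("severity"):
            continue
        selected.append({**row, "product": product})
    return selected


def total_found_today(io_rows, sc_rows, today=TODAY, filter_today=True):
    """The rest of the pipeline:
    | append [...] | eval state=if(state="fixed","fixed","not fixed")
    | stats dc(synopsis) as Count by state
    | stats sum(Count) as "Total Vulnerabilities Found Today"
    Returns (total, {state: distinct synopsis count}); the same synopsis seen
    on several hosts, or from both products, is counted once per state."""
    combined = (select_rows(io_rows, "Tenable.io", today, filter_today)
                + select_rows(sc_rows, "Tenable.sc", today, filter_today))
    distinct_by_state = {}
    for row in combined:
        state = "fixed" if row["state"] == "fixed" else "not fixed"
        distinct_by_state.setdefault(state, set()).add(row["synopsis"])
    count_by_state = {state: len(names) for state, names in distinct_by_state.items()}
    return sum(count_by_state.values()), count_by_state


if __name__ == "__main__":
    # Original panel search: only rows found today count.
    print(total_found_today(IO_VULN_DATA_LOOKUP, SC_VULN_DATA_LOOKUP))
    # scelikok's variant: no today filter, so the whole lookup counts.
    print(total_found_today(IO_VULN_DATA_LOOKUP, SC_VULN_DATA_LOOKUP, filter_today=False))
    # Lookup not refreshed since yesterday: the original search shows 0.
    print(total_found_today(IO_VULN_DATA_LOOKUP, SC_VULN_DATA_LOOKUP, today=TODAY + 86400))
```

The three runs give 2, 3 and 0 respectively. The empty Tenable.io list never changes the result, which answers the on-prem question; the only difference between the two searches is the last_found filter, and under it a lookup that was not rewritten since midnight yields an empty panel, which is why the lookup has to exist (the "All Time" report scelikok mentions) and be refreshed before the original panel can show a number.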

rahul8777
Explorer

Can someone please help with the above-mentioned query?
