Hello,
The Tenable Add-on for Splunk stores data with the following sources and source types.
Tenable.sc
Source | Sourcetype | Description
<username>|<address> | tenable:sc:vuln | This collects all vulnerability data.
<username>|<address> | tenable:sc:assets | This collects all asset data.
<username>|<address> | tenable:sc:plugin | This collects all plugin data.
Tenable.io
Source | Sourcetype | Description
tenable_io://<data input name> | tenable:io:vuln | This collects all vulnerability data.
tenable_io://<data input name> | tenable:io:assets | This collects all asset data.
tenable_io://<data input name> | tenable:io:plugin | This collects all plugin data.
In my production environment I am getting logs from the Tenable.sc sourcetypes (tenable:sc:vuln, tenable:sc:assets, tenable:sc:plugin), and these sourcetypes are visible in my data summary. However, the Tenable.io sourcetypes (tenable:io:vuln, tenable:io:assets, tenable:io:plugin) are not visible in the data summary, and I am not getting logs from these sourcetypes.
Questions:
1) I need help confirming whether the Tenable.io sourcetypes are configured or not, and if they are configured, why they are not visible in the data summary sourcetype list.
2) How can I identify where my Tenable add-on is installed?
3) The Tenable vulnerability dashboard is not working.
Requesting answers to the above questions.
Thanks in advance
Tenable dashboard searches are designed to work for both products. Your search is appending both the io and sc products. One of them should be enough for display. You can try removing the where command that filters the last_found field to today's events to test the results. I had the same problem and made changes to the queries to make it work. Please try the below:
| inputlookup io_vuln_data_lookup | eval today = round(relative_time(now(), "-0d@d")) | where synopsis!="" AND synopsis!="N/A" AND synopsis!="n/a" AND synopsis!="None" | eval product="Tenable.io" | search (product="*") (severity="*") | append [| inputlookup sc_vuln_data_lookup | eval today = round(relative_time(now(), "-0d@d")) | where synopsis!="" AND synopsis!="N/A" AND synopsis!="n/a" AND synopsis!="None" | eval product="Tenable.sc" | search (product="*") (severity="*")] | eval state=if(state="fixed","fixed", "not fixed") | stats dc(synopsis) as Count by state | stats sum(Count) as "Total Vulnerabilities Found Today"
Also, you should run the "Tenable SC Vuln Data - All Time" report once to create the lookups.
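To see what the answer above changes, here is a plain-Python model of the "Total Vulnerabilities Found Today" search, added as an example for this thread; it is not code from the thread, from the Tenable Add-on for Splunk or from Splunk. It mirrors each SPL stage (the where filter, the append of the second lookup, the state bucketing, dc(synopsis) by state, and the final sum) so the variant without the last_found filter and the dashboard's original variant with `where last_found >= today` can be compared on constructed rows. The lookup rows are constructed sample data, the Tenable.io lookup is left empty as it would be with no tenable_io:// input configured, and the model assumes last_found holds epoch seconds, which is what the numeric comparison against today in the SPL implies.

```python
"""Plain-Python model of the Tenable dashboard search "Total Vulnerabilities Found Today".

Added example for this thread, not code from the thread, the Tenable Add-on for
Splunk or Splunk.  Assumption: last_found holds epoch seconds, which is what
the `where last_found >= today` comparison in the SPL implies.
"""
from datetime import datetime, timezone

# Fixed "now" so the example is deterministic (the SPL uses now()).
NOW = datetime(2024, 5, 6, 15, 30, tzinfo=timezone.utc)

# The synopsis values the SPL where-clause excludes.
EMPTY_SYNOPSIS = {"", "N/A", "n/a", "None"}


def start_of_today(now: datetime) -> int:
    """relative_time(now(), "-0d@d"): snap to midnight of the current day.

    Splunk snaps in the search head's time zone; here the tz of `now` is used.
    """
    return int(now.replace(hour=0, minute=0, second=0, microsecond=0).timestamp())


TODAY = start_of_today(NOW)

# Constructed sample rows standing in for io_vuln_data_lookup / sc_vuln_data_lookup.
# The Tenable.io lookup is empty, as it is when no tenable_io:// input exists.
IO_VULN_DATA_LOOKUP = []
SC_VULN_DATA_LOOKUP = [
    {"synopsis": "Expired TLS certificate", "state": "open", "last_found": TODAY + 3600},
    # Same synopsis on a second host: dc(synopsis) collapses it to one.
    {"synopsis": "Expired TLS certificate", "state": "open", "last_found": TODAY + 7200},
    {"synopsis": "Outdated OpenSSH", "state": "fixed", "last_found": TODAY - 3 * 86400},
    {"synopsis": "Weak SMB signing", "state": "open", "last_found": TODAY - 10 * 86400},
    {"synopsis": "N/A", "state": "open", "last_found": TODAY + 100},  # always filtered out
]


def where_clause(row: dict, today: int, today_only: bool) -> bool:
    """The `where synopsis!="" AND ...` stage, optionally with `last_found >= today`."""
    if row.get("synopsis", "") in EMPTY_SYNOPSIS:
        return False
    return not today_only or row.get("last_found", 0) >= today


def total_found(io_rows, sc_rows, now=NOW, today_only=True):
    """Run the search end to end.

    Returns (counts_by_state, total): the output of `stats dc(synopsis) as Count
    by state` and of `stats sum(Count) as "Total Vulnerabilities Found Today"`.
    """
    today = start_of_today(now)
    rows = [dict(r, product="Tenable.io") for r in io_rows if where_clause(r, today, today_only)]
    # `append [...]` simply concatenates the subsearch rows; an empty Tenable.io
    # lookup contributes nothing and does not break the search.
    rows += [dict(r, product="Tenable.sc") for r in sc_rows if where_clause(r, today, today_only)]

    # eval state=if(state="fixed","fixed","not fixed") | stats dc(synopsis) as Count by state
    by_state = {}
    for r in rows:
        state = "fixed" if r.get("state") == "fixed" else "not fixed"
        by_state.setdefault(state, set()).add(r["synopsis"])
    counts = {state: len(synopses) for state, synopses in by_state.items()}
    # stats sum(Count) as "Total Vulnerabilities Found Today"
    return counts, sum(counts.values())


if __name__ == "__main__":
    print("with last_found >= today:   ", total_found(IO_VULN_DATA_LOOKUP, SC_VULN_DATA_LOOKUP))
    print("without last_found filter:  ",
          total_found(IO_VULN_DATA_LOOKUP, SC_VULN_DATA_LOOKUP, today_only=False))
```

With the filter in place only rows whose last_found falls on or after midnight today survive, so a lookup that was last refreshed by an older report run reports zero; dropping the filter counts every non-empty synopsis in the lookups regardless of when it was last seen. Either way the empty Tenable.io lookup is harmless, which is why a Tenable.sc-only deployment still produces a number.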
I believe you haven't configured the add-on to use the input for Tenable.io, which connects to the Tenable cloud and gets the logs. Please set up a new input in the add-on and configure it to pull logs from Tenable.io.
Tenable.sc is for on-prem and Tenable.io is cloud. Most likely you have on-prem Tenable, so you are only seeing Tenable.sc.
If you have Tenable cloud, then you need to configure the account and inputs in your add-on.
Hello Arun
Thanks for the response.
I am wondering about the solution for the vulnerability dashboard, where I noticed that the query for "Total Vulnerabilities Found Today" requires data from both Tenable.sc and Tenable.io. If only Tenable.sc is required for on-prem, then how will the dashboard work for on-prem?
For your reference, below is the query.
| inputlookup io_vuln_data_lookup | eval today = round(relative_time(now(), "-0d@d")) | where last_found >= today AND synopsis!="" AND synopsis!="N/A" AND synopsis!="n/a" AND synopsis!="None" | eval product="Tenable.io" | search (product="*") (severity="*") | append [| inputlookup sc_vuln_data_lookup | eval today = round(relative_time(now(), "-0d@d")) | where last_found >= today AND synopsis!="" AND synopsis!="N/A" AND synopsis!="n/a" AND synopsis!="None" | eval product="Tenable.sc" | search (product="*") (severity="*")] | eval state=if(state="fixed","fixed", "not fixed") | stats dc(synopsis) as Count by state | stats sum(Count) as "Total Vulnerabilities Found Today"
Could someone please help with the above query?