How-to Guide: Tenable Applications for Splunk Last Revised: June 20, 2018

Table of Contents Overview

3

Components

4

Tenable Add-on (TA-tenable)

5

Source and Source Types

6

CIM Mapping

7

Tenable App for Splunk Installation Workflow

8 10

Splunk Environments

11

Installation

12

Configuration

14

Tenable SecurityCenter Credentials

15

Tenable SecurityCenter Certificates

18

Tenable.io

22

Create Input

25

Adaptive Response

29

Additional Information

32

Tenable Macros

33

Troubleshooting

34

Copyright 2017 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.

Overview The Tenable Splunk applications perform data collection, normalization, and visualization. The Tenable application is divided into two parts: l

Tenable Add-On for Splunk (TA-tenable) - provides all data collection and normalization functionality.

l

Tenable App for Splunk (TenableAppforSplunk) - provides a dashboard to view the Tenable data in Splunk.

Tenable Application Topology

Copyright 2017 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.

Components The Tenable Add-on has specific purposes for different Splunk components. l

The Heavy Forwarder collects and forwards data for all events. Note: All inputs should be configured to run from the heavy forwarder.

l

The Indexer must be installed to ensure Tenable data is properly indexed. Note: You can use a default index or create and set a custom index. This is required.

l

The Search Head must be configured and installed to allow full functionality of the Tenable Add-on adaptive response actions. Note: You must use the same configuration details you have on the Heavy Forwarder for the adaptive response actions to work correctly.

Copyright 2017 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.

Tenable Add-on (TA-tenable) The Tenable Add-On for Splunk pulls data from Tenable platforms and normalizes it in Splunk. The current Tenable Add-On uses the following endpoints.

SecurityCenter l

Vulnerability and assets details: /rest/analysis

l

Plugin details: /rest/plugins

l

Repository details: /rest/repository

Tenable.io l

Request Export: /vulns/export

l

Export Status: /vulns//status

l

Download Chunk: /vulns//chunks/

Copyright 2017 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.

Source and Source Types The Tenable Add-on for Splunk will store data with the following sources and source types.

SecurityCenter Source

Sourcetype

Description

|

tenable:sc:vuln

This collects all vulnerability data.

|

tenable:sc:assets

This collects pull assets data.

|

tenable:sc:plugin

This collects all plugin data.

Tenable.io Source

Sourcetype

Description

tenable_io://

tenable:io:vuln

This collects all vulnerability data.

Copyright 2017 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.

CIM Mapping This chart displays how we map tenable vulnerability findings to Splunk CIM.

Field Name from Ten-

Field Name from Secur-

CIM Field

CIM Data

ble.io API

ityCenter API

Name

Model

asset.fqdn or asset.ipv4

dnsName or ip

dest

Vulnerability

plugin.bid

bid

bugtraq

Vulnerability

asset.ipv4

ip

dest_ip

Vulnerability

asset.fqdn

dnsName

dest_name

Vulnerability

plugin.synopsis

synopsis

signature

Vulnerability

plugin.family

family.name

category

Vulnerability

Tenable.io

Tenable SecurityCenter

vendor_ product

Vulnerability

Copyright 2017 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.

Tenable App for Splunk The Tenable App for Splunk provides a single dashboard showing all of your Tenable data.

Displayed Components l

Total Vulnerabilities Today

l

Active Vulnerabilities Today

l

Fixed Vulnerabilities Today

l

Total Vulnerabilities

l

Active Vulnerabilities

l

Fixed Vulnerabilities

l

Top 10 Vulnerabilities

l

Most Vulnerable Hosts

l

Vulnerabilities by Severity

l

New Vulnerabilities

Copyright 2017 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.

Copyright 2017 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.

Installation Workflow Follow the steps below to complete the installation and configuration of the Tenable applications for Splunk.

Install and Configure 1. Install the Tenable application. 2. Configure the desired Tenable application for Splunk. 3. Create an input for the configured Tenable application for Splunk. 4. Configure adaptive response actions.

Copyright 2017 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.

Splunk Environments The installation process for the Tenable App for Splunk and Tenable Add-On for Splunk varies based on your Splunk environment.

Deployment Types Single server, distributed deployment, and cloud instance options are available.

Single Server Deployment In a single server deployment, a single instance of Splunk Enterprise works as a data collection node, indexer, and search head. In this instance, install the Tenable Add-On and Tenable App on this node. Complete the setup for the Tenable Add-On to start data collection.

Distributed Deployment In a distributed deployment, install Splunk on at least two instances. One node works as a search head while the other node works as an indexer for data collection. The following table displays information on how the Tenable Add-On and Tenable App are installed in the distributed environment.

Component

Forwarder

Indexer

Search Head

Tenable Add-on for Splunk (TA-Tenable)

Yes

No

Yes

l l

Tenable-SC App for Splunk (Tenable App)

configure accounts configure data input

No

l

No

configure accounts

Yes

Cloud Instance In Splunk Cloud, the data indexing takes place in a cloud instance. Note: The data collection can take place in an on premise Splunk instance that works as a heavy forwarder.

The application can be installed via a command line or from the Splunk UI.

Copyright 2017 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.

Installation Pre-requisites You must have sufficient permissions to integrate with Tenable Tenable.io or Tenable SecurityCenter. l

The Security Manager role is required for SecurityCenter. (See the SecurityCenter user guide for information about user role configuration.)

l

The Admin role is required for Tenable.io. (See the Tenable.io user guide for information about user role configuration.)

Note: See the Splunk Environments section for additional information about the different types of Splunk deployments and their requirements.

Install via the Splunk UI 1. Log in to Splunk. 2. Go to Apps at the top of the screen. Click Manage App .

3. Click Install app from file.

Copyright 2017 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.

4. Next, choose the SPL file to install.

5. Click upload. Note: You must restart Splunk after installing the Tenable App or Tenable Add-On. Note: Next, configure the Tenable application.

Copyright 2017 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.

Configuration Tenable provides three application configuration options for the Tenable Add-On for Splunk.

Tenable SecurityCenter Credentials Tenable SecurityCenter Certificates Tenable.io

Copyright 2017 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.

Tenable SecurityCenter Credentials To complete the installation process, you must complete the setup for the Tenable Add-on for

Splunk. 1. Log in to your data collection node. 2. In the left navigation bar, click the Tenable Add-on for Splunk.

3. Click the Configuration tab.

Copyright 2017 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.

4. Click the Add button. A new window displays.

Copyright 2017 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.

5. In the Tenable Access Type field, select Tenable SecurityCenter Credentials 6. Enter the necessary information for each field. The field options are described in the chart below.

Input Parameters

Description

Account Name

(Required) The unique name for each Tenable SecurityCenter data input.

Tenable Account Type

(Required) Tenable SecurityCenter Credentials.

Address

(Required) The host name or IP address for SecurityCenter.

Verify SSL Certificate

If enabled, Splunk verifies the certificate in SecurityCenter.

Username

The username in SecurityCenter.

Password

The password in SecurityCenter.

7. Click Add to complete the configuration. Note: Next, you must create an input for the Tenable Add-On for Splunk.

Copyright 2017 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.

Tenable SecurityCenter Certificates To complete the installation process, you must complete the setup for the Tenable Add-on for

Splunk. 1. Log in to your data collection node. 2. In the left navigation bar, click the Tenable Add-on for Splunk.

3. Click the Configuration tab.

Copyright 2017 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.

4. Click the Add button. The Add Account window displays.

Copyright 2017 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.

5. In the Tenable Account Type field, select Tenable SecurityCenter Certificates . 6. Enter the necessary information for each field. The field description are described in the chart below.

Input Parameters

Description

Account Name

(Required) The unique name for each Tenable SecurityCenter data input.

Tenable Account Type

(Required) The Tenable application -Tenable SecurityCenter Certificate.

Address

(Required)The host name or IP address for SecurityCenter.

Verify SSL Certificate

If enabled, Splunk verifies the SSL Certificate in SecurityCenter.

Copyright 2017 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.

Certificate Filename

The name of the certificate that you uploaded to

$SPLUNK_HOME/etc/apps/TA-tenable/certs/. Key Filename

The name of the key that you uploaded to $SPLUNK_

HOME/etc/apps/TA-tenable/certs/. Key Password

The password for the key file you uploaded.

7. Click Add to complete the configuration. Note: Next, you must create an input for the Tenable Add-On for Splunk.

Copyright 2017 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.

Tenable.io To complete the installation process, you must complete the setup for the Tenable Add-on for

Splunk. 1. Log in to your data collection node. 2. In the left navigation bar, click the Tenable Add-on for Splunk.

3. Click the Configuration tab.

Copyright 2017 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.

4. Click the Add button. A new window displays.

Copyright 2017 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.

5. Enter the necessary information for each field. The field options are described in the chart below. Note: You must generate an API key in Tenable.io to complete the configuration. See the Tenable.io user guide for instructions on how to generate an API key.

Input Parameters

Description

Account Name

(Required) The unique name for each Tenable.io data input.

Tenable Account Type

(Required) The Tenable application - Tenable.io.

Address

(Required) The host name or IP address for Tenable.io.

Verify SSL Certificate

If enabled, Splunk verifies the SSL certificate in Tenable.io.

Access Key

Your Tenable.io API Access Key.

Secret Key

Your Tenable.io API Secret Key.

6. Click Add to complete the configuration. Note: Next, you must create an input for the Tenable Add-On for Splunk.

Copyright 2017 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.

Create Input After you have completed configuring your Tenable Add-On for Splunk, you must create the input.

Steps 1. In the Splunk interface, click the Inputs tab.

2. Click the Create New Input button. A drop down appears.

3. Select the appropriate Tenable application. The selected Tenable application input options open in a new window.

Copyright 2017 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.

l

Tenable.io

l

Tenable SecurityCenter

Copyright 2017 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.

4. Enter the necessary information for each field. The field description are described in the chart below. Note: If you dont use the default index, you have to update the Tenable Macro.

Tenable.io

Input Parameters

Description

Name

(Required) The unique name for each Tenable SecurityCenter data input.

Interval

(Required) The interval parameter specifies when the input restarts to perform the task again (in seconds).

Index

(Required) Select the index to store Tenable.io data

Copyright 2017 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.

in. Global Account

(Required) The Tenable account from which data is acquired.

Start Time

The date and time to start collecting data from. If you leave this field blank, all historical data will be collected. (Enter in this format - YYYY-MM-DD

hh:mm:ss.) Lowest Severity Score

(Required) The lowest level of severity that will be stored.

Tenable SecurityCenter

Input Parameters

Description

Name

(Required) The unique name for each Tenable SecurityCenter data input.

Interval

(Required) The interval parameter specifies when the input restarts to perform the task again (in seconds).

Index

(Required) Select the index to store SecurityCenter data in.

Global Account

(Required) The Tenable account from which data is acquired.

Lowest Severity Score

(Required) The lowest level of severity that will be stored.

Sync Plugin Details

If selected, plugin details are included.

Include Accepted Risks

If selected, data with accepted risks true is included.

Repositories

List of repository IDs to collect data.

5. Click Add to create the input.

Copyright 2017 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.

Adaptive Response To configure an adaptive response:

Select an Index Before configuring the adaptive response, you have to configure the index that stores the adaptive response actions. Note: If you do not select an index , the responses will be stored in the default - "main" index.

1. On the configuration page, click the Alert Actions Configuration tab.

2. Click the Alert Actions Index drop down to display the index list. Select an index.

3. Click Save.

Configure Saved Actions Configure adaptive response actions when you create a correlation search. Note: The actions are retrieved automatically when you run the search.

Copyright 2017 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.

1. In the top navigation panel, click Configure. Select Content Management from the drop down menu.

2. In the top right corner, click the Create New Content button. Select Correlation Search from drop down menu.

Note: You can bind adaptive response actions while creating the correlation search.

3. Click Add New Response Action . Select the appropriate action for your search.

Copyright 2017 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.

4. Run a search. The saved events are retrieved and display in the Adaptive Responses panel.

Copyright 2017 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.

Additional Information See the following pages for additional information.

Update Macro Definition Troubleshooting

Copyright 2017 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.

Tenable Macros To modify the macro definition:

Tenable Index Macro 1. Go to Settings-> Advance search-> Search Macros . 2. Click get_tenable_index. Note: The get_tenable_index tells the system how to find the index in which the Tenable data is being stored.

3. If the index=default is selected in the modular input, there is no need to update the macro. Note: The default macro definition is index=main. Update the macro with the same index selected in the respective modular input.

Tenable Source Types 1. Go to Settings-> Advance search-> Search Macros . 2. Click get_tenable_sourcetype. Note: Default macro definition is sourcetype=(tenable:sc:vuln OR tenable:io:vuln).

Copyright 2017 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.

Troubleshooting 1. I don’t see data after setting up mod input. l

l

Verify that you have checked the Enable Data Collection? field in modular input. Check the Splunk file (/var/log/splunk/ta_tenable_tenable_securitycenter.log) for any TA-Tenable specific errors.

2. Data is not populating in the Tenable App dashboards. l

Try expanding the time range from the last 24 hours.

l

Check the Tenable macro (get_tenable_index) and ensure the Tenable index is set correctly.

Copyright 2017 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.