
How-to Guide: Tenable Applications for Splunk

Last Revised: August 21, 2018


Table of Contents

- Overview
- Components
- Tenable Add-on (TA-tenable)
- Source and Source Types
- CIM Mapping
- Tenable App for Splunk
- Installation Workflow
- Splunk Environments
- Installation
- Configuration
- Tenable SecurityCenter Credentials
- Tenable SecurityCenter Certificates
- Tenable.io
- Create Input
- Adaptive Response
- Additional Information
- Tenable Macros
- Troubleshooting

Copyright 2018 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.


Overview

The Tenable Splunk applications perform data collection, normalization, and visualization.

The Tenable application is divided into two parts:

- Tenable Add-On for Splunk (TA-tenable) - provides all data collection and normalization functionality.

- Tenable App for Splunk (TenableAppforSplunk) - provides a dashboard to view the Tenable data in Splunk.

[Figure: Tenable Application Topology]


Components

The Tenable Add-on has specific purposes for different Splunk components.

- The Heavy Forwarder collects and forwards data for all events.

Note: All inputs should be configured to run from the heavy forwarder.

Note: You must enable the key value store (KV store) on the heavy forwarder.

- The Indexer must be installed to ensure Tenable data is properly indexed.

Note: You can use a default index or create and set a custom index. One or the other is required.

- The Search Head must be configured and installed to allow full functionality of the Tenable Add-on adaptive response actions.

Note: You must use the same configuration details you have on the Heavy Forwarder for the adaptive response actions to work correctly.


Tenable Add-on (TA-tenable)

The Tenable Add-On for Splunk pulls data from Tenable platforms and normalizes it in Splunk.

The current Tenable Add-On uses the following endpoints.

SecurityCenter

- Vulnerability and asset details: /rest/analysis
- Plugin details: /rest/plugins
- Repository details: /rest/repository

Tenable.io

- Request Export: /vulns/export
- Export Status: /vulns/<Export UUID>/status
- Download Chunk: /vulns/<Export UUID>/chunks/<Chunk ID>
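The three Tenable.io endpoints above form one request/poll/download flow. The Python client below walks it end to end against a constructed in-memory stand-in for Tenable.io so it runs offline; it is an added example, not the add-on's own collector code. It assumes the response fields export_uuid, status and chunks_available, the X-ApiKeys header format, and the request-body shape, and it uses the endpoint paths exactly as listed above, so confirm them against the Tenable.io API reference before binding a real transport to a tenant.

```python
import json
import time
from typing import Callable, Dict, List, Optional, Tuple

# Constructed transport signature: (method, path, headers, json_body) -> (http_status, response_text).
# In production this would wrap requests/urllib against the tenant address; here a fake stands in.
Transport = Callable[[str, str, Dict[str, str], str], Tuple[int, str]]

SEVERITIES = ["info", "low", "medium", "high", "critical"]  # Tenable severity ladder, lowest first
EXPORT_UUID = "11111111-2222-3333-4444-555555555555"        # constructed sample id used by the fake


def api_headers(access_key: str, secret_key: str) -> Dict[str, str]:
    """Tenable.io authenticates with the X-ApiKeys header built from the Access Key / Secret Key pair."""
    return {
        "X-ApiKeys": f"accessKey={access_key}; secretKey={secret_key}",
        "Content-Type": "application/json",
        "Accept": "application/json",
    }


def severity_filter(lowest: str) -> List[str]:
    """Turn the input's 'Lowest Severity Score' into the list of severities worth exporting."""
    if lowest not in SEVERITIES:
        raise ValueError(f"unknown severity {lowest!r}")
    return SEVERITIES[SEVERITIES.index(lowest):]


def _call(transport: Transport, method: str, path: str,
          headers: Dict[str, str], body: Optional[dict] = None):
    """One API round trip; anything but HTTP 200 is treated as a collection failure."""
    status, text = transport(method, path, headers, json.dumps(body) if body is not None else "")
    if status != 200:
        raise RuntimeError(f"{method} {path} returned HTTP {status}: {text[:200]}")
    return json.loads(text)


def export_vulns(transport: Transport, headers: Dict[str, str], lowest_severity: str = "medium",
                 since_epoch: Optional[int] = None, poll_seconds: float = 0.0,
                 max_polls: int = 60) -> List[dict]:
    """Request an export, poll its status, download every chunk once; returns the findings."""
    filters: Dict[str, object] = {"severity": severity_filter(lowest_severity)}
    if since_epoch is not None:
        filters["since"] = since_epoch  # the input's optional Start Time, as a Unix timestamp
    created = _call(transport, "POST", "/vulns/export", headers,
                    {"num_assets": 50, "filters": filters})
    uuid = created["export_uuid"]

    downloaded: set = set()
    findings: List[dict] = []
    for _ in range(max_polls):
        state = _call(transport, "GET", f"/vulns/{uuid}/status", headers)
        if state["status"] in ("ERROR", "CANCELLED"):
            raise RuntimeError(f"export {uuid} ended with status {state['status']}")
        # chunks can be listed before the export is FINISHED, so fetch each id exactly once
        for chunk_id in state.get("chunks_available", []):
            if chunk_id not in downloaded:
                findings.extend(_call(transport, "GET", f"/vulns/{uuid}/chunks/{chunk_id}", headers))
                downloaded.add(chunk_id)
        if state["status"] == "FINISHED":
            return findings
        time.sleep(poll_seconds)
    raise TimeoutError(f"export {uuid} not finished after {max_polls} polls")


class FakeTenableIO:
    """Constructed in-memory stand-in for Tenable.io: two polls, two chunks, one finding each."""

    def __init__(self) -> None:
        self.polls = 0
        self.requests: List[Tuple[str, str]] = []

    def __call__(self, method: str, path: str, headers: Dict[str, str], body: str) -> Tuple[int, str]:
        self.requests.append((method, path))
        if "X-ApiKeys" not in headers:
            return 401, '{"error": "missing X-ApiKeys header"}'
        if (method, path) == ("POST", "/vulns/export"):
            return 200, json.dumps({"export_uuid": EXPORT_UUID})
        if path == f"/vulns/{EXPORT_UUID}/status":
            self.polls += 1
            finished = self.polls >= 2
            return 200, json.dumps({"status": "FINISHED" if finished else "PROCESSING",
                                    "chunks_available": [1, 2] if finished else [1]})
        if path.startswith(f"/vulns/{EXPORT_UUID}/chunks/"):
            cid = int(path.rsplit("/", 1)[1])
            return 200, json.dumps([{"asset": {"ipv4": f"10.0.0.{cid}"},
                                     "plugin": {"id": 1000 + cid}, "severity": "high"}])
        return 404, '{"error": "no such endpoint"}'


def demo() -> Tuple[List[dict], FakeTenableIO]:
    """Run the whole flow against the fake with placeholder keys."""
    fake = FakeTenableIO()
    findings = export_vulns(fake, api_headers("ACCESS_KEY_PLACEHOLDER", "SECRET_KEY_PLACEHOLDER"),
                            lowest_severity="high")
    return findings, fake


if __name__ == "__main__":
    result, server = demo()
    print(f"{len(result)} findings collected in {len(server.requests)} API calls")
```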


Source and Source Types

The Tenable Add-on for Splunk will store data with the following sources and source types.

SecurityCenter

Source                          Sourcetype          Description
<username>|<address>            tenable:sc:vuln     This collects all vulnerability data.
<username>|<address>            tenable:sc:assets   This collects all asset data.
<username>|<address>            tenable:sc:plugin   This collects all plugin data.

Tenable.io

Source                          Sourcetype          Description
tenable_io://<data input name>  tenable:io:vuln     This collects all vulnerability data.


CIM Mapping

This chart displays how Tenable vulnerability findings are mapped to the Splunk CIM.

Field Name from Tenable.io API   Field Name from SecurityCenter API   CIM Field Name   CIM Data Model
asset.fqdn or asset.ipv4         dnsName or ip                        dest             Vulnerability
plugin.bid                       bid                                  bugtraq          Vulnerability
asset.ipv4                       ip                                   dest_ip          Vulnerability
asset.fqdn                       dnsName                              dest_name        Vulnerability
plugin.synopsis                  synopsis                             signature        Vulnerability
plugin.family                    family.name                          category         Vulnerability
Tenable.io                       Tenable SecurityCenter               vendor_product   Vulnerability
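The chart above is a normalization rule set; the Python below (an added example, not the add-on's own code) applies it to one finding from each API, including the "fqdn or ipv4" fallback for dest and the handling of empty SecurityCenter fields. The sample findings and their field values are constructed, and SecurityCenter returning empty strings for unset dnsName and bid fields is an assumption.

```python
from typing import Any, Dict, List, Optional, Tuple

# (CIM field, Tenable.io field path, SecurityCenter field path), transcribed from the chart above.
# Every row lands in the CIM Vulnerability data model; dest and vendor_product are handled below.
FIELD_MAP: List[Tuple[str, str, str]] = [
    ("bugtraq",   "plugin.bid",      "bid"),
    ("dest_ip",   "asset.ipv4",      "ip"),
    ("dest_name", "asset.fqdn",      "dnsName"),
    ("signature", "plugin.synopsis", "synopsis"),
    ("category",  "plugin.family",   "family.name"),
]

# sourcetype -> (which FIELD_MAP column to read, constant vendor_product value from the chart)
SOURCES = {
    "tenable:io:vuln": (1, "Tenable.io"),
    "tenable:sc:vuln": (2, "Tenable SecurityCenter"),
}


def lookup(record: Dict[str, Any], path: str) -> Optional[Any]:
    """Resolve a dotted path such as 'asset.fqdn' or 'family.name' in a nested record.

    Missing keys and empty values (assumed: SecurityCenter returns "" for an unset dnsName
    or bid) both come back as None so the caller can apply fallbacks.
    """
    current: Any = record
    for part in path.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return None if current in ("", [], None) else current


def to_cim(record: Dict[str, Any], sourcetype: str) -> Dict[str, Any]:
    """Map one raw finding to the CIM fields in the chart; raises if dest cannot be populated."""
    if sourcetype not in SOURCES:
        raise ValueError(f"unsupported sourcetype {sourcetype!r}")
    column, vendor_product = SOURCES[sourcetype]
    cim: Dict[str, Any] = {"vendor_product": vendor_product}
    for cim_field, io_path, sc_path in FIELD_MAP:
        value = lookup(record, io_path if column == 1 else sc_path)
        if value is not None:
            cim[cim_field] = value
    # dest is "asset.fqdn or asset.ipv4" / "dnsName or ip": prefer the name, fall back to the address
    dest = cim.get("dest_name") or cim.get("dest_ip")
    if dest is None:
        raise ValueError("finding carries neither a host name nor an IP address; dest is required")
    cim["dest"] = dest
    return cim


# Constructed sample findings shaped like the two APIs' responses (not captured from a real tenant).
IO_FINDING = {
    "asset": {"fqdn": "web01.corp.example", "ipv4": "10.0.0.5"},
    "plugin": {"bid": ["12345"], "synopsis": "The remote web server is affected by an XSS flaw.",
               "family": "CGI abuses"},
}
SC_FINDING = {
    "ip": "10.0.0.7", "dnsName": "", "bid": "",
    "synopsis": "It is possible to enumerate remote network shares.",
    "family": {"id": "30", "name": "Windows"},
}


def demo() -> Dict[str, Dict[str, Any]]:
    """Normalize one finding from each source."""
    return {"io": to_cim(IO_FINDING, "tenable:io:vuln"), "sc": to_cim(SC_FINDING, "tenable:sc:vuln")}


if __name__ == "__main__":
    for name, fields in demo().items():
        print(name, fields)
```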


Tenable App for Splunk

The Tenable App for Splunk provides a single dashboard showing all of your Tenable data.

Displayed Components

- Total Vulnerabilities Today
- Active Vulnerabilities Today
- Fixed Vulnerabilities Today
- Total Vulnerabilities
- Active Vulnerabilities
- Fixed Vulnerabilities
- Top 10 Vulnerabilities
- Most Vulnerable Hosts
- Vulnerabilities by Severity
- New Vulnerabilities


Installation Workflow

Follow the steps below to complete the installation and configuration of the Tenable applications for Splunk.

Install and Configure

1. Install the Tenable application.

2. Configure the desired Tenable application for Splunk.

3. Create an input for the configured Tenable application for Splunk.

4. Configure adaptive response actions.


Splunk Environments

The installation process for the Tenable App for Splunk and Tenable Add-On for Splunk varies based on your Splunk environment.

Deployment Types

Single server, distributed deployment, and cloud instance options are available.

Single Server Deployment

In a single server deployment, a single instance of Splunk Enterprise works as a data collection node, indexer, and search head. In this instance, install the Tenable Add-On and Tenable App on this node. Complete the setup for the Tenable Add-On to start data collection.

Distributed Deployment

In a distributed deployment, install Splunk on at least two instances. One node works as a search head while the other node works as an indexer for data collection.

The following table displays how the Tenable Add-On and Tenable App are installed in the distributed environment.

Component                                 Forwarder                                        Indexer   Search Head
Tenable Add-on for Splunk (TA-Tenable)    Yes (configure accounts, configure data input)   No        Yes (configure accounts)
Tenable-SC App for Splunk (Tenable App)   No                                               No        Yes

Cloud Instance

In Splunk Cloud, the data indexing takes place in a cloud instance.

Note: The data collection can take place in an on-premises Splunk instance that works as a heavy forwarder.

The application can be installed via a command line or from the Splunk UI.


Installation

Pre-requisites

You must have sufficient permissions to integrate with Tenable.io or Tenable SecurityCenter.

- The Security Manager role is required for SecurityCenter. (See the SecurityCenter user guide for information about user role configuration.)

- The Admin role is required for Tenable.io. (See the Tenable.io user guide for information about user role configuration.)

Note: See the Splunk Environments section for additional information about the different types of Splunk deployments and their requirements.

Install via the Splunk UI

1. Log in to Splunk.

2. Go to Apps at the top of the screen. Click Manage App.

3. Click Install app from file.


4. Next, choose the SPL file to install.

5. Click upload.

Note: You must restart Splunk after installing the Tenable App or Tenable Add-On.

Note: Next, configure the Tenable application.


Configuration

Tenable provides three application configuration options for the Tenable Add-On for Splunk.

- Tenable SecurityCenter Credentials
- Tenable SecurityCenter Certificates
- Tenable.io


Tenable SecurityCenter Credentials

To complete the installation process, you must complete the setup for the Tenable Add-on for Splunk.

1. Log in to your data collection node.

2. In the left navigation bar, click the Tenable Add-on for Splunk.

3. Click the Configuration tab.


4. Click the Add button.

A new window displays.


5. In the Tenable Access Type field, select Tenable SecurityCenter Credentials.

6. Enter the necessary information for each field. The field options are described in the chart below.

Input Parameters                  Description
Account Name (Required)           The unique name for each Tenable SecurityCenter data input.
Tenable Account Type (Required)   Tenable SecurityCenter Credentials.
Address (Required)                The host name or IP address for SecurityCenter.
Verify SSL Certificate            If enabled, Splunk verifies the certificate presented by SecurityCenter.
Username                          The username in SecurityCenter.
Password                          The password in SecurityCenter.

7. Click Add to complete the configuration.

Note: Next, you must create an input for the Tenable Add-On for Splunk.


Tenable SecurityCenter Certificates

To complete the installation process, you must complete the setup for the Tenable Add-on for Splunk.

1. Log in to your data collection node.

2. In the left navigation bar, click the Tenable Add-on for Splunk.

3. Click the Configuration tab.


4. Click the Add button.

The Add Account window displays.


5. In the Tenable Account Type field, select Tenable SecurityCenter Certificates.

6. Enter the necessary information for each field. The field descriptions are in the chart below.

Input Parameters                  Description
Account Name (Required)           The unique name for each Tenable SecurityCenter data input.
Tenable Account Type (Required)   The Tenable application - Tenable SecurityCenter Certificate.
Address (Required)                The host name or IP address for SecurityCenter.
Verify SSL Certificate            If enabled, Splunk verifies the SSL certificate presented by SecurityCenter.
Certificate Filename              The name of the certificate that you uploaded to $SPLUNK_HOME/etc/apps/TA-tenable/certs/.
Key Filename                      The name of the key that you uploaded to $SPLUNK_HOME/etc/apps/TA-tenable/certs/.
Key Password                      The password for the key file you uploaded.

7. Click Add to complete the configuration.

Note: Next, you must create an input for the Tenable Add-On for Splunk.


Tenable.io

To complete the installation process, you must complete the setup for the Tenable Add-on for Splunk.

1. Log in to your data collection node.

2. In the left navigation bar, click the Tenable Add-on for Splunk.

3. Click the Configuration tab.


4. Click the Add button.

A new window displays.


5. Enter the necessary information for each field. The field options are described in the chart below.

Note: You must generate an API key in Tenable.io to complete the configuration. See the Tenable.io user guide for instructions on how to generate an API key.

Input Parameters                  Description
Account Name (Required)           The unique name for each Tenable.io data input.
Tenable Account Type (Required)   The Tenable application - Tenable.io.
Address (Required)                The host name or IP address for Tenable.io.
Verify SSL Certificate            If enabled, Splunk verifies the SSL certificate presented by Tenable.io.
Access Key                        Your Tenable.io API Access Key.
Secret Key                        Your Tenable.io API Secret Key.

6. Click Add to complete the configuration.

Note: Next, you must create an input for the Tenable Add-On for Splunk.


Create Input

After you have completed configuring your Tenable Add-On for Splunk, you must create the input.

Steps

1. In the Splunk interface, click the Inputs tab.

2. Click the Create New Input button.

A drop down appears.

3. Select the appropriate Tenable application.

The selected Tenable application input options open in a new window.


- Tenable.io
- Tenable SecurityCenter


4. Enter the necessary information for each field. The field descriptions are in the chart below.

Note: If you don't use the default index, you have to update the Tenable macro.

Tenable.io

Input Parameters                   Description
Name (Required)                    The unique name for each Tenable SecurityCenter data input.
Interval (Required)                The interval parameter specifies when the input restarts to perform the task again (in seconds).
Index (Required)                   Select the index to store Tenable.io data in.
Global Account (Required)          The Tenable account from which data is acquired.
Start Time                         The date and time to start collecting data from. If you leave this field blank, all historical data will be collected. (Enter in this format: YYYY-MM-DD hh:mm:ss.)
Lowest Severity Score (Required)   The lowest level of severity that will be stored.

Tenable SecurityCenter

Input Parameters                   Description
Name (Required)                    The unique name for each Tenable SecurityCenter data input.
Interval (Required)                The interval parameter specifies when the input restarts to perform the task again (in seconds).
Index (Required)                   Select the index to store SecurityCenter data in.
Global Account (Required)          The Tenable account from which data is acquired.
Lowest Severity Score (Required)   The lowest level of severity that will be stored.
Sync Plugin Details                If selected, plugin details are included.
Include Accepted Risks             If selected, data with accepted risks set to true is included.
Repositories                       List of repository IDs to collect data from.

5. Click Add to create the input.


Adaptive Response

To configure an adaptive response:

Select an Index

Before configuring the adaptive response, you have to configure the index that stores the adaptive response actions.

Note: If you do not select an index, the responses will be stored in the default "main" index.

1. On the configuration page, click the Alert Actions Configuration tab.

2. Click the Alert Actions Index drop down to display the index list.

Select an index.

3. Click Save.

Configure Saved Actions

Configure adaptive response actions when you create a correlation search.

Note: The actions are retrieved automatically when you run the search.


1. In the top navigation panel, click Configure.

Select Content Management from the drop down menu.

2. In the top right corner, click the Create New Content button. Select Correlation Search from the drop down menu.

Note: You can bind adaptive response actions while creating the correlation search.

3. Click Add New Response Action.

Select the appropriate action for your search.


4. Run a search.

The saved events are retrieved and displayed in the Adaptive Responses panel.


Additional Information

See the following pages for additional information.

- Update Macro Definition
- Troubleshooting


Tenable Macros

To modify the macro definition:

Tenable Index Macro

1. Go to Settings > Advanced search > Search Macros.

2. Click get_tenable_index.

Note: The get_tenable_index macro tells the system how to find the index in which the Tenable data is being stored.

3. If index=default is selected in the modular input, there is no need to update the macro.

Note: The default macro definition is index=main. Update the macro with the same index selected in the respective modular input.

Tenable Source Types

1. Go to Settings > Advanced search > Search Macros.

2. Click get_tenable_sourcetype.

Note: The default macro definition is sourcetype=(tenable:sc:vuln OR tenable:io:vuln).


Troubleshooting

1. I don’t see data after setting up mod input.

- Verify that you have checked the Enable Data Collection? field in the modular input.

- Check the Splunk log file (<SPLUNK_HOME>/var/log/splunk/ta_tenable_tenable_securitycenter.log) for any TA-Tenable specific errors.

2. Data is not populating in the Tenable App dashboards.

- Try expanding the time range beyond the last 24 hours.

- Check the Tenable macro (get_tenable_index) and ensure the Tenable index is set correctly.
