Configure Tenable Plugin for Mission Control

Before You Begin

• Install and configure the following on Splunk Enterprise (version 8 or higher)

  • Tenable Add-On for Splunk (TA-tenable)provides all data collection and normalization functionality.

  • Tenable App for Splunk (TenableAppforSplunk) provides a dashboard to view the Tenable data in Splunk.

  • Splunk Enterprise Security 6.2.0

  • Splunk Connect for Mission Control 1.6.1

• Access Splunk Mission Control:

  • Ensure you have access to a Splunk Mission Control tenant. If you do not have a tenant set up, contact your Splunk representative.

 

Configuration

To configure Tenable Plugin for Mission Control:

1. Confirm that you have an active connection in Splunk Connect for Mission Control.

   1. In Mission Control, click on the ellipsis icon on the top right corner.

   2. From the drop-down menu, navigate to Admin Settings > Product Settings > Splunk Connect for Mission Control.

   3. Confirm that the connection status shows Active.Log in and navigate to the Mission Control Home page.

2. In the upper-right corner, click the ellipses icon on the top right corner. A drop-down menu appears.

3. From the drop-down menu, navigate to Product Settings > Splunk Connect for Mission Control. Select the instance configured with Mission Control. Save the deployment ID for future use. This deployment ID is used as a default instance while populating the Tenable Vulnerability Center dashboard.

4. Navigate to Product Settings > Plugin. If you do not see the Plugin page, contact your Splunk representative.

5. Select Tenable Plugin for Mission Control. The setup page appears.

6. Enable the Tenable Plugin for Mission Control by clicking the toggle.

7. In the Default Connection ID box, enter the deployment ID that you previously took note of.

8. If you see, the message Subscription Successful - you have enabled the plugin. You will be able to see Tenable Vulnerability Center Dashboard under Managed Dashboards sections in Dashboards drop-down.

9. Configure your notable events label to enable integration between the Tenable Plugin and Mission Control. The notable events label mcef_tenable_plugin_for_mission_control must be applied for the integration to work.

   1. In the Splunk Connect for Mission Control application, navigate to Settings > Searches, reports, and alerts on Cloud/on-premise instance.

   2. To filter the list, in the Owner drop-down box, select All.

   3. To configure the saved searches to forward notables with specific label values of plugin Id, in the Mission Control - Forward Notable Events box enter the label mcef_tenable_plugin_for_mission_control.

   4. Click Save. Splunk Mission Control is configured to forward notable events with this label to the Tenable Plugin for Mission Control dashboard.

 

Troubleshooting

If you are experiencing problems with setup or data retrieval with Tenable Plugin for Mission Control, refer to Troubleshooting.