For Tenable Vulnerability Management:

Minimum Required User Role: Basic User

Note: The Tenable integration with Splunk works with a Basic User if that user is assigned Can View permissions on the assets they are to export, along with Can Use permissions on tags the assets are assigned. Without the Can Use tag permissions, the assets return undefined or the integration fails to export vulnerabilities if a tag filter is used. For more information on Tenable Vulnerability Management permissions and user roles, refer to Permissions in the Tenable Developer Portal.

For Tenable Security Center:

Minimum Required User Role: Vulnerability Analyst

Before you begin:

  • You must have Splunk downloaded on your system with a Splunk basic login.

Note: See the Splunk Environments section for additional information about the different types of Splunk deployments and their requirements.

Note: If you install the Tenable App for Splunk on the search head, you must also install the Tenable Add-on.

To install Tenable Add-on for Splunk and Tenable App for Splunk for the first time:

  1. Log in to Splunk.
  2. Go to Apps at the top of the screen.

    A drop-down menu appears.

  3. Click Find More Apps.

  4. On the Browse More Apps page, type Tenable in the search bar.

    Tenable-related options appear.

  5. Click the Install button next to Tenable Add-on for Splunk.

  6. Restart Splunk if a Restart Required prompt displays.

To upgrade Tenable Add-on for Splunk and Tenable App for Splunk:

  1. Log in to Splunk.
  2. Go to Apps at the top of the screen.

    A drop-down menu appears.

  3. Click Manage Apps.

  4. In the search bar, type Tenable.

    Tenable-related options appear.

  5. In the Version column, click the Update to x.y.z link for Tenable Add-on for Splunk.

  6. Restart Splunk if a Restart Required prompt appears.

Note: You can set use_milliseconds_for_sc_vulns = True in TA-Tenable/default/ta_tenable_settings.conf to enable millisecond-based time fields in Tenable Security Center vulnerability data. To keep the change from being reset after a plugin update, add the following lines to local/ta_tenable_settings.conf:

    [sc_configuration]
    use_milliseconds_for_sc_vulns = True

Note: You can optionally update the default chunk size for the Tenable Vulnerability Management export host vulnerabilities and export host assets sync calls. To update the default setting, open the $SPLUNK_HOME/etc/apps/TA-tenable/default/inputs.conf file and, in the tenable_io stanza, update the values of vuln_num_assets (number of assets used to chunk the vulnerabilities) and assets_chunk_size (number of assets per exported chunk) as required. Save the file and restart Splunk.

Note: You may need to update the Tenable Macro, get_tenable_index, for data to begin populating the application dashboards.

Note: (For Tenable OT Security or Tenable Security Center) If SSL verification is not needed for a particular product, you can set it to ‘False’ by navigating to $SPLUNK_HOME/etc/apps/TA-tenable/bin/ and disabling it for that product. The product flags are:
  • verify_ssl_for_ot = True

  • verify_ssl_for_sc_cert = True

  • verify_ssl_for_sc_api_key = True

  • verify_ssl_for_sc_creds = True
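
To confirm which of these flags are currently switched off on a given host, a small audit script can scan the add-on's bin directory. This is an added example, not code from Tenable or the add-on; it assumes the flags are plain `name = value` assignments in files directly under that directory, and the sample text is constructed.

```python
import re
import sys
from pathlib import Path

# The four product flags named in the note above.
FLAGS = {"verify_ssl_for_ot", "verify_ssl_for_sc_cert",
         "verify_ssl_for_sc_api_key", "verify_ssl_for_sc_creds"}
# `flag = value`, optional quotes, optional trailing comment; commented-out lines do not match.
ASSIGN = re.compile(r"^\s*(verify_ssl_for_\w+)\s*=\s*['\"]?(\w+)['\"]?\s*(?:#.*)?$")
STATES = {"true": "enabled", "1": "enabled", "false": "disabled", "0": "disabled"}

def scan_text(text, source="<text>"):
    """Return (source, line_no, flag, state) for each known flag assigned in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        match = ASSIGN.match(line)
        if match and match.group(1) in FLAGS:
            state = STATES.get(match.group(2).lower(), "unknown")
            findings.append((source, line_no, match.group(1), state))
    return findings

def audit(bin_dir):
    """Scan each regular file directly under bin_dir and return all findings."""
    findings = []
    for path in sorted(Path(bin_dir).iterdir()):
        if path.is_file():
            text = path.read_text(encoding="utf-8", errors="replace")
            findings.extend(scan_text(text, str(path)))
    return findings

def disabled_flags(findings):
    """Flags with at least one assignment that turns certificate verification off."""
    return sorted({flag for _, _, flag, state in findings if state == "disabled"})

# Constructed sample, not the add-on's real file contents.
SAMPLE = """\
verify_ssl_for_ot = True
# verify_ssl_for_sc_cert = False
verify_ssl_for_sc_cert = True
verify_ssl_for_sc_api_key = 'False'
verify_ssl_for_sc_creds = False  # lab only
"""

if __name__ == "__main__":
    results = audit(sys.argv[1]) if len(sys.argv) > 1 else scan_text(SAMPLE, "SAMPLE")
    for src, line_no, flag, state in results:
        print(f"{src}:{line_no}: {flag} is {state}")
    sys.exit(1 if disabled_flags(results) else 0)
```

Pass the add-on's bin directory as the first argument; the exit status is 1 when any flag is disabled, so the script can gate a configuration check.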

Next, create an input.