Tenable Add-On for Splunk Installation

For Tenable Vulnerability Management:

Minimum Required User Role: Basic User

Note: The Tenable integration with Splunk works with a Basic User if that user is assigned Can View permissions on the assets they are to export, along with Can Use permissions on tags the assets are assigned. Without the Can Use tag permissions, the assets return undefined or the integration fails to export vulnerabilities if a tag filter is used. For more information on Tenable Vulnerability Management permissions and user roles, refer to Permissions in the Tenable Developer Portal.

For Tenable Security Center:

Minumum Required User Role: Vulnerability Analyst

Complete the installation and configuration of the Tenable applications for Splunk according to the following workflow.

Before you begin:

  • You must have Splunk downloaded on your system with a Splunk basic login.

Note: See the Splunk Environments section for additional information about the different types of Splunk deployments and their requirements.

Note: If you install the Tenable App for Splunk on the search head, you must also install the Tenable Add-on.

  1. Log in to Splunk.

  2. Go to Apps > Manage Apps > Browse more apps at the top of the screen.

  3. Search for “Tenable” and from the list select “Tenable Add-on for Splunk."

  4. Download the Add-on from Splunkbase.

  5. Go to Apps > Manage Apps > Install app from file.

  6. Upload the Tenable Add-on for Splunk v8.0.0 file by extracting the compressed file (.tar.gz) into the $SPLUNK_HOME$/etc/apps folder.

  1. Log in to Splunk.

  2. Disable the existing inputs of Tenable Add-on for Splunk by navigating to Tenable Add-On for Splunk > Inputs.

  3. Click the toggle button under Status column.

  4. Navigate to Apps > Manage Apps.

  5. Click Install app from file.

  6. Click Choose file.

  7. Select the Tenable Add-on for Splunk v8.0.0 installation file.

  8. Check the Upgrade checkbox.

  9. Click Upload.

  10. Restart Splunk if prompted.

Note: You can set use_milliseconds_for_sc_vulns = True in the configuration under TA-Tenable/default/ta_tenable_settings.conf to enable millisecond based time fields in Tenable Security Center vulnerability data. Add the following lines under local/ta_tenable_settings.conf if you do not want the change to be reset after a plugin update: [sc_configuration] and use_milliseconds_for_sc_vulns = True

Note: You can optionally update the default chunk size for Tenable Vulnerability Management export host vulnerabilities and export host assets sync calls. To update the default setting, open the $SPLUNK_HOME/etc/apps/TA-tenable/default/inputs.conf file, and update the value of vuln_num_assets (number of assets used to chunk the vulnerabilities) and assets_chunk_size (number of assets per exported chunk) in tenable_io stanza as per requirement. Save the file changes and restart Splunk.

Note: You may need to update the Tenable Macro, get_tenable_index, for data to begin populating the application dashboards.

Note: (For Tenable OT Security or Tenable Security Center) If SSL Verification is not needed for a particular product, you can set it to ‘False’ by navigating to $SPLUNK_HOME/etc/apps/TA-tenable/bin/tenable_consts.py and disable it for that particular product. The list of product flags:

  • verify_ssl_for_ot = True

  • verify_ssl_for_sc_cert = True

  • verify_ssl_for_sc_api_key = True

  • verify_ssl_for_sc_creds = True

Next, create an input.