Tenable Data in Splunk Dashboard

1. In Splunk, go to Settings > Advance search > Search Macros.

2. In the App section, select Tenable App for Splunk.

3. Click the search icon.

   Results appear.

4. Click get_tenable_index.

   The get_tenable_index macro page appears.

5. In the Definition field, update the definition to index=INDEX_NAME.

   The INDEX_NAME should be the same name entered when you created the data input.

6. Click Save.

After installation, you must run the All Time saved search specific to your Tenable platform. This is a one-time operation to populate indices that the Tenable App for Splunk depends on.

1. Navigate to the Tenable App for Splunk.
2. Click Saved Searches.
3. Select Tenable IO Plugin Data - All Time.
   Splunk completes the query.

4. Repeat steps 2 and 3 for other All Time saved searches:

   1. Tenable IO Vuln Data - All Time
   2. Tenable SC Vuln Data - All Time

• Total Vulnerabilities Found Today
• Active Vulnerabilities Found Today
• Fixed Vulnerabilities Found Today
• Total Vulnerabilities
• Active Vulnerabilities
• Fixed Vulnerabilities
• Top 10 Vulnerabilities
• Top 10 Vulnerable Assets
• Vulnerabilities by Severity
• Top 10 Latest Plugins

Dashboard

• Total Real-time events
• Unique Real-time events
• Top 10 Events
• Top Event Trends
• Top Source IP
• Top Event Name

Traffic Overview

• Top Destination Port
• Top Source Port
• Top Destination IP
• Top Source IP

Traffic Map

• Source IP Map
• Destination IP Map

Events

• Top Events
• Events