Tenable Plugin for Splunk Mission Control

Tenable Plugin for Splunk Mission Control provides vulnerability data and insights to the Splunk Mission Control application.

Splunk Mission Control is a unified cloud-based security operations platform that provides security incident triage, investigation, collaboration, and response functionality as a Software-as-a-Service (SaaS) solution.

  • Tenable Add-on for Splunk collects Tenable data on your Splunk Enterprise/Enterprise Cloud deployment.

  • Splunk Enterprise Security generates notable events via correlation searches.

  • Splunk Connect for Mission Control establishes the connection between your on-prem/cloud Splunk deployment and Mission Control.

  • Notables are forwarded to Mission Control using the Splunk Connect for Mission Control app.

  • Tenable Plugin for Splunk Mission Control fetches data from the Splunk indexes of your connected on-prem/cloud deployment.

Tenable Plugin Topology

Prerequisites

Install and configure the following on Splunk Enterprise (version 8 or higher):

Access Splunk Mission Control:

Tenable Plugin for Mission Control is available in the Mission Control app on Splunk Cloud Platform (SCP), which you access through an SCP tenant. Reach out to your Splunk representative to get your tenant.

Configuration

Splunk Connect:

  1. Establish a connection between your Splunk deployment and Mission Control by following the steps in the Splunk documentation.

  2. Before moving forward, make sure the connection status is active in Splunk Connect for Mission Control.

  3. Also confirm that the connection shows as active in Mission Control. In Mission Control, click the ellipsis icon in the top right corner, then go to Admin settings > Product Settings > Splunk Connect for Mission Control. Check the connection status against the configured instance.

Tenable Plugin for Mission Control:

  1. Log in and navigate to the Mission Control Home page.

  2. Navigate to Admin Settings by clicking the ellipsis icon in the top right corner. Go to Product Settings > Splunk Connect for Mission Control and select the instance configured with Mission Control. Save the deployment ID for future use. This deployment ID is used as the default instance when populating the Tenable Vulnerability Center dashboard.

  3. Navigate back to Admin Settings. Head over to Product Settings > Plugin. If you do not see the Plugin page, contact your Splunk representative.

  4. Select Tenable Plugin for Mission Control and head over to its setup page.

  5. Enable it and add the default connection ID that you saved earlier.

  6. If you see the message Subscription Successful, you have enabled the plugin. The Tenable Vulnerability Center dashboard then appears under the Managed Dashboards section of the Dashboards drop-down.

Notable Events Label:

The notable events label mcef_tenable_plugin_for_mission_control must be applied for the integration to work.

  1. Open the Splunk Connect for Mission Control application.

  2. Navigate to Settings → Searches, reports, and alerts on your cloud or on-premises instance.

  3. Filter the list by selecting All in the Owner dropdown list.

  4. Configure the saved searches to forward notables with the label value of the plugin ID. Edit the Mission Control - Forward Notable Events saved search and update its trigger with the label mcef_tenable_plugin_for_mission_control.

Troubleshooting

If you are experiencing problems with setup or data retrieval with Tenable Plugin for Mission Control, refer to Troubleshooting.