Introduction to Splunk
Splunk is a Security Information and Event Management (SIEM) application used by Tenable customers to collect and store events from assets within the organization. NNM provides the SIEM Pull Service to enhance the vulnerability management process through event collection and analysis. The SIEM Pull Service looks for risk-altering events in the collected data and sends them to Tenable.io or Tenable.sc for use in the Risk Based Vulnerability Management (RBVM) program. A risk-altering event is an event that changes an asset's risk posture (for example, starting or stopping a service). When such an event occurs and matches the core query provided with the plugins, the SIEM Pull Service sends the data to NNM, and NNM forwards it to Tenable.io or Tenable.sc.
The SIEM Pull Service monitors for the following four risk-altering event types:
| Assets Discovery | Instances where assets are discovered using DHCP events. |
| User Account Activity | Instances where a user account on an asset is modified in one of the following ways: |
| | Instances where software is added or removed by a user or the software management system. For example: |
| | Note: This type does not include instances where binaries are copied to the system and run without execution. |
| | Instances where a software service is modified in one of the following ways: |
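The filtering step described above (match collected events against a per-type core query, keep only the risk-altering ones, hand them on for RBVM) can be modelled as follows. This is an added illustration, not Tenable's or NNM's code: the event dictionaries, the Windows event-ID to event-type mapping and the `RiskEvent` record are assumptions made for the example, and the "process created" line shows an event that the Note above says is not treated as a software change.

```python
"""Toy model of the SIEM pull filter: keep only risk-altering events.

Constructed example, not Tenable/NNM code. The event shape and the
event-ID to event-type mapping are assumptions for illustration.
"""
from dataclasses import dataclass

# One "core query" per risk-altering event type (assumed mapping):
# each is a predicate over a raw SIEM event.
CORE_QUERIES = {
    "asset_discovery": lambda e: e["source"] == "dhcp" and e["event_id"] in {10, 11},
    "user_account_activity": lambda e: e["source"] == "security"
        and e["event_id"] in {4720, 4722, 4725, 4726, 4738},
    "software_change": lambda e: e["source"] == "msiinstaller"
        and e["event_id"] in {11707, 11724},
    "service_change": lambda e: e["source"] == "system"
        and e["event_id"] in {7036, 7045},
}

@dataclass(frozen=True)
class RiskEvent:
    """What would be forwarded to NNM for the RBVM program (assumed shape)."""
    asset: str
    category: str
    detail: str

def classify(event):
    """Return the risk-altering event type for an event, or None if it is ignored."""
    for category, query in CORE_QUERIES.items():
        if query(event):
            return category
    return None

def extract_risk_events(events):
    """Filter raw SIEM events down to those that change an asset's risk posture."""
    kept = []
    for e in events:
        category = classify(e)
        if category is not None:
            kept.append(RiskEvent(e["host"], category, e["message"]))
    return kept

# Constructed sample events, as a Splunk search might return them.
SAMPLE_EVENTS = [
    {"host": "10.0.0.42", "source": "dhcp", "event_id": 10, "message": "new lease 10.0.0.42"},
    {"host": "ws01", "source": "security", "event_id": 4720, "message": "user account created: svc_backup"},
    # A copied binary being run is not a software install (see the Note above); not forwarded.
    {"host": "ws01", "source": "security", "event_id": 4688, "message": "process created: C:\\tmp\\tool.exe"},
    {"host": "srv02", "source": "msiinstaller", "event_id": 11707, "message": "installed: 7-Zip"},
    {"host": "srv02", "source": "system", "event_id": 7036, "message": "service entered stopped state: Spooler"},
]

if __name__ == "__main__":
    for record in extract_risk_events(SAMPLE_EVENTS):
        print(record)
```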
For more information, see the following topics: