Introduction to Splunk

Splunk is a Security Information and Event Management (SIEM) application used by Tenable customers to collect and store events from assets within the organization. NNM provides the SIEM Pull Service to enhance the vulnerability management process through event collection and analysis. The SIEM Pull Service looks for risk-altering events in the collected data and sends them to Tenable.io or Tenable.sc for use in the Risk Based Vulnerability Management (RBVM) program. A risk-altering event is an event that changes an asset's risk posture (for example, starting or stopping a service). When such an event occurs and matches the core query provided with the plugins, the SIEM Pull Service sends the data to NNM, which forwards it to Tenable.io or Tenable.sc.

The SIEM Pull Service monitors for the following four risk-altering event types:

Event Type: Asset Discovery
Description: Instances where assets are discovered using DHCP events.

Event Type: User Account Activity
Description: Instances where a user account on an asset is modified in one of the following ways:

  • Account is created or deleted

  • Account is added to or removed from a group

  • Account password is modified

  • A policy that affects user accounts is modified (for example, the password policy or the lockout policy)

Event Type: Software Detection
Description: Instances where software is added or removed by a user or by the software management system. For example:

  • RPM installations

  • Software added via YUM

  • Installations on Windows using standard install tools

Note: This type does not include instances where binaries are copied onto the system and run without being installed.

Event Type: Service Modification
Description: Instances where a software service is modified in one of the following ways:

  • Service starts or stops

  • Service fails to start

  • Service reboots

  • Service is installed or uninstalled
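As an added illustration (not Tenable's code and not the core queries shipped with the plugins), the following Python filter applies the four event types above to a handful of constructed Splunk-style events and keeps only the risk-altering ones in the shape a pull service would forward. The sample events and the grouping of Windows event IDs under each type are this example's assumptions.

```python
import re

# Constructed sample events (not from the page): Windows Security/System/Application
# log lines and one Linux dhcpd line, in Splunk-style key=value form.
SAMPLE_EVENTS = [
    'sourcetype=WinEventLog:Security EventCode=4720 host=ws01 TargetUserName=svc_backup',
    'sourcetype=WinEventLog:Security EventCode=4728 host=ws01 TargetUserName=Administrators',
    'sourcetype=WinEventLog:Security EventCode=4724 host=ws01 TargetUserName=jdoe',
    'sourcetype=WinEventLog:Security EventCode=4739 host=dc01 SubjectUserName=admin',
    'sourcetype=WinEventLog:System EventCode=7036 host=ws01 ServiceName=Spooler State=stopped',
    'sourcetype=WinEventLog:System EventCode=7000 host=ws01 ServiceName=Spooler',
    'sourcetype=WinEventLog:Application EventCode=11707 host=ws01 Product=7-Zip',
    'sourcetype=linux_secure host=dhcp01 msg="DHCPACK on 10.0.0.5 to 00:11:22:33:44:55"',
    'sourcetype=WinEventLog:Security EventCode=4624 host=ws01 TargetUserName=jdoe',  # logon only
]

# Standard Windows event IDs grouped under three of the four event types in the
# table above. The grouping is this example's assumption, not Tenable's core query.
RISK_ALTERING = {
    "User Account Activity": {"4720", "4726", "4728", "4729", "4724", "4739"},
    "Software Detection": {"11707", "11724"},          # MsiInstaller install / removal
    "Service Modification": {"7036", "7000", "7045"},  # state change, start failure, install
}
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
DHCP_RE = re.compile(r"DHCPACK on (\d+\.\d+\.\d+\.\d+)")  # Asset Discovery: a lease was granted

def parse_kv(event):
    """Parse a Splunk-style key=value line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(event)}

def classify(fields):
    """Return the risk-altering event type, or None for events that leave the risk posture unchanged."""
    if DHCP_RE.search(fields.get("msg", "")):
        return "Asset Discovery"
    code = fields.get("EventCode")
    return next((t for t, codes in RISK_ALTERING.items() if code in codes), None)

def build_pull_batch(events):
    """Keep only risk-altering events, shaped for forwarding to NNM and on to Tenable.io/Tenable.sc."""
    batch = []
    for event in events:
        fields = parse_kv(event)
        event_type = classify(fields)
        if event_type is None:
            continue  # not risk-altering: stays in Splunk, is not forwarded
        lease = DHCP_RE.search(fields.get("msg", ""))
        asset = lease.group(1) if lease else fields.get("host")  # discovered IP, else the reporting host
        batch.append({"asset": asset, "event_type": event_type, "raw": event})
    return batch
```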

For more information, see the following topics: