How-to Guide: Tenable Applications for Splunk. Last Revised: August 21, 2018

Similar documents
How-to Guide: JIRA Plug-in for Tenable.io. Last Revised: January 29, 2019

How-to Guide: Tenable.io Plugin for JIRA. Last Revised: November 21, 2018

ForeScout Extended Module for Tenable Vulnerability Management

How-to Guide: Tenable for McAfee epolicy Orchestrator. Last Updated: April 03, 2018

Tenable.io for Thycotic

Tenable.io User Guide. Last Revised: November 03, 2017

Tenable.io Evaluation Workflow. Last Revised: August 22, 2018

Tenable.sc-Tenable.io Upgrade Assistant Guide, Version 2.0. Last Revised: January 16, 2019

<Partner Name> <Partner Product> RSA ARCHER GRC Platform Implementation Guide. Swimlane 2.x

Tenable for Palo Alto Networks

USER MANUAL. SalesPort Salesforce Customer Portal for WordPress (Lightning Mode) TABLE OF CONTENTS. Version: 3.1.0

Tenable for McAfee epolicy Orchestrator

Tenable for ServiceNow. Last Updated: March 19, 2018

Tenable for McAfee epolicy Orchestrator

How-to Guide: Tenable Nessus for Microsoft Azure. Last Updated: April 03, 2018

How-to Guide: Tenable.io for Lieberman. Last Revised: August 14, 2018

Tenable SecurityCenter Data Feeds for RSA Archer IT Security Vulnerability Program

How-to Guide: Tenable.io for Microsoft Azure. Last Updated: November 16, 2018

Documentation. IBM Workload Scheduler integration with Splunk. Written by : Miguel Sanders Uniforce

DYNAMICS 365 BUSINESS PROCESS VISUALIZATION USING VISIO

Tripwire App for QRadar Documentation

Tenable for Google Cloud Platform

Nessus Network Monitor 5.4 User Guide. Last Updated: February 20, 2018

DomainTools for Splunk

Configuration Guide. Requires Vorex version 3.9 or later and VSA version or later. English

USM Anywhere AlienApps Guide

ForeScout App for Splunk

Symantec Advanced Threat Protection App for Splunk

Read the following information carefully, before you begin an upgrade.

Troubleshooting AWS App

Okta Identity Cloud Addon for Splunk

PVS 5.1 User Guide. Last Updated: October 10, 2016

F5 Analytics and Visibility Solutions

The Vectra App for Splunk. Table of Contents. Overview... 2 Getting started Setup... 4 Using the Vectra App for Splunk... 4

Integration Guide. LoginTC

VMware AirWatch Integration with RSA PKI Guide

ForeScout Extended Module for ServiceNow

Integration with Tenable Security Center

McAfee Security Connected Integrating epo and MFECC

Vulnerability Management

ATTACHMENT MANAGEMENT USING AZURE BLOB STORAGE

Magento 2 User Guide March 11, 2018

Enable SSH Access on the Tenable Virtual Appliance (4.4.x-4.7.x) Last Revised: February 27, 2018

ATTACHMENT MANAGEMENT USING AZURE BLOB STORAGE

ForeScout Extended Module for Splunk

VMware AirWatch Integration with Palo Alto Networks WildFire Integrate your application reputation service with AirWatch

Workspace ONE UEM Integration with RSA PKI. VMware Workspace ONE UEM 1810

Qualys Cloud Suite 2.x

RSA NetWitness Platform

ForeScout Extended Module for Splunk

Deliver and manage customer VIP POCs. The lab will be directed and provide you with step-by-step walkthroughs of key features.

Installation Components for Scan to Worldox Canon MFP Application

ForeScout CounterACT. Configuration Guide. Version 1.1

Table of Contents. Configure and Manage Logging in to the Management Portal Verify and Trust Certificates

2. PRTG LabTech Plugin Configuration and Usage

Edge Device Manager Quick Start Guide. Version R15

VMware AirWatch Content Gateway for Linux. VMware Workspace ONE UEM 1811 Unified Access Gateway

vrealize Operations Manager Management Pack for vrealize Hyperic Release Notes

Centrify for Splunk Integration Guide

WP Voting Plugin - Ohiowebtech Video Extension - Youtube Documentation

McAfee Security-as-a-Service

VMware AirWatch Content Gateway for Windows. VMware Workspace ONE UEM 1811 Unified Access Gateway

SecurityCenter 4.6 Administration Guide. April 11, 2013 (Revision 5)

Continuous Integration, Continuous Deployment and Continuous Testing by HP Codar using ALM and Jenkins

Qualys Cloud Platform (VM, PC) v8.x Release Notes

Forescout. eyeextend for ServiceNow. Configuration Guide. Version 2.0

Comodo SecureBox Management Console Software Version 1.9

AirWatch Mobile Device Management

Centralized Log Hosting Manual for User

Revised: 08/02/ Click the Start button at bottom left, enter Server Manager in the search box, and select it in the list to open it.

ForeScout Extended Module for ServiceNow

Administration Guide for Resellers

INSTALLATION GUIDE Spring 2017

July 18, (Revision 3)

VMware Workspace ONE Intelligence. VMware Workspace ONE

AWS Remote Access VPC Bundle

Eloqua Integration User Guide. Cvent, Inc 1765 Greensboro Station Place McLean, VA

AppSpider Enterprise. Getting Started Guide

Workspace ios Content Locker. UBC Workspace 2.0: VMware Content Locker v4.12 for ios. User Guide

Manage Administrators and Admin Access Policies

VMware AirWatch Integration with SecureAuth PKI Guide

Tenable SCAP Standards Declarations. June 4, 2015 (Revision 11)

USER GUIDE Summer 2015

Oracle Cloud Using the Evernote Adapter. Release 17.3

VMware AirWatch Content Gateway Guide for Windows

Oracle Enterprise Manager. 1 Before You Install. System Monitoring Plug-in for Oracle Unified Directory User's Guide Release 1.0

Zephyr Cloud for HipChat

Pardot Overview and Setup Instructions

Who am I? Identity Product Group, CXP Team. Premier Field Engineer. SANS STI Student GWAPT, GCIA, GCIH, GCWN, GMOB

ForeScout App for Splunk

F5 DDoS Hybrid Defender : Setup. Version

VMware Content Gateway to Unified Access Gateway Migration Guide

PASSPORTAL PLUGIN DOCUMENTATION

Managing Modular Infrastructure by using OpenManage Essentials (OME)

ClearPass and Tenable.sc Integration Guide. Tenable.sc. Integration Guide. ClearPass. ClearPass and Tenable.sc - Integration Guide 1

Single Sign-On for PCF. User's Guide

ATTACHMENT MANAGEMENT USING AZURE BLOB STORAGE

Tenable.io Container Security. Last Updated: November 02, 2018

Manage Administrators and Admin Access Policies

Data Onboarding. Where Do I begin? Luke Netto Senior Professional Services Splunk. September 26, 2017 Washington, DC

Transcription:

How-to Guide: Tenable Applications for Splunk Last Revised: August 21, 2018

Table of Contents Overview 3 Components 4 Tenable Add-on (TA-tenable) 5 Source and Source Types 6 CIM Mapping 7 Tenable App for Splunk 8 Installation Workflow 10 Splunk Environments 11 Installation 12 Configuration 14 Tenable SecurityCenter Credentials 15 Tenable SecurityCenter Certificates 18 Tenable.io 22 Create Input 25 Adaptive Response 29 Additional Information 32 Tenable Macros 33 Troubleshooting 34

Overview The Tenable Splunk applications perform data collection, normalization, and visualization. The Tenable application is divided into two parts: Tenable Add-On for Splunk (TA-tenable) - provides all data collection and normalization functionality. Tenable App for Splunk (TenableAppforSplunk) - provides a dashboard to view the Tenable data in Splunk. Tenable Application Topology

Components The Tenable Add-on has specific purposes for different Splunk components. The Heavy Forwarder collects and forwards data for all events. Note: All inputs should be configured to run from the heavy forwarder. Note: You must enable the key value store (KV) on the heavy forwarder. The Indexer must be installed to ensure Tenable data is properly indexed. Note: You can use a default index or create and set a custom index. This is required. The Search Head must be configured and installed to allow full functionality of the Tenable Add-on adaptive response actions. Note: You must use the same configuration details you have on the Heavy Forwarder for the adaptive response actions to work correctly.

Tenable Add-on (TA-tenable) The Tenable Add-On for Splunk pulls data from Tenable platforms and normalizes it in Splunk. The current Tenable Add-On uses the following endpoints. SecurityCenter Vulnerability and assets details: /rest/analysis Plugin details: /rest/plugins Repository details: /rest/repository Tenable.io Request Export: /vulns/export Export Status: /vulns/<export UUID>/status Download Chunk: /vulns/<export UUID>/chunks/<Chunk ID>

Source and Source Types The Tenable Add-on for Splunk will store data with the following sources and source types. SecurityCenter Source Sourcetype Description <username> <address> tenable:sc:vuln This collects all vulnerability data. <username> <address> tenable:sc:assets This collects pull assets data. <username> <address> tenable:sc:plugin This collects all plugin data. Tenable.io Source Sourcetype Description tenable_io://<data input name> tenable:io:vuln This collects all vulnerability data.

CIM Mapping This chart displays how we map tenable vulnerability findings to Splunk CIM. Field Name from Ten- Field Name from Secur- CIM Field CIM Data ble.io API itycenter API Name Model asset.fqdn or asset.ipv4 dnsname or ip dest Vulnerability plugin.bid bid bugtraq Vulnerability asset.ipv4 ip dest_ip Vulnerability asset.fqdn dnsname dest_name Vulnerability plugin.synopsis synopsis signature Vulnerability plugin.family family.name category Vulnerability Tenable.io Tenable SecurityCenter vendor_ product Vulnerability

Tenable App for Splunk The Tenable App for Splunk provides a single dashboard showing all of your Tenable data. Displayed Components Total Vulnerabilities Today Active Vulnerabilities Today Fixed Vulnerabilities Today Total Vulnerabilities Active Vulnerabilities Fixed Vulnerabilities Top 10 Vulnerabilities Most Vulnerable Hosts Vulnerabilities by Severity New Vulnerabilities

Installation Workflow Follow the steps below to complete the installation and configuration of the Tenable applications for Splunk. Install and Configure 1. Install the Tenable application. 2. Configure the desired Tenable application for Splunk. 3. Create an input for the configured Tenable application for Splunk. 4. Configure adaptive response actions.

Splunk Environments The installation process for the Tenable App for Splunk and Tenable Add-On for Splunk varies based on your Splunk environment. Deployment Types Single server, distributed deployment, and cloud instance options are available. Single Server Deployment In a single server deployment, a single instance of Splunk Enterprise works as a data collection node, indexer, and search head. In this instance, install the Tenable Add-On and Tenable App on this node. Complete the setup for the Tenable Add-On to start data collection. Distributed Deployment In a distributed deployment, install Splunk on at least two instances. One node works as a search head while the other node works as an indexer for data collection. The following table displays information on how the Tenable Add-On and Tenable App are installed in the distributed environment. Component Forwarder Indexer Search Head Tenable Add-on for Splunk (TA-Ten- Yes No Yes able) configure accounts configure data configure accounts input Tenable-SC App for Splunk (Tenable App) No No Yes Cloud Instance In Splunk Cloud, the data indexing takes place in a cloud instance. Note: The data collection can take place in an on premise Splunk instance that works as a heavy forwarder. The application can be installed via a command line or from the Splunk UI.

Installation Pre-requisites You must have sufficient permissions to integrate with Tenable Tenable.io or Tenable SecurityCenter. The Security Manager role is required for SecurityCenter. (See the SecurityCenter user guide for information about user role configuration.) The Admin role is required for Tenable.io. (See the Tenable.io user guide for information about user role configuration.) Note: See the Splunk Environments section for additional information about the different types of Splunk deployments and their requirements. Install via the Splunk UI 1. Log in to Splunk. 2. Go to Apps at the top of the screen. Click Manage App. 3. Click Install app from file.

4. Next, choose the SPL file to install. 5. Click upload. Note: You must restart Splunk after installing the Tenable App or Tenable Add-On. Note: Next, configure the Tenable application.

Configuration Tenable provides three application configuration options for the Tenable Add-On for Splunk. Tenable SecurityCenter Credentials Tenable SecurityCenter Certificates Tenable.io

Tenable SecurityCenter Credentials To complete the installation process, you must complete the setup for the Tenable Add-on for Splunk. 1. Log in to your data collection node. 2. In the left navigation bar, click the Tenable Add-on for Splunk. 3. Click the Configuration tab.

4. Click the Add button. A new window displays.

5. In the Tenable Access Type field, select Tenable SecurityCenter Credentials 6. Enter the necessary information for each field. The field options are described in the chart below. Input Parameters Account Name Tenable Account Type Address Verify SSL Certificate Username Password Description (Required) The unique name for each Tenable SecurityCenter data input. (Required) Tenable SecurityCenter Credentials. (Required) The host name or IP address for SecurityCenter. If enabled, Splunk verifies the certificate in SecurityCenter. The username in SecurityCenter. The password in SecurityCenter. 7. Click Add to complete the configuration. Note: Next, you must create an input for the Tenable Add-On for Splunk.

Tenable SecurityCenter Certificates To complete the installation process, you must complete the setup for the Tenable Add-on for Splunk. 1. Log in to your data collection node. 2. In the left navigation bar, click the Tenable Add-on for Splunk. 3. Click the Configuration tab.

4. Click the Add button. The Add Account window displays.

5. In the Tenable Account Type field, select Tenable SecurityCenter Certificates. 6. Enter the necessary information for each field. The field description are described in the chart below. Input Parameters Account Name Tenable Account Type Address Verify SSL Certificate Description (Required) The unique name for each Tenable SecurityCenter data input. (Required) The Tenable application -Tenable SecurityCenter Certificate. (Required)The host name or IP address for SecurityCenter. If enabled, Splunk verifies the SSL Certificate in SecurityCenter.

Certificate Filename Key Filename Key Password The name of the certificate that you uploaded to $SPLUNK_HOME/etc/apps/TA-tenable/certs/. The name of the key that you uploaded to $SPLUNK_ HOME/etc/apps/TA-tenable/certs/. The password for the key file you uploaded. 7. Click Add to complete the configuration. Note: Next, you must create an input for the Tenable Add-On for Splunk.

Tenable.io To complete the installation process, you must complete the setup for the Tenable Add-on for Splunk. 1. Log in to your data collection node. 2. In the left navigation bar, click the Tenable Add-on for Splunk. 3. Click the Configuration tab.

4. Click the Add button. A new window displays.

5. Enter the necessary information for each field. The field options are described in the chart below. Note: You must generate an API key in Tenable.io to complete the configuration. See the Tenable.io user guide for instructions on how to generate an API key. Input Parameters Account Name Tenable Account Type Address Verify SSL Certificate Access Key Secret Key Description (Required) The unique name for each Tenable.io data input. (Required) The Tenable application - Tenable.io. (Required) The host name or IP address for Tenable.io. If enabled, Splunk verifies the SSL certificate in Tenable.io. Your Tenable.io API Access Key. Your Tenable.io API Secret Key. 6. Click Add to complete the configuration. Note: Next, you must create an input for the Tenable Add-On for Splunk.

Create Input After you have completed configuring your Tenable Add-On for Splunk, you must create the input. Steps 1. In the Splunk interface, click the Inputs tab. 2. Click the Create New Input button. A drop down appears. 3. Select the appropriate Tenable application. The selected Tenable application input options open in a new window.

Tenable.io Tenable SecurityCenter

4. Enter the necessary information for each field. The field description are described in the chart below. Note: If you dont use the default index, you have to update the Tenable Macro. Tenable.io Input Parameters Name Interval Index Description (Required) The unique name for each Tenable SecurityCenter data input. (Required) The interval parameter specifies when the input restarts to perform the task again (in seconds). (Required) Select the index to store Tenable.io data

in. Global Account Start Time Lowest Severity Score (Required) The Tenable account from which data is acquired. The date and time to start collecting data from. If you leave this field blank, all historical data will be collected. (Enter in this format - YYYY-MM-DD hh:mm:ss.) (Required) The lowest level of severity that will be stored. Tenable SecurityCenter Input Parameters Name Interval Index Global Account Lowest Severity Score Sync Plugin Details Include Accepted Risks Repositories Description (Required) The unique name for each Tenable SecurityCenter data input. (Required) The interval parameter specifies when the input restarts to perform the task again (in seconds). (Required) Select the index to store SecurityCenter data in. (Required) The Tenable account from which data is acquired. (Required) The lowest level of severity that will be stored. If selected, plugin details are included. If selected, data with accepted risks true is included. List of repository IDs to collect data. 5. Click Add to create the input.

Adaptive Response To configure an adaptive response: Select an Index Before configuring the adaptive response, you have to configure the index that stores the adaptive response actions. Note: If you do not select an index, the responses will be stored in the default - "main" index. 1. On the configuration page, click the Alert Actions Configuration tab. 2. Click the Alert Actions Index drop down to display the index list. Select an index. 3. Click Save. Configure Saved Actions Configure adaptive response actions when you create a correlation search. Note: The actions are retrieved automatically when you run the search.

1. In the top navigation panel, click Configure. Select Content Management from the drop down menu. 2. In the top right corner, click the Create New Content button. Select Correlation Search from drop down menu. Note:You can bind adaptive response actions while creating the correlation search. 3. Click Add New Response Action. Select the appropriate action for your search.

4. Run a search. The saved events are retrieved and display in the Adaptive Responses panel.

Additional Information See the following pages for additional information. Update Macro Definition Troubleshooting

Tenable Macros To modify the macro definition: Tenable Index Macro 1. Go to Settings-> Advance search-> Search Macros. 2. Click get_tenable_index. Note: The get_tenable_index tells the system how to find the index in which the Tenable data is being stored. 3. If the index=default is selected in the modular input, there is no need to update the macro. Note: The default macro definition is index=main. Update the macro with the same index selected in the respective modular input. Tenable Source Types 1. Go to Settings-> Advance search-> Search Macros. 2. Click get_tenable_sourcetype. Note: Default macro definition is sourcetype=(tenable:sc:vuln OR tenable:io:vuln).

Troubleshooting 1. I don t see data after setting up mod input. Verify that you have checked the Enable Data Collection? field in modular input. Check the Splunk file (<SPLUNK_HOME>/var/log/splunk/ta_tenable_tenable_securitycenter.log) for any TA-Tenable specific errors. 2. Data is not populating in the Tenable App dashboards. Try expanding the time range from the last 24 hours. Check the Tenable macro (get_tenable_index) and ensure the Tenable index is set correctly.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback