
Integrating Tenable nessus(sc) with splunk?

bestSplunker
Contributor

Hello everyone. Please forgive my English level. I'm a Splunk novice and a Nessus novice.

I am trying to ingest the Tenable (sc) vulnerability data into the Splunk indexer. I have read the official documentation for the Tenable Add-On for Splunk (link: https://docs.tenable.com/integrations/splunk/Content/Splunk%20Add%20On.htm). I think my type of Tenable is Tenable.sc, not Tenable.io. Please see the screenshot below:


I am trying to configure the Tenable Add-On for Splunk, but it returns the error message "Please enter valid Address, Username and Password.", as shown below:

I have tried deleting the port number in the address (192.168.20.129) and checking "Verify SSL Certificate", but it is still not working. I have tested all the configurations.

If I change the "Tenable Account Type" to Tenable.io and use the access_keysecret Key, it can create the configuration successfully. But after successfully creating the input, the vulnerability data is not indexed into Splunk, and I can find the following error in the log file error.log (/opt/splunk/var/log/splunk/ta_tenable_tenable_io.log):

2019-09-11 16:09:56,668 INFO pid=10770 tid=MainThread file=base_modinput.py:log_info:293 | Tenable.io vulnerability data collection started
2019-09-11 16:09:56,669 INFO pid=10770 tid=MainThread file=splunk_rest_client.py:_request_handler:100 | Use HTTP connection pooling
2019-09-11 16:09:56,670 INFO pid=10770 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2019-09-11 16:09:56,693 ERROR pid=10770 tid=MainThread file=io_connect.py:__check_response:80 | Tenable Error: response: {"error":"The requested file was not found"}

I am trying to force the creation of the Tenable.sc account configuration information (ta_tenable_account.conf) on the command line, and then select Global Account* when configuring the input. When I click the "add" button, the following error still occurs:

2019-09-11 16:34:12,528 ERROR pid=19830 tid=MainThread file=sc_connect.py:_check_response:98 | Tenable SC Error: URL: https://192.168.20.129:8834/rest/system, HTTP status code: 404, error code: 1

So I re-read the principle of the Tenable Add-on, which calls the Tenable API to extract data from the Tenable platform (link: https://docs.tenable.com/integrations/splunk/Content/Splunk%20Add%20On.htm).

The Tenable Add-On for Splunk pulls data from Tenable platforms and normalizes it in Splunk.

The current Tenable Add-On uses the following endpoints.

Tenable.io

Request Export: /vulns/export
Vulnerability Export: /vulns/export

Asset Export: /assets/export

Tenable.sc

Vulnerability and assets details: /rest/analysis
Plugin details: /rest/plugins
Repository details: /rest/repository

The reason for the error was that my Nessus does not provide an API at all. When I tried to access these API links using a browser, it returned 404 not found.

E.g.:

The Tenable.io Vulnerability Export calls the API /vulns/export. When I try to access "https://192.168.20.129:8834/vulns/export", the browser returns a status code of 404 with the content: "{"error":" The requested file was not found"}"

The Tenable.sc Vulnerability and assets details call the API /rest/analysis. When I try to access "https://192.168.20.129:8834/rest/analysis", the browser returns a status code of 404 with the content: "{"error": "The requested file was not found"}"

Questions:

  1. Why doesn't my Nessus provide an API interface?
  2. Do I need to configure nessus to enable the api interface?
  3. Is there a Nessus expert who can tell me whether my Nessus type is Tenable.io or Tenable.sc?

nkeuning
Communicator

I'm not sure why your box says "Nessus (SC)", but that is not Tenable.sc; it is Nessus. The Tenable Add-On for Splunk only supports Tenable.sc and Tenable.io. You will need to connect it to one of these platforms, rather than directly to Nessus. You can find more information on Tenable.sc here
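
A small triage of the add-on log errors quoted in this thread, as an added example (not part of the original posts and not Tenable's or Splunk's code): it parses the log format shown in the question and flags a Tenable.sc endpoint that returns 404 on port 8834, the default Nessus web port, as a sign that the add-on is pointed at a standalone Nessus scanner. The function name `triage` and the hint strings are made up for this example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the two ERROR lines quoted in the question.
SAMPLE_LOG = """\
2019-09-11 16:09:56,693 ERROR pid=10770 tid=MainThread file=io_connect.py:__check_response:80 | Tenable Error: response: {"error":"The requested file was not found"}
2019-09-11 16:34:12,528 ERROR pid=19830 tid=MainThread file=sc_connect.py:_check_response:98 | Tenable SC Error: URL: https://192.168.20.129:8834/rest/system, HTTP status code: 404, error code: 1
"""

# Layout of the add-on log lines: "<date> <time> LEVEL pid= tid= file=a:b:n | message"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<level>[A-Z]+) pid=\d+ tid=\S+ "
    r"file=(?P<file>[^:]+):\w+:\d+ \| (?P<msg>.*)$"
)
SC_ERR_RE = re.compile(r"URL: (?P<url>\S+), HTTP status code: (?P<status>\d+)")
NESSUS_PORT = 8834  # default Nessus web port, also the port in the question's URLs


def triage(log_text):
    """Return one finding per ERROR line, with a hint about the likely cause."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["level"] != "ERROR":
            continue
        finding = {"ts": m["ts"], "source": m["file"], "hint": "unclassified"}
        sc = SC_ERR_RE.search(m["msg"])
        if sc:
            url = urlsplit(sc["url"])
            finding.update(endpoint=url.path, status=int(sc["status"]))
            if finding["status"] == 404 and url.port == NESSUS_PORT:
                finding["hint"] = ("Tenable.sc endpoint missing on port 8834: "
                                   "target looks like a standalone Nessus scanner")
            elif finding["status"] == 404:
                finding["hint"] = "no Tenable.sc REST API at this address"
        elif "requested file was not found" in m["msg"]:
            finding["hint"] = "Tenable.io export endpoint not served by this host"
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["ts"], f["source"], "->", f["hint"])
```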


am2
New Member

Where do you install the tenable.sc app? The tenable add-on and tenable app go on SHs. How do you configure it to work?


bestSplunker
Contributor

Because I saw that the title of the website is "Nessus scanner (SC)", I mistakenly thought it was Tenable.sc.
