Tenable Add-on: configuration and authentication was successful but index has no events.

acensi0n
Engager

I have the Tenable apps installed and configured, but no data is being pulled from SecurityCenter. The Security Manager account configured reports a successful login from Splunk, but the events in the index remain at zero.

The following configuration items are used:

== Configuration: Account Name ==
- Verify SSL Certificate is disabled

== indexes ==
tenable
- App: TA-Tenable

== advanced search: search macros ==
get_tenable_index
- (index="tenable")

What could I be missing?

Any help appreciated!

nkeuning
Communicator

Have you checked the TA logs?
index="_internal" source="*ta_tenable*"

0 Karma

jawaharas
Motivator

I notice the /vulns/export endpoint doesn't return any result (even via the 'curl' command).

From TA logs:
DEBUG pid=59172 tid=MainThread file=connectionpool.py:_make_request:400 | https://cloud.tenable.com:443 "POST /vulns/export HTTP/1.1" 200 None

Tenable support says the '/vulns/export' endpoint is no longer in use. Any help will be appreciated.

0 Karma

nkeuning
Communicator

vulns/export is very much still used across all of our integrations. This API only returns a UUID that we use to check the status of the data to be pulled, and finally we use a chunks endpoint to pull the actual results. This log shows that the request returned a 200, so it is working as expected.

0 Karma

jawaharas
Motivator

This is from ta_tenable_tenable_io.log (in chronological order). I don't see any errors, but no data is indexed.

2019-02-13 13:55:51,110 file=io_connect.py:__setupSession:32 | Tenable debug: Setting up session.
2019-02-13 13:55:51,110 file=io_connect.py:__setupSession:40 | Tenable debug: Setting max retries to: 3
2019-02-13 13:55:51,111 file=io_connect.py:__setupSession:46 | Tenable debug: Setting requests ssl verify to: True
2019-02-13 13:55:51,111 file=base_modinput.py:log_debug:286 | Tenable Debug: check point name: scan_resultscloud.tenable.com
2019-02-13 13:55:51,112 file=binding.py:get:664 | GET request to https://127.0.0.1:8089/servicesNS/nobody/TA-tenable/storage/collections/config/TA_tenable_checkpointer (body: {})
2019-02-13 13:55:51,117 file=connectionpool.py:_make_request:387 | "GET /servicesNS/nobody/TA-tenable/storage/collections/config/TA_tenable_checkpointer HTTP/1.1" 200 5326
2019-02-13 13:55:51,118 file=binding.py:get:664 | GET request to https://127.0.0.1:8089/servicesNS/nobody/TA-tenable/storage/collections/config/ (body: {'offset': 0, 'search': 'TA_tenable_checkpointer', 'count': -1})
2019-02-13 13:55:51,122 file=connectionpool.py:_make_request:387 | "GET /servicesNS/nobody/TA-tenable/storage/collections/config/?offset=0&search=TA_tenable_checkpointer&count=-1 HTTP/1.1" 200 4524
2019-02-13 13:55:51,124 file=binding.py:get:664 | GET request to https://127.0.0.1:8089/servicesNS/nobody/TA-tenable/storage/collections/data/TA_tenable_checkpointer/scan_resultscloud.tenable.com (body: {})
2019-02-13 13:55:51,126 file=connectionpool.py:_make_request:387 | "GET /servicesNS/nobody/TA-tenable/storage/collections/data/TA_tenable_checkpointer/scan_resultscloud.tenable.com HTTP/1.1" 200 101
2019-02-13 13:55:51,127 file=base_modinput.py:log_debug:286 | Tenable Debug: check point state returned: {u'since': 1550022951}
2019-02-13 13:55:51,131 file=connectionpool.py:_new_conn:809 | Starting new HTTPS connection (1): cloud.tenable.com
2019-02-13 13:55:52,189 file=connectionpool.py:_make_request:400 | https://cloud.tenable.com:443 "POST /vulns/export HTTP/1.1" 200 None
2019-02-13 13:55:52,191 file=io_connect.py:__checkResponse:68 | Tenable debug: response OK http_status code: 200
2019-02-13 13:55:52,191 file=io_connect.py:getEndpoint:94 | Tenable Debug: GET URL: https://cloud.tenable.com/vulns/export/51d2af32-baf9-4aa0-886d-73412a093dfd/status
2019-02-13 13:55:52,191 file=io_connect.py:getEndpoint:95 | Tenable Debug: GET PARMS: None
2019-02-13 13:55:52,669 file=connectionpool.py:_make_request:400 | https://cloud.tenable.com:443 "GET /vulns/export/51d2af32-baf9-4aa0-886d-73412a093dfd/status HTTP/1.1" 200 None
2019-02-13 13:55:52,670 file=io_connect.py:__checkResponse:68 | Tenable debug: response OK http_status code: 200
2019-02-13 13:55:52,670 file=binding.py:post:736 | POST request to https://127.0.0.1:8089/servicesNS/nobody/TA-tenable/storage/collections/data/TA_tenable_checkpointer/batch_save (body: {'body': '[{"state": "{\\"since\\": 1550026551}", "_key": "scan_resultscloud.tenable.com"}]'})
2019-02-13 13:55:52,702 file=connectionpool.py:_make_request:387 | "POST /servicesNS/nobody/TA-tenable/storage/collections/data/TA_tenable_checkpointer/batch_save HTTP/1.1" 200 35

0 Karma
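An added diagnostic, not part of the thread or of the TA itself, that walks the three-step flow nkeuning describes (POST /vulns/export, poll the /status URL, download /chunks/N) through the log lines posted above and reports whether any chunk was ever fetched and whether the checkpoint still moved forward. The embedded log lines are copied from the post above except the chunk line, which is constructed to show what a completed pull would look like; the summary field names are my own.

```python
import re

# Lines copied from the ta_tenable_tenable_io.log excerpt in the post above
# (only the request and checkpoint lines the analysis needs).
TRACE_FROM_THREAD = r"""
2019-02-13 13:55:51,127 file=base_modinput.py:log_debug:286 | Tenable Debug: check point state returned: {u'since': 1550022951}
2019-02-13 13:55:52,189 file=connectionpool.py:_make_request:400 | https://cloud.tenable.com:443 "POST /vulns/export HTTP/1.1" 200 None
2019-02-13 13:55:52,669 file=connectionpool.py:_make_request:400 | https://cloud.tenable.com:443 "GET /vulns/export/51d2af32-baf9-4aa0-886d-73412a093dfd/status HTTP/1.1" 200 None
2019-02-13 13:55:52,670 file=binding.py:post:736 | POST request to https://127.0.0.1:8089/servicesNS/nobody/TA-tenable/storage/collections/data/TA_tenable_checkpointer/batch_save (body: {'body': '[{"state": "{\\"since\\": 1550026551}", "_key": "scan_resultscloud.tenable.com"}]'})
"""
# Constructed line: what a chunk download would log if the export produced data.
CONSTRUCTED_CHUNK_LINE = ('2019-02-13 13:55:55,001 file=connectionpool.py:_make_request:400 | '
                          'https://cloud.tenable.com:443 "GET /vulns/export/'
                          '51d2af32-baf9-4aa0-886d-73412a093dfd/chunks/1 HTTP/1.1" 200 None\n')

EXPORT_POST = re.compile(r'"POST /vulns/export HTTP')
STATUS_GET = re.compile(r'"GET /vulns/export/[0-9a-f-]+/status HTTP')
CHUNK_GET = re.compile(r'"GET /vulns/export/[0-9a-f-]+/chunks/(\d+) HTTP')
CHECKPOINT_READ = re.compile(r'check point state returned:.*?since\W+(\d+)')
CHECKPOINT_SAVE = re.compile(r'batch_save.*?since\W+(\d+)')


def analyse_trace(text):
    """Summarise one TA run: did the export flow ever reach the chunk stage?"""
    s = {"export_started": False, "status_polls": 0, "chunks_fetched": [],
         "since_before": None, "since_after": None, "findings": []}
    for line in text.splitlines():
        if EXPORT_POST.search(line):
            s["export_started"] = True
        elif STATUS_GET.search(line):
            s["status_polls"] += 1
        elif CHUNK_GET.search(line):
            s["chunks_fetched"].append(int(CHUNK_GET.search(line).group(1)))
        elif CHECKPOINT_READ.search(line):
            s["since_before"] = int(CHECKPOINT_READ.search(line).group(1))
        elif CHECKPOINT_SAVE.search(line):
            s["since_after"] = int(CHECKPOINT_SAVE.search(line).group(1))
    if s["export_started"] and not s["chunks_fetched"]:
        s["findings"].append("export requested and status polled, but no chunk downloaded: nothing reaches the index")
    if (s["since_before"] is not None and s["since_after"] is not None
            and s["since_after"] > s["since_before"] and not s["chunks_fetched"]):
        s["findings"].append("checkpoint 'since' moved forward with no chunk fetched: the next run asks only for newer data")
    return s


if __name__ == "__main__":
    for finding in analyse_trace(TRACE_FROM_THREAD)["findings"]:
        print("FINDING:", finding)
```

Run against the posted excerpt it reports both findings; appending the constructed chunk line clears them, which is the shape a healthy run should have.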

nkeuning
Communicator

Please create a support ticket with Tenable so we can help track down the issue. The only other thing I would recommend is expanding your search window, as we index/store all vuln data based on first-seen date, so searching is a bit different than if we duplicated all data daily.

0 Karma

jawaharas
Motivator

Thanks. A Tenable Case #00755880 has been raised already. No luck so far. As you suggested I have searched the index with 'All Time' as time range. Still no data.

0 Karma