Splunk Lantern

Monitoring Tenable OT Security

Tenable OT Security is a service that unifies OT/IT asset visibility, insight, and control. With it, an OT environment can automate both asset discovery and vulnerability detection. You want to use data from Tenable OT Security to enable proactive risk mitigation through continuous asset discovery and compliance monitoring.

Data required

Tenable

How to use Splunk software for this use case

Run the following search to see the OT assets and their associated vulnerabilities. You can optimize it by specifying an index and adjusting the time range.

index="tenable_ot" sourcetype="tenable:ot:vuln"
| join pluginId [search index="tenable_ot" sourcetype="tenable:ot:plugin"
| eval pluginId=id]
| join assetId [search index="tenable_ot" sourcetype="tenable:ot:assets"
| eval assetId=id]
| table assetId, name, description, details.cves{}, severity

Next, run this search to sort the results by severity. You can then filter on severity, for example to show only findings ranked critical.

index="tenable_ot" sourcetype="tenable:ot:vuln"
| join pluginId [search index="tenable_ot" sourcetype="tenable:ot:plugin"
| eval pluginId=id]
| join assetId [search index="tenable_ot" sourcetype="tenable:ot:assets"
| eval assetId=id]
| table assetId, name, description, details.cves{}, severity
| eval severityRank=case(severity=="critical", 1, severity=="high", 2, severity=="medium", 3, severity=="low", 4, 1=1, 5)
| sort severityRank

Identifying OT assets with the most severe vulnerabilities will allow your team to track compliance, report status, and prioritize remediation of the affected assets.
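The following search is an added example for this page; it is not part of the original Lantern article and not code from Splunk or Tenable. It keeps the two joins from the searches above (and therefore the same field assumptions: pluginId and assetId on the vulnerability events, id on the plugin and asset events, severity and details.cves{} on the joined rows) and extends them into a per-asset summary that a remediation or compliance team can track over time. The field names findings, worstRank, critical, high, distinctPlugins and cves, the earliest=-24h window, and the use of rename to make the multivalue CVE field easier to reference are all choices made here, not from the page.

```spl
index="tenable_ot" sourcetype="tenable:ot:vuln" earliest=-24h
| join pluginId [search index="tenable_ot" sourcetype="tenable:ot:plugin" earliest=-24h
| eval pluginId=id]
| join assetId [search index="tenable_ot" sourcetype="tenable:ot:assets" earliest=-24h
| eval assetId=id]
| rename details.cves{} AS cves
| eval severityRank=case(severity=="critical", 1, severity=="high", 2, severity=="medium", 3, severity=="low", 4, 1=1, 5)
| where severityRank<=2
| stats count AS findings,
        min(severityRank) AS worstRank,
        sum(eval(if(severity=="critical", 1, 0))) AS critical,
        sum(eval(if(severity=="high", 1, 0))) AS high,
        dc(pluginId) AS distinctPlugins,
        values(cves) AS cves
        BY assetId
| sort worstRank, -critical, -high
```

Two practical points when adapting this. First, the same time window must be applied to the outer search and to both subsearches (here earliest=-24h, which assumes the add-on pulls vulnerability, plugin and asset data at least daily; match it to your collection interval), otherwise rows silently fail to join. Second, join runs its subsearch under Splunk's subsearch limits (by default 50,000 results), and the default inner join drops any vulnerability whose plugin or asset record is missing from the window; if you need to see those unmatched rows rather than lose them, use join type=left and then look for results where name or assetId is null.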

Search Explanation

Splunk | Search Explanation

index="tenable_ot" sourcetype="tenable:ot:vuln"
    Search first by vulnerabilities.

| join pluginId [search index="tenable_ot" sourcetype="tenable:ot:plugin"
| eval pluginId=id]
    Join each vulnerability with its associated plugin, which is the Tenable check that detects that specific vulnerability.

| join assetId [search index="tenable_ot" sourcetype="tenable:ot:assets"
| eval assetId=id]
    Join the asset data to see the affected OT asset.

| table assetId, name, description, details.cves{}, severity
    Create a table to view key fields in the results.

| eval severityRank=case(severity=="critical", 1, severity=="high", 2, severity=="medium", 3, severity=="low", 4, 1=1, 5)
    Map the severity string to a number so it can be sorted. Any value other than critical, high, medium or low falls through to rank 5.

| sort severityRank
    Sort by the level of severity from critical to low.

Next steps

If you are looking to improve your asset discovery and management capabilities further, you might be interested in Splunk Asset and Risk Intelligence (ARI). Learn more about ARI in Getting Started with Splunk Asset & Risk Intelligence.

To see a live demo of the OT security capabilities in the Tenable Add-on for Splunk, you can request one from your Splunk SE.

In addition, these resources might help you understand and implement this guidance: