Monitoring Tenable OT Security

Last updated
Save as PDF
Share
1. Share
2. Tweet
3. Share

Tenable OT Security is a service that unifies OT/IT asset visibility, insight, and control. An OT environment with this solution can automate asset discovery, as well as vulnerability detection. You want to use data from Tenable OT Security to enable proactive risk mitigation through continuous asset discovery and compliance monitoring.

Data required

Tenable

How to use Splunk software for this use case

Run the following search to see the OT assets and their associated vulnerabilities. You can optimize it by specifying an index and adjusting the time range.

index="tenable_ot" sourcetype="tenable:ot:vuln"
| join pluginId [search index="tenable_ot" sourcetype="tenable:ot:plugin"
| eval pluginId=id]
| join assetId [search index="tenable_ot" sourcetype="tenable:ot:assets"
| eval assetId=id]
| table assetId, name, description, details.cves{}, severity

Next, run this search to sort them by severity. You can then filter based on severity, for example, filtering for only findings ranked critical.

index="tenable_ot" sourcetype="tenable:ot:vuln"
| join pluginId [search index="tenable_ot" sourcetype="tenable:ot:plugin"
| eval pluginId=id]
| join assetId [search index="tenable_ot" sourcetype="tenable:ot:assets"
| eval assetId=id]
| table assetId, name, description, details.cves{}, severity
| eval severityRank=case(severity=="critical", 1, severity=="high", 2, severity=="medium", 3, severity=="low", 4, 1=1, 5)
| sort severityRank

Identifying OT assets with the most severe vulnerabilities will allow your team to track compliance, report status, and prioritize remediation of the affected assets.

Search Explanation

Splunk Search	Explanation
`sourcetype=tenable:vuln`	Search first by vulnerabilities.
`join pluginId [search index="tenable_ot" sourcetype="tenable:ot:plugin"` `\| eval pluginId=id]`	Join vulnerabilities with the associated `plugin`, which is an object to detect a specific vulnerability.
`join assetId [search index="tenable_ot" sourcetype="tenable:ot:assets"` `\| eval assetId=id]`	Join the asset data to see the affected OT asset.
`\| table assetId, name, description, details.cves{}, severity`	Create a table to view key fields in the results.
`\| eval severityRank=case(severity=="critical", 1, severity=="high", 2, severity=="medium", 3, severity=="low", 4, 1=1, 5)`	Map the severity string to a number so it can be sorted.
`sort severityRank`	Sort by the level of severity from critical to low.

Next steps

If you are looking to improve your asset discovery and management capabilities further, you might be interested in Splunk Asset and Risk Intelligence (ARI). Learn more about ARI in Getting Started with Splunk Asset & Risk Intelligence.

To see a live demo of the OT security capabilities in the Tenable Add-on for Splunk, you can request one from your Splunk SE.

In addition, these resources might help you understand and implement this guidance:

Splunkbase: Tenable Add-On for Splunk