Monitoring Tenable OT Security
Tenable OT Security is a platform that unifies OT and IT asset visibility, insight, and control. An OT environment running it can automate both asset discovery and vulnerability detection. You want to use the Tenable OT Security data ingested into Splunk to enable proactive risk mitigation through continuous asset discovery and compliance monitoring.
Data required
How to use Splunk software for this use case
Run the following search to list OT assets and their associated vulnerabilities. Change the index name to match your deployment and adjust the time range as needed. Note that join is an inner join by default, so a vulnerability event with no matching plugin or asset record is dropped from the results, and each bracketed subsearch is subject to Splunk's subsearch result and runtime limits; on a large OT estate, check the Job Inspector for subsearch truncation warnings before trusting the totals.
index="tenable_ot" sourcetype="tenable:ot:vuln" | join pluginId [search index="tenable_ot" sourcetype="tenable:ot:plugin" | eval pluginId=id] | join assetId [search index="tenable_ot" sourcetype="tenable:ot:assets" | eval assetId=id] | table assetId, name, description, details.cves{}, severity
Next, run this search to sort the findings by severity. The severity field is a string, so the search first maps it to a numeric rank and sorts on that; you can then filter on severity, for example keeping only findings ranked critical.
index="tenable_ot" sourcetype="tenable:ot:vuln" | join pluginId [search index="tenable_ot" sourcetype="tenable:ot:plugin" | eval pluginId=id] | join assetId [search index="tenable_ot" sourcetype="tenable:ot:assets" | eval assetId=id] | table assetId, name, description, details.cves{}, severity | eval severityRank=case(severity=="critical", 1, severity=="high", 2, severity=="medium", 3, severity=="low", 4, 1=1, 5) | sort severityRank
Identifying the OT assets that carry the most severe vulnerabilities lets your team track compliance, report status, and prioritize remediation of the affected assets.
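For prioritization you usually want one row per asset rather than one row per finding. The search below is an added example, not from the original page or from the Tenable Add-on for Splunk: it extends the search above by keeping only critical and high findings and then aggregating per asset with stats, so each asset shows its worst severity, the number of findings, and the distinct CVEs behind them. It assumes the same index, sourcetypes, field names (pluginId, assetId, severity, details.cves{}) and lowercase severity values used in the searches above; the field names worstRank, findings, distinctCves and cves are chosen here for illustration.

```spl
index="tenable_ot" sourcetype="tenable:ot:vuln"
| join pluginId [search index="tenable_ot" sourcetype="tenable:ot:plugin" | eval pluginId=id]
| join assetId [search index="tenable_ot" sourcetype="tenable:ot:assets" | eval assetId=id]
| eval severityRank=case(severity=="critical", 1, severity=="high", 2, severity=="medium", 3, severity=="low", 4, 1=1, 5)
| where severityRank<=2
| rename "details.cves{}" AS cve
| stats min(severityRank) AS worstRank, count AS findings, dc(cve) AS distinctCves, values(cve) AS cves BY assetId
| eval worstSeverity=case(worstRank==1, "critical", worstRank==2, "high")
| sort worstRank, -findings
| table assetId, worstSeverity, findings, distinctCves, cves
```

The aggregation groups by assetId rather than by name because join overwrites conflicting field names by default (overwrite=true), so after two joins a field such as name holds whichever dataset was joined last; assetId is unambiguous. The rename step gives the multivalue details.cves{} field a plain name so that dc() and values() can be applied to it without quoting in the stats command. Raise the where threshold to severityRank<=3 to include medium findings in the count.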
Search Explanation
Splunk Search | Explanation |
---|---|
`index="tenable_ot" sourcetype="tenable:ot:vuln"` | Search first by vulnerabilities. |
`\| join pluginId [search index="tenable_ot" sourcetype="tenable:ot:plugin" \| eval pluginId=id]` | Join vulnerabilities with the associated plugin data. |
`\| join assetId [search index="tenable_ot" sourcetype="tenable:ot:assets" \| eval assetId=id]` | Join the asset data to see the affected OT asset. |
`\| table assetId, name, description, details.cves{}, severity` | Create a table to view key fields in the results. |
`\| eval severityRank=case(severity=="critical", 1, severity=="high", 2, severity=="medium", 3, severity=="low", 4, 1=1, 5)` | Map the severity string to a number so it can be sorted. |
`\| sort severityRank` | Sort by the level of severity from critical to low. |
Next steps
If you are looking to improve your asset discovery and management capabilities further, you might be interested in Splunk Asset and Risk Intelligence (ARI). Learn more about ARI in Getting Started with Splunk Asset & Risk Intelligence.
To see a live demo of the OT security capabilities in the Tenable Add-on for Splunk, you can request one from your Splunk SE.
In addition, these resources might help you understand and implement this guidance:
- Splunkbase: Tenable Add-On for Splunk