Pulls Tenable IO audit logs via the API. Install it on the Splunk Cloud IDM or on a heavy forwarder. It can also be installed on search heads to provide the sourcetype definitions, but it is clearer to create the sourcetype tenable:io:audit manually with KV_MODE = none.

The API returns at most 5000 events per request and can only be filtered by the day on which the events occurred, so if more than 5000 audit events occur in a single day there is no way to query the remaining events. When this happens the input raises a warning and sets the checkpoint to the following day so that it does not get stuck in an endless loop re-requesting the same day.

Every pull itself generates an audit log entry, so setting the polling interval too low adds to the per-day event count described above. For that reason the default interval is every 10 minutes.

Icon from https://www.vecteezy.com/vector-art/1919479-linear-audit-document-icons-design-isolated-on-white-background
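The checkpoint behaviour described above, as an added illustration (this is not the app's own code): one day is pulled per run, hitting the 5000-event cap logs a warning and moves the checkpoint forward, and a day that is still in progress is re-pulled with already-seen event ids filtered out. The fetch callable, the event shape with an "id" field and the sample data are all assumptions.

```python
import logging
from datetime import date, timedelta

API_LIMIT = 5000  # the audit API returns at most this many events per request
log = logging.getLogger("tenable_io_audit")


def pull_audit_day(fetch, checkpoint, today, seen_ids):
    """Pull one day of audit events.

    fetch(day) -> list of event dicts carrying an "id" (assumed shape).
    seen_ids: ids already indexed for the checkpoint day (persisted with it).
    Returns (new_events, next_checkpoint, warning_or_None).
    """
    if checkpoint > today:  # nothing to do yet
        return [], checkpoint, None
    events = fetch(checkpoint)
    new = [e for e in events if e["id"] not in seen_ids]
    seen_ids.update(e["id"] for e in new)
    if len(events) >= API_LIMIT:
        # The API cannot page past the cap, so events beyond it are lost for
        # this day; advance rather than re-requesting the same day forever.
        warning = (f"{checkpoint}: hit API cap of {API_LIMIT} events; "
                   "remaining events for this day cannot be retrieved")
        log.warning(warning)
        seen_ids.clear()
        return new, checkpoint + timedelta(days=1), warning
    if checkpoint < today:  # past day fully retrieved
        seen_ids.clear()
        return new, checkpoint + timedelta(days=1), None
    return new, checkpoint, None  # still today: keep polling this day


# Constructed sample: 5000 events on Jan 1 (cap reached), 3 events on Jan 2.
SAMPLE_BY_DAY = {
    date(2024, 1, 1): [{"id": f"a{i}", "action": "user.login"} for i in range(5000)],
    date(2024, 1, 2): [{"id": f"b{i}", "action": "user.login"} for i in range(3)],
}


def fetch_sample(day):
    """Stand-in for the API call; real pulls would also add an audit event."""
    return SAMPLE_BY_DAY.get(day, [])


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    seen, cp, today = set(), date(2024, 1, 1), date(2024, 1, 2)
    for _ in range(3):
        events, cp, warn = pull_audit_day(fetch_sample, cp, today, seen)
        print(len(events), "new events, next checkpoint", cp)
```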