- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: How do you get the scan date from scans as a s...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We previously had a dashboard to compare vulnerability results to compliance results and were able to define a date the scan happened to verify patching levels. Were not able to do this with the new add-on. We did create a search time extraction based on a Tenable plugin that has the scan date in it, but the search will only show events for that plugin and not all plugins for the selected scan. Anyone run into this issue or can provide some pointers to get a scan date and show all results? Thanks much!
sourcetype=tenable:sc:vuln plugin_id=19506
| rex field=plugin_id "(?)\d{4}\d{1,2}\d{1,2}"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When we rebuilt the app we specifically dropped scan information. We now pull all data using the analysis api with the vulnerability detail list view (this is the same as the UI view). This allowed us to keep data storage way down and lighten the load put on SC for large deployments. We then index all data using the firstSeen time as the event time to create an event when the "state" (open/reopened/fixed) changes. While this works well today there are a few types of reporting that aren difficult or not possible. We are in the process of update the app to start updating the lastSeen time so that this can be used for reporting. Once this is implemented it will allow you to do similar reporting to last scan time you were doing before with all the other benefits of the new app.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When we rebuilt the app we specifically dropped scan information. We now pull all data using the analysis api with the vulnerability detail list view (this is the same as the UI view). This allowed us to keep data storage way down and lighten the load put on SC for large deployments. We then index all data using the firstSeen time as the event time to create an event when the "state" (open/reopened/fixed) changes. While this works well today there are a few types of reporting that aren difficult or not possible. We are in the process of update the app to start updating the lastSeen time so that this can be used for reporting. Once this is implemented it will allow you to do similar reporting to last scan time you were doing before with all the other benefits of the new app.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@nkeuning Thanks for the information. I'll keep an eye out for the new app and see what else we can do until then.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@nkeuning Thanks for the quick response. Do you have a timeline on when this is supposed to be accomplished and released?
If I'm understanding correctly, this seems like a good metric for an individual host, but when scans per host start at a different time and possibly day, the actual date of the initiation of the scan will be hard to determine. Especially when using Nessus agents as all hosts will scan at a different time and possibly a different day due to the type of the device, if the device was on the network when the scan was scheduled, etc.
Basically, I'm trying to isolate a single scan date, per scan ID, and report based on those metrics. It might be worth while to isolate the "Scan Start Date" in plugin ID 19506 as it's own JSON field so it's easier to search.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The goal is to have the new app out by end of Q1 2019. Unfortunately the way that we need to pull data from SC doesnt lend itself to be correlated back to scans, because it is the collapsed view of all vulnerabilities found across all scans for every asset. The lastSeen date in the new app will be the last time that that vuln was found on that host during a scan. This will be the closest you can get to a scan date.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1.0.7 is released I see. is this the version you were talking about? How could I get a complete count of unique IP addresses which match the number of hosts the Tenable UI shows?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The new version will be 2.x.x. it depends on view but unique assets in t.sc are unique based on ip, repository.id so you could use that in a splunk search and dedupe.
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
