All Apps and Add-ons

How do you get the scan date from scans as a searchable field

bwgates
Explorer

We previously had a dashboard to compare vulnerability results to compliance results and were able to define a date the scan happened to verify patching levels. Were not able to do this with the new add-on. We did create a search time extraction based on a Tenable plugin that has the scan date in it, but the search will only show events for that plugin and not all plugins for the selected scan. Anyone run into this issue or can provide some pointers to get a scan date and show all results? Thanks much!

sourcetype=tenable:sc:vuln plugin_id=19506
| rex field=plugin_id "(?)\d{4}\d{1,2}\d{1,2}"

1 Solution

nkeuning
Communicator

When we rebuilt the app we specifically dropped scan information. We now pull all data using the analysis api with the vulnerability detail list view (this is the same as the UI view). This allowed us to keep data storage way down and lighten the load put on SC for large deployments. We then index all data using the firstSeen time as the event time to create an event when the "state" (open/reopened/fixed) changes. While this works well today there are a few types of reporting that aren difficult or not possible. We are in the process of update the app to start updating the lastSeen time so that this can be used for reporting. Once this is implemented it will allow you to do similar reporting to last scan time you were doing before with all the other benefits of the new app.

View solution in original post

0 Karma

nkeuning
Communicator

When we rebuilt the app we specifically dropped scan information. We now pull all data using the analysis api with the vulnerability detail list view (this is the same as the UI view). This allowed us to keep data storage way down and lighten the load put on SC for large deployments. We then index all data using the firstSeen time as the event time to create an event when the "state" (open/reopened/fixed) changes. While this works well today there are a few types of reporting that aren difficult or not possible. We are in the process of update the app to start updating the lastSeen time so that this can be used for reporting. Once this is implemented it will allow you to do similar reporting to last scan time you were doing before with all the other benefits of the new app.

0 Karma

bwgates
Explorer

@nkeuning Thanks for the information. I'll keep an eye out for the new app and see what else we can do until then.

0 Karma

bwgates
Explorer

@nkeuning Thanks for the quick response. Do you have a timeline on when this is supposed to be accomplished and released?

If I'm understanding correctly, this seems like a good metric for an individual host, but when scans per host start at a different time and possibly day, the actual date of the initiation of the scan will be hard to determine. Especially when using Nessus agents as all hosts will scan at a different time and possibly a different day due to the type of the device, if the device was on the network when the scan was scheduled, etc.

Basically, I'm trying to isolate a single scan date, per scan ID, and report based on those metrics. It might be worth while to isolate the "Scan Start Date" in plugin ID 19506 as it's own JSON field so it's easier to search.

0 Karma

nkeuning
Communicator

The goal is to have the new app out by end of Q1 2019. Unfortunately the way that we need to pull data from SC doesnt lend itself to be correlated back to scans, because it is the collapsed view of all vulnerabilities found across all scans for every asset. The lastSeen date in the new app will be the last time that that vuln was found on that host during a scan. This will be the closest you can get to a scan date.

0 Karma

jaxjohnny2000
Builder

1.0.7 is released I see. is this the version you were talking about? How could I get a complete count of unique IP addresses which match the number of hosts the Tenable UI shows?

0 Karma

nkeuning
Communicator

The new version will be 2.x.x. it depends on view but unique assets in t.sc are unique based on ip, repository.id so you could use that in a splunk search and dedupe.

0 Karma
Get Updates on the Splunk Community!

Set Up More Secure Configurations in Splunk Enterprise With Config Assist

This blog post is part 3 of 4 of a series on Splunk Assist. Click the links below to see the other ...

Observability Highlights | November 2022 Newsletter

 November 2022Observability CloudEnd Of Support Extension for SignalFx Smart AgentSplunk is extending the End ...

Enterprise Security Content Update (ESCU) v3.54.0

The Splunk Threat Research Team (STRT) recently released Enterprise Security Content Update (ESCU) v3.54.0 and ...