All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Nessus vulnerability solution

keronedave
Explorer
‎10-04-2017 02:30 AM

I am trying to find all hosts affected by a specific vulnerability and the solution to remediate that vulnerability as suggested by nessus. Since the solution field is present in the nessus:plugin field and every other information needed present in the nessus:scan sourcetype, nothing I have come up with seems to work. The end result should look something like this.

Vulnerability | Host-IP(s) | Solution
XSS vulnerability | 10.10.10.10 | Patch it
10.10.10.20
10.10.10.30

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

spayneort
Contributor
‎10-04-2017 12:47 PM

Do you have the Splunk Add-on for Tenable installed on your search head? This has automatic lookups to add the plugin data to the nessus:scan sourcetype. You need to enable the saved searches for this to work.

http://docs.splunk.com/Documentation/AddOns/released/Nessus/Enablesavedsearch

Do you get results when you run this search? It should contain all of the plugin data, including the solution:

|inputlookup nessus_plugin_lookup

If so, and the automatic lookup is not working, you can do the lookup manually by adding the following to your nessus:scan search:

|lookup nessus_plugin_lookup id AS plugin_id OUTPUTNEW

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

spayneort
Contributor
‎10-04-2017 12:47 PM

Do you have the Splunk Add-on for Tenable installed on your search head? This has automatic lookups to add the plugin data to the nessus:scan sourcetype. You need to enable the saved searches for this to work.

http://docs.splunk.com/Documentation/AddOns/released/Nessus/Enablesavedsearch

Do you get results when you run this search? It should contain all of the plugin data, including the solution:

|inputlookup nessus_plugin_lookup

If so, and the automatic lookup is not working, you can do the lookup manually by adding the following to your nessus:scan search:

|lookup nessus_plugin_lookup id AS plugin_id OUTPUTNEW
0 Karma
Reply
Solved! Jump to solution

keronedave
Explorer
‎10-05-2017 08:18 AM

Thanks spayneort, that totally did it for me.

0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎10-04-2017 06:39 AM

First, determine one host that you know has the vulnerability but not the patch. Using the host name, search the index to find an event that identifies the vulnerability. Once you find the event, determine a search that will find all hosts that have that kind of event. We will call this "Search 1"

Next, determine one host that has received the patch. Using the host name, search the index to find an event that documents the host receiving the patch. Once you find the event, determine a search that will find all hosts that have received the patch. We will call this "Search 2".

Then run this...

(Search 1) OR (search 2) 
| eval rectype=if(some test for search1,"Vulnerable","Patched")
| stats values(rectype) as rectype by host
| where (mvcount(rectype) < 1) AND (rectype="Vulnerable")
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...