All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk Add-On for Tenable: How do I efficiently correlate Nessus scan and plugin data?

jesperp
Engager
‎10-11-2016 01:10 AM

I have imported Nessus scan data and plugin data into Splunk using the Splunk Add-On for Tenable and have been playing with it.
I would like to generate a table containing description and solution for critical vulnerabilities. In the long run, I would like to create a scheduled search to automate reports per host-ip for all severity=critical findings, but I want the basic search to be efficient first.

Basically I have both sourcetypes (nessus:scan and nessus:plugin) in one index with the field plugin_id in the nessus:scan being the same as id in nessus:plugin. I am trying to create a search where I can get details for a plugin per IP-address.

This search works, but it's very slow and I'm trying to determine if this is the best way to solve it.

(sourcetype=nessus:scan plugin_id=\* severity=critical "host-ip"="A.B.C.D") OR (sourcetype=nessus:plugin id=\*) 
  | eval match_id=coalesce(id,plugin_id) 
  | stats values(\*) AS \* by match_id 
  | search plugin_id=\* id=\* 
  | table host-ip, host_end, match_id, solution, description
0 Karma
Reply

sundareshr
Legend
‎10-11-2016 09:11 AM

The other option would be to create a lookup (updated periodically) of nessus:plugin and use that to get solution & description

sourcetype=nessus:scan plugin_id=* severity=critical "host-ip"="A.B.C.D" | lookup nessusplugin.csv id AS plugin_id OUTPUT solution description | table host-ip, host_end, plugin_id, solution, description

http://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/Lookup

Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...