All Apps and Add-ons

Splunk Add-on for Nessus: How can I retrieve scan results?

jpolcari
Communicator

I have setup the Nessus add-on and Splunk appears to be retrieving data via the API but the scans do not seem to provide any useful information. How can I have Splunk retrieve the actual results from the scan? This is with Nessus Pro. 6.5.4 and Splunk 6.3.1

Here is an example of one of the scans that appears when I search for sourcetype="nessus:scan":

control:  true 
count:  47 
edit_allowed:  true 
folder_id:  846 
hasaudittrail:  true 
haskb:  true 
host-fqdn:  rnxxxxx
host-ip:  10.xx.xx.xx
host_end:  Mon Feb 01 13:43:07 2016 
host_id:  2 
host_start:  Mon Feb 01 13:42:19 2016 
hostcount:  1 
hostname:  rnxxxxx
name:  Policy Audit Testing 
netbios-name:  RNxxxx
object_id:  1007 
pci-can-upload:  false 
plugin_family:  Port scanners 
plugin_id:  34220 
plugin_name:  Netstat Portscanner (WMI) 
policy:  QA - Win10 Audit Policy 
scan_end:  1454352190 
scan_start:  1454352139 
scan_type:  local 
scanner_end:  1454352187 
scanner_name:  Local Scanner 
scanner_start:  1454352139 
severity:  0 
severity_index:  1 
sid:  1007 
status:  completed 
targets:  RNxxxxx
timestamp:  1454352190 
user_permissions:  128 
uuid:  66dc112c-83cc-fb92-746d-1f13b987192fdab3db0239ddc279 
vuln_index:  2 

gfreitas
Builder

Hi jpolcari,

I had the same issue and changed for another app: https://splunkbase.splunk.com/app/2740/. This app downloads the data in JSON format with the full information we need. Try installing it.

Hope this helps.

0 Karma

mab_cu
New Member

If you ever found an answer to this I'd be interested as well. I have Nessus 6.5.5 and Splunk 6.3.3 and I am getting scan data, but something seems missing. The data contains information on the hosts, plugins, etc, as above, but there is very little information on the results on those scans like open ports, TLS versions...

0 Karma

jpolcari
Communicator

Unfortunately, I have not found an answer to this yet. If I do, i'll be sure to share.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In September, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...