Knowledge Management

SPL query that will provide a good or bad credentialed scan based on Severity level from Tenable Security Center

Omarop

Hello,

I am trying to figure out how many good IP addresses vs. bad IP addresses there are based on Tenable Security Center results (severity=low, medium, high, critical). A good scan should show multiple severity-level results, whereas a bad scan would not show as many severity-level results. I would like to get as many fields filled as possible based on an SPL query. More importantly, I would like to get the good vs. bad scan results (credentialed scans) from Tenable Security Center (ACAS). What I mean by this is that when a scan has been initiated, you know a good scan vs. a bad scan, where a good scan can pull multiple vulnerabilities based on the severity levels, whereas a bad scan does not pull as many vulnerabilities and the severity levels are very low or close to nothing at all. I created an SPL query that provides the 26 standard data fields:

IP
repository.dataFormat
netbiosName
dnsName
AWS
hostname
macAddress
OS_Type
OS_Version
operatingSystem
SystemManufacture
SystemSerialNumber
SystemModel
AWSAccountNumber
AWSInstanceID
AWSENI
passFail
plugin_id
pluginName
repository.name
cpe
low
medium
high
critical
total
Country
lat
lon

SPL Query

earliest=-7d@d index=acas sourcetype="tenable:sc:vuln"
| rex field=operatingSystem "^(?P<OS_Type>\w+)\.(?P<OS_Version>.*)$"
| rex field=dnsName "^(?P<hostname>\w+)\.(?P<domain>.*)$"
| rex field=system "^(?P<SystemManufacture>\w+)\.(?P<SystemSerialNumber>.*)$"
| rex field=pluginText "<cm:compliance-result>(?<passFail>\w+)</cm:compliance-result>"
| eval AWS=if(like(dnsName,"clou%"),"TRUE","FALSE")
| iplocation ip
| eventstats count(eval(severity="informational")) as informational, count(eval(severity="low")) as low, count(eval(severity="medium")) as medium, count(eval(severity="high")) as high, count(eval(severity="critical")) as critical by ip
| dedup ip
| eval total = low+medium+high+critical
| table ip, repository.dataFormat, netbiosName, dnsName, AWS, hostname, macAddress, OS_Type, OS_Version, operatingSystem, SystemManufacture, SystemSerialNumber, SystemModel, AWSAccountNumber, AWSInstanceID, AWSENI, passFail, plugin_id, pluginName, repository.name, cpe, low, medium, high, critical, total, Country, lat, lon


Omarop

So I ran another query to check for credentialed_Scan:true, and the severity-level scores are not accurate. I am only getting a low severity level = 1. Can someone please tell me how I can get a good count of the severity levels?

earliest=-7d@d index=acas sourcetype="tenable:sc:vuln"
| where match(pluginText, "credentialed_Scan:true")
| rex field=operatingSystem "^(?P<OS_Type>\w+)\.(?P<OS_Version>.*)$"
| rex field=dnsName "^(?P<hostname>\w+)\.(?P<domain>.*)$"
| rex field=system "^(?P<SystemManufacture>\w+)\.(?P<SystemSerialNumber>.*)$"
| eval AWS=if(like(dnsName,"clou%"),"TRUE","FALSE")
| iplocation ip
| eventstats count(eval(severity="informational")) as informational, count(eval(severity="low")) as low, count(eval(severity="medium")) as medium, count(eval(severity="high")) as high, count(eval(severity="critical")) as critical by ip
| dedup ip
| eval total = low+medium+high+critical
| table ip, repository.dataFormat, netbiosName, dnsName, AWS, hostname, macAddress, OS_Type, OS_Version, operatingSystem, SystemManufacture, SystemSerialNumber, SystemModel, AWSAccountNumber, AWSInstanceID, AWSENI, passFail, plugin_id, pluginName, repository.name, cpe, low, medium, high, critical, total, Country, lat, lon

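The following is an added example (not from the original posts) showing one way to get the per-host credentialed good/bad split that the two posts above ask for. The `where match(pluginText, ...)` filter in the second query keeps only the events whose plugin text contains the credential marker, so every other plugin's finding for that host is discarded before `eventstats` runs and the severity counts collapse. The query below instead derives the credential status per host from a single event and then counts severities over all of the host's events. It assumes the Tenable Add-on's `tenable:sc:vuln` events carry `ip`, `plugin_id`, `pluginText` and a severity name either in `severity` or `severity.name` (both are case-folded); that Nessus plugin 19506 (Nessus Scan Information) is present, whose output contains the line `Credentialed checks : yes` or `Credentialed checks : no`; and an arbitrary threshold of five rated findings for calling a credentialed scan "good". The field names `cred`, `credentialed` and `scan_quality` are invented for this example.

```spl
earliest=-7d@d index=acas sourcetype="tenable:sc:vuln"
| eval severity=lower(coalesce('severity.name', severity))
| eval cred=case(plugin_id="19506" AND match(pluginText, "(?i)Credentialed checks\s*:\s*yes"), "yes",
                 plugin_id="19506" AND match(pluginText, "(?i)Credentialed checks\s*:\s*no"), "no")
| eventstats max(cred) as credentialed by ip
| eventstats count(eval(severity="informational")) as informational,
             count(eval(severity="low")) as low,
             count(eval(severity="medium")) as medium,
             count(eval(severity="high")) as high,
             count(eval(severity="critical")) as critical by ip
| dedup ip
| fillnull value=0 informational low medium high critical
| eval total=low+medium+high+critical
| eval scan_quality=case(credentialed="no", "bad: credentials not accepted",
                         credentialed="yes" AND total>=5, "good: credentialed with findings",
                         credentialed="yes", "bad: credentialed but almost no findings",
                         true(), "unknown: no plugin 19506 result for host")
| table ip, dnsName, credentialed, informational, low, medium, high, critical, total, scan_quality
| sort - total
```

`max(cred)` is used because Splunk orders non-numeric values lexicographically, so a host that reported `yes` in any scan of the window counts as credentialed; the `true()` branch catches hosts for which plugin 19506 was not returned at all, which is itself worth investigating. To get the headline numbers rather than the per-host table, append `| stats count by scan_quality`. Additional "bad" signals such as plugin 21745 (Authentication Failure - Local Checks Not Run) can be added as further `case()` branches on `plugin_id`.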

Omarop

I really need some help with this query. Is there someone who can assist me with this matter? Your help will be gladly appreciated.
