
SPL query that will provide a good or bad credentialed scan based on Severity level from Tenable Security Center

Omarop
Loves-to-Learn Lots

Hello,

 

I am trying to figure out how many good IP addresses vs. bad IP addresses there are based on Tenable Security Center results (severity=low, medium, high, critical). A good scan should show multiple severity level results, whereas a bad scan would not show as many severity level results. I would like to get as many fields as possible filled by the SPL query. More importantly, I would like to get the good vs. bad scan results (credentialed scans) from Tenable Security Center (ACAS). What I mean by this is that when a scan has been initiated, you know a good scan from a bad scan, because a good scan can pull multiple vulnerabilities across the severity levels, whereas a bad scan does not pull as many vulnerabilities and the severity levels are very low or close to nothing at all. I created an SPL query that provides the 26 standard data fields:

IP
repository.dataFormat
netbiosName
dnsName
AWS
hostname
macAddress
OS_Type
OS_Version
operatingSystem
SystemManufacture
SystemSerialNumber
SystemModel
AWSAccountNumber
AWSInstanceID
AWSENI
passFail
plugin_id
pluginName
repository.name
cpe
low
medium
high
critical
total
Country
lat
lon

SPL Query

earliest=-7d@d index=acas sourcetype="tenable:sc:vuln"
| rex field=operatingSystem "^(?P<OS_Type>\w+)\.(?P<OS_Version>.*)$"
| rex field=dnsName "^(?P<hostname>\w+)\.(?P<domain>.*)$"
| rex field=system "^(?P<SystemManufacture>\w+)\.(?P<SystemSerialNumber>.*)$"
| rex field=pluginText "\<cm\:compliance-result\>(?<status>\w+)\<\/cm\:compliance-result\>"
| eval AWS=if(like(dnsName,"clou%"),"TRUE","FALSE")
| iplocation ip
| eventstats count(eval(severity="informational")) as informational, count(eval(severity="low")) as low, count(eval(severity="medium")) as medium, count(eval(severity="high")) as high, count(eval(severity="critical")) as critical by ip
| dedup ip
| eval total = low+medium+high+critical
| table ip, repository.dataFormat, netbiosName, dnsName, AWS, hostname, macAddress, OS_Type, OS_Version, operatingSystem, SystemManufacture, SystemSerialNumber, SystemModel, AWSAccountNumber, AWSInstanceID, AWSENI, passFail, plugin_id, pluginName, repository.name, cpe, low, medium, high, critical, total, Country, lat, lon

 

0 Karma

Omarop
Loves-to-Learn Lots

So I ran another query to check for credentialed_Scan:true, and the severity level scores are not accurate. I am only getting a low severity level = 1. Can someone please tell me how I can get a good count of the severity levels?

earliest=-7d@d index=acas sourcetype="tenable:sc:vuln"
| where match(pluginText, "credentialed_Scan:true")
| rex field=operatingSystem "^(?P<OS_Type>\w+)\.(?P<OS_Version>.*)$"
| rex field=dnsName "^(?P<hostname>\w+)\.(?P<domain>.*)$"
| rex field=system "^(?P<SystemManufacture>\w+)\.(?P<SystemSerialNumber>.*)$"
| eval AWS=if(like(dnsName,"clou%"),"TRUE","FALSE")
| iplocation ip
| eventstats count(eval(severity="informational")) as informational, count(eval(severity="low")) as low, count(eval(severity="medium")) as medium, count(eval(severity="high")) as high, count(eval(severity="critical")) as critical by ip
| dedup ip
| eval total = low+medium+high+critical
| table ip, repository.dataFormat, netbiosName, dnsName, AWS, hostname, macAddress, OS_Type, OS_Version, operatingSystem, SystemManufacture, SystemSerialNumber, SystemModel, AWSAccountNumber, AWSInstanceID, AWSENI, passFail, plugin_id, pluginName, repository.name, cpe, low, medium, high, critical, total, Country, lat, lon

0 Karma
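The collapse to "low = 1" in the query above comes from where the filter sits: `where match(pluginText, "credentialed_Scan:true")` keeps only the single event per host whose plugin text carries that marker, so the `eventstats` counts that follow see one event per IP. The added example below (editor's example, not the original poster's query or anything shipped with the Tenable add-on) keeps every vulnerability event, turns the credentialed marker into a per-host flag with `eventstats max()`, and only then counts severities and grades the scan. It assumes the same index, sourcetype and field names as the thread (`ip`, `severity`, `pluginText`, and the `credentialed_Scan:true` string); the threshold of 5 findings for a "good" credentialed scan is a constructed placeholder to tune against your own environment.

```spl
earliest=-7d@d index=acas sourcetype="tenable:sc:vuln"
| eval credentialed=if(match(pluginText, "credentialed_Scan:true"), 1, 0)
| eventstats max(credentialed) as credentialed_scan,
    count(eval(severity="informational")) as informational,
    count(eval(severity="low")) as low,
    count(eval(severity="medium")) as medium,
    count(eval(severity="high")) as high,
    count(eval(severity="critical")) as critical
    by ip
| dedup ip
| eval total=low+medium+high+critical
| eval scan_result=case(credentialed_scan=0, "not credentialed",
                        total<5, "bad",
                        true(), "good")
| table ip, credentialed_scan, informational, low, medium, high, critical, total, scan_result
| sort - total
```

Because the flag is computed across all of a host's events before `dedup ip` collapses them, each remaining row carries both the credentialed status and the full severity counts; a `where credentialed_scan=1` after the `eventstats` (rather than before it) restricts the table to credentialed hosts without discarding the counts. The `rex`, `iplocation` and extra asset fields from the original query can be dropped back in before the `table` unchanged.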

Omarop
Loves-to-Learn Lots

I really need some help with this query. Is there someone who can assist me with this matter? Your help will be gladly appreciated.

0 Karma