Hello,
I am trying to figure out how many good IP addresses vs bad IP addresses there are based on Tenable Security Center results (severity=low, medium, high, critical). A good scan should show multiple severity level results, whereas a bad scan would not show as many severity level results. I would like to get as many fields filled as possible based on the SPL query. More importantly, I would like to get the good vs bad scan results (credentialed scans) from Tenable Security Center (ACAS). What I mean by this is that when a scan has been initiated, you know a good scan vs a bad scan, where a good scan can pull multiple vulnerabilities based on the severity levels, whereas a bad scan does not pull as many vulnerabilities and the severity levels are very low or close to nothing at all. I created an SPL query that provides the 26 standard data fields:
IP
repository.dataFormat
netbiosName
dnsName
AWS
hostname
macAddress
OS_Type
OS_Version
operatingSystem
SystemManufacture
SystemSerialNumber
SystemModel
AWSAccountNumber
AWSInstanceID
AWSENI
passFail
plugin_id
pluginName
repository.name
cpe
low
medium
high
critical
total
Country
lat
lon
SPL Query
earliest=7d@d index=acas sourcetype="tenable:sc:vuln"
| rex field=operatingSystem "^(?P<OS_Type>\w+)\.(?P<OS_Version>.*)$"
| rex field=dnsName "^(?P<hostname>\w+)\.(?P<domain>.*)$"
| rex field=system "^(?P<SystemManufacture>\w+)\.(?P<SystemSerialNumber>.*)$"
| rex field=pluginText "\<cm\:compliance-result\>(?<passFail>\w+)\<\/cm\:compliance-result\>"
| eval AWS=if(like(dnsName,"clou%"),"TRUE","FALSE")
| iplocation ip
| eventstats count(eval(severity="informational")) as informational, count(eval(severity="low")) as low, count(eval(severity="medium")) as medium, count(eval(severity="high")) as high, count(eval(severity="critical")) as critical by ip
| dedup ip
| eval total = low+medium+high+critical
| table ip, repository.dataFormat, netbiosName, dnsName, AWS, hostname, macAddress, OS_Type, OS_Version, operatingSystem, SystemManufacture, SystemSerialNumber, SystemModel, AWSAccountNumber, AWSInstanceID, AWSENI, passFail, plugin_id, pluginName, repository.name, cpe, low, medium, high, critical, total, Country, lat, lon
So I ran another query to check for credentialed_Scan:true, and the severity level scores are not accurate. I am only getting a low severity level = 1. Can someone please tell me how I can get a good count of the severity levels?
earliest=7d@d index=acas sourcetype="tenable:sc:vuln"
| where match(pluginText, "credentialed_Scan:true")
| rex field=operatingSystem "^(?P<OS_Type>\w+)\.(?P<OS_Version>.*)$"
| rex field=dnsName "^(?P<hostname>\w+)\.(?P<domain>.*)$"
| rex field=system "^(?P<SystemManufacture>\w+)\.(?P<SystemSerialNumber>.*)$"
| eval AWS=if(like(dnsName,"clou%"),"TRUE","FALSE")
| iplocation ip
| eventstats count(eval(severity="informational")) as informational, count(eval(severity="low")) as low, count(eval(severity="medium")) as medium, count(eval(severity="high")) as high, count(eval(severity="critical")) as critical by ip
| dedup ip
| eval total = low+medium+high+critical
| table ip, repository.dataFormat, netbiosName, dnsName, AWS, hostname, macAddress, OS_Type, OS_Version, operatingSystem, SystemManufacture, SystemSerialNumber, SystemModel, AWSAccountNumber, AWSInstanceID, AWSENI, passFail, plugin_id, pluginName, repository.name, cpe, low, medium, high, critical, total, Country, lat, lon
I really need some help with this query. Is there someone who can assist me with this matter? Your help will be greatly appreciated.
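The following is an added example, not part of the original post. In the second query above, `where match(pluginText, "credentialed_Scan:true")` runs before `eventstats`, so the only events left to count per host are those whose pluginText contains that string; the severity counts then reflect that handful of events rather than every finding for the host. The search below instead derives a per-host credentialed flag with `eventstats max(...) by ip` over all of the host's events, applies the filter afterwards, and only then counts severities. It assumes the field names used in the question (`ip`, `pluginText`, `severity` holding the lowercase level names); the `scan_quality` thresholds are an illustrative assumption, not a Tenable or Splunk definition, and `-7d@d` is the signed relative-time form.

```spl
earliest=-7d@d index=acas sourcetype="tenable:sc:vuln"
| eval credentialed_evt=if(match(coalesce(pluginText, ""), "credentialed_Scan:true"), 1, 0)
| eventstats max(credentialed_evt) as credentialed_scan by ip
| where credentialed_scan=1
| eventstats sum(eval(if(severity="informational", 1, 0))) as informational,
             sum(eval(if(severity="low", 1, 0))) as low,
             sum(eval(if(severity="medium", 1, 0))) as medium,
             sum(eval(if(severity="high", 1, 0))) as high,
             sum(eval(if(severity="critical", 1, 0))) as critical by ip
| dedup ip
| eval total=low+medium+high+critical
| eval scan_quality=if(total>=5 AND (medium+high+critical)>0, "good", "suspect")
| table ip, credentialed_scan, informational, low, medium, high, critical, total, scan_quality
```

Because the flag is computed before any filtering, a host whose scan-information plugin reported credentialed_Scan:true keeps all of its vulnerability events for the `eventstats` counts, and `dedup ip` then collapses the result to one row per host. Hosts that never reported a credentialed scan are dropped by the `where`; remove that line and keep `credentialed_scan` in the table if you want to compare credentialed and non-credentialed hosts side by side.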