
SPL query that will provide a good or bad credentialed scan based on Severity level from Tenable Security Center

Omarop

Hello,

 

I am trying to figure out how many good IP addresses vs bad IP addresses there are based on Tenable Security Center results (severity=low, medium, high, critical). A good scan should show multiple severity level results, whereas a bad scan would not show as many severity level results. I would like to get as many fields filled as possible based on an SPL query. More importantly, I would like to get the good vs bad scan results (credentialed scans) from Tenable Security Center (ACAS). What I mean by this is that when a scan has been initiated, you know a good scan vs a bad scan, where a good scan can pull multiple vulnerabilities based on the severity levels, whereas a bad scan does not pull as many vulnerabilities and the severity levels are very low or close to nothing at all. I created an SPL query that provides the 26 standard data fields:

IP
repository.dataFormat
netbiosName
dnsName
AWS
hostname
macAddress
OS_Type, OS_Version
operatingSystem
SystemManufacture
SystemSerialNumber
SystemModel
AWSAccountNumber
AWSInstanceID
AWSENI
passFail
plugin_id
pluginName
repository.name, cpe
low, medium, high, critical
total
Country
lat
lon

SPL Query

earliest=-7d@d index=acas sourcetype="tenable:sc:vuln"
| rex field=operatingSystem "^(?P<OS_Type>\w+)\.(?P<OS_Version>.*)$"
| rex field=dnsName "^(?P<hostname>\w+)\.(?P<domain>.*)$"
| rex field=system "^(?P<SystemManufacture>\w+)\.(?P<SystemSerialNumber>.*)$"
| rex field=pluginText "\<cm\:compliance-result\>(?<status>\w+)\<\/cm\:compliance-result\>"
| eval AWS=if(like(dnsName,"clou%"),"TRUE","FALSE")
| iplocation ip
| eventstats count(eval(severity="informational")) as informational, count(eval(severity="low")) as low, count(eval(severity="medium")) as medium, count(eval(severity="high")) as high, count(eval(severity="critical")) as critical by ip
| dedup ip
| eval total = low+medium+high+critical
| table ip, repository.dataFormat, netbiosName, dnsName, AWS, hostname, macAddress, OS_Type, OS_Version, operatingSystem, SystemManufacture, SystemSerialNumber, SystemModel, AWSAccountNumber, AWSInstanceID, AWSENI, passFail, plugin_id, pluginName, repository.name, cpe, low, medium, high, critical, total, Country, lat, lon

 


Omarop

So I ran another query to check for "credentialed_Scan:true" and the severity level scores are not accurate. I am only getting a low severity level = 1. Can someone please tell me how I can get a good count of the severity levels?

earliest=-7d@d index=acas sourcetype="tenable:sc:vuln"
| where match(pluginText, "credentialed_Scan:true")
| rex field=operatingSystem "^(?P<OS_Type>\w+)\.(?P<OS_Version>.*)$"
| rex field=dnsName "^(?P<hostname>\w+)\.(?P<domain>.*)$"
| rex field=system "^(?P<SystemManufacture>\w+)\.(?P<SystemSerialNumber>.*)$"
| eval AWS=if(like(dnsName,"clou%"),"TRUE","FALSE")
| iplocation ip
| eventstats count(eval(severity="informational")) as informational, count(eval(severity="low")) as low, count(eval(severity="medium")) as medium, count(eval(severity="high")) as high, count(eval(severity="critical")) as critical by ip
| dedup ip
| eval total = low+medium+high+critical
| table ip, repository.dataFormat, netbiosName, dnsName, AWS, hostname, macAddress, OS_Type, OS_Version, operatingSystem, SystemManufacture, SystemSerialNumber, SystemModel, AWSAccountNumber, AWSInstanceID, AWSENI, passFail, plugin_id, pluginName, repository.name, cpe, low, medium, high, critical, total, Country, lat, lon

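As an added example (not from the original post), a stats-based variant of the same query that keeps every finding for an IP, carries the credentialed marker as a per-IP flag instead of filtering on it, and labels each IP good or bad by its finding count. The `where match(pluginText, ...)` line in the query above keeps only the events whose own pluginText contains the marker, so every other finding for that host is dropped before the counts are taken. Assumptions: severity is a plain string field (lower-cased here in case it is capitalised), and the threshold of 10 non-informational findings is a placeholder to tune against hosts known to have scanned well.

```spl
earliest=-7d@d index=acas sourcetype="tenable:sc:vuln"
| eval sev=lower(severity)
| eval credentialed=if(match(pluginText, "credentialed_Scan:true"), 1, 0)
| stats count(eval(sev="informational")) as informational,
        count(eval(sev="low")) as low,
        count(eval(sev="medium")) as medium,
        count(eval(sev="high")) as high,
        count(eval(sev="critical")) as critical,
        max(credentialed) as credentialed,
        values(dnsName) as dnsName,
        values(operatingSystem) as operatingSystem
  by ip
| eval total=low+medium+high+critical
| eval scan_quality=case(credentialed=0, "not credentialed",
                         total>=10, "good",
                         true(), "bad")
| iplocation ip
| table ip, dnsName, operatingSystem, credentialed, informational, low, medium, high, critical, total, scan_quality, Country, lat, lon
| sort scan_quality, -total
```

Append `| stats count by scan_quality` to get the good/bad/not-credentialed totals instead of the per-IP rows.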

Omarop

I really need some help with this query. Is there someone that can assist me with this matter? Your help will gladly be appreciated.
