Splunk Enterprise Security

Anyone have any ideas with Enterprise Security and Rapid7 to get the dest_ip, host name to be displayed/used instead of the asset number (which is wrong)?

brian1_tate
Path Finder

Hello all,

It appears that Rapid7 has goofed the TA to provide their asset data as the destination (dest field) instead of relating it to an 'actual' location as one would expect in Enterprise Security in the Vulnerability Center. You can't go there, search there - even get their data to actually populate the panels with anything but the dest field (not dest_ip and/or dest_host).

Any thoughts on getting this to properly populate in Enterprise Security? Maybe concatenate or something here anyone?

| tstats summariesonly=true allow_old_summaries=true dc(Vulnerabilities.signature) as vuln_count
    from datamodel=Vulnerabilities.Vulnerabilities where * by Vulnerabilities.severity, Vulnerabilities.dest
| chart useother=0 first(vuln_count) over Vulnerabilities.dest by Vulnerabilities.severity
| rename "Vulnerabilities.*" as *
| search dest=388062 medium=31
| eval total=case(critical>0 AND high>0, critical+high, critical>0, critical, high>0, high, 1==1, 0)
| eval subTotal=case(medium>0 AND low>0, medium+low, medium>0, medium, low>0, low, 1==1, 0)
| eval subSubTotal=case(informational>0 AND unknown>0, informational+unknown, informational>0, informational, unknown>0, unknown, 1==1, 0)
| sort 10 - total, subTotal, subSubTotal
| fields - total, subTotal, subSubTotal

1 Solution

jonathan_stewar
Path Finder

Hi brian1_tate -- thanks for contacting us.

To my knowledge, you would need to edit the nexpose_cim_data_generator.py file (line 276) so that dest is set to the IP or host e.g.
dest = row[4]
dest = row[5]
However, that may have knock-on effects for the vulnerability association (since it also uses the asset ID as 'dest') and charts.
The dest field is set in nexpose_cim_data_generator.py script (lines 156 for vulnerability events, 276 for asset events). Changing this may affect the dashboard and so you would need to test these modifications before you implement them.
Jonathan.


0 Karma
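As an added illustration of the accepted answer's approach (example code, not the Rapid7 TA's own nexpose_cim_data_generator.py), the Python below derives one dest per asset (IP, then hostname, else the asset id) and applies the same mapping to the vulnerability rows, so the asset/vulnerability association Jonathan warns about is preserved and any asset still reporting a bare number can be listed. Column positions row[4] for IP and row[5] for hostname follow the answer; the vulnerability row layout and all sample values are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample rows (not real Nexpose export data). Asset rows follow the
# answer's column positions: asset id in row[0], IP in row[4], hostname in row[5].
# The vulnerability row layout (asset id, severity, signature) is an assumption.
ASSET_ROWS = [
    ["388062", "HQ", "Linux", "850", "10.0.0.5", "web01.example.internal"],
    ["388063", "HQ", "Windows", "120", "", "fs02"],   # no IP, hostname only
    ["388064", "DC2", "Unknown", "0", "", ""],        # neither: id is all we have
]
VULN_ROWS = [
    ["388062", "critical", "ssl-weak-cipher"],
    ["388063", "medium", "smb-signing-disabled"],
    ["388064", "low", "icmp-timestamp"],
]

_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def is_hostname(value):
    # A bare number is the asset id leaking through, not a host name.
    if not value or value.isdigit() or len(value) > 253:
        return False
    return all(_LABEL.match(label) for label in value.split("."))

def asset_dest_map(asset_rows, id_col=0, ip_col=4, host_col=5):
    """One dest per asset: IP first, then hostname, else the asset id."""
    dest_by_asset = {}
    for row in asset_rows:
        ip, host = row[ip_col].strip(), row[host_col].strip()
        dest_by_asset[row[id_col]] = ip if is_ip(ip) else host if is_hostname(host) else row[id_col]
    return dest_by_asset

def normalise_vulns(vuln_rows, dest_by_asset, id_col=0, sev_col=1, sig_col=2):
    """Vulnerability events reuse the asset's dest so the two event types stay joinable."""
    return [{"dest": dest_by_asset.get(r[id_col], r[id_col]), "asset_id": r[id_col],
             "severity": r[sev_col], "signature": r[sig_col]} for r in vuln_rows]

def unresolved(dest_by_asset):
    """Assets whose dest is still the bare id; these keep showing up as numbers in ES."""
    return sorted(a for a, d in dest_by_asset.items() if d == a)
```

The asset_id is kept as its own field so nothing the TA currently emits is lost when dest changes.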

windbishn
Explorer

Brian,

Wrestled with this one a while back and I ultimately achieved good results by editing the Vulnerabilities datamodel and related dashboards changing the field from "dest" to "dest_ip" which is the correct field when the data is inputted and indexed from the Rapid7 app.

I hope to have understood your question correctly,

Nathaniel

0 Karma
