Splunk Enterprise Security

Anyone have any ideas with Enterprise Security and Rapid7 to get the dest_ip, host name to be displayed/used instead of the asset number (which is wrong)?

brian1_tate
Path Finder

Hello all,

It appears that Rapid7 has goofed the TA to provide their asset data as the destination (dest field) instead of relating it to an 'actual' location as one would expect in Enterprise Security in the Vulnerability Center. You can't go there, search there - even get their data to actually populate the panels with anything but the dest field (not dest_ip and/or dest_host).

Any thoughts on getting this to properly populate in Enterprise Security? Maybe concatenate or something here anyone?

| tstats summariesonly=true allow_old_summaries=true dc(Vulnerabilities.signature) as vuln_count from datamodel=Vulnerabilities.Vulnerabilities where * by Vulnerabilities.severity,Vulnerabilities.dest | chart useother=0 first(vuln_count) over Vulnerabilities.dest by Vulnerabilities.severity | rename "Vulnerabilities.*" as * | search dest=388062 medium=31 | eval total=case(critical>0 AND high>0,critical+high,critical>0,critical,high>0,high,1==1,0) | eval subTotal=case(medium>0 AND low>0,medium+low,medium>0,medium,low>0,low,1==1,0) | eval subSubTotal=case(informational>0 AND unknown>0,informational+unknown,informational>0,informational,unknown>0,unknown,1==1,0) | sort 10 - total,subTotal,subSubTotal | fields - total,subTotal,subSubTotal

1 Solution

jonathan_stewar
Path Finder

Hi brian1_tate -- thanks for contacting us.

To my knowledge, you would need to edit the nexpose_cim_data_generator.py file (line 276) so that dest is set to the IP or host e.g.
dest = row[4]
dest = row[5]
However, that may have knock-on effects for the vulnerability association (since it also uses the asset ID as 'dest') and charts.
The dest field is set in nexpose_cim_data_generator.py script (lines 156 for vulnerability events, 276 for asset events). Changing this may affect the dashboard and so you would need to test these modifications before you implement them.
Jonathan.

View solution in original post

0 Karma

windbishn
Explorer

Brian,

Wrestled with this one a while back and I ultimately achieved good results by editing the Vulnerabilities datamodel and related dashboards changing the field from "dest" to "dest_ip" which is the correct field when the data is inputted and indexed from the Rapid7 app.

I hope to have understood your question correctly,

Nathaniel

0 Karma

jonathan_stewar
Path Finder

Hi brian1_tate -- thanks for contacting us.

To my knowledge, you would need to edit the nexpose_cim_data_generator.py file (line 276) so that dest is set to the IP or host e.g.
dest = row[4]
dest = row[5]
However, that may have knock-on effects for the vulnerability association (since it also uses the asset ID as 'dest') and charts.
The dest field is set in nexpose_cim_data_generator.py script (lines 156 for vulnerability events, 276 for asset events). Changing this may affect the dashboard and so you would need to test these modifications before you implement them.
Jonathan.

0 Karma
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...