Splunk Enterprise Security

Anyone have any ideas with Enterprise Security and Rapid7 to get the dest_ip, host name to be displayed/used instead of the asset number (which is wrong)?

brian1_tate
Path Finder

Hello all,

It appears that Rapid7 has goofed the TA to provide their asset data as the destination (dest field) instead of relating it to an 'actual' location as one would expect in Enterprise Security in the Vulnerability Center. You can't go there, search there - even get their data to actually populate the panels with anything but the dest field (not dest_ip and/or dest_host).

Any thoughts on getting this to properly populate in Enterprise Security? Maybe concatenate or something here anyone?

| tstats summariesonly=true allow_old_summaries=true dc(Vulnerabilities.signature) as vuln_count from datamodel=Vulnerabilities.Vulnerabilities where * by Vulnerabilities.severity,Vulnerabilities.dest | chart useother=0 first(vuln_count) over Vulnerabilities.dest by Vulnerabilities.severity | rename "Vulnerabilities.*" as * | search dest=388062 medium=31 | eval total=case(critical>0 AND high>0,critical+high,critical>0,critical,high>0,high,1==1,0) | eval subTotal=case(medium>0 AND low>0,medium+low,medium>0,medium,low>0,low,1==1,0) | eval subSubTotal=case(informational>0 AND unknown>0,informational+unknown,informational>0,informational,unknown>0,unknown,1==1,0) | sort 10 - total,subTotal,subSubTotal | fields - total,subTotal,subSubTotal

1 Solution

jonathan_stewar
Path Finder

Hi brian1_tate -- thanks for contacting us.

To my knowledge, you would need to edit the nexpose_cim_data_generator.py file (line 276) so that dest is set to the IP or host e.g.
dest = row[4]
dest = row[5]
However, that may have knock-on effects for the vulnerability association (since it also uses the asset ID as 'dest') and charts.
The dest field is set in nexpose_cim_data_generator.py script (lines 156 for vulnerability events, 276 for asset events). Changing this may affect the dashboard and so you would need to test these modifications before you implement them.
Jonathan.

View solution in original post

0 Karma

windbishn
Explorer

Brian,

Wrestled with this one a while back and I ultimately achieved good results by editing the Vulnerabilities datamodel and related dashboards changing the field from "dest" to "dest_ip" which is the correct field when the data is inputted and indexed from the Rapid7 app.

I hope to have understood your question correctly,

Nathaniel

0 Karma

jonathan_stewar
Path Finder

Hi brian1_tate -- thanks for contacting us.

To my knowledge, you would need to edit the nexpose_cim_data_generator.py file (line 276) so that dest is set to the IP or host e.g.
dest = row[4]
dest = row[5]
However, that may have knock-on effects for the vulnerability association (since it also uses the asset ID as 'dest') and charts.
The dest field is set in nexpose_cim_data_generator.py script (lines 156 for vulnerability events, 276 for asset events). Changing this may affect the dashboard and so you would need to test these modifications before you implement them.
Jonathan.

0 Karma
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

March Community Office Hours Security Series Uncovered!

Hello Splunk Community! In March, Splunk Community Office Hours spotlighted our fabulous Splunk Threat ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars in April. This post ...