Splunk Enterprise Security

What's your favorite vuln scanner to use with Splunk?

Builder

All,

What's your favorite vulnerability scanner to use with Splunk? That is, what have you seen generate the best logs and metrics for Splunk data models and CIM?


New Member

With all due respect to the poster stating that vuln scan data is "state data" and should remain resident outside of Splunk, that response is very short-sighted and under-appreciates why one would want the data there.

Tenable products work well for vuln scanning, but they're less awesome for policy-based scans. Qualys has a better policy scanner, but it too has issues if you want to import into Splunk. If you're looking for a cost-effective option for simpler data processing environments (i.e. one data center), and can roll your own reporting, Nessus Pro is a great solution.


Explorer

Hello. If you want a commercial product, Nessus is so good, but if you want a free vuln scanner, you can use OpenVAS. It has an app for Splunk, but it's not released on Splunkbase; it is accessible from the OpenVAS website (google for it!). You can also send OpenVAS scan results to Splunk with syslog and parse them manually.


New Member

Hi! Can you add a link to the OpenVAS App for Splunk? (yes, Google deleted it :C)

Thank you!


Explorer

Hi, you can find it in the Tools section of the docs subdomain of the Greenbone website.


Legend

Hi @daniel333,
if you're speaking about a probe like Nessus, we usually use Tenable Nessus and SecurityCenter integrated with Splunk, and we have good results from the app on Splunkbase ( https://splunkbase.splunk.com/app/4061/ ) and from creating our own searches.

Ciao.
Giuseppe


SplunkTrust

None, vuln data is state and belongs in a database. Trying to turn Splunk into a vuln management tool when it is based on time series events leads to pain. The best compromise is run reports of key vulns and send only that to Splunk for alerting and correlation. Just don’t try to feed everything in.
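The two practical suggestions in this thread (parse OpenVAS scan results yourself, and send Splunk only the key vulns from a report rather than the whole scan) come down to the same small pipeline. The following is an added example, not code from the original posts, from Greenbone or from Splunk: it reads a constructed CSV in the general shape of an OpenVAS report export, maps each row onto CIM Vulnerabilities data model field names (dest, severity, signature, cve, cvss, vendor_product), keeps only findings at or above a severity floor, and emits one JSON event per line. The CSV column names, the sample rows and the placeholder CVE identifiers are assumptions made for this example; check the columns against a real export from your scanner before using it.

```python
import csv
import io
import json

# Constructed sample in the general shape of a Greenbone/OpenVAS CSV report
# export. Column names, hosts, finding names and the placeholder CVE ids are
# assumptions for this example, not a documented export format.
SAMPLE_CSV = """IP,Hostname,Port,Severity,CVSS,NVT Name,CVEs
10.0.0.5,web01,443/tcp,High,7.5,Outdated TLS configuration,CVE-0001-0001
10.0.0.5,web01,22/tcp,Low,2.6,Weak SSH MAC algorithms offered,
10.0.0.9,db01,3306/tcp,Medium,5.0,Database accepts unencrypted connections,
10.0.0.12,dc01,445/tcp,Critical,9.3,Legacy file-sharing protocol enabled,"CVE-0001-0003,CVE-0001-0004"
10.0.0.20,print01,9100/tcp,Bogus,0.0,Printer banner disclosure,
"""

# Values of the CIM Vulnerabilities "severity" field, lowest to highest.
SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def parse_scan_csv(text):
    """Parse a CSV export into a list of dicts keyed by header name."""
    return list(csv.DictReader(io.StringIO(text)))


def normalize_severity(raw):
    """Map the scanner's label onto CIM values. Unknown labels are demoted to
    'informational' rather than dropped, so a renamed label in a future export
    never silently promotes a finding into the alerting tier."""
    label = (raw or "").strip().lower()
    if label == "log":  # OpenVAS uses "Log" for informational findings
        return "informational"
    return label if label in SEVERITY_RANK else "informational"


def to_cim_event(row):
    """Build one event using CIM Vulnerabilities field names. A multi-CVE cell
    becomes a list, which Splunk indexes as a multivalue field from JSON."""
    cves = [c.strip() for c in (row.get("CVEs") or "").split(",") if c.strip()]
    return {
        "dest": row["IP"],
        "severity": normalize_severity(row.get("Severity")),
        "signature": row["NVT Name"],
        "cve": cves,
        "cvss": float(row["CVSS"]) if row.get("CVSS") else None,
        "vendor_product": "Greenbone OpenVAS",
        # Not core CIM fields; kept under plain names because they help in searches.
        "port": row.get("Port", ""),
        "hostname": row.get("Hostname", ""),
    }


def filter_key_vulns(events, min_severity="high"):
    """Keep only findings at or above min_severity: the "key vulns" worth
    shipping to Splunk for alerting, instead of the whole scan."""
    floor = SEVERITY_RANK[min_severity]
    return [e for e in events if SEVERITY_RANK[e["severity"]] >= floor]


def render_events(events):
    """One JSON object per line, suitable for a file monitor or a HEC raw endpoint."""
    return [json.dumps(e, sort_keys=True) for e in events]


def key_vulns_from_csv(text, min_severity="high"):
    """Whole pipeline: parse, normalize to CIM, filter, serialize."""
    events = [to_cim_event(r) for r in parse_scan_csv(text)]
    return render_events(filter_key_vulns(events, min_severity))


if __name__ == "__main__":
    for line in key_vulns_from_csv(SAMPLE_CSV):
        print(line)
```

Running the script prints two events (the high and critical findings); the "Bogus" row demonstrates the demotion of an unrecognised severity label. Because every event carries `dest`, `signature` and `severity`, the Vulnerabilities data model's accelerated searches and the Enterprise Security vulnerability dashboards can pick them up without further field extraction, while the scanner itself stays the system of record for the complete state.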