I am trying to create a search query that pulls tenable (critical, and high) scan results that provides an output of the Tenable (ACAS) critical and high scan results with the following information:
1.) IP Address (unique identifier for ACAS mapping to Xacta)
2.) DNS Name
3.) System Name
4.) MAC address
5.) OS Type
6.) OS Version
7.) OS Build
8.) System Manufacture
9.) System Serial Number
10.) System Model
11.) AWS Account Number (new field to capture in the standard)
12.) AWS Instance ID #
13.) AWS ENI
for example: I am running the following query and I get some of the information but I don't get the rest.
Query
index=acas sourcetype="tenable:sc:vuln" (severity=crtical or severity=high) | eval lastSeen=strftime(lastSeen,"%m-%d-%Y") | stats max(lastSeen) AS Last_Seen by severity, IP address, DNS name, system name, MAC address, OS Type, OS version, OS build, system manufacture, system serial number, system model, AWS account number, AWS instance ID number, AWS ENI
When I run the query I don't get all of the information
Do all the fields have values in all the events or are you only getting stats for events where none of these fields are empty?
To add to your question, it all depends on the Security Center scan data once ingested into Splunk. The fields don't necessarily have to have value (it all depends on the scan results.
For your stats command, all the fields mentioned in the by clause need to have values in all the events you want to include in the stats. Since you have some events without values for some of the fields, this will be why the numbers are not coming out as you expected.
Good morning,
So I attempted the following and I am able to get some of the information.
index=acas sourcetype="tenable:sc:vuln" ( severity=crtiical OR severity=high ) eval lastSeen=strftime(lastSeen, "%m-%d-%Y") | stats count by ip, repository.dataFormat, netbiosName, dnsName, host, macAddress, operationSystem, family.name, version
I am trying to get the rest of the information but I think it is related to the naming convention. Not exactly sure how to get the other fields (System Manufacture, System Serial Number, System Model, AWS Account Number, AWS Instance ID #, AWS ENI, System location, and System Purpose)
If the field names have embedded spaces or other special characters, they should be in single quotes.
I am trying to create a query that can provide an output of a Security Center scan. The output should be able to provide the following in the same order:
1.) IP Address
2.) DNS Name
3.) System Name
4.) MAC address
5.) OS Type
6.) OS Version
7.) OS Build
8.) System Manufacture
9.) System Serial Number
10.) System Model
11.) AWS Account Number
12.) AWS Instance ID number
To answer your question there should be values for each category but if there is none then that is ok as well.