hello everyone. please forgive my English level. I'm a splunk novice and nessus novice. I am trying to ingest the Tenable(sc) vulnerability data into the splunk indexer, I have read the official document related to Tenable Add-On for Splunk , (link : https://docs.tenable.com/integrations/splunk/Content/Splunk%20Add%20On.htm). I think my type of Tenable is Tenable.sc, not Tenable.io.Please see the screenshot below: I'am trying to configure Tenable Add-On for Splunk ,but it return an error message Please enter valid Address, Username and Password. , as shown below: I have tried to delete the port number in the address (192.168.20.129) and checked "Verify SSL Certificate", but still not working , I have tested all the configurations. if I change the "Tenable Account Type" to Tenable.io and using access_key 、 secret Key , it can successfully create configuration successfully. but after successfully create the input, the vulnerability data is not indexed into splunk. and I can find the following error from the log file error.log (/opt/splunk/var/log/splunk/ta_tenable_tenable_io.log) 2019-09-11 16:09:56,668 INFO pid=10770 tid=MainThread file=base_modinput.py:log_info:293 | Tenable.io vulnerability data collection started 2019-09-11 16:09:56,669 INFO pid=10770 tid=MainThread file=splunk_rest_client.py:_request_handler:100 | Use HTTP connection pooling 2019-09-11 16:09:56,670 INFO pid=10770 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1 2019-09-11 16:09:56,693 ERROR pid=10770 tid=MainThread file=io_connect.py:__check_response:80 | Tenable Error: response: {"error":"The requested file was not found"} I am trying to force the creation of Tenable.sc account configuration information (ta_tenable_account.conf) on the command line. then select Global Account* when configuring the input. When I click the "add" button, the following error still occurs: 2019-09-11 16:34:12,528 ERROR pid=19830 tid=MainThread file=sc_connect.py:_check_response:98 | Tenable SC Error: URL: https://192.168.20.129:8834/rest/system, HTTP status code: 404, error code: 1 So I re-read the principle of Tenable Add-on, which calls the Tenable API to extract data from the Tenable platform. link (https://docs.tenable.com/integrations/splunk/Content/Splunk%20Add%20On.htm) The Tenable Add-On for Splunk pulls data from Tenable platforms and normalizes it in Splunk. The current Tenable Add-On uses the following endpoints. Tenable.io Request Export: /vulns/export Vulnerability Export: /vulns/export Asset Export: /assets/export Tenable.sc Vulnerability and assets details: /rest/analysis Plugin details: /rest/plugins Repository details: /rest/repository The reason for the error was that my Nessus does not provide an API at all. . When I tried to access these API links using a browser, it returned 404 not found. E.g: Tenable.io Vulnerability Export is called api /vulns/export . When I try to access "https://192.168.20.129:8834/vulns/export", the browser returns a status code of 404 with the content: "{"error":" The requested file was not found"}" Tenable.sc Vulnerability and assets detail is called api /rest/analysis , when I try to access the "https://192.168.20.129:8834/rest/analysis" browser returns a status code of 404, the content is: "{"error": "The requested file was not found"}" question: Why doesn't my Nessus provide an API interface? Do I need to configure nessus to enable the api interface? Is there a nessus expert who can tell me whether my nessus type is tenable.io or tenable.sc ... View more

hello everyone! I have a program that counts the number of requests for website api per minute.the log format is as following, where field time is the time of the statistics. request_domain time uri min_count www.test.com 11/Jul/2019 15:51 /api/test 19 www.test.com 11/Jul/2019 15:51 /api/exmple 208 m.test.com 11/Jul/2019 15:52 /api/search 80 www.test.com 11/Jul/2019 15:52 /api/test 31 www.test.com 11/Jul/2019 15:52 /api/exmple 253 m.test.com 11/Jul/2019 15:52 /api/search 62 I want to create an alert based on the following requirements, but I don't know how to do it. If the number of uri requests is greater than 100 times per hour. Compare the previous hour, if the growth rate is greater than 80%, then alert Compare the same time period yesterday, if the growth rate is greater than 80%, then the alarm. If the number of uri requests is less than 100 times per hour. Compare the previous hour, if the growth number is greater than 50 times, then alert Compare the same time period yesterday, if the growth number is greater than 50 times,then alert I think it needs to be split into at least 2 alert to achieve all help will be greatly appreciated! ... View more

hi. everyone . My website has some API interfaces. Sometimes malicious attacks will request these api continuously. It is clear on the time chart that the peak has been reached. How do I detect and alert? for example: I have a search like this now, I can see the number of requests per hour for these URIs. index = web sourcetype=nginx_access uri=/api/getuserInfo OR uri=/api/featchData OR uri=/login OR uri=/home |timechart span=1h count by uri under normal conditions the request per hour of /api/getuserInfo is about 1000~5000 times, if a certain time period encounters a malicious attack, the interface requests 50,000 times. I think this is an anomaly. How should I use a smarter method to detect abnormal peaks and issue alarms? I think of a stupid way, i can write the number of api interface requests per hour to csv or kvstore, and then use today's and yesterday's comparisons to see the magnitude of the rise. If the rise is too high, I think this is abnormal peaks But I think there are more efficient methods, such as machine learning? Can someone help me and share a use case with me, thank you Note: I have a lot of API interfaces, about 20, I want to monitor the abnormal peak of each API interface, ... View more

hello. I use splunk db connect 3.1.3 connect mongodb database. it is working now. and I can use SQL statement query data from mongodb |dxquery connection="testmongodb" query="select * from result" . We all know that mongodb does not contain a self-incrementing column. So mongodb's data is similar to the following format: info ip port task_date task_id time vul_info Unauthorized Access 172.16.10.9 6379 2019-6-6 d40617172258939a57fdb5617724fc55 2019-6-6 {"vul_type":"Weak password",vul_name:"Redis Weak password",vul_level:"High"} SMB Remote Overflow 10.10.2.8 445 2019-6-6 cfab842aa0e8166cabb2f4548477756b 2019-6-6 {"vul_type":"Remote Overflow",vul_name:"SMB Remote Overflow",vul_level:"High"} MySQL Weak password 10.10.2.7 3306 2019-6-13 2389ccda6788fc124d1cec7a951f7089 2019-6-13 {"vul_type":"Weak password",vul_name:"MySQL Weak password",vul_level:"High"} Firstly, it does not have an rising column, for example id , secondly, it does not have a timestamp. If I use input with batch to index these data into splunk, there will be a lot of duplicate data. So I hope. Every time there is new data in the result collections, it can automatically index to Splunk . If this mongo collection have a rising column, it will be easy to implement this requirement, unfortunately not. So is there a clever way to index new data from mongodb to splunk? ... View more

I am trying to index mongodb data into splunk, The Hunk App for MongoDB seems to be an obsolete. Is there a best way to import mongodb data into splunk? similar to the input function of db_connect? Because I don't just import it once, when mongodb has new data, I hope it can be automatically indexed to splunk I refer to the following documentation, but when I connect to the mongodb database that requires authentication, it prompts an error. not authorized for query on xunfeng._schema . I am sure I have created an identity XunfengMongodb . http://www.unityjdbc.com/mongojdbc/setup/mongodb_jdbc_splunk_dbconnect_v2.pdf splunk version: 7.2.3 db connect version 3.1.3 ... View more