I have my nessus data in splunk, and in my example below I would like to search for all critical findings, and for each of those I would like to correlate the finding with the plugin data and present the details and remediation. The search does not work, and I would like some help if I'm doing this correctly (I'm a complete newbie with the foreach-command).
sourcetype=nessus:scan plugin_id=* severity=critical "host-ip"=* | foreach "host-ip" [search (sourcetype=nessus:scan plugin_id=* severity=critical "host-ip"=<<FIELD>>) OR (sourcetype=nessus:plugin id=*)] | eval match_id=coalesce(id,plugin_id) | stats values(*) AS * by match_id | search plugin_id=* id=* | table host-ip,host_end,match_id,solution,description
... View more
I have imported Nessus scan data and plugin data into Splunk using the Splunk Add-On for Tenable and have been playing with it.
I would like to generate a table containing description and solution for critical vulnerabilities. In the long run, I would like to create a scheduled search to automate reports per host-ip for all severity=critical findings, but I want the basic search to be efficient first.
Basically I have both sourcetypes (nessus:scan and nessus:plugin) in one index with the field plugin_id in the nessus:scan being the same as id in nessus:plugin. I am trying to create a search where I can get details for a plugin per IP-address.
This search works, but it's very slow and I'm trying to determine if this is the best way to solve it.
(sourcetype=nessus:scan plugin_id=\* severity=critical "host-ip"="A.B.C.D") OR (sourcetype=nessus:plugin id=\*)
| eval match_id=coalesce(id,plugin_id)
| stats values(\*) AS \* by match_id
| search plugin_id=\* id=\*
| table host-ip, host_end, match_id, solution, description
... View more