Activity Feed
- Karma Re: Nessus add-on: How to obtain vulnerability count, host count, and vulnerability count per host for kennetkline. 09-21-2023 06:32 PM
- Posted Does Tenable send remediated vulnerabilities after reporting? on All Apps and Add-ons. 09-14-2023 02:24 PM
- Posted CLONE_SOURCETYPE not honoring REGEX? on Getting Data In. 11-24-2020 12:25 PM
- Tagged CLONE_SOURCETYPE not honoring REGEX? on Getting Data In. 11-24-2020 12:25 PM
Topics I've Started
Does Tenable send remediated vulnerabilities after reporting? (09-14-2023 02:24 PM)
Hello,
Does Tenable not send remediated vulnerabilities to Splunk after it has reported it once? The situation is as follows:
A host ABC had its CVE-1234-5678 patched in April 2023, for which there is a record in the index. But after that there is not a single time that the remediated vulnerability has been reported. It only reports on the open ones from there on. I tried enabling the "Historical reporting of remediated vulnerabilities" - but that still isn't helping. As a result, we consider that host to have the vulnerability as "Open".
Is this the expected behaviour? I thought this setting would report the remediated vulnerabilities each time the scan runs?
- Labels: troubleshooting
CLONE_SOURCETYPE not honoring REGEX? (11-24-2020 12:25 PM)
While attempting to clone (and mask) events that belong to select source patterns, the CLONE_SOURCETYPE doesn't honor the REGEX. The goal is to restrict cloning to those events that have dev or tst in their source, so prod or perf or uat etc. wouldn't get cloned. It seems that no matter what the REGEX in the clone stanza in transforms is, the events get cloned. The temporary solution was to run a nullQueue for those non-dev and non-tst sources. What am I doing wrong here? Any thoughts/suggestions?

Note: the test file doesn't have any source defined. The only place I supply a source is using the rename-source argument as below.

# Code fragment

How I run this using oneshot:

```shell
# WORKS - clones should be created. Works as expected
splunk add oneshot test-foo.txt -rename-source "sfdc_object://User_splunk_dev_cnf" -index mask -sourcetype sfdc:orig -host dev_01

# DOESN'T WORK - clones shouldn't be created, but they are
splunk add oneshot test-foo.txt -rename-source "sfdc_object://User_splunk_prod_cnf" -index mask -sourcetype sfdc:orig -host dev_02
```

props.conf:

```ini
[sfdc:orig]
TRANSFORMS-sfdc-orig = sfdc_cloner

[sfdc:clone]
EVAL-mn = "foo"
```

transforms.conf:

```ini
# sources are one of the following -
#   sfdc_object://User_splunk_dev_cnf
#   sfdc_object://User_splunk_tst_cnf
#   sfdc_object://User_splunk_prod_cnf
#   ...

[sfdc_cloner]
# Only clone those where sources don't have _prod_
REGEX = ^(?=.*(dev|tst)).*
# Tried this as well - no bueno
#REGEX = (sfdc_object:.*(dev|tst)_cnf.*)
SOURCE_KEY = MetaData:Source
FORMAT = $0
DEST_KEY = _raw
CLONE_SOURCETYPE = sfdc:clone
```
- Tags: clone_sourcetype
- Labels: transforms.conf
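An offline check of the two REGEX values from the post above against the sources it lists, as an added example that is not from the post or from Splunk itself: it emulates only the match step of a transform with SOURCE_KEY = MetaData:Source, which is what should decide whether the clone fires. The fourth source, the stricter pattern and the naming-scheme assumption in `unexpected_clones` are my constructed assumptions.

```python
import re

# Constructed sample sources: the three named in the post plus one extra
# (constructed) that contains "dev" as a substring of an unrelated word.
SOURCES = [
    "sfdc_object://User_splunk_dev_cnf",
    "sfdc_object://User_splunk_tst_cnf",
    "sfdc_object://User_splunk_prod_cnf",
    "sfdc_object://newdevice_prod_cnf",  # constructed edge case
]

# The two REGEX values tried in the post's [sfdc_cloner] stanza.
REGEX_LOOKAHEAD = r"^(?=.*(dev|tst)).*"
REGEX_ALT = r"(sfdc_object:.*(dev|tst)_cnf.*)"
# Assumed stricter alternative: require the _dev_/_tst_ token right before _cnf.
REGEX_STRICT = r"^sfdc_object://[^/]*_(dev|tst)_cnf$"


def clone_decisions(sources, regex):
    """Emulate the match step of a transforms.conf stanza that uses
    SOURCE_KEY = MetaData:Source: the REGEX is applied to the source value
    and the transform (here the CLONE_SOURCETYPE clone) should fire only on
    a match. Returns {source: should_clone}."""
    pattern = re.compile(regex)
    return {src: pattern.search(src) is not None for src in sources}


def unexpected_clones(sources, regex, allowed=("dev", "tst")):
    """Sources the regex would clone although their environment token is not
    dev/tst. The token is assumed to be the last '_'-separated field before
    '_cnf' (an assumption about the naming scheme shown in the post)."""
    out = []
    for src, clone in clone_decisions(sources, regex).items():
        env = src.rsplit("_cnf", 1)[0].rsplit("_", 1)[-1]
        if clone and env not in allowed:
            out.append(src)
    return out


if __name__ == "__main__":
    for name, rx in (("lookahead", REGEX_LOOKAHEAD), ("alt", REGEX_ALT),
                     ("strict", REGEX_STRICT)):
        print(name, clone_decisions(SOURCES, rx),
              "unexpected:", unexpected_clones(SOURCES, rx))
```

The posted lookahead pattern does reject the prod source, so the regex itself does not explain why prod events get cloned; the check also shows that the lookahead fires on any source containing "dev" anywhere, which the stricter pattern avoids.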