Activity Feed
- Got Karma for Re: get all ip address that connect to ios devices and make config changes. 06-05-2020 12:48 AM
- Karma Re: How do I remediate "Nessus ID 42873"? for araitz. 06-05-2020 12:45 AM
- Posted Re: Nessus vulnerability solution on All Apps and Add-ons. 10-05-2017 08:18 AM
- Posted Nessus vulnerability solution on All Apps and Add-ons. 10-04-2017 02:30 AM
- Tagged Nessus vulnerability solution on All Apps and Add-ons. 10-04-2017 02:30 AM
- Posted Re: Nessus exploitable vulnerabilities on All Apps and Add-ons. 10-03-2017 05:29 AM
- Posted Nessus exploitable vulnerabilities on All Apps and Add-ons. 10-03-2017 02:38 AM
- Tagged Nessus exploitable vulnerabilities on All Apps and Add-ons. 10-03-2017 02:38 AM
- Posted Re: Get column count as new column on Splunk Search. 06-13-2017 07:52 AM
- Posted Re: Get column count as new column on Splunk Search. 06-13-2017 07:46 AM
- Posted Get column count as new column on Splunk Search. 06-13-2017 04:14 AM
- Tagged Get column count as new column on Splunk Search. 06-13-2017 04:14 AM
10-04-2017
02:30 AM
I am trying to find all hosts affected by a specific vulnerability and the solution to remediate that vulnerability as suggested by Nessus. Since the solution field is present in the nessus:plugin sourcetype and every other piece of information needed is present in the nessus:scan sourcetype, nothing I have come up with seems to work. The end result should look something like this:
Vulnerability | Host-IP(s) | Solution
---|---|---
XSS vulnerability | 10.10.10.10, 10.10.10.20, 10.10.10.30 | Patch it
Thanks
10-03-2017
05:29 AM
Hi rich7177,
Thank you for the effort, but while both your searches complete in under a minute, which is an improvement on the current 78s, they do not give accurate results. They both pull values from nessus:scan while ignoring the query after the OR that looks for only exploitable vulnerabilities using nessus:plugins.
Search
Look for all exploitable vulnerabilities from nessus:plugin and use their IDs to search nessus:scan to get their names and the hosts they affect. This is because I have noticed that not all the plugins listed by Tenable are actually vulnerabilities on my network.
10-03-2017
02:38 AM
Here, I am trying to find all vulnerabilities found during a Nessus scan that are exploitable. The exploit_available field is shown only in nessus:plugin. I would like to correlate the exploitable vulnerabilities with hosts in my network, which are only shown in the nessus:scan sourcetype. My search query works but, once again, it takes a while to run. Any help fine-tuning this is welcome.
sourcetype="nessus:scan" plugin_id="*" [search sourcetype="nessus:plugin" exploit_available="true" id="*" | table plugin_name]
| dedup plugin_id
| table plugin_name, plugin_id, severity
Thanks
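One search that serves both this question and the "Nessus vulnerability solution" post above, added here as an example rather than taken from the thread or from Tenable's add-on: it reads both sourcetypes in one base search and lets stats do the correlation, so there is no subsearch at all. That matters for speed and for accuracy, because a subsearch is cut off at 10,000 results and 60 seconds by default and then silently returns a partial list of plugin IDs. Field names taken from the thread are plugin_id, plugin_name and severity (nessus:scan) and id, exploit_available and solution (nessus:plugin); dest as the affected-host field in nessus:scan is an assumption, so substitute whatever your add-on extracts.

```spl
(sourcetype="nessus:scan") OR (sourcetype="nessus:plugin" exploit_available="true")
| eval plugin_id=coalesce(plugin_id, id)
| stats count(eval(sourcetype="nessus:scan")) AS findings,
        count(eval(sourcetype="nessus:plugin")) AS exploitable,
        values(plugin_name) AS plugin_name,
        values(severity) AS severity,
        values(dest) AS hosts,
        values(solution) AS solution
        BY plugin_id
| where findings > 0 AND exploitable > 0
| sort - findings
| table plugin_id plugin_name severity hosts findings solution
```

The eval normalises the two key names (plugin_id in scan events, id in plugin events) so stats can group on one field; findings counts scan hits per plugin and exploitable counts plugin-catalogue hits, and the where clause keeps only plugins that appear on both sides, which is exactly the "exploitable AND actually present on my network" condition. hosts is a multivalue field, so it renders one IP per line the way the desired table does. For the plain remediation question (every vulnerability, not only exploitable ones), drop exploit_available="true" from the first line and the exploitable > 0 condition; to look at a single vulnerability, append plugin_id=<id> to the first line. If severity is extracted from both sourcetypes on different scales, replace values(severity) with values(eval(if(sourcetype="nessus:scan", severity, null()))) so only the scan value is reported.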
06-13-2017
07:52 AM
Hi Woodcock,
Thanks for your response,
Your solution worked a treat! I did amend it a bit:
basesearch
| transaction ipadd
| eventstats dc(columnB) as columnC by ipadd
| table columnA, columnB, columnC
06-13-2017
07:46 AM
Hi Giuseppe,
Thanks for your response
Your query counts by the ipadd field, giving a result of one. The columnC is hypothetical at the moment; it is what I am looking to add. I tried the query as is and the result was that columnC was always 1, which is less than the sum of values in columnB.
This edited query gives a false result (higher count than what columnB has)
my search
| transaction ipadd
| stats values(ColumnB) AS ColumnB count by ColumnA
| rename count AS "Column D"
06-13-2017
04:14 AM
I have three columns from a search query. I would like to count the items in one column and display it next to the other two columns, e.g.:
Column A | Column B | Column C (count of columnB)
---|---|---
ip add 1 | vuln1, vuln2, vuln3, vuln4 | 4
ip add 2 | vuln1, vuln2 | 2
etc.
query:
.. | transaction ipadd | table ipadd, vuln
All help highly appreciated.
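The same per-IP count can be produced without transaction, which is far more expensive than stats and has its own limits on how many events it will group. This is an added example, not a query from the thread; it assumes the base search yields one event per (ipadd, vuln) pair with those two field names, as in the question.

```spl
basesearch
| stats values(vuln) AS vuln, dc(vuln) AS vuln_count BY ipadd
| sort - vuln_count
| table ipadd vuln vuln_count
```

stats collapses the events to one row per ipadd, with vuln as a multivalue cell (rendered one value per line, matching the layout asked for) and the distinct count beside it; dc rather than count means a vulnerability reported twice for the same host is counted once. If the original per-event rows must be kept, replace the stats line with eventstats dc(vuln) AS vuln_count BY ipadd, which appends the count to every event instead of collapsing them.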
05-04-2017
01:58 PM
1 Karma
The log results on config file changes do not pull the IP address of the person who made those change(s).
Using an OR operator, I pulled the two eventtypes I was interested in (successful logins and config changes). I got all users who had successfully logged in or changed a config file (user = "*" mnemonic = "login_success" or mnemonic ="config change"). I excluded all rows where there was no config change (| where command !=null). I grouped the result in a transaction (.. | transaction mnemonic = "login_success") and finally piped that into a table.
It was a roundabout way of doing it, I suppose, but it works just fine.
05-04-2017
01:49 PM
Even though your answer didn't solve the problem, it did give me a direction to go in, so I will accept it.
05-02-2017
02:14 PM
I need to create an alert that shows all successful logins to IOS devices that made changes to the config file and the changes made. I can get all the config changes made on the IOS device since I have archive logging turned on (sourcetype="cisco:ios" eventtype=cisco_ios-cfglog_loggedcmd).
However, I would like to get the IP address of any host that successfully logs into my device and the changes made to my config file in one fell swoop.
All help will be very much appreciated.
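A search that ties each logged configuration command to the login that preceded it, covering this question and the transaction approach described in the 05-04-2017 reply above. It is an added example, not a query from the thread or from the Cisco Networks add-on. The two IOS messages involved are %SEC_LOGIN-5-LOGIN_SUCCESS, which carries the user and the source address, and %PARSER-5-CFGLOG_LOGGEDCMD, which carries the user and the command (the eventtype cisco_ios-cfglog_loggedcmd in the question is built on the latter). host is Splunk's own host field, i.e. the device that sent the syslog; the field names mnemonic (with values LOGIN_SUCCESS and CFGLOG_LOGGEDCMD), user, src_ip and command are assumptions about what your add-on extracts and must be checked against it.

```spl
sourcetype="cisco:ios" (mnemonic="LOGIN_SUCCESS" OR mnemonic="CFGLOG_LOGGEDCMD")
| transaction host user startswith=(mnemonic="LOGIN_SUCCESS") maxspan=8h maxpause=1h
| search mnemonic="CFGLOG_LOGGEDCMD"
| eval login_time=strftime(_time, "%Y-%m-%d %H:%M:%S")
| eval changes=mvcount(command)
| table login_time host user src_ip changes command
```

transaction groups events by device and user and opens a new group at every LOGIN_SUCCESS, so every command lands in the session of the most recent login by that user on that device; maxspan and maxpause stop a stale login from absorbing commands hours later. After transaction the mnemonic field is multivalue, so the search line keeps only sessions that contain at least one logged command, and a session is dropped entirely if nobody changed anything. _time is the time of the first event in the group, which is the login, src_ip comes from the login event, and command lists every command in the session. Saved as an alert with the trigger condition "number of results greater than 0", this fires once per session that changed the configuration. One caveat: if the same user holds two concurrent sessions on one device (two vty lines), the commands of both are attributed to whichever login came last, so treat src_ip as the most recent login, not a guaranteed origin.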