Getting Data In

How to do asset dumping using Nessus data?

xavierpaul
New Member

How to do asset dumping using Nessus data? Nessus is already feeding to Splunk and properly mapped to CIM.

0 Karma

Richfez
SplunkTrust

That's a great idea.

There's quite a bit of detail in this task, hopefully a general list on how to do it will get you started and if you have any specific questions come up you can ask about those directly.

The basic technique would be to create a search that creates your list and tweak that until it makes all the fields you need. Use that search to then ...| outputlookup mycompany_identities or whatever asset list you are already using. Schedule it to run at appropriate intervals (daily, weekly, whatever) and then bask in the glow of an automatically updating asset list!

A bit more detail and some techniques could be useful though. The list of fields you need are

ip,mac,nt_host,dns,owner,priority,lat,long,city,country,bunit,category,pci_domain,is_expected,should_timesync,should_update,requires_av

IP and at least some of the dns/nt_host type fields should be straightforward. mac - this should be in there I'd think, but I don't see it in my Nessus output (I do see it, just not in the Nessus output, so I think I'm conflating my own already-set-up assets into my Nessus scans). Many of the other fields aren't likely to be in the output, so you'll have to do some creative adjusting of the data.

I do Active Directory (from LDAP) searches to populate identities, and some of the techniques may be useful.

At one point mine started duplicating AD field events. I haven't had time to figure out why (quite the puzzler), but in the interim I just dedup them out. Takes practically no extra time (~40 seconds vs. ~38 seconds without).

| dedup sAMAccountName

Here, as with all the other examples, change sAMAccountName to what you need. dedup doesn't scale well, though, so you may be better off with ... | stats count by sAMAccountName | fields - count instead.

Sometimes you have no information on a particular field and just have to set it to nothing, or some single string.

| eval suffix=""

Other times, you have to use a case statement. Here's part of my obfuscated field priority which, while not directly usable in Nessus data shows the case statement and results fairly clearly, I think:

| eval priority=case(
      like(distinguishedName,"%OU=Expired,DC=MyComp,DC=local"), "critical",
      like(distinguishedName,"%OU=Vendors,OU=SomeOU,DC=MyComp,DC=local"), "critical",
      like(distinguishedName,"%OU=Support,DC=MyComp,DC=local"), "high",
      like(distinguishedName,"%OU=SYSTEMS,DC=MyComp,DC=local"), "medium",
      like(distinguishedName,"%OU=Users,OU=SomeOU,DC=MyComp,DC=local"), "low",
      like(distinguishedName,"%OU=Users,OU=SomeOU2,DC=MyComp,DC=local"), "low",
      1==1, "medium" )

Perhaps you could use that technique against the IP (use a CIDR match when possible) or against hostname or FQDN to get priority, lat/long, city, country or some of the other fields. I could imagine in our environment using the IP address range to determine location at least, if not quite a few more things.

Lastly, don't worry much about how the output looks until you have all the fields you need, then create a table and rename everything in one big pile at the end.

| table sAMAccountName, personalTitle, displayName, givenName, sn, suffix, mail, telephoneNumber, mobile, 
  managedBy, priority, department, category, watchlist, whenCreated, endDate 
| rename sAMAccountName as identity, personalTitle as prefix, displayName as nick, givenName as first, 
  sn as last, mail as email, telephoneNumber as phone, mobile as phone2, department as bunit, whenCreated as startDate
| outputlookup MyCompany_identities

I don't quite give exact answers for everything but that's because it'll take a bit of thinking about your environment, your scans and how exactly you want to define some things. Still, I hope this gets you on your way!

Just ask back if you have a specific question!
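As an added illustration (not part of Richfez's answer), here is what the whole pipeline described above looks like when pointed at Nessus scan data instead of AD: build the list, derive the fields you can with case() and cidrmatch(), set the rest to a blank or a control string, then table/rename and outputlookup. It uses the host-ip, hostname and host-fqdn field names that appear later in this thread; the CIDR ranges, DNS suffix, city names, bunit values and the output lookup name are made-up placeholders for your own environment.

```spl
index=nessus earliest=-7d
| rename "host-ip" AS ip, hostname AS nt_host, "host-fqdn" AS dns
| stats latest(nt_host) AS nt_host, latest(dns) AS dns BY ip
| eval priority=case(
      cidrmatch("10.10.0.0/16", ip), "critical",
      cidrmatch("10.20.0.0/16", ip), "high",
      like(dns, "%.lab.mycompany.local"), "low",
      1==1, "medium")
| eval city=case(
      cidrmatch("10.10.0.0/16", ip), "Chicago",
      cidrmatch("10.20.0.0/16", ip), "Denver",
      1==1, "Unknown")
| eval country=if(city="Unknown", "Unknown", "US")
| eval bunit=case(
      like(dns, "%.lab.mycompany.local"), "Lab",
      cidrmatch("10.10.0.0/16", ip), "Datacenter",
      1==1, "Unknown")
| eval mac="", owner="", lat="", long="", category="", pci_domain=""
| eval is_expected="true", should_timesync="false", should_update="false", requires_av="false"
| table ip, mac, nt_host, dns, owner, priority, lat, long, city, country, bunit, category, pci_domain, is_expected, should_timesync, should_update, requires_av
| outputlookup mycompany_nessus_assets.csv
```

The stats ... BY ip stage does the job of dedup host-ip but scales better and keeps the most recently scanned hostname/FQDN per address; the rename up front avoids having to quote the hyphenated Nessus field names inside eval. Save it as a scheduled search and point Enterprise Security's asset configuration at the resulting lookup. Hosts with a hyphenated field name that Nessus leaves empty will simply come through with an empty dns or nt_host, which is fine for the asset framework.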

xavierpaul
New Member

Awesome, thank you!! You, sir, are a genius. That is what I'm trying to do. We already have AD dumping for identities and assets, but that is for Wintel devices.

I am trying other ways to do dumping on non-Wintel devices; since we have a Nessus scan in place, why not use it for asset dumping?

0 Karma

Richfez
SplunkTrust

Well you are certainly correct on all accounts. 🙂

The problem you'll have is that much of this information isn't exposed in Nessus. Nessus doesn't quite seem to have the concept of an "inventory" and makes do with scan results instead. For its own purposes this is sufficient because it has to do 99% of the work again (if not 100%) on each scan.

I think the only things you need in your asset list that Nessus scans provide are ip, hostname and fqdn. Because of that aforementioned lack of "inventory", there's nowhere where you can add, say, "Location information" to a "system" in Nessus.

Given that, the only real option I can think of is to create a lookup for all the extra system information based off IP address or fqdn or something. The thing is, this gets you your information in an asset list but makes you do all the work. Well, maybe not ALL, but most. 😞

Fortunately, if you set defaults for all the fields of "Unknown" or some other control string you can get one big benefit: as you list IP addresses from Nessus scans and perform a lookup and append that into your csv for assets, anything Nessus finds that you don't have information on will show up quite brightly in the output as having a bunch of "Unknown" fields. Being able to identify previously undefined systems at a glance can be quite useful!

Here's what I'd suggest. Take your latest Nessus scans as a baseline.

index=nessus | table host-ip hostname host-fqdn | dedup host-ip

Export that as CSV, add the header information as per the requirements for the asset list and fill in the rest of the columns. Save that off as your assets list.

Once you have that, you can append that information in on your current asset generation search.

It's not as much of a help as I originally thought. And that makes me unhappy because frankly Nessus scans OUGHT to be a fine and useful thing for this.

0 Karma
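To make the "Unknown defaults" idea concrete, here is an added example (mine, not from the thread) of the append step described above: Nessus supplies ip, nt_host and dns; a hand-maintained CSV supplies everything else keyed on ip; and anything Nessus saw that the CSV does not know about comes out with Unknown fields so it stands out. The lookup file asset_details.csv and the output lookup name are assumed placeholders; the CSV is assumed to carry a header of ip,owner,priority,lat,long,city,country,bunit,category,pci_domain,is_expected,should_timesync,should_update,requires_av (the asset list columns from earlier in the thread, minus the ones Nessus provides).

```spl
index=nessus earliest=-7d
| rename "host-ip" AS ip, hostname AS nt_host, "host-fqdn" AS dns
| stats latest(nt_host) AS nt_host, latest(dns) AS dns BY ip
| lookup asset_details.csv ip OUTPUTNEW owner priority lat long city country bunit category pci_domain is_expected should_timesync should_update requires_av
| fillnull value="unknown" priority
| fillnull value="Unknown" owner lat long city country bunit category pci_domain
| fillnull value="false" is_expected should_timesync should_update requires_av
| eval mac=""
| table ip, mac, nt_host, dns, owner, priority, lat, long, city, country, bunit, category, pci_domain, is_expected, should_timesync, should_update, requires_av
| outputlookup mycompany_nessus_assets.csv
```

priority gets a lowercase "unknown" because that is one of the values the asset priority field is expected to hold, while the free-text columns get "Unknown" as the control string. To review newly discovered hosts instead of writing the lookup, replace the last two lines with | where owner="Unknown" | table ip nt_host dns; once you have filled those rows into asset_details.csv they drop out of that view on the next run.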