Splunk Enterprise Security

Anyone have any ideas with Enterprise Security and Rapid7 to get the dest_ip, host name to be displayed/used instead of the asset number (which is wrong)?

brian1_tate
Path Finder

Hello all,

It appears that Rapid7 has goofed the TA to provide their asset data as the destination (dest field) instead of relating it to an 'actual' location as one would expect in Enterprise Security in the Vulnerability Center. You can't go there, search there - even get their data to actually populate the panels with anything but the dest field (not dest_ip and/or dest_host).

Any thoughts on getting this to properly populate in Enterprise Security? Maybe concatenate or something here anyone?

| tstats summariesonly=true allow_old_summaries=true dc(Vulnerabilities.signature) as vuln_count from datamodel=Vulnerabilities.Vulnerabilities where * by Vulnerabilities.severity,Vulnerabilities.dest
| chart useother=0 first(vuln_count) over Vulnerabilities.dest by Vulnerabilities.severity
| rename "Vulnerabilities.*" as *
| search dest=388062 medium=31
| eval total=case(critical>0 AND high>0,critical+high,critical>0,critical,high>0,high,1==1,0)
| eval subTotal=case(medium>0 AND low>0,medium+low,medium>0,medium,low>0,low,1==1,0)
| eval subSubTotal=case(informational>0 AND unknown>0,informational+unknown,informational>0,informational,unknown>0,unknown,1==1,0)
| sort 10 - total,subTotal,subSubTotal
| fields - total,subTotal,subSubTotal

1 Solution

jonathan_stewar
Path Finder

Hi brian1_tate -- thanks for contacting us.

To my knowledge, you would need to edit the nexpose_cim_data_generator.py file (line 276) so that dest is set to the IP or host e.g.
dest = row[4]
dest = row[5]
However, that may have knock-on effects for the vulnerability association (since it also uses the asset ID as 'dest') and charts.
The dest field is set in the nexpose_cim_data_generator.py script (line 156 for vulnerability events, line 276 for asset events). Changing this may affect the dashboard, so you would need to test these modifications before you implement them.
Jonathan.

0 Karma

windbishn
Explorer

Brian,

Wrestled with this one a while back and I ultimately achieved good results by editing the Vulnerabilities datamodel and related dashboards, changing the field from "dest" to "dest_ip", which is the correct field when the data is inputted and indexed from the Rapid7 app.

I hope to have understood your question correctly,

Nathaniel

0 Karma
