I have imported Nessus scan data and plugin data into Splunk using the Splunk Add-On for Tenable and have been playing with it.
I would like to generate a table containing description and solution for critical vulnerabilities. In the long run, I would like to create a scheduled search to automate reports per host-ip for all severity=critical findings, but I want the basic search to be efficient first.
Basically I have both sourcetypes (nessus:scan and nessus:plugin) in one index with the field plugin_id in the nessus:scan being the same as id in nessus:plugin. I am trying to create a search where I can get details for a plugin per IP-address.
This search works, but it's very slow and I'm trying to determine if this is the best way to solve it.
(sourcetype=nessus:scan plugin_id=* severity=critical "host-ip"="A.B.C.D") OR (sourcetype=nessus:plugin id=*)
| eval match_id=coalesce(id,plugin_id)
| stats values(*) AS * by match_id
| search plugin_id=* id=*
| table host-ip, host_end, match_id, solution, description
The other option would be to create a lookup (updated periodically) of nessus:plugin and use that to get solution & description:
sourcetype=nessus:scan plugin_id=* severity=critical "host-ip"="A.B.C.D"
| lookup nessusplugin.csv id AS plugin_id OUTPUT solution description
| table host-ip, host_end, plugin_id, solution, description
http://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/Lookup
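An added example, not part of the question or the answer above, showing how the lookup approach can be run end to end. It assumes the field names visible on this page (id, solution and description in nessus:plugin; plugin_id, severity, host-ip and host_end in nessus:scan), a lookup file named nessusplugin.csv, and a 7-day report window, which is an assumption. The first search is the one to schedule (for example daily, after plugin updates are ingested) so the lookup stays current; the second is the per-host critical-findings report the question is aiming for, written for all hosts so it can be scheduled once rather than per IP.

```spl
sourcetype=nessus:plugin id=*
| dedup id
| table id, solution, description
| outputlookup nessusplugin.csv

sourcetype=nessus:scan severity=critical plugin_id=* earliest=-7d@d
| dedup "host-ip", plugin_id
| lookup nessusplugin.csv id AS plugin_id OUTPUT solution, description
| where isnotnull(solution)
| table host-ip, host_end, plugin_id, solution, description
| sort host-ip, plugin_id
```

The dedup keeps one row per host and plugin so a host scanned several times in the window is not reported repeatedly, and the where clause drops findings whose plugin id is not yet in the lookup, which is a useful check that the refresh search is running. Compared with the stats-based join in the question, only nessus:scan events are read at search time, so the report cost scales with the number of critical findings rather than with the full plugin set.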