Splunk Add-On for Tenable: How do I efficiently co...

jesperp · ‎10-11-2016

I have imported Nessus scan data and plugin data into Splunk using the Splunk Add-On for Tenable and have been playing with it.
I would like to generate a table containing description and solution for critical vulnerabilities. In the long run, I would like to create a scheduled search to automate reports per host-ip for all severity=critical findings, but I want the basic search to be efficient first.

Basically I have both sourcetypes (nessus:scan and nessus:plugin) in one index with the field plugin_id in the nessus:scan being the same as id in nessus:plugin. I am trying to create a search where I can get details for a plugin per IP-address.

This search works, but it's very slow and I'm trying to determine if this is the best way to solve it.

(sourcetype=nessus:scan plugin_id=\* severity=critical "host-ip"="A.B.C.D") OR (sourcetype=nessus:plugin id=\*) 
  | eval match_id=coalesce(id,plugin_id) 
  | stats values(\*) AS \* by match_id 
  | search plugin_id=\* id=\* 
  | table host-ip, host_end, match_id, solution, description

sundareshr · ‎10-11-2016

The other option would be to create a lookup (updated periodically) of nessus:plugin and use that to get solution & description

sourcetype=nessus:scan plugin_id=* severity=critical "host-ip"="A.B.C.D" | lookup nessusplugin.csv id AS plugin_id OUTPUT solution description | table host-ip, host_end, plugin_id, solution, description

http://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/Lookup

Splunk Add-On for Tenable: How do I efficiently correlate Nessus scan and plugin data?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms