Hi All,
I've been using the Splunk Add-on for Tenable to import the network scans from Nessus Professional. This part works great, searches are fine. I wanted to go to the next step and create a dashboard with all my critical vulnerabilities and how many IPs are affected.
I've managed to kludge together a query to get a nice looking table - but can't seem to take the next step into:
Right now my query is
sourcetype="nessus" OR sourcetype="nessus:scan" (severity="critical") | stats values(signature) as signature by dest, severity
It comes out with a table
dest          severity   signature
10.128.20.10  critical   Apache 2.0.x < 2.0.48 Multiple Vulnerabilities (OF, Info Disc.)
                         PHP Unsupported Version Detection
Is this the best way to get to my requirement? Not sure how to integrate this into a panel.
Thanks for your help
--Dave
The Save As > Dashboard Panel option on the RHS of the screen is how you can convert your search results into a dashboard panel.
Perhaps you want to have a distinct count of the IPs by signature, dest, severity?
sourcetype="nessus" OR sourcetype="nessus:scan" (severity="critical") | stats dc(IP) by dest, severity, signature
The above would assume your IP field is called "IP" and that you want it split by all three of those items...
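As an added illustration (not code from either poster), here is a Simple XML panel that answers the original question directly: one row per critical signature with the number of affected hosts, counting each host once even if it appears in several scans within the time range. It assumes the field names shown on the page (dest, severity, signature) and the two sourcetypes from the search; the dashboard and panel titles are placeholders.

```xml
<dashboard>
  <label>Critical Nessus Findings</label>
  <row>
    <panel>
      <title>Critical vulnerabilities by number of affected hosts</title>
      <table>
        <search>
          <!-- dc(dest) gives the affected-host count per signature; values(dest)
               keeps the list of hosts so the panel stays useful for triage.
               Time range is a week so repeated weekly scans do not double-count. -->
          <query>
            sourcetype="nessus" OR sourcetype="nessus:scan" severity="critical"
            | stats dc(dest) AS affected_hosts values(dest) AS hosts BY signature, severity
            | eval hosts=mvjoin(hosts, ", ")
            | sort - affected_hosts
            | fields signature affected_hosts hosts
          </query>
          <earliest>-7d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="count">20</option>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</dashboard>
```

Paste this under Dashboards > Create New Dashboard > Source, or run the SPL inside the query element on its own and use Save As > Dashboard Panel to get the same result.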