Here is my props.conf for the Qualys vulnerability data:
[qualys:hostDetection]
LOOKUP-2_qualys_nvd_lookup = nvd_db_lookup cve AS cve OUTPUT cvss_access_complexity AS cvss_access_complexity, cvss_access_vector AS cvss_access_vector, cvss_authentication AS cvss_authentication, cvss_availability_impact AS cvss_availability_impact, cvss_base AS cvss_base, cvss_confidentiality_impact AS cvss_confidentiality_impact, cvss_exploit AS cvss_exploit, cvss_integrity_impact AS cvss_integrity_impact, summary AS summary
LOOKUP-1_qualys_kb_lookup = qualys_kb_lookup QID as qid OUTPUT VULN_TYPE as vuln_type, PATCHABLE as patchable, PCI_FLAG as PCI_flag, TITLE as signature, CATEGORY as vuln_category, PUBLISHED_DATETIME as published_datetime, CVSS_BASE as cvss, CVSS_TEMPORAL as cvss_temporal, CVE as cve, VENDOR_REFERENCE as xref
The LOOKUP-1_qualys_kb_lookup comes straight from the Qualys TA.
The second one should take the cve ID returned from the first lookup and then grab the associated CVSS metrics from another lookup table.
The lookup names in lexicographical order should have them working properly, but I never get the CVSS metrics. I've copied the lookup logic into the search pipeline and that works fine, so I know it isn't a problem with the lookup syntax.
Any ideas on why this isn't working?
Thx.
Hi @responsys_cm
It seems to be a permission issue.
So include the below stanza in metadata/default.meta:
[props/<sourcetype_name>/LOOKUP-<Automatic_Lookup_Name>]
export = system
In your case it will be
[props/qualys:hostdetection/LOOKUP-nvd_db_lookup]
export = system
I tried that and it didn't work. When I look at the permissions for the lookup table and the automatic lookup, they are all set to Global...
I'm seeing this error message:
01-12-2018 18:11:30.440 +0000 ERROR LookupOperator - The lookup table 'nvd_db_lookup' does not exist. It is referenced by configuration 'qualys:hostdetection'.
The lookup table exists on disk. The data in it looks valid. The transforms.conf entry for that lookup is:
[nvd_db_lookup]
filename = nvd_db_lookup.csv
max_matches = 1
That's the file name. All these configs are in the same search app.
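As an added, constructed example (not from this thread, the Qualys TA or Splunk itself): a small Python model of how Splunk applies the LOOKUP-<class> settings of a props.conf stanza in ASCII order of the class name, run over made-up qualys_kb_lookup and nvd_db_lookup rows (the QID, CVE and metric values are invented). It shows the chain working when the KB lookup sorts first, the CVSS fields staying absent when the names sort the other way round, and the failure raised when a referenced transform has no table behind it, which is the condition the LookupOperator error above reports. Assumptions: exact, case-sensitive field matching and max_matches = 1; app permission scoping is not modelled, so a table is simply present or missing.

```python
import csv
import io
import re

# Constructed sample lookup tables standing in for qualys_kb_lookup and
# nvd_db_lookup; every value below is made up for this example.
TABLES = {
    "qualys_kb_lookup": """QID,TITLE,CVE,CVSS_BASE,PATCHABLE
91234,Example Hotfix Missing,CVE-2017-0000,9.3,1
""",
    "nvd_db_lookup": """cve,cvss_base,cvss_access_vector,summary
CVE-2017-0000,9.3,NETWORK,Constructed example entry
""",
}

# A trimmed props.conf stanza in the same shape as the one in the question.
PROPS_STANZA = """[qualys:hostDetection]
LOOKUP-2_qualys_nvd_lookup = nvd_db_lookup cve AS cve OUTPUT cvss_base AS cvss_base, cvss_access_vector AS cvss_access_vector, summary AS summary
LOOKUP-1_qualys_kb_lookup = qualys_kb_lookup QID as qid OUTPUT TITLE as signature, CVSS_BASE as cvss, CVE as cve, PATCHABLE as patchable
"""


class LookupTableMissing(Exception):
    """Raised when a LOOKUP- setting references a transform with no table behind it."""


def _parse_field_list(spec):
    """'QID as qid, CVE as cve' -> [('QID', 'qid'), ('CVE', 'cve')].
    The AS keyword is optional and case-insensitive; without it the event
    field name equals the table field name."""
    pairs = []
    for item in spec.split(","):
        parts = re.split(r"\s+as\s+", item.strip(), flags=re.IGNORECASE)
        field = parts[0]
        alias = parts[1] if len(parts) > 1 else field
        pairs.append((field, alias))
    return pairs


def parse_props_lookups(stanza_text):
    """Parse the LOOKUP-<class> settings of a props.conf stanza and return
    them sorted by class name, the ASCII order in which they are applied."""
    lookups = []
    for line in stanza_text.splitlines():
        m = re.match(
            r"^(LOOKUP-\S+)\s*=\s*(\S+)\s+(.*?)\s+OUTPUT(?:NEW)?\s+(.*)$",
            line.strip(),
            flags=re.IGNORECASE,
        )
        if not m:
            continue  # stanza header, comments, non-lookup settings
        name, transform, inputs, outputs = m.groups()
        lookups.append({
            "name": name,
            "transform": transform,
            "inputs": _parse_field_list(inputs),    # (table_field, event_field)
            "outputs": _parse_field_list(outputs),  # (table_field, event_field)
        })
    return sorted(lookups, key=lambda lk: lk["name"])


def load_table(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def apply_automatic_lookups(event, lookups, tables, max_matches=1):
    """Apply each lookup in turn to a copy of the event and return it."""
    event = dict(event)
    for lk in lookups:
        if lk["transform"] not in tables:
            # Modelled on the LookupOperator error from the thread (assumption:
            # real Splunk reports the sourcetype, not the class name).
            raise LookupTableMissing(
                f"The lookup table '{lk['transform']}' does not exist. "
                f"It is referenced by configuration '{lk['name']}'."
            )
        # A lookup whose input field is not on the event yet cannot match.
        # This is exactly what happens when a chained lookup sorts before the
        # lookup that is supposed to produce its input.
        if any(evt_field not in event for _, evt_field in lk["inputs"]):
            continue
        rows = load_table(tables[lk["transform"]])
        matches = [
            row for row in rows
            if all(row.get(tbl) == event[evt] for tbl, evt in lk["inputs"])
        ]
        for row in matches[:max_matches]:
            for tbl, evt in lk["outputs"]:
                if tbl in row:
                    event[evt] = row[tbl]
    return event


def enrich(event, stanza=PROPS_STANZA, tables=TABLES):
    """Convenience wrapper: parse the stanza and enrich one event."""
    return apply_automatic_lookups(event, parse_props_lookups(stanza), tables)


if __name__ == "__main__":
    print(enrich({"qid": "91234"}))
    # Renaming the KB class so it sorts after the NVD class breaks the chain.
    print(enrich({"qid": "91234"}, stanza=PROPS_STANZA.replace("LOOKUP-1_", "LOOKUP-9_")))
```

Running it prints the fully enriched event first (qid, signature, cvss, cve, patchable and then the NVD metrics), and a second event that has cve but none of the NVD fields, because with the classes renamed the NVD lookup ran before cve existed. Dropping nvd_db_lookup from the table dictionary makes enrich raise LookupTableMissing, the same symptom the error message above reports; in a real deployment that usually means the transform or its CSV is not visible from the app or user context that applies the sourcetype.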