Why is the minimum interval set at 1 day (86400 seconds)? Frequently, when visiting the Tenable App dashboard, "Vulnerabilities today" is 0 as it has not yet pulled for that day. Can we decrease the interval to have it pull more than once a day? I have tried to set it below 86400 but it says it has to be greater than that.
What I did was modify the dashboard panels for "today" to include latest=-1d@d in the base search.
That way the panels won't be zero; you just have to know that today really means yesterday... guess I should change the names on those panels too 😛
The Interval for the SecurityCenter input is minimum one day, 86400 seconds, because of how the SecurityCenter API works. Today the smallest differential we can pull from SecurityCenter is one day. If this changes in the future we will update the validation to allow a smaller interval to be set.
nkeuning - The SC input type does not allow you to specify an 'earliest' time from which to retrieve records. By default, what is the time range (how far back) it will pull the records? In the previous add-on it was pulling records 30 days back by default. As this add-on pulls records only once per day, how do we set a particular time in the day to get that done?
The first time the SC input runs it will pull ALL vulnerabilities for all time, indexed based on firstSeen time. The Splunk Input functionality only allows you to set an interval to run on, not control when the interval starts, as far as I know.
By default, what is the time at which the interval starts?
The time that you first create the input.
Thanks nkeuning
I have created the input at 6 AM but I do see events coming in at 10 AM and later in the day as well. As it runs only once per day since the interval is set at 86400 seconds, I am not sure how we are getting data later in the day even though the input was created at 6 AM. Can you please confirm if this runs more than once in a day even though the interval is set at 86400 seconds?
It only runs once per day. Please make sure you have your time filter set to all time since all events are indexed based on the firstSeen time of the vulnerability, not the time the integration ran.
One thing that we observed in our environment is that the add-on is not collecting all the events with pluginID=19506 (Nessus Scan Information). Can you please let me know if this came to your notice before or is this something that's new?
If the data is available we will pull it. Just remember we only pull it the first time it is seen; we never update the events or create new events when the plugin_output changes.
There are vulnerabilities that can have multiple outputs, and if those don't update, the one shown in Splunk won't be accurate. For example, plugin 21745, which shows authentication failure, has 6 different outputs, but if it only shows the first one found for a device, and the device has been scanned over and over and in SC there are new outputs, Splunk would only show the first one it saw.
Can you please let me know if this issue will be fixed in the next version or if there is any workaround with the present version?
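To make the stale-output behaviour described in the post above concrete, here is an added example (not the add-on's code) that replays two constructed daily scans through a first-seen-only dedup, as the thread describes, and through a variant that also keys on plugin_output; the record fields, host and output strings are assumed for illustration.

```python
# Added example, not part of the Tenable add-on: a toy model of "only pull a
# vulnerability the first time it is seen" versus a dedup that also tracks
# plugin_output, to show which output ends up visible in Splunk.

def ingest(records, seen, key_fields):
    """Return the records whose key (built from key_fields) has not been seen
    before, and remember their firstSeen time in `seen`. Models the add-on's
    one-time pull: anything whose key is already in `seen` is dropped."""
    emitted = []
    for rec in records:
        key = tuple(rec[f] for f in key_fields)
        if key not in seen:
            seen[key] = rec["firstSeen"]
            emitted.append(rec)
    return emitted


# Key the thread describes (vulnerability identity only) and an alternative
# that treats a changed plugin_output as something worth re-emitting.
FIRST_SEEN_KEY = ("ip", "pluginID", "port")
OUTPUT_AWARE_KEY = FIRST_SEEN_KEY + ("plugin_output",)


def latest_output_in_splunk(daily_scans, key_fields):
    """Replay daily scan results through the dedup and return the plugin_output
    that would be visible in Splunk per (ip, pluginID, port) afterwards."""
    seen, visible = {}, {}
    for scan in daily_scans:
        for rec in ingest(scan, seen, key_fields):
            visible[(rec["ip"], rec["pluginID"], rec["port"])] = rec["plugin_output"]
    return visible


# Constructed scan results (assumed values): the same host reports plugin
# 21745 on two consecutive days with a different output the second time.
SCAN_DAY1 = [{"ip": "10.0.0.5", "pluginID": "21745", "port": "0",
              "firstSeen": 1700000000, "plugin_output": "SSH login failed"}]
SCAN_DAY2 = [{"ip": "10.0.0.5", "pluginID": "21745", "port": "0",
              "firstSeen": 1700000000, "plugin_output": "SMB login failed"}]

if __name__ == "__main__":
    # First-seen-only keeps the day-1 output; the output-aware key surfaces day 2.
    print(latest_output_in_splunk([SCAN_DAY1, SCAN_DAY2], FIRST_SEEN_KEY))
    print(latest_output_in_splunk([SCAN_DAY1, SCAN_DAY2], OUTPUT_AWARE_KEY))
```

When reviewing an authentication-failure finding in Splunk, treat plugin_output as the output at firstSeen time and confirm the current text in SecurityCenter before acting on it.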
We plan to support a minimum 5 minute interval in the next major release of the apps as long as you are connecting to SC 5.7+.
Thanks, do you know when the next major release will be?
Our goal is to have it GA in Q1 with a long beta starting in January.
Thanks nkeuning. Yes, there is no control over when the interval starts. Looks like we will not be able to know when to go back and check for the records in a day, as there is no certain time we know it will start the interval.