My employer recently stood up the Tenable connector to Splunk and is looking to take full advantage of it. My experience in Splunk is very limited, but here are the main points.
1. We have 10,000 endpoints of numerous OS, but largely just need to focus on 2 groups: Windows and everything else.
2. We use VPN heavily, which distorts the IP field for all of our Windows Endpoints, thus rendering it unusable for Windows.
3. Due to the VPN problem, I've been attempting to use the netbiosName field in its place and then using the ip field for non-Windows machines.
4. The netbiosName field contains two potential values that appear such as: XXXX\MachineName or XXXXXXXXX\MachineName
5. The problem I am running into is that I cannot seem to get a proper result for our total host count, and the vulnerability count tends to waffle depending on the search parameters. We can get the vulnerability_per_host result easily enough, but I'm unsure how reliable my query is over the long haul (or if I missed a step).
Here is the query I've been tinkering with:
index=nessus plugin_family_type="active" (severity="High" OR severity="Critical") (state="Open" OR state="Reopened")
``` AND binds tighter than OR in SPL, so the severity and state alternatives need parentheses ```
| rex field=netbiosName "\\\\(?<CombinedName>[^.]+)"
``` CombinedName = text after the DOMAIN\ prefix, up to a dot; it is null when netbiosName is absent ```
| eval hostvalue=coalesce(CombinedName, ip)
``` like() uses SQL wildcards (% and _), so like(CombinedName, "*") only matched a literal asterisk; coalesce() falls back to ip when there is no name ```
| eval unique_id=hostvalue.":".plugin_id
``` key findings by the same host value, with a separator so host and plugin_id cannot run together ```
| stats dc(unique_id) as totalvulns, dc(hostvalue) as totalhosts
| eval vuln_per_host=round(totalvulns/totalhosts, 2)
| fields totalvulns totalhosts vuln_per_host
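The following is an added example, not code from the original post or from the Tenable/Splunk integration: it reproduces the host-key and distinct-count logic of the search above in Python over constructed records shaped like the Nessus events (netbiosName, ip, plugin_family, plugin_id, severity, state, plugin_family_type), so the effect of the two filter and host-key problems in the posted query (unparenthesised OR, and a like() test that never matches) can be seen on data. The `as_posted` flag switches between the intended logic and the behaviour the posted search actually has; the sample rows and host names are invented.

```python
"""
Host and finding counts for VPN-distorted vulnerability scan data.

Added example (not part of the original post). Mirrors the SPL stages:
rex on netbiosName -> host key -> dc(unique_id) / dc(hostvalue).
All sample events below are constructed.
"""
import re

# Same intent as the rex in the search: the text after the first backslash
# of "DOMAIN\MachineName", stopping at a dot.
NETBIOS_RE = re.compile(r"\\(?P<machine>[^.\\]+)")


def ev(netbios, ip, family, plugin_id, severity, state, ftype="active"):
    """Build one constructed scan event with the field names used in the post."""
    return {"netbiosName": netbios, "ip": ip, "plugin_family": family,
            "plugin_id": plugin_id, "severity": severity, "state": state,
            "plugin_family_type": ftype}


# Constructed sample: WS-001 shows up on three VPN addresses, and WS-002 later
# receives the address WS-001 had first.
SAMPLE_EVENTS = [
    ev("CORP\\WS-001", "10.8.0.5", "Windows", 10001, "High", "Open"),
    ev("CORP\\WS-001", "10.8.0.9", "Windows", 10001, "High", "Open"),           # same finding, new VPN address
    ev("CORP\\WS-001", "10.8.0.12", "General", 10002, "Critical", "Reopened"),  # non-Windows family on a Windows host
    ev("CORPDOMAIN\\WS-002", "10.8.0.5", "Windows", 10001, "Critical", "Open"), # other host, WS-001's old address
    ev(None, "10.1.2.3", "Debian Local Security Checks", 20001, "High", "Open"),
    ev(None, "10.1.2.3", "Debian Local Security Checks", 20002, "Critical", "Open"),
    ev(None, "10.1.2.3", "Debian Local Security Checks", 20003, "Medium", "Open"),  # below severity cutoff
    ev("CORP\\WS-001", "10.8.0.12", "Windows", 10003, "High", "Fixed"),        # closed; must not count
    ev(None, "10.1.2.4", "General", 30001, "High", "Open", ftype="passive"),   # not an active plugin
]


def machine_name(netbios):
    """Machine part of 'DOMAIN\\Machine', or None when the field is absent/unparseable."""
    if not netbios:
        return None
    m = NETBIOS_RE.search(netbios)
    return m.group("machine") if m else None


def host_key(event, as_posted=False):
    """Stable host identity: NetBIOS machine name when present, otherwise ip.

    as_posted=True reproduces the posted eval, where like(CombinedName, "*")
    tests for a literal asterisk (SQL wildcards are % and _), so every event
    falls through to ip and each VPN address is counted as a separate host.
    """
    name = machine_name(event.get("netbiosName"))
    if as_posted:
        return name if name == "*" else event["ip"]
    return name or event["ip"]


def in_scope(event, as_posted=False):
    """Active plugins with High/Critical severity in Open/Reopened state.

    as_posted=True evaluates the unparenthesised search the way SPL parses it
    (AND binds tighter than OR):
        (active AND High) OR (Critical AND Open) OR Reopened
    which lets High findings through in any state, Fixed included.
    """
    sev, state, ftype = event["severity"], event["state"], event["plugin_family_type"]
    if as_posted:
        return ((ftype == "active" and sev == "High")
                or (sev == "Critical" and state == "Open")
                or state == "Reopened")
    return ftype == "active" and sev in ("High", "Critical") and state in ("Open", "Reopened")


def summarize(events, as_posted=False):
    """Distinct (host, plugin_id) findings and distinct hosts, like the stats stage."""
    findings, hosts = set(), set()
    for e in events:
        if not in_scope(e, as_posted):
            continue
        h = host_key(e, as_posted)
        hosts.add(h)
        findings.add((h, e["plugin_id"]))
    per_host = round(len(findings) / len(hosts), 2) if hosts else 0.0
    return {"totalvulns": len(findings), "totalhosts": len(hosts), "vuln_per_host": per_host}


if __name__ == "__main__":
    print("intended :", summarize(SAMPLE_EVENTS))
    print("as posted:", summarize(SAMPLE_EVENTS, as_posted=True))
```

On the constructed rows the intended logic reports 5 findings on 3 hosts; the as-posted logic reports 6 findings on 4 hosts, because the Fixed finding passes the mangled filter and WS-001's three VPN addresses become three hosts while WS-002's finding collapses into WS-001's under the shared address. That is the same instability the post describes when search parameters change.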