About rahul8777

rahul8777 · ‎08-18-2021

Hello Arun Thanks for the response . i m wondering the solution for vulnerability dashboard where noticed in query for "Total Vulnerabilities Found Today" from both (Tenable.sc and Tenable.io ) data should required and if tenable.sc only required for On-prem then how dashboard will work for On-prem . For your reference below is the query. | inputlookup io_vuln_data_lookup | eval today = round(relative_time(now(), "-0d@d")) | where last_found >= today AND synopsis!="" AND synopsis!="N/A" AND synopsis!="n/a" AND synopsis!="None" | eval product="Tenable.io" | search (product="*") (severity="*") | append [| inputlookup sc_vuln_data_lookup | eval today = round(relative_time(now(), "-0d@d")) | where last_found >= today AND synopsis!="" AND synopsis!="N/A" AND synopsis!="n/a" AND synopsis!="None" | eval product="Tenable.sc" | search (product="*") (severity="*")] | eval state=if(state="fixed","fixed", "not fixed") | stats dc(synopsis) as Count by state | stats sum(Count) as "Total Vulnerabilities Found Today"

rahul8777 · ‎08-03-2021

not yet tried on Soc prime forum.

rahul8777 · ‎08-02-2021

Hello, Thanks you for your response. I just want know is there any use case through which alert can trigger as per Soc prime IOCs. Regards, Rahul

rahul8777 · ‎08-01-2021

Hello, Please guide me, how can i use "Soc prime" tool with Splunk as i am new with Soc prime. Regards, Rahul

rahul8777 · ‎07-28-2021

Please help someone on above mentioned query

rahul8777 · ‎07-27-2021

Hello, The Tenable Add-on for Splunk stores data with the following sources and source types. Tenable.sc Source Sourcetype Description <username>|<address> tenable:sc:vuln This collects all vulnerability data. <username>|<address> tenable:sc:assets This collects pull assets data. <username>|<address> tenable:sc:plugin This collects all plugin data. Tenable.io Source Sourcetype Description tenable_io://<data input name> tenable:io:vuln This collects all vulnerability data. tenable_io://<data input name> tenable:io:assets This collects all asset data. tenable_io://<data input name> tenable:io:plugin This collects all plugin data. In my production environment i am getting logs from sourcetype Tenable.sc (tenable:sc:vuln, tenable:sc:assets, tenable:sc:plugin)) and these sourcetypes are visible in in my data summary however sourcetype Tenable.io (tenable:io:vuln, tenable:io:assets, tenable:io:plugin) are not visible in data summary and not getting logs from these sourcetype. Question:- 1)need help to be confirmed for sourcetype Tenable.io either it is configure or not and if it is configured then why not visible in data summary sourcetype lists. 2)how can i identify ,where is my Tenable add-on is installed . 3)Tenable vulnerability dashboard not working. Requesting answer for above mentioned question. Thanks in advance

rahul8777 · ‎07-24-2021

Thanks kamlesh

rahul8777 · ‎07-24-2021

sourcetype=cp_log action!=Drop OR action!=Reject OR action!=dropped I am socked ,when i am searching with above query in Splunk search for my checkpoint logs .it showing me Drop traffic ,although i have clearly mentioned in query that i don't need Drop traffic(action!=Drop) Kindly help me on this!

Posts	8
Solutions	1
Karma Given	1
Karma Received	0
Member Since	‎07-24-2021

Online Status	Offline
Date Last Visited	‎08-19-2021 03:23 AM

Use of soc prime

Tenable add on

Firewall logs

Re: Tenable add on

Re: Use of soc prime

Re: Use of soc prime

Use of soc prime

Re: Tenable add on

Tenable add on

Re: Firewall logs

Firewall logs