

Filtering events which is for compliance and not for vulnerabilities …
…in tenable data.
VatsalJagani committed Jun 21, 2024
1 parent 5722fa5 commit 1c7f889
Showing 1 changed file with 7 additions and 2 deletions.
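--- a/cyences_app_for_splunk/default/savedsearches.conf
+++ b/cyences_app_for_splunk/default/savedsearches.conf
@@ -6144,7 +6144,8 @@ display.page.search.tab = statistics
 display.page.search.mode = fast
 request.ui_dispatch_app = cyences_app_for_splunk
 request.ui_dispatch_view = search
-search = | tstats `cs_summariesonly_cyences_vulnerabilities` count, latest(Vulnerabilities.category) as category, latest(Vulnerabilities.cpe) as cpe, latest(Vulnerabilities.cve) as cve, latest(Vulnerabilities.cvss) as cvss, latest(Vulnerabilities.description) as description, latest(Vulnerabilities.dest_ip) as dest_ip, latest(Vulnerabilities.dest_name) as dest_name, latest(Vulnerabilities.dvc) as dvc, latest(Vulnerabilities.first_found) as first_found, latest(Vulnerabilities.has_patch) as has_patch, latest(host) as host, latest(Vulnerabilities.in_the_news) as in_the_news, latest(Vulnerabilities.last_found) as last_found, latest(Vulnerabilities.last_scan_time) as last_scan_time, latest(Vulnerabilities.os) as os, latest(Vulnerabilities.port) as port, latest(Vulnerabilities.protocol) as protocol, latest(Vulnerabilities.published_time) as published_time, latest(Vulnerabilities.severity) as severity, latest(Vulnerabilities.signature) as signature, latest(Vulnerabilities.signature_id) as signature_id, latest(Vulnerabilities.solution) as solution, latest(Vulnerabilities.status) as status, latest(_time) as time, latest(Vulnerabilities.tracking_method) as tracking_method, latest(Vulnerabilities.type) as type, latest(Vulnerabilities.user) as user FROM datamodel=Cyences_Vulnerabilities by Vulnerabilities.dest_id, Vulnerabilities.vul_id, Vulnerabilities.vendor_product \
+search = | tstats `cs_summariesonly_cyences_vulnerabilities` count, latest(Vulnerabilities.category) as category, latest(Vulnerabilities.cpe) as cpe, latest(Vulnerabilities.cve) as cve, latest(Vulnerabilities.cvss) as cvss, latest(Vulnerabilities.description) as description, latest(Vulnerabilities.dest_ip) as dest_ip, latest(Vulnerabilities.dest_name) as dest_name, latest(Vulnerabilities.dvc) as dvc, latest(Vulnerabilities.first_found) as first_found, latest(Vulnerabilities.has_patch) as has_patch, latest(host) as host, latest(Vulnerabilities.in_the_news) as in_the_news, latest(Vulnerabilities.last_found) as last_found, latest(Vulnerabilities.last_scan_time) as last_scan_time, latest(Vulnerabilities.os) as os, latest(Vulnerabilities.port) as port, latest(Vulnerabilities.protocol) as protocol, latest(Vulnerabilities.published_time) as published_time, latest(Vulnerabilities.severity) as severity, latest(Vulnerabilities.signature) as signature, latest(Vulnerabilities.signature_id) as signature_id, latest(Vulnerabilities.solution) as solution, latest(Vulnerabilities.status) as status, latest(_time) as time, latest(Vulnerabilities.tracking_method) as tracking_method, latest(Vulnerabilities.type) as type, latest(Vulnerabilities.user) as user FROM datamodel=Cyences_Vulnerabilities where NOT ((Vulnerabilities.vendor_product="Tenable.io" OR Vulnerabilities.vendor_product="Tenable.sc") AND Vulnerabilities.vul_id>1000000) by Vulnerabilities.dest_id, Vulnerabilities.vul_id, Vulnerabilities.vendor_product \
+``` NOTE - vul_id over 1 million is for custom compliance reason, not actual vulnerabilities for Tenable products ``` \
 | `drop_dm_object_name(Vulnerabilities)` \
 | inputlookup cs_all_vuln append=t \
 | dedup dest_id, vul_id, vendor_product \
@@ -6167,6 +6168,8 @@ request.ui_dispatch_app = cyences_app_for_splunk
 request.ui_dispatch_view = search
 search = | inputlookup cs_all_vuln \
 | addinfo | where time>=info_min_time and time<=info_max_time \
+| search NOT ((vendor_product="Tenable.io" OR vendor_product="Tenable.sc") AND vul_id>1000000) \
+``` NOTE - vul_id over 1 million is for custom compliance reason, not actual vulnerabilities for Tenable products ``` \
 | outputlookup cs_all_vuln
 
 
@@ -6247,14 +6250,16 @@ display.page.search.tab = statistics
 display.page.search.mode = fast
 request.ui_dispatch_app = cyences_app_for_splunk
 request.ui_dispatch_view = search
-search = `cs_tenable_vuln` | dedup tenable_uuid, vul_id \
+search = `cs_tenable_vuln` vul_id<1000000 | dedup tenable_uuid, vul_id \
 | eval time=_time, indextime=_indextime, product_name="Tenable", product_uuid=tenable_uuid \
 | fillnull ip, hostname, mac_address, user value="" \
 | table time, indextime, _time, product_name, product_uuid, hostname, user, ip, mac_address, tenable_uuid, vul_id, vul_name, vul_description, vul_severity, vul_severity_id, vul_state, last_fixed, last_found, vul_cve, vul_solution, vul_cpe, vul_family, vul_has_patch, vul_in_the_news, vul_risk_factor, vul_synopsis, vul_type, vul_version, vul_protocol, vul_port \
 | cyencesdevicemanager operation="addentries" \
 | fields - time \
 | append [| inputlookup cs_tenable_vuln] \
 | dedup tenable_uuid, vul_id sortby -_time \
+| where vul_id<1000000 \
+``` NOTE - vul_id over 1 million is for custom compliance reason, not actual vulnerabilities for Tenable products ``` \
 | outputlookup cs_tenable_vuln
 action.cyences_notable_event_action.products = Tenable
 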
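Review bot: The threshold boundary is handled inconsistently across the three hunks: the first two filter with `NOT (... AND vul_id>1000000)`, which keeps a record whose vul_id is exactly 1000000, while the third hunk filters with `vul_id<1000000` (both in the base search and in the later `| where vul_id<1000000`), which drops it. The NOTE comments say "over 1 million", so the first form matches the stated intent; either change the third hunk to `vul_id<=1000000` in both places, or define the cutoff once in a shared macro (`[cs_tenable_compliance_vul_id_threshold]` as a constructed example name) so the three searches cannot drift again. The comparisons also assume vul_id is numeric in the datamodel and in the `cs_all_vuln` / `cs_tenable_vuln` lookups; if it is ever stored as a string, a lexical comparison would silently keep or drop the wrong rows, so this is worth confirming against a Tenable.sc and a Tenable.io record. The hunks do not show the full stanza, so the savedsearch names these searches belong to are outside the visible lines.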
