Merge pull request #567 from CrossRealms/nessus_pro_support

Added support for nessus:pro data.

cyences_app_for_splunk/appserver/static/cs_asset_intelligence.js

@@ -52,6 +52,8 @@ function(mvc, SplunkCommonUtilities){
                 unsetToken("tkn_show_hide_qualys");
                 setToken("tkn_tablefields_tenable", "");
                 unsetToken("tkn_show_hide_tenable");
+                setToken("tkn_tablefields_nessus", "");
+                unsetToken("tkn_show_hide_nessus");
                 setToken("tkn_tablefields_sophos", "");
                 unsetToken("tkn_show_hide_sophos");
                 setToken("tkn_tablefields_defender", "");
@@ -65,10 +67,11 @@ function(mvc, SplunkCommonUtilities){
             let lansweeper = results[0];
             let qualys = results[1];
             let tenable = results[2];
-            let sophos = results[3];
-            let defender = results[4];
-            let crowdstrike = results[5];
-            let kaspersky = results[6];
+            let nessus = results[3];
+            let sophos = results[4];
+            let defender = results[5];
+            let crowdstrike = results[6];
+            let kaspersky = results[7];
 
             if(lansweeper > 0){
                 setToken("tkn_tablefields_lansweeper", ", lansweeper");
@@ -97,6 +100,15 @@ function(mvc, SplunkCommonUtilities){
                 unsetToken("tkn_show_hide_tenable");
             }
 
+            if(nessus > 0){
+                setToken("tkn_tablefields_nessus", ", nessus");
+                setToken("tkn_show_hide_nessus", "true");
+            }
+            else{
+                setToken("tkn_tablefields_nessus", "");
+                unsetToken("tkn_show_hide_nessus");
+            }
+
             if(sophos > 0){
                 setToken("tkn_tablefields_sophos", ", sophos");
                 setToken("tkn_show_hide_sophos", "true");

cyences_app_for_splunk/appserver/static/cs_device_inventory_table.js

@@ -178,6 +178,10 @@ require([
                     [| inputlookup cs_tenable_inventory
                     | rename time as tenable_last_event, created_at as tenable_created_at, first_seen as tenable_first_seen, last_seen as tenable_last_seen 
                     | fields - ip, hostname, mac_address] 
+                | append 
+                    [| inputlookup cs_nessus_inventory
+                    | rename time as nessus_last_event, created_at as nessus_created_at, first_seen as nessus_first_seen, last_seen as nessus_last_seen 
+                    | fields - ip, hostname, mac_address] 
                 | append 
                     [| inputlookup cs_qualys_inventory
                     | rename time as qualys_last_event 
@@ -205,7 +209,7 @@ require([
             | eval _time=strftime(latest_time, "%F %T") 
             | eval Select="CHECKBOX_THIS_".uuid 
             | rename ips as ip, hostnames as hostname, mac_addresses as mac_address
-            | table uuid, Select, _time, ip, hostname, mac_address, lansweeper_id, lansweeper_state, lansweeper_asset_type, lansweeper_os, lansweeper_user, lansweeper_description, qualys_id, QUALYS_OS, qualys_network_id, tenable_uuid, tenable_os, sophos_uuid, sophos_type, sophos_os, sophos_user, sophos_login_via, sophos_health, sophos_product_installed, crowdstrike_id,kaspersky_collected_by,kaspersky_version,kaspersky_host, kaspersky_status windows_defender_host 
+            | table uuid, Select, _time, ip, hostname, mac_address, lansweeper_id, lansweeper_state, lansweeper_asset_type, lansweeper_os, lansweeper_user, lansweeper_description, qualys_id, QUALYS_OS, qualys_network_id, tenable_uuid, tenable_os, nessus_uuid, nessus_os, sophos_uuid, sophos_type, sophos_os, sophos_user, sophos_login_via, sophos_health, sophos_product_installed, crowdstrike_id,kaspersky_collected_by,kaspersky_version,kaspersky_host, kaspersky_status windows_defender_host 
             | transpose 0 header_field=uuid column_name=field include_empty=false`);
                 // $container is the jquery object where we can put out content.
                 // In this case we will render our chart and add it to the $container

cyences_app_for_splunk/appserver/static/cs_overview.js

@@ -62,7 +62,7 @@ require([
         { token: 'o365', associated_products: ['Office 365'] },
         { token: 'email', associated_products: ['Office 365', 'Google Workspace'] },
         { token: 'network_compromise', associated_products: ['Cisco IOS', 'FortiGate', 'Palo Alto', 'Sophos Firewall', 'Cisco Meraki'] },
-        { token: 'vulnerability', associated_products: ['Qualys', 'Tenable', 'CrowdStrike Spotlight'] },
+        { token: 'vulnerability', associated_products: ['Qualys', 'Tenable', 'Nessus', 'CrowdStrike Spotlight'] },
         { token: 'ad_windows', associated_products: ['Sysmon', 'Windows', 'Windows AD', 'Windows DNS'] },
         { token: 'credential_compromise', associated_products: ['Sysmon'] },
         { token: 'ransomware', associated_products: ['Sysmon', 'Windows', 'Cisco IOS', 'FortiGate', 'Palo Alto', 'Sophos Firewall', 'Cisco Meraki'] },

cyences_app_for_splunk/appserver/static/dashboard.js

@@ -79,6 +79,5 @@ require([
 
     // Handles the multi-select option properly
     SplunkCommonUtilities.vSetupMultiSelectHandlerOnAll();
-    // TODO - Add this to release notes as this is major useful feature for user.
     // When user selects any item, it will automatically unselect "All" option. And when user selects "All" option then it will automatically unselect all other.
 });

cyences_app_for_splunk/appserver/static/notable_event_editor.js

@@ -108,7 +108,6 @@ require([
             new SplunkCommonUtilities.VSearchManagerUtility(
                 function(results){
                     if (results != null) {
-                        // TODO - read through the output of the results and validate the custom command was successful.
                         searchesCompleted[i] = true;
                     }
                 },

cyences_app_for_splunk/appserver/static/privilege_user_role_editor.js

@@ -106,7 +106,6 @@ require([
             new SplunkCommonUtilities.VSearchManagerUtility(
                 function(results){
                     if (results != null) {
-                        // TODO - read through the output of the results and validate the custom command was successful.
                         searchesCompleted[i] = true;
                     }
                 },

cyences_app_for_splunk/bin/cs_product_list.py

@@ -316,7 +316,20 @@ def build_source_reviewer_search(by, values, first_call=True):
                 "macro_name": "cs_tenable",
                 "label": "Tenable Data",
                 "search_by": "sourcetype",
-                "search_values": "tenable:io:assets,tenable:io:plugin,tenable:io:vuln,tenable:sc:assets,tenable:sc:plugin,tenable:sc:vuln",
+                "search_values": "tenable:io:assets,tenable:io:vuln,tenable:sc:assets,tenable:sc:vuln",
+                "earliest_time": "-7d@d",
+                "latest_time": "now",
+            }
+        ],
+    },
+    {
+        "name": "Nessus",
+        "macro_configurations": [
+            {
+                "macro_name": "cs_nessus",
+                "label": "Nessus Data",
+                "search_by": "sourcetype",
+                "search_values": "nessus:pro:vuln,nessus_json",
                 "earliest_time": "-7d@d",
                 "latest_time": "now",
             }

cyences_app_for_splunk/default/collections.conf

@@ -36,6 +36,10 @@ accelerated_fields.incident_id = {"notable_event_id": 1}
 
 [cs_tenable_vuln_collection]
 
+[cs_nessus_inventory_collection]
+
+[cs_nessus_vuln_collection]
+
 [cs_qualys_inventory_collection]
 
 [cs_sophos_inventory_collection]

cyences_app_for_splunk/default/data/ui/views/cs_asset_intelligence.xml

@@ -11,7 +11,7 @@
     <latest>now</latest>
   </search>
   <search base="base_inventory_table" id="show_hide_search">
-    <query>| stats first(lansweeper_last_event) as field_lansweeper, first(qualys_last_event) as field_qualys, first(tenable_last_event) as field_tenable, first(sophos_last_event) as field_sophos, first(defender_last_event) as field_defender, first(crowdstrike_last_event) as field_crowdstrike, first(kaspersky_last_event) as field_kaspersky</query>
+    <query>| stats first(lansweeper_last_event) as field_lansweeper, first(qualys_last_event) as field_qualys, first(tenable_last_event) as field_tenable, first(nessus_last_event) as field_nessus, first(sophos_last_event) as field_sophos, first(defender_last_event) as field_defender, first(crowdstrike_last_event) as field_crowdstrike, first(kaspersky_last_event) as field_kaspersky</query>
   </search>
   <fieldset submitButton="false"></fieldset>
   <row>
@@ -50,6 +50,7 @@
         <br/>Lansweeper -&gt; $tkn_show_hide_lansweeper$ - $tkn_filter_main_label$
         <br/>Qualys -&gt; $tkn_show_hide_qualys$ - $tkn_filter_ip_only$ - $tkn_filter_ip_only_label$
         <br/>Tenable -&gt; $tkn_show_hide_tenable$ - $tkn_filter_ip_host$ - $tkn_filter_ip_host_label$
+        <br/>Nessus -&gt; $tkn_show_hide_nessus$ - $tkn_filter_ip_host$ - $tkn_filter_ip_host_label$
         <br/>VPN, Radius Authentication, Authentication -&gt; $tkn_filter_authentication$ - $tkn_filter_authentication_label$
         <br/>CrowdStrike -&gt; $tkn_show_hide_crowdstrike$ - $tkn_filter_main$ - $tkn_filter_main_label$
         <br/>Kaspersky -&gt; $tkn_show_hide_kaspersky$ - $tkn_filter_main$ - $tkn_filter_main_label$
@@ -63,9 +64,9 @@
       <title>Device Inventory $tkn_filter_main_label$</title>
       <table>
         <search base="base_inventory_table">
-          <query>table uuid, hostname, ip, mac_address, os, user $tkn_tablefields_lansweeper$ $tkn_tablefields_qualys$ $tkn_tablefields_tenable$, active_vul, high_vul $tkn_tablefields_sophos$ $tkn_tablefields_defender$ $tkn_tablefields_crowdstrike$ $tkn_tablefields_kaspersky$ tmp_*  | rename hostname as host | search $tkn_filter_main$</query>
+          <query>table uuid, hostname, ip, mac_address, os, user $tkn_tablefields_lansweeper$ $tkn_tablefields_qualys$ $tkn_tablefields_tenable$ $tkn_tablefields_nessus$, active_vul, high_vul $tkn_tablefields_sophos$ $tkn_tablefields_defender$ $tkn_tablefields_crowdstrike$ $tkn_tablefields_kaspersky$ tmp_*  | rename hostname as host | search $tkn_filter_main$</query>
         </search>
-        <fields>uuid, host, ip, mac_address, os, user $tkn_tablefields_lansweeper$ $tkn_tablefields_qualys$ $tkn_tablefields_tenable$, active_vul, high_vul $tkn_tablefields_sophos$ $tkn_tablefields_defender$ $tkn_tablefields_crowdstrike$ $tkn_tablefields_kaspersky$</fields>
+        <fields>uuid, host, ip, mac_address, os, user $tkn_tablefields_lansweeper$ $tkn_tablefields_qualys$ $tkn_tablefields_tenable$ $tkn_tablefields_nessus$, active_vul, high_vul $tkn_tablefields_sophos$ $tkn_tablefields_defender$ $tkn_tablefields_crowdstrike$ $tkn_tablefields_kaspersky$</fields>
         <option name="count">5</option>
         <option name="drilldown">none</option>
         <option name="refresh.display">progressbar</option>
@@ -79,6 +80,9 @@
         <format type="color" field="tenable">
           <colorPalette type="map">{"Green": #008000, "Blue": "#6DB7C6", "Yellow": #cbcf00, "Orange": #ff8c00, "Red": #B83C08, "-": #363030}</colorPalette>
         </format>
+        <format type="color" field="nessus">
+          <colorPalette type="map">{"Green": #008000, "Blue": "#6DB7C6", "Yellow": #cbcf00, "Orange": #ff8c00, "Red": #B83C08, "-": #363030}</colorPalette>
+        </format>
         <format type="color" field="high_vul">
           <colorPalette type="list">[#008000,#B83C08]</colorPalette>
           <scale type="threshold">1</scale>