Tenable Archives -

Overview of all medium to critical risks for Win20xx

Get an overview of all medium to critical risks for Windows 2008 / 2012: Windows 2008:

sourcetype="tenable:sc:vuln" cpe:/o:microsoft:windows_server_2008  | table ip, netbiosName, dnsName, severity.name, pluginName, solution, description | join ip type=inner max=0 [search index=main sourcetype="tenable:sc:vuln" baseScore>3  | table ip, netbiosName, dnsName, severity.name, pluginName, solution, description ] | sort by severity.name | chart count by severity.name

sourcetype="tenable:sc:vuln" cpe:/o:microsoft:windows_server_2008 | table ip, netbiosName, dnsName, severity.name, pluginName, solution, description | join ip type=inner max=0 [search index=main sourcetype="tenable:sc:vuln" baseScore>3 | table ip, netbiosName, dnsName, severity.name, pluginName, solution, description ] | sort by severity.name | chart count by severity.name

Windows 2012:

sourcetype="tenable:sc:vuln" cpe:/o:microsoft:windows_server_2012  | table ip, netbiosName, dnsName, severity.name, pluginName, solution, description | join ip type=inner max=0 [search index=main sourcetype="tenable:sc:vuln" baseScore>3  | table ip, netbiosName, dnsName, severity.name, pluginName, solution, description ] | sort by severity.name | chart count by severity.name

sourcetype="tenable:sc:vuln" cpe:/o:microsoft:windows_server_2012 | table ip, netbiosName, dnsName, severity.name, pluginName, solution, description | join ip type=inner max=0 [search index=main sourcetype="tenable:sc:vuln" baseScore>3 | table ip, netbiosName, dnsName, severity.name, pluginName, solution, description ] | sort by severity.name | chart count by severity.name

Continue Reading →

Overview SMB Shares with unprivileged access (tenable)

This search will give an overview of all SMB shares with unprivilged access.

sourcetype="tenable:sc:vuln" pluginID=42411 | table ip dnsName pluginText | rename "pluginText" as "Shares enabled" | rename "dnsName" as "DNS Name" | rename "ip" as "IP address"

1	sourcetype="tenable:sc:vuln" pluginID=42411 \| table ip dnsName pluginText \| rename "pluginText" as "Shares enabled" \| rename "dnsName" as "DNS Name" \| rename "ip" as "IP address"

Continue Reading →

SSL certificates about to expire

The query below will give an overview of all certificates about to expire (within 60 days)

 sourcetype="tenable:sc:vuln" synopsis="The SSL certificate associated with the remote service will expire soon." | dedup ip | lookup dnslookup clientip as ip | chart count by ip,clienthost

1	sourcetype="tenable:sc:vuln" synopsis="The SSL certificate associated with the remote service will expire soon." \| dedup ip \| lookup dnslookup clientip as ip \| chart count by ip,clienthost

Continue Reading →

SSL Certificates expired

The query below will give an overview of all hosts running expired certificates:

sourcetype="tenable:sc:vuln" synopsis="The remote server's SSL certificate has already expired." | dedup ip | chart count by ip

1	sourcetype="tenable:sc:vuln" synopsis="The remote server's SSL certificate has already expired." \| dedup ip \| chart count by ip

Continue Reading →

Top 10 most vulnerable systems (Tenable)

Get an overview of the 10 most vulnerable systems in your network

sourcetype="tenable:sc:vuln" baseScore > 3 | dedup cve ip | stats count by ip, riskFactor | sort 10-count | lookup dnslookup clientip as ip | chart sum(count) by clienthost

1	sourcetype="tenable:sc:vuln" baseScore > 3 \| dedup cve ip \| stats count by ip, riskFactor \| sort 10-count \| lookup dnslookup clientip as ip \| chart sum(count) by clienthost

Continue Reading →

Top exploitable vulnerabilities (tenable)

To see the top of exploitable vulnarabilities from the Tenable Security Center:

sourcetype="tenable:sc:vuln" exploitAvailable="yes" | chart count over pluginName by riskFactor

1	sourcetype="tenable:sc:vuln" exploitAvailable="yes" \| chart count over pluginName by riskFactor

Continue Reading →

Overall CVSS score (tenable)

Ronald (Access42)
3 1

Tenable uses the CVSS scoring method for detected vulnerabilities. To have an overall CVSS, use the following query:

sourcetype="tenable:sc:vuln" ip=* |stats mean(baseScore) as base | eval base = round(base,2)

1	sourcetype="tenable:sc:vuln" ip=* \|stats mean(baseScore) as base \| eval base = round(base,2)

Continue Reading →

Current Vulnerability Summary by Severity (tenable)

Having Tenable Security Center connected via the splunk plugin, this search gives an overview of all vulnerabilties, summarized by severity.

sourcetype="tenable:sc:vuln" severity.name=* | chart count over severity.name by ip

1	sourcetype="tenable:sc:vuln" severity.name=* \| chart count over severity.name by ip

Add the following to your dashboard source to add consistent colors to the pie chart: <option name=”charting.fieldColors”>{“Critical”:0x800000,”High”:0xFF0000,”Medium”:0xFFA500,”Low”:0x008000,”Info”:0x0000FF}</option>

Continue Reading →

Sourcetype: Tenable