2 Replies Latest reply on Jan 6, 2015 9:10 AM by julienb

    Custom ASP for Tenable PVS (Passive Vulnerability Scanner)


      Dear Community,


      I have created a custom parsing rule to handle SYSLOG events sent by Tenable PVS sensors.

      This is a very basic parsing rule, as only the first CEF fields are mapped to the SIEM fields - but it should be enough to catch the interesting stuff (see PVS Syslog format | Tenable Discussions Forum for details).


As this is not a supported data source, you first need to configure it as:

      • Data source: GENERIC
      • Data source model: Advanced Syslog Parser
      • Data format: Default
      • Data retrieval: Syslog


Then, create custom types (you could use a default one instead, but then you'll need to change the mapping accordingly):

1. PVS_PluginID, integer, #1
      2. PVS_PluginName, string, #2
      3. PVS_EventDetails, random string, #3


      Then import and apply the attached parsing rule to the data source (I removed the aggregation to prevent information loss on my side).

      I also attached a sample dashboard with the main Plugin Names.


      Have a great day!
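To make the mapping concrete, here is an added example (not the attached parsing rule, and not Tenable's or McAfee's code) that does in Python what the ASP rule above does inside the SIEM: it locates the CEF record in a syslog line, splits the CEF header on unescaped pipes, and fills the three custom types from the post (PVS_PluginID from the CEF Signature ID, PVS_PluginName from the CEF Name, PVS_EventDetails from the extension). The sample lines and the assumption that PVS places the plugin ID and plugin name in those CEF header positions are constructed for this illustration; check them against a real PVS event before reusing the mapping.

```python
"""Parse Tenable PVS CEF-over-syslog lines into the three custom fields from
the post (PVS_PluginID, PVS_PluginName, PVS_EventDetails).

Added example.  The sample lines and the exact PVS header layout are
constructed assumptions, not captured sensor output."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample lines (ASSUMED layout, not real PVS output):
# syslog PRI + timestamp + host + tag, then a standard CEF record
# CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|Extension
SAMPLE_LINES = [
    "<14>Jan  6 09:10:00 pvs-sensor pvs: CEF:0|Tenable|PVS|4.0|1442|SSL Certificate Expiry|2|"
    "src=10.0.0.5 dst=10.0.0.9 dpt=443 proto=TCP msg=Certificate expires in 10 days",
    # CEF escapes a literal pipe inside a header field as "\|"
    "<14>Jan  6 09:10:01 pvs-sensor pvs: CEF:0|Tenable|PVS|4.0|7|Service Detection \\| Banner|1|"
    "src=10.0.0.5 dpt=22 msg=SSH banner seen",
    "<14>Jan  6 09:10:02 pvs-sensor pvs: heartbeat ok",  # no CEF record at all
]


@dataclass
class PvsEvent:
    plugin_id: int                      # PVS_PluginID   (custom type #1, integer)
    plugin_name: str                    # PVS_PluginName (custom type #2, string)
    event_details: str                  # PVS_EventDetails (custom type #3, raw extension)
    severity: str                       # CEF Severity, kept as the sensor sent it
    extension: Dict[str, str] = field(default_factory=dict)


def _split_header(body: str, count: int = 7) -> Tuple[List[str], str]:
    """Split the CEF header on unescaped '|'; honours the CEF escapes '\\|' and '\\\\'.

    Returns the first `count` header fields and the remaining text (the extension)."""
    fields: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(body) and len(fields) < count:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):   # escaped character: take it literally
            cur.append(body[i + 1])
            i += 2
            continue
        if ch == "|":                          # unescaped field separator
            fields.append("".join(cur))
            cur = []
            i += 1
            continue
        cur.append(ch)
        i += 1
    if len(fields) < count:
        raise ValueError("truncated CEF header")
    return fields, body[i:]


# A new key starts at whitespace followed by "name=", so values may contain spaces.
_KV_SPLIT = re.compile(r"\s+(?=[A-Za-z0-9_.]+=)")


def _parse_extension(ext: str) -> Dict[str, str]:
    """Turn the CEF extension ('k=v k=v ...') into a dict, unescaping '\\=' and '\\\\'."""
    out: Dict[str, str] = {}
    for token in _KV_SPLIT.split(ext.strip()):
        if "=" in token:
            key, value = token.split("=", 1)
            out[key] = value.replace("\\=", "=").replace("\\\\", "\\")
    return out


def parse_pvs_syslog(line: str) -> Optional[PvsEvent]:
    """Return a PvsEvent for a CEF line, or None when the line carries no usable record."""
    idx = line.find("CEF:")
    if idx < 0:
        return None
    try:
        hdr, ext = _split_header(line[idx:])
    except ValueError:
        return None
    # hdr = [CEF:0, vendor, product, version, signature id, name, severity]
    try:
        plugin_id = int(hdr[4])            # custom type #1 is an integer, so reject junk here
    except ValueError:
        return None
    return PvsEvent(plugin_id=plugin_id, plugin_name=hdr[5], event_details=ext.strip(),
                    severity=hdr[6], extension=_parse_extension(ext))


def parse_all(lines: List[str]) -> List[PvsEvent]:
    """Parse a batch of syslog lines, silently dropping non-CEF lines."""
    return [ev for ev in (parse_pvs_syslog(ln) for ln in lines) if ev is not None]


if __name__ == "__main__":
    for ev in parse_all(SAMPLE_LINES):
        print(ev.plugin_id, ev.plugin_name, ev.severity, ev.extension.get("msg"))
```

The two things worth noting for anyone writing the ASP rule by hand are the escape handling (a plugin name containing a pipe would otherwise shift every later field) and the integer check on the Signature ID, which is what makes custom type #1 safe to declare as an integer.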