2 Replies Latest reply on Jan 6, 2015 9:10 AM by julienb

    Custom ASP for Tenable PVS (Passive Vulnerability Scanner)

    julienb

      Dear Community,

       

      I have created a custom parsing rule to handle SYSLOG events sent by Tenable PVS sensors.

      This is a very basic parsing rule, as only the first CEF fields are mapped to the SIEM fields - but it should be enough to catch the interesting stuff (see PVS Syslog format | Tenable Discussions Forum for details).

       

      As this is not a supported data source, you first need to configure it as:

      • Data source: GENERIC
      • Data source model: Advanced Syslog Parser
      • Data format: Default
      • Data retrieval: Syslog

       

      Then, create custom types (you could use some default ones instead, but then you'll need to change the mapping accordingly):

      1. PVS_PluginID, integer, #1
      2. PVS_PluginName, string, #2
      3. PVS_EventDetails, random string, #3

       

      Then import and apply the attached parsing rule to the data source (I removed the aggregation to prevent information loss on my side).

      I also attached a sample dashboard with the main Plugin Names.

       

      Have a great day!

      Julien
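The parsing logic the post describes, as an added stand-alone example that is not julienb's attached ASP rule or any Tenable code: it takes syslog lines, extracts the CEF header, maps Signature ID to PVS_PluginID, Name to PVS_PluginName and the raw extension string to PVS_EventDetails (the three custom types above), and counts events per plugin name the way the sample dashboard does. It assumes the generic CEF header layout (`CEF:Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|Extension`) with vendor `Tenable` and product `PVS`; the sample lines, plugin IDs and extension keys are constructed for the example, not captured PVS output.

```python
import re
from collections import Counter
from typing import Optional

# Constructed sample lines (not real PVS output). Plugin IDs, hosts and
# extension keys are made up; the header layout is the generic CEF one.
SAMPLE_LINES = [
    "<134>Jan  6 09:10:00 pvs01 CEF:0|Tenable|PVS|4.0.2|1442|Web Server Detection|2|"
    "src=10.0.0.5 dst=10.0.0.80 dpt=80 proto=tcp msg=Server banner: Apache/2.2.22",
    r"<134>Jan  6 09:10:01 pvs01 CEF:0|Tenable|PVS|4.0.2|10394|SMB \| NetBIOS Share Enumeration|3|"
    r"src=10.0.0.7 dst=10.0.0.90 dpt=445 proto=tcp",
    "<134>Jan  6 09:10:05 pvs01 pvs[1234]: connection to PVS proxy established",
    r"<134>Jan  6 09:10:09 pvs01 CEF:0|Tenable|PVS|4.0.2|1442|Web Server Detection|2|"
    r"src=10.0.0.5 dst=10.0.0.81 dpt=8080 proto=tcp msg=Header X\=Y found",
]

CEF_PREFIX = "CEF:"
# An extension key is a run of word characters followed by '=' at the start of
# the extension or after whitespace; an escaped '\=' inside a value never matches.
EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def split_cef_header(text: str) -> list:
    """Split the text after 'CEF:' on unescaped pipes.

    Returns the 7 header fields (with '\\|' and '\\\\' unescaped) followed by
    the raw extension string; fewer than 8 elements means a malformed header.
    """
    fields, buf, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):      # escaped pipe or backslash
            buf.append(text[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(buf))
            buf = []
            if len(fields) == 7:                    # rest is the extension, kept raw
                fields.append(text[i + 1:])
                return fields
        else:
            buf.append(ch)
        i += 1
    fields.append("".join(buf))
    return fields


def parse_extension(ext: str) -> dict:
    """Turn 'k1=v1 k2=v2 ...' into a dict; values may contain spaces."""
    out = {}
    keys = list(EXT_KEY.finditer(ext))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        value = ext[m.end():end].strip()
        out[m.group(1)] = value.replace("\\=", "=").replace("\\n", "\n").replace("\\\\", "\\")
    return out


def parse_pvs_event(line: str) -> Optional[dict]:
    """Map one syslog line to the SIEM fields; None if it is not a PVS CEF event."""
    pos = line.find(CEF_PREFIX)
    if pos < 0:
        return None                                 # plain daemon message, not CEF
    fields = split_cef_header(line[pos + len(CEF_PREFIX):])
    if len(fields) < 8:
        return None                                 # truncated or malformed header
    _version, vendor, product, _dev_version, sig_id, name, severity, ext = fields
    if vendor != "Tenable" or product != "PVS":     # assumed vendor/product strings
        return None
    if not sig_id.isdigit():
        return None                                 # PVS_PluginID is an integer type
    return {
        "syslog_header": line[:pos].strip(),
        "PVS_PluginID": int(sig_id),                # custom type #1
        "PVS_PluginName": name,                     # custom type #2
        "PVS_EventDetails": ext,                    # custom type #3 (raw extension)
        "severity": severity,
        "extension": parse_extension(ext),
    }


def summarize_plugins(lines) -> Counter:
    """Count events per plugin name, as the sample dashboard does."""
    counts = Counter()
    for line in lines:
        rec = parse_pvs_event(line)
        if rec is not None:
            counts[rec["PVS_PluginName"]] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_pvs_event(line))
    print(summarize_plugins(SAMPLE_LINES))
```

The extension is kept both raw (what a "random string" custom type would hold, so nothing is lost even when a plugin emits keys the rule does not know) and as a parsed dict for the src/dst/dpt fields a dashboard would filter on; lines that are not CEF or that carry a non-numeric Signature ID are dropped rather than mis-typed into the integer field.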