The vulnerabilities input uses the sourcetype otbase:vulns. The source is set to "OTbase:" followed by the hostname or IP address of the host where OTbase Inventory is installed.
The vulnerabilities input generates one event per vulnerability per device each time vulnerability data is collected. For example, if you select 24-hour updates for 1000 devices, each of which has 500 vulnerabilities, you will see 500,000 events every 24 hours.
Vulnerability data field names are chosen for compatibility with Splunk Enterprise Security. In addition to the standard fields, you will also find the "priority" field from OTbase, which is populated from the CVSS severity by default but can be adjusted to different values in OTbase Inventory.
Note to Splunk users: there is no need to explicitly start a vulnerability "scan" in OTbase. Vulnerability data is downloaded automatically from NIST and matched against the asset configuration (hardware and software product configuration, taking any installed security patches into account).
Since the vulnerability data is CIM compliant, you can also view and process it in the Splunk Vulnerability Center.
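As an added example (not from the OTbase documentation), the following SPL search counts open vulnerabilities per device by OTbase priority. Because every collection cycle re-emits each vulnerability, a search window longer than the update interval contains the same device/CVE pair more than once, so the search keeps only the most recent event per pair before counting. The dest and cve field names are assumed to be the standard CIM Vulnerabilities fields; the page itself names only the priority field.

```spl
sourcetype=otbase:vulns source="OTbase:*" earliest=-24h
| dedup dest cve sortby -_time
| stats count AS open_vulns BY dest priority
| sort - open_vulns
```

If the update interval is longer than 24 hours, widen earliest accordingly, otherwise the latest cycle may fall outside the window and devices will appear to have no vulnerabilities.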