Fixing KBX input in Splunk TA after QWEB (VM/PC) 8.16 deployment

Document created by Jeff Leggett (Employee) on Dec 21, 2018. Last modified by Robert Dell'Immagine on Dec 27, 2018.
Version 2

We inadvertently caused a bug in processing the Knowledge Base lookup table with the new parameters in the KBX API introduced in 8.16 (see the Qualys Cloud Platform 8.16 (VM/PC) API notification 2 for details of the new KBX API).

We will get out a more permanent fix in the TA itself ASAP, but in the meantime, to fix this you can do the following:

Solution

  1. Make a backup of the file kbpopulator.py.
  2. Add VECTOR_STRING as CVSS_VECTOR_STRING to the CSV_HEADER_COLUMNS list:

CSV_HEADER_COLUMNS = ["QID", "SEVERITY"] + QID_EXTRA_FIELDS_TO_LOG + ["CVSS_BASE", "CVSS_TEMPORAL", "CVSS_VECTOR_STRING", "CVE", "VENDOR_REFERENCE"]

Explanation

The payload from XML looks like this:

We normally get the BASE and TEMPORAL fields.
We parse them using the code below in kbpopulator.py to extract all the available fields.
So normally it gets only the BASE and TEMPORAL fields, because those are the ones named in the CSV_HEADER_COLUMNS list:

CSV_HEADER_COLUMNS = ["QID", "SEVERITY"] + QID_EXTRA_FIELDS_TO_LOG + ["CVSS_BASE", "CVSS_TEMPORAL", "CVE", "VENDOR_REFERENCE"]

 

When CVSS_VECTOR_STRING is added to the CSV_HEADER_COLUMNS list, that field is parsed and written to the lookup as well.
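To show how the header list decides which KBX fields reach the lookup CSV, here is a small added reconstruction of the mechanism described above. It is example code written for this page, not the TA's own kbpopulator.py: the XML sample is constructed (element names BASE, TEMPORAL and VECTOR_STRING under CVSS follow the field names the page mentions; the rest of the record layout and the contents of QID_EXTRA_FIELDS_TO_LOG are assumptions). It builds the lookup twice, once with the old header list and once with the fixed one, so you can verify that the vector string only appears after CVSS_VECTOR_STRING is added.

```python
import csv
import io
import xml.etree.ElementTree as ET

# Constructed sample resembling one KBX VULN record. Not captured from a real
# Qualys response; element names are assumptions based on the page's field names.
SAMPLE_KBX_XML = """<KNOWLEDGE_BASE_VULN_LIST_OUTPUT>
  <RESPONSE>
    <VULN_LIST>
      <VULN>
        <QID>90001</QID>
        <SEVERITY_LEVEL>4</SEVERITY_LEVEL>
        <TITLE><![CDATA[Example vulnerability title]]></TITLE>
        <CVSS>
          <BASE>9.3</BASE>
          <TEMPORAL>7.3</TEMPORAL>
          <VECTOR_STRING>AV:N/AC:M/Au:N/C:C/I:C/A:C</VECTOR_STRING>
        </CVSS>
        <CVE_LIST><CVE><ID>CVE-0000-0000</ID></CVE></CVE_LIST>
        <VENDOR_REFERENCE_LIST>
          <VENDOR_REFERENCE><ID>VENDOR-REF-PLACEHOLDER</ID></VENDOR_REFERENCE>
        </VENDOR_REFERENCE_LIST>
      </VULN>
    </VULN_LIST>
  </RESPONSE>
</KNOWLEDGE_BASE_VULN_LIST_OUTPUT>"""

# Assumed contents; the TA's real QID_EXTRA_FIELDS_TO_LOG may differ.
QID_EXTRA_FIELDS_TO_LOG = ["TITLE"]

# Header list before the fix (no CVSS_VECTOR_STRING) and after it.
OLD_CSV_HEADER_COLUMNS = ["QID", "SEVERITY"] + QID_EXTRA_FIELDS_TO_LOG + [
    "CVSS_BASE", "CVSS_TEMPORAL", "CVE", "VENDOR_REFERENCE"]
NEW_CSV_HEADER_COLUMNS = ["QID", "SEVERITY"] + QID_EXTRA_FIELDS_TO_LOG + [
    "CVSS_BASE", "CVSS_TEMPORAL", "CVSS_VECTOR_STRING", "CVE", "VENDOR_REFERENCE"]


def flatten_vuln(vuln):
    """Flatten one <VULN> element into a dict keyed by lookup column name."""
    record = {
        "QID": vuln.findtext("QID", ""),
        "SEVERITY": vuln.findtext("SEVERITY_LEVEL", ""),
    }
    for name in QID_EXTRA_FIELDS_TO_LOG:
        record[name] = (vuln.findtext(name, "") or "").strip()
    # Every child of <CVSS> becomes a CVSS_<TAG> column, so VECTOR_STRING is
    # available as CVSS_VECTOR_STRING whenever the header list asks for it.
    cvss = vuln.find("CVSS")
    if cvss is not None:
        for child in cvss:
            record["CVSS_" + child.tag] = (child.text or "").strip()
    record["CVE"] = ",".join(c.findtext("ID", "") for c in vuln.iter("CVE"))
    record["VENDOR_REFERENCE"] = ",".join(
        r.findtext("ID", "") for r in vuln.iter("VENDOR_REFERENCE"))
    return record


def build_lookup_csv(xml_text, header_columns):
    """Write the lookup CSV; only columns named in header_columns survive."""
    root = ET.fromstring(xml_text)
    out = io.StringIO()
    # extrasaction="ignore" drops parsed fields that the header does not list,
    # which is exactly why the vector string was missing before the fix.
    writer = csv.DictWriter(out, fieldnames=header_columns,
                            extrasaction="ignore", restval="")
    writer.writeheader()
    for vuln in root.iter("VULN"):
        writer.writerow(flatten_vuln(vuln))
    return out.getvalue()


def lookup_rows(xml_text, header_columns):
    """Parse the generated CSV back into dicts, one per QID, for inspection."""
    return list(csv.DictReader(io.StringIO(build_lookup_csv(xml_text, header_columns))))


if __name__ == "__main__":
    print("before fix:", lookup_rows(SAMPLE_KBX_XML, OLD_CSV_HEADER_COLUMNS)[0])
    print("after fix: ", lookup_rows(SAMPLE_KBX_XML, NEW_CSV_HEADER_COLUMNS)[0])
```

Running it prints the same record twice; only the second one carries a CVSS_VECTOR_STRING column. The same check can be run against the TA's actual output: open the generated lookup CSV and confirm the header row contains CVSS_VECTOR_STRING after the edit.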

 

See Qualys solutions for Splunk.
