
Enable Additional Fields in Splunk KB Lookup

Question asked by Malcolm Wilson on Feb 27, 2018
Latest reply on Mar 7, 2018 by Prabhas Gupte

Hello,

I'm trying to enable the following fields in the Qualys KB Lookup in Splunk:

  • DIAGNOSIS
  • CONSEQUENCE
  • SOLUTION

I found the following lines in $SplunkHome/etc/apps/TA-QualysCloudPlatform/bin/qualysModule/splunkpopulator/kbpopulator.py:

# extra fields to log with QID, by default QID_INFO and SEVERITY are already included

#QID_EXTRA_FIELDS_TO_LOG = ["VULN_TYPE", "PATCHABLE", "PCI_FLAG", "TITLE", "CATEGORY", "DIAGNOSIS", "CONSEQUENCE", "SOLUTION", "PUBLISHED_DATETIME"]
QID_EXTRA_FIELDS_TO_LOG = ["VULN_TYPE", "PATCHABLE", "PCI_FLAG", "TITLE", "CATEGORY", "PUBLISHED_DATETIME"]

Other than switching out the commented lines, are there any other configurations that need to be done to import these fields?

Thanks!
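To make the mechanism behind that setting concrete, here is an added example that is not part of the original post and not the TA's own code. It is a constructed stand-in for a KB populator: the field names are the ones quoted from kbpopulator.py above, while the function names, the sample KB entries and the CSV layout are assumptions. It shows two things a practitioner would want to check after changing QID_EXTRA_FIELDS_TO_LOG: the new columns only exist in a lookup file that was generated with the new list (an older file keeps its old header until the KB is pulled again), and DIAGNOSIS, CONSEQUENCE and SOLUTION are long free-text fields that can contain commas, quotes and line breaks, so the lookup has to be written with proper CSV quoting rather than plain string joins.

```python
import csv
import io

# Default list as quoted in the question, and the extended list from the
# commented-out line (same order). Field names come from the page.
DEFAULT_EXTRA_FIELDS = ["VULN_TYPE", "PATCHABLE", "PCI_FLAG", "TITLE",
                        "CATEGORY", "PUBLISHED_DATETIME"]
EXTENDED_EXTRA_FIELDS = (DEFAULT_EXTRA_FIELDS[:5]
                         + ["DIAGNOSIS", "CONSEQUENCE", "SOLUTION"]
                         + DEFAULT_EXTRA_FIELDS[5:])

# Constructed sample KB entries (not real Qualys data). The long text fields
# deliberately contain a comma, a quote and a line break, because the real
# DIAGNOSIS/CONSEQUENCE/SOLUTION values are HTML and routinely do.
SAMPLE_KB = [
    {"QID": "100001", "SEVERITY": "3", "VULN_TYPE": "Vulnerability",
     "PATCHABLE": "1", "PCI_FLAG": "1", "TITLE": "Example Service Weakness",
     "CATEGORY": "General remote services",
     "PUBLISHED_DATETIME": "2018-01-01T00:00:00Z",
     "DIAGNOSIS": "<P>Constructed text, with a comma.</P>",
     "CONSEQUENCE": 'Constructed "quoted" consequence',
     "SOLUTION": "Line one\nLine two"},
    # Second entry has none of the three optional fields at all.
    {"QID": "100002", "SEVERITY": "2", "VULN_TYPE": "Potential Vulnerability",
     "PATCHABLE": "0", "PCI_FLAG": "0", "TITLE": "Example Second Entry",
     "CATEGORY": "Web server", "PUBLISHED_DATETIME": "2018-02-01T00:00:00Z"},
]


def lookup_header(extra_fields):
    """QID and SEVERITY are always present; the configured extras follow."""
    return ["QID", "SEVERITY"] + list(extra_fields)


def build_lookup_csv(kb_entries, extra_fields):
    """Render KB entries as a CSV lookup, one row per QID.

    Fields not in the header are dropped (extrasaction="ignore"), missing
    optional fields become empty cells (restval=""), and QUOTE_ALL keeps
    embedded commas, quotes and newlines inside their cell.
    """
    header = lookup_header(extra_fields)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=header, quoting=csv.QUOTE_ALL,
                            extrasaction="ignore", restval="")
    writer.writeheader()
    for entry in kb_entries:
        writer.writerow(entry)
    return buf.getvalue()


def parse_lookup_csv(text):
    """Read a generated lookup back as a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def header_matches(existing_csv, extra_fields):
    """True if an already-generated lookup carries exactly the expected columns.

    After editing QID_EXTRA_FIELDS_TO_LOG, a lookup file written with the old
    list still has the old header; this check makes that mismatch visible.
    """
    first_line = existing_csv.splitlines()[0] if existing_csv else ""
    return next(csv.reader([first_line]), []) == lookup_header(extra_fields)


if __name__ == "__main__":
    old_file = build_lookup_csv(SAMPLE_KB, DEFAULT_EXTRA_FIELDS)
    new_file = build_lookup_csv(SAMPLE_KB, EXTENDED_EXTRA_FIELDS)
    print("old header has DIAGNOSIS:", "DIAGNOSIS" in parse_lookup_csv(old_file)[0])
    print("old file matches new field list:", header_matches(old_file, EXTENDED_EXTRA_FIELDS))
    print("SOLUTION round-trips with newline:",
          parse_lookup_csv(new_file)[0]["SOLUTION"] == "Line one\nLine two")
```

Running it shows the old-style file lacks the three columns and fails the header check against the extended list, while the regenerated file carries them with the multi-line SOLUTION intact.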
