https://community.splunk.com/t5/Security/What-metrics-to-monitor-for-Meltdown-and-Spectre/m-p/290337#M7755 <P>depends on what you currently have with Splunk ? are you ingesting from vulnerability management tools ?</P> <P>If you have Splunk ES you could use that to look for the vunerabilities as per this article here :</P> <P><A href="https://www.linkedin.com/pulse/splunking-apache-struts-vulnerabilities-exploits-love-ken-westin/" target="_blank">https://www.linkedin.com/pulse/splunking-apache-struts-vulnerabilities-exploits-love-ken-westin/</A></P> <P>Spectre:</P> <P>CVE-2017-5753: bounds check bypass</P> <P>CVE-2017-5715: branch target injection</P> <P>Meltdown:</P> <P>CVE-2017-5754: rogue data cache load</P> <P>So something like ..</P> <P>tag=vulnerability (cve=" CVE-2017-5753" OR cve=" CVE-2017-5715" OR cve=" CVE-2017-5754") <BR /> | table src cve pluginName first_found last_found last_fixed <BR /> | dedup src <BR /> | fillnull value=NOT_FIXED last_fixed <BR /> | search last_fixed=NOT_FIXED <BR /> | stats count as total</P> Tue, 29 Sep 2020 17:31:09 GMT Esky73 2020-09-29T17:31:09Z https://community.splunk.com/t5/Security/What-metrics-to-monitor-for-Meltdown-and-Spectre/m-p/290336#M7754 <P>I realize that these are both hardware vulnerabilities but wanted to know. out of the data we are able to collect with splunk, what specific metrics would be the best to monitor as they directly correlate to Meltdown and Spectre behavior? From what I have been reading from the white papers, it's extremely difficult/ impossible to determine if this attack has been executed in your environment.</P> <P>Any insight or recommendations are greatly appreciated.</P> <P>-iKF</P> Mon, 08 Jan 2018 12:11:08 GMT https://community.splunk.com/t5/Security/What-metrics-to-monitor-for-Meltdown-and-Spectre/m-p/290336#M7754 iKickFish 2018-01-08T12:11:08Z https://community.splunk.com/t5/Security/What-metrics-to-monitor-for-Meltdown-and-Spectre/m-p/290337#M7755 <P>depends on what you currently have with Splunk ? are you ingesting from vulnerability management tools ?</P> <P>If you have Splunk ES you could use that to look for the vunerabilities as per this article here :</P> <P><A href="https://www.linkedin.com/pulse/splunking-apache-struts-vulnerabilities-exploits-love-ken-westin/" target="_blank">https://www.linkedin.com/pulse/splunking-apache-struts-vulnerabilities-exploits-love-ken-westin/</A></P> <P>Spectre:</P> <P>CVE-2017-5753: bounds check bypass</P> <P>CVE-2017-5715: branch target injection</P> <P>Meltdown:</P> <P>CVE-2017-5754: rogue data cache load</P> <P>So something like ..</P> <P>tag=vulnerability (cve=" CVE-2017-5753" OR cve=" CVE-2017-5715" OR cve=" CVE-2017-5754") <BR /> | table src cve pluginName first_found last_found last_fixed <BR /> | dedup src <BR /> | fillnull value=NOT_FIXED last_fixed <BR /> | search last_fixed=NOT_FIXED <BR /> | stats count as total</P> Tue, 29 Sep 2020 17:31:09 GMT https://community.splunk.com/t5/Security/What-metrics-to-monitor-for-Meltdown-and-Spectre/m-p/290337#M7755 Esky73 2020-09-29T17:31:09Z https://community.splunk.com/t5/Security/What-metrics-to-monitor-for-Meltdown-and-Spectre/m-p/290338#M7756 <P>Excellent, Thank you so much!</P> Tue, 09 Jan 2018 12:21:52 GMT https://community.splunk.com/t5/Security/What-metrics-to-monitor-for-Meltdown-and-Spectre/m-p/290338#M7756 iKickFish 2018-01-09T12:21:52Z