topic Why am I having this issue Parsing Vulnerability Data? in Splunk Search

Why am I having this issue Parsing Vulnerability Data?

qcjacobo2577 — Fri, 16 Dec 2022 19:43:27 GMT

Community,

I am attempting to retrieve events in Splunk regarding Tenable vulnerability data. The goals are as follows:

Obtain the most recent information for a given vulnerability ID and device pair.
Filter out any vulnerabilities that have a "severity" equal to "informational"

AND/OR

Filter out any vulnerabilities that have a state of "fixed"

The issue I have encountered, is that the "fixed" vulnerability may be the most recent status. So, simply filtering that value out for a specific vulnerability ID and device combination will result in that vulnerability ID for that device showing up in the result set. (even though the vulnerability has been "fixed" in this case) --- don't want IT chasing "fixed" vulnerabilities.

In reality what I want to see is the most recent vulnerability for a given device if the severity is not equal to "fixed" and/or the vulnerability severity is not "informational" (the reason behind this is that some vulnerability severities are reduced over time due to various conditions --- where they may have started out as "high" are now "informational" or vice versa) --- otherwise do not list that device and vulnerability ID pair at all in my result set.

Here is how far I have gotten to date:

`get_tenable_index` sourcetype="tenable:io:vuln" [ search index="tenable" sourcetype="tenable:io:assets" deleted_at="null" | rename uuid AS asset_uuid | stats count by asset_uuid | fields asset_uuid ] | rename plugin.id AS Plugin_ID asset_uuid AS Asset_ID | strcat Asset_ID : Plugin_ID Custom_ID | stats latest(*) as * by Custom_ID << The problem here is that the latest might be "fixed" or "informational" which in this case I want to ignore (if either of those is true). | rename plugin.cvss_base_score AS CVSS plugin.synopsis AS Description plugin.name AS Name plugin.cve{} AS CVE output AS Output severity AS Risk plugin.see_also{} AS See_Also plugin.solution AS Solution state AS State plugin.has_patch AS Patchable plugin.exploit_available AS Exploitable plugin.exploited_by_malware AS Exploited_By_Malware plugin.publication_date AS Plugin_Publish_Date | table Custom_ID, CVSS, Description, Name, CVE, Plugin_ID, Output, Risk, See_Also, Solution, State, Asset_ID, Patchable, Exploitable, Exploited_By_Malware, Plugin_Publish_Date tags{}.value

Re: Why am I having this issue Parsing Vulnerability Data?

richgalloway — Fri, 16 Dec 2022 20:03:47 GMT

After you get the latest values for each asset (I prefer to use dedup), filter out those with severity of fixed or informational. Then you will have discarded all events for that asset so they won't distract IT.

`get_tenable_index` sourcetype="tenable:io:vuln" [ search index="tenable" sourcetype="tenable:io:assets" deleted_at="null" | rename uuid AS asset_uuid | stats count by asset_uuid | fields asset_uuid ] | rename plugin.id AS Plugin_ID asset_uuid AS Asset_ID | strcat Asset_ID : Plugin_ID Custom_ID | stats latest(*) as * by Custom_ID | search NOT severity IN (fixed informational) | rename plugin.cvss_base_score AS CVSS plugin.synopsis AS Description plugin.name AS Name plugin.cve{} AS CVE output AS Output severity AS Risk plugin.see_also{} AS See_Also plugin.solution AS Solution state AS State plugin.has_patch AS Patchable plugin.exploit_available AS Exploitable plugin.exploited_by_malware AS Exploited_By_Malware plugin.publication_date AS Plugin_Publish_Date | table Custom_ID, CVSS, Description, Name, CVE, Plugin_ID, Output, Risk, See_Also, Solution, State, Asset_ID, Patchable, Exploitable, Exploited_By_Malware, Plugin_Publish_Date tags{}.value

Re: Why am I having this issue Parsing Vulnerability Data?

qcjacobo2577 — Fri, 16 Dec 2022 21:33:36 GMT

Seems to be working so far, so thank you for the help!

One last question and we can wrap this up.

`get_tenable_index` sourcetype="tenable:io:vuln" [ search index="tenable" sourcetype="tenable:io:assets" deleted_at="null" | rename uuid AS asset_uuid netbios_name AS Netbios_Name | stats count by asset_uuid | fields asset_uuid ] | rename plugin.id AS Plugin_ID asset_uuid AS Asset_ID port AS Network_Port | strcat Asset_ID : Plugin_ID : Network_Port Custom_ID | stats latest(*) as * by Custom_ID | search state!=fixed | search severity!=informational | rename plugin.cvss_base_score AS CVSS plugin.synopsis AS Description plugin.name AS Name plugin.cve{} AS CVE output AS Output severity AS Risk plugin.see_also{} AS See_Also plugin.solution AS Solution state AS State plugin.has_patch AS Patchable plugin.exploit_available AS Exploitable plugin.exploited_by_malware AS Exploited_By_Malware plugin.publication_date AS Plugin_Publish_Date synopsis AS Synopsis first_found AS First_Found | table CVSS, Description, Name, Plugin_ID, Output, Risk, See_Also, Solution, Synopsis, State, Asset_ID, First_Found

How do I pull in a field value from a subsearch into the last table command? I included the field "netbios" into the example above. That data is not returned in the main search.

Thank you in advance!

Re: Why am I having this issue Parsing Vulnerability Data?

richgalloway — Fri, 16 Dec 2022 22:06:44 GMT

It's not possible for the main search to access fields not returned by the subsearch. You would need to run the subsearch again as part of the main search or (maybe) have the subsearch save the desired field(s) in a lookup file.

Re: Why am I having this issue Parsing Vulnerability Data?

qcjacobo2577 — Fri, 16 Dec 2022 23:24:49 GMT

@richgalloway I think the below is as close as I will get for now. I can forgo the "Netbios" since I have the DNS name in my vuln data as well as the IP. It would be a nice to have in the future, but not a deal breaker.

`get_tenable_index` sourcetype="tenable:io:vuln" [ search index="tenable" sourcetype="tenable:io:assets" deleted_at="null" | rename uuid AS asset_uuid | stats count by asset_uuid | fields asset_uuid ] | rename plugin.id AS Plugin_ID asset_uuid AS Asset_ID port AS Network_Port | strcat Asset_ID : Plugin_ID : Network_Port Custom_ID_1 | strcat Asset_ID : Plugin_ID Custom_ID_2 | stats latest(*) as * by Custom_ID_1 | search state!="fixed" | search severity!="informational" | eval unixtime=strptime(first_found,"%Y-%m-%dT%H:%M:%S") | eval mydate=strftime(unixtime,"%Y-%m-%d") | rename plugin.cvss_base_score AS CVSS plugin.synopsis AS Description dns_name AS DNS_Name ip AS IP_Address plugin.name AS Name plugin.cve{} AS CVE output AS Output severity AS Risk plugin.see_also{} AS See_Also plugin.solution AS Solution state AS State plugin.publication_date AS Plugin_Publish_Date mydate AS First_Found | table Custom_ID_2, CVSS, Description, DNS_Name, IP_Address, Name, CVE, Plugin_ID, Output, Risk, See_Also, Solution, State, Asset_ID, First_Found