We export data from our vulnerability management tool to Splunk and we'd like to evaluate the initial severity score using some additional information, like:
- Asset criticality (critical or not)
- Known exploits for the vulnerability (exist or not)
From my point of view, the best way to do it would be a decision matrix, something like this:
SEVERITY | CRITICAL_ASSET | KNOWN_EXPLOIT | NEW_SEVERITY
Critical | True           | True          | Critical
Critical | True           | False         | High
Critical | False          | False         | Medium
High     | True           | True          | High
Etc.
Of course we can use an eval command instead of a matrix, but I think it's not the best way to do it, and also not the easiest one, especially if we add more conditions like exposure level, volume of stored data, etc.
I also thought about replacing the text values with numbers (critical=5, high=4, etc.) and simply deducting a point for every 'False', but that doesn't look like a good idea either, because in some cases we prefer to keep the same severity level even for 'False' values (for example, keeping the same vulnerability level for exposed assets).
Do you have any idea how this decision matrix could be implemented? Or do you maybe have a better idea?
Thanks for the help.
You can accomplish that using a lookup where you input SEVERITY, CRITICAL_ASSET and KNOWN_EXPLOIT and output NEW_SEVERITY. But you need to make sure that SEVERITY, CRITICAL_ASSET and KNOWN_EXPLOIT exist in your data.
Splunk Enterprise Security actually uses something close to that for assigning urgency to notables.
Thanks for your answer.
Well, that's exactly what I'm asking myself: how could this be implemented? I can create this lookup table, but how will it correlate with the events?
Let’s say, a vulnerability tool event has the following fields:
NAME, SEVERITY, KNOWN_EXPLOIT, CRITICAL_ASSET (added automatically via Asset Center)
Besides that I have my lookup and... unfortunately I have no idea how to make them communicate with each other.
Create the lookup just like you mapped it in your question and then follow the docs.
Particularly the section "Make the lookup automatic"
In your case, like I stated before, you'll have to define the 3 input fields and the 1 output field.
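The steps above (create the lookup, define it, make it automatic), as an added example that is not code from the thread or from Splunk: a POSIX shell script that lays out a small Splunk app directory with the matrix CSV, the transforms.conf lookup definition and the props.conf automatic lookup, plus an ad-hoc search to validate it. The app directory, the sourcetype name `vuln_scanner`, the stanza name `severity_matrix` and every matrix row after the four given in the question (including the `*` "don't care" rows) are assumptions for illustration. The `resolve_severity` helper is an offline approximation of the lookup's first-match behaviour, not Splunk itself.

```shell
#!/bin/sh
# Added example, not from the original thread: lay out a small Splunk app
# that carries the decision-matrix lookup and the automatic-lookup config.
# Assumptions: the app directory, the sourcetype "vuln_scanner", and the
# wildcard rows below (the thread only gives the first four rows).
set -eu

# build_severity_app <app_dir>
# Writes lookups/severity_matrix.csv, local/transforms.conf and local/props.conf
# under <app_dir> (in practice $SPLUNK_HOME/etc/apps/<app>).
build_severity_app() {
    app_dir="$1"
    mkdir -p "$app_dir/lookups" "$app_dir/local"

    # The matrix. Row order matters: with max_matches = 1 the first matching
    # row wins, so put exact rows before the "don't care" wildcard rows.
    cat > "$app_dir/lookups/severity_matrix.csv" <<'EOF'
SEVERITY,CRITICAL_ASSET,KNOWN_EXPLOIT,NEW_SEVERITY
Critical,True,True,Critical
Critical,True,False,High
Critical,False,True,High
Critical,False,False,Medium
High,True,True,High
High,True,False,Medium
High,False,*,Medium
Medium,True,True,Medium
Medium,*,*,Low
Low,*,*,Low
EOF

    # Lookup definition: WILDCARD() lets a * cell match any value,
    # case_sensitive_match = false tolerates True/TRUE/true from the export,
    # max_matches = 1 returns one NEW_SEVERITY instead of a multivalue field.
    cat > "$app_dir/local/transforms.conf" <<'EOF'
[severity_matrix]
filename = severity_matrix.csv
match_type = WILDCARD(SEVERITY), WILDCARD(CRITICAL_ASSET), WILDCARD(KNOWN_EXPLOIT)
case_sensitive_match = false
max_matches = 1
EOF

    # Automatic lookup: the three event fields go in, NEW_SEVERITY comes out
    # on every event of the sourcetype, with no | lookup in the search.
    cat > "$app_dir/local/props.conf" <<'EOF'
[vuln_scanner]
LOOKUP-severity_matrix = severity_matrix SEVERITY CRITICAL_ASSET KNOWN_EXPLOIT OUTPUT NEW_SEVERITY
EOF
}

# resolve_severity <csv> <severity> <critical_asset> <known_exploit>
# Offline check of the matrix with the semantics the lookup is configured for
# (first match wins, bare * is a wildcard, case-insensitive). Prints
# NEW_SEVERITY, or nothing when no row matches. Only a bare * is handled here;
# Splunk's WILDCARD() also accepts patterns such as Crit*.
resolve_severity() {
    awk -F, -v s="$2" -v c="$3" -v k="$4" '
        function m(cell, v) { return cell == "*" || tolower(cell) == tolower(v) }
        NR > 1 && m($1, s) && m($2, c) && m($3, k) { print $4; exit }
    ' "$1"
}

# Ad-hoc search to validate the matrix before relying on the automatic lookup.
# The coalesce keeps the scanner's own severity for combinations the matrix
# does not cover (the lookup leaves NEW_SEVERITY empty for those).
adhoc_search() {
    cat <<'EOF'
sourcetype=vuln_scanner
| lookup severity_matrix SEVERITY CRITICAL_ASSET KNOWN_EXPLOIT OUTPUT NEW_SEVERITY
| eval NEW_SEVERITY=coalesce(NEW_SEVERITY, SEVERITY)
| stats count by SEVERITY CRITICAL_ASSET KNOWN_EXPLOIT NEW_SEVERITY
EOF
}

if [ "$#" -gt 0 ]; then
    build_severity_app "$1"
    resolve_severity "$1/lookups/severity_matrix.csv" Critical True False   # prints High
    adhoc_search
fi
```

Run the ad-hoc search first: it fails in the same way the automatic lookup will if any of the three input fields is missing on the event, and the `stats` output shows at a glance which combinations the matrix maps to what. Since CRITICAL_ASSET is itself produced by the Asset Center lookup, confirm it is populated on the events before expecting NEW_SEVERITY from this one, and make sure the lookup definition is shared at app or global level so the automatic lookup can see it. New conditions (exposure level, data volume) become additional columns in the CSV, additional WILDCARD() entries in transforms.conf and additional input fields on the LOOKUP- line, with no change to any eval.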