Is it possible to use a decision matrix in Splunk?

Communicator

Hello,

We export data from our vulnerability management tool to Splunk and we’d like to evaluate the initial severity score by using some additional information, like:
- Asset criticality (critical or not)
- Existing exploits for the vulnerability (exists or not)
- Etc.

In my point of view, the best way to do it would be a decision matrix, something like this:

SEVERITY | CRITICAL_ASSET | KNOWN_EXPLOIT | NEW_SEVERITY
Critical | True           | True          | Critical
Critical | True           | False         | High
Critical | False          | False         | Medium
High     | True           | True          | High
Etc.

Of course we can use an eval command instead of a matrix, but I think it’s not the best way to do it, and also not the easiest one, especially if we add more conditions like exposure level, volume of stored data, etc.

Also I thought about replacing the text values with numbers (critical=5, high=4, etc.) and simply deducting a point for every ‘False’, but it doesn’t look like a good idea either, because in some cases we prefer to maintain the same severity level even for ‘False’ values (for example, keep the same vulnerability level for exposed assets).

Do you have any idea how this decision matrix could be realized? Or maybe you have a better idea?

Thanks for the help.

Regards,
Alex.

SplunkTrust

You can accomplish that using lookups where you input SEVERITY, CRITICAL_ASSET and KNOWN_EXPLOIT and output NEW_SEVERITY. But you need to make sure that SEVERITY, CRITICAL_ASSET and KNOWN_EXPLOIT exist in your data.

Splunk Enterprise Security actually uses something close to that for assigning urgency to notables:
http://docs.splunk.com/Documentation/ES/5.1.0/User/Howurgencyisassigned

------------
Hope I was able to help you. If so, an upvote would be appreciated.

Communicator

Hello @diogofgm,
Thanks for your answer.

Well, that’s exactly what I’m asking myself: how could this be realized? I can create this lookup table, but how will it correlate with the events?

Let’s say, a vulnerability tool event has the following fields:

NAME
SEVERITY
KNOWN_EXPLOIT
CRITICAL_ASSET (added automatically via asset center)

Besides that, I have my lookup and… unfortunately I have no idea how I can make them communicate with each other.

Regards,
Alex.

SplunkTrust

Create the lookup just like you mapped it in your question and then follow the docs.
http://docs.splunk.com/Documentation/Splunk/7.1.2/Knowledge/Usefieldlookupstoaddinformationtoyoureve...
Particularly the section "Make the lookup automatic".
In your case, like I stated before, you’ll have to define the 3 input fields and the 1 output field.

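A concrete way to wire the matrix from the question into Splunk, added here as an example that is not part of either answer: the CSV lookup, the transforms.conf and props.conf stanzas that make it automatic, and the ad-hoc search form with a fallback for combinations the matrix does not cover. The sourcetype name vuln:scanner, the lookup name and the matrix rows beyond the question's table are assumptions.

```ini
# vuln_severity_matrix.csv -- one row per input combination (rows beyond the
# question's table are constructed). To keep the same severity even for a
# "False", simply write NEW_SEVERITY equal to SEVERITY in that row.
SEVERITY,CRITICAL_ASSET,KNOWN_EXPLOIT,NEW_SEVERITY
Critical,True,True,Critical
Critical,True,False,High
Critical,False,True,High
Critical,False,False,Medium
High,True,True,High
High,True,False,Medium
High,False,True,Medium
High,False,False,Low

# transforms.conf -- register the CSV as a lookup table (stanza name assumed)
[vuln_severity_matrix]
filename = vuln_severity_matrix.csv
case_sensitive_match = false

# props.conf -- automatic lookup on the scanner sourcetype (name assumed).
# The three fields left of OUTPUT must exist in the events with exactly the
# values used in the CSV (True/False); normalise them first if the scanner
# emits 1/0 or yes/no, otherwise no row matches and NEW_SEVERITY stays empty.
[vuln:scanner]
LOOKUP-new_severity = vuln_severity_matrix SEVERITY CRITICAL_ASSET KNOWN_EXPLOIT OUTPUT NEW_SEVERITY

# Ad-hoc equivalent in SPL, shown here as comments. The final eval falls back
# to the original SEVERITY for any combination missing from the matrix, so an
# incomplete matrix never silently drops a finding's severity.
#   sourcetype="vuln:scanner"
#   | eval KNOWN_EXPLOIT=if(match(KNOWN_EXPLOIT, "(?i)^(1|yes|true)$"), "True", "False")
#   | lookup vuln_severity_matrix SEVERITY CRITICAL_ASSET KNOWN_EXPLOIT OUTPUT NEW_SEVERITY
#   | eval NEW_SEVERITY=coalesce(NEW_SEVERITY, SEVERITY)
```

Run `| inputlookup vuln_severity_matrix` to check the table was loaded, and check `| stats count by SEVERITY CRITICAL_ASSET KNOWN_EXPLOIT NEW_SEVERITY` for rows where NEW_SEVERITY is empty to find combinations still missing from the matrix.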