Splunk Enterprise Security

Filtering non-compliant Machines from forescout logs

DSIre
New Member

We have events feeding into Splunk from ForeScout logs (no ForeScout app), and I would like to filter them so that only machines currently non-compliant are shown in a search at the end of each month.

There was a similar question asked:
regex-help-in-filtering-machines-that-were-not-com

but their field setup is different. We have a Compliant field which is either Yes or No, and a Policy field which states which Policy the host is non-compliant with; there are 4 different Policies (Anti-Virus Compliance, SCCM Compliance, DLP Compliance, Safety Compliance). Over the course of a month a host may show as non-compliant with multiple Policies (Compliant = No for multiple Policies) and also have some of these remediated over the month (Compliant = Yes for any one or more of the Policies). So in the final report we will have to see only the non-compliant machines listed as below, including all the Policies it is still non-compliant with.
e.g.:

IP           Machine  Non Compliant Policy    User
10.10.10.10  HostA    Anti-Virus Compliance   DSMITH
                      DLP Compliance

The solution of the previous question applied to our situation:

index=forescout (Group = "Windows Machine" OR Group = "Windows Workstations" OR Group = "Windows Laptops") (Policy = "Anti-Virus Compliance" OR Policy = "SCCM Compliance" OR Policy = "DLP Compliance" OR Policy = "Safety Compliance") earliest=-30d@d
| fields Machine Compliant
| eval statusValue = if(match(Compliant, "No"), 0, 1)
| stats sum(statusValue) as statusValue by Machine
| search statusValue = 0
| table Machine

This gives us the Machine name output if it was last seen as Compliant = No, but it could be non-compliant for multiple Policies, so it does not give the list or details we need.

Also 🙂
We are trying to use a lookup to pull in city, host_serial_nbr, os_name going by the Machine field (nt_host field in the csv).

I had used this in a previous search and it worked fine.

|eval nt_host = Machine | lookup assets.csv nt_host OUTPUT city host_serial_nbr os_name | table IP, nt_host, User, Status, city, host_serial_nbr, os_name

Any help would be great!

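An added SPL search (not from the thread or the earlier question) for the report described above: it keeps only the newest event per Machine/Policy pair, so a later Compliant = Yes supersedes an earlier No, filters to the pairs whose latest state is No, joins the assets.csv lookup from the post, and then collapses back to one row per machine with every outstanding policy listed. The Group, Policy, Compliant, IP, User and Machine field names are taken from the post; the last_seen column is an added assumption.

```spl
index=forescout earliest=-30d@d
    (Group="Windows Machine" OR Group="Windows Workstations" OR Group="Windows Laptops")
    (Policy="Anti-Virus Compliance" OR Policy="SCCM Compliance" OR Policy="DLP Compliance" OR Policy="Safety Compliance")
| stats latest(Compliant) as Compliant latest(IP) as IP latest(User) as User max(_time) as last_seen by Machine Policy
| where Compliant="No"
| eval nt_host=Machine
| lookup assets.csv nt_host OUTPUT city host_serial_nbr os_name
| stats values(Policy) as "Non Compliant Policy" latest(IP) as IP latest(User) as User max(last_seen) as last_seen values(city) as city values(host_serial_nbr) as host_serial_nbr values(os_name) as os_name by Machine
| convert ctime(last_seen)
| table IP Machine "Non Compliant Policy" User last_seen city host_serial_nbr os_name
```

The Compliant="No" comparison is case-sensitive, so use where lower(Compliant)="no" if the source mixes case. A host with no ForeScout event inside the 30-day window never reaches the first stats and is silently dropped, so a machine last reported non-compliant before the window will not appear.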