Splunk Enterprise Security

Vulnerabilities remediation over time

jlovik
Explorer

Ok, so my data is coming from a vulnerability management system. Every day I get a dump of every vulnerability in the system. Each unique vulnerability on every asset is given a UniqueAssetVulnID. That ID is specific to that vulnerability on that asset day over day. Now I would like to identify when a vulnerability has been remediated, i.e. it appeared on yesterday's scan but not on today's scan, by Category, which is just the severity. This would all be plotted on an area chart.

Sample data would be like
_time Category UniqueAssetVulnID
05/26/2020 Low 1249+cve-2020-3948
05/27/2020 High 5239+cve-2010-4533

index=rapid7 sourcetype="VulnData"
| bin _time span=1d ```one bucket per daily dump```
| stats max(_time) as last_seen by UniqueAssetVulnID Category ```last day each asset+vuln pair was reported```
| eventstats max(last_seen) as latest_scan
| where last_seen < latest_scan ```IDs still present in the newest dump are not remediated```
| eval _time = last_seen + 86400 ```remediated on the first day it is missing (assumes daily dumps)```
| timechart span=1d count as remediated by Category useother=f
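The day-over-day logic described in the post, as an added reference model that is not part of the original post or of any Splunk or Rapid7 code: each daily dump is reduced to a set of UniqueAssetVulnID values per Category, and the IDs present yesterday but absent today are counted as remediated (IDs absent yesterday but present today are counted as new, which also catches a finding that reappears after a regression). The rows in SAMPLE_ROWS are constructed, not real scan data, and the field names simply mirror the post. Running this over an export of the same daily dumps gives a ground truth to check the SPL against.

```python
"""Reference model for day-over-day vulnerability remediation counts.

Added example, not from the original post. A scan dump is modelled as
(day, category, unique_id) rows; the sample rows below are constructed.
"""
from collections import defaultdict

# Constructed sample dumps: each day lists every open vuln on every asset.
SAMPLE_ROWS = [
    ("2020-05-26", "Low",  "1249+cve-2020-3948"),
    ("2020-05-26", "High", "5239+cve-2010-4533"),
    ("2020-05-26", "High", "5239+cve-2019-0708"),
    ("2020-05-27", "Low",  "1249+cve-2020-3948"),
    ("2020-05-27", "High", "5239+cve-2019-0708"),   # 4533 is gone: remediated
    ("2020-05-27", "Crit", "7001+cve-2020-0796"),   # brand-new finding
    ("2020-05-28", "High", "5239+cve-2019-0708"),
    ("2020-05-28", "High", "5239+cve-2010-4533"),   # 4533 reappears: regression
    ("2020-05-28", "Crit", "7001+cve-2020-0796"),   # Low 3948 absent: remediated
]


def snapshots(rows):
    """Group rows into {day: {category: set(ids)}}, ordered by day."""
    by_day = defaultdict(lambda: defaultdict(set))
    for day, category, uid in rows:
        by_day[day][category].add(uid)
    return dict(sorted(by_day.items()))


def remediation_by_day(rows, min_dump_size=1):
    """Compare each dump with the previous one and count, per category,
    IDs that disappeared (remediated) and IDs that appeared (new).

    A dump smaller than min_dump_size is treated as a failed export and
    skipped, so a missing day does not show up as mass remediation.
    Returns {day: {category: {"remediated": n, "new": n}}}.
    """
    snaps = snapshots(rows)
    days = [d for d in snaps if sum(len(s) for s in snaps[d].values()) >= min_dump_size]
    result = {}
    for prev_day, today in zip(days, days[1:]):
        categories = set(snaps[prev_day]) | set(snaps[today])
        result[today] = {}
        for cat in sorted(categories):
            before = snaps[prev_day].get(cat, set())
            now = snaps[today].get(cat, set())
            result[today][cat] = {
                "remediated": len(before - now),   # seen yesterday, gone today
                "new": len(now - before),          # not seen yesterday, here today
            }
    return result


def remediated_series(rows):
    """Flatten to the shape an area chart wants: {category: [(day, count), ...]}."""
    series = defaultdict(list)
    for day, per_cat in remediation_by_day(rows).items():
        for cat, counts in per_cat.items():
            series[cat].append((day, counts["remediated"]))
    return dict(series)


if __name__ == "__main__":
    for day, per_cat in remediation_by_day(SAMPLE_ROWS).items():
        print(day, dict(per_cat))
```

The first dump has nothing to compare against, so the series starts on the second day. The min_dump_size guard matters in practice: an empty or truncated export would otherwise make every open finding look remediated for a day and then reappear as new the day after.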