Splunk Enterprise Security
Highlighted

Vulnerability scan: how to grab the last scan data only?

Path Finder

Hello,

We'd like to create a dashboard for our vulnerability data. Our two main goals are:
1. Track the number of vulnerabilities over selected time (ex.: 30 days, 45 days, etc.)
2. Show the current "vulnerability state" of an asset or group of assets (the data of the last performed scan).

There are no surprises for the first part, but for the second one we can’t find a way to show the data of the last scan only. Our scans has a different frequency for different assets, so we can’t just select a time period equal to the scan frequency. We tried to use the value of the last_discovered field and then use max function in order to track the last scan like below:

| streamstats max(last_discovered) as last_scan
| where last_discovered=last_scan

But it does not work because a scan can take a few seconds, so the last_discovered field’s values are not the same.

Do you have any ideas how we can grab the date of the last scan only?
Thanks.

0 Karma
Highlighted

Re: Vulnerability scan: how to grab the last scan data only?

SplunkTrust
SplunkTrust

There are several options for how to do this, but all will require a bit more information on the source data.

Can you post an abbreviated version of a couple of events? (Really, we just need all the date fields, and a tiny bit of the "data" part so we can get a feel for it).

0 Karma
Highlighted

Re: Vulnerability scan: how to grab the last scan data only?

Path Finder

Hi @rich7177 ,

Here are two events with all date fields and some additionnal fields as well:

cve                      | CVE-2019-11111
cvss                     | 9.80
dest                     | my_dest_name
first_discovered         | 2020-01-14 16:33:19.121
host                     | my_host
index                    | my_index
ip                       | 123.45.67.89
most_recently_discovered | 2020-01-22 18:11:28.127
severity                 | critical
signature                | CVE-2019-11111: Remote Code Execution    
solution_summary         | Apply the MMM    
source                   | xxx.log
sourcetype               | my_sourcetype    
timestamp                | 2020-01-22 18:11:28.127

cve                      | CVE-2019-22222   
cvss                     | 9.60
dest                     | my_dest_name
first_discovered         | 2020-01-22 18:11:28.126  
host                     | my_host
index                    | my_index
ip                       | 123.45.67.89
most_recently_discovered | 2020-01-22 18:11:28.126  
severity                 | critical
signature                | CVE-2019-22222: Access   
solution_summary         | Apply the NNN    
source                   | xxx.log
sourcetype               | my_sourcetype    
timestamp                | 2020-01-22 18:11:28.126  

I thought about to round the value of the most_recently_discoveredfield as a workaround:

| eval most_recently_discovered=strftime((floor(now()/600))*600,"%Y-%m-%d %H:%M:%S")
| eval most_recently_discovered = strptime(most_recently_discovered, "%Y-%m-%d %H:%S")

Thanks for the help.

0 Karma
Highlighted

Re: Vulnerability scan: how to grab the last scan data only?

SplunkTrust
SplunkTrust

OK, so let's recount what we're trying to do.

Does the vulnerability scanner include an event for when a particular CVE had applied previously but no longer applies?

(If it does, we can use a simpler method probably, but I'm assuming not because I haven't seen one that does yet...)

In that case, we need to probably find the latest scan for any host, then only use that latest scan's information. Right?

Is there any field that is consistent across a single scan, but not the same as a previous scan? For instance, something like a scan id would work, or maybe a "scan start time?" This can be per host, or overall for that entire scan - as long as it separates subsequent scans of the same host in some way.

Here's what I'm thinking. What we'll have to do is find the latest scan for each host using a subsearch, and we'll feed that back into the main search to get the pile of results for each scan of the host.

If no such scanid or similar thing exists, this is still possible but just harder. How often do scans run? Daily? Weekly? If they are separated by long enough, maybe this isn't hard even without a scanid.

Anyway, information gathering phase is getting close to done. Soon maybe we can start on an actual search... 🙂

0 Karma
Highlighted

Re: Vulnerability scan: how to grab the last scan data only?

Path Finder

Hi @rich7177,
I think I have to provide you a bit more information.

There are actually two sourcetypes we have in logs: vulnerability and asset. The first one lists all discovered vulnerabilities one by one on each device with vulnerability name, severity, category, etc. The second one provides an information about every scanned asset at the end of each scan with total number of discovered vulnerabilities, asset score, etc.

We’ve decided to use the second sourcetype to show the information for a group of assets because the filtering by most_recently_discovered date could be implemented easily. One thing that reminds is to list all vulnerabilities for a selected asset (where we need a vulnerabilitysourcetype). It means that we have no need to perform a subsearch to find a last scan date for each asset – we have only one asset selected for this part of the dashboard.

Unfortunately, we wasn’t be able to find a field with a constant value for a single scan such as scanid or scanstarttime. That’s why we thought about to use the value of the `mostrecently_discoveredfield which stays almost the same for an asset for each scan. Different vulnerabilities of the same scan could have a difference but really the small one, maybe few seconds (where the idea to usefloor` command comes from). Our purple team does not have a “locked” scan schedule (scan could be launched out of schedule because of a particular vulnerability test, etc.), but different scans will surely have a difference of few hours at least.

Thanks for the help!

0 Karma