Splunk Enterprise Security

datamodel - dedup count

New Member

This is in regards to the Vulnerability Center and Qualys.

Issue - the data model gets updated every 24 hrs (this can't change), and when we click into the Vulnerability Center we get incorrect numbers. It seems like it's counting the same vulnerability for a host multiple times, which inflates the number in the dashboard. I can search the index and get the correct result, but the engineer wants to use the defined dashboard in ES.

Goal - to somehow dedup the count in that data model and get the correct answer using the data model.

Data model query that gives incorrect info:
| tstats summariesonly=true count from datamodel=Vulnerabilities.Vulnerabilities where earliest=-30d@d latest=+0s `cim_filter_vuln_severity("Vulnerabilities")` by Vulnerabilities.signature, Vulnerabilities.dest

e.g. answer: count should be 1 instead of 8
Vulnerabilities.signature Vulnerabilities.dest count
'nlockmgr' Allows Proxying of NFS Requests 8

Searching the index that gives the correct answer:
eventtype="qualysvmdetectionevent" (STATUS="NEW" OR STATUS="ACTIVE") earliest=-30d@d latest=+0s | dedup QID destip | stats count by destip signature

e.g. correct answer:
dest_ip signature count
'nlockmgr' Allows Proxying of NFS Requests 1

0 Karma

Re: datamodel - dedup count

Ultra Champion

Meh... I kinda disagree.
Enterprise Security is tracking your security posture across time. If you do a weekly scan and you fixed a load of vulns last week, you want to see that number decrease; likewise, if you find a load more issues this week, ES wants to know that too.

I know this sounds a bit counter-intuitive, but ES is tracking total vulns 'DETECTED', not unique vulns that exist. It's a subtlety which is related to how often you scan your hosts, but deduping this is not what ES, the correlation searches or notable events expect.

If you want to see total unique vulns per host (which is what you appear to be distilling this to), then you should create your own report/dashboard.

0 Karma
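A data-model search that reports unique vulnerabilities per host alongside the raw detection total, illustrating both the question's goal (a deduplicated count from the accelerated data model) and the reply's point (the dashboard counts detections, not unique findings). This is an added example and not code from either post above or from Splunk ES itself. It assumes the CIM Vulnerabilities data model is accelerated and that the Qualys add-on populates its `dest` and `signature` fields; the severity macro from the question's query is left out.

```spl
| tstats summariesonly=true count AS detections
    FROM datamodel=Vulnerabilities.Vulnerabilities
    WHERE earliest=-30d@d latest=now
    BY Vulnerabilities.dest Vulnerabilities.signature
| rename Vulnerabilities.* AS *
| stats dc(signature) AS unique_vulns, sum(detections) AS detections BY dest
| sort - unique_vulns
```

The first `tstats` stage already collapses every (host, signature) pair to one row, so `unique_vulns` is the per-host deduplicated figure the question asks for, while `detections` keeps the ES-style total that grows with every scan that re-observes the same finding. The same per-host figure can be produced in a single stage with `| tstats summariesonly=true dc(Vulnerabilities.signature) AS unique_vulns FROM datamodel=Vulnerabilities.Vulnerabilities BY Vulnerabilities.dest`, but the two-stage form keeps both numbers side by side for comparison against the Vulnerability Center panel.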