Solved: Compare two timestamps

LionSplunk · ‎10-24-2023

Hello,

We are implenting splunk in our environment and right now i import every 7 days our vulnerability scan to splunk. My Task is to filter the Host and the CVE Number and get the output which host and CVE is new in the newest scan "New", which was in the old scan but is not there in the new scan "finished" and which is in both scan and is "unchanged"
The Problem is i do not have any information in the log data that the Host is finished or anything else . I have only 4 Fields: CVE ,extracted_Host, RISK Level = Critical,High and Medium and _time of course.

Thats my try:

index=vulnerability_scan Risk=Critical earliest=-7d latest=now
| stats values(CVE) as CVE_7d by extracted_Host
| appendcols [ search index=vulnerability_scan Risk=Critical earliest=now -7d latest=now
| stats values(CVE) as CVE_now by extracted_Host ]
| eval Status=case(isnull(CVE_7d) AND isnotnull(CVE_now), "New",
isnotnull(CVE_7d) AND isnull(CVE_now), "Finished",
isnotnull(CVE_7d) AND isnotnull(CVE_now), "Not Changed")
| table extracted_Host, Status

Problem with this i get only the output "finished" but most of the scans are in the old scan means that they are "unchanged". For me It is possible to split out the 3 outputs then i would build a Dashboard with the 3 Informations. I dont know if Splunk is the best tool to compare 2 timestamps like i will do? The Time Range is every time 7 days - maybe in the next time it will be shorter but right now its 7 days.

Thanks for the help

PickleRick · ‎10-25-2023

1. If I remember correctly, you can do a delta report in Nessus 😉

2. Instead of bending over backwards with comparing summarized stats, approach it from the other side. Categorize your events first, then do a summary.

I'm not 100% sure about your data and your desired outcome but I would probably try to approach it like this:

index=nessus Risk=Medium earliest=-9d
| eval state=if(_time<now()-7*85400,"OLD","NEW")
| stats values(state) as state by CVE extracted_Host

This will give you a summary with a field (possibly multivalued) telling you whether it was in the old scan, the new one or both. Now you can decide what is the final status depending on the state of CVE in the old scan and the new one

| eval status=case(state="OLD" and state="NEW","still open",state="OLD","closed",state="NEW","Yummy, a fresh one!")

View solution in original post

PickleRick · ‎10-24-2023

I don't get it.

index=vulnerability_scan Risk=Critical earliest=-7d latest=now
| stats values(CVE) as CVE_7d by extracted_Host
| appendcols [ search index=vulnerability_scan Risk=Critical earliest=now -7d latest=now
| stats values(CVE) as CVE_now by extracted_Host ]

I see two practically identical searches (with one having "earliest=-7d" and the other one having "now-7d" which mean the same). The only difference between them might be if some event got ingested between run of the outer search and inner one.

LionSplunk · ‎10-25-2023

Yes, you are right. Second search is useless.

index=nessus Risk=Medium earliest=-9d latest=now
| stats values(CVE) as CVE_9d by extracted_Host
| eval Status=case(isnull(CVE_9d) AND isnotnull(CVE_now), "New",isnotnull(CVE_9d) AND isnull(CVE_now), "Finished", isnotnull(CVE_9d) AND isnotnull(CVE_now), "Not Changed")
| table extracted_Host, Status

My Problem is still here. I import vulnerability scans Logs into Splunk and get the Information about which Host has an open CVE and how high critical it is. I want the output if the scanned Host is in the old scan for 7 days and not in the new scan today and get the output that the Host is "Finished", same output for Host if is in the old scan and the new scan then i want the output "Unchanged", same output for Host when it is not in the old scan but in the new scan then i want the output "New" .

I need the Information that i can build a Dashboard and see which Host and CVE are "done" , which one are "still open" and which Host and CVE are "New" because i must give the information/Ticket to the Server Admins.
Thanks

PickleRick · ‎10-25-2023

1. If I remember correctly, you can do a delta report in Nessus 😉

2. Instead of bending over backwards with comparing summarized stats, approach it from the other side. Categorize your events first, then do a summary.

I'm not 100% sure about your data and your desired outcome but I would probably try to approach it like this:

index=nessus Risk=Medium earliest=-9d
| eval state=if(_time<now()-7*85400,"OLD","NEW")
| stats values(state) as state by CVE extracted_Host

This will give you a summary with a field (possibly multivalued) telling you whether it was in the old scan, the new one or both. Now you can decide what is the final status depending on the state of CVE in the old scan and the new one

| eval status=case(state="OLD" and state="NEW","still open",state="OLD","closed",state="NEW","Yummy, a fresh one!")

LionSplunk · ‎11-10-2023

Hi Rick,

I try to do a dropdown for the status to filter for "still open", "closed" etc.

index=nessus Risk=Critical | eval state=if(_time<now()-7*85400,"OLD","NEW")

| eval status=case(state="OLD" and state="NEW","still open",state="OLD","closed",state="NEW","Yummy, a fresh one!")

and added |stats count by status
I get the Information for the 3 status outputs in the normal search. I added this in the dropdown and can choose between the 3 but when i choose one of them i get no result found back. All with * is going. i tried a static options and thats the same problem. i cant filter for the 3 status outputs.
Do you know what i am doing wrong?
Thanks

LionSplunk · ‎11-07-2023

Hello Pickle Rick,

Thanks for your help!
It worked!

Compare two timestamps

other

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability