Hi,
Scnenario is:
I have an Organization A.
Organization A has 10 Hosts.
Vulnerability scan finds 50 unique vulnerabilities found across all 10 Hosts in Organization A.
Each host is affected by multiple vulnerabilities so total vulnerabilities count spread across all Hosts is lets say 500 since each host can be affected by more than one vulnerabilities or vice versa, each vulnerability is affecting more than one host.
I want to calculate the Compliance% of Organization A.
Fully compliant Organization A is 100% compliant if no vulnerabilities are found and no affected host found. Splunk will have data for a Host only if vulnerability scans detects to have vulnerability on this host. Otherwise, Host's vulnerability data will not be in Splunk.
In my understanding, the only way to calculate that is IF feed has "Remediated" field for a Host with specific Vulnerability as Remediated. Next scan of vulnerability should drop this host since it has been Remediated. This way if we have Hosts found, vulnerabilities found and vulnerabilities remediated only then we can calculate Compliance%.
Am I missing something or my head is just spinning? How to calculate Compliance% of Organization A?
(a) It all depends on your "Organisation" view of Compliance. My company would say if 10 hosts are there and; say 8 of them have vulnerabilities (even 1), the compliance% is 20%. So even if 1 vulnerability exists per host, that host will be considered vulnerable.
(b) but if you consider more granular (which is technicallly more accurate), let's say remediate all vulnerabilities in the company. Then the total vulnerabilities in your org becomes 500. So if you clean up 300 of them, then your remaining vulnerability% becomes 200/500 = 40%
if you consider . (a), then calculation is easy.. as you just need . ... | stats count(vulnerability) by host
and if it is null or zero, then that host is compliant.
if you consider (b), then something in lines of . ...| fillnull value="0" | stats count by vulnerability, host
and if the vulnerability is atleast 1, then it is considered against compliance
(a) It all depends on your "Organisation" view of Compliance. My company would say if 10 hosts are there and; say 8 of them have vulnerabilities (even 1), the compliance% is 20%. So even if 1 vulnerability exists per host, that host will be considered vulnerable.
(b) but if you consider more granular (which is technicallly more accurate), let's say remediate all vulnerabilities in the company. Then the total vulnerabilities in your org becomes 500. So if you clean up 300 of them, then your remaining vulnerability% becomes 200/500 = 40%
if you consider . (a), then calculation is easy.. as you just need . ... | stats count(vulnerability) by host
and if it is null or zero, then that host is compliant.
if you consider (b), then something in lines of . ...| fillnull value="0" | stats count by vulnerability, host
and if the vulnerability is atleast 1, then it is considered against compliance
Hi @mbasharat,
You got most of it right, just missing step 1 below:
Step 1 : You will need the list of hosts that you will be scanning and that (in your example) represent the entire organization, this will be used to ensure that all your hosts responded and to a fixed total for your hosts.
Step 2: Run the scan and consider that the initial list was fully clean, then from there just calculate host many infected hosts you got. In your case whether the host has one, two or ten vulnerabilities it will still count as 1/10 infected.
Step 3: After running multiple scans you can get the results and make trend on which hosts are getting more and more infections and which hosts are getting better over time.
So yeah you're not missing anything except that initial list to work your compliance% on.
Cheers,
David
This one up-voted as well!! THANKS 🙂