Splunk Search

Compliance % Calculation

mbasharat
Builder

Hi,

Scnenario is:

I have an Organization A.
Organization A has 10 Hosts.
Vulnerability scan finds 50 unique vulnerabilities found across all 10 Hosts in Organization A.
Each host is affected by multiple vulnerabilities so total vulnerabilities count spread across all Hosts is lets say 500 since each host can be affected by more than one vulnerabilities or vice versa, each vulnerability is affecting more than one host.

I want to calculate the Compliance% of Organization A.

Fully compliant Organization A is 100% compliant if no vulnerabilities are found and no affected host found. Splunk will have data for a Host only if vulnerability scans detects to have vulnerability on this host. Otherwise, Host's vulnerability data will not be in Splunk.

In my understanding, the only way to calculate that is IF feed has "Remediated" field for a Host with specific Vulnerability as Remediated. Next scan of vulnerability should drop this host since it has been Remediated. This way if we have Hosts found, vulnerabilities found and vulnerabilities remediated only then we can calculate Compliance%.

Am I missing something or my head is just spinning? How to calculate Compliance% of Organization A?

Tags (1)
0 Karma
1 Solution

koshyk
Super Champion

(a) It all depends on your "Organisation" view of Compliance. My company would say if 10 hosts are there and; say 8 of them have vulnerabilities (even 1), the compliance% is 20%. So even if 1 vulnerability exists per host, that host will be considered vulnerable.

(b) but if you consider more granular (which is technicallly more accurate), let's say remediate all vulnerabilities in the company. Then the total vulnerabilities in your org becomes 500. So if you clean up 300 of them, then your remaining vulnerability% becomes 200/500 = 40%

if you consider . (a), then calculation is easy.. as you just need . ... | stats count(vulnerability) by host and if it is null or zero, then that host is compliant.
if you consider (b), then something in lines of . ...| fillnull value="0" | stats count by vulnerability, host and if the vulnerability is atleast 1, then it is considered against compliance

View solution in original post

0 Karma

koshyk
Super Champion

(a) It all depends on your "Organisation" view of Compliance. My company would say if 10 hosts are there and; say 8 of them have vulnerabilities (even 1), the compliance% is 20%. So even if 1 vulnerability exists per host, that host will be considered vulnerable.

(b) but if you consider more granular (which is technicallly more accurate), let's say remediate all vulnerabilities in the company. Then the total vulnerabilities in your org becomes 500. So if you clean up 300 of them, then your remaining vulnerability% becomes 200/500 = 40%

if you consider . (a), then calculation is easy.. as you just need . ... | stats count(vulnerability) by host and if it is null or zero, then that host is compliant.
if you consider (b), then something in lines of . ...| fillnull value="0" | stats count by vulnerability, host and if the vulnerability is atleast 1, then it is considered against compliance

0 Karma

DavidHourani
Super Champion

Hi @mbasharat,

You got most of it right, just missing step 1 below:

Step 1 : You will need the list of hosts that you will be scanning and that (in your example) represent the entire organization, this will be used to ensure that all your hosts responded and to a fixed total for your hosts.
Step 2: Run the scan and consider that the initial list was fully clean, then from there just calculate host many infected hosts you got. In your case whether the host has one, two or ten vulnerabilities it will still count as 1/10 infected.
Step 3: After running multiple scans you can get the results and make trend on which hosts are getting more and more infections and which hosts are getting better over time.

So yeah you're not missing anything except that initial list to work your compliance% on.

Cheers,
David

0 Karma

mbasharat
Builder

This one up-voted as well!! THANKS 🙂

0 Karma
Get Updates on the Splunk Community!

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

We love our Splunk Community and want you to feel inspired by all your hard work! Eric Fusilero, our VP of ...

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...