- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Help with tracking vulnerability data over time
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Help with tracking vulnerability data over time
I'm trying to figure out the smartest way to track vulnerability data over time and account for how DHCP may mean that a single host is scanned at multiple IPs.
So, I've tried a search that looks for all vulnerability data and then it does an inner join by dest and _time on a subsearch that looks for a particular event ID that contains the hostname. I'm guessing I can them do a | streamstats max(_time) AS last_scan by dest | where _time=last_scan.
But for whatever reason, this search doesn't come back with any results:
index=vulnerabilities sourcetype=nessus NOT "Plugin ID,CVE," NOT dest=\*/* | join type=inner _time,dest [search index=vulnerabilities nessus_id="11936" OR nessus_id="12053" OR nessus_id="60035" NOT dest=\*/* | rex field=plugin_output "(?i)resolves\sas\s(?P<hostname>[^\.]+)\.(?P<domainname>\S+)?\." | eval hostname=if(isnull(hostname),dest,hostname) | fields hostname] | table _time,dest,hostname,signature_name
What am I doing wrong here?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
One reason that it does not work (correctly) is that you cannot escape asterisks in SPL so this part is bad:
NOT dest=\*/*
You have to do something like this instead:
| regex dest!="\*/.*"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this. Any results?
index=vulnerabilities sourcetype=nessus | join type=inner _time,dest [search index=vulnerabilities | rex field=plugin_output "(?i)resolves\sas\s(?P<hostname>[^\.]+)\.(?P<domainname>\S+)?\." | eval hostname=if(isnull(hostname),dest,hostname) | fields hostname]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not really sure about the index. Try breaking down the entire query and make sure that each part is working as expected.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The parentheses didn't change anything...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are parentheses required for your sub search to work?
[search index=vulnerabilities (nessus_id="11936" OR nessus_id="12053" OR nessus_id="60035") NOT dest=\*/*
Tim.
Thanks for the Memories! Splunk University, .conf24, and Community Connections
.conf24 | Day 0
Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...
