Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Help with tracking vulnerability data over time
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Help with tracking vulnerability data over time
I'm trying to figure out the smartest way to track vulnerability data over time and account for how DHCP may mean that a single host is scanned at multiple IPs.
So, I've tried a search that looks for all vulnerability data and then it does an inner join by dest and _time on a subsearch that looks for a particular event ID that contains the hostname. I'm guessing I can them do a | streamstats max(_time) AS last_scan by dest | where _time=last_scan.
But for whatever reason, this search doesn't come back with any results:
index=vulnerabilities sourcetype=nessus NOT "Plugin ID,CVE," NOT dest=\*/* | join type=inner _time,dest [search index=vulnerabilities nessus_id="11936" OR nessus_id="12053" OR nessus_id="60035" NOT dest=\*/* | rex field=plugin_output "(?i)resolves\sas\s(?P<hostname>[^\.]+)\.(?P<domainname>\S+)?\." | eval hostname=if(isnull(hostname),dest,hostname) | fields hostname] | table _time,dest,hostname,signature_name
What am I doing wrong here?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
One reason that it does not work (correctly) is that you cannot escape asterisks in SPL so this part is bad:
NOT dest=\*/*
You have to do something like this instead:
| regex dest!="\*/.*"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this. Any results?
index=vulnerabilities sourcetype=nessus | join type=inner _time,dest [search index=vulnerabilities | rex field=plugin_output "(?i)resolves\sas\s(?P<hostname>[^\.]+)\.(?P<domainname>\S+)?\." | eval hostname=if(isnull(hostname),dest,hostname) | fields hostname]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not really sure about the index. Try breaking down the entire query and make sure that each part is working as expected.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The parentheses didn't change anything...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are parentheses required for your sub search to work?
[search index=vulnerabilities (nessus_id="11936" OR nessus_id="12053" OR nessus_id="60035") NOT dest=\*/*
Tim.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
SplunkTrust Application Period is Officially OPEN!
