Splunk Search

Problem with ranges calculation in search



I have a vulnerability dataset. Each vulnerability comes with a score from the scanning tool. The scanning tool has its own calculation and assigns a severity based on that.

We, on the customer side, calculate Severity based on the customer-defined score ranges below:

9.0-10.0 > CRITICAL
7.0-8.9 > HIGH
4.0-6.9 > MEDIUM
0.1-3.9 > LOW
0.0 > NONE

The issue is that when data comes from the source/scanning tool, it has its own severities, which do not always line up with the above ranges. Our score ranges above are the main guideline to use.

Often, the Severity in the data does not match the Score passed by the tool, as I mentioned above.

A Severity of MAJOR in the data coming with a Score of 3.0.
A Severity of MINOR in the data coming with a Score of 3.0.
A Severity of CRITICAL in the data coming with a Score of 0.0.
A Severity of CRITICAL in the data coming with a Score of 10.0 (this is correct and in line with our ranges above).

I need both of the options below:

Desired output 1 (based on score ranges):

SEVERITY_Data  Score_Data  Severity_Adjusted_Score  Severity_Adjusted_Code
MAJOR          3.0         Median of 0.1-3.9        LOW

Desired output 2 (based on SEVERITY_Data e.g. value is MAJOR):

SEVERITY_Data  Score_Data  Severity_Adjusted_Score  Severity_Adjusted_Code
MAJOR          3.0         Median of 7.0-8.9        HIGH

Likewise for the rest of the severities and score ranges. Thanks in advance!!!




It's unclear how you need to aggregate scores or map severity labels, but here's an example using random data that may provide inspiration:

| makeresults count=100
| eval severity=mvindex(split("MINOR,MAJOR,CRITICAL", ","), random() % 3), score=round(10 * random() / 2147483647, 1)
| stats median(score) as score by severity
| rangemap field=score LOW=0.1-3.9 MEDIUM=4.0-6.9 HIGH=7.0-8.9 CRITICAL=9.0-10.0 default=NONE
| rename range as adjusted_severity
