Problem with ranges calculation in search

mbasharat
Contributor

Hi,

I have a vulnerability dataset. Each vulnerability comes with a score from the scanning tool. The scanning tool has its own calculation and assigns a severity based on that.

We, on the customer side, calculate Severity based on the customer-defined score ranges below:

9.0-10.0 > CRITICAL
7.0-8.9 > HIGH
4.0-6.9 > MEDIUM
0.1-3.9 > LOW
0.0 > NONE

The issue is that when data comes from the source/scanning tool, it has its own severities, which are not always lined up with the above ranges. Our score ranges above are the main root guideline to use.

Example:
Oftentimes, the Severity from the data does not match the Score that is passed by the tool, as I mentioned above.

A Severity of MAJOR in data coming with a Score of 3.0.
A Severity of MINOR in data coming with a Score of 3.0.
A Severity of CRITICAL in data coming with a Score of 0.0.
A Severity of CRITICAL in data coming with a Score of 10.0 (this is correct and in line with our ranges above)

I need both of the options below:

Desired output 1 (based on score ranges):

SEVERITY_Data  Score_Data  Severity_Adjusted_Score  Severity_Adjusted_Code
MAJOR          3.0         Median of 0.1-3.9        LOW

Desired output 2 (based on SEVERITY_Data e.g. value is MAJOR):

SEVERITY_Data  Score_Data  Severity_Adjusted_Score  Severity_Adjusted_Code
MAJOR          3.0         Median of 7.0-8.9        HIGH


Likewise for the rest of the severities and score ranges. Thanks in advance!!!


tscroggins
Builder

@mbasharat 

It's unclear how you need to aggregate scores or map severity labels, but here's an example using random data that may provide inspiration:

| makeresults count=100
| eval severity=mvindex(split("MINOR,MAJOR,CRITICAL", ","), random() % 3), score=round(10 * random() / 2147483647, 1)
| stats median(score) as score by severity
| rangemap field=score LOW=0.1-3.9 MEDIUM=4.0-6.9 HIGH=7.0-8.9 CRITICAL=9.0-10.0 default=NONE
| rename range as adjusted_severity

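The answer above shows the range-based mapping with rangemap over aggregated random data. The search below is an added example, not from the original thread or from either poster, that runs per event over a few constructed sample rows (the four cases from the question) and produces both desired outputs side by side. Assumptions: the incoming fields are named SEVERITY_Data and Score_Data as in the question's tables; "Median of" a range is taken as the arithmetic midpoint of its endpoints (2.0, 5.45, 7.95, 9.5); and for the label-based mapping only MAJOR->HIGH is stated in the question, so MINOR->LOW and CRITICAL->CRITICAL are assumed mappings to be adjusted to the customer's own policy.

```spl
| makeresults count=4
| streamstats count as n
| eval SEVERITY_Data=case(n==1, "MAJOR", n==2, "MINOR", n==3, "CRITICAL", n==4, "CRITICAL"),
       Score_Data=case(n==1, 3.0, n==2, 3.0, n==3, 0.0, n==4, 10.0)
| eval Severity_Adjusted_Code=case(Score_Data>=9.0, "CRITICAL", Score_Data>=7.0, "HIGH", Score_Data>=4.0, "MEDIUM", Score_Data>=0.1, "LOW", true(), "NONE")
| eval Severity_Adjusted_Score=case(Severity_Adjusted_Code=="CRITICAL", 9.5, Severity_Adjusted_Code=="HIGH", 7.95, Severity_Adjusted_Code=="MEDIUM", 5.45, Severity_Adjusted_Code=="LOW", 2.0, true(), 0.0)
| eval Severity_By_Label=case(SEVERITY_Data=="CRITICAL", "CRITICAL", SEVERITY_Data=="MAJOR", "HIGH", SEVERITY_Data=="MINOR", "LOW", true(), "NONE")
| eval Score_By_Label=case(Severity_By_Label=="CRITICAL", 9.5, Severity_By_Label=="HIGH", 7.95, Severity_By_Label=="MEDIUM", 5.45, Severity_By_Label=="LOW", 2.0, true(), 0.0)
| table SEVERITY_Data Score_Data Severity_Adjusted_Score Severity_Adjusted_Code Score_By_Label Severity_By_Label
```

The first three lines only fabricate the sample rows; in production replace them with the real search over the scan data. Severity_Adjusted_Score and Severity_Adjusted_Code are desired output 1 (driven by Score_Data), while Score_By_Label and Severity_By_Label are desired output 2 (driven by SEVERITY_Data). The score thresholds use >= comparisons in descending order rather than closed ranges, so a score such as 3.95 that falls between the customer's 0.1-3.9 and 4.0-6.9 bands still lands in LOW instead of falling through to the default, which a rangemap with closed ranges would not do unless the score is first rounded to one decimal as in the answer above. For the expected rows: MAJOR/3.0 gives LOW/2.0 by score and HIGH/7.95 by label, MINOR/3.0 gives LOW/2.0 both ways, CRITICAL/0.0 gives NONE/0.0 by score and CRITICAL/9.5 by label, and CRITICAL/10.0 gives CRITICAL/9.5 both ways.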