Using Splunk for Asset Discovery in Vulnerability Management
I am in Vulnerability Management and a novice Splunk user. I want to create a query to quickly determine whether we possess any assets that could be affected when a critical CVE is released. For example, if Cisco releases a CVE that affects Cisco Adaptive Security Appliance (ASA), I want to be able to run a query and quickly determine whether we possess any of the affected assets in our environment.
You can't search data you don't have. So first you have to ask yourself if you have any data regarding your assets in your Splunk and if you do, what kind of information it contains.
Hi @simuneer,
your request isn't so easy to answer because there is a lot of information missing:
- do you have an asset list from your data (also from your Vulnerability Assessment tool)?
- do you have a CVE list from a site (e.g. VulnDB) or a tool?
- do you have a common key to correlate your CVE list to the assets (e.g. OS)?
Having the above information, it's possible, and we developed this for one of our customers, but it isn't a question for the Community but a project.
Ciao.
Giuseppe
There are no logs coming in from a VMgmt tool, I'm simply being handed a Critical CVE and being told to search for any assets that match. Right now, I'm just performing a very taxing search where "index=* sourcetype=* [insert something that might relate to the asset]"
Hi @simuneer,
as I said, if you have a CVE list (e.g. the one from VulDB) you can check the contents of the CVE with your data.
Otherwise, you have two solutions:
- you should identify the pattern to search (e.g. Log4J) in your logs and run a search containing these patterns,
- have an Asset Inventory and extract from the CVE the device classes to associate the CVE with your assets.
As I said, we implemented for a customer a connection with VulDB (it is a paid service), using an app from Splunkbase, and we developed an app to integrate this data with the customer's Asset Inventory.
Ciao.
Giuseppe
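One way to turn the "pattern in your logs" approach above into a cheap, repeatable check for the Cisco ASA case from the original question. This is an added example, not code from this thread or from any Splunk app. It assumes ASA syslog is indexed with sourcetype cisco:asa, that a lookup file asset_inventory.csv exists with host, vendor, product and version columns, and it uses 9.16.4 as a made-up placeholder for the fixed version named in the advisory (encoded as 9016004 = major*1000000 + minor*1000 + patch).

```spl
| tstats count max(_time) AS last_seen
    WHERE index=* sourcetype="cisco:asa" earliest=-30d
    BY host
| lookup asset_inventory.csv host OUTPUT vendor product version
| rex field=version "^(?<major>\d+)\.(?<minor>\d+)(?:\.(?<patch>\d+))?"
| eval patch=coalesce(patch, "0")
| eval ver_num=tonumber(major)*1000000 + tonumber(minor)*1000 + tonumber(patch)
| eval status=case(isnull(version), "version unknown - verify manually",
                   ver_num < 9016004, "affected",
                   true(), "fixed")
| where status!="fixed"
| eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| table host vendor product version status last_seen count
| sort status host
```

Because tstats reads only indexed metadata, this finishes in seconds even over index=*, unlike the raw "index=* sourcetype=*" search; hosts that log as ASA but are missing from the inventory are kept and flagged rather than silently dropped, since those are exactly the ones that need a manual look.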
@gcusello an off-topic question - were you able to do anything reasonable with the VulDB data? We tested the app for a while with one customer but it turned out the returned data was useless due to a complete lack of any reasonable structure to it.
Hi @PickleRick,
we are receiving the messages from VulDB, we form them and send them to a customer external system.
Then we receive assets from their asset management and compare them with the daily CVEs; there are two fields in the record layout to do this.
Ciao.
Giuseppe
We tried to do a similar thing but we found the data from VulDB lacking in terms of precision. The vulnerability description was free-form text; sometimes the affected versions of the software were mentioned, sometimes not...
