Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why am I having this issue Parsing Vulnerability Data?

qcjacobo2577
Path Finder
‎12-16-2022 11:04 AM

Community,

I am attempting to retrieve events in Splunk regarding Tenable vulnerability data.  The goals are as follows:

  • Obtain the most recent information for a given vulnerability ID and device pair.
  • Filter out any vulnerabilities that have a "severity" equal to "informational"

AND/OR

  • Filter out any vulnerabilities that have a state of "fixed"

 

The issue I have encountered, is that the "fixed" vulnerability may be the most recent status.  So, simply filtering that value out for a specific vulnerability ID and device combination will result in that vulnerability ID for that device showing up in the result set. (even though the vulnerability has been "fixed" in this case) --- don't want IT chasing "fixed" vulnerabilities.

In reality what I want to see is the most recent vulnerability for a given device if the severity is not equal to "fixed" and/or the vulnerability severity is not "informational" (the reason behind this is that some vulnerability severities are reduced over time due to various conditions --- where they may have started out as "high" are now "informational" or vice versa) --- otherwise do not list that device and vulnerability ID pair at all in my result set.

Here is how far I have gotten to date:

 

 

 

`get_tenable_index` sourcetype="tenable:io:vuln"

[ search index="tenable" sourcetype="tenable:io:assets" deleted_at="null" 
| rename uuid AS asset_uuid
| stats count by asset_uuid
| fields asset_uuid ]


| rename plugin.id AS Plugin_ID asset_uuid AS Asset_ID
| strcat Asset_ID : Plugin_ID Custom_ID
| stats latest(*) as * by Custom_ID << The problem here is that the latest might be "fixed" or "informational" which in this case I want to ignore (if either of those is true).
| rename plugin.cvss_base_score AS CVSS plugin.synopsis AS Description plugin.name AS Name plugin.cve{} AS CVE output AS Output severity AS Risk plugin.see_also{} AS See_Also plugin.solution AS Solution state AS State plugin.has_patch AS Patchable plugin.exploit_available AS Exploitable plugin.exploited_by_malware AS Exploited_By_Malware plugin.publication_date AS Plugin_Publish_Date
| table Custom_ID, CVSS, Description, Name, CVE, Plugin_ID, Output, Risk, See_Also, Solution, State, Asset_ID, Patchable, Exploitable, Exploited_By_Malware, Plugin_Publish_Date tags{}.value

 

 

 

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎12-16-2022 12:03 PM

After you get the latest values for each asset (I prefer to use dedup), filter out those with severity of fixed or informational.  Then you will have discarded all events for that asset so they won't distract IT.

`get_tenable_index` sourcetype="tenable:io:vuln"

[ search index="tenable" sourcetype="tenable:io:assets" deleted_at="null" 
| rename uuid AS asset_uuid
| stats count by asset_uuid
| fields asset_uuid ]

| rename plugin.id AS Plugin_ID asset_uuid AS Asset_ID
| strcat Asset_ID : Plugin_ID Custom_ID
| stats latest(*) as * by Custom_ID 
| search NOT severity IN (fixed informational)
| rename plugin.cvss_base_score AS CVSS plugin.synopsis AS Description plugin.name AS Name plugin.cve{} AS CVE output AS Output severity AS Risk plugin.see_also{} AS See_Also plugin.solution AS Solution state AS State plugin.has_patch AS Patchable plugin.exploit_available AS Exploitable plugin.exploited_by_malware AS Exploited_By_Malware plugin.publication_date AS Plugin_Publish_Date
| table Custom_ID, CVSS, Description, Name, CVE, Plugin_ID, Output, Risk, See_Also, Solution, State, Asset_ID, Patchable, Exploitable, Exploited_By_Malware, Plugin_Publish_Date tags{}.value
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎12-16-2022 12:03 PM

After you get the latest values for each asset (I prefer to use dedup), filter out those with severity of fixed or informational.  Then you will have discarded all events for that asset so they won't distract IT.

`get_tenable_index` sourcetype="tenable:io:vuln"

[ search index="tenable" sourcetype="tenable:io:assets" deleted_at="null" 
| rename uuid AS asset_uuid
| stats count by asset_uuid
| fields asset_uuid ]

| rename plugin.id AS Plugin_ID asset_uuid AS Asset_ID
| strcat Asset_ID : Plugin_ID Custom_ID
| stats latest(*) as * by Custom_ID 
| search NOT severity IN (fixed informational)
| rename plugin.cvss_base_score AS CVSS plugin.synopsis AS Description plugin.name AS Name plugin.cve{} AS CVE output AS Output severity AS Risk plugin.see_also{} AS See_Also plugin.solution AS Solution state AS State plugin.has_patch AS Patchable plugin.exploit_available AS Exploitable plugin.exploited_by_malware AS Exploited_By_Malware plugin.publication_date AS Plugin_Publish_Date
| table Custom_ID, CVSS, Description, Name, CVE, Plugin_ID, Output, Risk, See_Also, Solution, State, Asset_ID, Patchable, Exploitable, Exploited_By_Malware, Plugin_Publish_Date tags{}.value
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

qcjacobo2577
Path Finder
‎12-16-2022 01:33 PM

  Seems to be working so far, so thank you for the help!

One last question and we can wrap this up.

 

`get_tenable_index` sourcetype="tenable:io:vuln"
[ search index="tenable" sourcetype="tenable:io:assets" deleted_at="null"
| rename uuid AS asset_uuid netbios_name AS Netbios_Name
| stats count by asset_uuid
| fields asset_uuid ]
| rename plugin.id AS Plugin_ID asset_uuid AS Asset_ID port AS Network_Port
| strcat Asset_ID : Plugin_ID : Network_Port Custom_ID 
| stats latest(*) as * by Custom_ID
| search state!=fixed
| search severity!=informational
| rename plugin.cvss_base_score AS CVSS plugin.synopsis AS Description plugin.name AS Name plugin.cve{} AS CVE output AS Output severity AS Risk plugin.see_also{} AS See_Also plugin.solution AS Solution state AS State plugin.has_patch AS Patchable plugin.exploit_available AS Exploitable plugin.exploited_by_malware AS Exploited_By_Malware plugin.publication_date AS Plugin_Publish_Date synopsis AS Synopsis first_found AS First_Found
| table CVSS, Description, Name, Plugin_ID, Output, Risk, See_Also, Solution, Synopsis, State, Asset_ID, First_Found

 

  How do I pull in a field value from a subsearch into the last table command?  I included the field "netbios" into the example above. That data is not returned in the main search.

Thank you in advance!

Tags (1)
0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎12-16-2022 02:06 PM

It's not possible for the main search to access fields not returned by the subsearch.  You would need to run the subsearch again as part of the main search or (maybe) have the subsearch save the desired field(s) in a lookup file.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

qcjacobo2577
Path Finder
‎12-16-2022 03:24 PM

@richgalloway I think the below is as close as I will get for now.  I can forgo the "Netbios" since I have the DNS name in my vuln data as well as the IP.  It would be a nice to have in the future, but not a deal breaker.

 

`get_tenable_index` sourcetype="tenable:io:vuln"
[ search index="tenable" sourcetype="tenable:io:assets" deleted_at="null"
| rename uuid AS asset_uuid
| stats count by asset_uuid
| fields asset_uuid ]
| rename plugin.id AS Plugin_ID asset_uuid AS Asset_ID port AS Network_Port
| strcat Asset_ID : Plugin_ID : Network_Port Custom_ID_1 
| strcat Asset_ID : Plugin_ID Custom_ID_2
| stats latest(*) as * by Custom_ID_1
| search state!="fixed"
| search severity!="informational"
| eval unixtime=strptime(first_found,"%Y-%m-%dT%H:%M:%S")
| eval mydate=strftime(unixtime,"%Y-%m-%d")
| rename plugin.cvss_base_score AS CVSS plugin.synopsis AS Description dns_name AS DNS_Name ip AS IP_Address plugin.name AS Name plugin.cve{} AS CVE output AS Output severity AS Risk plugin.see_also{} AS See_Also plugin.solution AS Solution state AS State plugin.publication_date AS Plugin_Publish_Date mydate AS First_Found
| table Custom_ID_2, CVSS, Description, DNS_Name, IP_Address, Name, CVE, Plugin_ID, Output, Risk, See_Also, Solution, State, Asset_ID, First_Found
0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...