Splunk Search

Why am I having this issue Parsing Vulnerability Data?

qcjacobo2577
Path Finder

Community,

I am attempting to retrieve events in Splunk regarding Tenable vulnerability data.  The goals are as follows:

  • Obtain the most recent information for a given vulnerability ID and device pair.
  • Filter out any vulnerabilities that have a "severity" equal to "informational"

AND/OR

  • Filter out any vulnerabilities that have a state of "fixed"

 

The issue I have encountered, is that the "fixed" vulnerability may be the most recent status.  So, simply filtering that value out for a specific vulnerability ID and device combination will result in that vulnerability ID for that device showing up in the result set. (even though the vulnerability has been "fixed" in this case) --- don't want IT chasing "fixed" vulnerabilities.

In reality what I want to see is the most recent vulnerability for a given device if the severity is not equal to "fixed" and/or the vulnerability severity is not "informational" (the reason behind this is that some vulnerability severities are reduced over time due to various conditions --- where they may have started out as "high" are now "informational" or vice versa) --- otherwise do not list that device and vulnerability ID pair at all in my result set.

Here is how far I have gotten to date:

 

 

 

`get_tenable_index` sourcetype="tenable:io:vuln"

[ search index="tenable" sourcetype="tenable:io:assets" deleted_at="null" 
| rename uuid AS asset_uuid
| stats count by asset_uuid
| fields asset_uuid ]


| rename plugin.id AS Plugin_ID asset_uuid AS Asset_ID
| strcat Asset_ID : Plugin_ID Custom_ID
| stats latest(*) as * by Custom_ID << The problem here is that the latest might be "fixed" or "informational" which in this case I want to ignore (if either of those is true).
| rename plugin.cvss_base_score AS CVSS plugin.synopsis AS Description plugin.name AS Name plugin.cve{} AS CVE output AS Output severity AS Risk plugin.see_also{} AS See_Also plugin.solution AS Solution state AS State plugin.has_patch AS Patchable plugin.exploit_available AS Exploitable plugin.exploited_by_malware AS Exploited_By_Malware plugin.publication_date AS Plugin_Publish_Date
| table Custom_ID, CVSS, Description, Name, CVE, Plugin_ID, Output, Risk, See_Also, Solution, State, Asset_ID, Patchable, Exploitable, Exploited_By_Malware, Plugin_Publish_Date tags{}.value

 

 

 

 

Labels (2)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

After you get the latest values for each asset (I prefer to use dedup), filter out those with severity of fixed or informational.  Then you will have discarded all events for that asset so they won't distract IT.

`get_tenable_index` sourcetype="tenable:io:vuln"

[ search index="tenable" sourcetype="tenable:io:assets" deleted_at="null" 
| rename uuid AS asset_uuid
| stats count by asset_uuid
| fields asset_uuid ]

| rename plugin.id AS Plugin_ID asset_uuid AS Asset_ID
| strcat Asset_ID : Plugin_ID Custom_ID
| stats latest(*) as * by Custom_ID 
| search NOT severity IN (fixed informational)
| rename plugin.cvss_base_score AS CVSS plugin.synopsis AS Description plugin.name AS Name plugin.cve{} AS CVE output AS Output severity AS Risk plugin.see_also{} AS See_Also plugin.solution AS Solution state AS State plugin.has_patch AS Patchable plugin.exploit_available AS Exploitable plugin.exploited_by_malware AS Exploited_By_Malware plugin.publication_date AS Plugin_Publish_Date
| table Custom_ID, CVSS, Description, Name, CVE, Plugin_ID, Output, Risk, See_Also, Solution, State, Asset_ID, Patchable, Exploitable, Exploited_By_Malware, Plugin_Publish_Date tags{}.value
---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

After you get the latest values for each asset (I prefer to use dedup), filter out those with severity of fixed or informational.  Then you will have discarded all events for that asset so they won't distract IT.

`get_tenable_index` sourcetype="tenable:io:vuln"

[ search index="tenable" sourcetype="tenable:io:assets" deleted_at="null" 
| rename uuid AS asset_uuid
| stats count by asset_uuid
| fields asset_uuid ]

| rename plugin.id AS Plugin_ID asset_uuid AS Asset_ID
| strcat Asset_ID : Plugin_ID Custom_ID
| stats latest(*) as * by Custom_ID 
| search NOT severity IN (fixed informational)
| rename plugin.cvss_base_score AS CVSS plugin.synopsis AS Description plugin.name AS Name plugin.cve{} AS CVE output AS Output severity AS Risk plugin.see_also{} AS See_Also plugin.solution AS Solution state AS State plugin.has_patch AS Patchable plugin.exploit_available AS Exploitable plugin.exploited_by_malware AS Exploited_By_Malware plugin.publication_date AS Plugin_Publish_Date
| table Custom_ID, CVSS, Description, Name, CVE, Plugin_ID, Output, Risk, See_Also, Solution, State, Asset_ID, Patchable, Exploitable, Exploited_By_Malware, Plugin_Publish_Date tags{}.value
---
If this reply helps you, Karma would be appreciated.

qcjacobo2577
Path Finder

  Seems to be working so far, so thank you for the help!

One last question and we can wrap this up.

 

`get_tenable_index` sourcetype="tenable:io:vuln"
[ search index="tenable" sourcetype="tenable:io:assets" deleted_at="null"
| rename uuid AS asset_uuid netbios_name AS Netbios_Name
| stats count by asset_uuid
| fields asset_uuid ]
| rename plugin.id AS Plugin_ID asset_uuid AS Asset_ID port AS Network_Port
| strcat Asset_ID : Plugin_ID : Network_Port Custom_ID 
| stats latest(*) as * by Custom_ID
| search state!=fixed
| search severity!=informational
| rename plugin.cvss_base_score AS CVSS plugin.synopsis AS Description plugin.name AS Name plugin.cve{} AS CVE output AS Output severity AS Risk plugin.see_also{} AS See_Also plugin.solution AS Solution state AS State plugin.has_patch AS Patchable plugin.exploit_available AS Exploitable plugin.exploited_by_malware AS Exploited_By_Malware plugin.publication_date AS Plugin_Publish_Date synopsis AS Synopsis first_found AS First_Found
| table CVSS, Description, Name, Plugin_ID, Output, Risk, See_Also, Solution, Synopsis, State, Asset_ID, First_Found

 

  How do I pull in a field value from a subsearch into the last table command?  I included the field "netbios" into the example above. That data is not returned in the main search.

Thank you in advance!

Tags (1)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

It's not possible for the main search to access fields not returned by the subsearch.  You would need to run the subsearch again as part of the main search or (maybe) have the subsearch save the desired field(s) in a lookup file.

---
If this reply helps you, Karma would be appreciated.

qcjacobo2577
Path Finder

@richgalloway I think the below is as close as I will get for now.  I can forgo the "Netbios" since I have the DNS name in my vuln data as well as the IP.  It would be a nice to have in the future, but not a deal breaker.

 

`get_tenable_index` sourcetype="tenable:io:vuln"
[ search index="tenable" sourcetype="tenable:io:assets" deleted_at="null"
| rename uuid AS asset_uuid
| stats count by asset_uuid
| fields asset_uuid ]
| rename plugin.id AS Plugin_ID asset_uuid AS Asset_ID port AS Network_Port
| strcat Asset_ID : Plugin_ID : Network_Port Custom_ID_1 
| strcat Asset_ID : Plugin_ID Custom_ID_2
| stats latest(*) as * by Custom_ID_1
| search state!="fixed"
| search severity!="informational"
| eval unixtime=strptime(first_found,"%Y-%m-%dT%H:%M:%S")
| eval mydate=strftime(unixtime,"%Y-%m-%d")
| rename plugin.cvss_base_score AS CVSS plugin.synopsis AS Description dns_name AS DNS_Name ip AS IP_Address plugin.name AS Name plugin.cve{} AS CVE output AS Output severity AS Risk plugin.see_also{} AS See_Also plugin.solution AS Solution state AS State plugin.publication_date AS Plugin_Publish_Date mydate AS First_Found
| table Custom_ID_2, CVSS, Description, DNS_Name, IP_Address, Name, CVE, Plugin_ID, Output, Risk, See_Also, Solution, State, Asset_ID, First_Found
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...