Step 1: Prerequisites

a. Splunk® Universal Forwarder with Splunk_TA_nix installed
b. "Package.sh" should be enabled, similar to the example below.

Note: the UF needs to be restarted to enable the input if it was previously started without the input.

Step 2: Deploy the updated inputs / app

If you need to deploy the app out, you'll only need to deploy it to Linux hosts. Do make sure you enable splunkd restart on your app deployment.

Step 3: Detect the CVE

Now allow time for the data to arrive at your indexing tier, and you should be able to run this search as a detection:

source=package sourcetype=package NAME=xz-libs VERSION IN ("5.6.0","5.6.1")

Note: You may need to add index=os or index=Your_Linux_TA_Data_Index_here, but by default the data will be in index=main.

You'll probably want to take the search a few steps further. The first thing that comes to our mind is adding "| stats latest(_time) as latest_time by host". When you manipulate _time like that you'll notice it converts to epoch, so you'll probably want to convert it back to human-readable format with "| convert ctime(latest_time)". The full search might look something like this:

source=package sourcetype=package NAME=xz-libs VERSION IN ("5.6.0","5.6.1")
| stats latest(_time) as latest_time by host
| convert ctime(latest_time)

If anyone else has anything to add, please reply or add your answer.
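As an added example, not part of the post above and not code from Splunk or Splunk_TA_nix: the three-line detection search, re-implemented in Python over a handful of constructed package-inventory records so the filter, the `stats latest(_time) by host` step and the `convert ctime` step can be checked offline. The record layout (space-separated key=value pairs carrying `host`, `_time`, `NAME` and `VERSION`) is an assumption chosen to match the field names the search uses, not the exact output format of package.sh, and the epoch-to-text conversion is rendered in UTC rather than the search head's local timezone.

```python
"""Offline re-implementation of the Splunk detection search (added example).

Assumed record format (not the real package.sh output): one event per line,
space-separated key=value pairs including host, _time (epoch seconds),
NAME and VERSION. Timestamps are rendered in UTC.
"""
import time

AFFECTED_PACKAGE = "xz-libs"
AFFECTED_VERSIONS = {"5.6.0", "5.6.1"}   # VERSION IN ("5.6.0","5.6.1")

# Constructed sample events, not real inventory data.
SAMPLE_EVENTS = [
    "host=web01 _time=1711900000 NAME=xz-libs VERSION=5.6.1 ARCH=x86_64",
    "host=web01 _time=1711986400 NAME=xz-libs VERSION=5.6.1 ARCH=x86_64",
    "host=db01 _time=1711900100 NAME=xz-libs VERSION=5.4.6 ARCH=x86_64",
    "host=build02 _time=1711903600 NAME=xz-libs VERSION=5.6.0 ARCH=x86_64",
    "host=build02 _time=1711800000 NAME=xz-libs VERSION=5.6.0 ARCH=x86_64",
    "host=web01 _time=1711900000 NAME=openssl-libs VERSION=3.0.7 ARCH=x86_64",
    "this line is malformed and must be skipped",
]


def parse_event(line):
    """Split a key=value line into a dict; tokens without '=' are ignored."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def is_affected(event):
    """Equivalent of: NAME=xz-libs VERSION IN ("5.6.0","5.6.1")."""
    return (event.get("NAME") == AFFECTED_PACKAGE
            and event.get("VERSION") in AFFECTED_VERSIONS)


def latest_by_host(lines):
    """Equivalent of: | stats latest(_time) as latest_time by host.

    Returns {host: latest_epoch} for hosts that reported an affected version.
    Events with a missing or non-numeric _time are skipped rather than
    aborting the whole report.
    """
    latest = {}
    for line in lines:
        event = parse_event(line)
        if not is_affected(event):
            continue
        try:
            ts = int(event["_time"])
        except (KeyError, ValueError):
            continue
        host = event.get("host", "unknown")
        if host not in latest or ts > latest[host]:
            latest[host] = ts
    return latest


def ctime(epoch):
    """Equivalent of: | convert ctime(latest_time), using Splunk's default
    %m/%d/%Y %H:%M:%S layout but in UTC."""
    return time.strftime("%m/%d/%Y %H:%M:%S", time.gmtime(epoch))


def report(lines):
    """Full search result as a list of (host, human-readable latest_time)."""
    return [(host, ctime(ts))
            for host, ts in sorted(latest_by_host(lines).items())]


if __name__ == "__main__":
    for host, seen in report(SAMPLE_EVENTS):
        print(f"{host:<10} latest_time={seen}")
```

Running the block prints one row per host that still reports an affected xz-libs build (db01 drops out because 5.4.6 is not in the version set), which is the same result shape the Splunk search returns; feeding it your own exported events only requires matching the assumed field names.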