We'd like to create a dashboard for our vulnerability data. Our two main goals are:
1. Track the number of vulnerabilities over selected time (ex.: 30 days, 45 days, etc.)
2. Show the current "vulnerability state" of an asset or group of assets (the data of the last performed scan).
There are no surprises for the first part, but for the second one we can’t find a way to show the data of the last scan only. Our scans has a different frequency for different assets, so we can’t just select a time period equal to the scan frequency. We tried to use the value of the
last_discovered field and then use
max function in order to track the last scan like below:
| streamstats max(last_discovered) as last_scan | where last_discovered=last_scan
But it does not work because a scan can take a few seconds, so the
last_discovered field’s values are not the same.
Do you have any ideas how we can grab the date of the last scan only?
There are several options for how to do this, but all will require a bit more information on the source data.
Can you post an abbreviated version of a couple of events? (Really, we just need all the date fields, and a tiny bit of the "data" part so we can get a feel for it).
Hi @rich7177 ,
Here are two events with all date fields and some additionnal fields as well:
cve | CVE-2019-11111 cvss | 9.80 dest | my_dest_name first_discovered | 2020-01-14 16:33:19.121 host | my_host index | my_index ip | 126.96.36.199 most_recently_discovered | 2020-01-22 18:11:28.127 severity | critical signature | CVE-2019-11111: Remote Code Execution solution_summary | Apply the MMM source | xxx.log sourcetype | my_sourcetype timestamp | 2020-01-22 18:11:28.127 cve | CVE-2019-22222 cvss | 9.60 dest | my_dest_name first_discovered | 2020-01-22 18:11:28.126 host | my_host index | my_index ip | 188.8.131.52 most_recently_discovered | 2020-01-22 18:11:28.126 severity | critical signature | CVE-2019-22222: Access solution_summary | Apply the NNN source | xxx.log sourcetype | my_sourcetype timestamp | 2020-01-22 18:11:28.126
I thought about to round the value of the
most_recently_discoveredfield as a workaround:
| eval most_recently_discovered=strftime((floor(now()/600))*600,"%Y-%m-%d %H:%M:%S") | eval most_recently_discovered = strptime(most_recently_discovered, "%Y-%m-%d %H:%S")
Thanks for the help.
OK, so let's recount what we're trying to do.
Does the vulnerability scanner include an event for when a particular CVE had applied previously but no longer applies?
(If it does, we can use a simpler method probably, but I'm assuming not because I haven't seen one that does yet...)
In that case, we need to probably find the latest scan for any host, then only use that latest scan's information. Right?
Is there any field that is consistent across a single scan, but not the same as a previous scan? For instance, something like a scan id would work, or maybe a "scan start time?" This can be per host, or overall for that entire scan - as long as it separates subsequent scans of the same host in some way.
Here's what I'm thinking. What we'll have to do is find the latest scan for each host using a subsearch, and we'll feed that back into the main search to get the pile of results for each scan of the host.
If no such scanid or similar thing exists, this is still possible but just harder. How often do scans run? Daily? Weekly? If they are separated by long enough, maybe this isn't hard even without a scanid.
Anyway, information gathering phase is getting close to done. Soon maybe we can start on an actual search... 🙂
I think I have to provide you a bit more information.
There are actually two sourcetypes we have in logs:
asset. The first one lists all discovered vulnerabilities one by one on each device with vulnerability name, severity, category, etc. The second one provides an information about every scanned asset at the end of each scan with total number of discovered vulnerabilities, asset score, etc.
We’ve decided to use the second sourcetype to show the information for a group of assets because the filtering by
most_recently_discovered date could be implemented easily. One thing that reminds is to list all vulnerabilities for a selected asset (where we need a
vulnerabilitysourcetype). It means that we have no need to perform a subsearch to find a last scan date for each asset – we have only one asset selected for this part of the dashboard.
Unfortunately, we wasn’t be able to find a field with a constant value for a single scan such as scan_id or scan_start_time. That’s why we thought about to use the value of the
most_recently_discovered field which stays almost the same for an asset for each scan. Different vulnerabilities of the same scan could have a difference but really the small one, maybe few seconds (where the idea to use
floor command comes from). Our purple team does not have a “locked” scan schedule (scan could be launched out of schedule because of a particular vulnerability test, etc.), but different scans will surely have a difference of few hours at least.
Thanks for the help!