Knowledge Management

Is it possible to use a decision matrix in Splunk?

AlexeySh
Communicator

Hello,

We export data from our vulnerability management tool to Splunk, and we’d like to evaluate the initial severity score using some additional information, like:
- Asset criticality (critical or not)
- Existing exploits for the vulnerability (existing or not)
- Etc.

From my point of view, the best way to do it would be a decision matrix, something like this:

SEVERITY | CRITICAL_ASSET | KNOWN_EXPLOIT | NEW_SEVERITY
Critical | True           | True          | Critical
Critical | True           | False         | High
Critical | False          | False         | Medium
High     | True           | True          | High
Etc.

Of course we can use an eval command instead of a matrix, but I think it’s not the best way to do it, and also not the easiest one, especially if we add more conditions like exposure level, volume of stored data, etc.

I also thought about replacing the text values with numbers (critical=5, high=4, etc.) and simply deducting a point for every ‘False’, but it doesn’t look like a good idea either, because in some cases we prefer to maintain the same severity level even for ‘False’ values (for example, keep the same vulnerability level for exposed assets).

Do you have any idea how this decision matrix could be realized? Or maybe you have a better idea?

Thanks for the help.

Regards,
Alex.

0 Karma

diogofgm
SplunkTrust

You can accomplish that using lookups where you input SEVERITY, CRITICAL_ASSET and KNOWN_EXPLOIT and output NEW_SEVERITY. But you need to make sure that the SEVERITY, CRITICAL_ASSET and KNOWN_EXPLOIT fields exist in your data.

Splunk Enterprise Security actually uses something close to that for assigning urgency to notables:
http://docs.splunk.com/Documentation/ES/5.1.0/User/Howurgencyisassigned

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma

AlexeySh
Communicator

Hello @diogofgm,
Thanks for your answer.

Well, that is exactly what I’m asking myself: how could this be realized? I can create this lookup table, but how will it correlate with the events?

Let’s say, a vulnerability tool event has the following fields:

NAME
SEVERITY
KNOWN_EXPLOIT
CRITICAL_ASSET (added automatically via asset center)

Besides that, I have my lookup and… unfortunately I have no idea how I can make them communicate with each other.

Regards,
Alex.

0 Karma

diogofgm
SplunkTrust

Create the lookup just like you mapped it in your question and then follow the docs:
http://docs.splunk.com/Documentation/Splunk/7.1.2/Knowledge/Usefieldlookupstoaddinformationtoyoureve...
Particularly the section "Make the lookup automatic"
In your case, like I stated before, you'll have to define the 3 input fields and the 1 output field.

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma
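Concretely, here is what the lookup-based decision matrix from this thread looks like as Splunk configuration. This is an added example, not part of either poster's reply; the sourcetype name `vuln:scan`, the app path and the rows beyond the four in the question are assumptions/constructed for illustration.

```conf
# Lookup file: $SPLUNK_HOME/etc/apps/<app>/lookups/severity_matrix.csv
# One row per combination of the three input fields. The first four rows
# are the ones from the question; the remaining rows are constructed.
#
#   SEVERITY,CRITICAL_ASSET,KNOWN_EXPLOIT,NEW_SEVERITY
#   Critical,True,True,Critical
#   Critical,True,False,High
#   Critical,False,False,Medium
#   High,True,True,High
#   High,True,False,Medium
#   High,False,*,Medium
#
# The last row uses a wildcard in KNOWN_EXPLOIT: a non-critical asset keeps
# Medium whatever the exploit flag says, which is the "keep the same level"
# case raised in the question. Specific rows are listed before wildcard rows
# because, with max_matches = 1, the first matching row in file order wins.

# transforms.conf
[severity_matrix]
filename = severity_matrix.csv
# Events may carry "true"/"TRUE" while the CSV says "True"; without this the
# lookup silently matches nothing and NEW_SEVERITY is never set.
case_sensitive_match = false
# Only KNOWN_EXPLOIT may contain "*"; the other columns match exactly.
match_type = WILDCARD(KNOWN_EXPLOIT)
max_matches = 1

# props.conf: make the lookup automatic for the vulnerability sourcetype
# (vuln:scan is a placeholder for the real sourcetype name). All three
# input fields must already be extracted on the event for a match to occur.
[vuln:scan]
LOOKUP-severity_matrix = severity_matrix SEVERITY CRITICAL_ASSET KNOWN_EXPLOIT OUTPUTNEW NEW_SEVERITY

# Equivalent search-time use, with a fallback for combinations the matrix
# does not cover (otherwise NEW_SEVERITY is simply absent on those events):
#   sourcetype=vuln:scan
#   | lookup severity_matrix SEVERITY CRITICAL_ASSET KNOWN_EXPLOIT OUTPUTNEW NEW_SEVERITY
#   | eval NEW_SEVERITY=coalesce(NEW_SEVERITY, SEVERITY)
#   | stats count by SEVERITY NEW_SEVERITY
```

Running the last search and checking that every SEVERITY/NEW_SEVERITY pair is intended is a quick way to spot matrix rows that are missing or never matched.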