Splunk Search

Compliance % Calculation

mbasharat
Builder

Hi,

Scenario is:

I have an Organization A.
Organization A has 10 Hosts.
Vulnerability scan finds 50 unique vulnerabilities found across all 10 Hosts in Organization A.
Each host is affected by multiple vulnerabilities, so the total vulnerability count spread across all Hosts is, let's say, 500, since each host can be affected by more than one vulnerability, or vice versa, each vulnerability is affecting more than one host.

I want to calculate the Compliance% of Organization A.

Fully compliant Organization A is 100% compliant if no vulnerabilities are found and no affected hosts are found. Splunk will have data for a Host only if the vulnerability scan detects a vulnerability on this host. Otherwise, the Host's vulnerability data will not be in Splunk.

In my understanding, the only way to calculate that is IF the feed has a "Remediated" field for a Host with a specific Vulnerability marked as Remediated. The next vulnerability scan should drop this host since it has been Remediated. This way, if we have Hosts found, vulnerabilities found and vulnerabilities remediated, only then can we calculate Compliance%.

Am I missing something, or is my head just spinning? How do I calculate the Compliance% of Organization A?

koshyk
Super Champion

(a) It all depends on your "Organisation" view of Compliance. My company would say if 10 hosts are there and, say, 8 of them have vulnerabilities (even 1), the compliance% is 20%. So even if 1 vulnerability exists per host, that host will be considered vulnerable.

(b) But if you consider it more granularly (which is technically more accurate), let's say remediate all vulnerabilities in the company. Then the total vulnerabilities in your org becomes 500. So if you clean up 300 of them, then your remaining vulnerability% becomes 200/500 = 40%.

If you consider (a), then the calculation is easy, as you just need `... | stats count(vulnerability) by host`, and if it is null or zero, then that host is compliant.
If you consider (b), then something along the lines of `... | fillnull value="0" | stats count by vulnerability, host`, and if the vulnerability count is at least 1, then it is considered against compliance.

DavidHourani
Super Champion

Hi @mbasharat,

You got most of it right, just missing step 1 below:

Step 1: You will need the list of hosts that you will be scanning and that (in your example) represent the entire organization. This will be used to ensure that all your hosts responded and to have a fixed total for your hosts.
Step 2: Run the scan and consider that the initial list was fully clean, then from there just calculate how many infected hosts you got. In your case, whether the host has one, two or ten vulnerabilities, it will still count as 1/10 infected.
Step 3: After running multiple scans you can get the results and make a trend of which hosts are getting more and more infections and which hosts are getting better over time.

So yeah you're not missing anything except that initial list to work your compliance% on.

Cheers,
David
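
Putting koshyk's two definitions and David's host inventory together as SPL, as an added example that is not from either post: the first search computes the host-level compliance (a) against a fixed inventory, so hosts with no scan data in Splunk count as compliant rather than disappearing, and the second computes the remaining-vulnerability percentage (b). Assumed names: a lookup `org_a_hosts.csv` with a `host` column, an index `vuln` with fields `org`, `host` and `signature`, and a `status` field whose value `Remediated` marks fixed findings.

```spl
| inputlookup org_a_hosts.csv
| join type=left host
    [ search index=vuln org="A" earliest=-7d NOT status="Remediated"
      | stats dc(signature) AS vuln_count BY host ]
| fillnull value=0 vuln_count
| eval compliant=if(vuln_count=0, 1, 0)
| stats count AS total_hosts, sum(compliant) AS compliant_hosts, sum(vuln_count) AS open_findings
| eval host_compliance_pct=round(100 * compliant_hosts / total_hosts, 2)

index=vuln org="A" earliest=-7d
| stats count AS total_findings, count(eval(status="Remediated")) AS remediated_findings
| eval remaining_vuln_pct=round(100 * (total_findings - remediated_findings) / total_findings, 2)
| eval vuln_compliance_pct=100 - remaining_vuln_pct
```

`NOT status="Remediated"` rather than `status!="Remediated"` keeps events that have no `status` field at all, and the left join plus `fillnull` is what turns inventory hosts absent from the feed into zero-count, compliant rows (with the numbers in the thread, 8 of 10 hosts affected gives 20% and 300 of 500 findings remediated gives 40% remaining).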

mbasharat
Builder

This one up-voted as well!! THANKS 🙂
