Knowledge Management

Is it possible to use a decision matrix in Splunk?

AlexeySh
Communicator

Hello,

We export data from our vulnerability management tool to Splunk, and we'd like to evaluate the initial severity score using some additional information, like:
- Asset criticality (critical or not)
- Existing exploits for the vulnerability (existing or not)
- Etc.

From my point of view, the best way to do it would be a decision matrix, something like this:

SEVERITY | CRITICAL_ASSET | KNOWN_EXPLOIT | NEW_SEVERITY
Critical | True           | True          | Critical
Critical | True           | False         | High
Critical | False          | False         | Medium
High     | True           | True          | High
Etc.

Of course we can use an eval command instead of a matrix, but I think it's not the best way to do it, and also not the easiest one, especially if we add more conditions like exposure level, volume of stored data, etc.

I also thought about replacing the text values with numbers (critical=5, high=4, etc.) and simply deducting a point for every 'False', but that doesn't look like a good idea either, because in some cases we prefer to maintain the same severity level even for 'False' values (for example, keeping the same vulnerability level for exposed assets).

Do you have any idea how this decision matrix could be realized? Or maybe you have a better idea?

Thanks for the help.

Regards,
Alex.

0 Karma

diogofgm
SplunkTrust

You can accomplish that using lookups, where you input SEVERITY, CRITICAL_ASSET and KNOWN_EXPLOIT and output NEW_SEVERITY. But you need to make sure that SEVERITY, CRITICAL_ASSET and KNOWN_EXPLOIT exist in your data.

Splunk Enterprise Security actually uses something close to that for assigning urgency to notables:
http://docs.splunk.com/Documentation/ES/5.1.0/User/Howurgencyisassigned

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma

AlexeySh
Communicator

Hello @diogofgm,
Thanks for your answer.

Well, that's exactly what I'm asking myself: how could this be realized? I can create this lookup table, but how will it correlate with the events?

Let’s say, a vulnerability tool event has the following fields:

NAME
SEVERITY
KNOWN_EXPLOIT
CRITICAL_ASSET (added automatically via asset center)

Besides, I have my lookup and... unfortunately I have no idea how I can make them communicate with each other.

Regards,
Alex.

0 Karma

diogofgm
SplunkTrust

Create the lookup just as you mapped it in your question and then follow the docs:
http://docs.splunk.com/Documentation/Splunk/7.1.2/Knowledge/Usefieldlookupstoaddinformationtoyoureve...
Particularly the section "Make the lookup automatic".
In your case, as I stated before, you'll have to define the 3 input fields and the 1 output field.

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma
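Putting the two answers together, here is an added example (not code from the thread, from Splunk's docs, or from Enterprise Security) of the three pieces involved: the matrix as a CSV lookup file, an ad-hoc search that joins it to the vulnerability events, and the transforms.conf/props.conf stanzas that make the join automatic. The lookup name severity_matrix, the index vuln and the sourcetype vuln_scan are assumed, and every CSV row beyond the four shown in the question is an assumed completion of the policy, not something the thread states.

```text
# --- severity_matrix.csv (assumed name; upload it via Settings > Lookups > Lookup table files) ---
# One row per combination of the three input fields. Rows beyond the four in the
# question are an assumed completion of the policy. The lookup returns an EMPTY
# NEW_SEVERITY for any combination that has no row, so every
# SEVERITY x CRITICAL_ASSET x KNOWN_EXPLOIT combination needs one, including the
# combinations where the severity is deliberately kept unchanged.
SEVERITY,CRITICAL_ASSET,KNOWN_EXPLOIT,NEW_SEVERITY
Critical,True,True,Critical
Critical,True,False,High
Critical,False,True,High
Critical,False,False,Medium
High,True,True,High
High,True,False,Medium
High,False,True,Medium
High,False,False,Low
Medium,True,True,Medium
Medium,True,False,Low
Medium,False,True,Low
Medium,False,False,Low
Low,True,True,Low
Low,True,False,Low
Low,False,True,Low
Low,False,False,Low

# --- transforms.conf: the lookup definition ---
[severity_matrix]
filename = severity_matrix.csv
# "true" / "TRUE" in the events must still match "True" in the CSV
case_sensitive_match = false

# --- Ad-hoc check from the search bar (index and sourcetype are assumed) ---
# Run this before making the lookup automatic. Any row whose NEW_SEVERITY
# comes back as UNMATCHED is either a combination missing from the CSV or a
# value spelled differently in the events (e.g. "1"/"0" or "yes"/"no" instead
# of True/False); add those spellings as rows or normalise them at index time.
index=vuln sourcetype=vuln_scan
| lookup severity_matrix SEVERITY CRITICAL_ASSET KNOWN_EXPLOIT OUTPUT NEW_SEVERITY
| fillnull value="UNMATCHED" NEW_SEVERITY
| stats count by SEVERITY CRITICAL_ASSET KNOWN_EXPLOIT NEW_SEVERITY

# --- props.conf: make the lookup automatic for the sourcetype ---
[vuln_scan]
LOOKUP-severity_matrix = severity_matrix SEVERITY CRITICAL_ASSET KNOWN_EXPLOIT OUTPUT NEW_SEVERITY
```

If the event fields are named differently from the CSV columns, map them with AS on both the search-bar and the props.conf form (for example `KNOWN_EXPLOIT AS exploit_available`). Both forms need CRITICAL_ASSET to already be present on the event at the time the lookup runs; since that field is itself added by the asset lookup, the ad-hoc search is the place to confirm it arrives with the values the CSV expects before wiring up props.conf.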