Skip to main content
Security Performance Management
Continuous Monitoring
Vendor Risk Management
Trust Management Hub
Cyber Insurance
National Cybersecurity

View Prebuilt Alerts in Splunk

Ingrid

To view prebuilt alerts in Splunk, go to SettingsSearches, Reports, and Alerts.

The pre-built alerts are:

  • Bad Open Ports discovered
  • Compromised System
  • Patching Cadence
  • Vulnerabilities & Infections

Example

Get all BAD Open Ports observed in the last 4 days (e.g, replace the number 4 with 10 to see results for the last 10 days). From here, you can correlate this to any other logs indexed in your Splunk instance.

SPL query:
index="Your_Index" sourcetype="bitsight" | head 1 | spath "findings{}" output=Results
|stats count by Results
|eval _raw=Results
|spath "id" output=id | spath "results{}" output=res
|stats count by id res | where id="open_ports" 
|eval _raw=res | spath "risk_category" output="Risk_Category" | spath "risk_vector_label" output="Risk_Vector" | spath details{}.grade output="Grade"| where Grade= "BAD" | spath details{}.diligence_annotations.message output="Message" |spath "evidence_key" output="Evidence Key" | spath "first_seen" output="First_Seen" | sort -"First Seen" | spath "severity" output="Severity"
|eval epochdate=strptime(First_Seen, "%Y-%m-%d") |eval now=now() 
|eval deltaDays = (now - epochdate)/86400 | where deltaDays < 4 
|table "Risk_Category", "Risk_Vector", "Grade","Severity", "Evidence Key", "First_Seen", "Message"
Publication Date – July 10, 2020

Related articles

Feedback

0 comments

Please sign in to leave a comment.