Publication Date – July 10, 2020
To view prebuilt alerts in Splunk, go to Settings ➔ Searches, Reports, and Alerts.
The pre-built alerts are:
- Bad Open Ports discovered
- Compromised System
- Patching Cadence
- Vulnerabilities & Infections
Example:
This will query all BAD Open Ports observed in the last 4 days (e.g, replace the number 4 with 10 to see results for the last 10 days). From here, you can correlate this to any other logs indexed in your Splunk instance.
SPL query:
index="Your_Index" sourcetype="bitsight" | head 1 | spath "findings{}" output=Results
|stats count by Results
|eval _raw=Results
|spath "id" output=id | spath "results{}" output=res
|stats count by id res | where id="open_ports"
|eval _raw=res | spath "risk_category" output="Risk_Category" | spath "risk_vector_label" output="Risk_Vector" | spath details{}.grade output="Grade"| where Grade= "BAD" | spath details{}.diligence_annotations.message output="Message" |spath "evidence_key" output="Evidence Key" | spath "first_seen" output="First_Seen" | sort -"First Seen" | spath "severity" output="Severity"
|eval epochdate=strptime(First_Seen, "%Y-%m-%d") |eval now=now()
|eval deltaDays = (now - epochdate)/86400 | where deltaDays < 4
|table "Risk_Category", "Risk_Vector", "Grade","Severity", "Evidence Key", "First_Seen", "Message"