To view prebuilt alerts in Splunk, go to Settings ➔ Searches, Reports, and Alerts.
The pre-built alerts are:
- Bad Open Ports discovered
- Compromised System
- Patching Cadence
- Vulnerabilities & Infections
Example
Get all BAD Open Ports observed in the last 4 days (e.g., replace the number 4 with 10 to see results for the last 10 days). From here, you can correlate these findings with any other logs indexed in your Splunk instance.
SPL query: index="Your_Index" sourcetype="bitsight" | head 1 | spath "findings{}" output=Results | stats count by Results | eval _raw=Results | spath "id" output=id | spath "results{}" output=res | stats count by id res | where id="open_ports" | eval _raw=res | spath "risk_category" output="Risk_Category" | spath "risk_vector_label" output="Risk_Vector" | spath details{}.grade output="Grade" | where Grade="BAD" | spath details{}.diligence_annotations.message output="Message" | spath "evidence_key" output="Evidence Key" | spath "first_seen" output="First_Seen" | spath "severity" output="Severity" | eval epochdate=strptime(First_Seen, "%Y-%m-%d") | eval now=now() | eval deltaDays=(now - epochdate)/86400 | where deltaDays < 4 | sort -First_Seen | table "Risk_Category", "Risk_Vector", "Grade", "Severity", "Evidence Key", "First_Seen", "Message"
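To make clear which JSON shape the spath calls above assume, here is an added Python example (not part of the Bitsight app or this page) that applies the same filter to a constructed sample event: only the open_ports finding, only results graded BAD, only those first seen less than N days ago, newest first. The event layout and all values are assumptions modelled on the field names in the query.

```python
import json
from datetime import datetime

# Constructed sample event in the shape the SPL query walks with spath:
# findings[] -> {id, results[] -> {risk_category, risk_vector_label,
# details[] -> {grade, diligence_annotations.message}, evidence_key,
# first_seen, severity}}. Values are made up for illustration only.
SAMPLE_EVENT = json.dumps({"findings": [
    {"id": "open_ports", "results": [
        {"risk_category": "Diligence", "risk_vector_label": "Open Ports",
         "details": [{"grade": "BAD", "diligence_annotations": {"message": "Telnet exposed"}}],
         "evidence_key": "192.0.2.10:23", "first_seen": "2020-07-08", "severity": 8.0},
        {"risk_category": "Diligence", "risk_vector_label": "Open Ports",
         "details": [{"grade": "GOOD", "diligence_annotations": {"message": "HTTPS only"}}],
         "evidence_key": "192.0.2.11:443", "first_seen": "2020-07-09", "severity": 1.0},
        {"risk_category": "Diligence", "risk_vector_label": "Open Ports",
         "details": [{"grade": "BAD", "diligence_annotations": {"message": "SMB exposed"}}],
         "evidence_key": "192.0.2.12:445", "first_seen": "2020-06-01", "severity": 9.0}]},
    {"id": "patching_cadence", "results": []}]})

def bad_open_ports(raw_event, max_age_days, as_of=None):
    """Mirror the SPL pipeline: open_ports results graded BAD whose first_seen
    is less than max_age_days old, newest first. as_of is a YYYY-MM-DD string
    standing in for now() (defaults to the current local date and time)."""
    now = datetime.strptime(as_of, "%Y-%m-%d") if as_of else datetime.now()
    rows = []
    for finding in json.loads(raw_event).get("findings", []):
        if finding.get("id") != "open_ports":          # where id="open_ports"
            continue
        for r in finding.get("results", []):
            for d in r.get("details", []):             # spath details{}.grade
                if d.get("grade") != "BAD":            # where Grade="BAD"
                    continue
                first_seen = datetime.strptime(r["first_seen"], "%Y-%m-%d")
                delta_days = (now - first_seen).total_seconds() / 86400
                if delta_days >= max_age_days:         # where deltaDays < N
                    continue
                rows.append({"Risk_Category": r.get("risk_category"),
                             "Risk_Vector": r.get("risk_vector_label"),
                             "Grade": d["grade"], "Severity": r.get("severity"),
                             "Evidence Key": r.get("evidence_key"),
                             "First_Seen": r["first_seen"],
                             "Message": d.get("diligence_annotations", {}).get("message")})
    rows.sort(key=lambda row: row["First_Seen"], reverse=True)  # sort -First_Seen
    return rows

if __name__ == "__main__":
    for row in bad_open_ports(SAMPLE_EVENT, 4, as_of="2020-07-10"):
        print(row)
```

Note that the SPL query starts with `head 1`, so it only inspects the most recent Bitsight event; this function likewise processes a single event.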
Publication Date – July 10, 2020