Splunk Enterprise Security

datamodel - dedup count

siddh01r
New Member

This is in regards to the vulnerability center from Qualys.

Issue - the datamodel gets updated every 24hrs (this can't change) and when we click in the vulnerability centre we get incorrect numbers. It seems like it's counting the same vulnerability for the host multiple times, which increases the number in the dashboard. I can search the index and get the correct result, but the engineer wants to use the defined dashboard in ES.

Goal - to somehow dedup the count in that datamodel and get the correct answer using the datamodel.

Datamodel query that gives incorrect info -
| tstats summariesonly=true count from datamodel=Vulnerabilities.Vulnerabilities where earliest=-30d@d latest=+0s `cim_filter_vuln_severity("Vulnerabilities")` by Vulnerabilities.signature,Vulnerabilities.dest

e.g. answer: count should be 1 instead of 8
Vulnerabilities.signature Vulnerabilities.dest count
'nlockmgr' Allows Proxying of NFS Requests 172.20.204.14 8

Searching the index that gives the correct answer -
eventtype="qualys_vm_detection_event" (STATUS="NEW" OR STATUS="ACTIVE") earliest=-30d@d latest=+0s | dedup QID dest_ip | stats count by dest_ip signature

e.g. correct answer
dest_ip signature count
172.20.204.18 'nlockmgr' Allows Proxying of NFS Requests 1

0 Karma

nickhills
Ultra Champion

meh.. I kinda disagree.
Enterprise Security is tracking your security posture across time. If you do a weekly scan and you fixed a load of vulns last week, you want to see that number decrease; likewise, if you find a load more issues this week, ES wants to know that too.

I know this sounds a bit counterintuitive, but ES is tracking total vulns 'DETECTED', not unique vulns that exist. It's a subtlety which is related to how often you scan your hosts, but deduping this is not what ES or the correlation searches or notable events expect.

If you want to see total unique vulns per host (which is what you appear to be distilling this to) then you should create your own report/dashboard.

If my comment helps, please give it a thumbs up!
0 Karma
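One way to build the separate report the answer above recommends, as an added example (not code from either poster): it reads the same Vulnerabilities data model as the ES dashboard, keeps the total detection count that ES trends over time, and adds a per-host distinct count of signatures so the two numbers sit side by side. It assumes the CIM Vulnerabilities data model fields used in the question (Vulnerabilities.dest, Vulnerabilities.signature) and the ES severity-filter macro from the original tstats query.

```spl
| tstats summariesonly=true count AS detections
    from datamodel=Vulnerabilities.Vulnerabilities
    where earliest=-30d@d latest=+0s `cim_filter_vuln_severity("Vulnerabilities")`
    by Vulnerabilities.dest Vulnerabilities.signature
| rename Vulnerabilities.dest AS dest Vulnerabilities.signature AS signature
| stats dc(signature) AS unique_vulns sum(detections) AS total_detections by dest
| eval detections_per_vuln = round(total_detections / unique_vulns, 1)
| sort - unique_vulns
```

For the host in the question, unique_vulns counts the 'nlockmgr' signature once while total_detections still reflects every scan in the 30-day window, and detections_per_vuln shows roughly how many scans each finding survived, which is what the ES number is measuring.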