This app provides Splunk dashboards, forms, and reports which can be used to explore your vulnerability events, and make sense of what can often be a large volume of data.
To do this, the app relies on the Splunk Common Information Model (CIM) for vulnerability events. This means that the app can report on any vulnerability data, as long as it has been on-boarded properly and is available through the Vulnerabilities data model.
This app requires data model acceleration, which will use additional disk space. If you are using the Splunk App for Enterprise Security, this is already enabled, and should have been factored into your retention policies. If not, you should review the documentation on data model acceleration, how it uses disk space, and how to plan for it. This documentation can be found here: http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Acceleratedatamodels#Data_model_summary_size_on_disk
As mentioned above, the app uses the CIM for vulnerability events. The CIM allows you to take events from a number of sources or products and report on them in one cohesive manner, using a common set of names for fields and event types.
These are the dashboards and forms currently present in the app:
* This dashboard serves as a jumping-off point for exploring your vulnerability data. It includes panels for vulnerabilities over time, severities, destinations, and signatures. Clicking on panels in this dashboard will drill down to the appropriate profile page for further exploration.
* Form with reports and visualizations built around a set of severities (Critical, High, Medium, Low, Informational, Unknown, or all).
* Form with reports and visualizations built around a destination (host or IP address, depending on how your CIM information for your vulnerability management events is mapped).
* Form with reports and visualizations built around a signature, such as "Terminal Services Encryption Level is Medium or Low" or "Buffer overrun in NT kernel message handling". Note that this is different from a CVE number; this is the text description of the vulnerability.
* Form with many input variables. This is a flexible form designed to help generate a knockout list for fixing a set, or a particular type, of vulnerability.
* Form for searching based on an identifier for a vulnerability, such as CVE, Cert, MSFT, or other reference number.
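The severity, destination, signature and identifier forms above all read from the accelerated Vulnerabilities data model. The search below is an added example (it is not one of the app's own dashboard searches) of the kind of `tstats` query that builds a knockout list of critical and high findings per host; it assumes the standard CIM field names (`Vulnerabilities.dest`, `Vulnerabilities.signature`, `Vulnerabilities.severity`, `Vulnerabilities.cve`) and that acceleration is enabled on the data model.

```spl
| tstats summariesonly=true count, min(_time) AS first_seen, max(_time) AS last_seen,
    values(Vulnerabilities.cve) AS cve
    from datamodel=Vulnerabilities
    where (Vulnerabilities.severity="critical" OR Vulnerabilities.severity="high")
    by Vulnerabilities.dest, Vulnerabilities.signature, Vulnerabilities.severity
| rename Vulnerabilities.* AS *
| eval first_seen=strftime(first_seen, "%Y-%m-%d"), last_seen=strftime(last_seen, "%Y-%m-%d")
| sort -count
| table dest signature severity cve count first_seen last_seen
```

`summariesonly=true` keeps the search on the accelerated summaries, which is what makes it fast, but it also means events that have not yet been summarized are left out; set it to `false` to let `tstats` fall back to raw events for the un-summarized range. `cve` is collected with `values()` rather than put in the `by` clause, so signatures that carry no CVE reference still appear in the list.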
This app has been tested with Splunk versions 6.4.x. This app should be installed on the same search head on which the vulnerability data model has been accelerated.
This app depends on data models included in the Splunk Common Information Model Add-on, specifically the Vulnerabilities data model. Information on installing and using the Splunk Common Information Model Add-on can be found here: http://docs.splunk.com/Documentation/CIM/latest/User/Install. Information on configuring acceleration on the data model can be found here: http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Acceleratedatamodels#Enable_persistent_acceleration_for_a_data_model.
The Splunk Common Information Model Add-on can be downloaded from here: https://apps.splunk.com/app/1621/
This app has been tested with versions 4.x of the CIM add-on.
In order to make the app respond and load quickly, accelerated data models are used to provide summary data. For this data to be available, the Vulnerabilities data model must be accelerated. Information on how to enable acceleration for the Vulnerabilities data model can be found here: http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Managedatamodels#Enable_data_model_acceleration
This app should be installed on a search head where the Vulnerabilities data model has been accelerated. More information on installing or upgrading Splunk apps can be found here: http://docs.splunk.com/Documentation/Splunk/latest/Admin/Wheretogetmoreapps
Note: This app will require a restart of Splunk.
Vulnerabilities data model (skip if you are installing on an ES search head).
This app uses the following macros which can be used for customization:
This macro can be used to make the app take a less strict approach to the CIM. The CIM defines the valid values for severity. If your data does not follow this, you can use this macro to add other definitions.
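As an added example of what a less strict severity mapping can look like, the following search folds vendor-specific severity labels into the six CIM values before counting. It is not the app's macro (the macro's name is not given above, so the search is written out in full rather than invoked through a macro), and the regular expressions are assumptions about what a scanner might emit; adjust them to your own data.

```spl
| tstats summariesonly=true count
    from datamodel=Vulnerabilities
    by Vulnerabilities.severity
| rename Vulnerabilities.severity AS severity_raw
| eval severity=case(
        match(severity_raw, "(?i)^(crit|critical|5)$"), "critical",
        match(severity_raw, "(?i)^(high|4)$"), "high",
        match(severity_raw, "(?i)^(med|medium|moderate|3)$"), "medium",
        match(severity_raw, "(?i)^(low|2)$"), "low",
        match(severity_raw, "(?i)^(info|informational|1|0)$"), "informational",
        true(), "unknown")
| stats sum(count) AS count by severity
| sort -count
```

Because this normalizes after `tstats`, the accelerated summaries still hold the raw vendor values, and every form that filters on `Vulnerabilities.severity` at the `tstats` stage needs the same widened match. The more durable fix is to normalize severity in the add-on's field extractions (an `EVAL` in `props.conf`) so that the data model accelerates the CIM value in the first place, and the strict app behaviour then works unchanged.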
Support for this app is provided on a best-effort basis. We have released this app for free, and want to help solve issues, and add features, but we also have day-jobs.
Need help? Use the Splunk community resources! I can be found on many of them:
The git repo for this app is located here.
This app was created by David Shpritz of Aplura, LLC. http://www.aplura.com/consulting.html
Thanks to other members of the Splunk Professional Services team, as well as members of the #splunk IRC channel on EFnet: http://wiki.splunk.com/Community:IRC
Icon made by Freepik from http://www.flaticon.com is licensed under CC BY 3.0.
* Removed local.meta
* Removed linkView tag from SimpleXML files