|| VulnDB Splunk Add-on ||
The VulnDB Splunk Add-on is designed to communicate with the VulnDB database
of vulnerability information, accessible via REST API. This application
requires an active subscription to the VulnDB REST API.
Prior to installation, be sure to have the TA-vuln-db.tgz or TA-vuln-db.spl
file on your local machine (Web Interface installation) or on the target Splunk
server(s) (Shell installation), where it is readily available for the
Log into Splunk with an administrator account.
Click on the gear icon for Application Management.
Click on the "Install app from file" button.
Click the "Choose File" button and browse to the location on your local machine
where the TA-vuln-db.tgz or TA-vuln-db.spl file is located and select it.
Check the "Upgrade App" checkbox to overwrite any previous versions of this app.
Click the "Upload" button.
Log into the shell for your Splunk server
Change to the Splunk application folder:
Extract the application from the archive file:
tar xzf <archive location>
Verify that the app has the proper permissions for the OS:
chown -R splunk:splunk $SPLUNK_HOME/etc/apps/TA-vuln-db
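A pre-extraction check for the shell installation above, as an added example that is not part of the add-on or its documentation: it lists the archive, refuses member names outside TA-vuln-db/ and any link members, then extracts and applies the chown step. The function names and the optional apps-directory argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: vet TA-vuln-db.tgz / .spl before extracting it.
# Function names and the optional apps-dir argument are assumptions.

# entry_allowed NAME: accept only member names inside the TA-vuln-db folder.
entry_allowed() {
    case $1 in
        /*|..|../*|*/../*|*/..) return 1 ;;   # absolute path or ".." component
        TA-vuln-db|TA-vuln-db/*) return 0 ;;  # the app's own folder
        *) return 1 ;;                        # any other top-level name
    esac
}

# check_app_archive ARCHIVE: 0 = safe to extract, 1 = rejected, 2 = unreadable.
check_app_archive() {
    archive=$1
    entries=$(tar tzf "$archive" 2>/dev/null) || return 2
    [ -n "$entries" ] || return 2
    # Link members can redirect later writes outside the app folder.
    if tar tvzf "$archive" 2>/dev/null | grep -q '^[lh]'; then return 1; fi
    printf '%s\n' "$entries" | (
        while IFS= read -r entry; do
            entry_allowed "$entry" || exit 1
        done
    )
}

# install_app ARCHIVE [APPS_DIR]: check, extract, then apply the README's chown.
install_app() {
    archive=$1
    apps_dir=${2:-${SPLUNK_HOME:?SPLUNK_HOME is not set}/etc/apps}
    check_app_archive "$archive" || {
        echo "refusing to extract $archive" >&2
        return 1
    }
    tar xzf "$archive" -C "$apps_dir" || return 1
    # chown needs root and an existing splunk account; skipped otherwise.
    if [ "$(id -u)" -eq 0 ] && id splunk >/dev/null 2>&1; then
        chown -R splunk:splunk "$apps_dir/TA-vuln-db"
    fi
}
```

Source the file and call install_app with the archive path; with no second argument it extracts into $SPLUNK_HOME/etc/apps.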
The VulnDB application has a straightforward configuration interface.
Before starting configuration of the application, you must have your Vuln DB
consumer API key and consumer API secret in order to successfully add an
input to Splunk for VulnDB vulnerability information.
Before adding an input for Vuln DB, please review the "Configuration" menu
option to make sure you put in your proxy server settings (if necessary) and
your logging level.
Once the app is installed, you can navigate to it by clicking on the Vuln DB app
on the left side of the Splunk web interface.
The first page that will appear is the Inputs page.
Click on the "Create New Input" button on the upper right of the Inputs page.
Fill in the information as requested on the Add vulndb input window:
Name - The name of the input you wish to create, e.g. vulndb_input
Interval - The time interval in seconds between API requests to load data into
Splunk (3600 = Every hour, 86400 = Once per day)
Index - The Splunk index that you want to ingest the vulnerability events into
API URL - The URL to access the VulnDB API (the default should work, but
this might change at some point)
API Key - The VulnDB consumer key assigned from Vuln DB. You can get this
from your Vuln DB account:
API Secret - The VulnDB consumer secret assigned from Vuln DB. You can get
this from your account as well (see link above)
Start date - The starting date that you want to use to gather vulnerability
information from. The API will return results that have
vulnerabilities that were modified on or after this date.
Page size - The number of VulnDB results that the API should return in a
single request. The maximum is 300. This means if there are
800 new vulnerabilities updated since the last run, and your
page size is set to 300, the app will make 3 total API requests to
the VulnDB API. If you are enabling the Affected Package Information,
CVSS v3 Metrics options or VulnDB Changelog Details then we
recommend providing 100 as page size.
Reset Input - If for some reason you need to re-ingest vulnerability information
from the start date, you will have to check this box in order
to do so. The app remembers the most recent date stamp, and by
default will ignore the start date after the first run.
There are additional options available, which are documented in the VulnDB
API reference manuals.
When you are finished selecting all of your desired options, you can click on
the "Add" button to add the input. The input will start to contact the Vuln
DB API immediately. The first time the input runs, it may take a long period
of time to see results in Splunk. Depending upon your start date, the input
will be trying to retrieve 1000s or more vulnerability details. Please
be patient, as the process takes time. You can view activity in Splunk using
This will search the Vuln DB application log file for events. Depending upon
the logging level selected, you will see various details about the input
|| END ||
Removed unnecessary logs
Added feature to filter data using CVSSv2 score
Added proxy support
Resolved truncation issue for long events
Improved data collection logic
Added validation for Splunk's generic UI outside of the app.
Fixed Splunk Appcert issues, separated main app and add-on.
Minor bug fixes