Can I perform a correlation search on two macros?

Hello everyone, I am trying to perform a correlated search using 2 macros. The idea is to create these macros that will search for a specific piece of data between 2 different source types. The overall goal is to display this data on a table to be used as a report or alert every time there is a match between the sourcetypes. Source 1 is a csv file that has application names and their version numbers. Source 2 is an RSS feed from NIST that brings in vulnerabilities from the National Vulnerability Database. Currently I cannot match between the 2 sourcetypes on a dynamic basis because the functionality does not exist in Splunk. I want to break up Source 1 into two macros that will be output to a csv, then reindex 1 of the output csv files and then match based on the title section of the csv and display a table with the fields title, summary, app, version.

source 1 example:

    appname             version
    Windows             7
    Windows             2012 R2
    Internet Explorer   11
    Chrome              N/A
    Visual Studio       2015

Source 2 sample data:

url: https://nvd.nist.gov/download/nvd-rss-analyzed.xml

    11/14/2017 19:24:20 UTC, _time="1510705460.0", id="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5067", link="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5067", links.0.href="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5067", links.0.rel="alternate", links.0.type="text/html", summary="An insufficient watchdog timer in navigation in Google Chrome prior to 58.0.3029.81 for Linux, Windows, and Mac allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.", summary_detail.base="https://nvd.nist.gov/download/nvd-rss-analyzed.xml", summary_detail.language="None", summary_detail.type="text/html", summary_detail.value="An insufficient watchdog timer in navigation in Google Chrome prior to 58.0.3029.81 for Linux, Windows, and Mac allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.", title="CVE-2017-5067 (chrome)", title_detail.base="https://nvd.nist.gov/download/nvd-rss-analyzed.xml", title_detail.language="None", title_detail.type="text/plain", title_detail.value="CVE-2017-5067 (chrome)", updated="2017-10-27T05:29:00Z", updated_parsed="2017-10-27T05:29:00Z"

    11/14/2017 19:24:20 UTC, _time="1510705460.0", id="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5055", link="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5055", links.0.href="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5055", links.0.rel="alternate", links.0.type="text/html", summary="A use after free in printing in Google Chrome prior to 57.0.2987.133 for Linux and Windows allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page.", summary_detail.base="https://nvd.nist.gov/download/nvd-rss-analyzed.xml", summary_detail.language="None", summary_detail.type="text/html", summary_detail.value="A use after free in printing in Google Chrome prior to 57.0.2987.133 for Linux and Windows allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page.", title="CVE-2017-5055 (chrome)", title_detail.base="https://nvd.nist.gov/download/nvd-rss-analyzed.xml", title_detail.language="None", title_detail.type="text/plain", title_detail.value="CVE-2017-5055 (chrome)", updated="2017-10-27T05:29:00Z", updated_parsed="2017-10-27T05:29:00Z"

    10/25/2017 12:38:38 UTC, _time="1508953118.0", id="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4334", link="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4334", links.0.href="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4334", links.0.rel="alternate", links.0.type="text/html", summary="edit.php in LabWiki 1.1 and earlier does not properly verify uploaded user files, which allows remote authenticated users to upload arbitrary PHP files via a PHP file with a .gif extension in the userfile parameter.", summary_detail.base="https://nvd.nist.gov/download/nvd-rss-analyzed.xml", summary_detail.language="None", summary_detail.type="text/html", summary_detail.value="edit.php in LabWiki 1.1 and earlier does not properly verify uploaded user files, which allows remote authenticated users to upload arbitrary PHP files via a PHP file with a .gif extension in the userfile parameter.", title="CVE-2011-4334 (labwiki)", title_detail.base="https://nvd.nist.gov/download/nvd-rss-analyzed.xml", title_detail.language="None", title_detail.type="text/plain", title_detail.value="CVE-2011-4334 (labwiki)", updated="2017-10-23T18:29:00Z", updated_parsed="2017-10-23T18:29:00Z"

macro1(1):

    index=vulnerability sourcetype=source2 $app$ | table summary

macro2(2):

    index=vulnerability sourcetype=source2 $ver$ | table summary

Search being used to test the macro:

Macro1:

    index=vulnerability sourcetype=source1 | table appname | map maxsearches=100 search="search `macro1(\"$appname$\")`"

Macro2:

    index=vulnerability sourcetype=source1 | table version | map maxsearches=100 search="search `macro2(\"$version$\")`"

The macro test is where I am running into trouble. It is returning no results, but in the job status it is failing on the first application. Has anyone ever done something similar to this or like this? Any help or advice would be awesome. Thank you guys for your support.
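As an added example (not the poster's search), the same correlation can be expressed as a single search that joins the two sourcetypes on a normalised product name instead of running a macro per application through `map`. It assumes the field names shown in the post (`appname`, `version`, `title`, `summary`) and that the NVD title always carries the product in parentheses after the CVE id, as in `CVE-2017-5067 (chrome)`; the `product` and `cve` fields are names chosen here.

```spl
index=vulnerability sourcetype=source2
| rex field=title "^(?<cve>CVE-\d{4}-\d+)\s+\((?<product>[^)]+)\)"
| eval product=lower(product)
| join type=inner product
    [ search index=vulnerability sourcetype=source1
      | eval product=replace(lower(appname), " ", "_")
      | table product appname version ]
| table cve title summary appname version
```

The inner join keeps only NVD events whose parenthesised product matches an entry from the csv sourcetype, so the result is exactly the "match between the sourcetypes" rows wanted for the report or alert; because the csv side is the subsearch, it stays well below the join subsearch result limits. The match is only as good as the naming convention in the feed, so an application whose NVD product token differs from the csv spelling (for example a multi-word name) will need the `eval` on `product` adjusted accordingly.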
