CVE Lookup – Splunk App

I’m passionate about Security, Splunk and Python. I mixed all 3 and it led to my first Splunk App which is now live in Splunkbase.

Description
It is a Splunk App that pulls down CVE information from the National Vulnerability Database (NVD) using its new JSON 1.0 feed. The app extracts each CVE's details, its impact, the affected products and vendors, and the associated advisories and references. It can enrich the data your security team already reviews and support more informative correlation searches.

Indexes and Sourcetypes
index=cve with a default retention of 3 days.
Sourcetypes are cveinfo, cvereferences and cveproducts.

Data feed
Data is pulled through a modular input (cve://<name>) where you specify the cron schedule or polling interval and the archive format to download (gz or zip).
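To make the Description and Data feed sections concrete, here is an added example (not the app's own code) that does what such an input has to do after the download: unpack the gz or zip archive, check the uncompressed JSON against the sha256 published in the NVD .meta file next to each feed, and split the JSON 1.0 CVE_Items into the three event streams matching the cveinfo, cvereferences and cveproducts sourcetypes. The sample feed, CVE ID, vendor, URLs and event field names are constructed for illustration and are not the app's schema.

```python
"""Unpack, verify and split an NVD JSON 1.0 feed into Splunk-style events.

Added example, not code from the CVE Lookup app. Event field names are
illustrative assumptions; the nesting of the feed follows the public NVD
JSON 1.0 schema (cve / affects / references / impact).
"""
import gzip
import hashlib
import io
import json
import zipfile

# Constructed sample in NVD JSON 1.0 layout. The CVE ID, vendor, product,
# URL and description values are made up for this example.
SAMPLE_FEED = {
    "CVE_data_type": "CVE", "CVE_data_format": "MITRE", "CVE_data_version": "4.0",
    "CVE_Items": [{
        "cve": {
            "CVE_data_meta": {"ID": "CVE-2019-00001", "ASSIGNER": "cve@example.invalid"},
            "affects": {"vendor": {"vendor_data": [{
                "vendor_name": "examplevendor",
                "product": {"product_data": [{
                    "product_name": "exampleproduct",
                    "version": {"version_data": [
                        {"version_value": "1.0", "version_affected": "="},
                        {"version_value": "1.1", "version_affected": "="}]}}]}}]}},
            "problemtype": {"problemtype_data": [
                {"description": [{"lang": "en", "value": "CWE-79"}]}]},
            "references": {"reference_data": [{
                "url": "https://advisory.example.invalid/1", "name": "EXAMPLE-1",
                "refsource": "CONFIRM", "tags": ["Vendor Advisory"]}]},
            "description": {"description_data": [
                {"lang": "en", "value": "Constructed cross-site scripting description."}]},
        },
        "impact": {"baseMetricV3": {"cvssV3": {"baseScore": 6.1, "baseSeverity": "MEDIUM"}},
                   "baseMetricV2": {"cvssV2": {"baseScore": 4.3}, "severity": "MEDIUM"}},
        "publishedDate": "2019-01-02T15:29Z", "lastModifiedDate": "2019-01-05T10:00Z",
    }],
}


def decode_feed(raw, fmt):
    """Unpack a downloaded archive (the input lets you pick gz or zip)."""
    if fmt == "gz":
        return gzip.decompress(raw)
    if fmt == "zip":
        with zipfile.ZipFile(io.BytesIO(raw)) as zf:
            names = zf.namelist()
            if len(names) != 1:  # an NVD feed zip carries exactly one JSON member
                raise ValueError("expected exactly one member in feed zip")
            return zf.read(names[0])
    raise ValueError("format must be 'gz' or 'zip'")


def verify_feed_sha256(json_bytes, meta_text):
    """Compare the uncompressed JSON with the sha256 line of the NVD .meta file."""
    for line in meta_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "sha256":
            return hashlib.sha256(json_bytes).hexdigest() == value.strip().lower()
    raise ValueError("no sha256 line in .meta file")


def split_feed(feed):
    """Turn CVE_Items into event lists keyed by the three sourcetypes."""
    events = {"cveinfo": [], "cvereferences": [], "cveproducts": []}
    for item in feed.get("CVE_Items", []):
        cve, cve_id = item["cve"], item["cve"]["CVE_data_meta"]["ID"]
        v3 = item.get("impact", {}).get("baseMetricV3", {}).get("cvssV3", {})
        v2 = item.get("impact", {}).get("baseMetricV2", {})
        descs = cve.get("description", {}).get("description_data", [])
        events["cveinfo"].append({
            "cve_id": cve_id, "published": item.get("publishedDate"),
            "last_modified": item.get("lastModifiedDate"),
            "description": next((d["value"] for d in descs if d.get("lang") == "en"), ""),
            "cwe": [d["value"] for pt in cve.get("problemtype", {}).get("problemtype_data", [])
                    for d in pt.get("description", [])],
            "cvss3_score": v3.get("baseScore"), "cvss3_severity": v3.get("baseSeverity"),
            "cvss2_score": v2.get("cvssV2", {}).get("baseScore"), "cvss2_severity": v2.get("severity"),
        })
        for ref in cve.get("references", {}).get("reference_data", []):
            events["cvereferences"].append({"cve_id": cve_id, "url": ref.get("url"),
                                            "refsource": ref.get("refsource"), "tags": ref.get("tags", [])})
        for vendor in cve.get("affects", {}).get("vendor", {}).get("vendor_data", []):
            for product in vendor.get("product", {}).get("product_data", []):
                for ver in product.get("version", {}).get("version_data", []):
                    events["cveproducts"].append({
                        "cve_id": cve_id, "vendor": vendor.get("vendor_name"),
                        "product": product.get("product_name"),
                        "version": ver.get("version_value"), "version_affected": ver.get("version_affected")})
    return events


def sample_archive(fmt):
    """Build a gz or zip archive of SAMPLE_FEED, standing in for the download."""
    data = json.dumps(SAMPLE_FEED).encode()
    if fmt == "gz":
        return gzip.compress(data)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("nvdcve-1.0-2019.json", data)  # member name mirrors NVD naming
    return buf.getvalue()


def sample_meta():
    """Constructed stand-in for the .meta file (key:value lines) matching SAMPLE_FEED."""
    digest = hashlib.sha256(json.dumps(SAMPLE_FEED).encode()).hexdigest().upper()
    return "lastModifiedDate:2019-01-05T10:00:00-05:00\r\nsha256:" + digest + "\r\n"


def demo(fmt):
    """Full pipeline on the constructed sample: unpack, verify, split."""
    json_bytes = decode_feed(sample_archive(fmt), fmt)
    verified = verify_feed_sha256(json_bytes, sample_meta())
    return {"verified": verified, "events": split_feed(json.loads(json_bytes))}


if __name__ == "__main__":
    result = demo("gz")
    print("verified:", result["verified"])
    for sourcetype, evs in result["events"].items():
        print(sourcetype, len(evs), "event(s)")
```

Each event dict would be emitted as one JSON event to index=cve with the matching sourcetype; the sha256 check is worth keeping in any real input, since a truncated or corrupted download would otherwise be indexed silently as an incomplete feed.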

Dashboards
It ships with two sample dashboards so you can get a feel for what you can do with this data. They let you look up CVEs by year (2017-2019 are supported) and by vendor. Screenshots below.

2 thoughts on “CVE Lookup – Splunk App”

    1. Did you configure the modular input that this app comes with? Also ensure your Splunk instance has access to the internet. If things still don’t work you may need to look at _internal for errors.
      Note: This app has been successfully tested multiple times before being released.
