on 06-16-2025 08:46 AM
Introduction
The Cisco Vulnerability Management (CVM) platform is a risk-based vulnerability management (RBVM) solution that equips organizations with tools to identify, assess, and prioritize security vulnerabilities across their assets. By leveraging risk scoring built on data science, machine learning and a range of threat intelligence feeds, CVM enables security teams to focus on the vulnerabilities that pose the greatest threat to their environment.
Splunk, a data analytics platform, provides, among other features, robust capabilities for indexing, searching and visualizing large volumes of data.
When data from CVM is integrated into Splunk, organizations can build dynamic dashboards that give insight into their assets and vulnerabilities, help analyze risk, and produce actionable reporting.
While CVM provides robust native reporting, some organizations may need additional flexibility for visualizations, filtering, and reporting. For organizations using CVM alongside Splunk, this article describes how to create a dashboard that serves as a proof of concept (PoC) showcasing what combining CVM data with the capabilities of the Splunk platform makes possible. It walks step by step through getting data from the CVM platform into Splunk and should be particularly helpful for vulnerability management professionals who may not be familiar with the Splunk platform, while giving them a template they can re-use for reporting on their VM data.
Some of the visuals presented in the dashboard include:
Asset-based Reports
Vulnerability-based Reports
Etc.
The rest of the article goes into detail on how this is done – exporting data from CVM, ingesting it into Splunk and setting up the dashboard.
How to Set Up the Dashboard in Splunk
Step 1: Export ‘Assets’ and ‘Vulnerabilities’ Data from CVM
To get the relevant information out of the platform, we export the assets and the vulnerabilities from CVM using the CVM APIs. Fixes are not used in any of the dashboard panels, but you could export those as well and build your own visualizations around them. The data is requested through the Data Exports API endpoint and retrieved as a JSONL (JSON Lines) file, one JSON record per line. This article goes into more detail on how each export is done, while this video goes into more detail on the API exports.
The examples below show what the body of the POST request looks like for pulling all assets and all vulnerabilities. Note that only the request body for each data export is shown here; the endpoint, authentication header and the subsequent status polling and download calls are not.
Asset exports (all assets)
{
  "status": ["inactive", "active"],
  "exclude_child_filter": ["include all assets"],
  "export_settings": {
    "format": "jsonl",
    "model": "asset"
  }
}
Vulnerabilities export (all vulnerabilities)
{
  "asset": {
    "status": ["active", "inactive"]
  },
  "status": ["open", "closed", "risk accepted", "false positive"],
  "export_settings": {
    "format": "jsonl",
    "model": "vulnerability"
  }
}
The JSONL format is used for the exports because it gave the best results while setting up the dashboard: Splunk treats each line as a separate event and extracts the JSON fields from it, which is what the dashboard's queries expect.
Step 2: Import the Data into Splunk
Once the data is exported from CVM, it is time to have that data imported into the Splunk platform. If you aren’t very familiar with the Splunk platform, screenshots are provided to guide you along with the process.
Note: To minimize the changes required when setting up the Splunk dashboard provided in this article, keep the index and sourcetype names consistent with those used in the dashboard. The indexes and sourcetypes used in the dashboard are:
Vulnerabilities: index vulnerabilities, sourcetype dash_vulns_jsonl
Assets: index assets, sourcetype dash_asset_jsonl
If you decide to use your own values, make sure to change them in the dashboard in Step 3 / 4.
Data ingest steps:
Click on ‘Settings’ and then click on ‘Add Data’.
In the next screen, select the option to ‘Upload files from my computer’. For this guide, we will be starting with uploading the vulnerabilities data export.
Use the form below to ‘Select File’ by browsing to the location of the data export, or drag and drop the file onto the space provided. Then click on Next.
For the vulnerability ingest, it is recommended to disable event truncation so Splunk does not cut off long vulnerability records: by default Splunk truncates any event longer than 10,000 bytes (the TRUNCATE setting), and vulnerability lines with long descriptions or notes can exceed that. We do this in the next screen.
In the ‘Set Source Type’ screen, look for the ‘TRUNCATE’ setting; if it doesn’t exist, use the ‘New setting’ button to add it and set the value to ‘0’ (no truncation). Your settings should look similar to the following:
Click on Next. You will be prompted to save the Source Type. Choose the name you would like to use, keeping in mind the earlier note about staying consistent with the dashboard naming: the dashboard uses dash_vulns_jsonl as the source type for vulnerabilities, and that is what its queries reference. Click on Next to go to the ‘Input Settings’ screen.
On the Input Settings screen, you can set values for ‘host’ and ‘index’. Customize as desired, but again note the consistency consideration: the index used for the vulnerability-related SPL is vulnerabilities. The host value is not used in the queries, so you can set it to any value you like.
Click on Review and then hit Submit. Repeat the same process for ingesting the assets data export. The source type and index used by the asset-related SPL in the dashboard are dash_asset_jsonl and assets respectively.
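As an added example (not the article's, Cisco's or Splunk's own code), the script below automates Step 1 and the pre-upload check behind the TRUNCATE setting in Step 2. It posts the two request bodies shown in Step 1 to the Data Exports API, polls until the export is ready, saves the JSONL, and then scans the file line by line the way Splunk will index it, reporting malformed lines, lines longer than Splunk's default 10,000-byte TRUNCATE limit and records that lack the fields the dashboard relies on. The API base URL, the X-Risk-Token header, the /data_exports endpoint paths, the readiness message and the CVM_API_TOKEN environment variable are assumptions to verify against the CVM API documentation; the three sample JSONL lines are constructed.

```python
"""Export assets and vulnerabilities from CVM as JSONL, then check the files
the way Splunk will read them (one event per line) before uploading.

Added example for this article, not Cisco's or Splunk's own code. Assumed
(verify against the CVM API documentation and your region's base URL):
  - base URL https://api.kennasecurity.com, auth via the X-Risk-Token header
  - POST /data_exports starts an export and returns {"search_id": ...}
  - GET /data_exports/status?search_id=... returns a message containing
    "ready" once the export can be fetched
  - GET /data_exports?search_id=... returns the gzip-compressed JSONL
"""
import gzip
import json
import os
import sys
import time
import urllib.request

BASE_URL = "https://api.kennasecurity.com"  # assumption; region-specific in practice
SPLUNK_DEFAULT_TRUNCATE = 10000             # Splunk's default TRUNCATE, bytes per event

# The two request bodies from the article (all assets, all vulnerabilities).
EXPORT_BODIES = {
    "asset": {
        "status": ["inactive", "active"],
        "exclude_child_filter": ["include all assets"],
        "export_settings": {"format": "jsonl", "model": "asset"},
    },
    "vulnerability": {
        "asset": {"status": ["active", "inactive"]},
        "status": ["open", "closed", "risk accepted", "false positive"],
        "export_settings": {"format": "jsonl", "model": "vulnerability"},
    },
}


def _request(method, path, token, body=None):
    """Send one authenticated request and return the raw response bytes."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(BASE_URL + path, data=data, method=method)
    req.add_header("X-Risk-Token", token)
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=60) as resp:
        return resp.read()


def export_model(model, token, out_path, poll_seconds=30):
    """Start an export for 'asset' or 'vulnerability', wait for it, save the JSONL."""
    started = json.loads(_request("POST", "/data_exports", token, EXPORT_BODIES[model]))
    search_id = started["search_id"]
    while True:
        status = json.loads(_request("GET", f"/data_exports/status?search_id={search_id}", token))
        if "ready" in str(status.get("message", "")).lower():
            break
        time.sleep(poll_seconds)
    raw = _request("GET", f"/data_exports?search_id={search_id}", token)
    try:
        raw = gzip.decompress(raw)   # assumption: the export is delivered gzipped
    except OSError:
        pass                         # not gzipped: already plain JSONL
    with open(out_path, "wb") as fh:
        fh.write(raw)
    return out_path


def inspect_jsonl(lines, required_fields):
    """Scan JSONL lines as Splunk events and report what would bite at ingest time.

    Counts parsable records, malformed lines, lines longer than Splunk's default
    TRUNCATE limit (the reason the article sets TRUNCATE=0), and required fields
    that at least one record lacks (the field check the article's Step 5 asks for).
    """
    report = {"records": 0, "malformed": 0, "over_truncate": 0,
              "max_line_bytes": 0, "missing_fields": set()}
    for line in lines:
        line = line.rstrip("\r\n")
        if not line:
            continue
        size = len(line.encode("utf-8"))
        report["max_line_bytes"] = max(report["max_line_bytes"], size)
        if size > SPLUNK_DEFAULT_TRUNCATE:
            report["over_truncate"] += 1
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            report["malformed"] += 1
            continue
        report["records"] += 1
        report["missing_fields"].update(f for f in required_fields if f not in record)
    return report


def inspect_file(path, required_fields):
    with open(path, encoding="utf-8") as fh:
        return inspect_jsonl(fh, required_fields)


# Constructed sample standing in for three lines of a vulnerability export (not
# real CVM data): one clean record, one with an oversized description and no
# scanner_score, and one line cut off mid-record.
SAMPLE_VULNS_JSONL = "\n".join([
    json.dumps({"id": 1, "status": "open", "scanner_score": 7.5, "risk_meter_score": 82}),
    json.dumps({"id": 2, "status": "closed", "risk_meter_score": 30, "description": "x" * 12000}),
    '{"id": 3, "status": "open", "scanner_score": 9.8',
])


def sample_report():
    return inspect_jsonl(SAMPLE_VULNS_JSONL.splitlines(), ("scanner_score", "risk_meter_score"))


if __name__ == "__main__":
    if len(sys.argv) == 3 and os.environ.get("CVM_API_TOKEN"):
        # usage: CVM_API_TOKEN=... python cvm_export.py asset|vulnerability out.jsonl
        model, out_path = sys.argv[1], sys.argv[2]
        export_model(model, os.environ["CVM_API_TOKEN"], out_path)
        fields = ("risk_meter_score",) if model == "asset" else ("scanner_score", "risk_meter_score")
        print(inspect_file(out_path, fields))
    else:
        print(sample_report())
```

Run it once per model before uploading: a non-zero over_truncate count is exactly the case the TRUNCATE=0 setting exists for, a non-zero malformed count usually means a download was cut short, and any name in missing_fields will show up in Step 5 as an empty panel.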
With the data import done, we can then download the Splunk Dashboard.
Step 3: Download the Dashboard
The Splunk dashboard is provided as a JSON file compressed in ZIP format. Download the ZIP and extract the JSON file for the next steps. If you used different sourcetype and index values, use find and replace to change them to your values. Note that the SPL inside the dashboard file is stored as JSON strings, so the double quotes around the names appear escaped as \" in the file and the patterns must include that backslash. For example:
For Vulnerabilities
Find: sourcetype=\"dash_vulns_jsonl\"
Replace: sourcetype=\"your_vulns_source_type_name\"
For Assets
Find: sourcetype=\"dash_asset_jsonl\"
Replace: sourcetype=\"your_asset_source_type_name\"
Use similar find and replace operations for the vulnerabilities and assets indexes, but only if your index names differ from those used in the dashboard.
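As an added example rather than part of the downloadable dashboard, the script below performs the Step 3 renaming on the extracted JSON instead of with a text editor. It assumes the file is in Dashboard Studio format, where each search is the string at dataSources.<name>.options.query and SPL strings are JSON-encoded, which is why the find patterns above show \" around the names; loading the file with a JSON parser removes that escaping and dumping it puts it back. It also matches whole values only, so an index such as vulnerabilities_archive is not accidentally renamed. The replacement names and the sample dashboard fragment are placeholders constructed for the example.

```python
"""Rename the sourcetypes and indexes inside a Dashboard Studio JSON export.

Added example for this article (not part of the downloadable dashboard).
Assumes the Dashboard Studio layout: every search is the string at
dataSources.<name>.options.query. json.load() un-escapes the \\" seen in the
article's find patterns, so the replacements here are written against plain
SPL and json.dump() re-escapes them on the way out.
"""
import json
import re

# Names used by the article's dashboard -> names in your environment (placeholders).
DEFAULT_RENAMES = {
    "sourcetype": {
        "dash_vulns_jsonl": "your_vulns_source_type_name",
        "dash_asset_jsonl": "your_asset_source_type_name",
    },
    "index": {
        "vulnerabilities": "your_vulns_index",
        "assets": "your_assets_index",
    },
}


def rewrite_query(query, renames=DEFAULT_RENAMES):
    """Replace sourcetype=/index= values in one SPL string.

    Matches whole values only, quoted or bare, so index=vulnerabilities is
    rewritten while index=vulnerabilities_archive is left alone; the new
    value is always emitted quoted.
    """
    for key, mapping in renames.items():
        for old, new in mapping.items():
            pattern = re.compile(
                rf'(?<![\w.])({key}\s*=\s*)"?{re.escape(old)}"?(?![\w-])'
            )
            query = pattern.sub(lambda m, new=new: f'{m.group(1)}"{new}"', query)
    return query


def rewrite_dashboard(dashboard, renames=DEFAULT_RENAMES):
    """Apply rewrite_query to every data source in a loaded dashboard; return how many changed."""
    changed = 0
    for source in dashboard.get("dataSources", {}).values():
        options = source.get("options", {})
        query = options.get("query")
        if isinstance(query, str):
            new_query = rewrite_query(query, renames)
            if new_query != query:
                options["query"] = new_query
                changed += 1
    return changed


def rewrite_file(src_path, dst_path, renames=DEFAULT_RENAMES):
    """Load the extracted dashboard JSON, rewrite it and write a new file."""
    with open(src_path, encoding="utf-8") as fh:
        dashboard = json.load(fh)
    changed = rewrite_dashboard(dashboard, renames)
    with open(dst_path, "w", encoding="utf-8") as fh:
        json.dump(dashboard, fh, indent=2)
    return changed


def sample_dashboard():
    """Constructed dashboard fragment (not the article's file): two searches to
    rename and one that must stay untouched."""
    return {
        "dataSources": {
            "ds_top_vulns": {"type": "ds.search", "options": {
                "query": 'index=vulnerabilities sourcetype="dash_vulns_jsonl" status=open '
                         '| stats count by risk_meter_score'}},
            "ds_assets": {"type": "ds.search", "options": {
                "query": 'index="assets" sourcetype=dash_asset_jsonl | stats count'}},
            "ds_untouched": {"type": "ds.search", "options": {
                "query": 'index=vulnerabilities_archive | stats count'}},
        }
    }


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        # usage: python rename_dashboard.py dashboard.json dashboard_renamed.json
        print(f"rewrote {rewrite_file(sys.argv[1], sys.argv[2])} data source(s)")
    else:
        d = sample_dashboard()
        rewrite_dashboard(d)
        print(json.dumps(d, indent=2))
```

Edit DEFAULT_RENAMES to your own sourcetype and index names, run the script against the extracted file, and import the rewritten JSON in Step 4; the count it prints should match the number of searches in the dashboard that reference CVM data.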
Step 4: Import the Dashboard template in JSON into Splunk
In Splunk, create a new dashboard (Dashboards > Create New Dashboard) using Dashboard Studio, open the dashboard’s source editor, replace its contents with the extracted JSON and save. Fill out the details similar to the screenshot shown below.
Step 5: Review Information presented in the dashboard to confirm it all looks good.
At this point, you should see visuals and reports similar to the attached screenshots, with both source types recognized and the graphs populated. Check that fields such as scanner_score and risk_meter_score were extracted correctly from your Splunk data, and review the visualizations to confirm they contain the data you expect. If adjustments are needed, edit the SPL queries in the dashboard source or in the visualization editor.
If the graphs are not populating, adjust the time range to one that returns results for the various panels; the default is usually the last 24 hours. Splunk may take each event’s _time from a date inside the record (for example a created or last-seen date) rather than from the time of the upload, so the exported events can fall well outside that window; selecting ‘All time’ is the quickest check.
Below are snippets of the reports provided in the dashboard.
[Optional] Step 6: Customize the Dashboard
Once imported, you can use the dashboard as is or customize the dashboard further to fit your needs. Some possible modifications / improvements could include:
Possible Enhancements and Closing Comments
This initial dashboard provides a good foundation for CVM reporting in Splunk. Organizations may look to further enhance the dashboard by:
Feel free to download the JSON representation of the dashboard and give it a try in your environment! If you have any questions or encounter any issues, leave a comment or reach out to the CVM community for support and someone from the community may be able to provide some assistance.