Initial release

vulnerability_scanner_app/bin/README

@@ -0,0 +1 @@
+This is where you put any scripts you want to add to this app.

vulnerability_scanner_app/default/app.conf

@@ -0,0 +1,16 @@
+#
+# Splunk app configuration file
+#
+
+[install]
+is_configured = 0
+
+[ui]
+is_visible = 1
+label = Vulnerability Scanner App
+
+[launcher]
+author = Patrick Bareiss
+description = Visualize vulnerability scan data.
+version = 1.0.0
+

vulnerability_scanner_app/default/data/ui/nav/default.xml

@@ -0,0 +1,4 @@
+<nav search_view="search">
+  <view name="vulnerability_dashboard" default='true' />
+  <view name="search"  />
+</nav>

vulnerability_scanner_app/default/data/ui/views/README

@@ -0,0 +1 @@
+Add all the views that your app needs in this directory

vulnerability_scanner_app/default/data/ui/views/vulnerability_dashboard.xml

@@ -0,0 +1,223 @@
+<form theme="dark">
+  <label>Vulnerability Dashboard</label>
+  <fieldset submitButton="true" autoRun="true">
+    <input type="multiselect" token="multiselect_token" searchWhenChanged="true">
+      <label>Severity</label>
+      <choice value="critical">critical</choice>
+      <choice value="high">high</choice>
+      <choice value="medium">medium</choice>
+      <choice value="low">low</choice>
+      <choice value="informational">informational</choice>
+      <choice value="unknown">unknown</choice>
+      <initialValue>critical,high,medium,low,informational,unknown</initialValue>
+      <default>critical,high,medium,low,informational,unknown</default>
+      <valuePrefix>severity="</valuePrefix>
+      <valueSuffix>"</valueSuffix>
+      <delimiter> OR </delimiter>
+    </input>
+    <input type="time" token="time_token" searchWhenChanged="false">
+      <label></label>
+      <default>
+        <earliest>-7d@h</earliest>
+        <latest>now</latest>
+      </default>
+    </input>
+  </fieldset>
+  <row>
+    <panel>
+      <title>Total Vulnerabilities</title>
+      <single>
+        <title>Distinct Count</title>
+        <search>
+          <query>`get_nessus_index` `get_nessus_scan_sourcetype` $multiselect_token$
+| timechart distinct_count(signature) span=1d</query>
+          <earliest>$time_token.earliest$</earliest>
+          <latest>$time_token.latest$</latest>
+          <sampleRatio>1</sampleRatio>
+        </search>
+        <option name="colorBy">trend</option>
+        <option name="colorMode">none</option>
+        <option name="drilldown">none</option>
+        <option name="numberPrecision">0.0</option>
+        <option name="rangeColors">["0x65a637","0xf7bc38","0xd93f3c"]</option>
+        <option name="rangeValues">[2,5]</option>
+        <option name="refresh.display">progressbar</option>
+        <option name="showSparkline">1</option>
+        <option name="showTrendIndicator">1</option>
+        <option name="trellis.enabled">0</option>
+        <option name="trellis.scales.shared">1</option>
+        <option name="trellis.size">medium</option>
+        <option name="trendColorInterpretation">inverse</option>
+        <option name="trendDisplayMode">percent</option>
+        <option name="unitPosition">after</option>
+        <option name="useColors">1</option>
+        <option name="useThousandSeparators">1</option>
+      </single>
+    </panel>
+    <panel>
+      <title>Vulnerabilities per System</title>
+      <single>
+        <title>Distinct Count</title>
+        <search>
+          <query>`get_nessus_index` `get_nessus_scan_sourcetype` $multiselect_token$
+| timechart distinct_count(signature) AS dc_signature distinct_count(dest) AS dc_dest span=1d
+| eval vuln_per_dest = dc_signature/dc_dest
+| table _time vuln_per_dest</query>
+          <earliest>$time_token.earliest$</earliest>
+          <latest>$time_token.latest$</latest>
+          <sampleRatio>1</sampleRatio>
+        </search>
+        <option name="colorBy">trend</option>
+        <option name="colorMode">none</option>
+        <option name="drilldown">none</option>
+        <option name="numberPrecision">0.0</option>
+        <option name="rangeColors">["0x65a637","0x6db7c6","0xf7bc38","0xf58f39","0xd93f3c"]</option>
+        <option name="rangeValues">[0,30,70,100]</option>
+        <option name="refresh.display">progressbar</option>
+        <option name="showSparkline">1</option>
+        <option name="showTrendIndicator">1</option>
+        <option name="trellis.enabled">0</option>
+        <option name="trellis.scales.shared">1</option>
+        <option name="trellis.size">medium</option>
+        <option name="trendColorInterpretation">inverse</option>
+        <option name="trendDisplayMode">absolute</option>
+        <option name="unitPosition">after</option>
+        <option name="useColors">1</option>
+        <option name="useThousandSeparators">1</option>
+      </single>
+    </panel>
+    <panel>
+      <title>Total Vulnerability Score</title>
+      <single>
+        <title>low: 1, medium: 2, high: 4, critical: 8</title>
+        <search>
+          <query>`get_nessus_index` `get_nessus_scan_sourcetype`
+| timechart dc(signature) AS dc_signatures span=1d by severity
+| eval vuln_score=if(isnotnull(low),low,0)+if(isnotnull(medium),medium,0)*2+if(isnotnull(high),high,0)*4+if(isnotnull(critical),critical,0)*8
+| table _time vuln_score</query>
+          <earliest>$time_token.earliest$</earliest>
+          <latest>$time_token.latest$</latest>
+          <sampleRatio>1</sampleRatio>
+        </search>
+        <option name="colorBy">trend</option>
+        <option name="colorMode">none</option>
+        <option name="drilldown">none</option>
+        <option name="numberPrecision">0</option>
+        <option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
+        <option name="rangeValues">[0,30,70,100]</option>
+        <option name="refresh.display">progressbar</option>
+        <option name="showSparkline">1</option>
+        <option name="showTrendIndicator">1</option>
+        <option name="trellis.enabled">0</option>
+        <option name="trellis.scales.shared">1</option>
+        <option name="trellis.size">medium</option>
+        <option name="trendColorInterpretation">inverse</option>
+        <option name="trendDisplayMode">absolute</option>
+        <option name="unitPosition">after</option>
+        <option name="useColors">1</option>
+        <option name="useThousandSeparators">1</option>
+      </single>
+    </panel>
+  </row>
+  <row>
+    <panel>
+      <title>Top Vulnerabilities</title>
+      <chart>
+        <search>
+          <query>`get_nessus_index` `get_nessus_scan_sourcetype` $multiselect_token$
+| stats count by signature 
+| sort - count 
+| head 10</query>
+          <earliest>$time_token.earliest$</earliest>
+          <latest>$time_token.latest$</latest>
+          <sampleRatio>1</sampleRatio>
+        </search>
+        <option name="charting.chart">bar</option>
+        <option name="charting.drilldown">none</option>
+        <option name="charting.legend.placement">none</option>
+        <option name="refresh.display">progressbar</option>
+      </chart>
+    </panel>
+    <panel>
+      <title>Most vulnerable hosts</title>
+      <chart>
+        <search>
+          <query>`get_nessus_index` `get_nessus_scan_sourcetype` $multiselect_token$
+| stats dc(signature) AS dc_signatures by dest severity 
+| chart first(dc_signatures) over dest by severity 
+| eval total=case(critical&gt;0 AND high&gt;0,critical+high,critical&gt;0,critical,high&gt;0,high,1==1,0) 
+| eval subTotal=case(medium&gt;0 AND low&gt;0,medium+low,medium&gt;0,medium,low&gt;0,low,1==1,0) 
+| eval subSubTotal=case(informational&gt;0 AND unknown&gt;0,informational+unknown,informational&gt;0,informational,unknown&gt;0,unknown,1==1,0) 
+| sort 10 - total,subTotal,subSubTotal 
+| fields - total,subTotal,subSubTotal 
+| table dest,critical,high,medium,low,informational,unknown</query>
+          <earliest>$time_token.earliest$</earliest>
+          <latest>$time_token.latest$</latest>
+          <sampleRatio>1</sampleRatio>
+        </search>
+        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
+        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
+        <option name="charting.axisTitleX.visibility">visible</option>
+        <option name="charting.axisTitleY.visibility">visible</option>
+        <option name="charting.axisTitleY2.visibility">visible</option>
+        <option name="charting.axisX.abbreviation">none</option>
+        <option name="charting.axisX.scale">linear</option>
+        <option name="charting.axisY.abbreviation">none</option>
+        <option name="charting.axisY.scale">linear</option>
+        <option name="charting.axisY2.abbreviation">none</option>
+        <option name="charting.axisY2.enabled">0</option>
+        <option name="charting.axisY2.scale">inherit</option>
+        <option name="charting.chart">bar</option>
+        <option name="charting.chart.bubbleMaximumSize">50</option>
+        <option name="charting.chart.bubbleMinimumSize">10</option>
+        <option name="charting.chart.bubbleSizeBy">area</option>
+        <option name="charting.chart.nullValueMode">gaps</option>
+        <option name="charting.chart.showDataLabels">none</option>
+        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
+        <option name="charting.chart.stackMode">stacked</option>
+        <option name="charting.chart.style">shiny</option>
+        <option name="charting.drilldown">all</option>
+        <option name="charting.layout.splitSeries">0</option>
+        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
+        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
+        <option name="charting.legend.mode">standard</option>
+        <option name="charting.legend.placement">right</option>
+        <option name="charting.lineWidth">2</option>
+        <option name="charting.seriesColors">["0xd93f3c","0xf58f39","0xf7bc38","0x65a637","0x6db7c6","0x909090"]</option>
+        <option name="refresh.display">progressbar</option>
+        <option name="trellis.enabled">0</option>
+        <option name="trellis.scales.shared">1</option>
+        <option name="trellis.size">medium</option>
+        <drilldown>
+          <link target="_blank">search?q=%60get_nessus_index%60%20%60get_nessus_scan_sourcetype%60%20dest=$click.value$%20severity=$click.name2$%0A%7C%20table%20dest%20severity%20signature&amp;earliest=$time_token.earliest$&amp;latest=$time_token.latest$</link>
+        </drilldown>
+      </chart>
+    </panel>
+  </row>
+  <row>
+    <panel>
+      <title>New Critical Vulnerabilities</title>
+      <table>
+        <search>
+          <query>`get_nessus_index` `get_nessus_plugin_sourcetype` 
+| stats count by cvss3_base_score signature 
+| rename cvss3_base_score AS score 
+| sort - score 
+| where score&gt;=9.0
+| table score, signature</query>
+          <earliest>$time_token.earliest$</earliest>
+          <latest>$time_token.latest$</latest>
+          <sampleRatio>1</sampleRatio>
+        </search>
+        <option name="count">10</option>
+        <option name="dataOverlayMode">none</option>
+        <option name="drilldown">none</option>
+        <option name="percentagesRow">false</option>
+        <option name="refresh.display">progressbar</option>
+        <option name="rowNumbers">false</option>
+        <option name="totalsRow">false</option>
+        <option name="wrap">true</option>
+      </table>
+    </panel>
+  </row>
+</form>

vulnerability_scanner_app/default/macros.conf

@@ -0,0 +1,12 @@
+[get_nessus_index]
+definition = (index=va)
+description = Define the name of the index, e.g. index="va"
+
+[get_nessus_scan_sourcetype]
+definition = (sourcetype="nessus:scan")
+description = Define the name of sourcetype for nessus scans e.g. sourcetype="nessus:scan"
+
+[get_nessus_plugin_sourcetype]
+definition = (sourcetype="nessus:plugin")
+description = Define the name of sourcetype for nessus plugins e.g. sourcetype="nessus:plugin"
+

vulnerability_scanner_app/local/app.conf

@@ -0,0 +1,3 @@
+[ui]
+
+[launcher]

vulnerability_scanner_app/metadata/default.meta

@@ -0,0 +1,35 @@
+
+# Application-level permissions
+
+[]
+access = read : [ * ], write : [ admin, power ]
+
+### EVENT TYPES
+
+[eventtypes]
+export = system
+
+
+### PROPS
+
+[props]
+export = system
+
+
+### TRANSFORMS
+
+[transforms]
+export = system
+
+
+### LOOKUPS
+
+[lookups]
+export = system
+
+
+### VIEWSTATES: even normal users should be able to create shared viewstates
+
+[viewstates]
+access = read : [ * ], write : [ * ]
+export = system

vulnerability_scanner_app/metadata/local.meta

@@ -0,0 +1,12 @@
+[app/ui]
+version = 7.2.3
+modtime = 1548529324.095179000
+
+[app/launcher]
+version = 7.2.3
+modtime = 1548529324.096415000
+
+[views/vulnerability_dashboard]
+owner = admin
+version = 7.2.3
+modtime = 1548540473.623535000