Spectre and Meltdown Vulnerable Systems

Name:Spectre and Meltdown Vulnerable Systems
id:354be8e0-32cd-4da0-8c47-796de13b60ea
version:4
date:2024-11-14
author:David Dorsey, Splunk
status:deprecated
type:TTP
Description:The search is used to detect systems that are still vulnerable to the Spectre and Meltdown vulnerabilities.
Data_source:

search:| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Vulnerabilities where Vulnerabilities.cve ="CVE-2017-5753" OR Vulnerabilities.cve ="CVE-2017-5715" OR Vulnerabilities.cve ="CVE-2017-5754" by Vulnerabilities.dest
| `drop_dm_object_name(Vulnerabilities)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `spectre_and_meltdown_vulnerable_systems_filter`

how_to_implement:The search requires that you are ingesting your vulnerability-scanner data and that it reports the CVE of the vulnerability identified.
known_false_positives:It is possible that your vulnerability scanner is not detecting that the patches have been applied.
References:
drilldown_searches:
  :
tags:
  analytic_story:
    - 'Spectre And Meltdown Vulnerabilities'
  asset_type:Endpoint
  cve:
    - 'CVE-2017-5753'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  security_domain:endpoint

tests:
  :
manual_test:None