Channel: Questions in topic: "splunk-enterprise"

Nessus scan vulnerability duration

I am trying to find all vulnerabilities present in Nessus scans that have been reported more than 15 days ago and are still present. My current search query works, but I can't help feeling that it is inefficient. Here it is:

    sourcetype="nessus:scan"
    | fields severity, plugin_name, _time, host-ip
    | stats earliest(_time) as firsttime, latest(_time) as lasttime by plugin_name, severity, host-ip
    | eval now=now()
    | eval Days=((lasttime-firsttime)/86400), test=((now-lasttime)/86400), First_Sighting=strftime(firsttime,"%Y/%m/%d %I:%M:%S"), Last_Sighting=strftime(lasttime,"%Y/%m/%d %I:%M:%S")
    | where test<15
    | eval Real-Days=round(Days, 0)
    | table plugin_name, severity, host-ip, First_Sighting, Last_Sighting, Real-Days
    | sort -Last_Sighting

Thanks
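One way to express the aging rule described in the question, as an added example that is not part of the original post: it filters on epoch values before doing any formatting and enforces both halves of the stated rule. It assumes "still present" means last seen within the past 15 days (as in the poster's `test<15`) and "reported more than 15 days ago" means first seen before that same cutoff; the field names `cutoff` and `Days_Open` are introduced here for illustration.

```spl
sourcetype="nessus:scan"
| fields _time, plugin_name, severity, host-ip
| stats min(_time) as firsttime, max(_time) as lasttime by plugin_name, severity, host-ip
| eval cutoff=relative_time(now(), "-15d")
| where lasttime >= cutoff AND firsttime < cutoff
| eval Days_Open=round((lasttime - firsttime) / 86400, 0)
| sort 0 - lasttime
| eval First_Sighting=strftime(firsttime, "%Y/%m/%d %H:%M:%S"), Last_Sighting=strftime(lasttime, "%Y/%m/%d %H:%M:%S")
| table plugin_name, severity, host-ip, First_Sighting, Last_Sighting, Days_Open
```

Sorting on the numeric `lasttime` before formatting keeps the order chronological, and `%H` gives a 24-hour clock so morning and evening sightings stay distinguishable in the output.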
