Have seen a lot of Q&A about wildcards in the lookup table; this is the reverse. Here is the scenario.
Lookup table **priority_cve**:

| CVE | Patch |
| --- | --- |
| CVE-2014-2053 | Patch A |
| CVE-2015-1111 | Patch B |
In the events, a given event may have a **cve** field as follows:
```
hostname="alpha" cve="CVE-2014-0251;CVE-2014-0253;CVE-2014-0297"
```
So I want the above event to match the CVE-2014-2053 entry in the lookup table. I want to end up with a table of hostnames that match entries in the lookup table. Some events may have just one CVE in the **cve** field, others may have multiple as above.
Bonus points if this can be done without messing with transforms.conf, etc., which I do not have access to.
I know I can match an event with `where like(cve,"%CVE-2014-0253%")`. But how do I extract the matched item from the multiple items?
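One SPL approach, added here as an example and not part of the original post: split the semicolon-delimited field into a multivalue field, expand it to one row per CVE, and match each row against the lookup. It assumes `priority_cve` is already defined as a lookup (which can be done from Settings > Lookups in the web UI rather than by editing transforms.conf by hand) and that the index and sourcetype are placeholders.

```spl
index=<your_index> sourcetype=<your_sourcetype> cve=*
| makemv delim=";" cve                          /* "a;b;c" -> multivalue field with 3 values */
| mvexpand cve                                  /* one row per CVE so each can be matched on its own */
| lookup priority_cve CVE AS cve OUTPUT Patch   /* exact match of the single CVE against the lookup's CVE column */
| where isnotnull(Patch)                        /* keep only rows where the lookup found an entry */
| table hostname cve Patch                      /* hostname, the matched CVE, and the patch it maps to */
```

Because `lookup` matches each expanded row on its own, the output lists the individual CVE that hit, not the whole original `cve` string; if you want one row per host again, append `| stats values(cve) AS matched_cves values(Patch) AS patches BY hostname`.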