index=INDEX1 source=*sva* | rename server_group_name AS LOB "scan.findings{}.cve_entries{}.cve_entry" AS CVE | fields - _raw | rename "scan.findings{}.id" AS Scan_FindingsID | rename "scan.server_id" AS serverID | mvexpand CVE | eval unique_CVE=CVE+serverID | dedup unique_CVE | join type=inner CVE [search index=INDEX2 earliest=1 latest=now |fields - _raw | fields + summary,CVE,"CVSS Metrics.score"| rename "CVSS Metrics.score" AS CVSS]|fields + hostname,serverID,CVE,CVSS| join type=left serverID [search index=INDEX3 earliest=-24h latest=now | fields - _raw | fields + server_id,server_group_name,server_primary_ip_address | dedup server_id | rename server_id AS serverID] | rename server_primary_ip_address AS private_IP | fields + serverID,hostname,server_group_name,private_IP,CVE,CVSS | rename server_group_name AS LOB| eval CVSS=case(CVSS>=0 AND CVSS<=3.9,"Low",CVSS>=4.0 AND CVSS <=6.9, "Medium", CVSS>=7.0,"High") | join type=left CVE [search index=INDEX2 earliest=1 latest=now| fields - _raw ]| table serverID,LOB,private_IP,CVSS,CVE,"CVSS Metrics.score",summary,References{},count | search LOB="*Prod*" | stats count by CVSS | sort -CVSS
↧