I'm looking to put together some reports on vulnerability data where I can show a trending value of both fixed and active vulns at any given time. Our vulnerability data is separated where we have assets (asset_id) and the last time they were scanned (last_scan_finished) as one sourcetype, and the assets (asset_id), vulnerability (signature_id) and the last time that vuln was detected (most_recently_discovered) as another sourcetype. When a vulnerability is resolved we don't receive any indication in the data, but it will not be detected in future scans.
I'm looking to timechart each combination of asset_id and signature_id, where if the most_recently_discovered field is greater than or equal to the last_scan_finished date it is considered active; otherwise it's resolved. I've made several attempts; however, I haven't been able to come up with a workable solution. Any help would be greatly appreciated.
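The classification rule in the question (a pair is active when its most_recently_discovered is at or after the asset's last_scan_finished, otherwise resolved) can be checked against a small dataset before it is turned into a search. The following is an added Python example, not code from the poster or from Splunk: it replays the two sourcetypes as constructed event lists, computes the state of every (asset_id, signature_id) pair as seen at the end of each day, and returns the daily active/resolved counts that a timechart would plot. The field names match the question; the timestamp format, the "end of day" cut-off, and the choice to skip a finding whose asset has no scan record yet are assumptions.

```python
from datetime import date, datetime, timedelta

# Constructed sample events standing in for the two sourcetypes.
SCANS = [  # (asset_id, last_scan_finished)
    ("host-a", "2024-01-01T08:00:00"),
    ("host-a", "2024-01-03T08:00:00"),
    ("host-a", "2024-01-05T08:00:00"),
    ("host-b", "2024-01-02T08:00:00"),
    ("host-b", "2024-01-04T08:00:00"),
]
FINDINGS = [  # (asset_id, signature_id, most_recently_discovered)
    ("host-a", "sig-1", "2024-01-01T08:00:00"),
    ("host-a", "sig-1", "2024-01-03T08:00:00"),
    ("host-a", "sig-2", "2024-01-01T08:00:00"),  # never seen again after 01-01
    ("host-b", "sig-1", "2024-01-02T08:00:00"),
    ("host-b", "sig-1", "2024-01-04T08:00:00"),
]

# Assumed timestamp format for both sourcetypes.
TS_FORMAT = "%Y-%m-%dT%H:%M:%S"


def parse_ts(value):
    return datetime.strptime(value, TS_FORMAT)


def classify(scans, findings, as_of):
    """Return {(asset_id, signature_id): "active" | "resolved"} as seen at as_of.

    Only events at or before as_of count, so calling this once per day
    reproduces the state the scanner data implied on that day.
    """
    # Latest scan completion per asset, up to as_of.
    last_scan = {}
    for asset, ts in scans:
        t = parse_ts(ts)
        if t <= as_of and (asset not in last_scan or t > last_scan[asset]):
            last_scan[asset] = t

    # Latest detection per (asset, signature) pair, up to as_of.
    last_seen = {}
    for asset, sig, ts in findings:
        t = parse_ts(ts)
        key = (asset, sig)
        if t <= as_of and (key not in last_seen or t > last_seen[key]):
            last_seen[key] = t

    status = {}
    for (asset, sig), seen in last_seen.items():
        scan = last_scan.get(asset)
        if scan is None:
            # Assumption: a finding whose asset has no scan record yet
            # cannot be classified, so it is left out of both counts.
            continue
        # The rule from the question: detected at or after the last scan => active.
        status[(asset, sig)] = "active" if seen >= scan else "resolved"
    return status


def trend(scans, findings, start, end):
    """Daily rows of (date, active_count, resolved_count) from start to end inclusive."""
    rows = []
    day = start
    while day <= end:
        as_of = datetime.combine(day, datetime.max.time())  # end of that day
        state = classify(scans, findings, as_of)
        active = sum(1 for s in state.values() if s == "active")
        rows.append((day.isoformat(), active, len(state) - active))
        day += timedelta(days=1)
    return rows


if __name__ == "__main__":
    for row in trend(SCANS, FINDINGS, date(2024, 1, 1), date(2024, 1, 5)):
        print(row)
```

On the constructed data, host-a/sig-2 flips to resolved on 2024-01-03 (the asset was rescanned and the signature was not seen again), and host-a/sig-1 flips on 2024-01-05 for the same reason, which is exactly the "resolved with no explicit indication" behaviour described in the question. Note that the rule is evaluated against the latest scan of the asset, so a pair stays active between scans even if the scanner has not run for days; a separate "scan overdue" check is needed if stale assets should not be counted as clean.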