I'm trying to find the average time (in weeks) it takes to patch specific network vulnerabilities. I take in data from network scans which include the hostname and the name of the plugin that is vulnerable. The scans run weekly, so if it took a department three weeks to patch a vulnerable plugin, that *"plugin_name=VulnerabilityX"* within *"hostname=0.0.0.0"* should be present three times. Then I could take those numbers of occurrences and use them to find the average number of weeks it takes to patch each plugin_name.
There are 100+ hostnames, each with however many plugins, that I need to do this for. From what I've tried and researched so far, it seems like there is no easy way to do this without a huge mess of subsearches. There is a timestamp field included in the events with the field values represented in epoch time, for example *"timestamp=1469561133"*, which seems like it could be useful, but I haven't found a way yet.
Any advice at all on this would be greatly appreciated!
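The aggregation the post describes, as an added example that is not part of the original post and not written in the search language of the tool the poster is using (the post does not name it): group events by (hostname, plugin_name), measure how long each finding stayed present, then average per plugin_name. It uses the epoch timestamp rather than the raw count of occurrences, so a week with a missed scan does not make a finding look patched faster, and it sets aside findings still present in the latest scan, which have no patch date yet and would otherwise pull the average toward "fast". The event shape (dicts with hostname, plugin_name and timestamp), the hostnames and the scan timestamps are all constructed for this example; only the 1469561133 epoch value comes from the post.

```python
"""Average weeks-to-patch per plugin from weekly scan events (added example)."""
from collections import defaultdict
from statistics import mean

WEEK_SECONDS = 7 * 24 * 60 * 60
BASE_TS = 1469561133  # epoch value quoted in the post; week 0 of the constructed data

# Constructed sample events, not real scan output. One row per (hostname, plugin, scan).
#   10.0.0.1 / VulnerabilityX : seen weeks 0, 1, 2        -> patched after 3 weeks
#   10.0.0.2 / VulnerabilityX : seen week 0 only          -> patched after 1 week
#   10.0.0.3 / VulnerabilityX : seen weeks 0 and 2 (scan missed in week 1) -> 3 weeks
#   10.0.0.2 / VulnerabilityY : seen weeks 0..3, still present in the latest scan
SCAN_EVENTS = [
    {"hostname": "10.0.0.1", "plugin_name": "VulnerabilityX", "timestamp": BASE_TS},
    {"hostname": "10.0.0.1", "plugin_name": "VulnerabilityX", "timestamp": BASE_TS + WEEK_SECONDS + 7200},  # scan ran 2h late
    {"hostname": "10.0.0.1", "plugin_name": "VulnerabilityX", "timestamp": BASE_TS + 2 * WEEK_SECONDS},
    {"hostname": "10.0.0.2", "plugin_name": "VulnerabilityX", "timestamp": BASE_TS},
    {"hostname": "10.0.0.3", "plugin_name": "VulnerabilityX", "timestamp": BASE_TS},
    {"hostname": "10.0.0.3", "plugin_name": "VulnerabilityX", "timestamp": BASE_TS + 2 * WEEK_SECONDS},
    {"hostname": "10.0.0.2", "plugin_name": "VulnerabilityY", "timestamp": BASE_TS},
    {"hostname": "10.0.0.2", "plugin_name": "VulnerabilityY", "timestamp": BASE_TS + WEEK_SECONDS},
    {"hostname": "10.0.0.2", "plugin_name": "VulnerabilityY", "timestamp": BASE_TS + 2 * WEEK_SECONDS},
    {"hostname": "10.0.0.2", "plugin_name": "VulnerabilityY", "timestamp": BASE_TS + 3 * WEEK_SECONDS},
]


def _week(ts, base):
    """Map an epoch timestamp to a weekly scan index relative to `base`.

    round() absorbs scans that start a few hours early or late, so two events
    from the same weekly run land in the same bucket."""
    return round((ts - base) / WEEK_SECONDS)


def summarize(events):
    """Return (avg_weeks_by_plugin, still_open).

    avg_weeks_by_plugin: plugin_name -> mean number of weekly scans a finding
      stayed present, over findings that are absent from the latest scan.
    still_open: {(hostname, plugin_name): weeks_so_far} for findings seen in
      the latest scan. They have no patch date yet, so they are reported
      separately rather than averaged in as if they were patched."""
    base = min(e["timestamp"] for e in events)
    first, last = {}, {}
    for e in events:
        key = (e["hostname"], e["plugin_name"])
        w = _week(e["timestamp"], base)
        first[key] = min(w, first.get(key, w))
        last[key] = max(w, last.get(key, w))

    latest_week = max(last.values())
    per_plugin = defaultdict(list)
    still_open = {}
    for key in first:
        # Lifetime from first to last sighting, inclusive. Unlike counting events,
        # this is unaffected by a week in which the host simply was not scanned.
        weeks = last[key] - first[key] + 1
        if last[key] == latest_week:
            still_open[key] = weeks
        else:
            per_plugin[key[1]].append(weeks)
    return {p: mean(v) for p, v in per_plugin.items()}, still_open


if __name__ == "__main__":
    averages, open_findings = summarize(SCAN_EVENTS)
    for plugin, avg_weeks in sorted(averages.items()):
        print(f"{plugin}: {avg_weeks:.2f} weeks on average to patch")
    for (host, plugin), weeks in sorted(open_findings.items()):
        print(f"{host} {plugin}: still open after {weeks} weeks (excluded from average)")
```

The same shape carries over to a search-language approach without subsearches: one aggregation pass taking the earliest and latest timestamp per hostname and plugin_name, a second pass averaging the resulting lifetimes per plugin_name, and a filter in between that drops rows whose latest timestamp equals the latest scan time.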