I am currently trying to make a search a little more dynamic, based off scanned devices rather than a static number:
index=network sourcetype=nessus severity!=informational signature!=*Windows* signature!=*Adobe* signature!=*Java* signature_family!="Windows : Microsoft Bulletins" signature_family!="Red Hat Local Security Checks" signature!="Google Chrome*" signature!="Firefox*" signature!="MS*" signature!="Flash Player*" signature!="Solaris*"
| dedup dest_dns signature_id
| bin span=1mon _time
| stats count by _time signature_id cvss_base_score
| eval scoreadjust=floor(cvss_base_score)
| eval scoreadjust=round(pow(scoreadjust,3)/100)
| eval riskscore=count*scoreadjust/5500
| eval my_time=_time
| convert timeformat="%m-%Y" ctime(my_time)
| stats sum(riskscore) as VulnScore by my_time
I want to replace the 5500 with dc(dest_dns) for scanned devices, rather than a number we think we scan.
Any suggestions on how I can mold my search or include this would be very helpful.
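One way to carry a per-month device count through the pipeline, as an added example that is not part of the original post: `eventstats` computes `dc(dest_dns)` per month after `bin` but before `dedup` collapses the events, and the count is then passed along with `max()` so it survives both `stats` calls and replaces the static 5500. The field names `scanned_hosts` and `ScannedHosts` are assumed.

```spl
index=network sourcetype=nessus severity!=informational signature!=*Windows* signature!=*Adobe* signature!=*Java* signature_family!="Windows : Microsoft Bulletins" signature_family!="Red Hat Local Security Checks" signature!="Google Chrome*" signature!="Firefox*" signature!="MS*" signature!="Flash Player*" signature!="Solaris*"
| bin span=1mon _time
| eventstats dc(dest_dns) as scanned_hosts by _time
| dedup dest_dns signature_id
| stats count max(scanned_hosts) as scanned_hosts by _time signature_id cvss_base_score
| eval scoreadjust=floor(cvss_base_score)
| eval scoreadjust=round(pow(scoreadjust,3)/100)
| eval riskscore=count*scoreadjust/scanned_hosts
| eval my_time=_time
| convert timeformat="%m-%Y" ctime(my_time)
| stats sum(riskscore) as VulnScore max(scanned_hosts) as ScannedHosts by my_time
```

Because the base search still excludes informational findings, `scanned_hosts` only counts hosts that had at least one matching finding that month; a host whose scan returned nothing but informational results is not in the denominator, so compute the count without the severity filter if that matters for your reporting.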