I am looking for the most efficient way to do a subsearch to see whether vulnerabilities that existed 90 days ago still exist now.
Currently I run a search from 90 days back, export the results to a CSV, and then do a lookup and pass those values to the search, but I want to automate this process instead of constantly updating a lookup file. I have listed the base search below.
index=network sourcetype=nessus severity!=informational
| dedup signature_id, dest_dns
| eval hostnamesplit=split(dest_dns,".")
| eval hostnamesplit=mvindex(hostnamesplit,0)
| lookup AssetTag.csv Asset as hostnamesplit OUTPUT BusinessUnit1 System1
| eval Combo=mvzip(BusinessUnit1, System1)
| fields - System1, BusinessUnit1
| mvexpand Combo
| makemv Combo delim=","
| eval BU1=mvindex(Combo,0)
| eval Sys1=mvindex(Combo,1)
| fields - Combo
| dedup hostnamesplit signature_id BU1 Sys1
| table BU1 signature Sys1 dest_dns severity
| rename Sys1 AS "System", signature AS "Signature", BU1 AS "Business Unit", dest_dns AS "Host", severity AS "Severity"
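One way to get the "still present now vs. 90 days ago" comparison without a lookup file is to pull the whole 90-day window in a single search, tag each event as belonging to the baseline or the current window, and aggregate by finding. This is an added example, not code from the poster; it reuses the field names from the search above (signature_id, dest_dns, signature, severity) and assumes the last 7 days count as "current", which is an arbitrary choice you would adjust to your scan cadence.

```spl
index=network sourcetype=nessus severity!=informational earliest=-90d@d latest=now
``` tag each event with the window it fell in; the 7-day "current" boundary is an assumption ```
| eval window=if(_time < relative_time(now(), "-7d@d"), "baseline", "current")
``` one row per finding per host; values(window) collects which windows it was seen in ```
| stats earliest(_time) AS first_seen, latest(_time) AS last_seen, values(window) AS windows, values(severity) AS severity BY signature_id, dest_dns, signature
| eval status=case(mvcount(windows)=2, "persisting", windows="baseline", "gone_or_not_rescanned", windows="current", "new")
``` keep only findings seen in both the baseline and the current window ```
| where status="persisting"
| eval hostnamesplit=mvindex(split(dest_dns,"."),0)
| lookup AssetTag.csv Asset AS hostnamesplit OUTPUT BusinessUnit1 System1
| convert ctime(first_seen) ctime(last_seen)
| table BusinessUnit1 signature System1 dest_dns severity first_seen last_seen
```

Two caveats: a finding that is absent from the current window may be remediated or may simply not have been rescanned yet, which is why the status is labelled "gone_or_not_rescanned" rather than "fixed"; and this depends on _time reflecting the scan time of each Nessus result, so check how the sourcetype extracts timestamps before trusting the windows. The aggregation replaces the dedup in the original search, since stats already collapses repeated scans of the same signature_id/dest_dns pair.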