Hello all,
It appears that Rapid7 has goofed the TA to provide their asset data as the destination (dest field) instead of relating it to an 'actual' location as one would expect in Enterprise Security in the Vulnerability Center. You can't go there, search there, or even get their data to actually populate the panels with anything but the dest field (not dest_ip and/or dest_host).
Any thoughts on getting this to properly populate in Enterprise Security? Maybe concatenate or something here, anyone?
| tstats summariesonly=true allow_old_summaries=true dc(Vulnerabilities.signature) as vuln_count from datamodel=Vulnerabilities.Vulnerabilities where * by Vulnerabilities.severity,Vulnerabilities.dest
| chart useother=0 first(vuln_count) over Vulnerabilities.dest by Vulnerabilities.severity
| rename "Vulnerabilities.*" as *
| search dest=388062 medium=31
| eval total=case(critical>0 AND high>0,critical+high,critical>0,critical,high>0,high,1==1,0)
| eval subTotal=case(medium>0 AND low>0,medium+low,medium>0,medium,low>0,low,1==1,0)
| eval subSubTotal=case(informational>0 AND unknown>0,informational+unknown,informational>0,informational,unknown>0,unknown,1==1,0)
| sort 10 - total,subTotal,subSubTotal
| fields - total,subTotal,subSubTotal