Good afternoon and happy monday!
I'm working on trying to figure out a way to do the following :
Count of vulnerabilities per eventKey, per Application where the number of eventKeys is greater than 3.
Basically, if a certain app has assessments performed more than 3 times and one of the vuln results is not 0, then we want to flag them as a security risk.
What I have so far, which isn't working:
search appname="*" eventtype="Complete" | dedup CompltdDate | stats dc(eventKey) by appname | eval vuln_count=+Vulnerabilities+" Outstanding Vulnerabilities - - - "+eventKey | stats values(vuln_count) AS Total_Vuln by appname APS_UAID | eval unique_vulns=mvcount(vuln_count) | sort = -unique_vuln
Give this a try
search appname="*" eventtype="Complete" | dedup CompltdDate | stats count(Vulnerabilities) as Vulnerabilities by eventKey appname | eventstats dc(eventKey) as eventKeysCount by appname | where eventKeysCount>3
Based on your current query, it's difficult to find out what all fields are available and useful for your requirement. Please provide what all fields are available in all events and define their values for better answer.
Give this a try
search appname="*" eventtype="Complete" | dedup CompltdDate | stats count(Vulnerabilities) as Vulnerabilities by eventKey appname | eventstats dc(eventKey) as eventKeysCount by appname | where eventKeysCount>3
Based on your current query, it's difficult to find out what all fields are available and useful for your requirement. Please provide what all fields are available in all events and define their values for better answer.
Here's what I have for the table, and what the data looks like
APS_UAID | accessor | CompltdDate | ScanResult | Vulnerabilities | appname | eventKey | dataType
001 | name 1 | 2015-03-04 17:51:00 | Failed | 16 | application A | 20150304Rescan | Pii,Pci,Whatever
001 | name 1 | 2015-08-19 9:18:00 | Failed | 28 | application A | 20150819Rescan| Pii,Pci,Whatever
001 | name 1 | 2014-11-22 14:30:00 | Failed | 71 | application A | 20141122Baseline| Pii,Pci,Whatever
I would like to organize this like-
appname | APS_UAID | Vulnerabilities per Assessment ID
name 1 | APS_3001 | 16 - 20150304Rescan
__________________________ | 28 - 20150819Rescan
__________________________ | 71 - 20141122Baseline
| stats count by appname APS_UAID Vulnerabilities eventKey | eval vuln_count=+Vulnerabilities+" Outstanding Vulnerabilities - - - "+eventKey | stats values(vuln_count) AS "Total Vulnerabilties per Assessment ID" by appname APS_UAID | eval unique_vulns=mvcount(vuln_count) | sort by eventKey, appname
That query will do that part of it, but it will show all of them. I need to only show more than 3 assessments where none of them = 0.
If there are more than 3 scans completed per App and they are still vulnerabilities. This is how we plan to keep application owners accountable for patching and securing their internet facing applications.