Good day,
My first search pulls servername and owner from a sourcetype (database). I then need to take the servername and owner and match that info with the results from a CVE vulnerability search, having the servername as the constant in both searches. I have attempted append, join, and subsearch. I can get results, but the owner will not match up with the Host and extracted_Host in a one-to-one relationship.
Search #1
sourcetype=DB ADM
| dedup host_name
| rex field=host_name "(?(\w+\-\w+))"
| stats values(Host) as Host by owner
| where Host != " "
Search #2
sourcetype="CVE" host="VulScanner" (Risk=High OR Risk=Critical)
| eval Time=_time
| dedup Solution
| convert timeformat="%Y-%m-%d %H:%M:%S" ctime(Time)
| table Time, extracted_Host, Risk, Name, CVE, Solution, "See Also"
When I do a join this gives me the owner column, but the two Host and extracted_Host columns do not tie together.
Thank you
Somesoni2 - thank you for your help and time. The two sourcetypes do not have an exact value match for everything considered a host, but some are. One sourcetype uses a database, compiled by data sent from a local agent that lives on each server, the other sourcetype uses data received from a Nessus scan. I hope this answers your question. Thanks again!
Give this a try
sourcetype="CVE" host="VulScanner" (Risk=High OR Risk=Critical) [search sourcetype=DB ADM | dedup host_name | rex field=host_name "(?(\w+\-\w+))" | stats count by owner Host| where Host != " " | table owner Host | rename Host as extracted_Host owner as Name ]
| eval Time=_time
| dedup Solution
| convert timeformat="%Y-%m-%d %H:%M:%S" ctime(Time)
| table Time, extracted_Host, Risk, Name, CVE, Solution, "See Also"
Unfortunately, the search returns with "No results found".
For
|rex field=host_name "(?(\w+-\w+))
I had to add
"(?(\w+-\w+))"
because it initially gave the error "Regex: unmatched parentheses".
When you post code/query, select the whole query and click on the "101010" button or press Ctrl+K to format it. You can see that the rex was truncated in the question.
The query assumes that the fields Host and owner from sourcetype=DB ADM are mapped (exact value match) to the fields extracted_Host and Name from sourcetype="CVE" host="VulScanner". Is that a correct assumption?