Hi Guys,
I'm using the Qualys TA to extract VM data and I'm having some issues with making a multivalue field out of the "cve" field Qualys uses.
My "cve" field has values like:
"CVE-2017-3003, CVE-2017-3002, CVE-2017-3001, CVE-2017-3000, CVE-2017-2999, CVE-2017-2998, CVE-2017-2997"
OR
"CVE-2013-1346"
OR
"CVE-2015-2808, CVE-2013-2566"
My goal is to make it so that when I search for a single CVE (such as CVE-2017-3000), hosts with that CVE are shown. However, currently it will only show the host if my search matches the full value of the cve field, which could be over 20 CVE values. (Sorry if that doesn't make sense; it's quite hard to explain without visualisations, but I've not got enough karma to upload pictures.)
I want to use transforms and props to configure this extraction at search time. I have my regex working to capture each individual CVE.
I've been trying for a while now to no avail, could someone please show me what my transforms and props needs? Currently I have...
props.conf

    [qualys:hostDetection]
    REPORT-cve = mv-cve

transforms.conf

    [mv-cve]
    # One capture group per CVE; with MV_ADD every match in the event becomes one value of the field.
    # (A leading "cve=" in the regex would only ever match the first CVE after the key, and the
    # capture group as originally pasted was missing its closing "(?<name>" syntax, so it would not compile.)
    REGEX = (CVE-\d+-\d+)
    # FORMAT names the field ("cve") and which capture group ($1) supplies its value.
    FORMAT = cve::$1
    MV_ADD = true

(On the REGEX line: I've tried this line without the "cve=" but it shows an example with it in the docs.)
(On the FORMAT line: I don't fully understand what this line is doing, I don't think the docs are very clear.)
Any help would be greatly appreciated, cheers.
Here is a nifty trick for cases like that that avoids creating a multivalue
field (an approach that over-complicates things and can create other problems):
| makeresults | eval raw="CVE-2017-3003, CVE-2017-3002, CVE-2017-3001, CVE-2017-3000, CVE-2017-2999, CVE-2017-2998, CVE-2017-2997::CVE-2013-1346::CVE-2015-2808, CVE-2013-2566"
| makemv delim="::" raw
| mvexpand raw
| rename raw AS _raw
| eval cve=_raw
| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"
| search CVE-2017-3000
| rename COMMENT AS "This has all the potential matches"
| where mvcount(split(cve, "CVE-2017-3000"))=2
| rename COMMENT AS "Now you have all the real matches"
The nice thing about this is that you can use either a string literal or a field name inside the split command!
Can this be of any help to you? Replace the CVE with input token or change it to whichever you are searching for.
eventtype="qualys_vm_detection_event" cve=*CVE-2016-5554* | dedup 1 HOST_ID, QID | table HOST_ID, IP, QID, cve
Change the query as per your need.
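The following is an added example, not code from the thread or from the Qualys TA. It emulates in Python what the search-time transform above (REGEX with one capture group plus MV_ADD) produces from key=value events, and then compares three ways of matching a single CVE against the result: an exact match against the multivalue field, the substring match behind cve=*CVE-2017-3000*, and the mvcount(split(...))=2 test from the first answer. The event layout, host IDs and the extra CVE-2017-30001 event are constructed for illustration; the last one exists to show that both substring-style checks also return a CVE whose ID merely begins with the one you searched for.

```python
import re

# Constructed sample events in a key=value shape (layout assumed for illustration;
# real Qualys TA events carry more fields). The cve value is the comma-separated
# string the question describes. Host 1004 is a deliberate near-miss.
SAMPLE_EVENTS = [
    'HOST_ID=1001, IP=10.0.0.5, QID=90001, cve="CVE-2017-3003, CVE-2017-3002, CVE-2017-3001, CVE-2017-3000, CVE-2017-2999"',
    'HOST_ID=1002, IP=10.0.0.6, QID=90002, cve="CVE-2013-1346"',
    'HOST_ID=1003, IP=10.0.0.7, QID=90003, cve="CVE-2015-2808, CVE-2013-2566"',
    'HOST_ID=1004, IP=10.0.0.8, QID=90004, cve="CVE-2017-30001"',
]

# Same pattern as transforms.conf REGEX = (CVE-\d+-\d+); findall() plays the role
# of MV_ADD = true by collecting every match in the event as a separate value.
CVE_RE = re.compile(r"(CVE-\d{4}-\d{4,})")
HOST_RE = re.compile(r"HOST_ID=(\d+)")


def extract_cves(raw):
    """Multivalue 'cve' field as the transform would build it: one value per match."""
    return CVE_RE.findall(raw)


def cve_field_string(raw):
    """The original single-string cve field, i.e. what the TA gives you before the transform."""
    m = re.search(r'cve="([^"]*)"', raw)
    return m.group(1) if m else ""


def _host(raw):
    return HOST_RE.search(raw).group(1)


def hosts_with_cve_exact(events, cve_id):
    """Exact match against the multivalue field, like searching cve=CVE-2017-3000
    once the extraction works. Only whole values compare equal."""
    return [_host(r) for r in events if cve_id in extract_cves(r)]


def hosts_with_cve_wildcard(events, cve_id):
    """Substring match on the original string field, like cve=*CVE-2017-3000*.
    Also returns hosts whose CVE ID merely starts with the searched ID."""
    return [_host(r) for r in events if cve_id in cve_field_string(r)]


def hosts_with_cve_splitcount(events, cve_id):
    """The mvcount(split(cve, "CVE-2017-3000"))=2 test: true when the literal occurs
    exactly once as a substring. Same near-miss behaviour as the wildcard search."""
    return [_host(r) for r in events if len(cve_field_string(r).split(cve_id)) == 2]


if __name__ == "__main__":
    for name, fn in (("exact", hosts_with_cve_exact),
                     ("wildcard", hosts_with_cve_wildcard),
                     ("splitcount", hosts_with_cve_splitcount)):
        print(f"{name:10s} CVE-2017-3000 -> hosts {fn(SAMPLE_EVENTS, 'CVE-2017-3000')}")
```

The exact check is the behaviour the question is after: once the transform emits one value per CVE, a plain cve=CVE-2017-3000 search compares against each value and host 1004 is not returned. The two substring approaches work for any CVE whose ID is not a prefix of another ID on the same host, which is most of the time, but a bounded pattern (or the multivalue field) is the safer choice when the results feed a remediation list.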
Hi somesoni2,
Thanks for the links, but I've already looked at them and they didn't help too much. I don't really understand why my configs aren't working! :'(