All Apps and Add-ons

Nessus scan - select last (not closed) vulnerabilities

lorder
Explorer

I have scans (from the Nessus add-on). Some hosts were scanned multiple times. When I select severity="critical" I see old vulnerabilities. For example:

IP, plugin-id, timestamp
10.0.0.1, 90315, 1537252785
10.0.0.1, 90316, 1537252785
10.0.0.1, 90317, 1537252785
10.0.0.1, 90318, 1537252785
10.0.0.2, 90421, 1537187491
10.0.0.2, 90422, 1537187491
10.0.0.2, 90423, 1537187491
10.0.0.2, 90424, 1537187491
10.0.0.1, 90316, 1537624344
10.0.0.1, 90318, 1537624344
10.0.0.1, 90319, 1537624344
10.0.0.2, 90422, 1537538233
10.0.0.2, 90428, 1537538233

As you can see, for 10.0.0.1 the max timestamp is 1537624344 and for 10.0.0.2 the max timestamp is 1537538233.

How do I select only the events with the max timestamp for each IP:
10.0.0.1, 90316, 1537624344
10.0.0.1, 90318, 1537624344
10.0.0.1, 90319, 1537624344
10.0.0.2, 90422, 1537538233
10.0.0.2, 90428, 1537538233

And how do I select only the new plugin-ids for the max timestamp:
10.0.0.1, 90319, 1537624344
10.0.0.2, 90428, 1537538233

Thanks!

0 Karma

lorder
Explorer

Unfortunately there is no answer; perhaps it is very difficult.
Then please suggest how to select each IP and, for each IP, the maximum value of timestamp. Like this:

IP, timestamp
10.0.0.1, 1537624344
10.0.0.2, 1537538233

Thanks!

0 Karma

lorder
Explorer

IP, timestamp
10.0.0.1, 1537624344
10.0.0.2, 1537538233

I made a search like this:
| inputcsv test1.csv | sort 0 - timestamp | dedup IP | table IP, timestamp
Is it optimal from the point of view of run time?

And how do I use the found data in a new query, for only those rows?
How do I find from svc all data where ip, timestamp = (10.0.0.1, 1537624344) and (10.0.0.2, 1537538233)?

0 Karma
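The three searches the thread asks for, as an added example (not posted by lorder or taken from the Nessus add-on): the first keeps only each host's latest scan, the second keeps only findings that were not present in any earlier scan of that host, and the third feeds the latest (IP, timestamp) pairs into a subsearch against the raw events. It assumes the CSV columns are named IP, plugin_id and timestamp, and that the raw scan events live in an index called svc (a placeholder for whatever index or sourcetype the add-on actually writes to).

```spl
| inputcsv test1.csv
| eventstats max(timestamp) AS latest_ts BY IP
| where timestamp = latest_ts
| table IP, plugin_id, timestamp

| inputcsv test1.csv
| eventstats max(timestamp) AS latest_ts BY IP
| eval in_latest = if(timestamp = latest_ts, 1, 0)
| stats sum(in_latest) AS seen_latest, count AS seen_total, max(timestamp) AS timestamp BY IP, plugin_id
| where seen_latest > 0 AND seen_latest = seen_total
| table IP, plugin_id, timestamp

index=svc [| inputcsv test1.csv | stats max(timestamp) AS timestamp BY IP ]
```

On the sample data the first search returns the five rows with timestamps 1537624344 and 1537538233, and the second returns only plugin_id 90319 for 10.0.0.1 and 90428 for 10.0.0.2, since a finding still open from an earlier scan has seen_total greater than seen_latest. The subsearch is expanded by Splunk into (IP="10.0.0.1" AND timestamp="1537624344") OR (IP="10.0.0.2" AND timestamp="1537538233"), so the outer search only returns events from each host's latest scan.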