I'm trying to figure out the smartest way to track vulnerability data over time and account for how DHCP may mean that a single host is scanned at multiple IPs.
So, I've tried a search that looks for all vulnerability data and then it does an inner join by dest
and _time
on a subsearch that looks for a particular event ID that contains the hostname. I'm guessing I can them do a | streamstats max(_time) AS last_scan by dest | where _time=last_scan
.
But for whatever reason, this search doesn't come back with any results:
index=vulnerabilities sourcetype=nessus NOT "Plugin ID,CVE," NOT dest=\*/* | join type=inner _time,dest [search index=vulnerabilities nessus_id="11936" OR nessus_id="12053" OR nessus_id="60035" NOT dest=\*/* | rex field=plugin_output "(?i)resolves\sas\s(?P<hostname>[^\.]+)\.(?P<domainname>\S+)?\." | eval hostname=if(isnull(hostname),dest,hostname) | fields hostname] | table _time,dest,hostname,signature_name
What am I doing wrong here?
One reason that it does not work (correctly) is that you cannot escape asterisks in SPL so this part is bad:
NOT dest=\*/*
You have to do something like this instead:
| regex dest!="\*/.*"
Try this. Any results?
index=vulnerabilities sourcetype=nessus | join type=inner _time,dest [search index=vulnerabilities | rex field=plugin_output "(?i)resolves\sas\s(?P<hostname>[^\.]+)\.(?P<domainname>\S+)?\." | eval hostname=if(isnull(hostname),dest,hostname) | fields hostname]
Not really sure about the index. Try breaking down the entire query and make sure that each part is working as expected.
The parentheses didn't change anything...
Are parentheses required for your sub search to work?
[search index=vulnerabilities (nessus_id="11936" OR nessus_id="12053" OR nessus_id="60035") NOT dest=\*/*
Tim.