(index=nvd sourcetype=vuln_feed) OR (index=nessusta sourcetype=nessus:plugin)
| eval CVE1=coalesce(CVE,cve)
| chart first(_time) as Recent_Time over CVE1 by index
| rename nvd as Recent_Time, nessusta as Recent_Time2
| eval NoOfWeeks=floor(abs(Recent_Time2-Recent_Time)/86400/7)
| convert ctime(Recent_Time*) as Recent_Time*
| eval Sev=case(NoOfWeeks>=0 AND NoOfWeeks<=4,"High", NoOfWeeks>=5 AND NoOfWeeks<=8,"Medium", NoOfWeeks>=9 AND NoOfWeeks<=16,"Low")
I need some suggestions. In the above statement, coalesce(CVE,cve), the list of "CVE" has 100+ values, whereas cve has only 2 values,
and when I run the above query, this is what I see below:
CVE1            Recent_Time2   NoOfWeeks   Recent_Time            Sev
CVE-2016-5672   8/16           0           08/08/2016 22:04:24    High
However, I am trying to find how I can get the % of CVE and cve and then search it by Sev (High, Low, Medium).
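One way to get the share of CVEs in each Sev bucket, as an added example rather than part of the original post. It assumes the same indexes and field names as the query above; it also keeps CVEs that appear in only one of the two indexes (as "Unmatched") and those older than 16 weeks (as "Older") so they are counted in the total instead of being silently dropped.

```spl
(index=nvd sourcetype=vuln_feed) OR (index=nessusta sourcetype=nessus:plugin)
| eval CVE1=coalesce(CVE,cve)
| chart first(_time) over CVE1 by index
| rename nvd as Recent_Time, nessusta as Recent_Time2
| eval NoOfWeeks=if(isnotnull(Recent_Time) AND isnotnull(Recent_Time2),
        floor(abs(Recent_Time2-Recent_Time)/86400/7), null())
| eval Sev=case(NoOfWeeks<=4,"High", NoOfWeeks<=8,"Medium", NoOfWeeks<=16,"Low",
        isnotnull(NoOfWeeks),"Older", true(),"Unmatched")
| stats count as CVEs by Sev
| eventstats sum(CVEs) as TotalCVEs
| eval Pct=round(100*CVEs/TotalCVEs,1)
| table Sev CVEs TotalCVEs Pct
```

To look at only one bucket, put `| search Sev=High` (or Medium/Low) right after the `eval Sev=...` line, before the `stats`; the percentage is then computed against that bucket alone, so drop the filter when you want the share of the whole population.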