I'm trying to filter my Tenable results to show only vulnerabilities seen within the last 7 days. Here is my current search:
index=tenable (riskFactor=Critical OR riskFactor=High OR riskFactor=Medium OR riskFactor=Low) earliest=-2d
| where lastSeen < relative_time(now(),"-7d")
| eval LastSeen=strftime(lastSeen,"%Y-%m-%d")
| stats count by ip,riskFactor,pluginName,dnsName,solution,scan_result_info.name,LastSeen
| stats list(pluginName) list(solution) list(LastSeen) list(riskFactor) list(count) sum(count) by scan_result_info.name,ip,dnsName
| sort -sum(count)
If I remove the
| where lastSeen < relative_time(now(),"-7d")
then I get results. By default the lastSeen values are in epoch time format.
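As an added example (not part of the original post), the search below builds four constructed rows with epoch `lastSeen` values 1, 5, 9 and 13 days before now, and shows which rows each comparison direction against `relative_time(now(),"-7d")` matches. The fields `n`, `cutoff`, `older_than_7d` and `within_7d` are introduced only for this illustration.

```spl
| makeresults count=4
| streamstats count AS n
| eval lastSeen = now() - ((n * 4) - 3) * 86400
| eval cutoff = relative_time(now(), "-7d")
| eval older_than_7d = if(lastSeen < cutoff, "yes", "no")
| eval within_7d = if(lastSeen >= cutoff, "yes", "no")
| eval LastSeen = strftime(lastSeen, "%Y-%m-%d")
| table n LastSeen older_than_7d within_7d
```

A `where lastSeen < cutoff` clause keeps only the rows marked `older_than_7d`, while `where lastSeen >= cutoff` keeps the rows seen inside the seven-day window. Separately, `earliest=-2d` in a base search restricts events by their `_time`, independently of the `lastSeen` field.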