Hello, I am trying to figure out how many good IP addresses vs bad IP addresses there are based on Tenable Security Center results (severity=low, medium, high, critical). A good scan should show multiple severity level results, whereas a bad scan would not show as many severity level results. I would like to get as many fields filled as possible based on the SPL query.

More importantly, I would like to get the good vs bad scan results (credentialed scans) from Tenable Security Center (ACAS). What I mean by this is that when a scan has been initiated, you know a good scan vs a bad scan, where a good scan can pull multiple vulnerabilities based on the severity levels, whereas a bad scan does not pull as many vulnerabilities and the severity levels are very low or close to nothing at all.

I created an SPL query that provides the 26 data standard fields:

IP, repository.dataFormat, netbiosName, dnsName, AWS, hostname, macAddress, OS_Type, OS_Version, operatingSystem, SystemManufacture, SystemSerialNumber, SystemModel, AWSAccountNumber, AWSInstanceID, AWSENI, passFail, plugin_id, pluginName, repository.name, cpe, low, medium, high, critical, total, Country, lat, lon

SPL Query

earliest=-7d@d index=acas sourcetype="tenable:sc:vuln"
| rex field=operatingSystem "^(?P<OS_Type>\w+)\.(?P<OS_Version>.*)$"
| rex field=dnsName "^(?P<hostname>\w+)\.(?P<domain>.*)$"
| rex field=system "^(?P<manufacture>\w+)\.(?P<serialnumber>.*)$"
| rex field=pluginText "\<cm\:compliance-result\>(?<status>\w+)\<\/cm\:compliance-result\>"
| eval AWS=if(like(dnsName,"clou%"),"TRUE","FALSE")
| iplocation ip
| eventstats count(eval(severity="informational")) as informational, count(eval(severity="low")) as low, count(eval(severity="medium")) as medium, count(eval(severity="high")) as high, count(eval(severity="critical")) as critical by ip
| dedup ip
| eval total = low+medium+high+critical
| table ip, repository.dataFormat, netbiosName, dnsName, AWS, hostname, macAddress, OS_Type, OS_Version, operatingSystem, SystemManufacture, SystemSerialNumber, SystemModel, AWSAccountNumber, AWSInstanceID, AWSENI, passFail, plugin_id, pluginName, repository.name, cpe, low, medium, high, critical, total, Country, lat, lon
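
The good-vs-bad split described in the post can be written as a per-IP classification followed by a count. This is an added example, not part of the original post; it reuses the index, sourcetype and severity values from the query above, and the two thresholds (`assumed_min_levels`, `assumed_min_findings`) are assumptions to tune against scans already known to be credentialed.

```spl
earliest=-7d@d index=acas sourcetype="tenable:sc:vuln"
| stats count(eval(severity="low")) as low,
        count(eval(severity="medium")) as medium,
        count(eval(severity="high")) as high,
        count(eval(severity="critical")) as critical,
        dc(eval(if(severity!="informational", severity, null()))) as severity_levels
        by ip
| eval total = low + medium + high + critical
| eval assumed_min_levels = 2, assumed_min_findings = 5
| eval scan_quality = if(severity_levels >= assumed_min_levels AND total >= assumed_min_findings, "good", "bad")
| stats count as ip_count, avg(total) as avg_findings by scan_quality
```

Dropping the final `stats` leaves one row per IP with its `scan_quality`, which is the form to use when the hosts labelled "bad" need to be rescanned.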