Hello,
We'd like to create a dashboard for our vulnerability data. Our two main goals are:
1. Track the number of vulnerabilities over a selected time period (e.g. 30 days, 45 days, etc.)
2. Show the current "vulnerability state" of an asset or group of assets (the data of the last performed scan).
There are no surprises for the first part, but for the second one we can't find a way to show the data of the last scan only. Our scans have different frequencies for different assets, so we can't just select a time period equal to the scan frequency. We tried to use the value of the last_discovered field and then use the max function in order to track the last scan, like below:
| streamstats max(last_discovered) as last_scan
| where last_discovered=last_scan
But it does not work because a scan can take a few seconds, so the last_discovered field's values are not the same.
Do you have any ideas on how we can get only the date of the last scan?
Thanks.
There are several options for how to do this, but all will require a bit more information on the source data.
Can you post an abbreviated version of a couple of events? (Really, we just need all the date fields, and a tiny bit of the "data" part so we can get a feel for it).
Hi @rich7177 ,
Here are two events with all date fields and some additional fields as well:
cve | CVE-2019-11111
cvss | 9.80
dest | my_dest_name
first_discovered | 2020-01-14 16:33:19.121
host | my_host
index | my_index
ip | 123.45.67.89
most_recently_discovered | 2020-01-22 18:11:28.127
severity | critical
signature | CVE-2019-11111: Remote Code Execution
solution_summary | Apply the MMM
source | xxx.log
sourcetype | my_sourcetype
timestamp | 2020-01-22 18:11:28.127

cve | CVE-2019-22222
cvss | 9.60
dest | my_dest_name
first_discovered | 2020-01-22 18:11:28.126
host | my_host
index | my_index
ip | 123.45.67.89
most_recently_discovered | 2020-01-22 18:11:28.126
severity | critical
signature | CVE-2019-22222: Access
solution_summary | Apply the NNN
source | xxx.log
sourcetype | my_sourcetype
timestamp | 2020-01-22 18:11:28.126
I thought about rounding the value of the most_recently_discovered field as a workaround:
| eval scan_epoch = strptime(most_recently_discovered, "%Y-%m-%d %H:%M:%S.%3N")
| eval scan_bucket = floor(scan_epoch/600)*600
| eval scan_bucket_str = strftime(scan_bucket, "%Y-%m-%d %H:%M:%S")
Thanks for the help.
OK, so let's recount what we're trying to do.
Does the vulnerability scanner include an event for when a particular CVE had applied previously but no longer applies?
(If it does, we can use a simpler method probably, but I'm assuming not because I haven't seen one that does yet...)
In that case, we need to probably find the latest scan for any host, then only use that latest scan's information. Right?
Is there any field that is consistent across a single scan, but not the same as a previous scan? For instance, something like a scan id would work, or maybe a "scan start time?" This can be per host, or overall for that entire scan - as long as it separates subsequent scans of the same host in some way.
Here's what I'm thinking. What we'll have to do is find the latest scan for each host using a subsearch, and we'll feed that back into the main search to get the pile of results for each scan of the host.
If no such scanid or similar thing exists, this is still possible but just harder. How often do scans run? Daily? Weekly? If they are separated by long enough, maybe this isn't hard even without a scanid.
Anyway, information gathering phase is getting close to done. Soon maybe we can start on an actual search... 🙂
Hi @rich7177,
I think I have to provide you with a bit more information.
There are actually two sourcetypes we have in logs: vulnerability and asset. The first one lists all discovered vulnerabilities one by one on each device with vulnerability name, severity, category, etc. The second one provides information about every scanned asset at the end of each scan with the total number of discovered vulnerabilities, asset score, etc.
We've decided to use the second sourcetype to show the information for a group of assets because the filtering by most_recently_discovered date could be implemented easily. One thing that remains is to list all vulnerabilities for a selected asset (where we need the vulnerability sourcetype). It means that we have no need to perform a subsearch to find a last scan date for each asset, as we have only one asset selected for this part of the dashboard.
Unfortunately, we weren't able to find a field with a constant value for a single scan such as scan_id or scan_start_time. That's why we thought about using the value of the most_recently_discovered field, which stays almost the same for an asset for each scan. Different vulnerabilities of the same scan could have a difference, but a really small one, maybe a few seconds (which is where the idea to use the floor command comes from). Our purple team does not have a "locked" scan schedule (a scan could be launched out of schedule because of a particular vulnerability test, etc.), but different scans will surely have a difference of at least a few hours.
Thanks for the help!
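The two approaches discussed in this thread (rounding most_recently_discovered with floor, and picking the latest scan per host) can be compared on a small data set before committing to an SPL search. The following Python is an added example, not code from the thread or from any scanner vendor; the events are constructed to mirror the two posted above (hypothetical hosts and CVE ids), and the 10-minute gap threshold is an assumption drawn from the poster's "seconds within a scan, hours between scans" description. It shows the edge case of the floor workaround: a scan whose timestamps straddle a bucket boundary is split into two "scans", whereas grouping by the gap between consecutive timestamps keeps it whole.

```python
from datetime import datetime, timedelta

# Constructed sample events modelled on the two posted in the thread (not the
# poster's real data). One host has two scan sessions: vulnerabilities inside a
# session differ by seconds, the sessions are days apart. The second session
# deliberately straddles a 10-minute boundary (18:09:59.9 -> 18:10:00.2).
EVENTS = [
    {"host": "my_host", "cve": "CVE-2019-11111", "most_recently_discovered": "2020-01-20 09:00:01.100"},
    {"host": "my_host", "cve": "CVE-2019-22222", "most_recently_discovered": "2020-01-20 09:00:03.400"},
    {"host": "my_host", "cve": "CVE-2019-11111", "most_recently_discovered": "2020-01-22 18:09:59.900"},
    {"host": "my_host", "cve": "CVE-2019-33333", "most_recently_discovered": "2020-01-22 18:10:00.200"},
    {"host": "other_host", "cve": "CVE-2019-44444", "most_recently_discovered": "2020-01-21 03:15:10.000"},
]

TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f"   # matches the millisecond timestamps in the posted events
EPOCH = datetime(1970, 1, 1)


def parse_ts(value):
    """Parse a most_recently_discovered string into a naive datetime."""
    return datetime.strptime(value, TS_FORMAT)


def floor_bucket(ts, seconds=600):
    """The floor() workaround from the thread: truncate to a fixed-size bucket.
    Integer seconds since a fixed epoch keep the arithmetic exact and timezone-free."""
    elapsed = int((ts - EPOCH).total_seconds())
    return EPOCH + timedelta(seconds=(elapsed // seconds) * seconds)


def scans_by_floor(events, host, seconds=600):
    """Group one host's events by fixed bucket. Returns {bucket_start: [cve, ...]}.
    A scan that crosses a bucket boundary shows up as two buckets."""
    buckets = {}
    for e in events:
        if e["host"] != host:
            continue
        bucket = floor_bucket(parse_ts(e["most_recently_discovered"]), seconds)
        buckets.setdefault(bucket, []).append(e["cve"])
    return buckets


def scans_by_gap(events, host, max_gap=timedelta(minutes=10)):
    """Split one host's events into scan sessions: sort by timestamp and start a
    new session whenever the gap to the previous event exceeds max_gap.
    Returns a list of sessions, oldest first, each a list of events."""
    host_events = sorted(
        (e for e in events if e["host"] == host),
        key=lambda e: parse_ts(e["most_recently_discovered"]),
    )
    sessions = []
    prev_ts = None
    for e in host_events:
        ts = parse_ts(e["most_recently_discovered"])
        if prev_ts is None or ts - prev_ts > max_gap:
            sessions.append([])
        sessions[-1].append(e)
        prev_ts = ts
    return sessions


def latest_scan_cves(events, host, max_gap=timedelta(minutes=10)):
    """CVEs reported in the most recent scan session of a host (sorted),
    or an empty list if the host has no events."""
    sessions = scans_by_gap(events, host, max_gap)
    if not sessions:
        return []
    return sorted(e["cve"] for e in sessions[-1])


if __name__ == "__main__":
    # The floor workaround splits the second scan of my_host across two buckets.
    for bucket, cves in sorted(scans_by_floor(EVENTS, "my_host").items()):
        print("floor bucket", bucket, cves)
    # Gap-based grouping keeps both vulnerabilities of that scan together.
    print("latest scan of my_host:", latest_scan_cves(EVENTS, "my_host"))
```

The gap threshold only needs to sit between the largest intra-scan spread (seconds) and the smallest inter-scan interval (hours), so a value such as 10 minutes has a wide safety margin; if that margin ever shrinks, the fixed-bucket approach fails first. In SPL the same idea is normally expressed by sorting the selected host's events by timestamp and using streamstats to carry the previous event's timestamp forward so the gap can be compared.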