Hi users,
I am trying to combine the outputs of two different searches and stack them in a chart.
The idea is to find the most popular IPs in my network based on vulnerability severity high OR critical, and then chart each popular IP with its respective number of vulns (high OR critical).
Here is how I started dealing with this:
sourcetype=nessus severity=high OR severity=critical earliest=-30d@mon latest=now| top 5 severity,dest_ip|chart sum(count) by dest_ip,severity
However, the above lists only IPs with severity==high because there are more high vulns for all of the IPs.
Bearing the above in mind, and hoping that I can still list the most popular IPs (total of high + critical vulns for each IP), I thought combining searches, that is have one to find the most popular IPs (high + critical) and then somehow instruct the other search to take from the listed previously IPs and list how many critical vulns. Below is the attempt:
|set union [search sourcetype=nessus severity=high OR severity=critical earliest=-30d@mon latest=now| top 5 severity,dest_ip|chart sum(count) by dest_ip,severity] [search sourcetype=nessus severity=critical OR severity=high earliest=-30d@mon latest=now| top 5 severity,dest_ip| where severity=critical| chart sum(count) by dest_ip,severity]
However, the above lists again only machines with high vulns. Critical ones are missing.
Could anyone help?
Regards,
Evang
Try this approach:
sourcetype=nessus severity=high OR severity=critical earliest=-30d@mon latest=now
| chart count by dest_ip severity
| sort -high
| streamstats count as rank_high
| sort -critical
| streamstats count as rank_critical
| where rank_high <= 10 OR rank_critical <=10
| fields - rank_high rank_critical
| addcoltotals high critical
| sort -total
This approach uses sorting plus streamstats
to identify the top IPs based on high severity, plus the top based on critical severity. The where
command keeps the top 10 in both groups. If you show this as a graphic chart, you may want to eliminate the last 2 lines, which calculates an overall total of the two categories.
This should give you no more than 20 IPs in the resulting chart.
Try this approach:
sourcetype=nessus severity=high OR severity=critical earliest=-30d@mon latest=now
| chart count by dest_ip severity
| sort -high
| streamstats count as rank_high
| sort -critical
| streamstats count as rank_critical
| where rank_high <= 10 OR rank_critical <=10
| fields - rank_high rank_critical
| addcoltotals high critical
| sort -total
This approach uses sorting plus streamstats
to identify the top IPs based on high severity, plus the top based on critical severity. The where
command keeps the top 10 in both groups. If you show this as a graphic chart, you may want to eliminate the last 2 lines, which calculates an overall total of the two categories.
This should give you no more than 20 IPs in the resulting chart.
That worked!
Thank you very much indeed lguinn.
Hope some day I'll be able to help guys like me in the future!
Regards,
Evang
Try this:
sourcetype=nessus severity=high OR severity=critical earliest=-30d@mon latest=now
| chart count by dest_ip severity
| sort -high
| streamstats count as rank_high
| sort -critical
| streamstats count as rank_critical
| where rank_high <= 10 OR rank_critical <=10
| fields - rank_high rank_critical
It is a little complex! You really are combining two independent "Top Tens" - one based on critical severity and the other based on high severity. You could do this with other commands like join
or append
but this approach should be much more efficient and work with large data sets.
Hi tom_frotscher,
I tried with both of them,
| fields dest_ip critical high
| table dest_ip critical high
It didn't worked. I tried also with a fieldnull, same thing.
Regards,
Evang
I think what Iguinn meant was to delete the last two lines of the search string that was posted. Because this just calculates the totals of the columns.
If you just want to keep certain fields, use the table or fields command after your search to achieve this. For example:
... | table dest_ip critical high
Hi lguinn,
Wow, that worked amazingly!
However, I haven't thought that it would be that (let's say ) advanced, using streamstats and staff. I'll keep that script though in my one-note to be processed for future queries.
One more question though, how to eliminate 2 lines as you say? I am attempting to keep only dest_ip, critical and high fields but it doesn't work.
Regards,
Evang