I have created the search below which:

Filters to only the hostnames that I want
Then extracts the STIG ID from those results
Then extracts the control's status
Lastly, consolidates Errors, Failed, and Warnings into a group of "Failed" controls, with the remaining being "Passed"

What I would like to do is identify any controls that have passed across all of the hostnames and, vice versa, identify the controls that have failed across all of the hostnames.

Example: 15 STIG ID(s) have Failed across all hosts. 200 STIG ID(s) have Passed across all hosts.

    Failed    Passed
    15        200

index="tenable" sourcetype="tenable:sc:vuln" repository="Audit Repository"
    [ inputlookup windows10_hostnames.csv
    | fields dnsName ]
| rex field=pluginName "(?<stigid>\w{4}\S\w{2}\S\d{6})\s+.*"
| rex field=pluginText "\<cm\:compliance-result\>(?<status>\w+)\<\/cm\:compliance-result\>"
| eval passFail=if(IN(status,"ERROR","FAILED","WARNING"), "Failed","Passed")

I tried appending the below to the end of this query. While it's interesting data, I'm having a hard time figuring out the comparison and filtering to get the desired output in the table above.

| stats values(stigid) by dnsName passFail
| stats count by dnsName passFail

Any help is much appreciated.
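The "across all hosts" logic in the question is a per-STIG-ID aggregation, not a per-host one: group the pass/fail results by stigid, then ask whether every in-scope host passed, every in-scope host failed, or neither. The script below is an added example, not code from the original post or from Tenable/Splunk; it reimplements the post's two rex extractions and the Errors/Failed/Warnings collapse in Python over constructed sample events (the host names, STIG IDs and plugin text are made up) so the comparison step can be seen end to end. It also handles two cases the question does not mention but that bite in practice: a control that was never reported for one of the in-scope hosts (counted as "Incomplete" rather than silently passed), and a host with more than one result for the same control (any failing result makes that host failed for the control).

```python
import re
from collections import defaultdict

# Same extractions as the post's rex commands: STIG ID from pluginName,
# compliance result from the <cm:compliance-result> element in pluginText.
STIGID_RE = re.compile(r"(?P<stigid>\w{4}\S\w{2}\S\d{6})\s+.*")
STATUS_RE = re.compile(r"<cm:compliance-result>(?P<status>\w+)</cm:compliance-result>")

# Statuses the post collapses into "Failed"; everything else is "Passed".
FAIL_STATUSES = {"ERROR", "FAILED", "WARNING"}

# Constructed sample data (not real scan output). Three hosts are in scope,
# as the windows10_hostnames.csv lookup would provide; ws99 is not.
HOSTS_IN_SCOPE = ["ws01.example.local", "ws02.example.local", "ws03.example.local"]


def _ev(host, plugin_name, status):
    return {"dnsName": host,
            "pluginName": plugin_name,
            "pluginText": "<cm:compliance-result>%s</cm:compliance-result>" % status}


SAMPLE_EVENTS = [
    # Passed on every in-scope host
    _ev("ws01.example.local", "WN10-00-000005 Constructed check A", "PASSED"),
    _ev("ws02.example.local", "WN10-00-000005 Constructed check A", "PASSED"),
    _ev("ws03.example.local", "WN10-00-000005 Constructed check A", "PASSED"),
    # Failed on every in-scope host, via three different failing statuses
    _ev("ws01.example.local", "WN10-00-000010 Constructed check B", "FAILED"),
    _ev("ws02.example.local", "WN10-00-000010 Constructed check B", "ERROR"),
    _ev("ws03.example.local", "WN10-00-000010 Constructed check B", "WARNING"),
    # Mixed: two hosts pass, one fails
    _ev("ws01.example.local", "WN10-00-000015 Constructed check C", "PASSED"),
    _ev("ws02.example.local", "WN10-00-000015 Constructed check C", "PASSED"),
    _ev("ws03.example.local", "WN10-00-000015 Constructed check C", "FAILED"),
    # Incomplete: ws03 never reported this control at all
    _ev("ws01.example.local", "WN10-00-000020 Constructed check D", "PASSED"),
    _ev("ws02.example.local", "WN10-00-000020 Constructed check D", "PASSED"),
    # Out-of-scope host: must be ignored, like the subsearch filter does
    _ev("ws99.example.local", "WN10-00-000005 Constructed check A", "FAILED"),
    # Plugin with no STIG ID in its name: the rex would not extract stigid
    _ev("ws01.example.local", "Some plugin without a STIG id", "PASSED"),
]


def classify(event):
    """Return (dnsName, stigid, 'Passed'|'Failed'), or None if a field does not parse."""
    m_id = STIGID_RE.search(event.get("pluginName", ""))
    m_st = STATUS_RE.search(event.get("pluginText", ""))
    if not (m_id and m_st):
        return None
    status = m_st.group("status").upper()
    pass_fail = "Failed" if status in FAIL_STATUSES else "Passed"
    return event["dnsName"], m_id.group("stigid"), pass_fail


def cross_host_verdicts(events, hosts_in_scope):
    """Map each stigid to 'Passed', 'Failed', 'Mixed' or 'Incomplete' across the in-scope hosts."""
    scope = set(hosts_in_scope)
    per_stig = defaultdict(dict)  # stigid -> {host: 'Passed'|'Failed'}
    for event in events:
        row = classify(event)
        if row is None:
            continue
        host, stigid, pass_fail = row
        if host not in scope:
            continue
        # A failing result is sticky: one failed run makes the host failed for this control.
        if per_stig[stigid].get(host) != "Failed":
            per_stig[stigid][host] = pass_fail

    verdicts = {}
    for stigid, by_host in per_stig.items():
        if set(by_host) != scope:
            verdicts[stigid] = "Incomplete"  # at least one host has no result for it
        elif all(v == "Passed" for v in by_host.values()):
            verdicts[stigid] = "Passed"
        elif all(v == "Failed" for v in by_host.values()):
            verdicts[stigid] = "Failed"
        else:
            verdicts[stigid] = "Mixed"
    return verdicts


def summarize(verdicts):
    """Counts in the shape of the table in the question, plus the two extra buckets."""
    counts = {"Failed": 0, "Passed": 0, "Mixed": 0, "Incomplete": 0}
    for verdict in verdicts.values():
        counts[verdict] += 1
    return counts


if __name__ == "__main__":
    results = cross_host_verdicts(SAMPLE_EVENTS, HOSTS_IN_SCOPE)
    for stigid in sorted(results):
        print(stigid, results[stigid])
    print(summarize(results))
```

The same shape in SPL would be a `stats ... by stigid` rather than `by dnsName`: count distinct hosts seen and distinct failing hosts per STIG ID, then compare each against the total number of in-scope hosts. Keep the "Incomplete" distinction whichever way you build it; a control that simply never appeared for a host should not be reported as passed on that host.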