Here's what I have for the table, and what the data looks like
APS_UAID | accessor | CompltdDate | ScanResult | Vulnerabilities | appname | eventKey | dataType
001 | name 1 | 2015-03-04 17:51:00 | Failed | 16 | application A | 20150304Rescan | Pii,Pci,Whatever
001 | name 1 | 2015-08-19 9:18:00 | Failed | 28 | application A | 20150819Rescan| Pii,Pci,Whatever
001 | name 1 | 2014-11-22 14:30:00 | Failed | 71 | application A | 20141122Baseline| Pii,Pci,Whatever
I would like to organize this like-
appname | APS_UAID | Vulnerabilities per Assessment ID
name 1 | APS_3001 | 16 - 20150304Rescan
__________________________ | 28 - 20150819Rescan
__________________________ | 71 - 20141122Baseline
| stats count by appname APS_UAID Vulnerabilities eventKey | eval vuln_count=+Vulnerabilities+" Outstanding Vulnerabilities - - - "+eventKey | stats values(vuln_count) AS "Total Vulnerabilties per Assessment ID" by appname APS_UAID | eval unique_vulns=mvcount(vuln_count) | sort by eventKey, appname
That query will do that part of it, but it will show all of them. I need to only show more than 3 assessments where none of them = 0.
If there are more than 3 scans completed per App and they are still vulnerabilities. This is how we plan to keep application owners accountable for patching and securing their internet facing applications.
... View more