Hi users,
I am trying to combine the outputs of two different searches and stack them in a chart.
The idea is to find the most popular IPs in my network based on vulnerability severity high OR critical, and then chart each popular IP with its respective number of vulns (high OR critical).
Here is how I started dealing with this:
sourcetype=nessus severity=high OR severity=critical earliest=-30d@mon latest=now| top 5 severity,dest_ip|chart sum(count) by dest_ip,severity
However, the above lists only IPs with severity==high because there are more high vulns for all of the IPs.
Bearing the above in mind, and hoping that I can still list the most popular IPs (total of high + critical vulns for each IP), I thought of combining searches, that is, have one to find the most popular IPs (high + critical) and then somehow instruct the other search to take the previously listed IPs and list how many critical vulns each has. Below is the attempt:
|set union [search sourcetype=nessus severity=high OR severity=critical earliest=-30d@mon latest=now| top 5 severity,dest_ip|chart sum(count) by dest_ip,severity] [search sourcetype=nessus severity=critical OR severity=high earliest=-30d@mon latest=now| top 5 severity,dest_ip| where severity=critical| chart sum(count) by dest_ip,severity]
However, the above lists again only machines with high vulns. Critical ones are missing.
Could anyone help?
Regards,
Evang
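Added example, not part of the original post and not a reply from the thread: the searches above rank with `top 5 severity,dest_ip`, which scores each (severity, dest_ip) pair separately, so the five highest-scoring pairs are all `high` pairs and no IP ever gets a `critical` row. Separately, `where severity=critical` compares the `severity` field against a field named `critical` (string literals in `where` need quotes), which is another reason the second subsearch returns nothing. The search below instead builds a per-IP count for each severity first, ranks IPs by the combined high + critical total, and keeps both severity columns so `chart` can stack them. It assumes the same `sourcetype=nessus`, `severity` and `dest_ip` fields as the post and the same 30-day window.

```spl
sourcetype=nessus (severity=high OR severity=critical) earliest=-30d@mon latest=now
| chart count over dest_ip by severity
| addtotals fieldname=total
| sort - total
| head 5
| fields - total
```

`chart count over dest_ip by severity` yields one row per IP with a `critical` and a `high` column; `addtotals` adds a `total` column from those two, `sort - total` orders IPs by combined high + critical count, `head 5` keeps the five most affected, and dropping `total` leaves exactly the two series needed for a stacked column chart. Remediation-wise this also surfaces hosts whose critical count alone is small but whose combined exposure is largest, which the pair-based `top` ranking hides.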