host="SPL-SH-DC" sourcetype="ABCSW"......| search "Plugin Name" != "TLS Version 1.1 Protocol Deprecated" AND Port != "8443" AND Port != "8444"
| table "IP Address",Host_Name,"Plugin Name",Severity,Protocol,Port,Exploit,System_Type,Synopsis,Description,Solution,"See Also","CVSS V2 Base Score",CVE,Plugin,status,Pending_since,source
Hi Splunkers, could you please help?
I have the query shown above. However, I want the result filtered on the field "Plugin Name" not equal to "TLS Version 1.1 Protocol Deprecated", but based on the field "Port" equal to "8443" and "8444".
I would appreciate your help.
Hi @Rithekakan,
Sorry, but I don't understand the problem; let me check: you want to use all of the following conditions as filters:
"Plugin Name"!="TLS Version 1.1 Protocol Deprecated" (Port="8443" OR Port="8444")
Is this correct?
If this is what you need, you only have to make a small update to your search:
host="SPL-SH-DC" sourcetype="ABCSW" "Plugin Name"!="TLS Version 1.1 Protocol Deprecated" (Port="8443" OR Port="8444")
| table "IP Address" Host_Name "Plugin Name" Severity Protocol Port Exploit System_Type Synopsis Description Solution "See Also" "CVSS V2 Base Score" CVE Plugin status Pending_since source
Also, you don't need to use the search command: that way you get a slower search, because you first take all the events and then filter them, which isn't efficient; it's better to put all the filters as far left as possible in your search!
And, if possible, avoid using spaces in field names.
Ciao.
Giuseppe
Hi gcusello,
I have this report, and I want to filter out Plugin Name = TLS Version 1.1 Protocol Deprecated with Port = 8443 and 8444.
Thanks for your help,
Rithekakan
Hi @Rithekakan ,
What's the condition?
It's different; anyway, you can use my search, modifying the conditions.
Ciao.
Giuseppe
Yes exactly, I use it.
This is my full search..
host="SPL-SH-DC" sourcetype="ABCSW"
NOT Severity IN (Info,Low)
NOT Port IN (6502,8089,8001)
NOT "Plugin Name" IN ("SSL Certificate with Wrong Hostname","SSL Self-Signed Certificate","SSL Certificate Cannot Be Trusted")
| lookup ABCDEFGServerInventory.csv IP_Address as "IP Address" output Host_Name, System_Type
| eval days_since = floor((now() - _time) / 86400)
| eval Pending_since = case(days_since == 0, "Today", days_since < 30, "Pending (< 30 days)", days_since > 45, "Pending ( > 45 days)", true(), "Pending ( 30>Days<45 )")
| stats values(*) as * by "IP Address",Plugin,"Plugin Name",Severity,Protocol,Port,Exploit
| eval status = case(mvcount(source)>1,"Pending", source=="ABCDEFGSW26062022.csv","Fixed", true(), "New Vulnerable")
| search "IP Address" IN ("1........,...................................")
"Plugin Name" != "OpenSSH S/KEY Authentication Account Enumeration"
"Plugin Name" != "OPIE w/ OpenSSH Account Enumeration"
"Plugin Name" != "OpenSSH >= 2.3.0 AllowTcpForwarding Port Bouncing"
"Plugin Name" != "OpenSSH PCI Disputed Vulnerabilities."
"Plugin Name" != "TLS Version 1.1 Protocol Deprecated" (Port ="8443" OR Port="8444")
| table "IP Address",Host_Name,"Plugin Name",Severity,Protocol,Port,Exploit,System_Type,Synopsis,Description,Solution,"See Also","CVSS V2 Base Score",CVE,Plugin,status,Pending_since,source
@gcusello
sorry,
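The filter @Rithekakan describes in the third post (drop the "TLS Version 1.1 Protocol Deprecated" finding only where it sits on port 8443 or 8444, and keep every other finding, including that plugin on other ports) is a NOT over an AND, not two terms placed side by side: in SPL, adjacent terms are ANDed, so `"Plugin Name"!="TLS Version 1.1 Protocol Deprecated" (Port="8443" OR Port="8444")` keeps only the non-TLS findings on those two ports and discards the rest of the report. The search below is an added example, not code from any post in this thread; it reuses the host, sourcetype, lookup file and field names the thread already shows, keeps the suppression in the base search as gcusello advises, and ends with a count that exists only to verify what survived (that trailing `stats`/`search` pair is my check, not part of the report).

```spl
host="SPL-SH-DC" sourcetype="ABCSW"
NOT Severity IN (Info,Low)
NOT Port IN (6502,8089,8001)
NOT "Plugin Name" IN ("SSL Certificate with Wrong Hostname","SSL Self-Signed Certificate","SSL Certificate Cannot Be Trusted")
NOT ("Plugin Name"="TLS Version 1.1 Protocol Deprecated" AND Port IN (8443,8444))
| lookup ABCDEFGServerInventory.csv IP_Address as "IP Address" output Host_Name, System_Type
| stats count by "Plugin Name", Port
| search "Plugin Name"="TLS Version 1.1 Protocol Deprecated"
```

If the check returns rows for the TLS 1.1 plugin on every port except 8443 and 8444, the suppression is scoped as intended; replace the last two lines with the thread's `eval`, `stats` and `table` pipeline once satisfied. If the same exclusion has to live after the `stats` instead, the `where` form is `| where NOT ('Plugin Name'="TLS Version 1.1 Protocol Deprecated" AND (Port=8443 OR Port=8444))` (single quotes around a field name containing a space). Two caveats worth knowing when filtering vulnerability data this way: `NOT (A AND B)` is used rather than `A!=... AND ...` because `field!=value` only matches events that actually carry the field, whereas `NOT field=value` also keeps events where the field is absent, so a scan row with no Port value survives the former and disappears under the latter; and `Port IN (8443,8444)` compares as strings, so quote or unquote consistently with how the sourcetype extracts Port.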