Hi @rich7177,
I think I have to provide you a bit more information.
There are actually two sourcetypes we have in logs: vulnerability and asset. The first one lists all discovered vulnerabilities one by one on each device with vulnerability name, severity, category, etc. The second one provides information about every scanned asset at the end of each scan with the total number of discovered vulnerabilities, asset score, etc.
We’ve decided to use the second sourcetype to show the information for a group of assets because the filtering by most_recently_discovered date could be implemented easily. One thing that remains is to list all vulnerabilities for a selected asset (where we need the vulnerability sourcetype). It means that we have no need to perform a subsearch to find the last scan date for each asset – we have only one asset selected for this part of the dashboard.
Unfortunately, we weren’t able to find a field with a constant value for a single scan such as scan_id or scan_start_time. That’s why we thought about using the value of the most_recently_discovered field, which stays almost the same for an asset for each scan. Different vulnerabilities from the same scan could have a difference, but a really small one, maybe a few seconds (which is where the idea of using the floor command comes from). Our purple team does not have a “locked” scan schedule (a scan could be launched out of schedule because of a particular vulnerability test, etc.), but different scans will surely have a difference of at least a few hours.
Thanks for the help!
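The grouping problem described in the post (one asset, no scan_id, vulnerabilities from the same scan a few seconds apart, different scans hours apart), worked through in Python as an added example that is not part of the thread and not Splunk SPL. It contrasts the floor-on-timestamp approach from the post with a gap-based grouping, which goes beyond what the post proposes: flooring to a fixed width (here one hour) splits a scan whose events straddle the boundary, while sorting and starting a new group whenever the gap exceeds a threshold does not. The field names `vulnerability`, `severity` and `most_recently_discovered`, the ISO-8601 string format, and all event values are assumptions and constructed sample data.

```python
"""Group one asset's vulnerability events into scans when no scan_id exists.

Added example, not code from the original thread. Field names and timestamp
format are assumed; the events below are constructed sample data.
"""
from datetime import datetime, timezone

# Constructed sample: two scans of one asset about six hours apart. Within a
# scan the most_recently_discovered values drift by a few seconds, and the
# second scan deliberately straddles the 14:00 hour boundary.
EVENTS = [
    {"vulnerability": "vuln-1", "severity": 3, "most_recently_discovered": "2024-05-01T08:00:01Z"},
    {"vulnerability": "vuln-2", "severity": 4, "most_recently_discovered": "2024-05-01T08:00:04Z"},
    {"vulnerability": "vuln-3", "severity": 2, "most_recently_discovered": "2024-05-01T08:00:09Z"},
    {"vulnerability": "vuln-1", "severity": 3, "most_recently_discovered": "2024-05-01T13:59:57Z"},
    {"vulnerability": "vuln-4", "severity": 5, "most_recently_discovered": "2024-05-01T14:00:02Z"},
    {"vulnerability": "vuln-2", "severity": 4, "most_recently_discovered": "2024-05-01T14:00:06Z"},
]


def to_epoch(ts):
    """Parse the assumed UTC ISO-8601 format into integer epoch seconds."""
    return int(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
               .replace(tzinfo=timezone.utc).timestamp())


def bucket_by_floor(events, width_seconds=3600):
    """The post's idea: a scan key of floor(timestamp / width).

    Returns {bucket_key: [events]}. Fixed-width buckets split a scan whose
    events fall on both sides of a boundary (see the 13:59/14:00 events).
    """
    buckets = {}
    for ev in events:
        key = to_epoch(ev["most_recently_discovered"]) // width_seconds
        buckets.setdefault(key, []).append(ev)
    return buckets


def group_by_gap(events, max_gap_seconds=300):
    """Gap-based grouping: sort by timestamp and open a new group whenever
    the gap to the previous event exceeds max_gap_seconds.

    Works because intra-scan drift (seconds) is far smaller than the
    spacing between scans (hours). Returns a list of groups, oldest first.
    """
    ordered = sorted(events, key=lambda ev: to_epoch(ev["most_recently_discovered"]))
    groups = []
    prev = None
    for ev in ordered:
        t = to_epoch(ev["most_recently_discovered"])
        if prev is None or t - prev > max_gap_seconds:
            groups.append([])
        groups[-1].append(ev)
        prev = t
    return groups


def latest_scan(events, max_gap_seconds=300):
    """Vulnerabilities from the most recent scan only (the dashboard need)."""
    groups = group_by_gap(events, max_gap_seconds)
    return groups[-1] if groups else []


if __name__ == "__main__":
    print("floor(1h) buckets:", len(bucket_by_floor(EVENTS)))
    print("gap-based scans:  ", len(group_by_gap(EVENTS)))
    for ev in latest_scan(EVENTS):
        print(ev["most_recently_discovered"], ev["vulnerability"], ev["severity"])
```

The threshold of 300 seconds is an assumed value; pick something comfortably above the intra-scan drift you observe and well below the minimum spacing between scans. If the same logic is rebuilt in SPL, the equivalent of `group_by_gap` needs the events sorted by time and a running comparison against the previous event's timestamp rather than a single `floor` expression.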