Hi Guys,
I'm using the Qualys TA to extract VM data and I'm having some issues with making a multi-value field out of the "cve" field Qualys uses.
My "cve" field has values like:
"CVE-2017-3003, CVE-2017-3002, CVE-2017-3001, CVE-2017-3000, CVE-2017-2999, CVE-2017-2998, CVE-2017-2997"
OR
"CVE-2013-1346"
OR
"CVE-2015-2808, CVE-2013-2566"
My goal is to make it so that when I search for a single CVE (such as CVE-2017-3000), hosts with that CVE will be shown. However, currently it will only show the host if my search matches the full value for the cve field, which could be over 20 CVE values. (Sorry if that doesn't make sense; it's quite hard to explain without visualisations, but I've not got enough karma to upload pictures.)
I want to use transforms and props to configure this extraction at search time. I have my regex working to capture each individual CVE.
I've been trying for a while now to no avail; could someone please show me what my transforms and props need? Currently I have...
props.conf
[qualys:hostDetection]
REPORT-cve = mv-cve
transforms.conf
[mv-cve]
REGEX = cve=(?<cve>CVE-\d+-\d+) (I've tried this line without the "cve=" but it shows an example with it in the docs)
FORMAT = cve::$1 (I don't fully understand what this line is doing, I don't think the docs are very clear)
MV_ADD = true
Any help would be greatly appreciated, cheers.
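As an added illustration (not part of the original post and not the Qualys TA's own configuration), here is one way the search-time multivalue extraction can be written. It assumes the TA already extracts the comma-separated string into a field named cve, and uses a new field name, cve_id, which is an assumption chosen to avoid colliding with that existing field.

```ini
# props.conf  (added example, not the original poster's config)
[qualys:hostDetection]
# One REPORT-<class> line per transform; the class name after "REPORT-" is arbitrary.
REPORT-cve_mv = mv-cve

# transforms.conf
[mv-cve]
# Run the regex against the already-extracted "cve" field (assumed name)
# rather than _raw, so the comma-separated string is the only input.
SOURCE_KEY = cve
# One capture group per CVE id; a four-digit year, then a sequence of
# at least four digits (longer sequence numbers are allowed).
REGEX = (CVE-\d{4}-\d{4,})
# FORMAT names the output field and maps capture group $1 into it.
# Using a fresh field name (assumed: cve_id) keeps the TA's "cve" untouched.
FORMAT = cve_id::$1
# Without MV_ADD only the first match is kept; with it, every further
# match is appended, producing a multivalue field.
MV_ADD = true
```

With this in place, a search such as sourcetype=qualys:hostDetection cve_id=CVE-2017-3000 returns any host whose list contains that identifier, regardless of how many other CVEs share the field.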