mp_tag

Because the action for a vulnerability (accept, fix, mitigate, mitigated, triage) can be set by applying a specially formed tag, the information carried in that tag is extracted and prioritised into new fields at search time.

lookup triagecomments qid
| eval c_comment=substr(c_comment,1,150)
| lookup autopatch displayname
| eval diff=(_time - strptime(kb_last_update, "%Y-%m-%dT%H:%M:%SZ"))/60/60/24
| eval action=if(searchmatch("diff<32 AND patchable=1"),"Accept","Triage")
| eval highest_tag = mvindex('tag::eventtype', 0)
| rex field=highest_tag "(?<qg_priority>.*)__(?<qg_action>.*)__(?<qg_ticket>.*)__(?<qg_title>.*)"
| rename qg_action AS action
| rename qg_ticket AS ticket
| rename qg_title AS title
| fillnull action value=Triage

[XX priority, used to order the tags when more than one is found]__[Action]__[trouble ticket number]__[description of the action]

Sample: 01__Fix__TT4567__description_of_action

Outcome: action=Fix, ticket=TT4567, title=description_of_action
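The following Python is an added example, not part of the original page or of the macro itself. It replays the macro's logic on constructed events: the same greedy `.*` regex as the rex command, the 32-day/patchable Accept-or-Triage default, and the tag action overriding that default. It also shows the check a practitioner would want: because every group is a greedy `.*`, a description that itself contains `__` shifts all four fields, so a split limited to the first three separators (an assumption of this example, not something the page uses) is included beside it. The tag ordering by numeric prefix via `mvindex(..., 0)` is reproduced as an assumption about why the macro takes the first tag.

```python
import re
from datetime import datetime, timezone

# Same pattern as the macro's rex command, in Python's named-group syntax.
TAG_RE = re.compile(
    r"(?P<qg_priority>.*)__(?P<qg_action>.*)__(?P<qg_ticket>.*)__(?P<qg_title>.*)"
)
FIELDS = ("qg_priority", "qg_action", "qg_ticket", "qg_title")


def parse_tag_rex(tag):
    """Mimic the rex command: four greedy .* groups separated by '__'.
    Returns None when the tag does not have at least three separators."""
    m = TAG_RE.match(tag)
    return m.groupdict() if m else None


def parse_tag_split(tag):
    """Tolerant alternative (assumption, not on the page): split on the first
    three '__' only, so a title that contains '__' is kept whole."""
    parts = tag.split("__", 3)
    return dict(zip(FIELDS, parts)) if len(parts) == 4 else None


def derive_action(event, now, parser=parse_tag_rex):
    """Reproduce the macro's action selection for one event.

    event: dict with kb_last_update (ISO-8601 Zulu), patchable (0/1) and an
           optional 'tag::eventtype' list; now: timezone-aware datetime.
    Order of precedence mirrors the SPL: the computed Accept/Triage value is
    overwritten by the tag's action when a tag parses, then fillnull -> Triage.
    """
    last = datetime.strptime(event["kb_last_update"], "%Y-%m-%dT%H:%M:%SZ")
    last = last.replace(tzinfo=timezone.utc)
    diff_days = (now - last).total_seconds() / 60 / 60 / 24
    # eval action=if(searchmatch("diff<32 AND patchable=1"),"Accept","Triage")
    action = "Accept" if diff_days < 32 and event.get("patchable") == 1 else "Triage"
    ticket = title = None

    # mvindex('tag::eventtype', 0): assumption that the XX prefix makes the
    # highest-priority tag sort first, so index 0 is the one to honour.
    tags = sorted(event.get("tag::eventtype") or [])
    if tags:
        parsed = parser(tags[0])
        if parsed and parsed["qg_action"]:
            action = parsed["qg_action"]   # rename qg_action AS action
            ticket = parsed["qg_ticket"]   # rename qg_ticket AS ticket
            title = parsed["qg_title"]     # rename qg_title AS title
    return {"action": action or "Triage", "ticket": ticket, "title": title}


# Constructed sample data for a stand-alone run; not taken from any real scan.
NOW = datetime(2024, 3, 10, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"qid": 1, "kb_last_update": "2024-03-01T00:00:00Z", "patchable": 1},
    {"qid": 2, "kb_last_update": "2023-12-01T00:00:00Z", "patchable": 1},
    {"qid": 3, "kb_last_update": "2024-03-01T00:00:00Z", "patchable": 1,
     "tag::eventtype": ["02__Mitigate__TT9999__later", "01__Fix__TT4567__description_of_action"]},
    {"qid": 4, "kb_last_update": "2024-03-01T00:00:00Z", "patchable": 0,
     "tag::eventtype": ["01__Fix__TT4567__desc__with__underscores"]},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["qid"], "rex:  ", derive_action(ev, NOW))
        print(ev["qid"], "split:", derive_action(ev, NOW, parser=parse_tag_split))
```

Event 4 is the failure mode worth knowing about: with the page's regex the action field ends up as `desc` rather than `Fix`, and no `fillnull` catches it because the field is non-empty. If descriptions may contain `__`, either forbid that character sequence in the tagging convention or bound the first three groups (for example with `[^_]+` or a limited split) so the title absorbs the remainder.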

triagecomments.csv