legal contact rss

The "vulns" macro basicaly searches the variable name hostname in the fields ip, dns or netbios. The reason for that is to be sure to catch the right data were ever it is defined.


args = hostname

sourcetype=whatever (ip="$name$" OR dns="$name$" OR netbios="$name$") | dedup host_id,qid

The vulns macro below is the more advanced version, as it takes some variables from a search form (see the $xxx$ definitions) and adds the tagging information from the mp_tag macro.


sourcetype=whatever| fillnull signature | fillnull os | `mp_tag` | search (ip="$name$" OR dns="$name$" OR netbios="$name$") patchable=$patchable$ os="$os$" signature="$signature$" internal="$internal$" severity_id > $sev$ owner=$owner$ action=$action$ | dedup host_id,qid