## `wazuh-states-vulnerabilities` index data model

### Fields summary

The fields are based on the Elastic Common Schema (ECS):

- [Agent Fields](https://www.elastic.co/guide/en/ecs/current/ecs-agent.html).
- [Package Fields](https://www.elastic.co/guide/en/ecs/current/ecs-package.html).
- [Host Fields](https://www.elastic.co/guide/en/ecs/current/ecs-host.html).
- [Vulnerability Fields](https://www.elastic.co/guide/en/ecs/current/ecs-vulnerability.html).

|     | Field                               | Type    | Description                                                                                                                                                                                                                                          |
| --- | ----------------------------------- | ------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|     | `agent.*`                           | object  | All the `agent` fields.                                                                                                                                                                                                                              |
|     | `host.*`                            | object  | All the `host` fields.                                                                                                                                                                                                                               |
|     | `package.architecture`              | keyword | Package architecture.                                                                                                                                                                                                                                |
|     | `package.build_version`             | keyword | Additional information about the build version of the installed package.                                                                                                                                                                             |
|     | `package.checksum`                  | keyword | Checksum of the installed package for verification.                                                                                                                                                                                                  |
|     | `package.description`               | keyword | Description of the package.                                                                                                                                                                                                                          |
|     | `package.install_scope`             | keyword | Indicates how the package was installed, e.g. user-local, global.                                                                                                                                                                                    |
|     | `package.installed`                 | date    | Time when the package was installed.                                                                                                                                                                                                                 |
|     | `package.license`                   | keyword | License under which the package was released.                                                                                                                                                                                                        |
|     | `package.name`                      | keyword | Package name.                                                                                                                                                                                                                                        |
|     | `package.path`                      | keyword | Path where the package is installed.                                                                                                                                                                                                                 |
|     | `package.reference`                 | keyword | Home page or reference URL of the software in this package, if available.                                                                                                                                                                            |
|     | `package.size`                      | long    | Package size in bytes.                                                                                                                                                                                                                               |
|     | `package.type`                      | keyword | Type of package.                                                                                                                                                                                                                                     |
|     | `package.version`                   | keyword | Package version.                                                                                                                                                                                                                                     |
|     | `vulnerability.category`            | keyword | The type of system or architecture that the vulnerability affects.                                                                                                                                                                                   |
|     | `vulnerability.classification`      | keyword | The classification of the vulnerability scoring system.                                                                                                                                                                                              |
|     | `vulnerability.description`         | keyword | The description of the vulnerability that provides additional context of the vulnerability.                                                                                                                                                          |
| \*  | `vulnerability.detected_at`         | date    | Vulnerability's detection date.                                                                                                                                                                                                                      |
|     | `vulnerability.enumeration`         | keyword | The type of identifier used for this vulnerability.                                                                                                                                                                                                  |
|     | `vulnerability.id`                  | keyword | The identification (ID) is the number portion of a vulnerability entry.                                                                                                                                                                              |
| \*  | `vulnerability.published_at`        | date    | Vulnerability's publication date.                                                                                                                                                                                                                    |
|     | `vulnerability.reference`           | keyword | A resource that provides additional information, context, and mitigations for the identified vulnerability.                                                                                                                                          |
|     | `vulnerability.report_id`           | keyword | The report or scan identification number.                                                                                                                                                                                                            |
| \*  | `vulnerability.scanner.source`      | keyword | The origin of the decision of the scanner (i.e. the feed used to detect the vulnerability).                                                                                                                                                          |
|     | `vulnerability.scanner.vendor`      | keyword | The name of the vulnerability scanner vendor.                                                                                                                                                                                                        |
|     | `vulnerability.score.base`          | float   | Scores can range from 0.0 to 10.0, with 10.0 being the most severe.                                                                                                                                                                                  |
|     | `vulnerability.score.environmental` | float   | Scores can range from 0.0 to 10.0, with 10.0 being the most severe.                                                                                                                                                                                  |
|     | `vulnerability.score.temporal`      | float   | Scores can range from 0.0 to 10.0, with 10.0 being the most severe.                                                                                                                                                                                  |
|     | `vulnerability.score.version`       | keyword | The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. |
|     | `vulnerability.severity`            | keyword | The severity of the vulnerability can help with metrics and internal prioritization regarding remediation.                                                                                                                                           |
| \*  | `vulnerability.under_evaluation`    | boolean | Indicates if the vulnerability is awaiting analysis by the NVD.                                                                                                                                                                                      |
| \*  | `wazuh.cluster.name`                | keyword | Name of the Wazuh cluster.                                                                                                                                                                                                                           |
| \*  | `wazuh.cluster.node`                | keyword | Name of the Wazuh cluster node.                                                                                                                                                                                                                      |
| \*  | `wazuh.schema.version`              | keyword | Version of the Wazuh schema.                                                                                                                                                                                                                         |

\* Custom field.

### ECS mapping

Subset of the ECS field sets included in the index (`agent` is restricted to the listed fields; the other field sets are pulled in whole):

```yml
---
name: wazuh-states-vulnerabilities
fields:
  base:
    fields:
      tags: []
  agent:
    fields:
      groups: {}
      id: {}
      name: {}
      type: {}
      version: {}
  host:
    fields: "*"
  package:
    fields: "*"
  vulnerability:
    fields: "*"
  wazuh:
    fields: "*"
```

Custom fields added to the ECS `vulnerability` field set:

```yml
---
- name: vulnerability
  title: Vulnerability
  group: 2
  short: Fields to describe the vulnerability relevant to an event.
  description: >
    The vulnerability fields describe information about a vulnerability that is relevant to an event.
  type: group
  fields:
    - name: detected_at
      type: date
      level: custom
      description: >
        Vulnerability's detection date.
    - name: published_at
      type: date
      level: custom
      description: >
        Vulnerability's publication date.
    - name: under_evaluation
      type: boolean
      level: custom
      description: >
        Indicates if the vulnerability is awaiting analysis by the NVD.
    - name: scanner.source
      type: keyword
      level: custom
      description: >
        The origin of the decision of the scanner (i.e. the feed used to detect the vulnerability).
```

Custom `wazuh` field set:

```yml
---
- name: wazuh
  title: Wazuh
  description: >
    Wazuh Inc. custom fields
  fields:
    - name: cluster.name
      type: keyword
      level: custom
      description: >
        Wazuh cluster name.
    - name: cluster.node
      type: keyword
      level: custom
      description: >
        Wazuh cluster node name.
    - name: schema.version
      type: keyword
      level: custom
      description: >
        Wazuh schema version.
```

### Index settings

```json
{
  "index_patterns": ["wazuh-states-vulnerabilities*"],
  "priority": 1,
  "template": {
    "settings": {
      "index": {
        "number_of_shards": "1",
        "number_of_replicas": "0",
        "refresh_interval": "5s",
        "query.default_field": [
          "agent.id",
          "agent.groups",
          "host.os.full",
          "host.os.version",
          "package.name",
          "package.version",
          "vulnerability.id",
          "vulnerability.description",
          "vulnerability.severity",
          "wazuh.cluster.name"
        ]
      }
    }
  }
}
```

`query.default_field` lists the fields a `query_string` search without an explicit field name is run against. Note that `number_of_replicas` is `0`: on a multi-node indexer cluster, raise it so that the loss of a single node does not lose the vulnerability state.
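As an added example (not code from this page or from the wazuh-indexer project), the script below transcribes the field table into a dotted-field-to-type map, nests it into the `properties` shape of an OpenSearch mapping, validates a constructed state document against it (unknown fields, ECS types, CVSS scores outside 0.0-10.0), and checks that every entry of the template's `query.default_field` list resolves to a modelled field. The sample documents, agent, package, feed name and the `CVE-0000-0000` identifier are placeholders, not scan output.

```python
"""Added example, not code from the Wazuh page or the wazuh-indexer project:
nests the field table into an OpenSearch mapping, validates a constructed
state document against it, and checks the template's query.default_field list."""
from datetime import datetime

# Dotted field -> type, transcribed from the table. agent.* and host.* come
# wholesale from ECS, so their sub-fields are accepted without a type check.
FIELDS = {"agent.*": "object", "host.*": "object"}
FIELDS.update({f"package.{n}": "keyword" for n in (
    "architecture build_version checksum description install_scope "
    "license name path reference type version").split()})
FIELDS.update({"package.installed": "date", "package.size": "long"})
FIELDS.update({f"vulnerability.{n}": "keyword" for n in (
    "category classification description enumeration id reference "
    "report_id scanner.source scanner.vendor score.version severity").split()})
FIELDS.update({"vulnerability.detected_at": "date", "vulnerability.published_at": "date",
               "vulnerability.under_evaluation": "boolean"})
FIELDS.update({f"vulnerability.score.{n}": "float" for n in ("base", "environmental", "temporal")})
FIELDS.update({f"wazuh.{n}": "keyword" for n in ("cluster.name", "cluster.node", "schema.version")})
WILDCARDS = tuple(f[:-1] for f in FIELDS if f.endswith(".*"))  # ("agent.", "host.")

# index.query.default_field, copied from the index settings above.
DEFAULT_FIELDS = ["agent.id", "agent.groups", "host.os.full", "host.os.version",
                  "package.name", "package.version", "vulnerability.id",
                  "vulnerability.description", "vulnerability.severity", "wazuh.cluster.name"]

def _is_date(value):
    """ISO-8601 string, the shape OpenSearch's default date format accepts."""
    try:
        datetime.fromisoformat(value.replace("Z", "+00:00"))
        return True
    except (ValueError, AttributeError):  # unparsable, or not a string at all
        return False

# bool is a subclass of int, so the numeric checks exclude it explicitly.
CHECKS = {
    "keyword": lambda v: isinstance(v, str),
    "date": _is_date,
    "long": lambda v: isinstance(v, int) and not isinstance(v, bool),
    "float": lambda v: isinstance(v, (int, float)) and not isinstance(v, bool),
    "boolean": lambda v: isinstance(v, bool),
}

def flatten(doc, prefix=""):
    """{"a": {"b": 1}} -> {"a.b": 1}; lists stay as leaf values."""
    out = {}
    for key, value in doc.items():
        if isinstance(value, dict):
            out.update(flatten(value, f"{prefix}{key}."))
        else:
            out[f"{prefix}{key}"] = value
    return out

def validate(doc):
    """Return the list of problems; an empty list means the document fits the model."""
    errors = []
    for dotted, value in flatten(doc).items():
        if dotted.startswith(WILDCARDS):
            continue
        ftype = FIELDS.get(dotted)
        if ftype is None:
            errors.append(f"{dotted}: not in the data model")
        elif not CHECKS[ftype](value):
            errors.append(f"{dotted}: expected {ftype}, got {value!r}")
        elif ftype == "float" and not 0.0 <= value <= 10.0:  # every float here is a CVSS score
            errors.append(f"{dotted}: CVSS score {value} outside 0.0-10.0")
    return errors

def to_mapping():
    """Nest the dotted fields into OpenSearch 'properties'. A wildcard prefix
    becomes a bare object node whose children are left to the ECS definitions."""
    props = {}
    for dotted, ftype in FIELDS.items():
        *parents, leaf = dotted.split(".")
        node = props
        for part in parents:
            node = node.setdefault(part, {"properties": {}})["properties"]
        if leaf != "*":
            node[leaf] = {"type": ftype}
    return {"properties": props}

def unresolved_default_fields():
    """default_field entries the model does not define; expected to be empty."""
    return [f for f in DEFAULT_FIELDS if f not in FIELDS and not f.startswith(WILDCARDS)]

# Constructed sample state document; agent, package, feed and CVE id are placeholders.
SAMPLE_DOC = {
    "agent": {"id": "001", "name": "web-01", "groups": ["default"]},
    "host": {"os": {"full": "Ubuntu 22.04.4 LTS", "version": "22.04"}},
    "package": {"name": "openssl", "version": "3.0.2-0ubuntu1.15", "architecture": "amd64",
                "type": "deb", "size": 1942528},
    "vulnerability": {
        "id": "CVE-0000-0000", "enumeration": "CVE", "category": "Packages",
        "classification": "CVSS", "severity": "High", "under_evaluation": False,
        "detected_at": "2024-05-01T10:15:00Z", "published_at": "2024-04-20T00:00:00Z",
        "scanner": {"vendor": "Wazuh", "source": "NVD"}, "score": {"base": 7.5, "version": "3.1"}},
    "wazuh": {"cluster": {"name": "wazuh", "node": "master"}, "schema": {"version": "1.0"}},
}
# Constructed document that breaks the model in three ways.
BAD_DOC = {
    "package": {"name": "openssl", "vendor": "Canonical"},                 # vendor is not modelled
    "vulnerability": {"score": {"base": 11.0}, "under_evaluation": "no"},  # CVSS > 10, string not boolean
}
```

`validate(SAMPLE_DOC)` returns `[]`, `validate(BAD_DOC)` returns three errors, and `unresolved_default_fields()` returns `[]` for the template as published. The same check is worth running whenever the subset YAML or the `query.default_field` list is edited: a default field that no longer exists in the mapping silently drops out of free-text searches instead of failing at template install time.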