wazuh-indexer-plugins/ecs/docs/states-vulnerability.md
Jorge Sánchez 877477e59c
New workflows names and triggers (#291)
* Workflows renamed according to the convention and deleted extras

* Workflows trigger fixed

* Fixed test workflow trigger

* Used the new VERSION.json and fixed it to work with push

* Changed the default inputs work in push events

* Include a new link checker workflow

* Modifies names and adds useful workflows and needed files (CHANGELOG.md)

* Deleted extra workflow files

* Corrects build docs execution

* Fixes link

* Updates codeql-action to v3 and limits scan to /plugins

* Updates ubuntu, lychee-action and checkout versions

* Adds paths to avoid unnecessary workflow execution

* Deletes  statements

These statements, without the CI build, inserted the default values to avoid workflow failure. We go back to using build on push.

* Updates ubuntu version

* Fixes adding default to the plugins builder values by calling it with an onpush workflow

* Apply suggestions from code review

Signed-off-by: Álex Ruiz <alejandro.ruiz.becerra@wazuh.com>

* Format and renaming

* Fix broken links

* More renaming

* Exclude gnu links

* Add .editorconfig

* Add id to build on push

---------

Signed-off-by: Álex Ruiz <alejandro.ruiz.becerra@wazuh.com>
Co-authored-by: abbonno <abbogonluq@gmail.com>
Co-authored-by: Álex Ruiz <alejandro.ruiz.becerra@wazuh.com>
2025-03-04 16:48:13 +01:00


wazuh-states-vulnerabilities index data model

Fields summary

The fields are based on the ECS:

| Field | Type | Description |
|---|---|---|
| agent.* | object | All the agent fields. |
| host.* | object | All the host fields. |
| package.architecture | keyword | Package architecture. |
| package.build_version | keyword | Additional information about the build version of the installed package. |
| package.checksum | keyword | Checksum of the installed package for verification. |
| package.description | keyword | Description of the package. |
| package.install_scope | keyword | Indicating how the package was installed, e.g. user-local, global. |
| package.installed | date | Time when package was installed. |
| package.license | keyword | License under which the package was released. |
| package.name | keyword | Package name. |
| package.path | keyword | Path where the package is installed. |
| package.reference | keyword | Home page or reference URL of the software in this package, if available. |
| package.size | long | Package size in bytes. |
| package.type | keyword | Type of package. |
| package.version | keyword | Package version. |
| vulnerability.category | keyword | The type of system or architecture that the vulnerability affects. |
| vulnerability.classification | keyword | The classification of the vulnerability scoring system. |
| vulnerability.description | keyword | The description of the vulnerability that provides additional context of the vulnerability. |
| \* vulnerability.detected_at | date | Vulnerability's detection date. |
| vulnerability.enumeration | keyword | The type of identifier used for this vulnerability. |
| vulnerability.id | keyword | The identification (ID) is the number portion of a vulnerability entry. |
| \* vulnerability.published_at | date | Vulnerability's publication date. |
| vulnerability.reference | keyword | A resource that provides additional information, context, and mitigations for the identified vulnerability. |
| vulnerability.report_id | keyword | The report or scan identification number. |
| \* vulnerability.scanner.source | keyword | The origin of the decision of the scanner (AKA feed used to detect the vulnerability). |
| vulnerability.scanner.vendor | keyword | The name of the vulnerability scanner vendor. |
| vulnerability.score.base | float | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. |
| vulnerability.score.environmental | float | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. |
| vulnerability.score.temporal | float | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. |
| vulnerability.score.version | keyword | The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. |
| vulnerability.severity | keyword | The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. |
| \* vulnerability.under_evaluation | boolean | Indicates if the vulnerability is awaiting analysis by the NVD. |
| \* wazuh.cluster.name | keyword | Name of the Wazuh cluster. |
| \* wazuh.cluster.node | keyword | Name of the Wazuh cluster node. |
| \* wazuh.schema.version | keyword | Version of the Wazuh schema. |

\* Custom field.

ECS mapping

```yaml
---
name: wazuh-states-vulnerabilities
fields:
  base:
    fields:
      tags: []
  agent:
    fields:
      groups: {}
      id: {}
      name: {}
      type: {}
      version: {}
      host:
        fields: "*"
  package:
    fields: "*"
  host:
    fields: "*"
  vulnerability:
    fields: "*"
  wazuh:
    fields: "*"
```

```yaml
---
- name: vulnerability
  title: Vulnerability
  group: 2
  short: Fields to describe the vulnerability relevant to an event.
  description: >
    The vulnerability fields describe information about a vulnerability that is
    relevant to an event.
  type: group
  fields:
    - name: detected_at
      type: date
      level: custom
      description: >
        Vulnerability's detection date.
    - name: published_at
      type: date
      level: custom
      description: >
        Vulnerability's publication date.
    - name: under_evaluation
      type: boolean
      level: custom
      description: >
        Indicates if the vulnerability is awaiting analysis by the NVD.
    - name: scanner.source
      type: keyword
      level: custom
      description: >
        The origin of the decision of the scanner (AKA feed used to detect the vulnerability).
```

```yaml
---
- name: wazuh
  title: Wazuh
  description: >
    Wazuh Inc. custom fields
  fields:
    - name: cluster.name
      type: keyword
      level: custom
      description: >
        Wazuh cluster name.
    - name: cluster.node
      type: keyword
      level: custom
      description: >
        Wazuh cluster node name.
    - name: schema.version
      type: keyword
      level: custom
      description: >
        Wazuh schema version.
```

Index settings

```json
{
  "index_patterns": ["wazuh-states-vulnerabilities*"],
  "priority": 1,
  "template": {
    "settings": {
      "index": {
        "number_of_shards": "1",
        "number_of_replicas": "0",
        "refresh_interval": "5s",
        "query.default_field": [
          "agent.id",
          "agent.groups",
          "host.os.full",
          "host.os.version",
          "package.name",
          "package.version",
          "vulnerability.id",
          "vulnerability.description",
          "vulnerability.severity",
          "wazuh.cluster.name"
        ]
      }
    }
  }
}
```
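As an added example that is not part of the Wazuh project or of this page, the following Python script checks a candidate document against the field model in the fields summary above (keyword, date, long, float, boolean types; the documented 0.0 to 10.0 range for the `vulnerability.score.*` fields) and checks that every entry of `query.default_field` in the index settings is a field the model declares. The schema dict is transcribed from the table; `agent.*` and `host.*` are accepted as opaque objects because the page declares them that way. The two sample documents, the `example-pkg` package name and the `CVE-0000-00000` identifier are constructed placeholders, and the function names (`validate_document`, `undeclared_default_fields`, `leaf_is_valid`) are this example's own.

```python
"""Check documents against the wazuh-states-vulnerabilities field model.
Added example, not Wazuh project code: field types are transcribed from the
fields summary on this page; the sample documents below are constructed."""
from datetime import datetime

# Fields typed keyword in the summary table.
KEYWORD_FIELDS = (
    "package.architecture package.build_version package.checksum package.description "
    "package.install_scope package.license package.name package.path package.reference "
    "package.type package.version vulnerability.category vulnerability.classification "
    "vulnerability.description vulnerability.enumeration vulnerability.id "
    "vulnerability.reference vulnerability.report_id vulnerability.scanner.source "
    "vulnerability.scanner.vendor vulnerability.score.version vulnerability.severity "
    "wazuh.cluster.name wazuh.cluster.node wazuh.schema.version"
).split()

# Dotted field name -> ECS type, as listed on the page.
SCHEMA = {f: "keyword" for f in KEYWORD_FIELDS}
SCHEMA.update({
    "package.installed": "date", "package.size": "long",
    "vulnerability.detected_at": "date", "vulnerability.published_at": "date",
    "vulnerability.score.base": "float", "vulnerability.score.environmental": "float",
    "vulnerability.score.temporal": "float", "vulnerability.under_evaluation": "boolean",
})

# agent.* and host.* are declared as whole objects; any leaf under them is accepted.
OBJECT_PREFIXES = ("agent.", "host.")

# query.default_field from the index settings above.
DEFAULT_FIELDS = [
    "agent.id", "agent.groups", "host.os.full", "host.os.version",
    "package.name", "package.version", "vulnerability.id",
    "vulnerability.description", "vulnerability.severity", "wazuh.cluster.name",
]

def flatten(doc, prefix=""):
    """Turn nested dicts into {"a.b.c": value} so keys match the dotted schema."""
    out = {}
    for key, value in doc.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            out.update(flatten(value, path + "."))
        else:
            out[path] = value
    return out

def leaf_is_valid(field, ecs_type, value):
    """Type check for one leaf; vulnerability.score.* must also lie in 0.0..10.0."""
    if ecs_type == "date":
        try:
            datetime.fromisoformat(str(value).replace("Z", "+00:00"))
            return isinstance(value, str)
        except ValueError:
            return False
    if ecs_type == "float":
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            return False
        return 0.0 <= value <= 10.0 if field.startswith("vulnerability.score.") else True
    expected = {"keyword": str, "boolean": bool, "long": int}.get(ecs_type)
    return expected is not None and type(value) is expected  # bool is not a long

def validate_document(doc):
    """Return a list of problems; an empty list means the document fits the model."""
    problems = []
    for field, value in flatten(doc).items():
        if field.startswith(OBJECT_PREFIXES):
            continue
        ecs_type = SCHEMA.get(field)
        if ecs_type is None:
            problems.append(f"{field}: not declared in the field model")
        elif not leaf_is_valid(field, ecs_type, value):
            problems.append(f"{field}: {value!r} is not a valid {ecs_type}")
    return problems

def undeclared_default_fields(default_fields=DEFAULT_FIELDS):
    """Entries of query.default_field that the field model does not declare."""
    return [f for f in default_fields
            if f not in SCHEMA and not f.startswith(OBJECT_PREFIXES)]

# Constructed sample document (placeholder package name and CVE id, not real data).
GOOD_DOC = {
    "agent": {"id": "001", "name": "example-agent"},
    "package": {"name": "example-pkg", "version": "1.0", "size": 4096,
                "installed": "2025-01-10T08:00:00Z"},
    "vulnerability": {"id": "CVE-0000-00000", "detected_at": "2025-03-04T15:48:13Z",
                      "score": {"base": 7.5, "version": "3.1"},
                      "severity": "High", "under_evaluation": False},
    "wazuh": {"cluster": {"name": "wazuh"}, "schema": {"version": "1.0"}},
}

# Constructed document carrying five defects the checks should report.
BAD_DOC = {
    "package": {"name": "example-pkg", "size": "4096"},
    "vulnerability": {"id": "CVE-0000-00000", "detected_at": "yesterday",
                      "score": {"base": 11.0}, "under_evaluation": "no",
                      "cvss": "unmapped"},
}
```

Running `validate_document` on a document before it is indexed catches the mistakes that otherwise surface only as mapping conflicts or silently wrong dashboards: a numeric field sent as a string, a date that is not ISO 8601, a CVSS score outside the documented range, or a field the model never declared. `undeclared_default_fields` is a cheap consistency check to run whenever the template or the field list changes, since a `query.default_field` entry that no mapping declares simply matches nothing.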