Correct count of vulnerabilities in OpenSearch Dashboards > Discover


Juan Ignacio Contino

Sep 6, 2023, 8:23:40 AM
to Wazuh | Mailing List
Hello everyone.

I am trying to get a correct count of current vulnerabilities in agents on my network in
Menu > OpenSearch Dashboards > Discover
These agents were updated on different days.

Using a query like
rule.groups:vulnerability-detector and agent.name:webserver01
in the indexes
wazuh-alerts-*
doesn't work for me, because I get historical (pre-update) documents pertaining to vulnerabilities that are already fixed and acknowledgment documents of vulnerabilities that disappeared while operating system packages were updated.
I still can't find a way to filter the historical or update acknowledgment documents, so it's impossible for me to get the correct vulnerability count.

In other words, I need a query that reproduces this exact count in the Wazuh Dashboard for each individual agent:

[attached screenshot: screenshot_2023-09-06_08-51-42_627401429.png]

I need a query to get this data in "Discover" so as not to manually browse the dashboard for each agent.

Can you help me?
Thank you so much!

moosemaimer

Sep 6, 2023, 9:43:20 AM
to Wazuh | Mailing List
There isn't really any way to get that information in Discover because it's stored in a separate database from the alerts, so I wrote a Python module that does the same thing.
[attachment: vuln_dash.zip]

Juan Ignacio Contino

Sep 6, 2023, 10:45:06 AM
to Wazuh | Mailing List
Moosemaimer, thank you very much for the script, it is VERY useful.

However, it is not what I need.
I need a query to get only the documents from the index wazuh-alerts-* that have the current vulnerabilities (avoid documents with vulnerabilities fixed and acknowledgments of correction)
because I intend to use it to make dashboards using buckets for fields like
data.vulnerability.cvss.cvss3.vector.attack_vector
data.vulnerability.cvss.cvss3.vector.access_complexity

Is it possible to filter those documents somehow?
thanks in advance

Ariel Ojeda

Sep 6, 2023, 7:14:15 PM
to Wazuh | Mailing List
Hi,

As the person in the previous answer explained, the results of the VD scans are stored in a database, so to get current results you would need to query said database (that is how the Default VD Module gets its information about the agents' vulnerabilities). 

You can use requests to the Wazuh API endpoints to get information about vulnerabilities.


Every time a new Vulnerability is detected (or solved) a new alert is generated. If you create a dashboard or visualization, the information will be based on those alerts (which is the information stored in the indices as documents).

You can apply a simple filter to the Discovery tab to only show alerts for VD (filters: rule.groups is vulnerability-detector and data.vulnerability.status is Active).

[attached screenshot: Untitled.jpg]

I hope this helps,

Ariel.

Juan Ignacio Contino

Sep 7, 2023, 8:00:26 AM
to Ariel Ojeda, Wazuh | Mailing List
Hello Ariel and moosemaimer
how are you?

First of all, thank you very much for the assistance of both of you.
For now I prefer not to get involved with the Wazuh API to resolve this issue.

Ariel, regarding the filter that you recommend for the Discovery tab, it doesn't work for me.
As I explained in my first post, I need to have a correct count of current vulnerabilities.
Filtering based on rule.groups and data.vulnerability.status returns unwanted documents

Example:
The filter
rule.groups:vulnerability-detector and data.vulnerability.status:Active and agent.name:webserver01
returns documents of the detections of vulnerabilities prior to an update.
I cannot do Visualizations with this data, since I will not only have the current vulnerabilities but also the vulnerabilities that are already resolved.

Is there a way to make a query or to configure some Visualization to get the set of documents I need?

Thanks for the assistance.



--
Ing. Juan Ignacio Contino

Juan Ignacio Contino

Sep 14, 2023, 11:48:36 AM
to Wazuh | Mailing List
Hi! How are things?
I have not been able to put together a query with the criteria I needed.

One way to solve my need could be to regenerate all vulnerability alerts on each agent. In such a way that, from the moment of regeneration, the alerts only take into account the present vulnerabilities.
This way I could filter the alerts based on a known timestamp and obtain the index files I need.

In the Vulnerability Detector documentation I find that there are 3 types of scans:
- Baseline
- Full scan
- Partial scan

What I need is to trigger the Baseline scan at will.
Is there any way of doing this?

Ariel Ojeda

Sep 22, 2023, 1:05:42 PM
to Wazuh | Mailing List
Hi Juan,

Yes, that is what we explained before, the alerts don't show the current status, just the status of what was detected at that specific moment.

To do something like what you suggest, we would need to clear the databases, to "force" a baseline scan.

Here, I am providing you the ndjson file for this dashboard, so that you can import and use it quickly in your Wazuh Dashboard. This custom dashboard will allow you to show Vulns for all the agents, but still based on the alerts as explained before. You can complement this with the two options shared below.


VD_Dashboard.ndjson (you can find it attached at the bottom)

To import it, you need to go to the top left menu ☰ > Stack Management > Saved Object, click on Import and select the ndjson file there:

Then, you will get a new custom dashboard Vulnerability detector main dashboard in your Dashboard section:

If you want this dashboard for vulnerability detection reporting, we have two available workarounds to index all the active vulnerability alerts there. Both can be set up with a cronjob or a wodle command. We recommend executing any one of these scripts once a week:

vd_update.py
  • Gets the vulnerabilities from all agents through the API and sends it to the socket (analysisd).

  • It will upload all vulnerability alerts to Wazuh Indexer if you run it with -w yes option.

  • You will need to execute this script once (recommended in the master node).

  • It is not recommended to use it if you’re using reports filtered by labels.

Note:

Move the script to /var/ossec/integrations/:

mv -n vd_update.py.txt /var/ossec/integrations/vd_update.py

Modify permissions.

chmod 550 /var/ossec/integrations/vd_update.py

You may have to define the following arguments while running the command if you have values other than the default ones.

- manager (-m): default='127.0.0.1'
- user (-u): default='wazuh-wui'
- password (-p): default='wazuh-wui'
- port (-port): default='55000'

The following configurations can be added to the Wazuh manager ossec file located in /var/ossec/etc/ossec.conf. You can also update it from the UI, by going to Wazuh -> Management -> Configuration and then clicking on Edit configuration at the top right corner. If you edit the file from the CLI, you need to restart the manager using your service manager (i.e. systemctl restart wazuh-manager) or using the Restart button if done from the UI (it will show after you save the changes).

This is a sample wodle for vd_update:

<wodle name="command">
  <disabled>no</disabled>
  <tag>vd-update_script</tag>
  <command>/var/ossec/framework/python/bin/python3 /var/ossec/integrations/vd_update.py -w yes</command>
  <wday>mon</wday>
  <time>01:00</time>
  <run_on_start>no</run_on_start>
  <timeout>3600</timeout>
</wodle>

 

You also need to allow this wodle command to run through API by adding the following in file: /var/ossec/api/configuration/api.yaml

remote_commands:
  wodle_command:
    enabled: false
    exceptions: ["/var/ossec/framework/python/bin/python3 /var/ossec/integrations/vd_update.py -w yes"]

The wodle will run periodically every Monday at 01:00 am. You can update the schedule values according to your requirements. Also, to test immediately, you can set <run_on_start> to yes once, restart the wazuh-manager and revert it back to no once the test is completed.

vd_db_cleaner.py
  • Cleans the agent database in the manager.

  • It will force agents to run a full_scan to trigger alerts, therefore it will use more resources. We recommend executing it once or twice a week.

  • You will need to execute this script in all the manager's nodes if you’re running a cluster.

Move the script to /var/ossec/integrations/:

mv -n vd_db_cleaner.py.txt /var/ossec/integrations/vd_db_cleaner.py

Modify permissions.

chmod 550 /var/ossec/integrations/vd_db_cleaner.py

This script can also be scheduled with a wodle as below:

<wodle name="command">
  <disabled>no</disabled>
  <tag>vd-db-cleaner_script</tag>
  <command>/var/ossec/framework/python/bin/python3 /var/ossec/integrations/vd_db_cleaner.py</command>
  <wday>mon</wday>
  <time>01:00</time>
  <run_on_start>no</run_on_start>
  <timeout>3600</timeout>
</wodle>

Bear in mind, that both these workarounds will upload the recent vulnerability scan events to the Wazuh Indexer either by collecting through the API or by forcing full scans in the agents, but will not clear/remove the previous events from the indices. Therefore, in the custom dashboard, you need to set the time accordingly to review only the latest active vulnerabilities.

I hope this helps,

Ariel.


[attachment: VD_Dashboard.ndjson]
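The point made in Ariel's two replies (the status:Active filter over-counts because alerts are point-in-time detections, and a forced rescan lets you count from a known timestamp) can be checked offline. The following is an added example, not code from the thread or from Wazuh: it reduces a constructed stream of wazuh-alerts-* style documents to the vulnerabilities currently open per agent, using the field names discussed above (agent.name, data.vulnerability.status/cve/package.name, timestamp); the CVE ids and host names are placeholders.

```python
# Added example (not from the thread or from Wazuh): reduces a stream of
# vulnerability-detector alerts to the vulnerabilities currently open per agent.
# Records below are constructed sample data with placeholder CVE ids.
from collections import defaultdict

def _alert(ts, agent, status, cve, pkg):
    return {"timestamp": ts, "agent": {"name": agent},
            "data": {"vulnerability": {"status": status, "cve": cve,
                                       "package": {"name": pkg}}}}

# webserver01: curl patched (Solved), then a forced rescan re-detects openssl.
SAMPLE_ALERTS = [
    _alert("2023-08-01T10:00:00Z", "webserver01", "Active", "CVE-0000-0001", "openssl"),
    _alert("2023-08-01T10:00:01Z", "webserver01", "Active", "CVE-0000-0002", "curl"),
    _alert("2023-08-15T09:00:00Z", "webserver01", "Solved", "CVE-0000-0002", "curl"),
    _alert("2023-09-18T01:05:00Z", "webserver01", "Active", "CVE-0000-0001", "openssl"),
    _alert("2023-08-01T10:00:00Z", "dbserver01", "Active", "CVE-0000-0003", "libxml2"),
]

def _key(a):
    v = a["data"]["vulnerability"]
    return a["agent"]["name"], v["cve"], v["package"]["name"]

def naive_active_count(alerts):
    # The Discover filter from the thread, counted as-is: stale and repeated
    # detections all count, so the result is inflated.
    counts = defaultdict(int)
    for a in alerts:
        if a["data"]["vulnerability"]["status"] == "Active":
            counts[a["agent"]["name"]] += 1
    return dict(counts)

def current_vulnerabilities(alerts):
    # Keep the newest alert per (agent, cve, package); open only if that newest
    # alert is Active. ISO-8601 UTC strings sort correctly as plain text.
    latest = {}
    for a in sorted(alerts, key=lambda a: a["timestamp"]):
        latest[_key(a)] = a["data"]["vulnerability"]["status"]
    open_by_agent = defaultdict(set)
    for (agent, cve, pkg), status in latest.items():
        if status == "Active":
            open_by_agent[agent].add((cve, pkg))
    return dict(open_by_agent)

def active_since(alerts, baseline_ts):
    # The timestamp approach: after a forced rescan, count the distinct Active
    # (cve, package) pairs seen at or after that time. Agents not rescanned vanish.
    seen = defaultdict(set)
    for a in alerts:
        v = a["data"]["vulnerability"]
        if v["status"] == "Active" and a["timestamp"] >= baseline_ts:
            seen[a["agent"]["name"]].add((v["cve"], v["package"]["name"]))
    return {agent: len(pairs) for agent, pairs in seen.items()}
```

Note that active_since drops dbserver01 entirely because it was never rescanned, which is the same caveat as running vd_db_cleaner.py on every manager node: the timestamp window is only trustworthy once every agent has produced fresh alerts inside it.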

Juan Ignacio Contino

Sep 25, 2023, 10:46:28 AM
to Wazuh | Mailing List
Thanks Ariel!

The second script is EXACTLY what I needed.

IMHO having the possibility of creating dashboards of current vulnerabilities from the alert index should be a feature of Wazuh. In this way it would not be necessary to use external tools to make graphs of data extracted from a sqlite db through an API. This will probably require considering these workarounds for future versions of Wazuh as functionalities (example: adding a "baseline scan frequency" tag in the VD configuration).

Thank you so much!

Ariel Ojeda

Sep 26, 2023, 10:07:50 AM
to Wazuh | Mailing List
Hi Juan,

You are very welcome!

Have a nice day,

Ariel.
