When an agent connects to the manager for the first time, and if Vulnerability Detection (VD) is active, the agent's installed packages (reported via syscollector) will be scanned for vulnerabilities. Suppose a vulnerability is found in any package. In that case, this information is recorded in the Inventory using an index in the wazuh-indexer to keep track of all vulnerabilities and a local database (inventory database) on the manager.
Regarding your question about what gets generated during the first scan: the initial scan doesn't create alerts or vulnerability events. Subsequent scans, triggered by the syscollector scan configuration, will generate alerts if an installation or removal of a package results in a change in the vulnerability inventory.
Here are a couple of other factors that affect alert generation:
Cluster environment: If an agent switches to a different node, its inventory syncs with the new node, but no alerts are generated during this initial sync.
Content update: When content changes, all agents are re-scanned to ensure results are up to date, but no alerts are generated during this initial sync.
Regarding your query on forcing a full scan again for an agent, every time the vulnerability feed is updated, a rescan is automatically triggered across all agents. This ensures that the latest vulnerability data is always used to assess the security posture of the managed devices.
If you need more detailed guidance or further assistance, please feel free to ask! 😊
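The alerting rules described in the reply above, as an added example that is not part of the original reply and is not Wazuh code: a simplified Python model showing why findings introduced by a first scan, a node sync or a content update only appear in the inventory and never as alerts. The class, the trigger names, the "detected"/"resolved" labels, the package names and the CVE-EXAMPLE identifiers are all constructed for illustration.

```python
# Simplified model of the alerting rules in the reply above (assumption: not Wazuh source).
from enum import Enum

class Trigger(Enum):
    FIRST_SCAN = 1      # agent connects to the manager for the first time
    NODE_SYNC = 2       # agent switched to another cluster node
    CONTENT_UPDATE = 3  # vulnerability feed changed, all agents re-scanned
    PACKAGE_CHANGE = 4  # syscollector reported an install or a removal

# Triggers that update the inventory without producing alerts.
SILENT = {Trigger.FIRST_SCAN, Trigger.NODE_SYNC, Trigger.CONTENT_UPDATE}

class InventoryModel:
    def __init__(self, feed):
        self.feed = feed      # {(package, version): {vuln_id, ...}}
        self.inventory = {}   # agent_id -> {(package, version, vuln_id)}

    def _match(self, packages):
        return {(n, v, cve) for (n, v) in packages
                for cve in self.feed.get((n, v), ())}

    def scan(self, agent_id, packages, trigger):
        """Always refresh the inventory; return alerts only for package changes."""
        before = self.inventory.get(agent_id)
        after = self._match(packages)
        self.inventory[agent_id] = after
        if before is None or trigger in SILENT:
            return []
        alerts = [("detected", *f) for f in sorted(after - before)]
        alerts += [("resolved", *f) for f in sorted(before - after)]
        return alerts

def demo():
    # Constructed feed and package lists.
    feed = {("libfoo", "1.0"): {"CVE-EXAMPLE-0001"},
            ("libbar", "2.3"): {"CVE-EXAMPLE-0003"}}
    model, out = InventoryModel(feed), {}
    pkgs = {("libfoo", "1.0")}
    out["first"] = model.scan("001", pkgs, Trigger.FIRST_SCAN)
    # The feed gains a new entry for a package that is already installed.
    feed[("libfoo", "1.0")].add("CVE-EXAMPLE-0002")
    out["content"] = model.scan("001", pkgs, Trigger.CONTENT_UPDATE)
    out["inventory_size"] = len(model.inventory["001"])
    out["install"] = model.scan("001", pkgs | {("libbar", "2.3")}, Trigger.PACKAGE_CHANGE)
    out["remove"] = model.scan("001", {("libbar", "2.3")}, Trigger.PACKAGE_CHANGE)
    return out

if __name__ == "__main__":
    for step, result in demo().items():
        print(step, result)
```

In this model the two libfoo findings exist in the inventory after the content update but produce no alert until the package is removed, so coverage of existing findings has to come from the inventory rather than from the alert stream.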