Vulnerability detection - API


Vuk Kadija

7:31 AM (12 hours ago)
to Wazuh | Mailing List
Hello community,

I am trying to automate as much as I can in my environment. 
At the moment I am collecting SCA checks using the API, after which a report is created. I want to do the same with Vulnerability detection, but there is no API support for that scenario.

Is anyone maybe exporting Vulnerability detection reports in any other way, not using the UI?

Best regards,
Vuk

Ezequiel Matías Montero

8:55 AM (10 hours ago)
to Vuk Kadija, Wazuh | Mailing List
In Wazuh v4.14.4, the architecture of the Vulnerability Detection (VD) module changed radically compared to previous versions. Currently, there is no dedicated endpoint in the Wazuh REST API for querying vulnerabilities (as there is for SCA with /sca/{agent_id}). However, there are several alternatives for automating report exports without using the UI.

How it works internally (key context)
The VD module processes the Syscollector inventory, correlates it with local CVE databases (RocksDB), and indexes the results in ECS format in the Wazuh Indexer's wazuh-states-vulnerabilities index (OpenSearch). This is explicitly documented in /docs/ref/modules/vulnerability-scanner/api-reference.md

Options for automation without a UI

1. Wazuh Indexer API (OpenSearch) — Recommended option

This is the official method and is documented in the source code. The index is queried directly:

# All vulnerabilities (paginated)
curl -k -u admin:PASSWORD \
  "https://<INDEXER_IP>:9200/wazuh-states-vulnerabilities/_search?pretty" \
  -H "Content-Type: application/json" \
  -d '{
    "size": 1000,
    "query": { "match_all": {} }
  }'

Filter by specific agent:

curl -k -u admin:PASSWORD \
  "https://<INDEXER_IP>:9200/wazuh-states-vulnerabilities/_search?pretty" \
  -H "Content-Type: application/json" \
  -d '{
    "query": {
      "term": { "agent.id": "001" }
    }
  }'

Filter by severity (critical + high):

curl -k -u admin:PASSWORD \
  "https://<INDEXER_IP>:9200/wazuh-states-vulnerabilities/_search?pretty" \
  -H "Content-Type: application/json" \
  -d '{
    "query": {
      "terms": {
        "vulnerability.severity": ["Critical", "High"]
      }
    },
    "sort": [{ "vulnerability.score.base": { "order": "desc" } }]
  }'

Relevant ECS fields available in each document:

Field                           Description
agent.id / agent.name           Agent identification
vulnerability.id                CVE ID
vulnerability.severity          Critical / High / Medium / Low
vulnerability.score.base        CVSS score
vulnerability.description       CVE description
vulnerability.detected_at       Detection timestamp
vulnerability.published_at      CVE publication date
package.name / package.version  Affected package
host.os.full                    Agent's OS



2. Python script to generate automated reports

import requests
import csv
from datetime import datetime

INDEXER_URL = "https://localhost:9200"
INDEXER_USER = "admin"
INDEXER_PASS = "your_password"
INDEX = "wazuh-states-vulnerabilities"

def get_all_vulnerabilities(severity_filter=None):
    # Optional severity filter, e.g. ["Critical", "High"]; otherwise every document is returned
    query = {"match_all": {}}
    if severity_filter:
        query = {"terms": {"vulnerability.severity": severity_filter}}

    payload = {
        "size": 10000,  # OpenSearch's default max result window; use the Scroll API beyond this
        "query": query,
        "sort": [{"vulnerability.score.base": {"order": "desc"}}]
    }
    resp = requests.post(
        f"{INDEXER_URL}/{INDEX}/_search",
        json=payload,
        auth=(INDEXER_USER, INDEXER_PASS),
        verify=False  # skips TLS certificate verification; point verify= at the indexer CA file instead
    )
    resp.raise_for_status()
    return resp.json()["hits"]["hits"]

def export_csv(hits, output_file):
    # Flatten the ECS documents into one CSV row per vulnerability; missing fields become empty cells
    with open(output_file, "w", newline="") as f:
        writer = csv.writer(f)
        writer.writerow(["agent_id", "agent_name", "cve_id", "severity",
                         "cvss_score", "package", "version", "os", "detected_at"])
        for h in hits:
            s = h["_source"]
            writer.writerow([
                s.get("agent", {}).get("id"),
                s.get("agent", {}).get("name"),
                s.get("vulnerability", {}).get("id"),
                s.get("vulnerability", {}).get("severity"),
                s.get("vulnerability", {}).get("score", {}).get("base"),
                s.get("package", {}).get("name"),
                s.get("package", {}).get("version"),
                s.get("host", {}).get("os", {}).get("full"),
                s.get("vulnerability", {}).get("detected_at"),
            ])

hits = get_all_vulnerabilities(severity_filter=["Critical", "High"])
export_csv(hits, f"vuln_report_{datetime.now().strftime('%Y%m%d')}.csv")



3. Scroll API for large datasets (>10,000 records)

If the volume of vulnerabilities is large, use the OpenSearch Scroll API (https://docs.opensearch.org/latest/api-reference/search-apis/scroll/) to paginate correctly:

# Start scroll
curl -k -u admin:PASSWORD \
  "https://<INDEXER_IP>:9200/wazuh-states-vulnerabilities/_search?scroll=2m" \
  -H "Content-Type: application/json" \
  -d '{"size": 1000, "query": {"match_all": {}}}'

# Continue with the obtained scroll_id
curl -k -u admin:PASSWORD \
  "https://<INDEXER_IP>:9200/_search/scroll" \
  -H "Content-Type: application/json" \
  -d '{"scroll": "2m", "scroll_id": "<SCROLL_ID>"}'

Difference vs SCA

                SCA                                         Vulnerability Detection
Wazuh API       GET /sca/{agent_id} (dedicated REST API)    No dedicated endpoint exists
Storage         SQLite in var/db/agents/ + wazuh-db         OpenSearch index wazuh-states-vulnerabilities
How to export   Wazuh REST API                              OpenSearch/Wazuh Indexer API directly

Summary
The native way to automate Vulnerability Detection reports in Wazuh v4.14.4 is to directly query the Wazuh Indexer (port 9200) via the OpenSearch API. The wazuh-states-vulnerabilities index contains all the data in ECS format and supports complex queries by agent, CVE, severity, OS, package, etc. — exactly the same backend used by the dashboard UI.
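Added example, not code from Ezequiel's post: a stdlib-only version of the Scroll API loop from option 3 that feeds a per-agent severity summary, releasing the scroll context when done and verifying TLS against the indexer's CA instead of disabling it. The names make_poster, scroll_all, severity_by_agent and fake_poster are my own, ca_bundle is assumed to be the path to that CA certificate, and SAMPLE_PAGES is constructed data so the scroll logic can be exercised offline.

```python
import json, ssl, urllib.request
from base64 import b64encode
from collections import Counter

INDEX = "wazuh-states-vulnerabilities"

def make_poster(base_url, user, password, ca_bundle):
    """post(path, body, method) -> dict, stdlib only; TLS verified against ca_bundle."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    token = b64encode(f"{user}:{password}".encode()).decode()
    def post(path, body, method="POST"):
        req = urllib.request.Request(
            base_url + path, data=json.dumps(body).encode(), method=method,
            headers={"Content-Type": "application/json", "Authorization": f"Basic {token}"})
        with urllib.request.urlopen(req, context=ctx) as r:
            return json.load(r)
    return post

def scroll_all(post, page_size=1000, query=None):
    """Yield every hit via the Scroll API, so results beyond 10,000 are not cut off."""
    body = post(f"/{INDEX}/_search?scroll=2m",
                {"size": page_size, "query": query or {"match_all": {}}})
    scroll_id = body["_scroll_id"]
    try:
        while body["hits"]["hits"]:
            yield from body["hits"]["hits"]
            body = post("/_search/scroll", {"scroll": "2m", "scroll_id": scroll_id})
            scroll_id = body["_scroll_id"]
    finally:  # release the server-side scroll context, even on early exit
        post("/_search/scroll", {"scroll_id": scroll_id}, method="DELETE")

def severity_by_agent(hits):
    """Per-agent count of Critical/High/Medium/Low from the ECS documents."""
    counts = {}
    for src in (h.get("_source", {}) for h in hits):
        agent, sev = src.get("agent", {}).get("id"), src.get("vulnerability", {}).get("severity")
        counts.setdefault(agent, Counter())[sev] += 1
    return counts

SAMPLE_PAGES = [  # constructed sample, not real indexer output: two scroll pages
    {"_scroll_id": "s1", "hits": {"hits": [
        {"_source": {"agent": {"id": "001"}, "vulnerability": {"severity": "Critical"}}},
        {"_source": {"agent": {"id": "001"}, "vulnerability": {"severity": "High"}}}]}},
    {"_scroll_id": "s2", "hits": {"hits": [
        {"_source": {"agent": {"id": "002"}, "vulnerability": {"severity": "Low"}}}]}}]

def fake_poster(pages):
    """Offline stand-in for make_poster(): replays pages, then an empty page to end the scroll."""
    it, empty = iter(pages), {"_scroll_id": "end", "hits": {"hits": []}}
    return lambda path, body, method="POST": next(it, empty) if method == "POST" else {}
```

Against a live indexer, swap fake_poster(SAMPLE_PAGES) for make_poster("https://<INDEXER_IP>:9200", "admin", PASSWORD, "/path/to/indexer-ca.pem") and pass the result to scroll_all.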

To view this discussion visit https://groups.google.com/d/msgid/wazuh/abb67db3-28c9-4c5b-b925-389a4db150c0n%40googlegroups.com.