Vulnerability Detection Queries


Gokul Suresh

Jul 1, 2026, 2:11:20 PM (2 days ago) Jul 1
to Wazuh | Mailing List

Hello Wazuh Team,

I am currently working on the Vulnerability Detection feature in Wazuh 4.14.5 and have a few questions regarding how to identify active vulnerabilities.

From the Vulnerability Detection in Threat Intelligence section, I can see the Dashboard, Inventory and Events tabs.

1. Identifying active (unsolved) vulnerabilities

My requirement is to list only the vulnerabilities that are currently active (not solved). 

I came across a few discussions on the Wazuh mailing list stating that the Inventory tab displays the CVEs that are still active and not solved. However, in my Wazuh 4.14.5 environment, I can see CVEs that have already been marked as Solved in the Events tab, and those same CVEs also appear in the Inventory tab.

Could you please clarify the following?

  • Does the Inventory tab contain both active and solved vulnerabilities?

  • If so, what is the recommended way to list only the currently active (unsolved) CVEs?

  • Is there a filter, query, or dashboard that can be used to display only active (not solved) vulnerabilities?

2. Meaning of "Evaluation" and "Under Evaluation"

I have also noticed Evaluation and Under Evaluation in Vulnerability Detection.
VUL.png

Could you please explain what these mean?

3. CVE evaluation frequency

How often does Wazuh check for vulnerabilities on an agent? 

Thank you in advance for your help.

Olamilekan Abdullateef Ajani

Jul 1, 2026, 3:04:01 PM (2 days ago) Jul 1
to Wazuh | Mailing List
Hello,

The Inventory tab is intended to show the current vulnerability state for the monitored endpoints. This data is stored in the wazuh-states-vulnerabilities-* indices and is generally the best place to look when you want to know which vulnerabilities are currently affecting your agents.
The Events tab is different. It shows vulnerability-related alerts/events, including when a vulnerability is detected and when it is remediated. That is why you can see both Active and Solved statuses in Events.
For example, to list only active vulnerabilities from the Events tab, you can use a filter like: data.vulnerability.status: Active. For solved vulnerabilities, the filter would be: data.vulnerability.status: Solved.

Regarding evaluation: the vulnerability.under_evaluation field is set to true when a vulnerability lacks a valid base score, classification, or severity data, placing it in the "Under evaluation" category. You can check the screenshot attached for more reference. This can be useful for vulnerabilities marked as "AWAITING ANALYSIS" in the National Vulnerability Database (NVD), where no definitive data is available from the Analysis Data Provider, leaving the required fields such as vulnerability.severity, vulnerability.classification, and even vulnerability.score.version missing. It allows users to identify and track vulnerabilities that are still under evaluation.

You can refer to this thread for more information if this has been lingering for too long: https://github.com/wazuh/wazuh/issues/28553

And for the scan frequency, Vulnerability Detection works together with Syscollector. The Wazuh agent periodically collects system inventory, such as OS and installed package/application information, and sends it to the manager. The manager then correlates that inventory with Wazuh CTI vulnerability content. The vulnerability feed update interval is controlled by the configuration below on each agent:

<vulnerability-detection>
   <enabled>yes</enabled>
   <index-status>yes</index-status>
   <feed-update-interval>60m</feed-update-interval>
</vulnerability-detection>

By default, the vulnerability feed update interval is 60m. However, vulnerability updates for an endpoint also depend on Syscollector inventory scans and whether package/OS changes are detected on the agent.


Please let me know if you require further clarification on this.

Gokul Suresh

Jul 2, 2026, 2:59:47 AM (yesterday) Jul 2
to Wazuh | Mailing List
Hi Olamilekan,
Thank you for your reply, but I would like some more clarification.

You have mentioned that "to list only active vulnerabilities from the Events tab, you can use a filter like: data.vulnerability.status: Active. For solved vulnerabilities, the filter would be: data.vulnerability.status: Solved".
I think the method you suggested for the Events tab does not work for what I need.
You suggested filtering Active and Solved in the Events tab, but when I filter CVEs with Active as the status, many of those CVEs are Solved, so at present they are not Active.
Some of the CVEs with data.vulnerability.status: Active are Active and not Solved, and others were Active and then Solved, so in the Events tab the same CVE will be present with both Active and Solved as data.vulnerability.status. I want to get the list of CVEs that are Active but not Solved.
So taking the Active CVE list from the Events tab won't give me the list of CVEs that are Active at present (particularly those that are not solved).

Please check this; I am looking forward to your response.
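The follow-up above describes exactly why a plain data.vulnerability.status: Active filter on the Events tab overcounts: the alert stream is a history, so a CVE that was detected and later remediated has both an Active and a Solved event. The script below is an added example, not code from the thread or from the Wazuh project. It reduces a list of vulnerability-detection alerts to the CVEs whose most recent event per (agent, CVE, package) is still Active, and it builds a query body for the wazuh-states-vulnerabilities-* index, which the first reply identifies as the current-state view. The only field name taken from the thread is data.vulnerability.status (and vulnerability.under_evaluation for the states index); data.vulnerability.cve, data.vulnerability.package.name, agent.id and timestamp are assumed names, and the sample alerts are constructed.

```python
"""Derive the currently active CVE set from Wazuh vulnerability alerts.

Added example (not Wazuh project code). Field names other than
data.vulnerability.status and vulnerability.under_evaluation are assumed.
"""
from datetime import datetime

# Constructed sample alerts, deliberately out of chronological order so the
# reduction has to compare timestamps rather than trust list order.
SAMPLE_ALERTS = [
    {"timestamp": "2026-06-29T10:00:00.000+0000", "agent": {"id": "001"},
     "data": {"vulnerability": {"cve": "CVE-0000-0003", "status": "Solved",
                                "package": {"name": "libbaz"}}}},
    {"timestamp": "2026-06-27T09:00:00.000+0000", "agent": {"id": "001"},
     "data": {"vulnerability": {"cve": "CVE-0000-0003", "status": "Active",
                                "package": {"name": "libbaz"}}}},
    {"timestamp": "2026-06-28T08:00:00.000+0000", "agent": {"id": "001"},
     "data": {"vulnerability": {"cve": "CVE-0000-0001", "status": "Active",
                                "package": {"name": "libfoo"}}}},
    {"timestamp": "2026-06-30T12:00:00.000+0000", "agent": {"id": "001"},
     "data": {"vulnerability": {"cve": "CVE-0000-0001", "status": "Solved",
                                "package": {"name": "libfoo"}}}},
    {"timestamp": "2026-06-28T08:00:05.000+0000", "agent": {"id": "001"},
     "data": {"vulnerability": {"cve": "CVE-0000-0002", "status": "Active",
                                "package": {"name": "libbar"}}}},
    {"timestamp": "2026-06-28T08:01:00.000+0000", "agent": {"id": "002"},
     "data": {"vulnerability": {"cve": "CVE-0000-0001", "status": "Active",
                                "package": {"name": "libfoo"}}}},
]


def _parse_ts(value):
    """Parse the Wazuh-style timestamp (millisecond precision, numeric offset)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def current_active(alerts):
    """Return the sorted list of (agent_id, cve, package) whose latest event is Active.

    A CVE is counted only once per agent and package, and only if no later
    event for that same key says Solved; this is the set the Events tab
    cannot show with a single status filter.
    """
    latest = {}  # key -> (timestamp, status)
    for alert in alerts:
        vuln = alert["data"]["vulnerability"]
        key = (alert["agent"]["id"], vuln["cve"], vuln["package"]["name"])
        ts = _parse_ts(alert["timestamp"])
        if key not in latest or ts > latest[key][0]:
            latest[key] = (ts, vuln["status"])
    return sorted(key for key, (_, status) in latest.items() if status == "Active")


def states_query(agent_id=None, include_under_evaluation=False):
    """Build a query body for the wazuh-states-vulnerabilities-* index.

    Documents present in that index are the vulnerabilities currently
    affecting an endpoint, so no status filter is needed; the optional
    clauses narrow to one agent and drop entries still awaiting NVD analysis.
    """
    must, must_not = [], []
    if agent_id is not None:
        must.append({"term": {"agent.id": agent_id}})  # assumed field name
    if not include_under_evaluation:
        must_not.append({"term": {"vulnerability.under_evaluation": True}})
    return {"query": {"bool": {"must": must, "must_not": must_not}}}


if __name__ == "__main__":
    for agent, cve, package in current_active(SAMPLE_ALERTS):
        print(f"agent {agent}: {cve} in {package} is still Active")
    print(states_query(agent_id="001"))
```

Running the script against the constructed alerts reports CVE-0000-0002 on agent 001 and CVE-0000-0001 on agent 002 as still active; the other two keys are dropped because their most recent event is Solved, even though Active events for them exist in the stream. In practice the states index query is the simpler route for "what is affecting me now", and the event reduction is useful when you need the detection and remediation timeline as well.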