Vulnerabilities from all endpoints summarized in single pane


kkhy yyz

Oct 2, 2022, 1:35:00 PM
to Wazuh mailing list
Hi All

I re-deployed the Wazuh all-in-one install 4.3.8 and I seem to be only able to see Vulnerability per endpoint... how can I see a summarized version for all and then run a report against it?
Currently I have 22 endpoints but want to expand to around 60... so a summarized version would be awesome.

TIA
Benali

Miguel Angel Cazajous

Oct 2, 2022, 7:57:18 PM
to Wazuh mailing list

Hello kkhy2yyz,

Since 4.3.0 we changed the way vulnerabilities are displayed. As you may know, the vulnerabilities are now listed per agent, reading each single vulnerability inventory database, because the previous approach was not precise. The reason for this big change is to provide better quality data related to vulnerabilities in the agents, sacrificing the global overview we had prior to 4.3.0.
Currently, I'm afraid there's no implementation to query all agent databases to summarize the vulnerabilities in all agents, but with some UI filters you may get some useful responses; also, using the API directly from the command line would help.

We are aware that the feature is very important for large environments and consulting agent by agent is far from practical. We are working on a complete refactor of the module, and while I cannot promise a release date I can share with you the approach we are going to follow.

https://github.com/wazuh/wazuh/issues/14153

In that link, there's a roadmap that explains the development needed to achieve the goal. Apologies for the inconvenience; we are working as fast as possible to provide a solution to this.

Regards!

kkhy yyz

Oct 3, 2022, 12:49:56 AM
to Wazuh mailing list
Thanks for the explanation.
Is there a possibility to export the EVENTS tab in the VULNERABILITIES area, since that shows ALL the data for all endpoints? If I can take a dump of that, that would be awesome... for the time being.

Thanks again.

kkhy yyz

Oct 3, 2022, 11:15:42 AM
to Wazuh mailing list
Some problem again... I can see vulnerabilities 1 by 1 but now nothing is showing up under EVENTS.

:(

help please.

moosemaimer

Oct 3, 2022, 11:16:37 AM
to Wazuh mailing list
I've been working on a Python script to do that for a while, this is the latest revision. It requires Python 3 with the "requests" and "urllib3" libraries installed, and you will have to edit the file with the IP of your server and the user/pass for your manager API; if you're running it on Linux you might also want to add a shebang with your Python path so you can execute it. I recommend creating a read-only user and putting those credentials in the script as a security mitigation as well.
vuln_dash.py

kkhy yyz

Oct 3, 2022, 12:07:30 PM
to Wazuh mailing list
Thanks moosemaimer... will give it a try.

Miguel Angel Cazajous

Oct 3, 2022, 12:08:42 PM
to Wazuh mailing list
Hi kkhy2yyz,

Thanks for the contribution Stephen!

Another approach I'm thinking of is, since you want to export the vulnerabilities, that it would be better to make an API request to get the vulnerabilities per agent (this can be easily managed with a loop in a script) instead of exporting something from the UI. As a quick test, I did this for two agents.

- Agent Ubuntu Jammy

1.png
- Agent CentOS 8

2.png

If you do the calculation you should get 486 vulnerabilities for the Ubuntu agent and 1164 vulnerabilities for the CentOS agent.

Then please take a look at this:

https://documentation.wazuh.com/current/user-manual/api/reference.html#operation/api.controllers.vulnerability_controller.get_vulnerability_agent

You get a response for those agents that matches the number of vulnerabilities you get from the UI:

3.png

The content is something like this:

4.png

Then you can process that information as you want.

I hope this approach helps you.

kkhy yyz

Oct 3, 2022, 10:01:18 PM
to Wazuh mailing list
Thanks Miguel... will definitely give it a try.

Miguel Angel Cazajous

Oct 4, 2022, 9:32:28 AM
to Wazuh mailing list
Great kkhy2yyz, let us know how it goes!

Raphael Pepi

Oct 20, 2022, 12:24:48 PM
to Wazuh mailing list
@Mooserunner this is definitely a step in the right direction, bravo!
It would be helpful if the summary showed the agent name as well as the ID, which would make the report more readable. Also, if the list of results per vulnerability included the value of
field name="vulnerability.package.condition", you would be able to tell at a glance whether the package was unfixed or had a fix ready.

I would suggest adding 2 additional command line options:
-g <Groupname> : only query agents in the group
-p : list vulnerabilities separated per agent name

I made the script as provided into a jinja2 template to be installed by Ansible, so here is the j2 (with variables in place) and the tasks for Ansible:

# Add to your main.yml
- name: Vulnerability Python Script Block
  block:
  - name: Install requirements
    pip:
      name: [requests, urllib3]

  - name: Created Production shared config
    template:
      src: vuln_dash.py.j2
      dest: '{{ wazuh_dash_dir }}/vuln_dash.py'
      mode: '0700'   # quote the mode: an unquoted 700 is read as decimal 700, not octal 0700
  tags: vuln-script
# end tasks

cheers! 
vuln_dash.py.j2

moosemaimer

Oct 21, 2022, 4:43:26 PM
to Wazuh mailing list
New version of the script, with a few changes:
  • Agent summary lists names as well as IDs
  • Long version of agent vulnerability counts now breaks out results by severity
  • Package names have condition appended (each combination of name+condition is unique, therefore totals reflect only that and packages can appear multiple times, not sure if I like this)
  • Results can be filtered by group (-g, --group)
The main purpose of the script is to give a bird's-eye view of the agents, since the dashboard is no longer present in the web UI; more detailed information is still available when viewing agents individually.
vuln_dash.py
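Miguel's suggestion above (one API call per agent in a loop) and the summary features moosemaimer lists in this last revision (names with IDs, counts broken out by severity, package name plus condition, a group filter), as one added example. This is not the attached vuln_dash.py and not Wazuh's own code; it uses only the Python standard library. It assumes a Wazuh 4.x manager API at https://WAZUH_MANAGER_IP:55000 (placeholder) with a read-only API user, the `limit`/`offset` pagination and `select` parameters from the API reference, and the `group` query parameter on GET /agents (assumed from the reference). The sample agents and findings at the bottom are constructed, with placeholder CVE ids.

```python
import base64
import json
import ssl
import sys
from collections import Counter
from urllib.parse import urlencode
from urllib.request import Request, urlopen

WAZUH_API = "https://WAZUH_MANAGER_IP:55000"   # placeholder: your manager's API address
API_USER = "wazuh-readonly"                    # placeholder: a read-only API user
API_PASS = "CHANGE_ME"                         # placeholder: keep it out of world-readable files
PAGE_SIZE = 500                                # page through results with limit/offset


def _tls_context(verify_tls):
    """Verifying TLS context by default; verification can be disabled for self-signed lab certs."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def _call(base, path, headers, params=None, method="GET", verify_tls=True):
    """Issue one request against the Wazuh API and decode its JSON body."""
    url = base + path + ("?" + urlencode(params) if params else "")
    req = Request(url, headers=headers, method=method)
    with urlopen(req, context=_tls_context(verify_tls)) as resp:
        return json.load(resp)


def authenticate(base=WAZUH_API, user=API_USER, password=API_PASS, verify_tls=True):
    """POST /security/user/authenticate with basic auth; returns the bearer token."""
    creds = base64.b64encode(f"{user}:{password}".encode()).decode()
    body = _call(base, "/security/user/authenticate",
                 {"Authorization": "Basic " + creds}, method="POST", verify_tls=verify_tls)
    return body["data"]["token"]


def fetch_all(token, path, params=None, base=WAZUH_API, verify_tls=True):
    """Collect every affected_item from a paginated endpoint using limit/offset."""
    headers = {"Authorization": "Bearer " + token}
    items, offset = [], 0
    while True:
        page = dict(params or {}, limit=PAGE_SIZE, offset=offset)
        data = _call(base, path, headers, page, verify_tls=verify_tls)["data"]
        items.extend(data["affected_items"])
        offset += PAGE_SIZE
        if not data["affected_items"] or offset >= data["total_affected_items"]:
            break
    return items


def list_agents(token, group=None, **kw):
    """GET /agents, optionally restricted to one agent group (the -g idea from the thread)."""
    params = {"select": "id,name"}
    if group:
        params["group"] = group            # assumed query parameter name
    return fetch_all(token, "/agents", params, **kw)


def agent_vulnerabilities(token, agent_id, **kw):
    """GET /vulnerability/{agent_id}: the per-agent endpoint Miguel links to."""
    return fetch_all(token, f"/vulnerability/{agent_id}",
                     {"select": "cve,name,version,severity,condition"}, **kw)


def summarize(agents, vulns_by_agent):
    """Aggregate per-agent vulnerability lists into one cross-fleet report."""
    report = {"total": 0, "by_severity": Counter(), "packages": Counter(), "agents": {}}
    for agent in agents:
        vulns = vulns_by_agent.get(agent["id"], [])
        severity = Counter(v.get("severity", "Unknown") for v in vulns)
        report["agents"][agent["id"]] = {
            "name": agent["name"], "total": len(vulns), "by_severity": dict(severity)}
        report["by_severity"].update(severity)
        # key on name + condition so unfixed packages stand out from ones with a fix available
        report["packages"].update(f'{v["name"]} ({v.get("condition", "n/a")})' for v in vulns)
        report["total"] += len(vulns)
    return report


def render(report):
    """Plain-text report lines, agents ordered by number of findings."""
    lines = [f"Total vulnerabilities across {len(report['agents'])} agents: {report['total']}",
             "By severity: " + ", ".join(f"{k}={n}" for k, n in report["by_severity"].most_common())]
    for aid, a in sorted(report["agents"].items(), key=lambda kv: -kv[1]["total"]):
        sev = ", ".join(f"{k}={n}" for k, n in sorted(a["by_severity"].items()))
        lines.append(f"  {aid} {a['name']}: {a['total']} ({sev})")
    lines.append("Top packages (name + condition):")
    lines.extend(f"  {n:4d}  {pkg}" for pkg, n in report["packages"].most_common(10))
    return lines


# Constructed sample data in the API's affected_items shape; CVE ids are placeholders.
SAMPLE_AGENTS = [{"id": "001", "name": "web-01"}, {"id": "002", "name": "db-01"}]
SAMPLE_VULNS = {
    "001": [{"cve": "CVE-0000-00001", "name": "openssl", "version": "1.1.1f",
             "severity": "Critical", "condition": "Package less than 1.1.1g"},
            {"cve": "CVE-0000-00002", "name": "openssl", "version": "1.1.1f",
             "severity": "High", "condition": "Package less than 1.1.1g"},
            {"cve": "CVE-0000-00003", "name": "curl", "version": "7.68.0",
             "severity": "Medium", "condition": "Package unfixed"}],
    "002": [{"cve": "CVE-0000-00001", "name": "openssl", "version": "1.1.1f",
             "severity": "Critical", "condition": "Package less than 1.1.1g"},
            {"cve": "CVE-0000-00004", "name": "kernel", "version": "5.4.0",
             "severity": "Low", "condition": "Package unfixed"}],
}

if __name__ == "__main__":
    if "--demo" in sys.argv:                    # offline run on the constructed sample
        print("\n".join(render(summarize(SAMPLE_AGENTS, SAMPLE_VULNS))))
    else:                                       # live run: python3 vuln_summary.py [group]
        group = next((a for a in sys.argv[1:] if not a.startswith("-")), None)
        token = authenticate()
        agents = list_agents(token, group=group)
        vulns = {a["id"]: agent_vulnerabilities(token, a["id"]) for a in agents}
        print("\n".join(render(summarize(agents, vulns))))
```

`python3 vuln_summary.py --demo` prints the roll-up for the constructed data without touching a manager; `python3 vuln_summary.py webservers` does the live loop for one agent group. Each agent costs one request per 500 findings, so at 60 agents the run is a few hundred calls against the API rather than a dashboard export; pass `verify_tls=False` to `authenticate`/`fetch_all` only for a lab manager with a self-signed certificate.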