Utilizing Vulnerability Detector and Osquery


عبدالعزيز بن حلوان

Feb 29, 2024, 9:12:06 AM
to Wazuh | Mailing List
Dear Wazuh Team,

Hope you are all doing well,

The current SIEM setup I use doesn't rely on the Wazuh agent; however, it has an osquery component from which I can execute queries and extract the data I need, such as installed package names, versions, operating system and kernel info, and much more. It's pretty flexible in choosing what data you want to extract.

I would be thankful for your help in inserting this data into the Wazuh vulnerability detector and performing scans without the Wazuh agent. Regarding data formatting, shipping and insertion, I can handle it from my side; however, I would appreciate it if you could guide me to a place where I can add the required data and perform scans in the Wazuh Manager without using an agent. This could be a .db file, I believe.

Please let me know if you need any additional information.

BR,
Abdulaziz 

Miguel Casares

Mar 1, 2024, 6:23:45 AM
to Wazuh | Mailing List
Hello,

There is no easy method to accomplish this as the vulnerability detector module follows a standard with the Databases for the comparison with the Wazuh feeds to report the vulnerabilities. My recommendation would be installing a Wazuh agent to accomplish this. You may also rely on the Wazuh and Osquery integration to visualize that data in the Wazuh Dashboard.


I hope that helps,

Miguel

عبدالعزيز بن حلوان

Mar 1, 2024, 6:31:36 PM
to Wazuh | Mailing List
Thank you for your response.

Yeah, I'm developing a security stack and using multiple technologies, one of them being Wazuh for vulnerability detection.

Is there any high-level design for the correlation between Syscollector on the agent and the manager's vulnerability detector?
I'm trying to find in which file the agents' Syscollector information is stored on the manager.

Thanks,
Abdulaziz

Miguel Casares

Mar 8, 2024, 4:26:25 AM
to Wazuh | Mailing List
Hello Abdulaziz,

The Syscollector inventory is stored in databases for each agent, stored in /var/ossec/queue/<id>.db. Then the manager performs the correlation for the downloaded feed data that is stored in /var/ossec/queue/vulnerabilities/cve.db.

Here you have an overview of the procedure: https://documentation.wazuh.com/current/user-manual/capabilities/vulnerability-detection/how-it-works.html

I hope that helps. Let me know if you need anything else,

Miguel
