Hi John,
Thank you for using Wazuh!
Replying to your questions:
1. The default Inventory Dashboard shows the Vulnerabilities count mapped as critical, high, medium and low. My concern is: does this total vulnerabilities count show only the 'Active vulnerabilities COUNT', or does the count include both Active and Solved?
The Inventory tab of the Vulnerabilities module in the Wazuh plugin represents the current status of the vulnerabilities for the selected agent. The data comes from the Wazuh API, and you will see the data referring to the last vulnerabilities scan. This is the active vulnerabilities count. You should take into account that the vulnerabilities scan is executed at intervals, so if you fix a vulnerability in an agent, for example by updating a package, this should be updated after the next vulnerabilities scan is done.
2. The Events Tab shows Vulnerabilities with their status as either Solved or Active. The concern or confusion is whether the vulnerabilities with status Solved are actually fixed or not.
The Events tab of the Vulnerabilities module in the Wazuh plugin displays the related alerts, for example, when a vulnerability was discovered or was solved. The data comes from the Wazuh indexer or Elasticsearch. If you see any alert whose vulnerability status is Solved, that means the vulnerability was fixed and is not present in the agent.
Is there any mechanism by which we can apply a status-based filter on the Inventory Tab so that the Dashboard only shows Active Vulnerabilities and their Count?
There is no easy mechanism to display that data. You should know that when a new vulnerability is found or solved, an alert is created and indexed to the Wazuh indexer or Elasticsearch. The Dashboard or Events tabs display these alerts, and they have a filter related to the time range. You could use filters in the Dashboard or Events tab that are related to the data displayed in the Inventory tab, for example the CVE of an active vulnerability, to search for a related alert (consider the time range too).
It would be interesting for us to know the reason, or your workflow, for needing to search the data of active vulnerabilities in the Dashboard/Events tab. Is the data displayed in the Inventory tab not enough for your use case related to the active vulnerabilities? Thank you so much for sharing this use case with us.
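
The correlation described in the last answer, as an added example that is not part of the original reply or Wazuh's own code: it folds a stream of vulnerability alerts into the set that is still Active and shows how the chosen time range changes the count. The alert field layout (`data.vulnerability.*`, `agent.id`, `timestamp`) is an assumption modelled on Wazuh 4.x alert JSON; the helper names, sample alerts and CVE ids are constructed placeholders.

```python
from collections import Counter


def alert(ts, cve, pkg, severity, status, agent_id="001"):
    # Hypothetical helper: builds one constructed alert. The field layout is an
    # assumption modelled on Wazuh 4.x vulnerability-detector alerts.
    return {"timestamp": ts, "agent": {"id": agent_id},
            "data": {"vulnerability": {"cve": cve, "severity": severity,
                                       "status": status,
                                       "package": {"name": pkg}}}}


# Constructed sample data; the CVE ids are placeholders, not real entries.
SAMPLE_ALERTS = [
    alert("2023-01-01T10:00:00Z", "CVE-0000-0001", "openssl", "High", "Active"),
    alert("2023-01-01T10:00:00Z", "CVE-0000-0002", "curl", "Critical", "Active"),
    alert("2023-01-05T10:00:00Z", "CVE-0000-0002", "curl", "Critical", "Solved"),
    alert("2023-01-06T10:00:00Z", "CVE-0000-0003", "bash", "Medium", "Active"),
]


def active_vulnerabilities(alerts, since=None, until=None):
    """Keep, per (agent, CVE, package), only the newest alert inside the time
    range, then return the entries whose newest status is Active."""
    latest = {}
    # Timestamps share one ISO 8601 UTC format, so string order is time order.
    for a in sorted(alerts, key=lambda a: a["timestamp"]):
        ts = a["timestamp"]
        if (since and ts < since) or (until and ts > until):
            continue
        v = a["data"]["vulnerability"]
        latest[(a["agent"]["id"], v["cve"], v["package"]["name"])] = v
    return {k: v for k, v in latest.items() if v["status"] == "Active"}


def severity_counts(active):
    """Count active vulnerabilities per severity level."""
    return dict(Counter(v["severity"] for v in active.values()))


if __name__ == "__main__":
    # Full range: the Solved alert for CVE-0000-0002 cancels its Active alert.
    print(severity_counts(active_vulnerabilities(SAMPLE_ALERTS)))
    # Range ending before the Solved alert: CVE-0000-0002 still looks Active.
    print(severity_counts(active_vulnerabilities(
        SAMPLE_ALERTS, until="2023-01-03T00:00:00Z")))
```

A time range that leaves out the Solved alert makes an already fixed vulnerability appear Active, which is why the range has to cover the most recent scan when comparing against the Inventory tab.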