Hi,
I'm using Wazuh version 4.10.1.
Is there an API available to retrieve an agent's vulnerability details?
Are there any options to filter by severity or CVE?
I'm specifically looking for a way to list affected packages under "vulnerability-detection" in the Wazuh console for a given agent (ref attachment).

Hi. To be able to filter by a specific field you can use the q parameter. You can see in the documentation that it uses the status example: https://documentation.wazuh.com/current/user-manual/api/reference.html#operation/api.controllers.syscollector_controller.get_packages_info
But in your case you would use the severity field. For example:
{protocol}://{host}:{port}/syscollector/{agent_id}/packages?q=severity=high
What you have to keep in mind is that there is information about the vulnerabilities that comes from the Wazuh API and other information that comes indexed like your attached screenshot.
Let me make some tests and I will be back with the exact query.


Hi Maximiliano,
Thanks for the details.
I understand that we cannot directly query the affected vulnerable packages using the Wazuh API and instead need to retrieve this information using WQL.
Please refer to the attached image (Filter 1). I have applied a filter with vulnerability.severity=high for a specific agent. The GUI displays the "Top 5 Vulnerabilities" on the left and the "Top 5 Packages" on the right. However, I need to list all affected packages (other than "Top 5 Packages") under this filter—not only in the GUI but to collect/export them as a file or text/JSON output.
Additionally, it would be helpful if we could include the affected packages along with their corresponding CVEs/CVSS for better tracking, like below (equal to image Filter 2).
Package Name | Severity | CVE | CVSS |
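
An added example (not written by any poster in this thread and not Wazuh project code): Python that builds a search body for one agent and severity, then flattens the hits into the Package Name | Severity | CVE | CVSS table requested above. The field names `agent.id`, `package.name`, `vulnerability.id` and `vulnerability.score.base` are assumptions modelled on the `vulnerability.severity` filter in the post, and the response is a constructed sample.

```python
import csv
import io

# Field names are assumptions modelled on the dashboard filter
# vulnerability.severity; compare them with a document from your own index.
COLUMNS = ["Package Name", "Severity", "CVE", "CVSS"]


def build_query(agent_id, severity, size=1000):
    """Search body for one agent's findings at one severity.
    Results beyond `size` need pagination to get the full list."""
    return {
        "size": size,
        "query": {"bool": {"filter": [
            {"term": {"agent.id": agent_id}},
            {"term": {"vulnerability.severity": severity}},
        ]}},
    }


def flatten_hits(response):
    """Turn a search response into unique, sorted table rows."""
    rows = set()
    for hit in response.get("hits", {}).get("hits", []):
        src = hit.get("_source", {})
        vuln = src.get("vulnerability", {})
        rows.add((
            src.get("package", {}).get("name", ""),
            vuln.get("severity", ""),
            vuln.get("id", ""),
            str(vuln.get("score", {}).get("base", "")),
        ))
    return sorted(rows)


def to_csv(rows):
    """Render rows as CSV text with the requested header."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(COLUMNS)
    writer.writerows(rows)
    return buf.getvalue()


def _hit(pkg, cve, score):  # helper for the constructed sample below
    return {"_source": {"agent": {"id": "001"}, "package": {"name": pkg},
            "vulnerability": {"id": cve, "severity": "High", "score": {"base": score}}}}

# Constructed sample response with placeholder CVE ids (not real scan data).
SAMPLE = {"hits": {"hits": [_hit("openssl", "CVE-0000-0001", 7.5),
    _hit("openssl", "CVE-0000-0001", 7.5), _hit("curl", "CVE-0000-0002", 8.1)]}}
```
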
Hi,
I am currently using Wazuh 4.10.1 and have added Windows, CentOS, and Ubuntu agents. However, I am encountering an issue with Vulnerability Detection metrics for certain Windows agents. For example, I am unable to view the Vulnerability Detection metrics for Microsoft Windows 10 Pro 10.0.19045.5487 and Microsoft Windows 11 Pro 10.0.26100.3194.
However, for the Windows agent Microsoft Windows 11 Pro 10.0.22631.4890, I am able to view the Vulnerability Detection metrics without any issues.
Please note that I have applied the same configuration for all the agents, and the Vulnerability Detection is working for some agents but not for others.
Could you please assist in resolving this issue?
Thanks

