Internal Alignment: Wazuh Vulnerability Reporting Guidelines


xeption

May 26, 2026, 10:08:10 AM (12 days ago) May 26
to Wazuh | Mailing List
Hello team,

I hope you are doing well.

I have some confusion about the vulnerability detector module findings in Inventory and Events, given below:

Objective: Clarify the difference between the Inventory and Events tabs in Wazuh to ensure accurate reporting to our customer regarding their "present" vs "detected" vulnerabilities.
 
1. Core Definitions (The Difference)
Inventory Tab (Present State): Shows a real-time snapshot of live, unresolved vulnerabilities currently sitting on the customer's systems right now.
 
Events Tab (Historical Log): Shows a chronological timeline of alerts triggered whenever a vulnerability's status changes (e.g., when a vulnerability is newly found or patched).
 
2. Resolving the "Active Alerts in Events" Confusion
An alert marked status: Active in the Events tab simply means a vulnerability was newly discovered at that specific date and time.
 
Important: Even if we patch the vulnerability later in the week, that historical event log never changes.
Rule of Thumb: To check if an "Active" event is still a threat today, look for it in the Inventory tab. If it’s gone from Inventory, it is successfully resolved.
 
3. How to Structure the Customer's Weekly Report
To give the customer a clear answer on what is actually present in their environment, we must split our exports:
Use Inventory Data for: The "Current Exposure" list. This lists the live, unfixed risks that their IT team needs to patch immediately.
 
Use Events Data (Filtered for the Last 7 Days) for: The "Weekly Progress" list. This proves our value by showing a history of what we newly detected versus what we successfully resolved (status: Solved) over the week.

Regards,
xeption

Pablo Ariel Gonzalez

May 26, 2026, 1:26:33 PM (12 days ago) May 26
to Wazuh | Mailing List
Hi Xeption:

Your understanding is mostly correct. The Inventory tab should be used as the current exposure view. It shows the vulnerabilities currently detected on the monitored endpoints, based on the latest processed inventory/vulnerability scan. So this is the right place to check what is still present and needs remediation.

The Events tab is the historical alert view. It shows alerts generated when vulnerabilities are detected or remediated. An `Active` event means the vulnerability was detected at that point in time; it does not mean that the vulnerability is necessarily still active today. If it was later fixed, the original `Active` event remains as history, and a `Solved` event may be generated.

So for reporting:

- Use Inventory for the current/open vulnerabilities.
- Use Events for weekly activity/progress, such as newly detected and remediated vulnerabilities.

One small clarification: Inventory is not exactly “real-time”; it reflects the latest data processed from the agent inventory and vulnerability detection scans.

Documentation:
- Vulnerability Detection
- How it works / viewing vulnerability data

xeption

Jun 4, 2026, 2:55:50 AM (3 days ago) Jun 4
to Wazuh | Mailing List

Hi Pablo,

Thank you for the confirmation.

However, I have encountered an issue while exporting the vulnerability events. The total number of events exceeds 10,000, and Wazuh only allows exporting up to 10,000 events at a time in the Excel export file.

I also noticed that there is no time-filtering option available in the export section. As a workaround, I have not been splitting the data into smaller parts to export it successfully.

Could you please advise on the best way to export all vulnerability events when the total count exceeds 10,000?

Thank you for your assistance.
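One way around the 10,000-row cap is to bypass the dashboard export and page through the alerts in the Wazuh indexer directly with a time-bounded `search_after` query, then derive both lists Pablo describes (current detections versus `Solved` events for the weekly window) from the result. The script below is an added example, not Wazuh's own code or anything from this thread. It assumes the alerts index is `wazuh-alerts-*`, that vulnerability alerts carry the rule group `vulnerability-detector`, that the alert id is the `id` field and that the status sits at `data.vulnerability.status` with the values `Active` and `Solved`; check these against your own index mapping before use. The search call is injected so the paginator can run offline against a constructed in-memory stand-in for the indexer.

```python
"""Export Wazuh vulnerability events past the 10,000-hit UI limit.

Added example, not Wazuh's own code. Assumptions (not stated in the thread):
alerts live in the indexer's `wazuh-alerts-*` index, vulnerability alerts
carry the rule group `vulnerability-detector`, the alert id is in `id`,
and the status is at `data.vulnerability.status` ("Active" / "Solved").
The search call is injected so the paginator runs offline against a fake.
"""
from __future__ import annotations

import csv
import io
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Callable

SearchFn = Callable[[dict], dict]  # query body -> raw search response


def build_query(since: datetime, until: datetime, size: int,
                search_after: list | None = None) -> dict:
    """Time-bounded query for one page; the `id` tiebreaker keeps the
    search_after cursor stable when several alerts share a timestamp."""
    body = {
        "size": size,
        "query": {"bool": {"filter": [
            {"term": {"rule.groups": "vulnerability-detector"}},
            {"range": {"timestamp": {"gte": since.isoformat(),
                                     "lt": until.isoformat()}}},
        ]}},
        "sort": [{"timestamp": "asc"}, {"id": "asc"}],
    }
    if search_after is not None:
        body["search_after"] = search_after
    return body


def export_events(search: SearchFn, since: datetime, until: datetime,
                  page_size: int = 5000) -> tuple[list[dict], int]:
    """Walk every page in the window; returns (events, pages_fetched).
    page_size stays below the indexer's index.max_result_window (10,000),
    so no single page runs into the limit the UI export hits."""
    events: list[dict] = []
    cursor = None
    pages = 0
    while True:
        hits = search(build_query(since, until, page_size, cursor))["hits"]["hits"]
        pages += 1
        if not hits:
            break
        events.extend(h["_source"] for h in hits)
        cursor = hits[-1]["sort"]          # resume after the last hit seen
        if len(hits) < page_size:
            break
    return events, pages


def weekly_summary(events: list[dict]) -> dict[str, int]:
    """Newly detected vs remediated counts for the 'Weekly Progress' list."""
    counts = Counter(e["data"]["vulnerability"]["status"] for e in events)
    return {"detected": counts.get("Active", 0),
            "solved": counts.get("Solved", 0),
            "total": len(events)}


def to_csv(events: list[dict]) -> str:
    """Flat CSV for the report, replacing the capped Excel export."""
    out = io.StringIO()
    w = csv.writer(out)
    w.writerow(["timestamp", "agent", "cve", "status"])
    for e in events:
        v = e["data"]["vulnerability"]
        w.writerow([e["timestamp"], e["agent"]["name"], v["cve"], v["status"]])
    return out.getvalue()


# ---- constructed offline stand-in for the indexer ------------------------

def sample_events(n: int, start: datetime) -> list[dict]:
    """Constructed sample alerts, one per minute; CVE ids are placeholders."""
    docs = []
    for i in range(n):
        ts = start + timedelta(minutes=i)
        docs.append({
            "timestamp": ts.isoformat(),
            "id": f"{int(ts.timestamp())}.{i}",
            "agent": {"name": f"host-{i % 7}"},
            "rule": {"groups": ["vulnerability-detector"]},
            "data": {"vulnerability": {"cve": f"CVE-0000-{i % 50:04d}",
                                       "status": "Solved" if i % 3 == 0 else "Active"}},
        })
    return docs


def make_fake_search(docs: list[dict]) -> SearchFn:
    """Applies the range filter, sort and search_after cursor in memory."""
    ordered = sorted(docs, key=lambda d: (d["timestamp"], d["id"]))

    def search(body: dict) -> dict:
        rng = body["query"]["bool"]["filter"][1]["range"]["timestamp"]
        rows = [d for d in ordered if rng["gte"] <= d["timestamp"] < rng["lt"]]
        if "search_after" in body:
            cur = tuple(body["search_after"])
            rows = [d for d in rows if (d["timestamp"], d["id"]) > cur]
        page = rows[: body["size"]]
        return {"hits": {"hits": [{"_source": d, "sort": [d["timestamp"], d["id"]]}
                                  for d in page]}}

    return search


UNTIL = datetime(2026, 6, 4, tzinfo=timezone.utc)         # report cut-off (constructed)
SINCE = UNTIL - timedelta(days=7)                          # "last 7 days" window
DOCS = sample_events(12_000, UNTIL - timedelta(days=10))   # more than the 10,000 cap

if __name__ == "__main__":
    evs, pages = export_events(make_fake_search(DOCS), SINCE, UNTIL)
    print(f"{len(evs)} events over {pages} pages:", weekly_summary(evs))
    print(to_csv(evs[:3]))
```

Against a real indexer, `search` would be a thin wrapper that POSTs `body` to `/wazuh-alerts-*/_search` with the indexer credentials and returns the JSON; the paginator passes back whatever `sort` values the indexer returns, so it works whether the timestamp comes back as a string or as epoch milliseconds. Pages are fetched in timestamp order, which also gives a deterministic export if a run has to be resumed.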

