Hi @Leonardo Ventura
This behavior is intentional.
The vulnerability.detected_at field is updated on every scan because it reflects the last time the engine detected the vulnerability on the agent, not the first time it appeared.
If you need the original detection time, the recommended approach is to track it externally (SIEM, index snapshots, or custom dashboards), since the field is designed to reflect the latest scan state.
https://documentation.wazuh.com/current/user-manual/capabilities/vulnerability-detection/how-it-works.html
Javier Mendez
Wazuh Teams
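
One way to track the original detection time externally, as suggested in the reply above. This is an added example, not Wazuh code or part of the original post. It keeps a first-seen ledger across periodic snapshots of vulnerability state documents. Every field name other than vulnerability.detected_at, the CVE placeholders and the sample records are assumptions constructed for illustration.

```python
from datetime import datetime

def parse_ts(ts):
    # Accept a trailing "Z" on Python versions whose fromisoformat rejects it
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def finding_key(doc):
    # Assumed identity of a finding: agent + package + version + vulnerability id
    return (doc["agent"]["id"], doc["package"]["name"],
            doc["package"]["version"], doc["vulnerability"]["id"])

def update_ledger(ledger, snapshot):
    """Merge one snapshot into the ledger; return (new_keys, gone_keys)."""
    current, new_keys = set(), []
    for doc in snapshot:
        key = finding_key(doc)
        seen = parse_ts(doc["vulnerability"]["detected_at"])
        current.add(key)
        entry = ledger.get(key)
        if entry is None:
            ledger[key] = {"first_seen": seen, "last_seen": seen, "present": True}
            new_keys.append(key)
        else:
            # detected_at moves forward on every scan, so first_seen is the minimum
            entry["first_seen"] = min(entry["first_seen"], seen)
            entry["last_seen"] = max(entry["last_seen"], seen)
            entry["present"] = True
    # Findings missing from this snapshot are kept, only flagged as not present
    gone = [k for k, e in ledger.items() if e["present"] and k not in current]
    for k in gone:
        ledger[k]["present"] = False
    return new_keys, gone

def sample(agent, pkg, ver, vuln_id, ts):
    # Builds a constructed record; not real scan output
    return {"agent": {"id": agent}, "package": {"name": pkg, "version": ver},
            "vulnerability": {"id": vuln_id, "detected_at": ts}}

# Constructed snapshots from three consecutive days (placeholder CVE ids)
DAY1 = [sample("001", "openssl", "3.0.2", "CVE-0000-0001", "2024-05-01T10:00:00Z")]
DAY2 = [sample("001", "openssl", "3.0.2", "CVE-0000-0001", "2024-05-02T10:00:00Z"),
        sample("002", "curl", "7.81.0", "CVE-0000-0002", "2024-05-02T10:05:00Z")]
DAY3 = [sample("002", "curl", "7.81.0", "CVE-0000-0002", "2024-05-03T10:05:00Z")]

def run_demo():
    ledger = {}
    for snap in (DAY1, DAY2, DAY3):
        update_ledger(ledger, snap)
    return ledger
```

In practice the ledger would be persisted (a file, a database table or a separate index) and each snapshot would come from a scheduled export of the current vulnerability state.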