Hi,
To get extra details such as data.vulnerability.status, you need to query the wazuh-alerts-* index.
The wazuh-archives-* index contains raw event data and is only created when archive logging is enabled on the Wazuh manager together with archive indexing enabled on the Filebeat side.
Based on your requirement, it is better to use the wazuh-alerts-* index because it contains all generated alerts.
You already mentioned that you queried the wazuh-states-vulnerabilities-* index. That index contains the data shown in the Inventory section of the Vulnerability Dashboard because the inventory visualizations use the wazuh-states-vulnerabilities-* index.
However, the Events tab in the Vulnerability Dashboard uses the wazuh-alerts-* index, and this is where you can view fields such as: data.vulnerability.status
So, similar to how you queried the wazuh-states-vulnerabilities-* index, you can query the wazuh-alerts-* index to fetch the additional details.
You can use a query like the following:
curl -k -u admin:<password> \
  -H "Content-Type: application/json" \
  -X GET "https://<indexer-IP>:9200/wazuh-alerts-4.x-*/_search?pretty" \
  -d '{
    "size": 100,
    "_source": [
      "timestamp",
      "agent.id",
      "agent.name",
      "agent.ip",
      "rule.id",
      "rule.level",
      "rule.description",
      "data.vulnerability.status",
      "data.vulnerability.cve",
      "data.vulnerability.severity",
      "data.vulnerability.title",
      "data.vulnerability.package.name",
      "data.vulnerability.package.version"
    ],
    "query": {
      "bool": {
        "filter": [
          { "term": { "location": "vulnerability-detector" } },
          { "exists": { "field": "data.vulnerability.cve" } }
        ]
      }
    },
    "sort": [
      { "timestamp": { "order": "desc" } }
    ]
  }'

Replace <password> with your dashboard admin user password and <indexer-IP> with your Wazuh indexer IP address.
This query will return 100 vulnerability alerts from the wazuh-alerts-* index.
Please note that the wazuh-alerts-* index contains both active and solved vulnerability alerts because it stores historical alert data.
For example:
When a vulnerable package is detected, an active vulnerability alert is generated.
Later, if the package is updated or removed, a solved vulnerability alert is generated.
Because both alerts are stored historically, the query results may contain both active and solved vulnerabilities.
Please let me know if you need any further details or have any questions.
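As an added example (not part of the reply above or of Wazuh's own tooling), the same wazuh-alerts-* query built in Python, plus a reducer that collapses the historical hits to the most recent status per agent/CVE/package, since active and solved alerts coexist in that index. The sample hits and CVE ids are constructed; the indexer address, password and the "Active"/"Solved" status strings are assumptions to adjust for your deployment.

```python
import json
import ssl
import urllib.request
from base64 import b64encode


def build_query(size=100):
    """Same filter as the curl command in the reply: vulnerability-detector alerts that carry a CVE."""
    return {
        "size": size,
        "_source": ["timestamp", "agent.id", "agent.name", "data.vulnerability.status",
                    "data.vulnerability.cve", "data.vulnerability.package.name",
                    "data.vulnerability.package.version"],
        "query": {"bool": {"filter": [
            {"term": {"location": "vulnerability-detector"}},
            {"exists": {"field": "data.vulnerability.cve"}}]}},
        "sort": [{"timestamp": {"order": "desc"}}],
    }


def latest_status(hits):
    """Hits arrive newest-first (sort above), so the first hit seen per (agent, CVE, package) wins."""
    latest = {}
    for hit in hits:
        src = hit["_source"]
        vuln = src["data"]["vulnerability"]
        key = (src["agent"]["id"], vuln["cve"], vuln["package"]["name"])
        latest.setdefault(key, vuln["status"])
    return latest


def search(indexer_ip, password, user="admin", size=100, verify_tls=False):
    """Runs the query against the indexer; verify_tls=False mirrors `curl -k` for a self-signed cert."""
    url = f"https://{indexer_ip}:9200/wazuh-alerts-4.x-*/_search"
    auth = b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, data=json.dumps(build_query(size)).encode(), method="POST",
                                 headers={"Content-Type": "application/json",
                                          "Authorization": "Basic " + auth})
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)["hits"]["hits"]


# Constructed sample hits, newest first; status values assumed to be "Active"/"Solved".
SAMPLE_HITS = [
    {"_source": {"agent": {"id": "001"}, "data": {"vulnerability": {"status": "Solved", "cve": "CVE-0000-0001", "package": {"name": "openssl"}}}}},
    {"_source": {"agent": {"id": "002"}, "data": {"vulnerability": {"status": "Active", "cve": "CVE-0000-0002", "package": {"name": "curl"}}}}},
    {"_source": {"agent": {"id": "001"}, "data": {"vulnerability": {"status": "Active", "cve": "CVE-0000-0001", "package": {"name": "openssl"}}}}},
]
```

Call `latest_status(search("<indexer-IP>", "<password>"))` to get the current state from live data; keys still mapped to "Active" are the open findings.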