Wazuh Vulnerabilities 4.9.2


wazuh

Nov 29, 2024, 9:35:33 AM
to Wazuh | Mailing List
I've recently upgraded to Wazuh 4.9.2 from Wazuh 4.6.0.

For wazuh-alerts-4.x-* I have created a label called agent.labels.company_group: companyname. However, I've noticed that vulnerability logs in the wazuh-states-vulnerabilities-wazuh index do not have the agent label assigned to them.

Is there any way to view vulnerabilities that only belong to a specific agent group?

Nicolas Curioni

Dec 2, 2024, 12:16:46 PM
to Wazuh | Mailing List

Hello!

In this case, if the label that you assigned to the groups is not present in the vulnerabilities index, as a workaround you can create a custom dashboard to filter out the results that you wish.
Let me share with you our official documentation related to this topic:

I hope this helps.
Regards!

wazuh

Dec 3, 2024, 3:14:01 AM
to Wazuh | Mailing List
The issue with that is that as the agents increase (sometimes over 100 agents can be added at once, or new agents get added over time), filtering simply by agent names or IDs does not work efficiently, as someone would need to constantly modify the filter. Is there no other way to select by agent group, even if it is through the Indexer API or a workaround using both the Indexer and Server API?

Nicolas Curioni

Dec 5, 2024, 7:04:14 AM
to wazuh, Wazuh | Mailing List

Hello!

You can retrieve Vulnerabilities information by using the Wazuh Indexer API.

For this, you need to go to the top left menu > Dev tools (under the Index Management section).

Once here, you can use a query similar to the following, and retrieve the needed information:

GET /wazuh-states-vulnerabilities-*/_search
{
  "size": 500,
  "query": {
    "bool": {
      "must": [
        {"match": {"agent.name": "Agent-Name"}}
      ],
      "should": [
        {"match": {"vulnerability.severity": "Critical"}},
        {"match": {"vulnerability.severity": "High"}},
        {"match": {"vulnerability.severity": "Medium"}},
        {"match": {"vulnerability.severity": "Low"}}
      ],
      "minimum_should_match": 1
    }
  }
}

In this case, this will get all the vulnerabilities for a particular agent. You can replace agent.name with a different field to limit your search.

I hope this helps.
Regards!
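
An added example (not part of the thread and not Wazuh's own code) of the combined Server API and Indexer API workaround asked about above: list the group's agent IDs, then scope the vulnerability-state query to them with a `terms` filter so the filter never has to be edited by hand. It assumes the Server API's `GET /groups/<group_id>/agents` listing returns `data.affected_items` and `data.total_affected_items`, and that `agent.id` and `vulnerability.severity` are keyword fields; `fetch_page` and the function names are hypothetical, and the sample agents are constructed.

```python
"""Added example: scope a vulnerability-state query to one agent group."""
import json

def group_agent_ids(fetch_page, page_size=500):
    """Collect every agent ID in a group from a paginated Server API listing.

    fetch_page(offset, limit) is a caller-supplied (hypothetical) callable that
    performs GET /groups/<group_id>/agents?offset=..&limit=.. with a JWT and
    returns the decoded JSON body.
    """
    ids, offset = [], 0
    while True:
        data = fetch_page(offset, page_size)["data"]
        items = data["affected_items"]
        ids.extend(item["id"] for item in items)
        offset += len(items)
        # Stop on an empty page too, so a wrong total cannot loop forever.
        if not items or offset >= data["total_affected_items"]:
            return sorted(set(ids))

def build_vuln_query(agent_ids, severities=("Critical", "High"), size=500):
    """Body for GET /wazuh-states-vulnerabilities-*/_search limited to agent_ids."""
    if not agent_ids:
        # An empty terms list matches nothing; surface that as an error
        # rather than as a report that looks clean.
        raise ValueError("group has no agents")
    return {
        "size": size,
        "query": {"bool": {"filter": [
            {"terms": {"agent.id": list(agent_ids)}},
            {"terms": {"vulnerability.severity": list(severities)}},
        ]}},
    }

# Constructed sample data standing in for the Server API (3 agents in the group).
_SAMPLE_AGENTS = [{"id": "001"}, {"id": "002"}, {"id": "017"}]

def fake_fetch_page(offset, limit):
    page = _SAMPLE_AGENTS[offset:offset + limit]
    return {"data": {"affected_items": page,
                     "total_affected_items": len(_SAMPLE_AGENTS)}}

if __name__ == "__main__":
    ids = group_agent_ids(fake_fetch_page, page_size=2)
    print(json.dumps(build_vuln_query(ids), indent=2))
```

The printed body can be pasted under the `GET /wazuh-states-vulnerabilities-*/_search` line in Dev tools; rerunning the script picks up agents added to the group later.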
