Update E2E method to filter wazuh-states-vulnerabilities by detected_at instead of timestamp #5239

Rebits · 2024-04-17T18:04:51Z

Description

In 4.8.0-beta5 it changed the index structure for wazuh-states-vulnerabilities.

In previous stages, vulnerability indices contain a timestamp field like the following:

{
   "_index":"wazuh-states-vulnerabilities",
   "_id":"master_008_b28978ba313613635f07ea1aae582041f387b2cc_CVE-2024-0741",
   "_score":1.1063815,
   "_source":{
      "@timestamp":"2024-03-06T15:51:08.761Z",
      "agent":{
         "ephemeral_id":"master",
         "id":"008",
         "name":"agent1",
         "type":"wazuh",
         "version":"v4.8.0"
      },
      "ecs":{
         "version":"8.11.0"
      },
      "host":{
         "os":{
            "full":"CentOS Linux 7.9.2009",
            "kernel":"3.10.0-1160.102.1.el7.x86_64",
            "name":"CentOS Linux",
            "platform":"centos",
            "type":"centos",
            "version":"7.9.2009"
         }
      },
      "package":{
         "architecture":"x86_64",
         "description":"Mozilla Firefox Web browser",
         "installed":"2024-03-06T15:51:04.000Z",
         "name":"firefox",
         "size":275922442,
         "type":"rpm",
         "version":"91.13.0-1.el7.centos"
      },
      "vulnerability":{
         "category":"Packages",
         "classification":"CVSS",
         "description":"An out of bounds write in ANGLE could have allowed an attacker to corrupt memory leading to a potentially exploitable crash. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7.",
         "enumeration":"CVE",
         "id":"CVE-2024-0741",
         "reference":"https://bugzilla.mozilla.org/show_bug.cgi?id=1864587, https://lists.debian.org/debian-lts-announce/2024/01/msg00015.html, https://lists.debian.org/debian-lts-announce/2024/01/msg00022.html, https://www.mozilla.org/security/advisories/mfsa2024-01/, https://www.mozilla.org/security/advisories/mfsa2024-02/, https://www.mozilla.org/security/advisories/mfsa2024-04/",
         "scanner":{
            "vendor":"Wazuh"
         },
         "score":{
            "base":6.5,
            "version":"3.1"
         },
         "severity":"Medium"
      },
      "wazuh":{
         "cluster":{
            "name":"wazuh"
         },
         "manager":{
            "name":"ip-172-31-7-184"
         }
      }
   }
},

Now, this field was removed, including a detected_at value in the vulnerability field:

{
   "_index":"wazuh-states-vulnerabilities",
   "_id":"node01_002_HTOFC4PYXP_CVE-1999-1301",
   "_score":1.0,
   "_source":{
      "agent":{
         "ephemeral_id":"node01",
         "id":"002",
         "name":"1-m7MtocT5LYkPKjNC-debian8",
         "type":"wazuh"
      },
      "host":{
         "os":{
            "full":"Ubuntu 20.04.6LTS(FocalFossa)",
            "kernel":"6.2.6-76060206-generic",
            "name":"Ubuntu",
            "platform":"ubuntu",
            "type":"ubuntu",
            "version":"20.04.6.4.18.0-305.12.1.el8_4.x86_64"
         }
      },
      "package":{
         "name":"freebsd",
         "size":6,
         "version":"2.0"
      },
      "vulnerability":{
         "category":"Packages",
         "classification":"CVSS",
         "description":"A design flaw in the Z-Modem protocol allows the remote sender of a file to execute arbitrary programs on the client, as implemented in rz in the rzsz module of FreeBSD before 2.1.5, and possibly other programs.",
         "detected_at":"2024-04-15T15:46:48.356Z",
         "enumeration":"CVE",
         "id":"CVE-1999-1301",
         "published_at":"1996-07-16T04:00:00Z",
         "reference":"ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/old/FreeBSD-SA-96:17.rzsz.asc, http://ciac.llnl.gov/ciac/bulletins/g-31.shtml, http://www.iss.net/security_center/static/7540.php",
         "scanner":{
            "vendor":"Wazuh"
         },
         "score":{
            "base":7.5,
            "version":"2.0"
         },
         "severity":"High"
      },
      "wazuh":{
         "cluster":{
            "name":"wazuh"
         },
         "manager":{
            "name":"rhel-manager"
         },
         "schema":{
            "version":"1.0.0"
         }
      }
   }
},

The text was updated successfully, but these errors were encountered:

Rebits · 2024-04-24T08:53:28Z

Moved ETA to allow final review to 24/04/2024

davidjiglesias · 2024-04-25T06:39:11Z

LGTM

Rebits added level/task Task issue type/bug labels Apr 17, 2024

wazuhci added this to Release 4.8.0 Apr 17, 2024

wazuhci moved this to Triage in Release 4.8.0 Apr 17, 2024

MARCOSD4 mentioned this issue Apr 18, 2024

Add vulnerabilities and change packages in some Windows upgrade cases #5234

Merged

Rebits self-assigned this Apr 18, 2024

wazuhci moved this from Triage to In progress in Release 4.8.0 Apr 18, 2024

Rebits linked a pull request Apr 18, 2024 that will close this issue

Fix change greater than timestamp by detected_at in vulnerability index #5266

Merged

wazuhci moved this from In progress to Pending review in Release 4.8.0 Apr 19, 2024

wazuhci moved this from Pending review to In review in Release 4.8.0 Apr 22, 2024

wazuhci moved this from In review to On hold in Release 4.8.0 Apr 22, 2024

wazuhci moved this from On hold to In progress in Release 4.8.0 Apr 23, 2024

wazuhci moved this from In progress to Pending final review in Release 4.8.0 Apr 23, 2024

davidjiglesias closed this as completed Apr 25, 2024

wazuhci moved this from Pending final review to Done in Release 4.8.0 Apr 25, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update E2E method to filter wazuh-states-vulnerabilities by detected_at instead of timestamp #5239

Update E2E method to filter wazuh-states-vulnerabilities by detected_at instead of timestamp #5239

Rebits commented Apr 17, 2024

Rebits commented Apr 24, 2024

davidjiglesias commented Apr 25, 2024

Update E2E method to filter wazuh-states-vulnerabilities by detected_at instead of timestamp #5239

Update E2E method to filter wazuh-states-vulnerabilities by detected_at instead of timestamp #5239

Comments

Rebits commented Apr 17, 2024

Description

Rebits commented Apr 24, 2024

davidjiglesias commented Apr 25, 2024