qualys_vmdr: Add latest transform for Asset Host Detections (#13455)

Adds a latest transform for vulnerabilities which allows data
from Qualys VMDR to be displayed in Elastic Security CNVM workflow.

Ref: #11673

Author: kcreddy

packages/qualys_vmdr/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "6.6.0"
+  changes:
+    - description: Add latest transform for Host Detections.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/13455
 - version: "6.5.0"
   changes:
     - description: Update to v3 API for asset and knowledge_base data streams.

packages/qualys_vmdr/data_stream/asset_host_detection/sample_event.json

@@ -1,11 +1,11 @@
 {
-    "@timestamp": "2025-02-04T13:41:14.474Z",
+    "@timestamp": "2025-04-08T09:44:10.009Z",
     "agent": {
-        "ephemeral_id": "fdc43b03-8e0f-41f9-a377-5d8820668401",
-        "id": "ddaa4708-4109-4d2b-bbca-dc3fa4b8bfb5",
-        "name": "elastic-agent-15814",
+        "ephemeral_id": "7e54ee7b-229e-4d8a-b4db-021a9755f3b6",
+        "id": "a6b5dc9a-fdd8-48e8-93df-bd12211c464a",
+        "name": "elastic-agent-13786",
         "type": "filebeat",
-        "version": "8.16.0"
+        "version": "8.18.0"
     },
     "cloud": {
         "instance": {
@@ -14,25 +14,25 @@
     },
     "data_stream": {
         "dataset": "qualys_vmdr.asset_host_detection",
-        "namespace": "49337",
+        "namespace": "92309",
         "type": "logs"
     },
     "ecs": {
         "version": "8.11.0"
     },
     "elastic_agent": {
-        "id": "ddaa4708-4109-4d2b-bbca-dc3fa4b8bfb5",
-        "snapshot": false,
-        "version": "8.16.0"
+        "id": "a6b5dc9a-fdd8-48e8-93df-bd12211c464a",
+        "snapshot": true,
+        "version": "8.18.0"
     },
     "event": {
         "agent_id_status": "verified",
         "category": [
-            "host"
+            "vulnerability"
         ],
         "dataset": "qualys_vmdr.asset_host_detection",
         "id": "11111111",
-        "ingested": "2025-02-04T13:41:17Z",
+        "ingested": "2025-04-08T09:44:12Z",
         "kind": "alert",
         "original": "{\"DETECTION_LIST\":{\"AFFECT_RUNNING_KERNEL\":\"0\",\"FIRST_FOUND_DATETIME\":\"2021-02-05T04:50:45Z\",\"IS_DISABLED\":\"0\",\"IS_IGNORED\":\"0\",\"LAST_FIXED_DATETIME\":\"2022-12-14T06:52:57Z\",\"LAST_FOUND_DATETIME\":\"2024-03-08T20:15:41Z\",\"LAST_PROCESSED_DATETIME\":\"2024-03-08T20:15:41Z\",\"LAST_TEST_DATETIME\":\"2024-03-08T20:15:41Z\",\"LAST_UPDATE_DATETIME\":\"2024-03-08T20:15:41Z\",\"QDS\":{\"#text\":\"35\",\"severity\":\"LOW\"},\"QDS_FACTORS\":{\"QDS_FACTOR\":[{\"#text\":\"7.7\",\"name\":\"CVSS\"},{\"#text\":\"v3.x\",\"name\":\"CVSS_version\"},{\"#text\":\"0.00232\",\"name\":\"epss\"},{\"#text\":\"AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H\",\"name\":\"CVSS_vector\"}]},\"QID\":\"101\",\"RESULTS\":\"Package\\tInstalled Version\\tRequired Version\\nlinux-cloud-tools-4.4.0\\t1074-aws_4.4.0-1074.84\\t1092\\nlinux-aws-tools-4.4.0\\t1074_4.4.0-1074.84\\t1092\\nlinux-aws-headers-4.4.0\\t1074_4.15.0-1126.135\\t1092\\nlinux-tools-4.4.0\\t1074-aws_4.4.0-1074.84\\t1092\\nlinux-aws-cloud-tools-4.4.0\\t1074_4.4.0-1074.84\\t1092\",\"SEVERITY\":\"3\",\"SSL\":\"0\",\"STATUS\":\"Active\",\"TIMES_FOUND\":\"5393\",\"TYPE\":\"Confirmed\",\"UNIQUE_VULN_ID\":\"11111111\"},\"DNS\":\"adfssrvr.adfs.local\",\"DNS_DATA\":{\"DOMAIN\":\"adfs.local\",\"FQDN\":\"adfssrvr.adfs.local\",\"HOSTNAME\":\"adfssrvr\"},\"ID\":\"1\",\"IP\":\"10.50.2.111\",\"KNOWLEDGE_BASE\":{\"CATEGORY\":\"CGI\",\"CONSEQUENCE\":\"Depending on the vulnerability being exploited, an unauthenticated remote attacker could conduct cross-site scripting, clickjacking or MIME-type sniffing attacks.\",\"CVE_LIST\":[\"CVE-2022-31629\",\"CVE-2022-31628\"],\"DIAGNOSIS\":\"This QID reports the absence of the following\",\"DISCOVERY\":{\"REMOTE\":\"1\"},\"LAST_SERVICE_MODIFICATION_DATETIME\":\"2023-06-29T12:20:46Z\",\"PATCHABLE\":\"0\",\"PCI_FLAG\":\"1\",\"PUBLISHED_DATETIME\":\"2017-06-05T21:34:49Z\",\"QID\":\"101\",\"SEVERITY_LEVEL\":\"2\",\"SOFTWARE_LIST\":{\"SOFTWARE\":[{\"PRODUCT\":\"None\",\"VENDOR\":\"multi-vendor\"}]},\"SOLUTION\":\"\\u003cB\\u003eNote:\\u003c/B\\u003e To better debug the results of this QID\",\"THREAT_INTELLIGENCE\":{\"THREAT_INTEL\":[{\"id\":\"8\"}]},\"TITLE\":\"HTTP Security Header Not Detected\",\"VULN_TYPE\":\"Vulnerability\"},\"LAST_PC_SCANNED_DATE\":\"2023-06-28T09:58:12Z\",\"LAST_SCAN_DATETIME\":\"2023-07-03T06:25:17Z\",\"LAST_VM_SCANNED_DATE\":\"2023-07-03T06:23:47Z\",\"LAST_VM_SCANNED_DURATION\":\"1113\",\"NETBIOS\":\"ADFSSRVR\",\"OS\":\"Windows 2016/2019/10\",\"TRACKING_METHOD\":\"IP\"}",
         "type": [
@@ -140,29 +140,33 @@
             "last_vm_scanned_duration": 1113,
             "netbios": "ADFSSRVR",
             "os": "Windows 2016/2019/10",
-            "package_nested": {
-                "fixed_version": [
-                    "1092",
-                    "1092",
-                    "1092",
-                    "1092",
-                    "1092"
-                ],
-                "name": [
-                    "linux-cloud-tools-4.4.0",
-                    "linux-aws-tools-4.4.0",
-                    "linux-aws-headers-4.4.0",
-                    "linux-tools-4.4.0",
-                    "linux-aws-cloud-tools-4.4.0"
-                ],
-                "version": [
-                    "1074-aws_4.4.0-1074.84",
-                    "1074_4.4.0-1074.84",
-                    "1074_4.15.0-1126.135",
-                    "1074-aws_4.4.0-1074.84",
-                    "1074_4.4.0-1074.84"
-                ]
-            },
+            "package_nested": [
+                {
+                    "fixed_version": "1092",
+                    "name": "linux-cloud-tools-4.4.0",
+                    "version": "1074-aws_4.4.0-1074.84"
+                },
+                {
+                    "fixed_version": "1092",
+                    "name": "linux-aws-tools-4.4.0",
+                    "version": "1074_4.4.0-1074.84"
+                },
+                {
+                    "fixed_version": "1092",
+                    "name": "linux-aws-headers-4.4.0",
+                    "version": "1074_4.15.0-1126.135"
+                },
+                {
+                    "fixed_version": "1092",
+                    "name": "linux-tools-4.4.0",
+                    "version": "1074-aws_4.4.0-1074.84"
+                },
+                {
+                    "fixed_version": "1092",
+                    "name": "linux-aws-cloud-tools-4.4.0",
+                    "version": "1074_4.4.0-1074.84"
+                }
+            ],
             "tracking_method": "IP",
             "vulnerability": {
                 "affect_running_kernel": "0",
@@ -276,4 +280,4 @@
         "severity": "high",
         "title": "HTTP Security Header Not Detected"
     }
-}
+}

packages/qualys_vmdr/docs/README.md

@@ -125,13 +125,13 @@ An example event for `asset_host_detection` looks as following:
 
 ```json
 {
-    "@timestamp": "2025-02-04T13:41:14.474Z",
+    "@timestamp": "2025-04-08T09:44:10.009Z",
     "agent": {
-        "ephemeral_id": "fdc43b03-8e0f-41f9-a377-5d8820668401",
-        "id": "ddaa4708-4109-4d2b-bbca-dc3fa4b8bfb5",
-        "name": "elastic-agent-15814",
+        "ephemeral_id": "7e54ee7b-229e-4d8a-b4db-021a9755f3b6",
+        "id": "a6b5dc9a-fdd8-48e8-93df-bd12211c464a",
+        "name": "elastic-agent-13786",
         "type": "filebeat",
-        "version": "8.16.0"
+        "version": "8.18.0"
     },
     "cloud": {
         "instance": {
@@ -140,25 +140,25 @@ An example event for `asset_host_detection` looks as following:
     },
     "data_stream": {
         "dataset": "qualys_vmdr.asset_host_detection",
-        "namespace": "49337",
+        "namespace": "92309",
         "type": "logs"
     },
     "ecs": {
         "version": "8.11.0"
     },
     "elastic_agent": {
-        "id": "ddaa4708-4109-4d2b-bbca-dc3fa4b8bfb5",
-        "snapshot": false,
-        "version": "8.16.0"
+        "id": "a6b5dc9a-fdd8-48e8-93df-bd12211c464a",
+        "snapshot": true,
+        "version": "8.18.0"
     },
     "event": {
         "agent_id_status": "verified",
         "category": [
-            "host"
+            "vulnerability"
         ],
         "dataset": "qualys_vmdr.asset_host_detection",
         "id": "11111111",
-        "ingested": "2025-02-04T13:41:17Z",
+        "ingested": "2025-04-08T09:44:12Z",
         "kind": "alert",
         "original": "{\"DETECTION_LIST\":{\"AFFECT_RUNNING_KERNEL\":\"0\",\"FIRST_FOUND_DATETIME\":\"2021-02-05T04:50:45Z\",\"IS_DISABLED\":\"0\",\"IS_IGNORED\":\"0\",\"LAST_FIXED_DATETIME\":\"2022-12-14T06:52:57Z\",\"LAST_FOUND_DATETIME\":\"2024-03-08T20:15:41Z\",\"LAST_PROCESSED_DATETIME\":\"2024-03-08T20:15:41Z\",\"LAST_TEST_DATETIME\":\"2024-03-08T20:15:41Z\",\"LAST_UPDATE_DATETIME\":\"2024-03-08T20:15:41Z\",\"QDS\":{\"#text\":\"35\",\"severity\":\"LOW\"},\"QDS_FACTORS\":{\"QDS_FACTOR\":[{\"#text\":\"7.7\",\"name\":\"CVSS\"},{\"#text\":\"v3.x\",\"name\":\"CVSS_version\"},{\"#text\":\"0.00232\",\"name\":\"epss\"},{\"#text\":\"AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H\",\"name\":\"CVSS_vector\"}]},\"QID\":\"101\",\"RESULTS\":\"Package\\tInstalled Version\\tRequired Version\\nlinux-cloud-tools-4.4.0\\t1074-aws_4.4.0-1074.84\\t1092\\nlinux-aws-tools-4.4.0\\t1074_4.4.0-1074.84\\t1092\\nlinux-aws-headers-4.4.0\\t1074_4.15.0-1126.135\\t1092\\nlinux-tools-4.4.0\\t1074-aws_4.4.0-1074.84\\t1092\\nlinux-aws-cloud-tools-4.4.0\\t1074_4.4.0-1074.84\\t1092\",\"SEVERITY\":\"3\",\"SSL\":\"0\",\"STATUS\":\"Active\",\"TIMES_FOUND\":\"5393\",\"TYPE\":\"Confirmed\",\"UNIQUE_VULN_ID\":\"11111111\"},\"DNS\":\"adfssrvr.adfs.local\",\"DNS_DATA\":{\"DOMAIN\":\"adfs.local\",\"FQDN\":\"adfssrvr.adfs.local\",\"HOSTNAME\":\"adfssrvr\"},\"ID\":\"1\",\"IP\":\"10.50.2.111\",\"KNOWLEDGE_BASE\":{\"CATEGORY\":\"CGI\",\"CONSEQUENCE\":\"Depending on the vulnerability being exploited, an unauthenticated remote attacker could conduct cross-site scripting, clickjacking or MIME-type sniffing attacks.\",\"CVE_LIST\":[\"CVE-2022-31629\",\"CVE-2022-31628\"],\"DIAGNOSIS\":\"This QID reports the absence of the following\",\"DISCOVERY\":{\"REMOTE\":\"1\"},\"LAST_SERVICE_MODIFICATION_DATETIME\":\"2023-06-29T12:20:46Z\",\"PATCHABLE\":\"0\",\"PCI_FLAG\":\"1\",\"PUBLISHED_DATETIME\":\"2017-06-05T21:34:49Z\",\"QID\":\"101\",\"SEVERITY_LEVEL\":\"2\",\"SOFTWARE_LIST\":{\"SOFTWARE\":[{\"PRODUCT\":\"None\",\"VENDOR\":\"multi-vendor\"}]},\"SOLUTION\":\"\\u003cB\\u003eNote:\\u003c/B\\u003e To better debug the results of this QID\",\"THREAT_INTELLIGENCE\":{\"THREAT_INTEL\":[{\"id\":\"8\"}]},\"TITLE\":\"HTTP Security Header Not Detected\",\"VULN_TYPE\":\"Vulnerability\"},\"LAST_PC_SCANNED_DATE\":\"2023-06-28T09:58:12Z\",\"LAST_SCAN_DATETIME\":\"2023-07-03T06:25:17Z\",\"LAST_VM_SCANNED_DATE\":\"2023-07-03T06:23:47Z\",\"LAST_VM_SCANNED_DURATION\":\"1113\",\"NETBIOS\":\"ADFSSRVR\",\"OS\":\"Windows 2016/2019/10\",\"TRACKING_METHOD\":\"IP\"}",
         "type": [
@@ -266,29 +266,33 @@ An example event for `asset_host_detection` looks as following:
             "last_vm_scanned_duration": 1113,
             "netbios": "ADFSSRVR",
             "os": "Windows 2016/2019/10",
-            "package_nested": {
-                "fixed_version": [
-                    "1092",
-                    "1092",
-                    "1092",
-                    "1092",
-                    "1092"
-                ],
-                "name": [
-                    "linux-cloud-tools-4.4.0",
-                    "linux-aws-tools-4.4.0",
-                    "linux-aws-headers-4.4.0",
-                    "linux-tools-4.4.0",
-                    "linux-aws-cloud-tools-4.4.0"
-                ],
-                "version": [
-                    "1074-aws_4.4.0-1074.84",
-                    "1074_4.4.0-1074.84",
-                    "1074_4.15.0-1126.135",
-                    "1074-aws_4.4.0-1074.84",
-                    "1074_4.4.0-1074.84"
-                ]
-            },
+            "package_nested": [
+                {
+                    "fixed_version": "1092",
+                    "name": "linux-cloud-tools-4.4.0",
+                    "version": "1074-aws_4.4.0-1074.84"
+                },
+                {
+                    "fixed_version": "1092",
+                    "name": "linux-aws-tools-4.4.0",
+                    "version": "1074_4.4.0-1074.84"
+                },
+                {
+                    "fixed_version": "1092",
+                    "name": "linux-aws-headers-4.4.0",
+                    "version": "1074_4.15.0-1126.135"
+                },
+                {
+                    "fixed_version": "1092",
+                    "name": "linux-tools-4.4.0",
+                    "version": "1074-aws_4.4.0-1074.84"
+                },
+                {
+                    "fixed_version": "1092",
+                    "name": "linux-aws-cloud-tools-4.4.0",
+                    "version": "1074_4.4.0-1074.84"
+                }
+            ],
             "tracking_method": "IP",
             "vulnerability": {
                 "affect_running_kernel": "0",

packages/qualys_vmdr/elasticsearch/transform/latest_cdr_vulnerabilities/fields/base-fields.yml

@@ -0,0 +1,17 @@
+- name: data_stream.type
+  external: ecs
+- name: data_stream.dataset
+  external: ecs
+- name: data_stream.namespace
+  external: ecs
+  type: keyword
+- name: event.module
+  external: ecs
+  type: constant_keyword
+  value: qualys_vmdr
+- name: event.dataset
+  external: ecs
+  type: constant_keyword
+  value: qualys_vmdr.asset_host_detection
+- name: '@timestamp'
+  external: ecs

packages/qualys_vmdr/elasticsearch/transform/latest_cdr_vulnerabilities/fields/beats.yml

@@ -0,0 +1,6 @@
+- name: input.type
+  type: keyword
+  description: Type of filebeat input.
+- name: log.offset
+  type: long
+  description: Log offset.

packages/qualys_vmdr/elasticsearch/transform/latest_cdr_vulnerabilities/fields/ecs.yml

@@ -0,0 +1,98 @@
+# Define ECS constant fields as constant_keyword
+- name: observer.vendor
+  type: constant_keyword
+  external: ecs
+- name: vulnerability.scanner.vendor
+  type: constant_keyword
+  external: ecs
+# Other ECS fields
+- name: agent.ephemeral_id
+  external: ecs
+- name: agent.id
+  external: ecs
+- name: agent.name
+  external: ecs
+- name: agent.type
+  external: ecs
+- name: agent.version
+  external: ecs
+- name: cloud.account.id
+  external: ecs
+- name: cloud.account.name
+  external: ecs
+- name: cloud.availability_zone
+  external: ecs
+- name: cloud.instance.id
+  external: ecs
+- name: cloud.instance.name
+  external: ecs
+- name: cloud.machine.type
+  external: ecs
+- name: cloud.project.id
+  external: ecs
+- name: cloud.project.name
+  external: ecs
+- name: cloud.provider
+  external: ecs
+- name: cloud.region
+  external: ecs
+- name: cloud.service.name
+  external: ecs
+- name: ecs.version
+  external: ecs
+- name: event.agent_id_status
+  external: ecs
+- name: event.category
+  external: ecs
+- name: event.id
+  external: ecs
+- name: event.ingested
+  external: ecs
+- name: event.kind
+  external: ecs
+- name: event.type
+  external: ecs
+- name: host.domain
+  external: ecs
+- name: host.hostname
+  external: ecs
+- name: host.id
+  external: ecs
+- name: host.ip
+  external: ecs
+- name: host.name
+  external: ecs
+- name: host.os.full
+  external: ecs
+- name: host.os.platform
+  external: ecs
+- name: host.os.type
+  external: ecs
+- name: package.name
+  external: ecs
+- name: package.version
+  external: ecs
+- name: related.hosts
+  external: ecs
+- name: related.ip
+  external: ecs
+- name: tags
+  external: ecs
+- name: vulnerability.category
+  external: ecs
+- name: vulnerability.classification
+  external: ecs
+- name: vulnerability.description
+  external: ecs
+- name: vulnerability.enumeration
+  external: ecs
+- name: vulnerability.id
+  external: ecs
+- name: vulnerability.reference
+  external: ecs
+- name: vulnerability.score.base
+  external: ecs
+- name: vulnerability.score.version
+  external: ecs
+- name: vulnerability.severity
+  external: ecs