diff --git a/packages/qualys_vmdr/changelog.yml b/packages/qualys_vmdr/changelog.yml
index 874bbc6188a..3d3c55bbb62 100644
--- a/packages/qualys_vmdr/changelog.yml
+++ b/packages/qualys_vmdr/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "6.6.0"
+ changes:
+ - description: Add latest transform for Host Detections.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/13455
 - version: "6.5.0"
 changes:
 - description: Update to v3 API for asset and knowledge_base data streams.
diff --git a/packages/qualys_vmdr/data_stream/asset_host_detection/sample_event.json b/packages/qualys_vmdr/data_stream/asset_host_detection/sample_event.json
index 682b224bda0..06a8e8d24f6 100644
--- a/packages/qualys_vmdr/data_stream/asset_host_detection/sample_event.json
+++ b/packages/qualys_vmdr/data_stream/asset_host_detection/sample_event.json
@@ -1,11 +1,11 @@
 {
- "@timestamp": "2025-02-04T13:41:14.474Z",
+ "@timestamp": "2025-04-08T09:44:10.009Z",
 "agent": {
- "ephemeral_id": "fdc43b03-8e0f-41f9-a377-5d8820668401",
- "id": "ddaa4708-4109-4d2b-bbca-dc3fa4b8bfb5",
- "name": "elastic-agent-15814",
+ "ephemeral_id": "7e54ee7b-229e-4d8a-b4db-021a9755f3b6",
+ "id": "a6b5dc9a-fdd8-48e8-93df-bd12211c464a",
+ "name": "elastic-agent-13786",
 "type": "filebeat",
- "version": "8.16.0"
+ "version": "8.18.0"
 },
 "cloud": {
 "instance": {
@@ -14,25 +14,25 @@ }, "data_stream": { "dataset": "qualys_vmdr.asset_host_detection", - "namespace": "49337", + "namespace": "92309", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "ddaa4708-4109-4d2b-bbca-dc3fa4b8bfb5", - "snapshot": false, - "version": "8.16.0" + "id": "a6b5dc9a-fdd8-48e8-93df-bd12211c464a", + "snapshot": true, + "version": "8.18.0" }, "event": { "agent_id_status": "verified", "category": [ - "host" + "vulnerability" ], "dataset": "qualys_vmdr.asset_host_detection", "id": "11111111", - "ingested": "2025-02-04T13:41:17Z", + "ingested": "2025-04-08T09:44:12Z", "kind": "alert", "original": "{\"DETECTION_LIST\":{\"AFFECT_RUNNING_KERNEL\":\"0\",\"FIRST_FOUND_DATETIME\":\"2021-02-05T04:50:45Z\",\"IS_DISABLED\":\"0\",\"IS_IGNORED\":\"0\",\"LAST_FIXED_DATETIME\":\"2022-12-14T06:52:57Z\",\"LAST_FOUND_DATETIME\":\"2024-03-08T20:15:41Z\",\"LAST_PROCESSED_DATETIME\":\"2024-03-08T20:15:41Z\",\"LAST_TEST_DATETIME\":\"2024-03-08T20:15:41Z\",\"LAST_UPDATE_DATETIME\":\"2024-03-08T20:15:41Z\",\"QDS\":{\"#text\":\"35\",\"severity\":\"LOW\"},\"QDS_FACTORS\":{\"QDS_FACTOR\":[{\"#text\":\"7.7\",\"name\":\"CVSS\"},{\"#text\":\"v3.x\",\"name\":\"CVSS_version\"},{\"#text\":\"0.00232\",\"name\":\"epss\"},{\"#text\":\"AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H\",\"name\":\"CVSS_vector\"}]},\"QID\":\"101\",\"RESULTS\":\"Package\\tInstalled Version\\tRequired 
Version\\nlinux-cloud-tools-4.4.0\\t1074-aws_4.4.0-1074.84\\t1092\\nlinux-aws-tools-4.4.0\\t1074_4.4.0-1074.84\\t1092\\nlinux-aws-headers-4.4.0\\t1074_4.15.0-1126.135\\t1092\\nlinux-tools-4.4.0\\t1074-aws_4.4.0-1074.84\\t1092\\nlinux-aws-cloud-tools-4.4.0\\t1074_4.4.0-1074.84\\t1092\",\"SEVERITY\":\"3\",\"SSL\":\"0\",\"STATUS\":\"Active\",\"TIMES_FOUND\":\"5393\",\"TYPE\":\"Confirmed\",\"UNIQUE_VULN_ID\":\"11111111\"},\"DNS\":\"adfssrvr.adfs.local\",\"DNS_DATA\":{\"DOMAIN\":\"adfs.local\",\"FQDN\":\"adfssrvr.adfs.local\",\"HOSTNAME\":\"adfssrvr\"},\"ID\":\"1\",\"IP\":\"10.50.2.111\",\"KNOWLEDGE_BASE\":{\"CATEGORY\":\"CGI\",\"CONSEQUENCE\":\"Depending on the vulnerability being exploited, an unauthenticated remote attacker could conduct cross-site scripting, clickjacking or MIME-type sniffing attacks.\",\"CVE_LIST\":[\"CVE-2022-31629\",\"CVE-2022-31628\"],\"DIAGNOSIS\":\"This QID reports the absence of the following\",\"DISCOVERY\":{\"REMOTE\":\"1\"},\"LAST_SERVICE_MODIFICATION_DATETIME\":\"2023-06-29T12:20:46Z\",\"PATCHABLE\":\"0\",\"PCI_FLAG\":\"1\",\"PUBLISHED_DATETIME\":\"2017-06-05T21:34:49Z\",\"QID\":\"101\",\"SEVERITY_LEVEL\":\"2\",\"SOFTWARE_LIST\":{\"SOFTWARE\":[{\"PRODUCT\":\"None\",\"VENDOR\":\"multi-vendor\"}]},\"SOLUTION\":\"\\u003cB\\u003eNote:\\u003c/B\\u003e To better debug the results of this QID\",\"THREAT_INTELLIGENCE\":{\"THREAT_INTEL\":[{\"id\":\"8\"}]},\"TITLE\":\"HTTP Security Header Not Detected\",\"VULN_TYPE\":\"Vulnerability\"},\"LAST_PC_SCANNED_DATE\":\"2023-06-28T09:58:12Z\",\"LAST_SCAN_DATETIME\":\"2023-07-03T06:25:17Z\",\"LAST_VM_SCANNED_DATE\":\"2023-07-03T06:23:47Z\",\"LAST_VM_SCANNED_DURATION\":\"1113\",\"NETBIOS\":\"ADFSSRVR\",\"OS\":\"Windows 2016/2019/10\",\"TRACKING_METHOD\":\"IP\"}", "type": [ 
@@ -140,29 +140,33 @@
 "last_vm_scanned_duration": 1113,
 "netbios": "ADFSSRVR",
 "os": "Windows 2016/2019/10",
- "package_nested": {
- "fixed_version": [
- "1092",
- "1092",
- "1092",
- "1092",
- "1092"
- ],
- "name": [
- "linux-cloud-tools-4.4.0",
- "linux-aws-tools-4.4.0",
- "linux-aws-headers-4.4.0",
- "linux-tools-4.4.0",
- "linux-aws-cloud-tools-4.4.0"
- ],
- "version": [
- "1074-aws_4.4.0-1074.84",
- "1074_4.4.0-1074.84",
- "1074_4.15.0-1126.135",
- "1074-aws_4.4.0-1074.84",
- "1074_4.4.0-1074.84"
- ]
- },
+ "package_nested": [
+ {
+ "fixed_version": "1092",
+ "name": "linux-cloud-tools-4.4.0",
+ "version": "1074-aws_4.4.0-1074.84"
+ },
+ {
+ "fixed_version": "1092",
+ "name": "linux-aws-tools-4.4.0",
+ "version": "1074_4.4.0-1074.84"
+ },
+ {
+ "fixed_version": "1092",
+ "name": "linux-aws-headers-4.4.0",
+ "version": "1074_4.15.0-1126.135"
+ },
+ {
+ "fixed_version": "1092",
+ "name": "linux-tools-4.4.0",
+ "version": "1074-aws_4.4.0-1074.84"
+ },
+ {
+ "fixed_version": "1092",
+ "name": "linux-aws-cloud-tools-4.4.0",
+ "version": "1074_4.4.0-1074.84"
+ }
+ ],
 "tracking_method": "IP",
 "vulnerability": {
 "affect_running_kernel": "0",
@@ -276,4 +280,4 @@
 "severity": "high",
 "title": "HTTP Security Header Not Detected"
 }
-}
\ No newline at end of file
+}
diff --git a/packages/qualys_vmdr/docs/README.md b/packages/qualys_vmdr/docs/README.md
index 0d9ee9f1c8d..cb672a2c359 100644
--- a/packages/qualys_vmdr/docs/README.md
+++ b/packages/qualys_vmdr/docs/README.md
@@ -125,13 +125,13 @@ An example event for `asset_host_detection` looks as following: ```json { - "@timestamp": "2025-02-04T13:41:14.474Z", + "@timestamp": "2025-04-08T09:44:10.009Z", "agent": { - "ephemeral_id": "fdc43b03-8e0f-41f9-a377-5d8820668401", - "id": "ddaa4708-4109-4d2b-bbca-dc3fa4b8bfb5", - "name": "elastic-agent-15814", + "ephemeral_id": "7e54ee7b-229e-4d8a-b4db-021a9755f3b6", + "id": "a6b5dc9a-fdd8-48e8-93df-bd12211c464a", + "name": "elastic-agent-13786", "type": "filebeat", - "version": "8.16.0" + "version": "8.18.0" }, "cloud": { "instance": { 
@@ -140,25 +140,25 @@ An example event for `asset_host_detection` looks as following: }, "data_stream": { "dataset": "qualys_vmdr.asset_host_detection", - "namespace": "49337", + "namespace": "92309", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "ddaa4708-4109-4d2b-bbca-dc3fa4b8bfb5", - "snapshot": false, - "version": "8.16.0" + "id": "a6b5dc9a-fdd8-48e8-93df-bd12211c464a", + "snapshot": true, + "version": "8.18.0" }, "event": { "agent_id_status": "verified", "category": [ - "host" + "vulnerability" ], "dataset": "qualys_vmdr.asset_host_detection", "id": "11111111", - "ingested": "2025-02-04T13:41:17Z", + "ingested": "2025-04-08T09:44:12Z", "kind": "alert", "original": "{\"DETECTION_LIST\":{\"AFFECT_RUNNING_KERNEL\":\"0\",\"FIRST_FOUND_DATETIME\":\"2021-02-05T04:50:45Z\",\"IS_DISABLED\":\"0\",\"IS_IGNORED\":\"0\",\"LAST_FIXED_DATETIME\":\"2022-12-14T06:52:57Z\",\"LAST_FOUND_DATETIME\":\"2024-03-08T20:15:41Z\",\"LAST_PROCESSED_DATETIME\":\"2024-03-08T20:15:41Z\",\"LAST_TEST_DATETIME\":\"2024-03-08T20:15:41Z\",\"LAST_UPDATE_DATETIME\":\"2024-03-08T20:15:41Z\",\"QDS\":{\"#text\":\"35\",\"severity\":\"LOW\"},\"QDS_FACTORS\":{\"QDS_FACTOR\":[{\"#text\":\"7.7\",\"name\":\"CVSS\"},{\"#text\":\"v3.x\",\"name\":\"CVSS_version\"},{\"#text\":\"0.00232\",\"name\":\"epss\"},{\"#text\":\"AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H\",\"name\":\"CVSS_vector\"}]},\"QID\":\"101\",\"RESULTS\":\"Package\\tInstalled Version\\tRequired 
Version\\nlinux-cloud-tools-4.4.0\\t1074-aws_4.4.0-1074.84\\t1092\\nlinux-aws-tools-4.4.0\\t1074_4.4.0-1074.84\\t1092\\nlinux-aws-headers-4.4.0\\t1074_4.15.0-1126.135\\t1092\\nlinux-tools-4.4.0\\t1074-aws_4.4.0-1074.84\\t1092\\nlinux-aws-cloud-tools-4.4.0\\t1074_4.4.0-1074.84\\t1092\",\"SEVERITY\":\"3\",\"SSL\":\"0\",\"STATUS\":\"Active\",\"TIMES_FOUND\":\"5393\",\"TYPE\":\"Confirmed\",\"UNIQUE_VULN_ID\":\"11111111\"},\"DNS\":\"adfssrvr.adfs.local\",\"DNS_DATA\":{\"DOMAIN\":\"adfs.local\",\"FQDN\":\"adfssrvr.adfs.local\",\"HOSTNAME\":\"adfssrvr\"},\"ID\":\"1\",\"IP\":\"10.50.2.111\",\"KNOWLEDGE_BASE\":{\"CATEGORY\":\"CGI\",\"CONSEQUENCE\":\"Depending on the vulnerability being exploited, an unauthenticated remote attacker could conduct cross-site scripting, clickjacking or MIME-type sniffing attacks.\",\"CVE_LIST\":[\"CVE-2022-31629\",\"CVE-2022-31628\"],\"DIAGNOSIS\":\"This QID reports the absence of the following\",\"DISCOVERY\":{\"REMOTE\":\"1\"},\"LAST_SERVICE_MODIFICATION_DATETIME\":\"2023-06-29T12:20:46Z\",\"PATCHABLE\":\"0\",\"PCI_FLAG\":\"1\",\"PUBLISHED_DATETIME\":\"2017-06-05T21:34:49Z\",\"QID\":\"101\",\"SEVERITY_LEVEL\":\"2\",\"SOFTWARE_LIST\":{\"SOFTWARE\":[{\"PRODUCT\":\"None\",\"VENDOR\":\"multi-vendor\"}]},\"SOLUTION\":\"\\u003cB\\u003eNote:\\u003c/B\\u003e To better debug the results of this QID\",\"THREAT_INTELLIGENCE\":{\"THREAT_INTEL\":[{\"id\":\"8\"}]},\"TITLE\":\"HTTP Security Header Not Detected\",\"VULN_TYPE\":\"Vulnerability\"},\"LAST_PC_SCANNED_DATE\":\"2023-06-28T09:58:12Z\",\"LAST_SCAN_DATETIME\":\"2023-07-03T06:25:17Z\",\"LAST_VM_SCANNED_DATE\":\"2023-07-03T06:23:47Z\",\"LAST_VM_SCANNED_DURATION\":\"1113\",\"NETBIOS\":\"ADFSSRVR\",\"OS\":\"Windows 2016/2019/10\",\"TRACKING_METHOD\":\"IP\"}", "type": [ 
@@ -266,29 +266,33 @@ An example event for `asset_host_detection` looks as following:
 "last_vm_scanned_duration": 1113,
 "netbios": "ADFSSRVR",
 "os": "Windows 2016/2019/10",
- "package_nested": {
- "fixed_version": [
- "1092",
- "1092",
- "1092",
- "1092",
- "1092"
- ],
- "name": [
- "linux-cloud-tools-4.4.0",
- "linux-aws-tools-4.4.0",
- "linux-aws-headers-4.4.0",
- "linux-tools-4.4.0",
- "linux-aws-cloud-tools-4.4.0"
- ],
- "version": [
- "1074-aws_4.4.0-1074.84",
- "1074_4.4.0-1074.84",
- "1074_4.15.0-1126.135",
- "1074-aws_4.4.0-1074.84",
- "1074_4.4.0-1074.84"
- ]
- },
+ "package_nested": [
+ {
+ "fixed_version": "1092",
+ "name": "linux-cloud-tools-4.4.0",
+ "version": "1074-aws_4.4.0-1074.84"
+ },
+ {
+ "fixed_version": "1092",
+ "name": "linux-aws-tools-4.4.0",
+ "version": "1074_4.4.0-1074.84"
+ },
+ {
+ "fixed_version": "1092",
+ "name": "linux-aws-headers-4.4.0",
+ "version": "1074_4.15.0-1126.135"
+ },
+ {
+ "fixed_version": "1092",
+ "name": "linux-tools-4.4.0",
+ "version": "1074-aws_4.4.0-1074.84"
+ },
+ {
+ "fixed_version": "1092",
+ "name": "linux-aws-cloud-tools-4.4.0",
+ "version": "1074_4.4.0-1074.84"
+ }
+ ],
 "tracking_method": "IP",
 "vulnerability": {
 "affect_running_kernel": "0",
diff --git a/packages/qualys_vmdr/elasticsearch/transform/latest_cdr_vulnerabilities/fields/base-fields.yml b/packages/qualys_vmdr/elasticsearch/transform/latest_cdr_vulnerabilities/fields/base-fields.yml
new file mode 100644
index 00000000000..ba9bbc3471f
--- /dev/null
+++ b/packages/qualys_vmdr/elasticsearch/transform/latest_cdr_vulnerabilities/fields/base-fields.yml
@@ -0,0 +1,17 @@
+- name: data_stream.type
+ external: ecs
+- name: data_stream.dataset
+ external: ecs
+- name: data_stream.namespace
+ external: ecs
+ type: keyword
+- name: event.module
+ external: ecs
+ type: constant_keyword
+ value: qualys_vmdr
+- name: event.dataset
+ external: ecs
+ type: constant_keyword
+ value: qualys_vmdr.asset_host_detection
+- name: '@timestamp'
+ external: ecs
diff --git a/packages/qualys_vmdr/elasticsearch/transform/latest_cdr_vulnerabilities/fields/beats.yml b/packages/qualys_vmdr/elasticsearch/transform/latest_cdr_vulnerabilities/fields/beats.yml
new file mode 100644
index 00000000000..4084f1dc7f5
--- /dev/null
+++ b/packages/qualys_vmdr/elasticsearch/transform/latest_cdr_vulnerabilities/fields/beats.yml
@@ -0,0 +1,6 @@
+- name: input.type
+ type: keyword
+ description: Type of filebeat input.
+- name: log.offset
+ type: long
+ description: Log offset.
diff --git a/packages/qualys_vmdr/elasticsearch/transform/latest_cdr_vulnerabilities/fields/ecs.yml b/packages/qualys_vmdr/elasticsearch/transform/latest_cdr_vulnerabilities/fields/ecs.yml
new file mode 100644
index 00000000000..541a3d588bf
--- /dev/null
+++ b/packages/qualys_vmdr/elasticsearch/transform/latest_cdr_vulnerabilities/fields/ecs.yml
@@ -0,0 +1,98 @@
+# Define ECS constant fields as constant_keyword
+- name: observer.vendor
+ type: constant_keyword
+ external: ecs
+- name: vulnerability.scanner.vendor
+ type: constant_keyword
+ external: ecs
+# Other ECS fields
+- name: agent.ephemeral_id
+ external: ecs
+- name: agent.id
+ external: ecs
+- name: agent.name
+ external: ecs
+- name: agent.type
+ external: ecs
+- name: agent.version
+ external: ecs
+- name: cloud.account.id
+ external: ecs
+- name: cloud.account.name
+ external: ecs
+- name: cloud.availability_zone
+ external: ecs
+- name: cloud.instance.id
+ external: ecs
+- name: cloud.instance.name
+ external: ecs
+- name: cloud.machine.type
+ external: ecs
+- name: cloud.project.id
+ external: ecs
+- name: cloud.project.name
+ external: ecs
+- name: cloud.provider
+ external: ecs
+- name: cloud.region
+ external: ecs
+- name: cloud.service.name
+ external: ecs
+- name: ecs.version
+ external: ecs
+- name: event.agent_id_status
+ external: ecs
+- name: event.category
+ external: ecs
+- name: event.id
+ external: ecs
+- name: event.ingested
+ external: ecs
+- name: event.kind
+ external: ecs
+- name: event.type
+ external: ecs
+- name: host.domain
+ external: ecs
+- name: host.hostname
+ external: ecs
+- name: host.id
+ external: ecs
+- name: host.ip
+ external: ecs
+- name: host.name
+ external: ecs
+- name: host.os.full
+ external: ecs
+- name: host.os.platform
+ external: ecs
+- name: host.os.type
+ external: ecs
+- name: package.name
+ external: ecs
+- name: package.version
+ external: ecs
+- name: related.hosts
+ external: ecs
+- name: related.ip
+ external: ecs
+- name: tags
+ external: ecs
+- name: vulnerability.category
+ external: ecs
+- name: vulnerability.classification
+ external: ecs
+- name: vulnerability.description
+ external: ecs
+- name: vulnerability.enumeration
+ external: ecs
+- name: vulnerability.id
+ external: ecs
+- name: vulnerability.reference
+ external: ecs
+- name: vulnerability.score.base
+ external: ecs
+- name: vulnerability.score.version
+ external: ecs
+- name: vulnerability.severity
+ external: ecs
diff --git a/packages/qualys_vmdr/elasticsearch/transform/latest_cdr_vulnerabilities/fields/fields.yml b/packages/qualys_vmdr/elasticsearch/transform/latest_cdr_vulnerabilities/fields/fields.yml
new file mode 100644
index 00000000000..9a26cac4125
--- /dev/null
+++ b/packages/qualys_vmdr/elasticsearch/transform/latest_cdr_vulnerabilities/fields/fields.yml
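Review bot: `observer.vendor` and `vulnerability.scanner.vendor` at the top of this file are mapped as `constant_keyword` without a `value:`, so the destination index fixes each field's value from whichever document the transform indexes first and rejects every later document that carries a different one. If the ingest pipeline always sets these to a single literal (the pipeline is not in this diff), pin it explicitly with `value:` under each entry, as `base-fields.yml` already does for `event.module`, so the mapping does not depend on indexing order; if the value can legitimately vary, plain `keyword` is the safer type. Either way, the header comment `# Define ECS constant fields as constant_keyword` would be clearer as `# constant_keyword without value: is fixed by the first indexed document; pin value: when the pipeline guarantees one literal`.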
@@ -0,0 +1,493 @@ +- name: qualys_vmdr.asset_host_detection + type: group + fields: + - name: asset_id + type: long + - name: cloud_provider + type: keyword + - name: cloud_provider_tags + type: group + fields: + - name: cloud_tag + type: group + fields: + - name: last_success_date + type: date + - name: name + type: keyword + - name: value + type: keyword + - name: cloud_resource_id + type: keyword + - name: cloud_service + type: keyword + - name: dns + type: keyword + - name: dns_data + type: group + fields: + - name: domain + type: keyword + - name: fqdn + type: keyword + - name: hostname + type: keyword + - name: ec2_instance_id + type: keyword + - name: id + type: keyword + - name: ip + type: ip + - name: ipv6 + type: ip + - name: last_pc_scanned_date + type: date + - name: last_scan_datetime + type: date + - name: last_vm_auth_scanned_date + type: date + - name: last_vm_auth_scanned_duration + type: long + - name: last_vm_scanned_date + type: date + - name: last_vm_scanned_duration + type: long + - name: package_nested + type: nested + - name: package_nested.fixed_version + type: keyword + - name: package_nested.name + type: keyword + - name: package_nested.version + type: keyword + - name: vulnerability + type: group + fields: + - name: affect_running_kernel + type: keyword + - name: affect_running_service + type: keyword + - name: affect_exploitable_config + type: keyword + - name: asset_cve + type: keyword + - name: first_found_datetime + type: date + - name: first_reopened_datetime + type: date + - name: fqdn + type: keyword + - name: instance + type: keyword + - name: is_disabled + type: boolean + - name: is_ignored + type: boolean + - name: last_fixed_datetime + type: date + - name: last_found_datetime + type: date + - name: last_processed_datetime + type: date + - name: last_reopened_datetime + type: date + - name: last_test_datetime + type: date + - name: last_update_datetime + type: date + - name: port + type: long + - name: protocol + type: keyword 
+ - name: qds + type: group + fields: + - name: severity + type: keyword + - name: score + type: integer + - name: qds_factors + type: group + fields: + - name: name + type: keyword + - name: text + type: keyword + - name: qid + type: integer + - name: results + type: keyword + - name: service + type: keyword + - name: severity + type: long + - name: ssl + type: keyword + - name: status + type: keyword + - name: times_found + type: long + - name: times_reopened + type: long + - name: type + type: keyword + - name: unique_vuln_id + type: keyword + - name: metadata + type: group + fields: + - name: azure + type: group + fields: + - name: attribute + type: group + fields: + - name: last + type: group + fields: + - name: error + type: group + fields: + - name: value + type: keyword + - name: date + type: date + - name: status + type: keyword + - name: success_date + type: date + - name: name + type: keyword + - name: value + type: keyword + - name: ec2 + type: group + fields: + - name: attribute + type: group + fields: + - name: last + type: group + fields: + - name: error + type: group + fields: + - name: value + type: keyword + - name: date + type: date + - name: status + type: keyword + - name: success_date + type: date + - name: name + type: keyword + - name: value + type: keyword + - name: google + type: group + fields: + - name: attribute + type: group + fields: + - name: last + type: group + fields: + - name: error + type: group + fields: + - name: value + type: keyword + - name: date + type: date + - name: status + type: keyword + - name: success_date + type: date + - name: name + type: keyword + - name: value + type: keyword + - name: netbios + type: keyword + - name: network_id + type: keyword + - name: os + type: keyword + - name: os_cpe + type: keyword + - name: qg_hostid + type: keyword + - name: tags + type: group + fields: + - name: background_color + type: keyword + - name: color + type: keyword + - name: id + type: keyword + - name: name + type: 
keyword + - name: tracking_method + type: keyword + - name: knowledge_base + type: group + fields: + - name: automatic_pci_fail + type: keyword + - name: bugtraq_list + type: group + fields: + - name: id + type: keyword + - name: url + type: keyword + - name: category + type: keyword + - name: changelog_list + type: group + fields: + - name: info + type: group + fields: + - name: change_date + type: date + - name: comments + type: keyword + - name: compliance_list + type: group + fields: + - name: description + type: keyword + - name: section + type: keyword + - name: type + type: keyword + - name: consequence + type: group + fields: + - name: comment + type: keyword + - name: value + type: keyword + - name: correlation + type: group + fields: + - name: exploits + type: group + fields: + - name: explt_src + type: group + fields: + - name: list + type: group + fields: + - name: explt + type: group + fields: + - name: desc + type: keyword + - name: link + type: keyword + - name: ref + type: keyword + - name: name + type: keyword + - name: malware + type: group + fields: + - name: src + type: group + fields: + - name: list + type: group + fields: + - name: info + type: group + fields: + - name: alias + type: keyword + - name: id + type: keyword + - name: link + type: keyword + - name: platform + type: keyword + - name: rating + type: keyword + - name: type + type: keyword + - name: name + type: keyword + - name: cve_list + type: keyword + - name: cvss + type: group + fields: + - name: access + type: group + fields: + - name: complexity + type: keyword + - name: vector + type: keyword + - name: authentication + type: keyword + - name: base + type: keyword + - name: base_obj + type: flattened + - name: exploitability + type: keyword + - name: impact + type: group + fields: + - name: availability + type: keyword + - name: confidentiality + type: keyword + - name: integrity + type: keyword + - name: remediation_level + type: keyword + - name: report_confidence + type: 
keyword + - name: temporal + type: keyword + - name: vector_string + type: keyword + - name: cvss_v3 + type: group + fields: + - name: attack + type: group + fields: + - name: complexity + type: keyword + - name: vector + type: keyword + - name: base + type: keyword + - name: exploit_code_maturity + type: keyword + - name: impact + type: group + fields: + - name: availability + type: keyword + - name: confidentiality + type: keyword + - name: integrity + type: keyword + - name: privileges_required + type: keyword + - name: remediation_level + type: keyword + - name: report_confidence + type: keyword + - name: scope + type: keyword + - name: temporal + type: keyword + - name: user_interaction + type: keyword + - name: vector_string + type: keyword + - name: version + type: keyword + - name: detection_info + type: keyword + - name: diagnosis + type: group + fields: + - name: comment + type: match_only_text + - name: value + type: match_only_text + - name: discovery + type: group + fields: + - name: auth_type_list + type: group + fields: + - name: value + type: keyword + - name: additional_info + type: keyword + - name: remote + type: long + - name: error + type: keyword + - name: ids + type: keyword + - name: id_range + type: keyword + - name: is_disabled + type: boolean + - name: last + type: group + fields: + - name: customization + type: group + fields: + - name: datetime + type: date + - name: user_login + type: keyword + - name: service_modification_datetime + type: date + - name: patchable + type: boolean + - name: pci_flag + type: boolean + - name: pci_reasons + type: group + fields: + - name: value + type: keyword + - name: published_datetime + type: date + - name: patch_published_date + type: date + - name: qid + type: keyword + - name: severity_level + type: keyword + - name: software_list + type: group + fields: + - name: product + type: keyword + - name: vendor + type: keyword + - name: vendor_reference_list + type: group + fields: + - name: id + type: 
keyword + - name: url + type: keyword + - name: solution + type: group + fields: + - name: comment + type: match_only_text + - name: value + type: match_only_text + - name: supported_modules + type: keyword + - name: threat_intelligence + type: group + fields: + - name: intel + type: group + fields: + - name: id + type: keyword + - name: text + type: keyword + - name: title + type: keyword + - name: vuln_type + type: keyword diff --git a/packages/qualys_vmdr/elasticsearch/transform/latest_cdr_vulnerabilities/fields/package.yml b/packages/qualys_vmdr/elasticsearch/transform/latest_cdr_vulnerabilities/fields/package.yml new file mode 100644 index 00000000000..6878cdb24a6 --- /dev/null +++ b/packages/qualys_vmdr/elasticsearch/transform/latest_cdr_vulnerabilities/fields/package.yml @@ -0,0 +1,6 @@ +- name: package + type: group + fields: + # package.name, package.version are already part of ECS. + - name: fixed_version + type: keyword diff --git a/packages/qualys_vmdr/elasticsearch/transform/latest_cdr_vulnerabilities/fields/resource.yml b/packages/qualys_vmdr/elasticsearch/transform/latest_cdr_vulnerabilities/fields/resource.yml new file mode 100644 index 00000000000..425eb9530e9 --- /dev/null +++ b/packages/qualys_vmdr/elasticsearch/transform/latest_cdr_vulnerabilities/fields/resource.yml @@ -0,0 +1,7 @@ +- name: resource + type: group + fields: + - name: id + type: keyword + - name: name + type: keyword diff --git a/packages/qualys_vmdr/elasticsearch/transform/latest_cdr_vulnerabilities/fields/vulnerability.yml b/packages/qualys_vmdr/elasticsearch/transform/latest_cdr_vulnerabilities/fields/vulnerability.yml new file mode 100644 index 00000000000..f0198251655 --- /dev/null +++ b/packages/qualys_vmdr/elasticsearch/transform/latest_cdr_vulnerabilities/fields/vulnerability.yml 
@@ -0,0 +1,14 @@
+- name: vulnerability
+ type: group
+ fields:
+ - name: title
+ type: keyword
+ - name: package
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ - name: version
+ type: keyword
+ - name: fixed_version
+ type: keyword
diff --git a/packages/qualys_vmdr/elasticsearch/transform/latest_cdr_vulnerabilities/transform.yml b/packages/qualys_vmdr/elasticsearch/transform/latest_cdr_vulnerabilities/transform.yml
new file mode 100644
index 00000000000..0d7519dd66e
--- /dev/null
+++ b/packages/qualys_vmdr/elasticsearch/transform/latest_cdr_vulnerabilities/transform.yml
@@ -0,0 +1,30 @@
+source:
+ index:
+ - "logs-qualys_vmdr.asset_host_detection-*"
+dest:
+ index: "security_solution-qualys_vmdr.vulnerability_latest-v1"
+ aliases:
+ - alias: "security_solution-qualys_vmdr.vulnerability_latest"
+ move_on_creation: true
+latest:
+ unique_key:
+ - event.id
+ - resource.id
+ - data_stream.namespace
+ sort: "@timestamp"
+description: Latest Vulnerabilities Findings from Qualys VMDR
+settings:
+ unattended: true
+frequency: 5m
+sync:
+ time:
+ field: event.ingested
+retention_policy:
+ time:
+ field: "@timestamp"
+ max_age: 24h
+_meta:
+ managed: true
+ # Bump this version to delete, reinstall, and restart the transform during package.
+ # Version bump is needed if there is any code change in transform.
+ fleet_transform_version: 0.1.0
diff --git a/packages/qualys_vmdr/manifest.yml b/packages/qualys_vmdr/manifest.yml
index 84e5188d2b3..08d0bcccbdf 100644
--- a/packages/qualys_vmdr/manifest.yml
+++ b/packages/qualys_vmdr/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.2.3"
 name: qualys_vmdr
 title: Qualys VMDR
-version: "6.5.0"
+version: "6.6.0"
 description: Collect data from Qualys VMDR platform with Elastic Agent.
 type: integration
 categories:
@@ -9,7 +9,7 @@ categories:
 - vulnerability_management
 conditions:
 kibana:
- version: "^8.18.0 || ^9.0.0"
+ version: "^8.19.0 || ^9.1.0"
 elastic:
 subscription: basic
 screenshots:
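Review bot: `max_age: 24h` under `retention_policy` in transform.yml evicts every entry whose `@timestamp` is more than a day old, and the sample event in this same change shows `@timestamp` within seconds of `event.ingested`, so it looks like collection time rather than the Qualys detection time. If a deployment polls host detections less often than every 24 hours, findings will disappear from `security_solution-qualys_vmdr.vulnerability_latest` between polls and the "latest" view will silently under-report; at minimum document the constraint next to the setting, `# must exceed the host-detection collection interval, or findings are evicted between polls`, or size it from the input's interval. Separately, `unique_key` includes `resource.id`, and as far as I know a latest transform drops documents that lack one of the key fields from its composite buckets, so any detection the pipeline leaves without `resource.id` never reaches the destination index; worth confirming the pipeline always populates it, or keying on `event.id` plus `data_stream.namespace` alone if it is not guaranteed. Note also that `unattended: true` makes the transform retry indefinitely instead of failing on persistent errors, so gaps in the destination index will not surface as a failed transform state.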