From 280cfd00fade24ce3d87c98be9e23ac5cb60813a Mon Sep 17 00:00:00 2001
From: "Andrew D. Pease" <7442091+peasead@users.noreply.github.com>
Date: Mon, 7 Oct 2019 17:11:07 -0500
Subject: [PATCH 01/36] created vulnerability schema

---
 code/go/ecs/vulnerability.go | 108 ++
 docs/field-details.asciidoc | 208 ++++
 docs/fields.asciidoc | 2 +
 generated/beats/fields.ecs.yml | 857 +++++++++++++++
 generated/csv/fields.csv | 96 ++
 generated/ecs/ecs_flat.yml | 1316 ++++++++++++++++++++++
 generated/ecs/ecs_nested.yml | 1340 +++++++++++++++++++++++
 generated/elasticsearch/6/template.json | 520 +++++++++
 generated/elasticsearch/7/template.json | 520 +++++++++
 generated/legacy/template.json | 65 ++
 schema.json | 129 +++
 schemas/vulnerability.yml | 144 +++
 scripts/go.mod | 2 +
 13 files changed, 5307 insertions(+)
 create mode 100644 code/go/ecs/vulnerability.go
 create mode 100644 schemas/vulnerability.yml

diff --git a/code/go/ecs/vulnerability.go b/code/go/ecs/vulnerability.go
new file mode 100644
index 0000000000..6b077cbbc0
--- /dev/null
+++ b/code/go/ecs/vulnerability.go
@@ -0,0 +1,108 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// Code generated by scripts/gocodegen.go - DO NOT EDIT. + +package ecs + +import ( + "time" +) + +// The vulnerability fields describe information about a vulnerabilty that is +// relevant to an event. +// Fields can have one entry or multiple entries. +type Vulnerability struct { + // The Common Vulnerability Scoring System (CVSS) is an open framework for + // communicating the characteristics and severity of software + // vulnerabilities. Scores can range from 0.0 to 10.0, with 10.0 being the + // most severe. + // Base scores cover an assessment for exploitability metrics (attack + // vector, complexity, privileges, and user interaction), impact metrics + // (confidentialy, integrity, and availability), and scope. For example + // (ex. https://www.first.org/cvss/specification-document) + CvssScoreBase int64 `ecs:"cvss.score.base"` + + // The Common Vulnerability Scoring System (CVSS) is an open framework for + // communicating the characteristics and severity of software + // vulnerabilities. Scores can range from 0.0 to 10.0, with 10.0 being the + // most severe. 
+ // Temporal scores cover an assessment for code maturity, remediation + // level, and confidence. For example (ex. + // https://www.first.org/cvss/specification-document) + CvssScoreTemporal int64 `ecs:"cvss.score.temporal"` + + // The Common Vulnerability Scoring System (CVSS) is an open framework for + // communicating the characteristics and severity of software + // vulnerabilities. Scores can range from 0.0 to 10.0, with 10.0 being the + // most severe. + // Environmental scores cover an assessment for any modified Base metrics, + // confidentiality, integrity, and availability requirements. For example + // (ex. https://www.first.org/cvss/specification-document) + CvssScoreEvironmental int64 `ecs:"cvss.score.evironmental"` + + // The type of system or architecture that the vulnerability affects. These + // may be platform-specific (for example, Debian or SUSE) or general (for + // example, Database or Firewall). For example (ex. + // https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm) + Category string `ecs:"category"` + + // The Common Vulnerability and Exposures (CVE) list is an open source list + // for publicly known cybersecurity vulnerabilities providing an + // identification number, a description, and at least one public reference. + // The description of the vulnerability that provides additional context of + // the vulnerability. For example (ex. + // https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created) + CveDescription string `ecs:"cve.description"` + + // The Common Vulnerability and Exposures (CVE) list is an open source list + // for publicly known cybersecurity vulnerabilities providing an + // identification number, a description, and at least one public reference. + // The identification (ID) is the number portion of a CVE Entry. It + // includes the year the vulnerability ID was requested followed by a + // sequence number. CVE-YYYY-NNNNN. For example (ex. 
+ // https://cve.mitre.org/about/faqs.html#what_is_cve_id) + CveID string `ecs:"cve.id"` + + // The severity of the vulnerability can help with metrics and internal + // prioritization regarding remediation. For example (ex. + // https://nvd.nist.gov/vuln-metrics/cvss) + Severity string `ecs:"severity"` + + // The current status of the vulerability on the asset: + // New - The first time a vulnerability is detected by a scan the status is + // set to New. Active - A vulnerability detected by two or more scans is + // set to Active. Fixed - A vulnerability was verified by the most recent + // scan as fixed, and this vulnerability was detected by the previous scan. + // Re-Opened - A vulnerability was reopened by the most recent scan, and + // this vulnerability was verified as fixed by the previous scan. + // For example (ex. + // https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm) + Status string `ecs:"status"` + + // The first time that the vulnerability was observed on the asset. + DetectedFirst time.Time `ecs:"detected.first"` + + // The last time that the vulnerability was observed on the asset. + DetectedLast time.Time `ecs:"detected.last"` + + // The first time that the asset was scanned for vulnerabilities. + ScannedFirst time.Time `ecs:"scanned.first"` + + // The last time that the asset was scanned for vulnerabilities. + ScannedLast time.Time `ecs:"scanned.last"` +} diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index e5aa5f247f..2d69abc11b 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc @@ -387,6 +387,12 @@ example: `co.uk` // =============================================================== +| <> +| Fields to describe the vulnerabilty relevant to an event. + +// =============================================================== + + |===== [[ecs-cloud]] 
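Review bot: The three CVSS fields near the top of the `Vulnerability` struct (`CvssScoreBase`, `CvssScoreTemporal`, `CvssScoreEvironmental`) are typed `int64`, yet their own doc comments say scores range from 0.0 to 10.0 and the accompanying docs give `5.5, 6.6` as examples, so any real CVSS value would be truncated or rejected at ingest; these should be `float64` here (a `float` type in the schema, e.g. `CvssScoreBase float64 \`ecs:"cvss.score.base"\``). The environmental field also carries a spelling error in both the Go identifier and its struct tag `ecs:"cvss.score.evironmental"`, which becomes the indexed field name and is painful to rename once events exist; it should be `CvssScoreEnvironmental` with tag `ecs:"cvss.score.environmental"`. Because the file header states it is generated by scripts/gocodegen.go, both corrections belong in schemas/vulnerability.yml (not visible in this chunk) followed by regenerating, rather than hand-editing this file. The struct begins and ends within this hunk.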
@@ -2023,6 +2029,12 @@ example: `1325` // =============================================================== +| <> +| Fields to describe the vulnerabilty relevant to an event. + +// =============================================================== + + |===== [[ecs-http]] @@ -2638,6 +2650,12 @@ type: keyword // =============================================================== +| <> +| Fields to describe the vulnerabilty relevant to an event. + +// =============================================================== + + |===== [[ecs-organization]] @@ -2769,6 +2787,24 @@ Note also that the `os` fields are not expected to be used directly at the top l +[[ecs-os-nestings]] +===== Field sets that can be nested under Operating System + +[options="header"] +|===== +| Nested fields | Description + +// =============================================================== + + +| <> +| Fields to describe the vulnerabilty relevant to an event. + +// =============================================================== + + +|===== + [[ecs-package]] === Package Fields 
@@ -4106,3 +4142,175 @@ example: `12.0` |===== + +[[ecs-vulnerability]] +=== Vulnerability Fields + +The vulnerability fields describe information about a vulnerabilty that is relevant to an event. + +Fields can have one entry or multiple entries. + +==== Vulnerability Field Details + +[options="header"] +|===== +| Field | Description | Level + +// =============================================================== + +| vulnerability.category +| The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm) + +type: keyword + +example: `AIX, Firewall, Malware, Office Application, Solaris, Windows` + +| extended + +// =============================================================== + +| vulnerability.cve.description +| The Common Vulnerability and Exposures (CVE) list is an open source list for publicly known cybersecurity vulnerabilities providing an identification number, a description, and at least one public reference. + +The description of the vulnerability that provides additional context of the vulnerability. For example (ex. https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created) + +type: keyword + +example: `In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible to time-to-check-time-to-use bugs and would also allow one user of the system (who didn't have root access) to tamper with another's installs.` + +| extended + +// =============================================================== + +| vulnerability.cve.id +| The Common Vulnerability and Exposures (CVE) list is an open source list for publicly known cybersecurity vulnerabilities providing an identification number, a description, and at least one public reference. + +The identification (ID) is the number portion of a CVE Entry. 
It includes the year the vulnerability ID was requested followed by a sequence number. CVE-YYYY-NNNNN. For example (ex. https://cve.mitre.org/about/faqs.html#what_is_cve_id) + +type: keyword + +example: `CVE-2019-00001, CVE-2019-00002` + +| extended + +// =============================================================== + +| vulnerability.cvss.score.base +| The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + +Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentialy, integrity, and availability), and scope. For example (ex. https://www.first.org/cvss/specification-document) + +type: long + +example: `5.5, 6.6` + +| extended + +// =============================================================== + +| vulnerability.cvss.score.evironmental +| The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + +Environmental scores cover an assessment for any modified Base metrics, confidentiality, integrity, and availability requirements. For example (ex. https://www.first.org/cvss/specification-document) + +type: long + +example: `5.5, 6.6` + +| extended + +// =============================================================== + +| vulnerability.cvss.score.temporal +| The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + +Temporal scores cover an assessment for code maturity, remediation level, and confidence. For example (ex. 
https://www.first.org/cvss/specification-document) + +type: long + +example: `5.5, 6.6` + +| extended + +// =============================================================== + +| vulnerability.detected.first +| The first time that the vulnerability was observed on the asset. + +type: date + +example: `YYYY-MM-DD-HH-MM` + +| extended + +// =============================================================== + +| vulnerability.detected.last +| The last time that the vulnerability was observed on the asset. + +type: date + +example: `YYYY-MM-DD-HH-MM` + +| extended + +// =============================================================== + +| vulnerability.scanned.first +| The first time that the asset was scanned for vulnerabilities. + +type: date + +example: `YYYY-MM-DD-HH-MM` + +| extended + +// =============================================================== + +| vulnerability.scanned.last +| The last time that the asset was scanned for vulnerabilities. + +type: date + +example: `YYYY-MM-DD-HH-MM` + +| extended + +// =============================================================== + +| vulnerability.severity +| The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (ex. https://nvd.nist.gov/vuln-metrics/cvss) + +type: keyword + +example: `Critical, High, Medium, Low, None` + +| extended + +// =============================================================== + +| vulnerability.status +| The current status of the vulerability on the asset: + +New - The first time a vulnerability is detected by a scan the status is set to New. Active - A vulnerability detected by two or more scans is set to Active. Fixed - A vulnerability was verified by the most recent scan as fixed, and this vulnerability was detected by the previous scan. Re-Opened - A vulnerability was reopened by the most recent scan, and this vulnerability was verified as fixed by the previous scan. + +For example (ex. 
https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm) + +type: keyword + +example: `New, Active, Fixed, Re-Opened` + +| extended + +// =============================================================== + +|===== + +==== Field Reuse + +The `vulnerability` fields are expected to be nested at: `client.vulnerability`, `host.vulnerability`, `observer.vulnerability`, `os.vulnerability`. + +Note also that the `vulnerability` fields may be used directly at the top level. + + + diff --git a/docs/fields.asciidoc b/docs/fields.asciidoc index 074bcbb837..1072ef7cf9 100644 --- a/docs/fields.asciidoc +++ b/docs/fields.asciidoc @@ -84,6 +84,8 @@ all fields are defined. | <> | Fields to describe a browser user_agent string. +| <> | Fields to describe the vulnerabilty relevant to an event. + |===== include::field-details.asciidoc[] diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index b95ae54007..c9ce425bbf 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml 
@@ -352,6 +352,112 @@ ignore_above: 1024 description: Short name or login of the user. example: albert + - name: vulnerability.category + level: extended + type: keyword + ignore_above: 1024 + description: The type of system or architecture that the vulnerability affects. + These may be platform-specific (for example, Debian or SUSE) or general (for + example, Database or Firewall). For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm) + example: AIX, Firewall, Malware, Office Application, Solaris, Windows + - name: vulnerability.cve.description + level: extended + type: keyword + ignore_above: 1024 + description: 'The Common Vulnerability and Exposures (CVE) list is an open source + list for publicly known cybersecurity vulnerabilities providing an identification + number, a description, and at least one public reference. + + The description of the vulnerability that provides additional context of the + vulnerability. For example (ex. https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created)' + example: In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible + to time-to-check-time-to-use bugs and would also allow one user of the system + (who didn't have root access) to tamper with another's installs. + - name: vulnerability.cve.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The Common Vulnerability and Exposures (CVE) list is an open source + list for publicly known cybersecurity vulnerabilities providing an identification + number, a description, and at least one public reference. + + The identification (ID) is the number portion of a CVE Entry. It includes + the year the vulnerability ID was requested followed by a sequence number. + CVE-YYYY-NNNNN. For example (ex. 
https://cve.mitre.org/about/faqs.html#what_is_cve_id)' + example: CVE-2019-00001, CVE-2019-00002 + - name: vulnerability.cvss.score.base + level: extended + type: long + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Base scores cover an assessment for exploitability metrics (attack vector, + complexity, privileges, and user interaction), impact metrics (confidentialy, + integrity, and availability), and scope. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + - name: vulnerability.cvss.score.evironmental + level: extended + type: long + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Environmental scores cover an assessment for any modified Base metrics, confidentiality, + integrity, and availability requirements. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + - name: vulnerability.cvss.score.temporal + level: extended + type: long + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Temporal scores cover an assessment for code maturity, remediation level, + and confidence. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + - name: vulnerability.detected.first + level: extended + type: date + description: The first time that the vulnerability was observed on the asset. 
+ example: YYYY-MM-DD-HH-MM + - name: vulnerability.detected.last + level: extended + type: date + description: The last time that the vulnerability was observed on the asset. + example: YYYY-MM-DD-HH-MM + - name: vulnerability.scanned.first + level: extended + type: date + description: The first time that the asset was scanned for vulnerabilities. + example: YYYY-MM-DD-HH-MM + - name: vulnerability.scanned.last + level: extended + type: date + description: The last time that the asset was scanned for vulnerabilities. + example: YYYY-MM-DD-HH-MM + - name: vulnerability.severity + level: extended + type: keyword + ignore_above: 1024 + description: The severity of the vulnerability can help with metrics and internal + prioritization regarding remediation. For example (ex. https://nvd.nist.gov/vuln-metrics/cvss) + example: Critical, High, Medium, Low, None + - name: vulnerability.status + level: extended + type: keyword + ignore_above: 1024 + description: 'The current status of the vulerability on the asset: + + New - The first time a vulnerability is detected by a scan the status is set + to New. Active - A vulnerability detected by two or more scans is set to Active. + Fixed - A vulnerability was verified by the most recent scan as fixed, and + this vulnerability was detected by the previous scan. Re-Opened - A vulnerability + was reopened by the most recent scan, and this vulnerability was verified + as fixed by the previous scan. + + For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)' + example: New, Active, Fixed, Re-Opened - name: cloud title: Cloud group: 2 
@@ -1493,6 +1599,112 @@ ignore_above: 1024 description: Operating system version as a raw string. example: 10.14.1 + - name: os.vulnerability.category + level: extended + type: keyword + ignore_above: 1024 + description: The type of system or architecture that the vulnerability affects. + These may be platform-specific (for example, Debian or SUSE) or general (for + example, Database or Firewall). For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm) + example: AIX, Firewall, Malware, Office Application, Solaris, Windows + - name: os.vulnerability.cve.description + level: extended + type: keyword + ignore_above: 1024 + description: 'The Common Vulnerability and Exposures (CVE) list is an open source + list for publicly known cybersecurity vulnerabilities providing an identification + number, a description, and at least one public reference. + + The description of the vulnerability that provides additional context of the + vulnerability. For example (ex. https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created)' + example: In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible + to time-to-check-time-to-use bugs and would also allow one user of the system + (who didn't have root access) to tamper with another's installs. + - name: os.vulnerability.cve.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The Common Vulnerability and Exposures (CVE) list is an open source + list for publicly known cybersecurity vulnerabilities providing an identification + number, a description, and at least one public reference. + + The identification (ID) is the number portion of a CVE Entry. It includes + the year the vulnerability ID was requested followed by a sequence number. + CVE-YYYY-NNNNN. For example (ex. 
https://cve.mitre.org/about/faqs.html#what_is_cve_id)' + example: CVE-2019-00001, CVE-2019-00002 + - name: os.vulnerability.cvss.score.base + level: extended + type: long + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Base scores cover an assessment for exploitability metrics (attack vector, + complexity, privileges, and user interaction), impact metrics (confidentialy, + integrity, and availability), and scope. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + - name: os.vulnerability.cvss.score.evironmental + level: extended + type: long + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Environmental scores cover an assessment for any modified Base metrics, confidentiality, + integrity, and availability requirements. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + - name: os.vulnerability.cvss.score.temporal + level: extended + type: long + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Temporal scores cover an assessment for code maturity, remediation level, + and confidence. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + - name: os.vulnerability.detected.first + level: extended + type: date + description: The first time that the vulnerability was observed on the asset. 
+ example: YYYY-MM-DD-HH-MM + - name: os.vulnerability.detected.last + level: extended + type: date + description: The last time that the vulnerability was observed on the asset. + example: YYYY-MM-DD-HH-MM + - name: os.vulnerability.scanned.first + level: extended + type: date + description: The first time that the asset was scanned for vulnerabilities. + example: YYYY-MM-DD-HH-MM + - name: os.vulnerability.scanned.last + level: extended + type: date + description: The last time that the asset was scanned for vulnerabilities. + example: YYYY-MM-DD-HH-MM + - name: os.vulnerability.severity + level: extended + type: keyword + ignore_above: 1024 + description: The severity of the vulnerability can help with metrics and internal + prioritization regarding remediation. For example (ex. https://nvd.nist.gov/vuln-metrics/cvss) + example: Critical, High, Medium, Low, None + - name: os.vulnerability.status + level: extended + type: keyword + ignore_above: 1024 + description: 'The current status of the vulerability on the asset: + + New - The first time a vulnerability is detected by a scan the status is set + to New. Active - A vulnerability detected by two or more scans is set to Active. + Fixed - A vulnerability was verified by the most recent scan as fixed, and + this vulnerability was detected by the previous scan. Re-Opened - A vulnerability + was reopened by the most recent scan, and this vulnerability was verified + as fixed by the previous scan. + + For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)' + example: New, Active, Fixed, Re-Opened - name: type level: core type: keyword 
@@ -1562,6 +1774,112 @@ ignore_above: 1024 description: Short name or login of the user. example: albert + - name: vulnerability.category + level: extended + type: keyword + ignore_above: 1024 + description: The type of system or architecture that the vulnerability affects. + These may be platform-specific (for example, Debian or SUSE) or general (for + example, Database or Firewall). For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm) + example: AIX, Firewall, Malware, Office Application, Solaris, Windows + - name: vulnerability.cve.description + level: extended + type: keyword + ignore_above: 1024 + description: 'The Common Vulnerability and Exposures (CVE) list is an open source + list for publicly known cybersecurity vulnerabilities providing an identification + number, a description, and at least one public reference. + + The description of the vulnerability that provides additional context of the + vulnerability. For example (ex. https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created)' + example: In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible + to time-to-check-time-to-use bugs and would also allow one user of the system + (who didn't have root access) to tamper with another's installs. + - name: vulnerability.cve.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The Common Vulnerability and Exposures (CVE) list is an open source + list for publicly known cybersecurity vulnerabilities providing an identification + number, a description, and at least one public reference. + + The identification (ID) is the number portion of a CVE Entry. It includes + the year the vulnerability ID was requested followed by a sequence number. + CVE-YYYY-NNNNN. For example (ex. 
https://cve.mitre.org/about/faqs.html#what_is_cve_id)' + example: CVE-2019-00001, CVE-2019-00002 + - name: vulnerability.cvss.score.base + level: extended + type: long + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Base scores cover an assessment for exploitability metrics (attack vector, + complexity, privileges, and user interaction), impact metrics (confidentialy, + integrity, and availability), and scope. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + - name: vulnerability.cvss.score.evironmental + level: extended + type: long + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Environmental scores cover an assessment for any modified Base metrics, confidentiality, + integrity, and availability requirements. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + - name: vulnerability.cvss.score.temporal + level: extended + type: long + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Temporal scores cover an assessment for code maturity, remediation level, + and confidence. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + - name: vulnerability.detected.first + level: extended + type: date + description: The first time that the vulnerability was observed on the asset. 
+ example: YYYY-MM-DD-HH-MM + - name: vulnerability.detected.last + level: extended + type: date + description: The last time that the vulnerability was observed on the asset. + example: YYYY-MM-DD-HH-MM + - name: vulnerability.scanned.first + level: extended + type: date + description: The first time that the asset was scanned for vulnerabilities. + example: YYYY-MM-DD-HH-MM + - name: vulnerability.scanned.last + level: extended + type: date + description: The last time that the asset was scanned for vulnerabilities. + example: YYYY-MM-DD-HH-MM + - name: vulnerability.severity + level: extended + type: keyword + ignore_above: 1024 + description: The severity of the vulnerability can help with metrics and internal + prioritization regarding remediation. For example (ex. https://nvd.nist.gov/vuln-metrics/cvss) + example: Critical, High, Medium, Low, None + - name: vulnerability.status + level: extended + type: keyword + ignore_above: 1024 + description: 'The current status of the vulerability on the asset: + + New - The first time a vulnerability is detected by a scan the status is set + to New. Active - A vulnerability detected by two or more scans is set to Active. + Fixed - A vulnerability was verified by the most recent scan as fixed, and + this vulnerability was detected by the previous scan. Re-Opened - A vulnerability + was reopened by the most recent scan, and this vulnerability was verified + as fixed by the previous scan. + + For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)' + example: New, Active, Fixed, Re-Opened - name: http title: HTTP group: 2 
@@ -1989,6 +2307,112 @@ ignore_above: 1024 description: Operating system version as a raw string. example: 10.14.1 + - name: os.vulnerability.category + level: extended + type: keyword + ignore_above: 1024 + description: The type of system or architecture that the vulnerability affects. + These may be platform-specific (for example, Debian or SUSE) or general (for + example, Database or Firewall). For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm) + example: AIX, Firewall, Malware, Office Application, Solaris, Windows + - name: os.vulnerability.cve.description + level: extended + type: keyword + ignore_above: 1024 + description: 'The Common Vulnerability and Exposures (CVE) list is an open source + list for publicly known cybersecurity vulnerabilities providing an identification + number, a description, and at least one public reference. + + The description of the vulnerability that provides additional context of the + vulnerability. For example (ex. https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created)' + example: In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible + to time-to-check-time-to-use bugs and would also allow one user of the system + (who didn't have root access) to tamper with another's installs. + - name: os.vulnerability.cve.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The Common Vulnerability and Exposures (CVE) list is an open source + list for publicly known cybersecurity vulnerabilities providing an identification + number, a description, and at least one public reference. + + The identification (ID) is the number portion of a CVE Entry. It includes + the year the vulnerability ID was requested followed by a sequence number. + CVE-YYYY-NNNNN. For example (ex. 
https://cve.mitre.org/about/faqs.html#what_is_cve_id)' + example: CVE-2019-00001, CVE-2019-00002 + - name: os.vulnerability.cvss.score.base + level: extended + type: long + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Base scores cover an assessment for exploitability metrics (attack vector, + complexity, privileges, and user interaction), impact metrics (confidentialy, + integrity, and availability), and scope. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + - name: os.vulnerability.cvss.score.evironmental + level: extended + type: long + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Environmental scores cover an assessment for any modified Base metrics, confidentiality, + integrity, and availability requirements. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + - name: os.vulnerability.cvss.score.temporal + level: extended + type: long + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Temporal scores cover an assessment for code maturity, remediation level, + and confidence. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + - name: os.vulnerability.detected.first + level: extended + type: date + description: The first time that the vulnerability was observed on the asset. 
+ example: YYYY-MM-DD-HH-MM + - name: os.vulnerability.detected.last + level: extended + type: date + description: The last time that the vulnerability was observed on the asset. + example: YYYY-MM-DD-HH-MM + - name: os.vulnerability.scanned.first + level: extended + type: date + description: The first time that the asset was scanned for vulnerabilities. + example: YYYY-MM-DD-HH-MM + - name: os.vulnerability.scanned.last + level: extended + type: date + description: The last time that the asset was scanned for vulnerabilities. + example: YYYY-MM-DD-HH-MM + - name: os.vulnerability.severity + level: extended + type: keyword + ignore_above: 1024 + description: The severity of the vulnerability can help with metrics and internal + prioritization regarding remediation. For example (ex. https://nvd.nist.gov/vuln-metrics/cvss) + example: Critical, High, Medium, Low, None + - name: os.vulnerability.status + level: extended + type: keyword + ignore_above: 1024 + description: 'The current status of the vulerability on the asset: + + New - The first time a vulnerability is detected by a scan the status is set + to New. Active - A vulnerability detected by two or more scans is set to Active. + Fixed - A vulnerability was verified by the most recent scan as fixed, and + this vulnerability was detected by the previous scan. Re-Opened - A vulnerability + was reopened by the most recent scan, and this vulnerability was verified + as fixed by the previous scan. + + For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)' + example: New, Active, Fixed, Re-Opened - name: product level: extended type: keyword 
@@ -2020,6 +2444,112 @@ type: keyword ignore_above: 1024 description: Observer version. + - name: vulnerability.category + level: extended + type: keyword + ignore_above: 1024 + description: The type of system or architecture that the vulnerability affects. + These may be platform-specific (for example, Debian or SUSE) or general (for + example, Database or Firewall). For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm) + example: AIX, Firewall, Malware, Office Application, Solaris, Windows + - name: vulnerability.cve.description + level: extended + type: keyword + ignore_above: 1024 + description: 'The Common Vulnerability and Exposures (CVE) list is an open source + list for publicly known cybersecurity vulnerabilities providing an identification + number, a description, and at least one public reference. + + The description of the vulnerability that provides additional context of the + vulnerability. For example (ex. https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created)' + example: In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible + to time-to-check-time-to-use bugs and would also allow one user of the system + (who didn't have root access) to tamper with another's installs. + - name: vulnerability.cve.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The Common Vulnerability and Exposures (CVE) list is an open source + list for publicly known cybersecurity vulnerabilities providing an identification + number, a description, and at least one public reference. + + The identification (ID) is the number portion of a CVE Entry. It includes + the year the vulnerability ID was requested followed by a sequence number. + CVE-YYYY-NNNNN. For example (ex. 
https://cve.mitre.org/about/faqs.html#what_is_cve_id)' + example: CVE-2019-00001, CVE-2019-00002 + - name: vulnerability.cvss.score.base + level: extended + type: long + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Base scores cover an assessment for exploitability metrics (attack vector, + complexity, privileges, and user interaction), impact metrics (confidentialy, + integrity, and availability), and scope. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + - name: vulnerability.cvss.score.evironmental + level: extended + type: long + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Environmental scores cover an assessment for any modified Base metrics, confidentiality, + integrity, and availability requirements. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + - name: vulnerability.cvss.score.temporal + level: extended + type: long + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Temporal scores cover an assessment for code maturity, remediation level, + and confidence. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + - name: vulnerability.detected.first + level: extended + type: date + description: The first time that the vulnerability was observed on the asset. 
+ example: YYYY-MM-DD-HH-MM + - name: vulnerability.detected.last + level: extended + type: date + description: The last time that the vulnerability was observed on the asset. + example: YYYY-MM-DD-HH-MM + - name: vulnerability.scanned.first + level: extended + type: date + description: The first time that the asset was scanned for vulnerabilities. + example: YYYY-MM-DD-HH-MM + - name: vulnerability.scanned.last + level: extended + type: date + description: The last time that the asset was scanned for vulnerabilities. + example: YYYY-MM-DD-HH-MM + - name: vulnerability.severity + level: extended + type: keyword + ignore_above: 1024 + description: The severity of the vulnerability can help with metrics and internal + prioritization regarding remediation. For example (ex. https://nvd.nist.gov/vuln-metrics/cvss) + example: Critical, High, Medium, Low, None + - name: vulnerability.status + level: extended + type: keyword + ignore_above: 1024 + description: 'The current status of the vulerability on the asset: + + New - The first time a vulnerability is detected by a scan the status is set + to New. Active - A vulnerability detected by two or more scans is set to Active. + Fixed - A vulnerability was verified by the most recent scan as fixed, and + this vulnerability was detected by the previous scan. Re-Opened - A vulnerability + was reopened by the most recent scan, and this vulnerability was verified + as fixed by the previous scan. + + For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)' + example: New, Active, Fixed, Re-Opened - name: organization title: Organization group: 2 
@@ -2082,6 +2612,112 @@ ignore_above: 1024 description: Operating system version as a raw string. example: 10.14.1 + - name: vulnerability.category + level: extended + type: keyword + ignore_above: 1024 + description: The type of system or architecture that the vulnerability affects. + These may be platform-specific (for example, Debian or SUSE) or general (for + example, Database or Firewall). For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm) + example: AIX, Firewall, Malware, Office Application, Solaris, Windows + - name: vulnerability.cve.description + level: extended + type: keyword + ignore_above: 1024 + description: 'The Common Vulnerability and Exposures (CVE) list is an open source + list for publicly known cybersecurity vulnerabilities providing an identification + number, a description, and at least one public reference. + + The description of the vulnerability that provides additional context of the + vulnerability. For example (ex. https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created)' + example: In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible + to time-to-check-time-to-use bugs and would also allow one user of the system + (who didn't have root access) to tamper with another's installs. + - name: vulnerability.cve.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The Common Vulnerability and Exposures (CVE) list is an open source + list for publicly known cybersecurity vulnerabilities providing an identification + number, a description, and at least one public reference. + + The identification (ID) is the number portion of a CVE Entry. It includes + the year the vulnerability ID was requested followed by a sequence number. + CVE-YYYY-NNNNN. For example (ex. 
https://cve.mitre.org/about/faqs.html#what_is_cve_id)' + example: CVE-2019-00001, CVE-2019-00002 + - name: vulnerability.cvss.score.base + level: extended + type: long + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Base scores cover an assessment for exploitability metrics (attack vector, + complexity, privileges, and user interaction), impact metrics (confidentialy, + integrity, and availability), and scope. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + - name: vulnerability.cvss.score.evironmental + level: extended + type: long + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Environmental scores cover an assessment for any modified Base metrics, confidentiality, + integrity, and availability requirements. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + - name: vulnerability.cvss.score.temporal + level: extended + type: long + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Temporal scores cover an assessment for code maturity, remediation level, + and confidence. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + - name: vulnerability.detected.first + level: extended + type: date + description: The first time that the vulnerability was observed on the asset. 
+ example: YYYY-MM-DD-HH-MM + - name: vulnerability.detected.last + level: extended + type: date + description: The last time that the vulnerability was observed on the asset. + example: YYYY-MM-DD-HH-MM + - name: vulnerability.scanned.first + level: extended + type: date + description: The first time that the asset was scanned for vulnerabilities. + example: YYYY-MM-DD-HH-MM + - name: vulnerability.scanned.last + level: extended + type: date + description: The last time that the asset was scanned for vulnerabilities. + example: YYYY-MM-DD-HH-MM + - name: vulnerability.severity + level: extended + type: keyword + ignore_above: 1024 + description: The severity of the vulnerability can help with metrics and internal + prioritization regarding remediation. For example (ex. https://nvd.nist.gov/vuln-metrics/cvss) + example: Critical, High, Medium, Low, None + - name: vulnerability.status + level: extended + type: keyword + ignore_above: 1024 + description: 'The current status of the vulerability on the asset: + + New - The first time a vulnerability is detected by a scan the status is set + to New. Active - A vulnerability detected by two or more scans is set to Active. + Fixed - A vulnerability was verified by the most recent scan as fixed, and + this vulnerability was detected by the previous scan. Re-Opened - A vulnerability + was reopened by the most recent scan, and this vulnerability was verified + as fixed by the previous scan. + + For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)' + example: New, Active, Fixed, Re-Opened - name: package title: Package group: 2 
@@ -3141,9 +3777,230 @@ ignore_above: 1024 description: Operating system version as a raw string. example: 10.14.1 + - name: os.vulnerability.category + level: extended + type: keyword + ignore_above: 1024 + description: The type of system or architecture that the vulnerability affects. + These may be platform-specific (for example, Debian or SUSE) or general (for + example, Database or Firewall). For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm) + example: AIX, Firewall, Malware, Office Application, Solaris, Windows + - name: os.vulnerability.cve.description + level: extended + type: keyword + ignore_above: 1024 + description: 'The Common Vulnerability and Exposures (CVE) list is an open source + list for publicly known cybersecurity vulnerabilities providing an identification + number, a description, and at least one public reference. + + The description of the vulnerability that provides additional context of the + vulnerability. For example (ex. https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created)' + example: In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible + to time-to-check-time-to-use bugs and would also allow one user of the system + (who didn't have root access) to tamper with another's installs. + - name: os.vulnerability.cve.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The Common Vulnerability and Exposures (CVE) list is an open source + list for publicly known cybersecurity vulnerabilities providing an identification + number, a description, and at least one public reference. + + The identification (ID) is the number portion of a CVE Entry. It includes + the year the vulnerability ID was requested followed by a sequence number. + CVE-YYYY-NNNNN. For example (ex. 
https://cve.mitre.org/about/faqs.html#what_is_cve_id)' + example: CVE-2019-00001, CVE-2019-00002 + - name: os.vulnerability.cvss.score.base + level: extended + type: long + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Base scores cover an assessment for exploitability metrics (attack vector, + complexity, privileges, and user interaction), impact metrics (confidentialy, + integrity, and availability), and scope. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + - name: os.vulnerability.cvss.score.evironmental + level: extended + type: long + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Environmental scores cover an assessment for any modified Base metrics, confidentiality, + integrity, and availability requirements. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + - name: os.vulnerability.cvss.score.temporal + level: extended + type: long + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Temporal scores cover an assessment for code maturity, remediation level, + and confidence. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + - name: os.vulnerability.detected.first + level: extended + type: date + description: The first time that the vulnerability was observed on the asset. 
+ example: YYYY-MM-DD-HH-MM + - name: os.vulnerability.detected.last + level: extended + type: date + description: The last time that the vulnerability was observed on the asset. + example: YYYY-MM-DD-HH-MM + - name: os.vulnerability.scanned.first + level: extended + type: date + description: The first time that the asset was scanned for vulnerabilities. + example: YYYY-MM-DD-HH-MM + - name: os.vulnerability.scanned.last + level: extended + type: date + description: The last time that the asset was scanned for vulnerabilities. + example: YYYY-MM-DD-HH-MM + - name: os.vulnerability.severity + level: extended + type: keyword + ignore_above: 1024 + description: The severity of the vulnerability can help with metrics and internal + prioritization regarding remediation. For example (ex. https://nvd.nist.gov/vuln-metrics/cvss) + example: Critical, High, Medium, Low, None + - name: os.vulnerability.status + level: extended + type: keyword + ignore_above: 1024 + description: 'The current status of the vulerability on the asset: + + New - The first time a vulnerability is detected by a scan the status is set + to New. Active - A vulnerability detected by two or more scans is set to Active. + Fixed - A vulnerability was verified by the most recent scan as fixed, and + this vulnerability was detected by the previous scan. Re-Opened - A vulnerability + was reopened by the most recent scan, and this vulnerability was verified + as fixed by the previous scan. + + For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)' + example: New, Active, Fixed, Re-Opened - name: version level: extended type: keyword ignore_above: 1024 description: Version of the user agent. example: 12.0 + - name: vulnerability + title: Vulnerability + group: 2 + description: 'The vulnerability fields describe information about a vulnerabilty + that is relevant to an event. + + Fields can have one entry or multiple entries.' 
+ type: group + fields: + - name: category + level: extended + type: keyword + ignore_above: 1024 + description: The type of system or architecture that the vulnerability affects. + These may be platform-specific (for example, Debian or SUSE) or general (for + example, Database or Firewall). For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm) + example: AIX, Firewall, Malware, Office Application, Solaris, Windows + - name: cve.description + level: extended + type: keyword + ignore_above: 1024 + description: 'The Common Vulnerability and Exposures (CVE) list is an open source + list for publicly known cybersecurity vulnerabilities providing an identification + number, a description, and at least one public reference. + + The description of the vulnerability that provides additional context of the + vulnerability. For example (ex. https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created)' + example: In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible + to time-to-check-time-to-use bugs and would also allow one user of the system + (who didn't have root access) to tamper with another's installs. + - name: cve.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The Common Vulnerability and Exposures (CVE) list is an open source + list for publicly known cybersecurity vulnerabilities providing an identification + number, a description, and at least one public reference. + + The identification (ID) is the number portion of a CVE Entry. It includes + the year the vulnerability ID was requested followed by a sequence number. + CVE-YYYY-NNNNN. For example (ex. 
https://cve.mitre.org/about/faqs.html#what_is_cve_id)' + example: CVE-2019-00001, CVE-2019-00002 + - name: cvss.score.base + level: extended + type: long + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Base scores cover an assessment for exploitability metrics (attack vector, + complexity, privileges, and user interaction), impact metrics (confidentialy, + integrity, and availability), and scope. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + - name: cvss.score.evironmental + level: extended + type: long + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Environmental scores cover an assessment for any modified Base metrics, confidentiality, + integrity, and availability requirements. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + - name: cvss.score.temporal + level: extended + type: long + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Temporal scores cover an assessment for code maturity, remediation level, + and confidence. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + - name: detected.first + level: extended + type: date + description: The first time that the vulnerability was observed on the asset. + example: YYYY-MM-DD-HH-MM + - name: detected.last + level: extended + type: date + description: The last time that the vulnerability was observed on the asset. 
+ example: YYYY-MM-DD-HH-MM + - name: scanned.first + level: extended + type: date + description: The first time that the asset was scanned for vulnerabilities. + example: YYYY-MM-DD-HH-MM + - name: scanned.last + level: extended + type: date + description: The last time that the asset was scanned for vulnerabilities. + example: YYYY-MM-DD-HH-MM + - name: severity + level: extended + type: keyword + ignore_above: 1024 + description: The severity of the vulnerability can help with metrics and internal + prioritization regarding remediation. For example (ex. https://nvd.nist.gov/vuln-metrics/cvss) + example: Critical, High, Medium, Low, None + - name: status + level: extended + type: keyword + ignore_above: 1024 + description: 'The current status of the vulerability on the asset: + + New - The first time a vulnerability is detected by a scan the status is set + to New. Active - A vulnerability detected by two or more scans is set to Active. + Fixed - A vulnerability was verified by the most recent scan as fixed, and + this vulnerability was detected by the previous scan. Re-Opened - A vulnerability + was reopened by the most recent scan, and this vulnerability was verified + as fixed by the previous scan. + + For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)' + example: New, Active, Fixed, Re-Opened diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 9859650b83..3bc28e7f14 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -40,6 +40,18 @@ client.user.group.name,keyword,extended,,1.2.0-dev client.user.hash,keyword,extended,,1.2.0-dev client.user.id,keyword,core,,1.2.0-dev client.user.name,keyword,core,albert,1.2.0-dev +client.vulnerability.category,keyword,extended,"AIX, Firewall, Malware, Office Application, Solaris, Windows",1.2.0-dev +client.vulnerability.cve.description,keyword,extended,"In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible to time-to-check-time-to-use bugs and would also allow one user of the system (who didn't have root access) to tamper with another's installs.",1.2.0-dev +client.vulnerability.cve.id,keyword,extended,"CVE-2019-00001, CVE-2019-00002",1.2.0-dev +client.vulnerability.cvss.score.base,long,extended,"5.5, 6.6",1.2.0-dev +client.vulnerability.cvss.score.evironmental,long,extended,"5.5, 6.6",1.2.0-dev +client.vulnerability.cvss.score.temporal,long,extended,"5.5, 6.6",1.2.0-dev +client.vulnerability.detected.first,date,extended,YYYY-MM-DD-HH-MM,1.2.0-dev +client.vulnerability.detected.last,date,extended,YYYY-MM-DD-HH-MM,1.2.0-dev +client.vulnerability.scanned.first,date,extended,YYYY-MM-DD-HH-MM,1.2.0-dev +client.vulnerability.scanned.last,date,extended,YYYY-MM-DD-HH-MM,1.2.0-dev +client.vulnerability.severity,keyword,extended,"Critical, High, Medium, Low, None",1.2.0-dev +client.vulnerability.status,keyword,extended,"New, Active, Fixed, Re-Opened",1.2.0-dev cloud.account.id,keyword,extended,666777888999,1.2.0-dev cloud.availability_zone,keyword,extended,us-east-1c,1.2.0-dev cloud.instance.id,keyword,extended,i-1234567890abcdef0,1.2.0-dev 
@@ -185,6 +197,18 @@ host.os.kernel,keyword,extended,4.4.0-112-generic,1.2.0-dev host.os.name,keyword,extended,Mac OS X,1.2.0-dev host.os.platform,keyword,extended,darwin,1.2.0-dev host.os.version,keyword,extended,10.14.1,1.2.0-dev +host.os.vulnerability.category,keyword,extended,"AIX, Firewall, Malware, Office Application, Solaris, Windows",1.2.0-dev +host.os.vulnerability.cve.description,keyword,extended,"In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible to time-to-check-time-to-use bugs and would also allow one user of the system (who didn't have root access) to tamper with another's installs.",1.2.0-dev +host.os.vulnerability.cve.id,keyword,extended,"CVE-2019-00001, CVE-2019-00002",1.2.0-dev +host.os.vulnerability.cvss.score.base,long,extended,"5.5, 6.6",1.2.0-dev +host.os.vulnerability.cvss.score.evironmental,long,extended,"5.5, 6.6",1.2.0-dev +host.os.vulnerability.cvss.score.temporal,long,extended,"5.5, 6.6",1.2.0-dev +host.os.vulnerability.detected.first,date,extended,YYYY-MM-DD-HH-MM,1.2.0-dev +host.os.vulnerability.detected.last,date,extended,YYYY-MM-DD-HH-MM,1.2.0-dev +host.os.vulnerability.scanned.first,date,extended,YYYY-MM-DD-HH-MM,1.2.0-dev +host.os.vulnerability.scanned.last,date,extended,YYYY-MM-DD-HH-MM,1.2.0-dev +host.os.vulnerability.severity,keyword,extended,"Critical, High, Medium, Low, None",1.2.0-dev +host.os.vulnerability.status,keyword,extended,"New, Active, Fixed, Re-Opened",1.2.0-dev host.type,keyword,core,,1.2.0-dev host.uptime,long,extended,1325,1.2.0-dev host.user.domain,keyword,extended,,1.2.0-dev 
@@ -196,6 +220,18 @@ host.user.group.name,keyword,extended,,1.2.0-dev host.user.hash,keyword,extended,,1.2.0-dev host.user.id,keyword,core,,1.2.0-dev host.user.name,keyword,core,albert,1.2.0-dev +host.vulnerability.category,keyword,extended,"AIX, Firewall, Malware, Office Application, Solaris, Windows",1.2.0-dev +host.vulnerability.cve.description,keyword,extended,"In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible to time-to-check-time-to-use bugs and would also allow one user of the system (who didn't have root access) to tamper with another's installs.",1.2.0-dev +host.vulnerability.cve.id,keyword,extended,"CVE-2019-00001, CVE-2019-00002",1.2.0-dev +host.vulnerability.cvss.score.base,long,extended,"5.5, 6.6",1.2.0-dev +host.vulnerability.cvss.score.evironmental,long,extended,"5.5, 6.6",1.2.0-dev +host.vulnerability.cvss.score.temporal,long,extended,"5.5, 6.6",1.2.0-dev +host.vulnerability.detected.first,date,extended,YYYY-MM-DD-HH-MM,1.2.0-dev +host.vulnerability.detected.last,date,extended,YYYY-MM-DD-HH-MM,1.2.0-dev +host.vulnerability.scanned.first,date,extended,YYYY-MM-DD-HH-MM,1.2.0-dev +host.vulnerability.scanned.last,date,extended,YYYY-MM-DD-HH-MM,1.2.0-dev +host.vulnerability.severity,keyword,extended,"Critical, High, Medium, Low, None",1.2.0-dev +host.vulnerability.status,keyword,extended,"New, Active, Fixed, Re-Opened",1.2.0-dev http.request.body.bytes,long,extended,887,1.2.0-dev http.request.body.content,keyword,extended,Hello world,1.2.0-dev http.request.bytes,long,extended,1437,1.2.0-dev 
@@ -247,11 +283,35 @@ observer.os.kernel,keyword,extended,4.4.0-112-generic,1.2.0-dev observer.os.name,keyword,extended,Mac OS X,1.2.0-dev observer.os.platform,keyword,extended,darwin,1.2.0-dev observer.os.version,keyword,extended,10.14.1,1.2.0-dev +observer.os.vulnerability.category,keyword,extended,"AIX, Firewall, Malware, Office Application, Solaris, Windows",1.2.0-dev +observer.os.vulnerability.cve.description,keyword,extended,"In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible to time-to-check-time-to-use bugs and would also allow one user of the system (who didn't have root access) to tamper with another's installs.",1.2.0-dev +observer.os.vulnerability.cve.id,keyword,extended,"CVE-2019-00001, CVE-2019-00002",1.2.0-dev +observer.os.vulnerability.cvss.score.base,long,extended,"5.5, 6.6",1.2.0-dev +observer.os.vulnerability.cvss.score.evironmental,long,extended,"5.5, 6.6",1.2.0-dev +observer.os.vulnerability.cvss.score.temporal,long,extended,"5.5, 6.6",1.2.0-dev +observer.os.vulnerability.detected.first,date,extended,YYYY-MM-DD-HH-MM,1.2.0-dev +observer.os.vulnerability.detected.last,date,extended,YYYY-MM-DD-HH-MM,1.2.0-dev +observer.os.vulnerability.scanned.first,date,extended,YYYY-MM-DD-HH-MM,1.2.0-dev +observer.os.vulnerability.scanned.last,date,extended,YYYY-MM-DD-HH-MM,1.2.0-dev +observer.os.vulnerability.severity,keyword,extended,"Critical, High, Medium, Low, None",1.2.0-dev +observer.os.vulnerability.status,keyword,extended,"New, Active, Fixed, Re-Opened",1.2.0-dev observer.product,keyword,extended,s200,1.2.0-dev observer.serial_number,keyword,extended,,1.2.0-dev observer.type,keyword,core,firewall,1.2.0-dev observer.vendor,keyword,core,Symantec,1.2.0-dev observer.version,keyword,core,,1.2.0-dev +observer.vulnerability.category,keyword,extended,"AIX, Firewall, Malware, Office Application, Solaris, Windows",1.2.0-dev +observer.vulnerability.cve.description,keyword,extended,"In Keybase before 2.12.6 on macOS, the move RPC to the 
Helper was susceptible to time-to-check-time-to-use bugs and would also allow one user of the system (who didn't have root access) to tamper with another's installs.",1.2.0-dev +observer.vulnerability.cve.id,keyword,extended,"CVE-2019-00001, CVE-2019-00002",1.2.0-dev +observer.vulnerability.cvss.score.base,long,extended,"5.5, 6.6",1.2.0-dev +observer.vulnerability.cvss.score.evironmental,long,extended,"5.5, 6.6",1.2.0-dev +observer.vulnerability.cvss.score.temporal,long,extended,"5.5, 6.6",1.2.0-dev +observer.vulnerability.detected.first,date,extended,YYYY-MM-DD-HH-MM,1.2.0-dev +observer.vulnerability.detected.last,date,extended,YYYY-MM-DD-HH-MM,1.2.0-dev +observer.vulnerability.scanned.first,date,extended,YYYY-MM-DD-HH-MM,1.2.0-dev +observer.vulnerability.scanned.last,date,extended,YYYY-MM-DD-HH-MM,1.2.0-dev +observer.vulnerability.severity,keyword,extended,"Critical, High, Medium, Low, None",1.2.0-dev +observer.vulnerability.status,keyword,extended,"New, Active, Fixed, Re-Opened",1.2.0-dev organization.id,keyword,extended,,1.2.0-dev organization.name,keyword,extended,,1.2.0-dev os.family,keyword,extended,debian,1.2.0-dev 
@@ -260,6 +320,18 @@ os.kernel,keyword,extended,4.4.0-112-generic,1.2.0-dev os.name,keyword,extended,Mac OS X,1.2.0-dev os.platform,keyword,extended,darwin,1.2.0-dev os.version,keyword,extended,10.14.1,1.2.0-dev +os.vulnerability.category,keyword,extended,"AIX, Firewall, Malware, Office Application, Solaris, Windows",1.2.0-dev +os.vulnerability.cve.description,keyword,extended,"In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible to time-to-check-time-to-use bugs and would also allow one user of the system (who didn't have root access) to tamper with another's installs.",1.2.0-dev +os.vulnerability.cve.id,keyword,extended,"CVE-2019-00001, CVE-2019-00002",1.2.0-dev +os.vulnerability.cvss.score.base,long,extended,"5.5, 6.6",1.2.0-dev +os.vulnerability.cvss.score.evironmental,long,extended,"5.5, 6.6",1.2.0-dev +os.vulnerability.cvss.score.temporal,long,extended,"5.5, 6.6",1.2.0-dev +os.vulnerability.detected.first,date,extended,YYYY-MM-DD-HH-MM,1.2.0-dev +os.vulnerability.detected.last,date,extended,YYYY-MM-DD-HH-MM,1.2.0-dev +os.vulnerability.scanned.first,date,extended,YYYY-MM-DD-HH-MM,1.2.0-dev +os.vulnerability.scanned.last,date,extended,YYYY-MM-DD-HH-MM,1.2.0-dev +os.vulnerability.severity,keyword,extended,"Critical, High, Medium, Low, None",1.2.0-dev +os.vulnerability.status,keyword,extended,"New, Active, Fixed, Re-Opened",1.2.0-dev package.architecture,keyword,extended,x86_64,1.2.0-dev package.checksum,keyword,extended,68b329da9893e34099c7d8ad5cb9c940,1.2.0-dev package.description,keyword,extended,Open source programming language to build simple/reliable/efficient software.,1.2.0-dev 
@@ -394,4 +466,28 @@ user_agent.os.kernel,keyword,extended,4.4.0-112-generic,1.2.0-dev user_agent.os.name,keyword,extended,Mac OS X,1.2.0-dev user_agent.os.platform,keyword,extended,darwin,1.2.0-dev user_agent.os.version,keyword,extended,10.14.1,1.2.0-dev +user_agent.os.vulnerability.category,keyword,extended,"AIX, Firewall, Malware, Office Application, Solaris, Windows",1.2.0-dev +user_agent.os.vulnerability.cve.description,keyword,extended,"In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible to time-to-check-time-to-use bugs and would also allow one user of the system (who didn't have root access) to tamper with another's installs.",1.2.0-dev +user_agent.os.vulnerability.cve.id,keyword,extended,"CVE-2019-00001, CVE-2019-00002",1.2.0-dev +user_agent.os.vulnerability.cvss.score.base,long,extended,"5.5, 6.6",1.2.0-dev +user_agent.os.vulnerability.cvss.score.evironmental,long,extended,"5.5, 6.6",1.2.0-dev +user_agent.os.vulnerability.cvss.score.temporal,long,extended,"5.5, 6.6",1.2.0-dev +user_agent.os.vulnerability.detected.first,date,extended,YYYY-MM-DD-HH-MM,1.2.0-dev +user_agent.os.vulnerability.detected.last,date,extended,YYYY-MM-DD-HH-MM,1.2.0-dev +user_agent.os.vulnerability.scanned.first,date,extended,YYYY-MM-DD-HH-MM,1.2.0-dev +user_agent.os.vulnerability.scanned.last,date,extended,YYYY-MM-DD-HH-MM,1.2.0-dev +user_agent.os.vulnerability.severity,keyword,extended,"Critical, High, Medium, Low, None",1.2.0-dev +user_agent.os.vulnerability.status,keyword,extended,"New, Active, Fixed, Re-Opened",1.2.0-dev user_agent.version,keyword,extended,12.0,1.2.0-dev +vulnerability.category,keyword,extended,"AIX, Firewall, Malware, Office Application, Solaris, Windows",1.2.0-dev +vulnerability.cve.description,keyword,extended,"In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible to time-to-check-time-to-use bugs and would also allow one user of the system (who didn't have root access) to tamper with another's 
installs.",1.2.0-dev +vulnerability.cve.id,keyword,extended,"CVE-2019-00001, CVE-2019-00002",1.2.0-dev +vulnerability.cvss.score.base,long,extended,"5.5, 6.6",1.2.0-dev +vulnerability.cvss.score.evironmental,long,extended,"5.5, 6.6",1.2.0-dev +vulnerability.cvss.score.temporal,long,extended,"5.5, 6.6",1.2.0-dev +vulnerability.detected.first,date,extended,YYYY-MM-DD-HH-MM,1.2.0-dev +vulnerability.detected.last,date,extended,YYYY-MM-DD-HH-MM,1.2.0-dev +vulnerability.scanned.first,date,extended,YYYY-MM-DD-HH-MM,1.2.0-dev +vulnerability.scanned.last,date,extended,YYYY-MM-DD-HH-MM,1.2.0-dev +vulnerability.severity,keyword,extended,"Critical, High, Medium, Low, None",1.2.0-dev +vulnerability.status,keyword,extended,"New, Active, Fixed, Re-Opened",1.2.0-dev diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index e00c05f372..0b41268b4c 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -442,6 +442,172 @@ client.user.name: original_fieldset: user short: Short name or login of the user. type: keyword +client.vulnerability.category: + description: The type of system or architecture that the vulnerability affects. + These may be platform-specific (for example, Debian or SUSE) or general (for example, + Database or Firewall). For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm) + example: AIX, Firewall, Malware, Office Application, Solaris, Windows + flat_name: client.vulnerability.category + ignore_above: 1024 + level: extended + name: category + order: 3 + original_fieldset: vulnerability + short: Category of a vulnerabilty. + type: keyword +client.vulnerability.cve.description: + description: 'The Common Vulnerability and Exposures (CVE) list is an open source + list for publicly known cybersecurity vulnerabilities providing an identification + number, a description, and at least one public reference. + + The description of the vulnerability that provides additional context of the vulnerability. + For example (ex. https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created)' + example: In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible + to time-to-check-time-to-use bugs and would also allow one user of the system + (who didn't have root access) to tamper with another's installs. + flat_name: client.vulnerability.cve.description + ignore_above: 1024 + level: extended + name: cve.description + order: 4 + original_fieldset: vulnerability + short: Description of the vulnerability. + type: keyword +client.vulnerability.cve.id: + description: 'The Common Vulnerability and Exposures (CVE) list is an open source + list for publicly known cybersecurity vulnerabilities providing an identification + number, a description, and at least one public reference. + + The identification (ID) is the number portion of a CVE Entry. 
It includes the + year the vulnerability ID was requested followed by a sequence number. CVE-YYYY-NNNNN. + For example (ex. https://cve.mitre.org/about/faqs.html#what_is_cve_id)' + example: CVE-2019-00001, CVE-2019-00002 + flat_name: client.vulnerability.cve.id + ignore_above: 1024 + level: extended + name: cve.id + order: 5 + original_fieldset: vulnerability + short: ID of the vulnerability. + type: keyword +client.vulnerability.cvss.score.base: + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Base scores cover an assessment for exploitability metrics (attack vector, complexity, + privileges, and user interaction), impact metrics (confidentialy, integrity, and + availability), and scope. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + flat_name: client.vulnerability.cvss.score.base + level: extended + name: cvss.score.base + order: 0 + original_fieldset: vulnerability + short: CVSS Base score. + type: long +client.vulnerability.cvss.score.evironmental: + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Environmental scores cover an assessment for any modified Base metrics, confidentiality, + integrity, and availability requirements. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + flat_name: client.vulnerability.cvss.score.evironmental + level: extended + name: cvss.score.evironmental + order: 2 + original_fieldset: vulnerability + short: CVSS Environmental score. 
+ type: long +client.vulnerability.cvss.score.temporal: + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Temporal scores cover an assessment for code maturity, remediation level, and + confidence. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + flat_name: client.vulnerability.cvss.score.temporal + level: extended + name: cvss.score.temporal + order: 1 + original_fieldset: vulnerability + short: CVSS Temporal score. + type: long +client.vulnerability.detected.first: + description: The first time that the vulnerability was observed on the asset. + example: YYYY-MM-DD-HH-MM + flat_name: client.vulnerability.detected.first + level: extended + name: detected.first + order: 8 + original_fieldset: vulnerability + short: Vulnerability first observed. + type: date +client.vulnerability.detected.last: + description: The last time that the vulnerability was observed on the asset. + example: YYYY-MM-DD-HH-MM + flat_name: client.vulnerability.detected.last + level: extended + name: detected.last + order: 9 + original_fieldset: vulnerability + short: Vulnerability last observed. + type: date +client.vulnerability.scanned.first: + description: The first time that the asset was scanned for vulnerabilities. + example: YYYY-MM-DD-HH-MM + flat_name: client.vulnerability.scanned.first + level: extended + name: scanned.first + order: 10 + original_fieldset: vulnerability + short: Asset first scanned. + type: date +client.vulnerability.scanned.last: + description: The last time that the asset was scanned for vulnerabilities. + example: YYYY-MM-DD-HH-MM + flat_name: client.vulnerability.scanned.last + level: extended + name: scanned.last + order: 11 + original_fieldset: vulnerability + short: Asset last scanned. 
+ type: date +client.vulnerability.severity: + description: The severity of the vulnerability can help with metrics and internal + prioritization regarding remediation. For example (ex. https://nvd.nist.gov/vuln-metrics/cvss) + example: Critical, High, Medium, Low, None + flat_name: client.vulnerability.severity + ignore_above: 1024 + level: extended + name: severity + order: 6 + original_fieldset: vulnerability + short: Severity of the vulnerability. + type: keyword +client.vulnerability.status: + description: 'The current status of the vulerability on the asset: + + New - The first time a vulnerability is detected by a scan the status is set to + New. Active - A vulnerability detected by two or more scans is set to Active. + Fixed - A vulnerability was verified by the most recent scan as fixed, and this + vulnerability was detected by the previous scan. Re-Opened - A vulnerability was + reopened by the most recent scan, and this vulnerability was verified as fixed + by the previous scan. + + For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)' + example: New, Active, Fixed, Re-Opened + flat_name: client.vulnerability.status + ignore_above: 1024 + level: extended + name: status + order: 7 + original_fieldset: vulnerability + short: Status of the vulnerability. + type: keyword cloud.account.id: description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. 
@@ -2088,6 +2254,172 @@ host.os.version: original_fieldset: os short: Operating system version as a raw string. type: keyword +host.os.vulnerability.category: + description: The type of system or architecture that the vulnerability affects. + These may be platform-specific (for example, Debian or SUSE) or general (for example, + Database or Firewall). For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm) + example: AIX, Firewall, Malware, Office Application, Solaris, Windows + flat_name: host.os.vulnerability.category + ignore_above: 1024 + level: extended + name: category + order: 3 + original_fieldset: os + short: Category of a vulnerabilty. + type: keyword +host.os.vulnerability.cve.description: + description: 'The Common Vulnerability and Exposures (CVE) list is an open source + list for publicly known cybersecurity vulnerabilities providing an identification + number, a description, and at least one public reference. + + The description of the vulnerability that provides additional context of the vulnerability. + For example (ex. https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created)' + example: In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible + to time-to-check-time-to-use bugs and would also allow one user of the system + (who didn't have root access) to tamper with another's installs. + flat_name: host.os.vulnerability.cve.description + ignore_above: 1024 + level: extended + name: cve.description + order: 4 + original_fieldset: os + short: Description of the vulnerability. + type: keyword +host.os.vulnerability.cve.id: + description: 'The Common Vulnerability and Exposures (CVE) list is an open source + list for publicly known cybersecurity vulnerabilities providing an identification + number, a description, and at least one public reference. + + The identification (ID) is the number portion of a CVE Entry. 
It includes the + year the vulnerability ID was requested followed by a sequence number. CVE-YYYY-NNNNN. + For example (ex. https://cve.mitre.org/about/faqs.html#what_is_cve_id)' + example: CVE-2019-00001, CVE-2019-00002 + flat_name: host.os.vulnerability.cve.id + ignore_above: 1024 + level: extended + name: cve.id + order: 5 + original_fieldset: os + short: ID of the vulnerability. + type: keyword +host.os.vulnerability.cvss.score.base: + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Base scores cover an assessment for exploitability metrics (attack vector, complexity, + privileges, and user interaction), impact metrics (confidentialy, integrity, and + availability), and scope. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + flat_name: host.os.vulnerability.cvss.score.base + level: extended + name: cvss.score.base + order: 0 + original_fieldset: os + short: CVSS Base score. + type: long +host.os.vulnerability.cvss.score.evironmental: + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Environmental scores cover an assessment for any modified Base metrics, confidentiality, + integrity, and availability requirements. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + flat_name: host.os.vulnerability.cvss.score.evironmental + level: extended + name: cvss.score.evironmental + order: 2 + original_fieldset: os + short: CVSS Environmental score. 
+ type: long +host.os.vulnerability.cvss.score.temporal: + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Temporal scores cover an assessment for code maturity, remediation level, and + confidence. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + flat_name: host.os.vulnerability.cvss.score.temporal + level: extended + name: cvss.score.temporal + order: 1 + original_fieldset: os + short: CVSS Temporal score. + type: long +host.os.vulnerability.detected.first: + description: The first time that the vulnerability was observed on the asset. + example: YYYY-MM-DD-HH-MM + flat_name: host.os.vulnerability.detected.first + level: extended + name: detected.first + order: 8 + original_fieldset: os + short: Vulnerability first observed. + type: date +host.os.vulnerability.detected.last: + description: The last time that the vulnerability was observed on the asset. + example: YYYY-MM-DD-HH-MM + flat_name: host.os.vulnerability.detected.last + level: extended + name: detected.last + order: 9 + original_fieldset: os + short: Vulnerability last observed. + type: date +host.os.vulnerability.scanned.first: + description: The first time that the asset was scanned for vulnerabilities. + example: YYYY-MM-DD-HH-MM + flat_name: host.os.vulnerability.scanned.first + level: extended + name: scanned.first + order: 10 + original_fieldset: os + short: Asset first scanned. + type: date +host.os.vulnerability.scanned.last: + description: The last time that the asset was scanned for vulnerabilities. + example: YYYY-MM-DD-HH-MM + flat_name: host.os.vulnerability.scanned.last + level: extended + name: scanned.last + order: 11 + original_fieldset: os + short: Asset last scanned. 
+ type: date +host.os.vulnerability.severity: + description: The severity of the vulnerability can help with metrics and internal + prioritization regarding remediation. For example (ex. https://nvd.nist.gov/vuln-metrics/cvss) + example: Critical, High, Medium, Low, None + flat_name: host.os.vulnerability.severity + ignore_above: 1024 + level: extended + name: severity + order: 6 + original_fieldset: os + short: Severity of the vulnerability. + type: keyword +host.os.vulnerability.status: + description: 'The current status of the vulerability on the asset: + + New - The first time a vulnerability is detected by a scan the status is set to + New. Active - A vulnerability detected by two or more scans is set to Active. + Fixed - A vulnerability was verified by the most recent scan as fixed, and this + vulnerability was detected by the previous scan. Re-Opened - A vulnerability was + reopened by the most recent scan, and this vulnerability was verified as fixed + by the previous scan. + + For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)' + example: New, Active, Fixed, Re-Opened + flat_name: host.os.vulnerability.status + ignore_above: 1024 + level: extended + name: status + order: 7 + original_fieldset: os + short: Status of the vulnerability. + type: keyword host.type: description: 'Type of host. 
@@ -2209,6 +2541,172 @@ host.user.name: original_fieldset: user short: Short name or login of the user. type: keyword +host.vulnerability.category: + description: The type of system or architecture that the vulnerability affects. + These may be platform-specific (for example, Debian or SUSE) or general (for example, + Database or Firewall). For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm) + example: AIX, Firewall, Malware, Office Application, Solaris, Windows + flat_name: host.vulnerability.category + ignore_above: 1024 + level: extended + name: category + order: 3 + original_fieldset: vulnerability + short: Category of a vulnerabilty. + type: keyword +host.vulnerability.cve.description: + description: 'The Common Vulnerability and Exposures (CVE) list is an open source + list for publicly known cybersecurity vulnerabilities providing an identification + number, a description, and at least one public reference. + + The description of the vulnerability that provides additional context of the vulnerability. + For example (ex. https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created)' + example: In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible + to time-to-check-time-to-use bugs and would also allow one user of the system + (who didn't have root access) to tamper with another's installs. + flat_name: host.vulnerability.cve.description + ignore_above: 1024 + level: extended + name: cve.description + order: 4 + original_fieldset: vulnerability + short: Description of the vulnerability. + type: keyword +host.vulnerability.cve.id: + description: 'The Common Vulnerability and Exposures (CVE) list is an open source + list for publicly known cybersecurity vulnerabilities providing an identification + number, a description, and at least one public reference. + + The identification (ID) is the number portion of a CVE Entry. 
It includes the + year the vulnerability ID was requested followed by a sequence number. CVE-YYYY-NNNNN. + For example (ex. https://cve.mitre.org/about/faqs.html#what_is_cve_id)' + example: CVE-2019-00001, CVE-2019-00002 + flat_name: host.vulnerability.cve.id + ignore_above: 1024 + level: extended + name: cve.id + order: 5 + original_fieldset: vulnerability + short: ID of the vulnerability. + type: keyword +host.vulnerability.cvss.score.base: + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Base scores cover an assessment for exploitability metrics (attack vector, complexity, + privileges, and user interaction), impact metrics (confidentialy, integrity, and + availability), and scope. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + flat_name: host.vulnerability.cvss.score.base + level: extended + name: cvss.score.base + order: 0 + original_fieldset: vulnerability + short: CVSS Base score. + type: long +host.vulnerability.cvss.score.evironmental: + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Environmental scores cover an assessment for any modified Base metrics, confidentiality, + integrity, and availability requirements. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + flat_name: host.vulnerability.cvss.score.evironmental + level: extended + name: cvss.score.evironmental + order: 2 + original_fieldset: vulnerability + short: CVSS Environmental score. 
+ type: long +host.vulnerability.cvss.score.temporal: + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Temporal scores cover an assessment for code maturity, remediation level, and + confidence. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + flat_name: host.vulnerability.cvss.score.temporal + level: extended + name: cvss.score.temporal + order: 1 + original_fieldset: vulnerability + short: CVSS Temporal score. + type: long +host.vulnerability.detected.first: + description: The first time that the vulnerability was observed on the asset. + example: YYYY-MM-DD-HH-MM + flat_name: host.vulnerability.detected.first + level: extended + name: detected.first + order: 8 + original_fieldset: vulnerability + short: Vulnerability first observed. + type: date +host.vulnerability.detected.last: + description: The last time that the vulnerability was observed on the asset. + example: YYYY-MM-DD-HH-MM + flat_name: host.vulnerability.detected.last + level: extended + name: detected.last + order: 9 + original_fieldset: vulnerability + short: Vulnerability last observed. + type: date +host.vulnerability.scanned.first: + description: The first time that the asset was scanned for vulnerabilities. + example: YYYY-MM-DD-HH-MM + flat_name: host.vulnerability.scanned.first + level: extended + name: scanned.first + order: 10 + original_fieldset: vulnerability + short: Asset first scanned. + type: date +host.vulnerability.scanned.last: + description: The last time that the asset was scanned for vulnerabilities. + example: YYYY-MM-DD-HH-MM + flat_name: host.vulnerability.scanned.last + level: extended + name: scanned.last + order: 11 + original_fieldset: vulnerability + short: Asset last scanned. 
+ type: date +host.vulnerability.severity: + description: The severity of the vulnerability can help with metrics and internal + prioritization regarding remediation. For example (ex. https://nvd.nist.gov/vuln-metrics/cvss) + example: Critical, High, Medium, Low, None + flat_name: host.vulnerability.severity + ignore_above: 1024 + level: extended + name: severity + order: 6 + original_fieldset: vulnerability + short: Severity of the vulnerability. + type: keyword +host.vulnerability.status: + description: 'The current status of the vulerability on the asset: + + New - The first time a vulnerability is detected by a scan the status is set to + New. Active - A vulnerability detected by two or more scans is set to Active. + Fixed - A vulnerability was verified by the most recent scan as fixed, and this + vulnerability was detected by the previous scan. Re-Opened - A vulnerability was + reopened by the most recent scan, and this vulnerability was verified as fixed + by the previous scan. + + For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)' + example: New, Active, Fixed, Re-Opened + flat_name: host.vulnerability.status + ignore_above: 1024 + level: extended + name: status + order: 7 + original_fieldset: vulnerability + short: Status of the vulnerability. + type: keyword http.request.body.bytes: description: Size in bytes of the request body. example: 887 
@@ -2840,6 +3338,172 @@ observer.os.version: original_fieldset: os short: Operating system version as a raw string. type: keyword +observer.os.vulnerability.category: + description: The type of system or architecture that the vulnerability affects. + These may be platform-specific (for example, Debian or SUSE) or general (for example, + Database or Firewall). For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm) + example: AIX, Firewall, Malware, Office Application, Solaris, Windows + flat_name: observer.os.vulnerability.category + ignore_above: 1024 + level: extended + name: category + order: 3 + original_fieldset: os + short: Category of a vulnerabilty. + type: keyword +observer.os.vulnerability.cve.description: + description: 'The Common Vulnerability and Exposures (CVE) list is an open source + list for publicly known cybersecurity vulnerabilities providing an identification + number, a description, and at least one public reference. + + The description of the vulnerability that provides additional context of the vulnerability. + For example (ex. https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created)' + example: In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible + to time-to-check-time-to-use bugs and would also allow one user of the system + (who didn't have root access) to tamper with another's installs. + flat_name: observer.os.vulnerability.cve.description + ignore_above: 1024 + level: extended + name: cve.description + order: 4 + original_fieldset: os + short: Description of the vulnerability. + type: keyword +observer.os.vulnerability.cve.id: + description: 'The Common Vulnerability and Exposures (CVE) list is an open source + list for publicly known cybersecurity vulnerabilities providing an identification + number, a description, and at least one public reference. + + The identification (ID) is the number portion of a CVE Entry. 
It includes the + year the vulnerability ID was requested followed by a sequence number. CVE-YYYY-NNNNN. + For example (ex. https://cve.mitre.org/about/faqs.html#what_is_cve_id)' + example: CVE-2019-00001, CVE-2019-00002 + flat_name: observer.os.vulnerability.cve.id + ignore_above: 1024 + level: extended + name: cve.id + order: 5 + original_fieldset: os + short: ID of the vulnerability. + type: keyword +observer.os.vulnerability.cvss.score.base: + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Base scores cover an assessment for exploitability metrics (attack vector, complexity, + privileges, and user interaction), impact metrics (confidentialy, integrity, and + availability), and scope. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + flat_name: observer.os.vulnerability.cvss.score.base + level: extended + name: cvss.score.base + order: 0 + original_fieldset: os + short: CVSS Base score. + type: long +observer.os.vulnerability.cvss.score.evironmental: + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Environmental scores cover an assessment for any modified Base metrics, confidentiality, + integrity, and availability requirements. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + flat_name: observer.os.vulnerability.cvss.score.evironmental + level: extended + name: cvss.score.evironmental + order: 2 + original_fieldset: os + short: CVSS Environmental score. 
+ type: long +observer.os.vulnerability.cvss.score.temporal: + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Temporal scores cover an assessment for code maturity, remediation level, and + confidence. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + flat_name: observer.os.vulnerability.cvss.score.temporal + level: extended + name: cvss.score.temporal + order: 1 + original_fieldset: os + short: CVSS Temporal score. + type: long +observer.os.vulnerability.detected.first: + description: The first time that the vulnerability was observed on the asset. + example: YYYY-MM-DD-HH-MM + flat_name: observer.os.vulnerability.detected.first + level: extended + name: detected.first + order: 8 + original_fieldset: os + short: Vulnerability first observed. + type: date +observer.os.vulnerability.detected.last: + description: The last time that the vulnerability was observed on the asset. + example: YYYY-MM-DD-HH-MM + flat_name: observer.os.vulnerability.detected.last + level: extended + name: detected.last + order: 9 + original_fieldset: os + short: Vulnerability last observed. + type: date +observer.os.vulnerability.scanned.first: + description: The first time that the asset was scanned for vulnerabilities. + example: YYYY-MM-DD-HH-MM + flat_name: observer.os.vulnerability.scanned.first + level: extended + name: scanned.first + order: 10 + original_fieldset: os + short: Asset first scanned. + type: date +observer.os.vulnerability.scanned.last: + description: The last time that the asset was scanned for vulnerabilities. + example: YYYY-MM-DD-HH-MM + flat_name: observer.os.vulnerability.scanned.last + level: extended + name: scanned.last + order: 11 + original_fieldset: os + short: Asset last scanned. 
+ type: date +observer.os.vulnerability.severity: + description: The severity of the vulnerability can help with metrics and internal + prioritization regarding remediation. For example (ex. https://nvd.nist.gov/vuln-metrics/cvss) + example: Critical, High, Medium, Low, None + flat_name: observer.os.vulnerability.severity + ignore_above: 1024 + level: extended + name: severity + order: 6 + original_fieldset: os + short: Severity of the vulnerability. + type: keyword +observer.os.vulnerability.status: + description: 'The current status of the vulerability on the asset: + + New - The first time a vulnerability is detected by a scan the status is set to + New. Active - A vulnerability detected by two or more scans is set to Active. + Fixed - A vulnerability was verified by the most recent scan as fixed, and this + vulnerability was detected by the previous scan. Re-Opened - A vulnerability was + reopened by the most recent scan, and this vulnerability was verified as fixed + by the previous scan. + + For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)' + example: New, Active, Fixed, Re-Opened + flat_name: observer.os.vulnerability.status + ignore_above: 1024 + level: extended + name: status + order: 7 + original_fieldset: os + short: Status of the vulnerability. + type: keyword observer.product: description: The product name of the observer. example: s200 
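Review bot: The key `observer.os.vulnerability.cvss.score.evironmental` (and its `name: cvss.score.evironmental`) misspells "environmental", and since this file is generated the typo is reproduced in every reuse — the same key appears in the observer.vulnerability, os.vulnerability, user_agent.os.vulnerability and top-level vulnerability hunks that follow — so it needs correcting in the source schema and regenerating before anything indexes against it. The three `cvss.score.*` fields are `type: long` while their description says scores range from 0.0 to 10.0 and the example is `5.5, 6.6`; with the default coerce setting a long mapping truncates 7.9 to 7 on ingest, which silently moves findings across the thresholds that severity-based prioritization relies on, so `type: float` (or `scaled_float`) matches the data. The descriptions in this and the sibling hunks also carry spelling errors worth fixing at the same source: `confidentialy`, `vulerability` and, in the category `short`, `vulnerabilty`.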
@@ -2891,6 +3555,172 @@ observer.version: order: 6 short: Observer version. type: keyword +observer.vulnerability.category: + description: The type of system or architecture that the vulnerability affects. + These may be platform-specific (for example, Debian or SUSE) or general (for example, + Database or Firewall). For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm) + example: AIX, Firewall, Malware, Office Application, Solaris, Windows + flat_name: observer.vulnerability.category + ignore_above: 1024 + level: extended + name: category + order: 3 + original_fieldset: vulnerability + short: Category of a vulnerabilty. + type: keyword +observer.vulnerability.cve.description: + description: 'The Common Vulnerability and Exposures (CVE) list is an open source + list for publicly known cybersecurity vulnerabilities providing an identification + number, a description, and at least one public reference. + + The description of the vulnerability that provides additional context of the vulnerability. + For example (ex. https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created)' + example: In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible + to time-to-check-time-to-use bugs and would also allow one user of the system + (who didn't have root access) to tamper with another's installs. + flat_name: observer.vulnerability.cve.description + ignore_above: 1024 + level: extended + name: cve.description + order: 4 + original_fieldset: vulnerability + short: Description of the vulnerability. + type: keyword +observer.vulnerability.cve.id: + description: 'The Common Vulnerability and Exposures (CVE) list is an open source + list for publicly known cybersecurity vulnerabilities providing an identification + number, a description, and at least one public reference. + + The identification (ID) is the number portion of a CVE Entry. 
It includes the + year the vulnerability ID was requested followed by a sequence number. CVE-YYYY-NNNNN. + For example (ex. https://cve.mitre.org/about/faqs.html#what_is_cve_id)' + example: CVE-2019-00001, CVE-2019-00002 + flat_name: observer.vulnerability.cve.id + ignore_above: 1024 + level: extended + name: cve.id + order: 5 + original_fieldset: vulnerability + short: ID of the vulnerability. + type: keyword +observer.vulnerability.cvss.score.base: + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Base scores cover an assessment for exploitability metrics (attack vector, complexity, + privileges, and user interaction), impact metrics (confidentialy, integrity, and + availability), and scope. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + flat_name: observer.vulnerability.cvss.score.base + level: extended + name: cvss.score.base + order: 0 + original_fieldset: vulnerability + short: CVSS Base score. + type: long +observer.vulnerability.cvss.score.evironmental: + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Environmental scores cover an assessment for any modified Base metrics, confidentiality, + integrity, and availability requirements. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + flat_name: observer.vulnerability.cvss.score.evironmental + level: extended + name: cvss.score.evironmental + order: 2 + original_fieldset: vulnerability + short: CVSS Environmental score. 
+ type: long +observer.vulnerability.cvss.score.temporal: + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Temporal scores cover an assessment for code maturity, remediation level, and + confidence. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + flat_name: observer.vulnerability.cvss.score.temporal + level: extended + name: cvss.score.temporal + order: 1 + original_fieldset: vulnerability + short: CVSS Temporal score. + type: long +observer.vulnerability.detected.first: + description: The first time that the vulnerability was observed on the asset. + example: YYYY-MM-DD-HH-MM + flat_name: observer.vulnerability.detected.first + level: extended + name: detected.first + order: 8 + original_fieldset: vulnerability + short: Vulnerability first observed. + type: date +observer.vulnerability.detected.last: + description: The last time that the vulnerability was observed on the asset. + example: YYYY-MM-DD-HH-MM + flat_name: observer.vulnerability.detected.last + level: extended + name: detected.last + order: 9 + original_fieldset: vulnerability + short: Vulnerability last observed. + type: date +observer.vulnerability.scanned.first: + description: The first time that the asset was scanned for vulnerabilities. + example: YYYY-MM-DD-HH-MM + flat_name: observer.vulnerability.scanned.first + level: extended + name: scanned.first + order: 10 + original_fieldset: vulnerability + short: Asset first scanned. + type: date +observer.vulnerability.scanned.last: + description: The last time that the asset was scanned for vulnerabilities. + example: YYYY-MM-DD-HH-MM + flat_name: observer.vulnerability.scanned.last + level: extended + name: scanned.last + order: 11 + original_fieldset: vulnerability + short: Asset last scanned. 
+ type: date +observer.vulnerability.severity: + description: The severity of the vulnerability can help with metrics and internal + prioritization regarding remediation. For example (ex. https://nvd.nist.gov/vuln-metrics/cvss) + example: Critical, High, Medium, Low, None + flat_name: observer.vulnerability.severity + ignore_above: 1024 + level: extended + name: severity + order: 6 + original_fieldset: vulnerability + short: Severity of the vulnerability. + type: keyword +observer.vulnerability.status: + description: 'The current status of the vulerability on the asset: + + New - The first time a vulnerability is detected by a scan the status is set to + New. Active - A vulnerability detected by two or more scans is set to Active. + Fixed - A vulnerability was verified by the most recent scan as fixed, and this + vulnerability was detected by the previous scan. Re-Opened - A vulnerability was + reopened by the most recent scan, and this vulnerability was verified as fixed + by the previous scan. + + For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)' + example: New, Active, Fixed, Re-Opened + flat_name: observer.vulnerability.status + ignore_above: 1024 + level: extended + name: status + order: 7 + original_fieldset: vulnerability + short: Status of the vulnerability. + type: keyword organization.id: description: Unique identifier for the organization. flat_name: organization.id 
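Review bot: The four `type: date` fields here (`observer.vulnerability.detected.first`, `detected.last`, `scanned.first`, `scanned.last`) carry `example: YYYY-MM-DD-HH-MM`, which is a format pattern rather than a value and is not something the default date parser accepts, so the example is unusable as a documentation sample or test input; an ISO 8601 instant (for instance the constructed `2019-10-07T22:11:07.000Z`) is what a date field should show. `observer.vulnerability.cve.description` is `keyword` with `ignore_above: 1024`, but CVE descriptions can exceed that length, and such values stay in `_source` while being dropped from the index, so searches on the description quietly miss the longest entries — a `text` mapping, or a keyword with a `.text` multi-field, keeps them searchable. Both points apply to the same fields in the other vulnerability hunks.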
@@ -2969,6 +3799,172 @@ os.version: order: 4 short: Operating system version as a raw string. type: keyword +os.vulnerability.category: + description: The type of system or architecture that the vulnerability affects. + These may be platform-specific (for example, Debian or SUSE) or general (for example, + Database or Firewall). For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm) + example: AIX, Firewall, Malware, Office Application, Solaris, Windows + flat_name: os.vulnerability.category + ignore_above: 1024 + level: extended + name: category + order: 3 + original_fieldset: vulnerability + short: Category of a vulnerabilty. + type: keyword +os.vulnerability.cve.description: + description: 'The Common Vulnerability and Exposures (CVE) list is an open source + list for publicly known cybersecurity vulnerabilities providing an identification + number, a description, and at least one public reference. + + The description of the vulnerability that provides additional context of the vulnerability. + For example (ex. https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created)' + example: In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible + to time-to-check-time-to-use bugs and would also allow one user of the system + (who didn't have root access) to tamper with another's installs. + flat_name: os.vulnerability.cve.description + ignore_above: 1024 + level: extended + name: cve.description + order: 4 + original_fieldset: vulnerability + short: Description of the vulnerability. + type: keyword +os.vulnerability.cve.id: + description: 'The Common Vulnerability and Exposures (CVE) list is an open source + list for publicly known cybersecurity vulnerabilities providing an identification + number, a description, and at least one public reference. + + The identification (ID) is the number portion of a CVE Entry. 
It includes the + year the vulnerability ID was requested followed by a sequence number. CVE-YYYY-NNNNN. + For example (ex. https://cve.mitre.org/about/faqs.html#what_is_cve_id)' + example: CVE-2019-00001, CVE-2019-00002 + flat_name: os.vulnerability.cve.id + ignore_above: 1024 + level: extended + name: cve.id + order: 5 + original_fieldset: vulnerability + short: ID of the vulnerability. + type: keyword +os.vulnerability.cvss.score.base: + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Base scores cover an assessment for exploitability metrics (attack vector, complexity, + privileges, and user interaction), impact metrics (confidentialy, integrity, and + availability), and scope. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + flat_name: os.vulnerability.cvss.score.base + level: extended + name: cvss.score.base + order: 0 + original_fieldset: vulnerability + short: CVSS Base score. + type: long +os.vulnerability.cvss.score.evironmental: + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Environmental scores cover an assessment for any modified Base metrics, confidentiality, + integrity, and availability requirements. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + flat_name: os.vulnerability.cvss.score.evironmental + level: extended + name: cvss.score.evironmental + order: 2 + original_fieldset: vulnerability + short: CVSS Environmental score. 
+ type: long +os.vulnerability.cvss.score.temporal: + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Temporal scores cover an assessment for code maturity, remediation level, and + confidence. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + flat_name: os.vulnerability.cvss.score.temporal + level: extended + name: cvss.score.temporal + order: 1 + original_fieldset: vulnerability + short: CVSS Temporal score. + type: long +os.vulnerability.detected.first: + description: The first time that the vulnerability was observed on the asset. + example: YYYY-MM-DD-HH-MM + flat_name: os.vulnerability.detected.first + level: extended + name: detected.first + order: 8 + original_fieldset: vulnerability + short: Vulnerability first observed. + type: date +os.vulnerability.detected.last: + description: The last time that the vulnerability was observed on the asset. + example: YYYY-MM-DD-HH-MM + flat_name: os.vulnerability.detected.last + level: extended + name: detected.last + order: 9 + original_fieldset: vulnerability + short: Vulnerability last observed. + type: date +os.vulnerability.scanned.first: + description: The first time that the asset was scanned for vulnerabilities. + example: YYYY-MM-DD-HH-MM + flat_name: os.vulnerability.scanned.first + level: extended + name: scanned.first + order: 10 + original_fieldset: vulnerability + short: Asset first scanned. + type: date +os.vulnerability.scanned.last: + description: The last time that the asset was scanned for vulnerabilities. + example: YYYY-MM-DD-HH-MM + flat_name: os.vulnerability.scanned.last + level: extended + name: scanned.last + order: 11 + original_fieldset: vulnerability + short: Asset last scanned. 
+ type: date +os.vulnerability.severity: + description: The severity of the vulnerability can help with metrics and internal + prioritization regarding remediation. For example (ex. https://nvd.nist.gov/vuln-metrics/cvss) + example: Critical, High, Medium, Low, None + flat_name: os.vulnerability.severity + ignore_above: 1024 + level: extended + name: severity + order: 6 + original_fieldset: vulnerability + short: Severity of the vulnerability. + type: keyword +os.vulnerability.status: + description: 'The current status of the vulerability on the asset: + + New - The first time a vulnerability is detected by a scan the status is set to + New. Active - A vulnerability detected by two or more scans is set to Active. + Fixed - A vulnerability was verified by the most recent scan as fixed, and this + vulnerability was detected by the previous scan. Re-Opened - A vulnerability was + reopened by the most recent scan, and this vulnerability was verified as fixed + by the previous scan. + + For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)' + example: New, Active, Fixed, Re-Opened + flat_name: os.vulnerability.status + ignore_above: 1024 + level: extended + name: status + order: 7 + original_fieldset: vulnerability + short: Status of the vulnerability. + type: keyword package.architecture: description: Package architecture. example: x86_64 
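Review bot: Nesting the vulnerability fieldset under `os` (this hunk) makes every fieldset that itself reuses `os` inherit all twelve fields, which is why `observer.os.vulnerability.*` and `user_agent.os.vulnerability.*` copies appear in the neighbouring hunks; no producer reports a vulnerability on the OS behind a client's user agent, so those copies only add roughly 170 lines of mapping each that are mapped in the index template whether or not any event populates them. If the intent is vulnerability-on-asset, limiting the fieldset's reuse targets in the source schema to `host` and keeping the top-level `vulnerability` fieldset covers the scanner use case without the os-derived copies. That decision belongs in the source schema; the generated entries here will follow.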
@@ -4505,6 +5501,172 @@ user_agent.os.version: original_fieldset: os short: Operating system version as a raw string. type: keyword +user_agent.os.vulnerability.category: + description: The type of system or architecture that the vulnerability affects. + These may be platform-specific (for example, Debian or SUSE) or general (for example, + Database or Firewall). For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm) + example: AIX, Firewall, Malware, Office Application, Solaris, Windows + flat_name: user_agent.os.vulnerability.category + ignore_above: 1024 + level: extended + name: category + order: 3 + original_fieldset: os + short: Category of a vulnerabilty. + type: keyword +user_agent.os.vulnerability.cve.description: + description: 'The Common Vulnerability and Exposures (CVE) list is an open source + list for publicly known cybersecurity vulnerabilities providing an identification + number, a description, and at least one public reference. + + The description of the vulnerability that provides additional context of the vulnerability. + For example (ex. https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created)' + example: In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible + to time-to-check-time-to-use bugs and would also allow one user of the system + (who didn't have root access) to tamper with another's installs. + flat_name: user_agent.os.vulnerability.cve.description + ignore_above: 1024 + level: extended + name: cve.description + order: 4 + original_fieldset: os + short: Description of the vulnerability. + type: keyword +user_agent.os.vulnerability.cve.id: + description: 'The Common Vulnerability and Exposures (CVE) list is an open source + list for publicly known cybersecurity vulnerabilities providing an identification + number, a description, and at least one public reference. + + The identification (ID) is the number portion of a CVE Entry. 
It includes the + year the vulnerability ID was requested followed by a sequence number. CVE-YYYY-NNNNN. + For example (ex. https://cve.mitre.org/about/faqs.html#what_is_cve_id)' + example: CVE-2019-00001, CVE-2019-00002 + flat_name: user_agent.os.vulnerability.cve.id + ignore_above: 1024 + level: extended + name: cve.id + order: 5 + original_fieldset: os + short: ID of the vulnerability. + type: keyword +user_agent.os.vulnerability.cvss.score.base: + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Base scores cover an assessment for exploitability metrics (attack vector, complexity, + privileges, and user interaction), impact metrics (confidentialy, integrity, and + availability), and scope. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + flat_name: user_agent.os.vulnerability.cvss.score.base + level: extended + name: cvss.score.base + order: 0 + original_fieldset: os + short: CVSS Base score. + type: long +user_agent.os.vulnerability.cvss.score.evironmental: + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Environmental scores cover an assessment for any modified Base metrics, confidentiality, + integrity, and availability requirements. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + flat_name: user_agent.os.vulnerability.cvss.score.evironmental + level: extended + name: cvss.score.evironmental + order: 2 + original_fieldset: os + short: CVSS Environmental score. 
+ type: long +user_agent.os.vulnerability.cvss.score.temporal: + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Temporal scores cover an assessment for code maturity, remediation level, and + confidence. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + flat_name: user_agent.os.vulnerability.cvss.score.temporal + level: extended + name: cvss.score.temporal + order: 1 + original_fieldset: os + short: CVSS Temporal score. + type: long +user_agent.os.vulnerability.detected.first: + description: The first time that the vulnerability was observed on the asset. + example: YYYY-MM-DD-HH-MM + flat_name: user_agent.os.vulnerability.detected.first + level: extended + name: detected.first + order: 8 + original_fieldset: os + short: Vulnerability first observed. + type: date +user_agent.os.vulnerability.detected.last: + description: The last time that the vulnerability was observed on the asset. + example: YYYY-MM-DD-HH-MM + flat_name: user_agent.os.vulnerability.detected.last + level: extended + name: detected.last + order: 9 + original_fieldset: os + short: Vulnerability last observed. + type: date +user_agent.os.vulnerability.scanned.first: + description: The first time that the asset was scanned for vulnerabilities. + example: YYYY-MM-DD-HH-MM + flat_name: user_agent.os.vulnerability.scanned.first + level: extended + name: scanned.first + order: 10 + original_fieldset: os + short: Asset first scanned. + type: date +user_agent.os.vulnerability.scanned.last: + description: The last time that the asset was scanned for vulnerabilities. + example: YYYY-MM-DD-HH-MM + flat_name: user_agent.os.vulnerability.scanned.last + level: extended + name: scanned.last + order: 11 + original_fieldset: os + short: Asset last scanned. 
+ type: date +user_agent.os.vulnerability.severity: + description: The severity of the vulnerability can help with metrics and internal + prioritization regarding remediation. For example (ex. https://nvd.nist.gov/vuln-metrics/cvss) + example: Critical, High, Medium, Low, None + flat_name: user_agent.os.vulnerability.severity + ignore_above: 1024 + level: extended + name: severity + order: 6 + original_fieldset: os + short: Severity of the vulnerability. + type: keyword +user_agent.os.vulnerability.status: + description: 'The current status of the vulerability on the asset: + + New - The first time a vulnerability is detected by a scan the status is set to + New. Active - A vulnerability detected by two or more scans is set to Active. + Fixed - A vulnerability was verified by the most recent scan as fixed, and this + vulnerability was detected by the previous scan. Re-Opened - A vulnerability was + reopened by the most recent scan, and this vulnerability was verified as fixed + by the previous scan. + + For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)' + example: New, Active, Fixed, Re-Opened + flat_name: user_agent.os.vulnerability.status + ignore_above: 1024 + level: extended + name: status + order: 7 + original_fieldset: os + short: Status of the vulnerability. + type: keyword user_agent.version: description: Version of the user agent. example: 12.0 
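Review bot: `original_fieldset: os` on every `user_agent.os.vulnerability.*` entry in this hunk (and on the `observer.os.vulnerability.*` entries earlier) disagrees with `original_fieldset: vulnerability` on the `observer.vulnerability.*` and `os.vulnerability.*` copies; these fields did not originate in `os`, so any tooling that groups docs or code generation by source fieldset will file these twelve under OS. This looks like the generator recording only the innermost reuse when a fieldset is nested two levels deep, which is worth confirming and fixing in the generator rather than hand-editing this file.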
@@ -4515,3 +5677,157 @@ user_agent.version: order: 2 short: Version of the user agent. type: keyword +vulnerability.category: + description: The type of system or architecture that the vulnerability affects. + These may be platform-specific (for example, Debian or SUSE) or general (for example, + Database or Firewall). For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm) + example: AIX, Firewall, Malware, Office Application, Solaris, Windows + flat_name: vulnerability.category + ignore_above: 1024 + level: extended + name: category + order: 3 + short: Category of a vulnerabilty. + type: keyword +vulnerability.cve.description: + description: 'The Common Vulnerability and Exposures (CVE) list is an open source + list for publicly known cybersecurity vulnerabilities providing an identification + number, a description, and at least one public reference. + + The description of the vulnerability that provides additional context of the vulnerability. + For example (ex. https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created)' + example: In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible + to time-to-check-time-to-use bugs and would also allow one user of the system + (who didn't have root access) to tamper with another's installs. + flat_name: vulnerability.cve.description + ignore_above: 1024 + level: extended + name: cve.description + order: 4 + short: Description of the vulnerability. + type: keyword +vulnerability.cve.id: + description: 'The Common Vulnerability and Exposures (CVE) list is an open source + list for publicly known cybersecurity vulnerabilities providing an identification + number, a description, and at least one public reference. + + The identification (ID) is the number portion of a CVE Entry. It includes the + year the vulnerability ID was requested followed by a sequence number. CVE-YYYY-NNNNN. + For example (ex. 
https://cve.mitre.org/about/faqs.html#what_is_cve_id)' + example: CVE-2019-00001, CVE-2019-00002 + flat_name: vulnerability.cve.id + ignore_above: 1024 + level: extended + name: cve.id + order: 5 + short: ID of the vulnerability. + type: keyword +vulnerability.cvss.score.base: + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Base scores cover an assessment for exploitability metrics (attack vector, complexity, + privileges, and user interaction), impact metrics (confidentialy, integrity, and + availability), and scope. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + flat_name: vulnerability.cvss.score.base + level: extended + name: cvss.score.base + order: 0 + short: CVSS Base score. + type: long +vulnerability.cvss.score.evironmental: + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Environmental scores cover an assessment for any modified Base metrics, confidentiality, + integrity, and availability requirements. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + flat_name: vulnerability.cvss.score.evironmental + level: extended + name: cvss.score.evironmental + order: 2 + short: CVSS Environmental score. + type: long +vulnerability.cvss.score.temporal: + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Temporal scores cover an assessment for code maturity, remediation level, and + confidence. For example (ex. 
https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + flat_name: vulnerability.cvss.score.temporal + level: extended + name: cvss.score.temporal + order: 1 + short: CVSS Temporal score. + type: long +vulnerability.detected.first: + description: The first time that the vulnerability was observed on the asset. + example: YYYY-MM-DD-HH-MM + flat_name: vulnerability.detected.first + level: extended + name: detected.first + order: 8 + short: Vulnerability first observed. + type: date +vulnerability.detected.last: + description: The last time that the vulnerability was observed on the asset. + example: YYYY-MM-DD-HH-MM + flat_name: vulnerability.detected.last + level: extended + name: detected.last + order: 9 + short: Vulnerability last observed. + type: date +vulnerability.scanned.first: + description: The first time that the asset was scanned for vulnerabilities. + example: YYYY-MM-DD-HH-MM + flat_name: vulnerability.scanned.first + level: extended + name: scanned.first + order: 10 + short: Asset first scanned. + type: date +vulnerability.scanned.last: + description: The last time that the asset was scanned for vulnerabilities. + example: YYYY-MM-DD-HH-MM + flat_name: vulnerability.scanned.last + level: extended + name: scanned.last + order: 11 + short: Asset last scanned. + type: date +vulnerability.severity: + description: The severity of the vulnerability can help with metrics and internal + prioritization regarding remediation. For example (ex. https://nvd.nist.gov/vuln-metrics/cvss) + example: Critical, High, Medium, Low, None + flat_name: vulnerability.severity + ignore_above: 1024 + level: extended + name: severity + order: 6 + short: Severity of the vulnerability. + type: keyword +vulnerability.status: + description: 'The current status of the vulerability on the asset: + + New - The first time a vulnerability is detected by a scan the status is set to + New. Active - A vulnerability detected by two or more scans is set to Active. 
+ Fixed - A vulnerability was verified by the most recent scan as fixed, and this + vulnerability was detected by the previous scan. Re-Opened - A vulnerability was + reopened by the most recent scan, and this vulnerability was verified as fixed + by the previous scan. + + For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)' + example: New, Active, Fixed, Re-Opened + flat_name: vulnerability.status + ignore_above: 1024 + level: extended + name: status + order: 7 + short: Status of the vulnerability. + type: keyword diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 942ee5dfef..5fac7b8b6e 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -551,9 +551,176 @@ client: original_fieldset: user short: Short name or login of the user. type: keyword + vulnerability.category: + description: The type of system or architecture that the vulnerability affects. + These may be platform-specific (for example, Debian or SUSE) or general (for + example, Database or Firewall). For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm) + example: AIX, Firewall, Malware, Office Application, Solaris, Windows + flat_name: client.vulnerability.category + ignore_above: 1024 + level: extended + name: category + order: 3 + original_fieldset: vulnerability + short: Category of a vulnerabilty. + type: keyword + vulnerability.cve.description: + description: 'The Common Vulnerability and Exposures (CVE) list is an open source + list for publicly known cybersecurity vulnerabilities providing an identification + number, a description, and at least one public reference. + + The description of the vulnerability that provides additional context of the + vulnerability. For example (ex. https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created)' + example: In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible + to time-to-check-time-to-use bugs and would also allow one user of the system + (who didn't have root access) to tamper with another's installs. + flat_name: client.vulnerability.cve.description + ignore_above: 1024 + level: extended + name: cve.description + order: 4 + original_fieldset: vulnerability + short: Description of the vulnerability. + type: keyword + vulnerability.cve.id: + description: 'The Common Vulnerability and Exposures (CVE) list is an open source + list for publicly known cybersecurity vulnerabilities providing an identification + number, a description, and at least one public reference. + + The identification (ID) is the number portion of a CVE Entry. 
It includes + the year the vulnerability ID was requested followed by a sequence number. + CVE-YYYY-NNNNN. For example (ex. https://cve.mitre.org/about/faqs.html#what_is_cve_id)' + example: CVE-2019-00001, CVE-2019-00002 + flat_name: client.vulnerability.cve.id + ignore_above: 1024 + level: extended + name: cve.id + order: 5 + original_fieldset: vulnerability + short: ID of the vulnerability. + type: keyword + vulnerability.cvss.score.base: + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Base scores cover an assessment for exploitability metrics (attack vector, + complexity, privileges, and user interaction), impact metrics (confidentialy, + integrity, and availability), and scope. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + flat_name: client.vulnerability.cvss.score.base + level: extended + name: cvss.score.base + order: 0 + original_fieldset: vulnerability + short: CVSS Base score. + type: long + vulnerability.cvss.score.evironmental: + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Environmental scores cover an assessment for any modified Base metrics, confidentiality, + integrity, and availability requirements. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + flat_name: client.vulnerability.cvss.score.evironmental + level: extended + name: cvss.score.evironmental + order: 2 + original_fieldset: vulnerability + short: CVSS Environmental score. 
+ type: long + vulnerability.cvss.score.temporal: + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Temporal scores cover an assessment for code maturity, remediation level, + and confidence. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + flat_name: client.vulnerability.cvss.score.temporal + level: extended + name: cvss.score.temporal + order: 1 + original_fieldset: vulnerability + short: CVSS Temporal score. + type: long + vulnerability.detected.first: + description: The first time that the vulnerability was observed on the asset. + example: YYYY-MM-DD-HH-MM + flat_name: client.vulnerability.detected.first + level: extended + name: detected.first + order: 8 + original_fieldset: vulnerability + short: Vulnerability first observed. + type: date + vulnerability.detected.last: + description: The last time that the vulnerability was observed on the asset. + example: YYYY-MM-DD-HH-MM + flat_name: client.vulnerability.detected.last + level: extended + name: detected.last + order: 9 + original_fieldset: vulnerability + short: Vulnerability last observed. + type: date + vulnerability.scanned.first: + description: The first time that the asset was scanned for vulnerabilities. + example: YYYY-MM-DD-HH-MM + flat_name: client.vulnerability.scanned.first + level: extended + name: scanned.first + order: 10 + original_fieldset: vulnerability + short: Asset first scanned. + type: date + vulnerability.scanned.last: + description: The last time that the asset was scanned for vulnerabilities. + example: YYYY-MM-DD-HH-MM + flat_name: client.vulnerability.scanned.last + level: extended + name: scanned.last + order: 11 + original_fieldset: vulnerability + short: Asset last scanned. 
+ type: date + vulnerability.severity: + description: The severity of the vulnerability can help with metrics and internal + prioritization regarding remediation. For example (ex. https://nvd.nist.gov/vuln-metrics/cvss) + example: Critical, High, Medium, Low, None + flat_name: client.vulnerability.severity + ignore_above: 1024 + level: extended + name: severity + order: 6 + original_fieldset: vulnerability + short: Severity of the vulnerability. + type: keyword + vulnerability.status: + description: 'The current status of the vulerability on the asset: + + New - The first time a vulnerability is detected by a scan the status is set + to New. Active - A vulnerability detected by two or more scans is set to Active. + Fixed - A vulnerability was verified by the most recent scan as fixed, and + this vulnerability was detected by the previous scan. Re-Opened - A vulnerability + was reopened by the most recent scan, and this vulnerability was verified + as fixed by the previous scan. + + For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)' + example: New, Active, Fixed, Re-Opened + flat_name: client.vulnerability.status + ignore_above: 1024 + level: extended + name: status + order: 7 + original_fieldset: vulnerability + short: Status of the vulnerability. + type: keyword group: 2 name: client nestings: + - vulnerability - geo - as - user 
@@ -2386,6 +2553,172 @@ host: original_fieldset: os short: Operating system version as a raw string. type: keyword + os.vulnerability.category: + description: The type of system or architecture that the vulnerability affects. + These may be platform-specific (for example, Debian or SUSE) or general (for + example, Database or Firewall). For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm) + example: AIX, Firewall, Malware, Office Application, Solaris, Windows + flat_name: host.os.vulnerability.category + ignore_above: 1024 + level: extended + name: category + order: 3 + original_fieldset: os + short: Category of a vulnerabilty. + type: keyword + os.vulnerability.cve.description: + description: 'The Common Vulnerability and Exposures (CVE) list is an open source + list for publicly known cybersecurity vulnerabilities providing an identification + number, a description, and at least one public reference. + + The description of the vulnerability that provides additional context of the + vulnerability. For example (ex. https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created)' + example: In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible + to time-to-check-time-to-use bugs and would also allow one user of the system + (who didn't have root access) to tamper with another's installs. + flat_name: host.os.vulnerability.cve.description + ignore_above: 1024 + level: extended + name: cve.description + order: 4 + original_fieldset: os + short: Description of the vulnerability. + type: keyword + os.vulnerability.cve.id: + description: 'The Common Vulnerability and Exposures (CVE) list is an open source + list for publicly known cybersecurity vulnerabilities providing an identification + number, a description, and at least one public reference. + + The identification (ID) is the number portion of a CVE Entry. 
It includes + the year the vulnerability ID was requested followed by a sequence number. + CVE-YYYY-NNNNN. For example (ex. https://cve.mitre.org/about/faqs.html#what_is_cve_id)' + example: CVE-2019-00001, CVE-2019-00002 + flat_name: host.os.vulnerability.cve.id + ignore_above: 1024 + level: extended + name: cve.id + order: 5 + original_fieldset: os + short: ID of the vulnerability. + type: keyword + os.vulnerability.cvss.score.base: + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Base scores cover an assessment for exploitability metrics (attack vector, + complexity, privileges, and user interaction), impact metrics (confidentialy, + integrity, and availability), and scope. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + flat_name: host.os.vulnerability.cvss.score.base + level: extended + name: cvss.score.base + order: 0 + original_fieldset: os + short: CVSS Base score. + type: long + os.vulnerability.cvss.score.evironmental: + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Environmental scores cover an assessment for any modified Base metrics, confidentiality, + integrity, and availability requirements. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + flat_name: host.os.vulnerability.cvss.score.evironmental + level: extended + name: cvss.score.evironmental + order: 2 + original_fieldset: os + short: CVSS Environmental score. 
+ type: long + os.vulnerability.cvss.score.temporal: + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Temporal scores cover an assessment for code maturity, remediation level, + and confidence. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + flat_name: host.os.vulnerability.cvss.score.temporal + level: extended + name: cvss.score.temporal + order: 1 + original_fieldset: os + short: CVSS Temporal score. + type: long + os.vulnerability.detected.first: + description: The first time that the vulnerability was observed on the asset. + example: YYYY-MM-DD-HH-MM + flat_name: host.os.vulnerability.detected.first + level: extended + name: detected.first + order: 8 + original_fieldset: os + short: Vulnerability first observed. + type: date + os.vulnerability.detected.last: + description: The last time that the vulnerability was observed on the asset. + example: YYYY-MM-DD-HH-MM + flat_name: host.os.vulnerability.detected.last + level: extended + name: detected.last + order: 9 + original_fieldset: os + short: Vulnerability last observed. + type: date + os.vulnerability.scanned.first: + description: The first time that the asset was scanned for vulnerabilities. + example: YYYY-MM-DD-HH-MM + flat_name: host.os.vulnerability.scanned.first + level: extended + name: scanned.first + order: 10 + original_fieldset: os + short: Asset first scanned. + type: date + os.vulnerability.scanned.last: + description: The last time that the asset was scanned for vulnerabilities. + example: YYYY-MM-DD-HH-MM + flat_name: host.os.vulnerability.scanned.last + level: extended + name: scanned.last + order: 11 + original_fieldset: os + short: Asset last scanned. 
+ type: date + os.vulnerability.severity: + description: The severity of the vulnerability can help with metrics and internal + prioritization regarding remediation. For example (ex. https://nvd.nist.gov/vuln-metrics/cvss) + example: Critical, High, Medium, Low, None + flat_name: host.os.vulnerability.severity + ignore_above: 1024 + level: extended + name: severity + order: 6 + original_fieldset: os + short: Severity of the vulnerability. + type: keyword + os.vulnerability.status: + description: 'The current status of the vulerability on the asset: + + New - The first time a vulnerability is detected by a scan the status is set + to New. Active - A vulnerability detected by two or more scans is set to Active. + Fixed - A vulnerability was verified by the most recent scan as fixed, and + this vulnerability was detected by the previous scan. Re-Opened - A vulnerability + was reopened by the most recent scan, and this vulnerability was verified + as fixed by the previous scan. + + For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)' + example: New, Active, Fixed, Re-Opened + flat_name: host.os.vulnerability.status + ignore_above: 1024 + level: extended + name: status + order: 7 + original_fieldset: os + short: Status of the vulnerability. + type: keyword type: description: 'Type of host. 
@@ -2508,9 +2841,176 @@ host: original_fieldset: user short: Short name or login of the user. type: keyword + vulnerability.category: + description: The type of system or architecture that the vulnerability affects. + These may be platform-specific (for example, Debian or SUSE) or general (for + example, Database or Firewall). For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm) + example: AIX, Firewall, Malware, Office Application, Solaris, Windows + flat_name: host.vulnerability.category + ignore_above: 1024 + level: extended + name: category + order: 3 + original_fieldset: vulnerability + short: Category of a vulnerabilty. + type: keyword + vulnerability.cve.description: + description: 'The Common Vulnerability and Exposures (CVE) list is an open source + list for publicly known cybersecurity vulnerabilities providing an identification + number, a description, and at least one public reference. + + The description of the vulnerability that provides additional context of the + vulnerability. For example (ex. https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created)' + example: In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible + to time-to-check-time-to-use bugs and would also allow one user of the system + (who didn't have root access) to tamper with another's installs. + flat_name: host.vulnerability.cve.description + ignore_above: 1024 + level: extended + name: cve.description + order: 4 + original_fieldset: vulnerability + short: Description of the vulnerability. + type: keyword + vulnerability.cve.id: + description: 'The Common Vulnerability and Exposures (CVE) list is an open source + list for publicly known cybersecurity vulnerabilities providing an identification + number, a description, and at least one public reference. + + The identification (ID) is the number portion of a CVE Entry. 
It includes + the year the vulnerability ID was requested followed by a sequence number. + CVE-YYYY-NNNNN. For example (ex. https://cve.mitre.org/about/faqs.html#what_is_cve_id)' + example: CVE-2019-00001, CVE-2019-00002 + flat_name: host.vulnerability.cve.id + ignore_above: 1024 + level: extended + name: cve.id + order: 5 + original_fieldset: vulnerability + short: ID of the vulnerability. + type: keyword + vulnerability.cvss.score.base: + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Base scores cover an assessment for exploitability metrics (attack vector, + complexity, privileges, and user interaction), impact metrics (confidentialy, + integrity, and availability), and scope. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + flat_name: host.vulnerability.cvss.score.base + level: extended + name: cvss.score.base + order: 0 + original_fieldset: vulnerability + short: CVSS Base score. + type: long + vulnerability.cvss.score.evironmental: + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Environmental scores cover an assessment for any modified Base metrics, confidentiality, + integrity, and availability requirements. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + flat_name: host.vulnerability.cvss.score.evironmental + level: extended + name: cvss.score.evironmental + order: 2 + original_fieldset: vulnerability + short: CVSS Environmental score. 
+ type: long + vulnerability.cvss.score.temporal: + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Temporal scores cover an assessment for code maturity, remediation level, + and confidence. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + flat_name: host.vulnerability.cvss.score.temporal + level: extended + name: cvss.score.temporal + order: 1 + original_fieldset: vulnerability + short: CVSS Temporal score. + type: long + vulnerability.detected.first: + description: The first time that the vulnerability was observed on the asset. + example: YYYY-MM-DD-HH-MM + flat_name: host.vulnerability.detected.first + level: extended + name: detected.first + order: 8 + original_fieldset: vulnerability + short: Vulnerability first observed. + type: date + vulnerability.detected.last: + description: The last time that the vulnerability was observed on the asset. + example: YYYY-MM-DD-HH-MM + flat_name: host.vulnerability.detected.last + level: extended + name: detected.last + order: 9 + original_fieldset: vulnerability + short: Vulnerability last observed. + type: date + vulnerability.scanned.first: + description: The first time that the asset was scanned for vulnerabilities. + example: YYYY-MM-DD-HH-MM + flat_name: host.vulnerability.scanned.first + level: extended + name: scanned.first + order: 10 + original_fieldset: vulnerability + short: Asset first scanned. + type: date + vulnerability.scanned.last: + description: The last time that the asset was scanned for vulnerabilities. + example: YYYY-MM-DD-HH-MM + flat_name: host.vulnerability.scanned.last + level: extended + name: scanned.last + order: 11 + original_fieldset: vulnerability + short: Asset last scanned. 
+ type: date + vulnerability.severity: + description: The severity of the vulnerability can help with metrics and internal + prioritization regarding remediation. For example (ex. https://nvd.nist.gov/vuln-metrics/cvss) + example: Critical, High, Medium, Low, None + flat_name: host.vulnerability.severity + ignore_above: 1024 + level: extended + name: severity + order: 6 + original_fieldset: vulnerability + short: Severity of the vulnerability. + type: keyword + vulnerability.status: + description: 'The current status of the vulerability on the asset: + + New - The first time a vulnerability is detected by a scan the status is set + to New. Active - A vulnerability detected by two or more scans is set to Active. + Fixed - A vulnerability was verified by the most recent scan as fixed, and + this vulnerability was detected by the previous scan. Re-Opened - A vulnerability + was reopened by the most recent scan, and this vulnerability was verified + as fixed by the previous scan. + + For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)' + example: New, Active, Fixed, Re-Opened + flat_name: host.vulnerability.status + ignore_above: 1024 + level: extended + name: status + order: 7 + original_fieldset: vulnerability + short: Status of the vulnerability. + type: keyword group: 2 name: host nestings: + - vulnerability - geo - os - user 
@@ -3172,6 +3672,172 @@ observer: original_fieldset: os short: Operating system version as a raw string. type: keyword + os.vulnerability.category: + description: The type of system or architecture that the vulnerability affects. + These may be platform-specific (for example, Debian or SUSE) or general (for + example, Database or Firewall). For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm) + example: AIX, Firewall, Malware, Office Application, Solaris, Windows + flat_name: observer.os.vulnerability.category + ignore_above: 1024 + level: extended + name: category + order: 3 + original_fieldset: os + short: Category of a vulnerabilty. + type: keyword + os.vulnerability.cve.description: + description: 'The Common Vulnerability and Exposures (CVE) list is an open source + list for publicly known cybersecurity vulnerabilities providing an identification + number, a description, and at least one public reference. + + The description of the vulnerability that provides additional context of the + vulnerability. For example (ex. https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created)' + example: In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible + to time-to-check-time-to-use bugs and would also allow one user of the system + (who didn't have root access) to tamper with another's installs. + flat_name: observer.os.vulnerability.cve.description + ignore_above: 1024 + level: extended + name: cve.description + order: 4 + original_fieldset: os + short: Description of the vulnerability. + type: keyword + os.vulnerability.cve.id: + description: 'The Common Vulnerability and Exposures (CVE) list is an open source + list for publicly known cybersecurity vulnerabilities providing an identification + number, a description, and at least one public reference. + + The identification (ID) is the number portion of a CVE Entry. 
It includes + the year the vulnerability ID was requested followed by a sequence number. + CVE-YYYY-NNNNN. For example (ex. https://cve.mitre.org/about/faqs.html#what_is_cve_id)' + example: CVE-2019-00001, CVE-2019-00002 + flat_name: observer.os.vulnerability.cve.id + ignore_above: 1024 + level: extended + name: cve.id + order: 5 + original_fieldset: os + short: ID of the vulnerability. + type: keyword + os.vulnerability.cvss.score.base: + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Base scores cover an assessment for exploitability metrics (attack vector, + complexity, privileges, and user interaction), impact metrics (confidentialy, + integrity, and availability), and scope. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + flat_name: observer.os.vulnerability.cvss.score.base + level: extended + name: cvss.score.base + order: 0 + original_fieldset: os + short: CVSS Base score. + type: long + os.vulnerability.cvss.score.evironmental: + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Environmental scores cover an assessment for any modified Base metrics, confidentiality, + integrity, and availability requirements. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + flat_name: observer.os.vulnerability.cvss.score.evironmental + level: extended + name: cvss.score.evironmental + order: 2 + original_fieldset: os + short: CVSS Environmental score. 
+ type: long + os.vulnerability.cvss.score.temporal: + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Temporal scores cover an assessment for code maturity, remediation level, + and confidence. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + flat_name: observer.os.vulnerability.cvss.score.temporal + level: extended + name: cvss.score.temporal + order: 1 + original_fieldset: os + short: CVSS Temporal score. + type: long + os.vulnerability.detected.first: + description: The first time that the vulnerability was observed on the asset. + example: YYYY-MM-DD-HH-MM + flat_name: observer.os.vulnerability.detected.first + level: extended + name: detected.first + order: 8 + original_fieldset: os + short: Vulnerability first observed. + type: date + os.vulnerability.detected.last: + description: The last time that the vulnerability was observed on the asset. + example: YYYY-MM-DD-HH-MM + flat_name: observer.os.vulnerability.detected.last + level: extended + name: detected.last + order: 9 + original_fieldset: os + short: Vulnerability last observed. + type: date + os.vulnerability.scanned.first: + description: The first time that the asset was scanned for vulnerabilities. + example: YYYY-MM-DD-HH-MM + flat_name: observer.os.vulnerability.scanned.first + level: extended + name: scanned.first + order: 10 + original_fieldset: os + short: Asset first scanned. + type: date + os.vulnerability.scanned.last: + description: The last time that the asset was scanned for vulnerabilities. + example: YYYY-MM-DD-HH-MM + flat_name: observer.os.vulnerability.scanned.last + level: extended + name: scanned.last + order: 11 + original_fieldset: os + short: Asset last scanned. 
+ type: date + os.vulnerability.severity: + description: The severity of the vulnerability can help with metrics and internal + prioritization regarding remediation. For example (ex. https://nvd.nist.gov/vuln-metrics/cvss) + example: Critical, High, Medium, Low, None + flat_name: observer.os.vulnerability.severity + ignore_above: 1024 + level: extended + name: severity + order: 6 + original_fieldset: os + short: Severity of the vulnerability. + type: keyword + os.vulnerability.status: + description: 'The current status of the vulerability on the asset: + + New - The first time a vulnerability is detected by a scan the status is set + to New. Active - A vulnerability detected by two or more scans is set to Active. + Fixed - A vulnerability was verified by the most recent scan as fixed, and + this vulnerability was detected by the previous scan. Re-Opened - A vulnerability + was reopened by the most recent scan, and this vulnerability was verified + as fixed by the previous scan. + + For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)' + example: New, Active, Fixed, Re-Opened + flat_name: observer.os.vulnerability.status + ignore_above: 1024 + level: extended + name: status + order: 7 + original_fieldset: os + short: Status of the vulnerability. + type: keyword product: description: The product name of the observer. example: s200 
@@ -3223,9 +3889,176 @@ observer: order: 6 short: Observer version. type: keyword + vulnerability.category: + description: The type of system or architecture that the vulnerability affects. + These may be platform-specific (for example, Debian or SUSE) or general (for + example, Database or Firewall). For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm) + example: AIX, Firewall, Malware, Office Application, Solaris, Windows + flat_name: observer.vulnerability.category + ignore_above: 1024 + level: extended + name: category + order: 3 + original_fieldset: vulnerability + short: Category of a vulnerabilty. + type: keyword + vulnerability.cve.description: + description: 'The Common Vulnerability and Exposures (CVE) list is an open source + list for publicly known cybersecurity vulnerabilities providing an identification + number, a description, and at least one public reference. + + The description of the vulnerability that provides additional context of the + vulnerability. For example (ex. https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created)' + example: In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible + to time-to-check-time-to-use bugs and would also allow one user of the system + (who didn't have root access) to tamper with another's installs. + flat_name: observer.vulnerability.cve.description + ignore_above: 1024 + level: extended + name: cve.description + order: 4 + original_fieldset: vulnerability + short: Description of the vulnerability. + type: keyword + vulnerability.cve.id: + description: 'The Common Vulnerability and Exposures (CVE) list is an open source + list for publicly known cybersecurity vulnerabilities providing an identification + number, a description, and at least one public reference. + + The identification (ID) is the number portion of a CVE Entry. It includes + the year the vulnerability ID was requested followed by a sequence number. 
+ CVE-YYYY-NNNNN. For example (ex. https://cve.mitre.org/about/faqs.html#what_is_cve_id)' + example: CVE-2019-00001, CVE-2019-00002 + flat_name: observer.vulnerability.cve.id + ignore_above: 1024 + level: extended + name: cve.id + order: 5 + original_fieldset: vulnerability + short: ID of the vulnerability. + type: keyword + vulnerability.cvss.score.base: + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Base scores cover an assessment for exploitability metrics (attack vector, + complexity, privileges, and user interaction), impact metrics (confidentialy, + integrity, and availability), and scope. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + flat_name: observer.vulnerability.cvss.score.base + level: extended + name: cvss.score.base + order: 0 + original_fieldset: vulnerability + short: CVSS Base score. + type: long + vulnerability.cvss.score.evironmental: + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Environmental scores cover an assessment for any modified Base metrics, confidentiality, + integrity, and availability requirements. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + flat_name: observer.vulnerability.cvss.score.evironmental + level: extended + name: cvss.score.evironmental + order: 2 + original_fieldset: vulnerability + short: CVSS Environmental score. + type: long + vulnerability.cvss.score.temporal: + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. 
+ Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Temporal scores cover an assessment for code maturity, remediation level, + and confidence. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + flat_name: observer.vulnerability.cvss.score.temporal + level: extended + name: cvss.score.temporal + order: 1 + original_fieldset: vulnerability + short: CVSS Temporal score. + type: long + vulnerability.detected.first: + description: The first time that the vulnerability was observed on the asset. + example: YYYY-MM-DD-HH-MM + flat_name: observer.vulnerability.detected.first + level: extended + name: detected.first + order: 8 + original_fieldset: vulnerability + short: Vulnerability first observed. + type: date + vulnerability.detected.last: + description: The last time that the vulnerability was observed on the asset. + example: YYYY-MM-DD-HH-MM + flat_name: observer.vulnerability.detected.last + level: extended + name: detected.last + order: 9 + original_fieldset: vulnerability + short: Vulnerability last observed. + type: date + vulnerability.scanned.first: + description: The first time that the asset was scanned for vulnerabilities. + example: YYYY-MM-DD-HH-MM + flat_name: observer.vulnerability.scanned.first + level: extended + name: scanned.first + order: 10 + original_fieldset: vulnerability + short: Asset first scanned. + type: date + vulnerability.scanned.last: + description: The last time that the asset was scanned for vulnerabilities. + example: YYYY-MM-DD-HH-MM + flat_name: observer.vulnerability.scanned.last + level: extended + name: scanned.last + order: 11 + original_fieldset: vulnerability + short: Asset last scanned. + type: date + vulnerability.severity: + description: The severity of the vulnerability can help with metrics and internal + prioritization regarding remediation. For example (ex. 
https://nvd.nist.gov/vuln-metrics/cvss) + example: Critical, High, Medium, Low, None + flat_name: observer.vulnerability.severity + ignore_above: 1024 + level: extended + name: severity + order: 6 + original_fieldset: vulnerability + short: Severity of the vulnerability. + type: keyword + vulnerability.status: + description: 'The current status of the vulerability on the asset: + + New - The first time a vulnerability is detected by a scan the status is set + to New. Active - A vulnerability detected by two or more scans is set to Active. + Fixed - A vulnerability was verified by the most recent scan as fixed, and + this vulnerability was detected by the previous scan. Re-Opened - A vulnerability + was reopened by the most recent scan, and this vulnerability was verified + as fixed by the previous scan. + + For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)' + example: New, Active, Fixed, Re-Opened + flat_name: observer.vulnerability.status + ignore_above: 1024 + level: extended + name: status + order: 7 + original_fieldset: vulnerability + short: Status of the vulnerability. + type: keyword group: 2 name: observer nestings: + - vulnerability - geo - os prefix: observer. 
@@ -3326,8 +4159,176 @@ os: order: 4 short: Operating system version as a raw string. type: keyword + vulnerability.category: + description: The type of system or architecture that the vulnerability affects. + These may be platform-specific (for example, Debian or SUSE) or general (for + example, Database or Firewall). For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm) + example: AIX, Firewall, Malware, Office Application, Solaris, Windows + flat_name: os.vulnerability.category + ignore_above: 1024 + level: extended + name: category + order: 3 + original_fieldset: vulnerability + short: Category of a vulnerabilty. + type: keyword + vulnerability.cve.description: + description: 'The Common Vulnerability and Exposures (CVE) list is an open source + list for publicly known cybersecurity vulnerabilities providing an identification + number, a description, and at least one public reference. + + The description of the vulnerability that provides additional context of the + vulnerability. For example (ex. https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created)' + example: In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible + to time-to-check-time-to-use bugs and would also allow one user of the system + (who didn't have root access) to tamper with another's installs. + flat_name: os.vulnerability.cve.description + ignore_above: 1024 + level: extended + name: cve.description + order: 4 + original_fieldset: vulnerability + short: Description of the vulnerability. + type: keyword + vulnerability.cve.id: + description: 'The Common Vulnerability and Exposures (CVE) list is an open source + list for publicly known cybersecurity vulnerabilities providing an identification + number, a description, and at least one public reference. + + The identification (ID) is the number portion of a CVE Entry. 
It includes + the year the vulnerability ID was requested followed by a sequence number. + CVE-YYYY-NNNNN. For example (ex. https://cve.mitre.org/about/faqs.html#what_is_cve_id)' + example: CVE-2019-00001, CVE-2019-00002 + flat_name: os.vulnerability.cve.id + ignore_above: 1024 + level: extended + name: cve.id + order: 5 + original_fieldset: vulnerability + short: ID of the vulnerability. + type: keyword + vulnerability.cvss.score.base: + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Base scores cover an assessment for exploitability metrics (attack vector, + complexity, privileges, and user interaction), impact metrics (confidentialy, + integrity, and availability), and scope. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + flat_name: os.vulnerability.cvss.score.base + level: extended + name: cvss.score.base + order: 0 + original_fieldset: vulnerability + short: CVSS Base score. + type: long + vulnerability.cvss.score.evironmental: + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Environmental scores cover an assessment for any modified Base metrics, confidentiality, + integrity, and availability requirements. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + flat_name: os.vulnerability.cvss.score.evironmental + level: extended + name: cvss.score.evironmental + order: 2 + original_fieldset: vulnerability + short: CVSS Environmental score. 
+ type: long + vulnerability.cvss.score.temporal: + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Temporal scores cover an assessment for code maturity, remediation level, + and confidence. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + flat_name: os.vulnerability.cvss.score.temporal + level: extended + name: cvss.score.temporal + order: 1 + original_fieldset: vulnerability + short: CVSS Temporal score. + type: long + vulnerability.detected.first: + description: The first time that the vulnerability was observed on the asset. + example: YYYY-MM-DD-HH-MM + flat_name: os.vulnerability.detected.first + level: extended + name: detected.first + order: 8 + original_fieldset: vulnerability + short: Vulnerability first observed. + type: date + vulnerability.detected.last: + description: The last time that the vulnerability was observed on the asset. + example: YYYY-MM-DD-HH-MM + flat_name: os.vulnerability.detected.last + level: extended + name: detected.last + order: 9 + original_fieldset: vulnerability + short: Vulnerability last observed. + type: date + vulnerability.scanned.first: + description: The first time that the asset was scanned for vulnerabilities. + example: YYYY-MM-DD-HH-MM + flat_name: os.vulnerability.scanned.first + level: extended + name: scanned.first + order: 10 + original_fieldset: vulnerability + short: Asset first scanned. + type: date + vulnerability.scanned.last: + description: The last time that the asset was scanned for vulnerabilities. + example: YYYY-MM-DD-HH-MM + flat_name: os.vulnerability.scanned.last + level: extended + name: scanned.last + order: 11 + original_fieldset: vulnerability + short: Asset last scanned. 
+ type: date + vulnerability.severity: + description: The severity of the vulnerability can help with metrics and internal + prioritization regarding remediation. For example (ex. https://nvd.nist.gov/vuln-metrics/cvss) + example: Critical, High, Medium, Low, None + flat_name: os.vulnerability.severity + ignore_above: 1024 + level: extended + name: severity + order: 6 + original_fieldset: vulnerability + short: Severity of the vulnerability. + type: keyword + vulnerability.status: + description: 'The current status of the vulerability on the asset: + + New - The first time a vulnerability is detected by a scan the status is set + to New. Active - A vulnerability detected by two or more scans is set to Active. + Fixed - A vulnerability was verified by the most recent scan as fixed, and + this vulnerability was detected by the previous scan. Re-Opened - A vulnerability + was reopened by the most recent scan, and this vulnerability was verified + as fixed by the previous scan. + + For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)' + example: New, Active, Fixed, Re-Opened + flat_name: os.vulnerability.status + ignore_above: 1024 + level: extended + name: status + order: 7 + original_fieldset: vulnerability + short: Status of the vulnerability. + type: keyword group: 2 name: os + nestings: + - vulnerability prefix: os. reusable: expected: 
@@ -5033,6 +6034,172 @@ user_agent: original_fieldset: os short: Operating system version as a raw string. type: keyword + os.vulnerability.category: + description: The type of system or architecture that the vulnerability affects. + These may be platform-specific (for example, Debian or SUSE) or general (for + example, Database or Firewall). For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm) + example: AIX, Firewall, Malware, Office Application, Solaris, Windows + flat_name: user_agent.os.vulnerability.category + ignore_above: 1024 + level: extended + name: category + order: 3 + original_fieldset: os + short: Category of a vulnerabilty. + type: keyword + os.vulnerability.cve.description: + description: 'The Common Vulnerability and Exposures (CVE) list is an open source + list for publicly known cybersecurity vulnerabilities providing an identification + number, a description, and at least one public reference. + + The description of the vulnerability that provides additional context of the + vulnerability. For example (ex. https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created)' + example: In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible + to time-to-check-time-to-use bugs and would also allow one user of the system + (who didn't have root access) to tamper with another's installs. + flat_name: user_agent.os.vulnerability.cve.description + ignore_above: 1024 + level: extended + name: cve.description + order: 4 + original_fieldset: os + short: Description of the vulnerability. + type: keyword + os.vulnerability.cve.id: + description: 'The Common Vulnerability and Exposures (CVE) list is an open source + list for publicly known cybersecurity vulnerabilities providing an identification + number, a description, and at least one public reference. + + The identification (ID) is the number portion of a CVE Entry. 
It includes + the year the vulnerability ID was requested followed by a sequence number. + CVE-YYYY-NNNNN. For example (ex. https://cve.mitre.org/about/faqs.html#what_is_cve_id)' + example: CVE-2019-00001, CVE-2019-00002 + flat_name: user_agent.os.vulnerability.cve.id + ignore_above: 1024 + level: extended + name: cve.id + order: 5 + original_fieldset: os + short: ID of the vulnerability. + type: keyword + os.vulnerability.cvss.score.base: + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Base scores cover an assessment for exploitability metrics (attack vector, + complexity, privileges, and user interaction), impact metrics (confidentialy, + integrity, and availability), and scope. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + flat_name: user_agent.os.vulnerability.cvss.score.base + level: extended + name: cvss.score.base + order: 0 + original_fieldset: os + short: CVSS Base score. + type: long + os.vulnerability.cvss.score.evironmental: + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Environmental scores cover an assessment for any modified Base metrics, confidentiality, + integrity, and availability requirements. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + flat_name: user_agent.os.vulnerability.cvss.score.evironmental + level: extended + name: cvss.score.evironmental + order: 2 + original_fieldset: os + short: CVSS Environmental score. 
+ type: long + os.vulnerability.cvss.score.temporal: + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Temporal scores cover an assessment for code maturity, remediation level, + and confidence. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + flat_name: user_agent.os.vulnerability.cvss.score.temporal + level: extended + name: cvss.score.temporal + order: 1 + original_fieldset: os + short: CVSS Temporal score. + type: long + os.vulnerability.detected.first: + description: The first time that the vulnerability was observed on the asset. + example: YYYY-MM-DD-HH-MM + flat_name: user_agent.os.vulnerability.detected.first + level: extended + name: detected.first + order: 8 + original_fieldset: os + short: Vulnerability first observed. + type: date + os.vulnerability.detected.last: + description: The last time that the vulnerability was observed on the asset. + example: YYYY-MM-DD-HH-MM + flat_name: user_agent.os.vulnerability.detected.last + level: extended + name: detected.last + order: 9 + original_fieldset: os + short: Vulnerability last observed. + type: date + os.vulnerability.scanned.first: + description: The first time that the asset was scanned for vulnerabilities. + example: YYYY-MM-DD-HH-MM + flat_name: user_agent.os.vulnerability.scanned.first + level: extended + name: scanned.first + order: 10 + original_fieldset: os + short: Asset first scanned. + type: date + os.vulnerability.scanned.last: + description: The last time that the asset was scanned for vulnerabilities. + example: YYYY-MM-DD-HH-MM + flat_name: user_agent.os.vulnerability.scanned.last + level: extended + name: scanned.last + order: 11 + original_fieldset: os + short: Asset last scanned. 
+ type: date + os.vulnerability.severity: + description: The severity of the vulnerability can help with metrics and internal + prioritization regarding remediation. For example (ex. https://nvd.nist.gov/vuln-metrics/cvss) + example: Critical, High, Medium, Low, None + flat_name: user_agent.os.vulnerability.severity + ignore_above: 1024 + level: extended + name: severity + order: 6 + original_fieldset: os + short: Severity of the vulnerability. + type: keyword + os.vulnerability.status: + description: 'The current status of the vulerability on the asset: + + New - The first time a vulnerability is detected by a scan the status is set + to New. Active - A vulnerability detected by two or more scans is set to Active. + Fixed - A vulnerability was verified by the most recent scan as fixed, and + this vulnerability was detected by the previous scan. Re-Opened - A vulnerability + was reopened by the most recent scan, and this vulnerability was verified + as fixed by the previous scan. + + For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)' + example: New, Active, Fixed, Re-Opened + flat_name: user_agent.os.vulnerability.status + ignore_above: 1024 + level: extended + name: status + order: 7 + original_fieldset: os + short: Status of the vulnerability. + type: keyword version: description: Version of the user agent. example: 12.0 
@@ -5051,3 +6218,176 @@ user_agent: short: Fields to describe a browser user_agent string. title: User agent type: group +vulnerability: + description: 'The vulnerability fields describe information about a vulnerabilty + that is relevant to an event. + + Fields can have one entry or multiple entries.' + fields: + category: + description: The type of system or architecture that the vulnerability affects. + These may be platform-specific (for example, Debian or SUSE) or general (for + example, Database or Firewall). For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm) + example: AIX, Firewall, Malware, Office Application, Solaris, Windows + flat_name: vulnerability.category + ignore_above: 1024 + level: extended + name: category + order: 3 + short: Category of a vulnerabilty. + type: keyword + cve.description: + description: 'The Common Vulnerability and Exposures (CVE) list is an open source + list for publicly known cybersecurity vulnerabilities providing an identification + number, a description, and at least one public reference. + + The description of the vulnerability that provides additional context of the + vulnerability. For example (ex. https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created)' + example: In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible + to time-to-check-time-to-use bugs and would also allow one user of the system + (who didn't have root access) to tamper with another's installs. + flat_name: vulnerability.cve.description + ignore_above: 1024 + level: extended + name: cve.description + order: 4 + short: Description of the vulnerability. + type: keyword + cve.id: + description: 'The Common Vulnerability and Exposures (CVE) list is an open source + list for publicly known cybersecurity vulnerabilities providing an identification + number, a description, and at least one public reference. 
+ + The identification (ID) is the number portion of a CVE Entry. It includes + the year the vulnerability ID was requested followed by a sequence number. + CVE-YYYY-NNNNN. For example (ex. https://cve.mitre.org/about/faqs.html#what_is_cve_id)' + example: CVE-2019-00001, CVE-2019-00002 + flat_name: vulnerability.cve.id + ignore_above: 1024 + level: extended + name: cve.id + order: 5 + short: ID of the vulnerability. + type: keyword + cvss.score.base: + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Base scores cover an assessment for exploitability metrics (attack vector, + complexity, privileges, and user interaction), impact metrics (confidentialy, + integrity, and availability), and scope. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + flat_name: vulnerability.cvss.score.base + level: extended + name: cvss.score.base + order: 0 + short: CVSS Base score. + type: long + cvss.score.evironmental: + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Environmental scores cover an assessment for any modified Base metrics, confidentiality, + integrity, and availability requirements. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + flat_name: vulnerability.cvss.score.evironmental + level: extended + name: cvss.score.evironmental + order: 2 + short: CVSS Environmental score. + type: long + cvss.score.temporal: + description: 'The Common Vulnerability Scoring System (CVSS) is an open framework + for communicating the characteristics and severity of software vulnerabilities. 
+ Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Temporal scores cover an assessment for code maturity, remediation level, + and confidence. For example (ex. https://www.first.org/cvss/specification-document)' + example: 5.5, 6.6 + flat_name: vulnerability.cvss.score.temporal + level: extended + name: cvss.score.temporal + order: 1 + short: CVSS Temporal score. + type: long + detected.first: + description: The first time that the vulnerability was observed on the asset. + example: YYYY-MM-DD-HH-MM + flat_name: vulnerability.detected.first + level: extended + name: detected.first + order: 8 + short: Vulnerability first observed. + type: date + detected.last: + description: The last time that the vulnerability was observed on the asset. + example: YYYY-MM-DD-HH-MM + flat_name: vulnerability.detected.last + level: extended + name: detected.last + order: 9 + short: Vulnerability last observed. + type: date + scanned.first: + description: The first time that the asset was scanned for vulnerabilities. + example: YYYY-MM-DD-HH-MM + flat_name: vulnerability.scanned.first + level: extended + name: scanned.first + order: 10 + short: Asset first scanned. + type: date + scanned.last: + description: The last time that the asset was scanned for vulnerabilities. + example: YYYY-MM-DD-HH-MM + flat_name: vulnerability.scanned.last + level: extended + name: scanned.last + order: 11 + short: Asset last scanned. + type: date + severity: + description: The severity of the vulnerability can help with metrics and internal + prioritization regarding remediation. For example (ex. https://nvd.nist.gov/vuln-metrics/cvss) + example: Critical, High, Medium, Low, None + flat_name: vulnerability.severity + ignore_above: 1024 + level: extended + name: severity + order: 6 + short: Severity of the vulnerability. 
+ type: keyword + status: + description: 'The current status of the vulerability on the asset: + + New - The first time a vulnerability is detected by a scan the status is set + to New. Active - A vulnerability detected by two or more scans is set to Active. + Fixed - A vulnerability was verified by the most recent scan as fixed, and + this vulnerability was detected by the previous scan. Re-Opened - A vulnerability + was reopened by the most recent scan, and this vulnerability was verified + as fixed by the previous scan. + + For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)' + example: New, Active, Fixed, Re-Opened + flat_name: vulnerability.status + ignore_above: 1024 + level: extended + name: status + order: 7 + short: Status of the vulnerability. + type: keyword + group: 2 + name: vulnerability + prefix: vulnerability. + reusable: + expected: + - client + - host + - os + - observer + top_level: true + short: Fields to describe the vulnerabilty relevant to an event. + title: Vulnerability + type: group diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json index d4940b74c5..dca9db8870 100644 --- a/generated/elasticsearch/6/template.json +++ b/generated/elasticsearch/6/template.json 
@@ -199,6 +199,71 @@ "type": "keyword" } } + }, + "vulnerability": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "cve": { + "properties": { + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cvss": { + "properties": { + "score": { + "properties": { + "base": { + "type": "long" + }, + "evironmental": { + "type": "long" + }, + "temporal": { + "type": "long" + } + } + } + } + }, + "detected": { + "properties": { + "first": { + "type": "date" + }, + "last": { + "type": "date" + } + } + }, + "scanned": { + "properties": { + "first": { + "type": "date" + }, + "last": { + "type": "date" + } + } + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + } + } } } }, @@ -858,6 +923,71 @@ "version": { "ignore_above": 1024, "type": "keyword" + }, + "vulnerability": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "cve": { + "properties": { + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cvss": { + "properties": { + "score": { + "properties": { + "base": { + "type": "long" + }, + "evironmental": { + "type": "long" + }, + "temporal": { + "type": "long" + } + } + } + } + }, + "detected": { + "properties": { + "first": { + "type": "date" + }, + "last": { + "type": "date" + } + } + }, + "scanned": { + "properties": { + "first": { + "type": "date" + }, + "last": { + "type": "date" + } + } + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + } + } } } }, 
@@ -911,6 +1041,71 @@ "type": "keyword" } } + }, + "vulnerability": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "cve": { + "properties": { + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cvss": { + "properties": { + "score": { + "properties": { + "base": { + "type": "long" + }, + "evironmental": { + "type": "long" + }, + "temporal": { + "type": "long" + } + } + } + } + }, + "detected": { + "properties": { + "first": { + "type": "date" + }, + "last": { + "type": "date" + } + } + }, + "scanned": { + "properties": { + "first": { + "type": "date" + }, + "last": { + "type": "date" + } + } + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + } + } } } }, @@ -1164,6 +1359,71 @@ "version": { "ignore_above": 1024, "type": "keyword" + }, + "vulnerability": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "cve": { + "properties": { + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cvss": { + "properties": { + "score": { + "properties": { + "base": { + "type": "long" + }, + "evironmental": { + "type": "long" + }, + "temporal": { + "type": "long" + } + } + } + } + }, + "detected": { + "properties": { + "first": { + "type": "date" + }, + "last": { + "type": "date" + } + } + }, + "scanned": { + "properties": { + "first": { + "type": "date" + }, + "last": { + "type": "date" + } + } + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + } + } } } }, 
@@ -1186,6 +1446,71 @@ "version": { "ignore_above": 1024, "type": "keyword" + }, + "vulnerability": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "cve": { + "properties": { + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cvss": { + "properties": { + "score": { + "properties": { + "base": { + "type": "long" + }, + "evironmental": { + "type": "long" + }, + "temporal": { + "type": "long" + } + } + } + } + }, + "detected": { + "properties": { + "first": { + "type": "date" + }, + "last": { + "type": "date" + } + } + }, + "scanned": { + "properties": { + "first": { + "type": "date" + }, + "last": { + "type": "date" + } + } + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + } + } } } }, @@ -1226,6 +1551,71 @@ "version": { "ignore_above": 1024, "type": "keyword" + }, + "vulnerability": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "cve": { + "properties": { + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cvss": { + "properties": { + "score": { + "properties": { + "base": { + "type": "long" + }, + "evironmental": { + "type": "long" + }, + "temporal": { + "type": "long" + } + } + } + } + }, + "detected": { + "properties": { + "first": { + "type": "date" + }, + "last": { + "type": "date" + } + } + }, + "scanned": { + "properties": { + "first": { + "type": "date" + }, + "last": { + "type": "date" + } + } + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + } + } } } }, 
@@ -1866,6 +2256,71 @@ "version": { "ignore_above": 1024, "type": "keyword" + }, + "vulnerability": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "cve": { + "properties": { + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cvss": { + "properties": { + "score": { + "properties": { + "base": { + "type": "long" + }, + "evironmental": { + "type": "long" + }, + "temporal": { + "type": "long" + } + } + } + } + }, + "detected": { + "properties": { + "first": { + "type": "date" + }, + "last": { + "type": "date" + } + } + }, + "scanned": { + "properties": { + "first": { + "type": "date" + }, + "last": { + "type": "date" + } + } + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + } + } } } }, @@ -1874,6 +2329,71 @@ "type": "keyword" } } + }, + "vulnerability": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "cve": { + "properties": { + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cvss": { + "properties": { + "score": { + "properties": { + "base": { + "type": "long" + }, + "evironmental": { + "type": "long" + }, + "temporal": { + "type": "long" + } + } + } + } + }, + "detected": { + "properties": { + "first": { + "type": "date" + }, + "last": { + "type": "date" + } + } + }, + "scanned": { + "properties": { + "first": { + "type": "date" + }, + "last": { + "type": "date" + } + } + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + } + } } } } diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json index 8ae0c64e9a..58e76ee3fc 100644 --- a/generated/elasticsearch/7/template.json +++ b/generated/elasticsearch/7/template.json 
@@ -198,6 +198,71 @@ "type": "keyword" } } + }, + "vulnerability": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "cve": { + "properties": { + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cvss": { + "properties": { + "score": { + "properties": { + "base": { + "type": "long" + }, + "evironmental": { + "type": "long" + }, + "temporal": { + "type": "long" + } + } + } + } + }, + "detected": { + "properties": { + "first": { + "type": "date" + }, + "last": { + "type": "date" + } + } + }, + "scanned": { + "properties": { + "first": { + "type": "date" + }, + "last": { + "type": "date" + } + } + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + } + } } } }, @@ -857,6 +922,71 @@ "version": { "ignore_above": 1024, "type": "keyword" + }, + "vulnerability": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "cve": { + "properties": { + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cvss": { + "properties": { + "score": { + "properties": { + "base": { + "type": "long" + }, + "evironmental": { + "type": "long" + }, + "temporal": { + "type": "long" + } + } + } + } + }, + "detected": { + "properties": { + "first": { + "type": "date" + }, + "last": { + "type": "date" + } + } + }, + "scanned": { + "properties": { + "first": { + "type": "date" + }, + "last": { + "type": "date" + } + } + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + } + } } } }, 
@@ -910,6 +1040,71 @@ "type": "keyword" } } + }, + "vulnerability": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "cve": { + "properties": { + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cvss": { + "properties": { + "score": { + "properties": { + "base": { + "type": "long" + }, + "evironmental": { + "type": "long" + }, + "temporal": { + "type": "long" + } + } + } + } + }, + "detected": { + "properties": { + "first": { + "type": "date" + }, + "last": { + "type": "date" + } + } + }, + "scanned": { + "properties": { + "first": { + "type": "date" + }, + "last": { + "type": "date" + } + } + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + } + } } } }, @@ -1163,6 +1358,71 @@ "version": { "ignore_above": 1024, "type": "keyword" + }, + "vulnerability": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "cve": { + "properties": { + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cvss": { + "properties": { + "score": { + "properties": { + "base": { + "type": "long" + }, + "evironmental": { + "type": "long" + }, + "temporal": { + "type": "long" + } + } + } + } + }, + "detected": { + "properties": { + "first": { + "type": "date" + }, + "last": { + "type": "date" + } + } + }, + "scanned": { + "properties": { + "first": { + "type": "date" + }, + "last": { + "type": "date" + } + } + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + } + } } } }, 
@@ -1185,6 +1445,71 @@ "version": { "ignore_above": 1024, "type": "keyword" + }, + "vulnerability": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "cve": { + "properties": { + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cvss": { + "properties": { + "score": { + "properties": { + "base": { + "type": "long" + }, + "evironmental": { + "type": "long" + }, + "temporal": { + "type": "long" + } + } + } + } + }, + "detected": { + "properties": { + "first": { + "type": "date" + }, + "last": { + "type": "date" + } + } + }, + "scanned": { + "properties": { + "first": { + "type": "date" + }, + "last": { + "type": "date" + } + } + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + } + } } } }, @@ -1225,6 +1550,71 @@ "version": { "ignore_above": 1024, "type": "keyword" + }, + "vulnerability": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "cve": { + "properties": { + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cvss": { + "properties": { + "score": { + "properties": { + "base": { + "type": "long" + }, + "evironmental": { + "type": "long" + }, + "temporal": { + "type": "long" + } + } + } + } + }, + "detected": { + "properties": { + "first": { + "type": "date" + }, + "last": { + "type": "date" + } + } + }, + "scanned": { + "properties": { + "first": { + "type": "date" + }, + "last": { + "type": "date" + } + } + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + } + } } } }, 
@@ -1865,6 +2255,71 @@ "version": { "ignore_above": 1024, "type": "keyword" + }, + "vulnerability": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "cve": { + "properties": { + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cvss": { + "properties": { + "score": { + "properties": { + "base": { + "type": "long" + }, + "evironmental": { + "type": "long" + }, + "temporal": { + "type": "long" + } + } + } + } + }, + "detected": { + "properties": { + "first": { + "type": "date" + }, + "last": { + "type": "date" + } + } + }, + "scanned": { + "properties": { + "first": { + "type": "date" + }, + "last": { + "type": "date" + } + } + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + } + } } } }, @@ -1873,6 +2328,71 @@ "type": "keyword" } } + }, + "vulnerability": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "cve": { + "properties": { + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cvss": { + "properties": { + "score": { + "properties": { + "base": { + "type": "long" + }, + "evironmental": { + "type": "long" + }, + "temporal": { + "type": "long" + } + } + } + } + }, + "detected": { + "properties": { + "first": { + "type": "date" + }, + "last": { + "type": "date" + } + } + }, + "scanned": { + "properties": { + "first": { + "type": "date" + }, + "last": { + "type": "date" + } + } + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + } + } } } }, diff --git a/generated/legacy/template.json b/generated/legacy/template.json index d8bdc4e974..2f04ab095f 100644 --- a/generated/legacy/template.json +++ b/generated/legacy/template.json 
@@ -1249,6 +1249,71 @@ "type": "keyword" } } + }, + "vulnerability": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "cve": { + "properties": { + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cvss": { + "properties": { + "score": { + "properties": { + "base": { + "type": "long" + }, + "evironmental": { + "type": "long" + }, + "temporal": { + "type": "long" + } + } + } + } + }, + "detected": { + "properties": { + "first": { + "type": "date" + }, + "last": { + "type": "date" + } + } + }, + "scanned": { + "properties": { + "first": { + "type": "date" + }, + "last": { + "type": "date" + } + } + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + } + } } } } diff --git a/schema.json b/schema.json index 29136b9e6e..dc6f98a59e 100644 --- a/schema.json +++ b/schema.json 
@@ -2955,5 +2955,134 @@ "name": "user_agent", "title": "User agent", "type": "group" + }, + "vulnerability": { + "description": "The vulnerability fields describe information about a vulnerabilty that is relevant to an event.\nFields can have one entry or multiple entries.\n", + "fields": { + "vulnerability.category": { + "description": "The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm)", + "example": "AIX, Firewall, Malware, Office Application, Solaris, Windows", + "footnote": "", + "group": 2, + "level": "extended", + "name": "vulnerability.category", + "required": false, + "type": "keyword" + }, + "vulnerability.cve.description": { + "description": "The Common Vulnerability and Exposures (CVE) list is an open source list for publicly known cybersecurity vulnerabilities providing an identification number, a description, and at least one public reference.\nThe description of the vulnerability that provides additional context of the vulnerability. For example (ex. https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created)", + "example": "In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible to time-to-check-time-to-use bugs and would also allow one user of the system (who didn't have root access) to tamper with another's installs.", + "footnote": "", + "group": 2, + "level": "extended", + "name": "vulnerability.cve.description", + "required": false, + "type": "keyword" + }, + "vulnerability.cve.id": { + "description": "The Common Vulnerability and Exposures (CVE) list is an open source list for publicly known cybersecurity vulnerabilities providing an identification number, a description, and at least one public reference.\nThe identification (ID) is the number portion of a CVE Entry. 
It includes the year the vulnerability ID was requested followed by a sequence number. CVE-YYYY-NNNNN. For example (ex. https://cve.mitre.org/about/faqs.html#what_is_cve_id)", + "example": "CVE-2019-00001, CVE-2019-00002", + "footnote": "", + "group": 2, + "level": "extended", + "name": "vulnerability.cve.id", + "required": false, + "type": "keyword" + }, + "vulnerability.cvss.score.base": { + "description": "The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. Scores can range from 0.0 to 10.0, with 10.0 being the most severe.\nBase scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentialy, integrity, and availability), and scope. For example (ex. https://www.first.org/cvss/specification-document)", + "example": "5.5, 6.6", + "footnote": "", + "group": 2, + "level": "extended", + "name": "vulnerability.cvss.score.base", + "required": false, + "type": "long" + }, + "vulnerability.cvss.score.evironmental": { + "description": "The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. Scores can range from 0.0 to 10.0, with 10.0 being the most severe.\nEnvironmental scores cover an assessment for any modified Base metrics, confidentiality, integrity, and availability requirements. For example (ex. https://www.first.org/cvss/specification-document)", + "example": "5.5, 6.6", + "footnote": "", + "group": 2, + "level": "extended", + "name": "vulnerability.cvss.score.evironmental", + "required": false, + "type": "long" + }, + "vulnerability.cvss.score.temporal": { + "description": "The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. 
Scores can range from 0.0 to 10.0, with 10.0 being the most severe.\nTemporal scores cover an assessment for code maturity, remediation level, and confidence. For example (ex. https://www.first.org/cvss/specification-document)", + "example": "5.5, 6.6", + "footnote": "", + "group": 2, + "level": "extended", + "name": "vulnerability.cvss.score.temporal", + "required": false, + "type": "long" + }, + "vulnerability.detected.first": { + "description": "The first time that the vulnerability was observed on the asset.", + "example": "YYYY-MM-DD-HH-MM", + "footnote": "", + "group": 2, + "level": "extended", + "name": "vulnerability.detected.first", + "required": false, + "type": "date" + }, + "vulnerability.detected.last": { + "description": "The last time that the vulnerability was observed on the asset.", + "example": "YYYY-MM-DD-HH-MM", + "footnote": "", + "group": 2, + "level": "extended", + "name": "vulnerability.detected.last", + "required": false, + "type": "date" + }, + "vulnerability.scanned.first": { + "description": "The first time that the asset was scanned for vulnerabilities.", + "example": "YYYY-MM-DD-HH-MM", + "footnote": "", + "group": 2, + "level": "extended", + "name": "vulnerability.scanned.first", + "required": false, + "type": "date" + }, + "vulnerability.scanned.last": { + "description": "The last time that the asset was scanned for vulnerabilities.", + "example": "YYYY-MM-DD-HH-MM", + "footnote": "", + "group": 2, + "level": "extended", + "name": "vulnerability.scanned.last", + "required": false, + "type": "date" + }, + "vulnerability.severity": { + "description": "The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (ex. 
https://nvd.nist.gov/vuln-metrics/cvss)", + "example": "Critical, High, Medium, Low, None", + "footnote": "", + "group": 2, + "level": "extended", + "name": "vulnerability.severity", + "required": false, + "type": "keyword" + }, + "vulnerability.status": { + "description": "The current status of the vulerability on the asset:\nNew - The first time a vulnerability is detected by a scan the status is set to New. Active - A vulnerability detected by two or more scans is set to Active. Fixed - A vulnerability was verified by the most recent scan as fixed, and this vulnerability was detected by the previous scan. Re-Opened - A vulnerability was reopened by the most recent scan, and this vulnerability was verified as fixed by the previous scan.\nFor example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)", + "example": "New, Active, Fixed, Re-Opened", + "footnote": "", + "group": 2, + "level": "extended", + "name": "vulnerability.status", + "required": false, + "type": "keyword" + } + }, + "group": 2, + "name": "vulnerability", + "title": "Vulnerability", + "type": "group" } } \ No newline at end of file diff --git a/schemas/vulnerability.yml b/schemas/vulnerability.yml new file mode 100644 index 0000000000..1b152e6f42 --- /dev/null +++ b/schemas/vulnerability.yml 
@@ -0,0 +1,144 @@ +--- +- name: vulnerability + title: Vulnerability + group: 2 + short: Fields to describe the vulnerabilty relevant to an event. + description: > + The vulnerability fields describe information about a vulnerabilty that is relevant to an event. + + Fields can have one entry or multiple entries. + + reusable: + top_level: true + expected: + - client + - host + - os + - observer + type: group + fields: + + - name: cvss.score.base + level: extended + type: long + short: CVSS Base score. + description: > + The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentialy, integrity, and availability), and scope. For example (ex. https://www.first.org/cvss/specification-document) + + example: 5.5, 6.6 + + - name: cvss.score.temporal + level: extended + type: long + short: CVSS Temporal score. + description: > + The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Temporal scores cover an assessment for code maturity, remediation level, and confidence. For example (ex. https://www.first.org/cvss/specification-document) + + example: 5.5, 6.6 + + - name: cvss.score.evironmental + level: extended + type: long + short: CVSS Environmental score. + description: > + The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. Scores can range from 0.0 to 10.0, with 10.0 being the most severe. 
+ + Environmental scores cover an assessment for any modified Base metrics, confidentiality, integrity, and availability requirements. For example (ex. https://www.first.org/cvss/specification-document) + + example: 5.5, 6.6 + + - name: category + level: extended + type: keyword + short: Category of a vulnerabilty. + description: > + The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm) + + example: AIX, Firewall, Malware, Office Application, Solaris, Windows + + - name: cve.description + level: extended + type: keyword + short: Description of the vulnerability. + description: > + The Common Vulnerability and Exposures (CVE) list is an open source list for publicly known cybersecurity vulnerabilities providing an identification number, a description, and at least one public reference. + + The description of the vulnerability that provides additional context of the vulnerability. For example (ex. https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created) + + example: In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible to time-to-check-time-to-use bugs and would also allow one user of the system (who didn't have root access) to tamper with another's installs. + + - name: cve.id + level: extended + type: keyword + short: ID of the vulnerability. + description: > + The Common Vulnerability and Exposures (CVE) list is an open source list for publicly known cybersecurity vulnerabilities providing an identification number, a description, and at least one public reference. + + The identification (ID) is the number portion of a CVE Entry. It includes the year the vulnerability ID was requested followed by a sequence number. CVE-YYYY-NNNNN. For example (ex. 
https://cve.mitre.org/about/faqs.html#what_is_cve_id) + + example: CVE-2019-00001, CVE-2019-00002 + + - name: severity + level: extended + type: keyword + short: Severity of the vulnerability. + description: > + The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (ex. https://nvd.nist.gov/vuln-metrics/cvss) + + example: Critical, High, Medium, Low, None + + - name: status + level: extended + type: keyword + short: Status of the vulnerability. + description: > + The current status of the vulerability on the asset: + + New - The first time a vulnerability is detected by a scan the status is set to New. + Active - A vulnerability detected by two or more scans is set to Active. + Fixed - A vulnerability was verified by the most recent scan as fixed, and this vulnerability was detected by the previous scan. + Re-Opened - A vulnerability was reopened by the most recent scan, and this vulnerability was verified as fixed by the previous scan. + + For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm) + + example: New, Active, Fixed, Re-Opened + + - name: detected.first + level: extended + type: date + short: Vulnerability first observed. + description: > + The first time that the vulnerability was observed on the asset. + + example: YYYY-MM-DD-HH-MM + + - name: detected.last + level: extended + type: date + short: Vulnerability last observed. + description: > + The last time that the vulnerability was observed on the asset. + + example: YYYY-MM-DD-HH-MM + + - name: scanned.first + level: extended + type: date + short: Asset first scanned. + description: > + The first time that the asset was scanned for vulnerabilities. + + example: YYYY-MM-DD-HH-MM + + - name: scanned.last + level: extended + type: date + short: Asset last scanned. + description: > + The last time that the asset was scanned for vulnerabilities. + + example: YYYY-MM-DD-HH-MM 
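Review bot: The three score fields `cvss.score.base`, `cvss.score.temporal` and `cvss.score.evironmental` are declared `type: long` while their own description says scores range from 0.0 to 10.0 and the example is `5.5, 6.6`; a long mapping cannot hold those values, so the type should be `float` (the same mapping is emitted as `"type": "long"` in the schema.json hunk and in every generated template hunk above, which presumably regenerate from this file). The field name `cvss.score.evironmental` is misspelled, and because it becomes the indexed field name it is worth fixing before the fieldset ships; `vulnerabilty`, `confidentialy` and `vulerability` in the descriptions should be corrected at the same time. The date fields' `example: YYYY-MM-DD-HH-MM` is a placeholder rather than a value the `date` type accepts; a constructed ISO 8601 value such as `example: "2019-10-07T17:11:07Z"` would show producers the expected format. `cve.description` is a `keyword` that the generated templates map with `ignore_above: 1024`, so a description longer than that is silently not indexed; either a `text` multi-field or a sentence in the description noting the limit would help.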
diff --git a/scripts/go.mod b/scripts/go.mod index f1c1c9c239..8f287b93a0 100644 --- a/scripts/go.mod +++ b/scripts/go.mod @@ -14,3 +14,5 @@ require ( gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 // indirect gopkg.in/yaml.v2 v2.2.2 // indirect ) + +go 1.13 From f505030ae00e47c4970b63f1040c51642c74bd4b Mon Sep 17 00:00:00 2001 From: "Andrew D. Pease" <7442091+peasead@users.noreply.github.com> Date: Tue, 22 Oct 2019 10:40:56 -0700 Subject: [PATCH 02/36] added CVSS version field data --- schemas/vulnerability.yml | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/schemas/vulnerability.yml b/schemas/vulnerability.yml index 1b152e6f42..dcc3bb6608 100644 --- a/schemas/vulnerability.yml +++ b/schemas/vulnerability.yml @@ -38,7 +38,16 @@ Temporal scores cover an assessment for code maturity, remediation level, and confidence. For example (ex. https://www.first.org/cvss/specification-document) - example: 5.5, 6.6 + - name: cvss.score.version + level: extended + type: long + short: CVSS version. + description: > + The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. + + CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example (ex. https://nvd.nist.gov/vuln-metrics/cvss) + + example: 2.0, 3.0 - name: cvss.score.evironmental level: extended From 02c4ecc13089e3c90935ce4fe0caf2da058a1589 Mon Sep 17 00:00:00 2001 From: "Andrew D. Pease" <7442091+peasead@users.noreply.github.com> Date: Tue, 22 Oct 2019 10:46:59 -0700 Subject: [PATCH 03/36] add scan ID --- schemas/vulnerability.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/schemas/vulnerability.yml b/schemas/vulnerability.yml index dcc3bb6608..840d85122a 100644 
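Review bot: `cvss.score.version` is mapped as `type: long` with `example: 2.0, 3.0`, so the minor version is lost on ingest and a CVSS 3.1 score would be recorded as 3; a version label belongs in a `keyword`, e.g. `type: keyword` with `example: "3.1"`. The description is copied from NVD's severity-ranking text and never says what the field holds; a one-line description such as `The version of the CVSS specification the scores were calculated under.` would be clearer. Nesting a version under `score` also reads as if it were itself a score; `cvss.version` would be a more natural name.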
--- a/schemas/vulnerability.yml +++ b/schemas/vulnerability.yml @@ -151,3 +151,12 @@ The last time that the asset was scanned for vulnerabilities. example: YYYY-MM-DD-HH-MM + + - name: id + level: extended + type: keyword + short: Scan identification number. + description: > + The report or scan identification number. + + example: 20191018.0001, SCAN0001 From 1cb64669ce854adcb39dd6701d96ac849754012e Mon Sep 17 00:00:00 2001 From: "Andrew D. Pease" <7442091+peasead@users.noreply.github.com> Date: Tue, 22 Oct 2019 11:00:21 -0700 Subject: [PATCH 04/36] removed reusable field sets --- schemas/vulnerability.yml | 7 ------- 1 file changed, 7 deletions(-) diff --git a/schemas/vulnerability.yml b/schemas/vulnerability.yml index 840d85122a..b7a1f90f70 100644 --- a/schemas/vulnerability.yml +++ b/schemas/vulnerability.yml @@ -8,13 +8,6 @@ Fields can have one entry or multiple entries. - reusable: - top_level: true - expected: - - client - - host - - os - - observer type: group fields: From 50a637a7bf04153094c83429e38abddfc64c94e9 Mon Sep 17 00:00:00 2001 From: "Andrew D. Pease" <7442091+peasead@users.noreply.github.com> Date: Thu, 7 Nov 2019 15:13:49 -0500 Subject: [PATCH 05/36] removed detected/scanned.first/last --- schemas/vulnerability.yml | 36 ------------------------------------ 1 file changed, 36 deletions(-) diff --git a/schemas/vulnerability.yml b/schemas/vulnerability.yml index b7a1f90f70..37b219b027 100644 --- a/schemas/vulnerability.yml +++ b/schemas/vulnerability.yml 
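Review bot: The new `id` field is documented as "The report or scan identification number" but sits directly under `vulnerability`, so it is indexed as `vulnerability.id` and reads as the vulnerability's own identifier, next to `cve.id` which holds the actual CVE. A name that says what it identifies, e.g. `- name: report.id` or `- name: scan.id`, avoids the ambiguity, and the short description could then read `Identifier of the scan or report that found the vulnerability.` The rest of the fieldset is outside this hunk.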
@@ -109,42 +109,6 @@ example: New, Active, Fixed, Re-Opened - - name: detected.first - level: extended - type: date - short: Vulnerability first observed. - description: > - The first time that the vulnerability was observed on the asset. - - example: YYYY-MM-DD-HH-MM - - - name: detected.last - level: extended - type: date - short: Vulnerability last observed. - description: > - The last time that the vulnerability was observed on the asset. - - example: YYYY-MM-DD-HH-MM - - - name: scanned.first - level: extended - type: date - short: Asset first scanned. - description: > - The first time that the asset was scanned for vulnerabilities. - - example: YYYY-MM-DD-HH-MM - - - name: scanned.last - level: extended - type: date - short: Asset last scanned. - description: > - The last time that the asset was scanned for vulnerabilities. - - example: YYYY-MM-DD-HH-MM - - name: id level: extended type: keyword From e621165d703757ffca0aca8e859e6ed260fd6f6f Mon Sep 17 00:00:00 2001 From: "Andrew D. Pease" <7442091+peasead@users.noreply.github.com> Date: Thu, 7 Nov 2019 15:15:19 -0500 Subject: [PATCH 06/36] updated description --- schemas/vulnerability.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/schemas/vulnerability.yml b/schemas/vulnerability.yml index 37b219b027..c683f20630 100644 --- a/schemas/vulnerability.yml +++ b/schemas/vulnerability.yml @@ -6,8 +6,6 @@ description: > The vulnerability fields describe information about a vulnerabilty that is relevant to an event. - Fields can have one entry or multiple entries. - type: group fields: From c631a5fd33bea0acd6cbd6ca6f9e9ed95d042b84 Mon Sep 17 00:00:00 2001 From: "Andrew D. Pease" <7442091+peasead@users.noreply.github.com> Date: Thu, 7 Nov 2019 15:37:47 -0500 Subject: [PATCH 07/36] added and refined vuln classification and enumeration --- schemas/vulnerability.yml | 78 +++++++++++++++++++++++++++------------ 1 file changed, 55 insertions(+), 23 deletions(-) 
diff --git a/schemas/vulnerability.yml b/schemas/vulnerability.yml index c683f20630..fcb9194f37 100644 --- a/schemas/vulnerability.yml +++ b/schemas/vulnerability.yml 
@@ -9,47 +9,74 @@ type: group fields: - - name: cvss.score.base + - name: classification + level: extended + type: keyword + short: Classification of the vulnerability. + description: > + The classification of the vulnerability scoring system. For example (ex. https://www.first.org/cvss/) + + example: CVSS + + - name: enumeration + level: extended + type: keyword + short: Enumeration of the vulnerability. + description: > + The enumeration of the common identifiers for publicaly known vulnerabilities. For example (ex. https://cve.mitre.org/about/) + + example: CVE + + - name: url + level: extended + type: keyword + short: URL describing the vulnerability. + description: > + A URL to a resource that provides additional information, context, and mitigations for the identified vulnerabiltiy. For example (ex. https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ssh) + + example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111 + + - name: score.base level: extended type: long - short: CVSS Base score. + short: Vulnerability Base score. description: > - The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentialy, integrity, and availability), and scope. For example (ex. https://www.first.org/cvss/specification-document) example: 5.5, 6.6 - - name: cvss.score.temporal + - name: score.temporal level: extended type: long - short: CVSS Temporal score. + short: Vulnerability Temporal score. description: > - The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. 
Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Temporal scores cover an assessment for code maturity, remediation level, and confidence. For example (ex. https://www.first.org/cvss/specification-document) - - name: cvss.score.version + - name: score.evironmental level: extended type: long - short: CVSS version. + short: Vulnerability Environmental score. description: > - The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example (ex. https://nvd.nist.gov/vuln-metrics/cvss) + Environmental scores cover an assessment for any modified Base metrics, confidentiality, integrity, and availability requirements. For example (ex. https://www.first.org/cvss/specification-document) - example: 2.0, 3.0 + example: 5.5, 6.6 - - name: cvss.score.evironmental + - name: score.version level: extended type: long - short: CVSS Environmental score. + short: CVSS version. description: > - The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. 
- Environmental scores cover an assessment for any modified Base metrics, confidentiality, integrity, and availability requirements. For example (ex. https://www.first.org/cvss/specification-document) + CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example (ex. https://nvd.nist.gov/vuln-metrics/cvss) - example: 5.5, 6.6 + example: 2.0, 3.0 - name: category level: extended 
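Review bot: The new `classification` and `enumeration` fields are free-text keywords whose only guidance is a single example (`CVSS`, `CVE`), so different producers will likely spell the same scheme differently (`CVSS`, `cvss`, `CVSS v3`) and split aggregations; the description should fix the expected spelling, e.g. `Use the scoring system's canonical short name, such as CVSS.`, and likewise for `CVE`. `score.version` keeps the description about NVD qualitative severity rankings, which does not describe a version field at all; a description such as `The version of the scoring system used to calculate the scores.` would match the name and the `2.0, 3.0` example. The renamed `score.evironmental` still carries the misspelling into the indexed field name, and `publicaly` and `vulnerabiltiy` in the new descriptions should be fixed as well.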
@@ -60,27 +87,32 @@ example: AIX, Firewall, Malware, Office Application, Solaris, Windows - - name: cve.description + - name: description level: extended type: keyword short: Description of the vulnerability. description: > - The Common Vulnerability and Exposures (CVE) list is an open source list for publicly known cybersecurity vulnerabilities providing an identification number, a description, and at least one public reference. - The description of the vulnerability that provides additional context of the vulnerability. For example (ex. https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created) example: In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible to time-to-check-time-to-use bugs and would also allow one user of the system (who didn't have root access) to tamper with another's installs. - - name: cve.id + - name: scanner.id level: extended type: keyword short: ID of the vulnerability. description: > - The Common Vulnerability and Exposures (CVE) list is an open source list for publicly known cybersecurity vulnerabilities providing an identification number, a description, and at least one public reference. + The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (ex. https://cve.mitre.org/about/faqs.html#what_is_cve_id) - The identification (ID) is the number portion of a CVE Entry. It includes the year the vulnerability ID was requested followed by a sequence number. CVE-YYYY-NNNNN. For example (ex. https://cve.mitre.org/about/faqs.html#what_is_cve_id) + example: CVE-2019-00001, CVE-2019-00002, QID: 38739 + + - name: scanner.name + level: extended + type: keyword + short: Name of the scanner vendor. + description: > + The name of the vulnerability scanner vendor. - example: CVE-2019-00001, CVE-2019-00002 + example: Tenable, Qualys - name: severity level: extended 
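Review bot: The field renamed from `cve.id` to `scanner.id` in this hunk keeps `short: ID of the vulnerability.` and CVE-style examples, so the name says scanner while the value is the vulnerability's identifier, and a reader will take `scanner.id` to identify the scanning tool or run, the way the new `scanner.name` does. A name outside the `scanner.` group, with `short: Identifier of the vulnerability.`, would keep the two concepts apart; the same name is carried unchanged through the later reflow of this field. The example `QID: 38739` also bakes a label and a space into a keyword value, so documenting the bare identifier the scanner emits would avoid the label being ingested as part of the ID. The `description` field's pointer to the CVE FAQ still reads as CVE-specific now that the field is generic; `For example, for CVE entries see https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created` would scope it.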
From b05a5e0998f1d0f5b098be66cd66b7abf36972a7 Mon Sep 17 00:00:00 2001 From: "Andrew D. Pease" <7442091+peasead@users.noreply.github.com> Date: Thu, 7 Nov 2019 15:38:46 -0500 Subject: [PATCH 08/36] changes scanner.name to .vendor --- schemas/vulnerability.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/schemas/vulnerability.yml b/schemas/vulnerability.yml index fcb9194f37..c0e2450afe 100644 --- a/schemas/vulnerability.yml +++ b/schemas/vulnerability.yml @@ -105,7 +105,7 @@ example: CVE-2019-00001, CVE-2019-00002, QID: 38739 - - name: scanner.name + - name: scanner.vendor level: extended type: keyword short: Name of the scanner vendor. From 04bae168ad751b27cb93f26c8052cc4518b94641 Mon Sep 17 00:00:00 2001 From: Andrew Pease Date: Mon, 18 Nov 2019 08:48:34 -0600 Subject: [PATCH 09/36] added changelog --- CHANGELOG.next.md | 13 +------------ 1 file changed, 1 insertion(+), 12 deletions(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index edc5cf66f4..c5208115c0 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -3,18 +3,9 @@ - Please insert your changelog line ordered by PR ID. Thanks, you're awesome :-) --> -## Unreleased - -### Breaking changes - -### Bugfixes - ### Added -### Improvements - -### Deprecated - +* Added `vulnerability.*` fields to represent vulnerability information. #581 ### Bugfixes -### Added - ### Improvements ### Deprecated From 9a0f1433b78a193da8fe014f41771f58d417879f Mon Sep 17 00:00:00 2001 From: Andrew Pease Date: Mon, 18 Nov 2019 08:58:00 -0600 Subject: [PATCH 10/36] adjusted long description to 80-90 chars --- schemas/vulnerability.yml | 64 ++++++++++++++++++++++++++++----------- 1 file changed, 46 insertions(+), 18 deletions(-) diff --git a/schemas/vulnerability.yml b/schemas/vulnerability.yml index c0e2450afe..ad800a8b0b 100644 --- a/schemas/vulnerability.yml +++ b/schemas/vulnerability.yml 
@@ -4,7 +4,8 @@ group: 2 short: Fields to describe the vulnerabilty relevant to an event. description: > - The vulnerability fields describe information about a vulnerabilty that is relevant to an event. + The vulnerability fields describe information about a vulnerabilty that is + relevant to an event. type: group fields: @@ -14,7 +15,8 @@ type: keyword short: Classification of the vulnerability. description: > - The classification of the vulnerability scoring system. For example (ex. https://www.first.org/cvss/) + The classification of the vulnerability scoring system. + For example (https://www.first.org/cvss/) example: CVSS @@ -23,7 +25,8 @@ type: keyword short: Enumeration of the vulnerability. description: > - The enumeration of the common identifiers for publicaly known vulnerabilities. For example (ex. https://cve.mitre.org/about/) + The enumeration of the common identifiers for publicaly known vulnerabilities. + For example (https://cve.mitre.org/about/) example: CVE @@ -32,7 +35,9 @@ type: keyword short: URL describing the vulnerability. description: > - A URL to a resource that provides additional information, context, and mitigations for the identified vulnerabiltiy. For example (ex. https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ssh) + A URL to a resource that provides additional information, context, and + mitigations for the identified vulnerabiltiy. + For example (https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ssh) example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111 
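Review bot: Several of the re-flowed description lines carry spelling errors into the new text: `vulnerabilty` in the group description of the first hunk, `publicaly` in the `enumeration` hunk, `vulnerabiltiy` in the `url` hunk, and `confidentialy` in the `score.base` hunk that follows. These strings are copied verbatim into the generated docs, CSV and Go struct comments, so a reflow commit is the cheap moment to correct them to `vulnerability`, `publicly`, `vulnerability` and `confidentiality`. The context line `short: Fields to describe the vulnerabilty relevant to an event.` has the same typo and could be fixed in the same pass.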
@@ -43,7 +48,10 @@ description: > Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentialy, integrity, and availability), and scope. For example (ex. https://www.first.org/cvss/specification-document) + Base scores cover an assessment for exploitability metrics (attack vector, + complexity, privileges, and user interaction), impact metrics (confidentialy, + integrity, and availability), and scope. + For example (https://www.first.org/cvss/specification-document) example: 5.5, 6.6 @@ -54,7 +62,9 @@ description: > Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - Temporal scores cover an assessment for code maturity, remediation level, and confidence. For example (ex. https://www.first.org/cvss/specification-document) + Temporal scores cover an assessment for code maturity, remediation level, and + confidence. + For example (https://www.first.org/cvss/specification-document) - name: score.evironmental level: extended @@ -63,7 +73,9 @@ description: > Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - Environmental scores cover an assessment for any modified Base metrics, confidentiality, integrity, and availability requirements. For example (ex. https://www.first.org/cvss/specification-document) + Environmental scores cover an assessment for any modified Base metrics, + confidentiality, integrity, and availability requirements. + For example (https://www.first.org/cvss/specification-document) example: 5.5, 6.6 
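Review bot: `score.temporal` in the second hunk still ends without an `example:` line, whereas `score.base` just above and `score.environmental` just below each document `example: 5.5, 6.6`. Adding one, e.g. `example: 4.9` (any illustrative value in the documented 0.0–10.0 range), keeps the three score fields consistent and gives the generated field table a value for this one too. The reflow also turns `For example (ex. https://…)` into `For example (https://…)`, which still reads as if a value followed; `See https://www.first.org/cvss/specification-document` is plainer for a bare link.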
@@ -72,9 +84,14 @@ type: long short: CVSS version. description: > - The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. + The National Vulnerability Database (NVD) provides qualitative severity rankings + of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the + severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. - CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example (ex. https://nvd.nist.gov/vuln-metrics/cvss) + CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit + organization, whose mission is to help computer security incident response teams + across the world. + For example (https://nvd.nist.gov/vuln-metrics/cvss) example: 2.0, 3.0 @@ -83,7 +100,10 @@ type: keyword short: Category of a vulnerabilty. description: > - The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm) + The type of system or architecture that the vulnerability affects. These may be + platform-specific (for example, Debian or SUSE) or general (for example, Database + or Firewall). + For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm) example: AIX, Firewall, Malware, Office Application, Solaris, Windows 
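Review bot: The `score.version` description in the first hunk never says what the field holds: both re-flowed paragraphs describe NVD qualitative severity rankings and FIRST's ownership of CVSS, while `short: CVSS version.` and `example: 2.0, 3.0` say it is the specification version. Replacing the paragraphs with something like `The version of the CVSS specification the score fields were computed against. The metrics and their meaning differ between versions, so consumers need this alongside the scores.` documents the actual contract; the NVD ranking text belongs with `severity`, if anywhere. The same text is kept unchanged when a later hunk switches this field to `keyword`, so the fix applies there as well.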
@@ -92,16 +112,22 @@ type: keyword short: Description of the vulnerability. description: > - The description of the vulnerability that provides additional context of the vulnerability. For example (ex. https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created) + The description of the vulnerability that provides additional context of the + vulnerability. + For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created) - example: In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible to time-to-check-time-to-use bugs and would also allow one user of the system (who didn't have root access) to tamper with another's installs. + example: In Keybase before 2.12.6 on macOS, the move RPC to the Helper was + susceptible to time-to-check-time-to-use bugs and would also allow one user of the + system (who didn't have root access) to tamper with another's installs. - name: scanner.id level: extended type: keyword short: ID of the vulnerability. description: > - The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (ex. https://cve.mitre.org/about/faqs.html#what_is_cve_id) + The identification (ID) is the number portion of a vulnerability entry. It + includes a unique identification number for the vulnerability. + For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id) example: CVE-2019-00001, CVE-2019-00002, QID: 38739 @@ -119,7 +145,9 @@ type: keyword short: Severity of the vulnerability. description: > - The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (ex. https://nvd.nist.gov/vuln-metrics/cvss) + The severity of the vulnerability can help with metrics and internal + prioritization regarding remediation. + For example (https://nvd.nist.gov/vuln-metrics/cvss) example: Critical, High, Medium, Low, None 
@@ -130,12 +158,12 @@ description: > The current status of the vulerability on the asset: - New - The first time a vulnerability is detected by a scan the status is set to New. + New - First time a vulnerability is detected by a scan the status is set to New. Active - A vulnerability detected by two or more scans is set to Active. - Fixed - A vulnerability was verified by the most recent scan as fixed, and this vulnerability was detected by the previous scan. - Re-Opened - A vulnerability was reopened by the most recent scan, and this vulnerability was verified as fixed by the previous scan. + Fixed - A vulnerability was verified by the most recent scan as Fixed. + Re-Opened - A vulnerability was reopened by the most recent scan. - For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm) + For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm) example: New, Active, Fixed, Re-Opened From 9b26b0dc01dbb83bf64d33617b5ff2eb5fc8c2b1 Mon Sep 17 00:00:00 2001 From: Andrew Pease Date: Mon, 18 Nov 2019 09:02:38 -0600 Subject: [PATCH 11/36] changed enumeration to reference, clarified description --- schemas/vulnerability.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/schemas/vulnerability.yml b/schemas/vulnerability.yml index ad800a8b0b..aa7ff16ca4 100644 --- a/schemas/vulnerability.yml +++ b/schemas/vulnerability.yml @@ -20,12 +20,12 @@ example: CVSS - - name: enumeration + - name: reference level: extended type: keyword - short: Enumeration of the vulnerability. + short: Reference of the vulnerability. description: > - The enumeration of the common identifiers for publicaly known vulnerabilities. + The type of identifier used for this vulnerability. For example (https://cve.mitre.org/about/) example: CVE From e4838d6275645a351368d3d7ee2769624474eeb7 Mon Sep 17 00:00:00 2001 
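Review bot: The shortened `Fixed` and `Re-Opened` lines in this hunk drop the clause that defined each state: the removed text required a Fixed finding to have been detected by the previous scan and a Re-Opened finding to have been verified as fixed by the previous scan, and those preconditions are what separate Re-Opened from Active. The new `Re-Opened - A vulnerability was reopened by the most recent scan.` is circular, so a commit billed as a line-length reflow has changed the documented meaning of the status values. Keeping the preconditions within the line budget is possible, e.g. `Fixed - Verified as fixed by the latest scan, after being detected by the previous one.` and `Re-Opened - Detected again by the latest scan, after the previous scan had verified it as fixed.`. The context line `The current status of the vulerability on the asset:` also carries a typo worth fixing in the same pass.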
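Review bot: `reference` with `short: Reference of the vulnerability.` in this hunk is an ambiguous name for what the description calls `The type of identifier used for this vulnerability.` with example `CVE`: in vulnerability data a "reference" usually means a link or citation to an advisory, which this schema already models as `url`, so the two fields are likely to be confused by producers. If the rename stands, the `short:` should at least say what the value is, e.g. `short: Identifier scheme used for the vulnerability.`, and the description should name the expected values (CVE, a vendor-specific scheme, and so on) so the field is not filled with free-text citations.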
From: Andrew Pease Date: Mon, 18 Nov 2019 09:03:05 -0600 Subject: [PATCH 12/36] changed score.base to float type --- schemas/vulnerability.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/schemas/vulnerability.yml b/schemas/vulnerability.yml index aa7ff16ca4..2e2e93d688 100644 --- a/schemas/vulnerability.yml +++ b/schemas/vulnerability.yml @@ -43,7 +43,7 @@ - name: score.base level: extended - type: long + type: float short: Vulnerability Base score. description: > Scores can range from 0.0 to 10.0, with 10.0 being the most severe. From f8c20c9950430db7ee263f812b43ad419aaa1dbe Mon Sep 17 00:00:00 2001 From: Andrew Pease Date: Mon, 18 Nov 2019 09:03:32 -0600 Subject: [PATCH 13/36] changed score.temporal to float --- schemas/vulnerability.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/schemas/vulnerability.yml b/schemas/vulnerability.yml index 2e2e93d688..6dfb580dd0 100644 --- a/schemas/vulnerability.yml +++ b/schemas/vulnerability.yml @@ -57,7 +57,7 @@ - name: score.temporal level: extended - type: long + type: float short: Vulnerability Temporal score. description: > Scores can range from 0.0 to 10.0, with 10.0 being the most severe. From fb1d72373d8a933131b97d67744908fb6322a9e3 Mon Sep 17 00:00:00 2001 From: Andrew Pease Date: Mon, 18 Nov 2019 09:03:49 -0600 Subject: [PATCH 14/36] changed score.environmental to float --- schemas/vulnerability.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/schemas/vulnerability.yml b/schemas/vulnerability.yml index 6dfb580dd0..806762cb7d 100644 --- a/schemas/vulnerability.yml +++ b/schemas/vulnerability.yml @@ -68,7 +68,7 @@ - name: score.evironmental level: extended - type: long + type: float short: Vulnerability Environmental score. description: > Scores can range from 0.0 to 10.0, with 10.0 being the most severe. From 4039c7e2aa4575c1e50699d0c71fbefbfd3f3cd6 Mon Sep 17 00:00:00 2001 
From: Andrew Pease Date: Mon, 18 Nov 2019 09:04:45 -0600 Subject: [PATCH 15/36] fixed spelling errors in environmental --- schemas/vulnerability.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/schemas/vulnerability.yml b/schemas/vulnerability.yml index 806762cb7d..197621aa20 100644 --- a/schemas/vulnerability.yml +++ b/schemas/vulnerability.yml @@ -66,7 +66,7 @@ confidence. For example (https://www.first.org/cvss/specification-document) - - name: score.evironmental + - name: score.environmental level: extended type: float short: Vulnerability Environmental score. From 0b89b5fdb5c0b3bab3d4a9224089ef376ddbab49 Mon Sep 17 00:00:00 2001 From: Andrew Pease Date: Mon, 18 Nov 2019 09:05:16 -0600 Subject: [PATCH 16/36] changed score.version to keyword type --- schemas/vulnerability.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/schemas/vulnerability.yml b/schemas/vulnerability.yml index 197621aa20..67f4e06ad2 100644 --- a/schemas/vulnerability.yml +++ b/schemas/vulnerability.yml @@ -81,7 +81,7 @@ - name: score.version level: extended - type: long + type: keyword short: CVSS version. description: > The National Vulnerability Database (NVD) provides qualitative severity rankings From a3454da868805427af99fd74eaa84685be45a23e Mon Sep 17 00:00:00 2001 From: Andrew Pease Date: Mon, 18 Nov 2019 09:07:09 -0600 Subject: [PATCH 17/36] bulleted status for ease-of-view --- schemas/vulnerability.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/schemas/vulnerability.yml b/schemas/vulnerability.yml index 67f4e06ad2..b0cfa160f2 100644 --- a/schemas/vulnerability.yml +++ b/schemas/vulnerability.yml 
@@ -158,10 +158,10 @@ description: > The current status of the vulerability on the asset: - New - First time a vulnerability is detected by a scan the status is set to New. - Active - A vulnerability detected by two or more scans is set to Active. - Fixed - A vulnerability was verified by the most recent scan as Fixed. - Re-Opened - A vulnerability was reopened by the most recent scan. + * New - First time a vulnerability is detected by a scan the status is set to New. + * Active - A vulnerability detected by two or more scans is set to Active. + * Fixed - A vulnerability was verified by the most recent scan as Fixed. + * Re-Opened - A vulnerability was reopened by the most recent scan. For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm) From a46dde8eafba7a7d07801393377d654b34ef4314 Mon Sep 17 00:00:00 2001 From: Andrew Pease Date: Mon, 18 Nov 2019 09:10:21 -0600 Subject: [PATCH 18/36] changed to single examples --- schemas/vulnerability.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/schemas/vulnerability.yml b/schemas/vulnerability.yml index b0cfa160f2..b5631439de 100644 --- a/schemas/vulnerability.yml +++ b/schemas/vulnerability.yml @@ -53,7 +53,7 @@ integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document) - example: 5.5, 6.6 + example: 5.5 - name: score.temporal level: extended @@ -77,7 +77,7 @@ confidentiality, integrity, and availability requirements. For example (https://www.first.org/cvss/specification-document) - example: 5.5, 6.6 + example: 5.5 - name: score.version level: extended @@ -93,7 +93,7 @@ across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss) - example: 2.0, 3.0 + example: 2.0 - name: category level: extended 
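Review bot: The bullet lines added in this hunk sit at the same indentation as the rest of the folded scalar (`description: >`), and YAML folding joins equally indented lines with a space, so the four `* …` lines become one run-on paragraph wherever the text is emitted (the regenerated Go comment later on this page shows `set to New. * Active -` run together). Folded scalars keep line breaks for lines indented more deeply than the first line, so indenting the four bullet lines by two extra spaces — or switching this one description to a literal `|` block — preserves the list. The trailing `For example (…)` line should stay at the original indentation so it is folded normally.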
@@ -105,7 +105,7 @@ or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm) - example: AIX, Firewall, Malware, Office Application, Solaris, Windows + example: Firewall - name: description level: extended @@ -129,7 +129,7 @@ includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id) - example: CVE-2019-00001, CVE-2019-00002, QID: 38739 + example: CVE-2019-00001 - name: scanner.vendor level: extended @@ -138,7 +138,7 @@ description: > The name of the vulnerability scanner vendor. - example: Tenable, Qualys + example: Tenable - name: severity level: extended @@ -149,7 +149,7 @@ prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) - example: Critical, High, Medium, Low, None + example: Critical - name: status level: extended @@ -165,7 +165,7 @@ For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm) - example: New, Active, Fixed, Re-Opened + example: New - name: id level: extended @@ -174,4 +174,4 @@ description: > The report or scan identification number. - example: 20191018.0001, SCAN0001 + example: 20191018.0001 From a763111cd2a9c8b3f15be37074b2584c0ff28b52 Mon Sep 17 00:00:00 2001 From: Andrew Pease Date: Mon, 18 Nov 2019 09:11:29 -0600 Subject: [PATCH 19/36] changed id to report_id for clarity --- schemas/vulnerability.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/schemas/vulnerability.yml b/schemas/vulnerability.yml index b5631439de..5def4b4da3 100644 --- a/schemas/vulnerability.yml +++ b/schemas/vulnerability.yml @@ -167,7 +167,7 @@ example: New - - name: id + - name: report_id level: extended type: keyword short: Scan identification number. From f6315ee2bd4a3cbad22a0951218782fb319397fb Mon Sep 17 00:00:00 2001 
From: Andrew Pease Date: Mon, 18 Nov 2019 09:29:30 -0600 Subject: [PATCH 20/36] removed an unescaped character --- schemas/vulnerability.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/schemas/vulnerability.yml b/schemas/vulnerability.yml index 5def4b4da3..a5153d536f 100644 --- a/schemas/vulnerability.yml +++ b/schemas/vulnerability.yml @@ -118,7 +118,7 @@ example: In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible to time-to-check-time-to-use bugs and would also allow one user of the - system (who didn't have root access) to tamper with another's installs. + system (who didn't have root access) to tamper with another install. - name: scanner.id level: extended From e28dd359f620b527d16f2a3506af8bf069c15408 Mon Sep 17 00:00:00 2001 From: Andrew Pease Date: Mon, 18 Nov 2019 09:38:16 -0600 Subject: [PATCH 21/36] shortened the description example --- schemas/vulnerability.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/schemas/vulnerability.yml b/schemas/vulnerability.yml index a5153d536f..778d89f1b8 100644 --- a/schemas/vulnerability.yml +++ b/schemas/vulnerability.yml @@ -116,9 +116,7 @@ vulnerability. For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created) - example: In Keybase before 2.12.6 on macOS, the move RPC to the Helper was - susceptible to time-to-check-time-to-use bugs and would also allow one user of the - system (who didn't have root access) to tamper with another install. + example: In macOS before 2.12.6, there is a vulnerability in the RPC... - name: scanner.id level: extended From 791220f281545a206a639cbd33281a8a94df2bea Mon Sep 17 00:00:00 2001 
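Review bot: The shortened example in the second hunk on this line misattributes the flaw: the removed text placed it in Keybase before 2.12.6 on macOS, while the new `In macOS before 2.12.6, there is a vulnerability in the RPC...` reads as a macOS version, which is not one, and loses the affected product. A trimmed but accurate line such as `example: In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible to time-of-check/time-of-use bugs.` stays short and still illustrates a real description. The trailing `...` in the new example will also be reproduced literally in the generated docs and Go comment.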
From: Andrew Pease Date: Mon, 18 Nov 2019 09:41:20 -0600 Subject: [PATCH 22/36] from make --- code/go/ecs/vulnerability.go | 121 +- docs/field-details.asciidoc | 159 +-- generated/beats/fields.ecs.yml | 895 ++------------ generated/csv/fields.csv | 110 +- generated/ecs/ecs_flat.yml | 1455 +++------------------- generated/ecs/ecs_nested.yml | 1473 +++-------------------- generated/elasticsearch/6/template.json | 523 +------- generated/elasticsearch/7/template.json | 523 +------- generated/legacy/template.json | 68 +- schema.json | 120 +- 10 files changed, 698 insertions(+), 4749 deletions(-) diff --git a/code/go/ecs/vulnerability.go b/code/go/ecs/vulnerability.go index 6b077cbbc0..13757e557b 100644 --- a/code/go/ecs/vulnerability.go +++ b/code/go/ecs/vulnerability.go 
@@ -19,90 +19,85 @@ package ecs -import ( - "time" -) - // The vulnerability fields describe information about a vulnerabilty that is // relevant to an event. -// Fields can have one entry or multiple entries. type Vulnerability struct { - // The Common Vulnerability Scoring System (CVSS) is an open framework for - // communicating the characteristics and severity of software - // vulnerabilities. Scores can range from 0.0 to 10.0, with 10.0 being the - // most severe. + // The classification of the vulnerability scoring system. For example + // (https://www.first.org/cvss/) + Classification string `ecs:"classification"` + + // The type of identifier used for this vulnerability. For example + // (https://cve.mitre.org/about/) + Reference string `ecs:"reference"` + + // A URL to a resource that provides additional information, context, and + // mitigations for the identified vulnerabiltiy. For example + // (https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ssh) + Url string `ecs:"url"` + + // Scores can range from 0.0 to 10.0, with 10.0 being the most severe. // Base scores cover an assessment for exploitability metrics (attack // vector, complexity, privileges, and user interaction), impact metrics // (confidentialy, integrity, and availability), and scope. For example - // (ex. https://www.first.org/cvss/specification-document) - CvssScoreBase int64 `ecs:"cvss.score.base"` + // (https://www.first.org/cvss/specification-document) + ScoreBase float64 `ecs:"score.base"` - // The Common Vulnerability Scoring System (CVSS) is an open framework for - // communicating the characteristics and severity of software - // vulnerabilities. Scores can range from 0.0 to 10.0, with 10.0 being the - // most severe. + // Scores can range from 0.0 to 10.0, with 10.0 being the most severe. // Temporal scores cover an assessment for code maturity, remediation - // level, and confidence. For example (ex. 
- // https://www.first.org/cvss/specification-document) - CvssScoreTemporal int64 `ecs:"cvss.score.temporal"` - - // The Common Vulnerability Scoring System (CVSS) is an open framework for - // communicating the characteristics and severity of software - // vulnerabilities. Scores can range from 0.0 to 10.0, with 10.0 being the - // most severe. + // level, and confidence. For example + // (https://www.first.org/cvss/specification-document) + ScoreTemporal float64 `ecs:"score.temporal"` + + // Scores can range from 0.0 to 10.0, with 10.0 being the most severe. // Environmental scores cover an assessment for any modified Base metrics, // confidentiality, integrity, and availability requirements. For example - // (ex. https://www.first.org/cvss/specification-document) - CvssScoreEvironmental int64 `ecs:"cvss.score.evironmental"` + // (https://www.first.org/cvss/specification-document) + ScoreEnvironmental float64 `ecs:"score.environmental"` + + // The National Vulnerability Database (NVD) provides qualitative severity + // rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges + // in addition to the severity ratings for CVSS v3.0 as they are defined in + // the CVSS v3.0 specification. + // CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based + // non-profit organization, whose mission is to help computer security + // incident response teams across the world. For example + // (https://nvd.nist.gov/vuln-metrics/cvss) + ScoreVersion string `ecs:"score.version"` // The type of system or architecture that the vulnerability affects. These // may be platform-specific (for example, Debian or SUSE) or general (for - // example, Database or Firewall). For example (ex. - // https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm) + // example, Database or Firewall). 
For example + // (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm) Category string `ecs:"category"` - // The Common Vulnerability and Exposures (CVE) list is an open source list - // for publicly known cybersecurity vulnerabilities providing an - // identification number, a description, and at least one public reference. // The description of the vulnerability that provides additional context of - // the vulnerability. For example (ex. - // https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created) - CveDescription string `ecs:"cve.description"` - - // The Common Vulnerability and Exposures (CVE) list is an open source list - // for publicly known cybersecurity vulnerabilities providing an - // identification number, a description, and at least one public reference. - // The identification (ID) is the number portion of a CVE Entry. It - // includes the year the vulnerability ID was requested followed by a - // sequence number. CVE-YYYY-NNNNN. For example (ex. - // https://cve.mitre.org/about/faqs.html#what_is_cve_id) - CveID string `ecs:"cve.id"` + // the vulnerability. For example + // (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created) + Description string `ecs:"description"` + + // The identification (ID) is the number portion of a vulnerability entry. + // It includes a unique identification number for the vulnerability. For + // example (https://cve.mitre.org/about/faqs.html#what_is_cve_id) + ScannerID string `ecs:"scanner.id"` + + // The name of the vulnerability scanner vendor. + ScannerVendor string `ecs:"scanner.vendor"` // The severity of the vulnerability can help with metrics and internal - // prioritization regarding remediation. For example (ex. - // https://nvd.nist.gov/vuln-metrics/cvss) + // prioritization regarding remediation. 
For example + // (https://nvd.nist.gov/vuln-metrics/cvss) Severity string `ecs:"severity"` // The current status of the vulerability on the asset: - // New - The first time a vulnerability is detected by a scan the status is - // set to New. Active - A vulnerability detected by two or more scans is - // set to Active. Fixed - A vulnerability was verified by the most recent - // scan as fixed, and this vulnerability was detected by the previous scan. - // Re-Opened - A vulnerability was reopened by the most recent scan, and - // this vulnerability was verified as fixed by the previous scan. - // For example (ex. - // https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm) + // * New - First time a vulnerability is detected by a scan the status is + // set to New. * Active - A vulnerability detected by two or more scans is + // set to Active. * Fixed - A vulnerability was verified by the most recent + // scan as Fixed. * Re-Opened - A vulnerability was reopened by the most + // recent scan. + // For example + // (https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm) Status string `ecs:"status"` - // The first time that the vulnerability was observed on the asset. - DetectedFirst time.Time `ecs:"detected.first"` - - // The last time that the vulnerability was observed on the asset. - DetectedLast time.Time `ecs:"detected.last"` - - // The first time that the asset was scanned for vulnerabilities. - ScannedFirst time.Time `ecs:"scanned.first"` - - // The last time that the asset was scanned for vulnerabilities. - ScannedLast time.Time `ecs:"scanned.last"` + // The report or scan identification number. + ReportID string `ecs:"report_id"` } diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index 2d69abc11b..2afd6835a2 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc 
@@ -387,12 +387,6 @@ example: `co.uk` // =============================================================== -| <> -| Fields to describe the vulnerabilty relevant to an event. - -// =============================================================== - - |===== [[ecs-cloud]] @@ -2029,12 +2023,6 @@ example: `1325` // =============================================================== -| <> -| Fields to describe the vulnerabilty relevant to an event. - -// =============================================================== - - |===== [[ecs-http]] @@ -2650,12 +2638,6 @@ type: keyword // =============================================================== -| <> -| Fields to describe the vulnerabilty relevant to an event. - -// =============================================================== - - |===== [[ecs-organization]] @@ -2787,24 +2769,6 @@ Note also that the `os` fields are not expected to be used directly at the top l -[[ecs-os-nestings]] -===== Field sets that can be nested under Operating System - -[options="header"] -|===== -| Nested fields | Description - -// =============================================================== - - -| <> -| Fields to describe the vulnerabilty relevant to an event. - -// =============================================================== - - -|===== - [[ecs-package]] === Package Fields @@ -4148,8 +4112,6 @@ example: `12.0` The vulnerability fields describe information about a vulnerabilty that is relevant to an event. -Fields can have one entry or multiple entries. - ==== Vulnerability Field Details [options="header"] 
@@ -4159,131 +4121,140 @@ Fields can have one entry or multiple entries.
 // ===============================================================
 | vulnerability.category
-| The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm)
+| The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm)
 type: keyword
-example: `AIX, Firewall, Malware, Office Application, Solaris, Windows`
+example: `Firewall`
 | extended
 // ===============================================================
-| vulnerability.cve.description
-| The Common Vulnerability and Exposures (CVE) list is an open source list for publicly known cybersecurity vulnerabilities providing an identification number, a description, and at least one public reference.
-
-The description of the vulnerability that provides additional context of the vulnerability. For example (ex. https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created)
+| vulnerability.classification
+| The classification of the vulnerability scoring system.
For example (https://www.first.org/cvss/)
 type: keyword
-example: `In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible to time-to-check-time-to-use bugs and would also allow one user of the system (who didn't have root access) to tamper with another's installs.`
+example: `CVSS`
 | extended
 // ===============================================================
-| vulnerability.cve.id
-| The Common Vulnerability and Exposures (CVE) list is an open source list for publicly known cybersecurity vulnerabilities providing an identification number, a description, and at least one public reference.
-
-The identification (ID) is the number portion of a CVE Entry. It includes the year the vulnerability ID was requested followed by a sequence number. CVE-YYYY-NNNNN. For example (ex. https://cve.mitre.org/about/faqs.html#what_is_cve_id)
+| vulnerability.description
+| The description of the vulnerability that provides additional context of the vulnerability. For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created)
 type: keyword
-example: `CVE-2019-00001, CVE-2019-00002`
+example: `In macOS before 2.12.6, there is a vulnerability in the RPC...`
 | extended
 // ===============================================================
-| vulnerability.cvss.score.base
-| The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. Scores can range from 0.0 to 10.0, with 10.0 being the most severe.
-
-Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentialy, integrity, and availability), and scope. For example (ex. https://www.first.org/cvss/specification-document)
+| vulnerability.reference
+| The type of identifier used for this vulnerability.
For example (https://cve.mitre.org/about/)
-type: long
+type: keyword
-example: `5.5, 6.6`
+example: `CVE`
 | extended
 // ===============================================================
-| vulnerability.cvss.score.evironmental
-| The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. Scores can range from 0.0 to 10.0, with 10.0 being the most severe.
+| vulnerability.report_id
+| The report or scan identification number.
-Environmental scores cover an assessment for any modified Base metrics, confidentiality, integrity, and availability requirements. For example (ex. https://www.first.org/cvss/specification-document)
-
-type: long
+type: keyword
-example: `5.5, 6.6`
+example: `20191018.0001`
 | extended
 // ===============================================================
-| vulnerability.cvss.score.temporal
-| The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. Scores can range from 0.0 to 10.0, with 10.0 being the most severe.
+| vulnerability.scanner.id
+| The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)
+
+type: keyword
-Temporal scores cover an assessment for code maturity, remediation level, and confidence. For example (ex. https://www.first.org/cvss/specification-document)
+example: `CVE-2019-00001`
-type: long
+| extended
+
+// ===============================================================
+
+| vulnerability.scanner.vendor
+| The name of the vulnerability scanner vendor.
+
+type: keyword
-example: `5.5, 6.6`
+example: `Tenable`
 | extended
 // ===============================================================
-| vulnerability.detected.first
-| The first time that the vulnerability was observed on the asset.
+| vulnerability.score.base
+| Scores can range from 0.0 to 10.0, with 10.0 being the most severe.
-type: date
+Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentialy, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document)
+
+type: float
-example: `YYYY-MM-DD-HH-MM`
+example: `5.5`
 | extended
 // ===============================================================
-| vulnerability.detected.last
-| The last time that the vulnerability was observed on the asset.
+| vulnerability.score.environmental
+| Scores can range from 0.0 to 10.0, with 10.0 being the most severe.
-type: date
+Environmental scores cover an assessment for any modified Base metrics, confidentiality, integrity, and availability requirements. For example (https://www.first.org/cvss/specification-document)
-example: `YYYY-MM-DD-HH-MM`
+type: float
+
+example: `5.5`
 | extended
 // ===============================================================
-| vulnerability.scanned.first
-| The first time that the asset was scanned for vulnerabilities.
+| vulnerability.score.temporal
+| Scores can range from 0.0 to 10.0, with 10.0 being the most severe.
+
+Temporal scores cover an assessment for code maturity, remediation level, and confidence. For example (https://www.first.org/cvss/specification-document)
+
+type: float
-type: date
-example: `YYYY-MM-DD-HH-MM`
 | extended
 // ===============================================================
-| vulnerability.scanned.last
-| The last time that the asset was scanned for vulnerabilities.
+| vulnerability.score.version
+| The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification.
-type: date
+CVSS is owned and managed by FIRST.Org, Inc.
(FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss)
+
+type: keyword
-example: `YYYY-MM-DD-HH-MM`
+example: `2.0`
 | extended
 // ===============================================================
 | vulnerability.severity
-| The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (ex. https://nvd.nist.gov/vuln-metrics/cvss)
+| The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss)
 type: keyword
-example: `Critical, High, Medium, Low, None`
+example: `Critical`
 | extended
@@ -4292,25 +4263,27 @@ example: `Critical, High, Medium, Low, None`
 | vulnerability.status
 | The current status of the vulerability on the asset:
-New - The first time a vulnerability is detected by a scan the status is set to New. Active - A vulnerability detected by two or more scans is set to Active. Fixed - A vulnerability was verified by the most recent scan as fixed, and this vulnerability was detected by the previous scan. Re-Opened - A vulnerability was reopened by the most recent scan, and this vulnerability was verified as fixed by the previous scan.
+* New - First time a vulnerability is detected by a scan the status is set to New. * Active - A vulnerability detected by two or more scans is set to Active. * Fixed - A vulnerability was verified by the most recent scan as Fixed. * Re-Opened - A vulnerability was reopened by the most recent scan.
-For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)
+For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)
 type: keyword
-example: `New, Active, Fixed, Re-Opened`
+example: `New`
 | extended
 // ===============================================================
-|=====
-
-==== Field Reuse
+| vulnerability.url
+| A URL to a resource that provides additional information, context, and mitigations for the identified vulnerabiltiy. For example (https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ssh)
-The `vulnerability` fields are expected to be nested at: `client.vulnerability`, `host.vulnerability`, `observer.vulnerability`, `os.vulnerability`.
+type: keyword
-Note also that the `vulnerability` fields may be used directly at the top level.
+example: `https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111`
+| extended
+// ===============================================================
+|=====
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml
index c9ce425bbf..9053506e40 100644
--- a/generated/beats/fields.ecs.yml
+++ b/generated/beats/fields.ecs.yml
@@ -352,112 +352,6 @@ ignore_above: 1024 description: Short name or login of the user. example: albert - - name: vulnerability.category - level: extended - type: keyword - ignore_above: 1024 - description: The type of system or architecture that the vulnerability affects. - These may be platform-specific (for example, Debian or SUSE) or general (for - example, Database or Firewall). For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm) - example: AIX, Firewall, Malware, Office Application, Solaris, Windows - - name: vulnerability.cve.description - level: extended - type: keyword - ignore_above: 1024 - description: 'The Common Vulnerability and Exposures (CVE) list is an open source - list for publicly known cybersecurity vulnerabilities providing an identification - number, a description, and at least one public reference. - - The description of the vulnerability that provides additional context of the - vulnerability. For example (ex. https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created)' - example: In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible - to time-to-check-time-to-use bugs and would also allow one user of the system - (who didn't have root access) to tamper with another's installs. - - name: vulnerability.cve.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The Common Vulnerability and Exposures (CVE) list is an open source - list for publicly known cybersecurity vulnerabilities providing an identification - number, a description, and at least one public reference. - - The identification (ID) is the number portion of a CVE Entry. It includes - the year the vulnerability ID was requested followed by a sequence number. - CVE-YYYY-NNNNN. For example (ex. 
https://cve.mitre.org/about/faqs.html#what_is_cve_id)' - example: CVE-2019-00001, CVE-2019-00002 - - name: vulnerability.cvss.score.base - level: extended - type: long - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - - Base scores cover an assessment for exploitability metrics (attack vector, - complexity, privileges, and user interaction), impact metrics (confidentialy, - integrity, and availability), and scope. For example (ex. https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - - name: vulnerability.cvss.score.evironmental - level: extended - type: long - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - - Environmental scores cover an assessment for any modified Base metrics, confidentiality, - integrity, and availability requirements. For example (ex. https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - - name: vulnerability.cvss.score.temporal - level: extended - type: long - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - - Temporal scores cover an assessment for code maturity, remediation level, - and confidence. For example (ex. https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - - name: vulnerability.detected.first - level: extended - type: date - description: The first time that the vulnerability was observed on the asset. 
- example: YYYY-MM-DD-HH-MM - - name: vulnerability.detected.last - level: extended - type: date - description: The last time that the vulnerability was observed on the asset. - example: YYYY-MM-DD-HH-MM - - name: vulnerability.scanned.first - level: extended - type: date - description: The first time that the asset was scanned for vulnerabilities. - example: YYYY-MM-DD-HH-MM - - name: vulnerability.scanned.last - level: extended - type: date - description: The last time that the asset was scanned for vulnerabilities. - example: YYYY-MM-DD-HH-MM - - name: vulnerability.severity - level: extended - type: keyword - ignore_above: 1024 - description: The severity of the vulnerability can help with metrics and internal - prioritization regarding remediation. For example (ex. https://nvd.nist.gov/vuln-metrics/cvss) - example: Critical, High, Medium, Low, None - - name: vulnerability.status - level: extended - type: keyword - ignore_above: 1024 - description: 'The current status of the vulerability on the asset: - - New - The first time a vulnerability is detected by a scan the status is set - to New. Active - A vulnerability detected by two or more scans is set to Active. - Fixed - A vulnerability was verified by the most recent scan as fixed, and - this vulnerability was detected by the previous scan. Re-Opened - A vulnerability - was reopened by the most recent scan, and this vulnerability was verified - as fixed by the previous scan. - - For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)' - example: New, Active, Fixed, Re-Opened - name: cloud title: Cloud group: 2 
@@ -1599,112 +1493,6 @@ ignore_above: 1024 description: Operating system version as a raw string. example: 10.14.1 - - name: os.vulnerability.category - level: extended - type: keyword - ignore_above: 1024 - description: The type of system or architecture that the vulnerability affects. - These may be platform-specific (for example, Debian or SUSE) or general (for - example, Database or Firewall). For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm) - example: AIX, Firewall, Malware, Office Application, Solaris, Windows - - name: os.vulnerability.cve.description - level: extended - type: keyword - ignore_above: 1024 - description: 'The Common Vulnerability and Exposures (CVE) list is an open source - list for publicly known cybersecurity vulnerabilities providing an identification - number, a description, and at least one public reference. - - The description of the vulnerability that provides additional context of the - vulnerability. For example (ex. https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created)' - example: In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible - to time-to-check-time-to-use bugs and would also allow one user of the system - (who didn't have root access) to tamper with another's installs. - - name: os.vulnerability.cve.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The Common Vulnerability and Exposures (CVE) list is an open source - list for publicly known cybersecurity vulnerabilities providing an identification - number, a description, and at least one public reference. - - The identification (ID) is the number portion of a CVE Entry. It includes - the year the vulnerability ID was requested followed by a sequence number. - CVE-YYYY-NNNNN. For example (ex. 
https://cve.mitre.org/about/faqs.html#what_is_cve_id)' - example: CVE-2019-00001, CVE-2019-00002 - - name: os.vulnerability.cvss.score.base - level: extended - type: long - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - - Base scores cover an assessment for exploitability metrics (attack vector, - complexity, privileges, and user interaction), impact metrics (confidentialy, - integrity, and availability), and scope. For example (ex. https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - - name: os.vulnerability.cvss.score.evironmental - level: extended - type: long - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - - Environmental scores cover an assessment for any modified Base metrics, confidentiality, - integrity, and availability requirements. For example (ex. https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - - name: os.vulnerability.cvss.score.temporal - level: extended - type: long - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - - Temporal scores cover an assessment for code maturity, remediation level, - and confidence. For example (ex. https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - - name: os.vulnerability.detected.first - level: extended - type: date - description: The first time that the vulnerability was observed on the asset. 
- example: YYYY-MM-DD-HH-MM - - name: os.vulnerability.detected.last - level: extended - type: date - description: The last time that the vulnerability was observed on the asset. - example: YYYY-MM-DD-HH-MM - - name: os.vulnerability.scanned.first - level: extended - type: date - description: The first time that the asset was scanned for vulnerabilities. - example: YYYY-MM-DD-HH-MM - - name: os.vulnerability.scanned.last - level: extended - type: date - description: The last time that the asset was scanned for vulnerabilities. - example: YYYY-MM-DD-HH-MM - - name: os.vulnerability.severity - level: extended - type: keyword - ignore_above: 1024 - description: The severity of the vulnerability can help with metrics and internal - prioritization regarding remediation. For example (ex. https://nvd.nist.gov/vuln-metrics/cvss) - example: Critical, High, Medium, Low, None - - name: os.vulnerability.status - level: extended - type: keyword - ignore_above: 1024 - description: 'The current status of the vulerability on the asset: - - New - The first time a vulnerability is detected by a scan the status is set - to New. Active - A vulnerability detected by two or more scans is set to Active. - Fixed - A vulnerability was verified by the most recent scan as fixed, and - this vulnerability was detected by the previous scan. Re-Opened - A vulnerability - was reopened by the most recent scan, and this vulnerability was verified - as fixed by the previous scan. - - For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)' - example: New, Active, Fixed, Re-Opened - name: type level: core type: keyword 
@@ -1774,112 +1562,6 @@ ignore_above: 1024 description: Short name or login of the user. example: albert - - name: vulnerability.category - level: extended - type: keyword - ignore_above: 1024 - description: The type of system or architecture that the vulnerability affects. - These may be platform-specific (for example, Debian or SUSE) or general (for - example, Database or Firewall). For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm) - example: AIX, Firewall, Malware, Office Application, Solaris, Windows - - name: vulnerability.cve.description - level: extended - type: keyword - ignore_above: 1024 - description: 'The Common Vulnerability and Exposures (CVE) list is an open source - list for publicly known cybersecurity vulnerabilities providing an identification - number, a description, and at least one public reference. - - The description of the vulnerability that provides additional context of the - vulnerability. For example (ex. https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created)' - example: In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible - to time-to-check-time-to-use bugs and would also allow one user of the system - (who didn't have root access) to tamper with another's installs. - - name: vulnerability.cve.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The Common Vulnerability and Exposures (CVE) list is an open source - list for publicly known cybersecurity vulnerabilities providing an identification - number, a description, and at least one public reference. - - The identification (ID) is the number portion of a CVE Entry. It includes - the year the vulnerability ID was requested followed by a sequence number. - CVE-YYYY-NNNNN. For example (ex. 
https://cve.mitre.org/about/faqs.html#what_is_cve_id)' - example: CVE-2019-00001, CVE-2019-00002 - - name: vulnerability.cvss.score.base - level: extended - type: long - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - - Base scores cover an assessment for exploitability metrics (attack vector, - complexity, privileges, and user interaction), impact metrics (confidentialy, - integrity, and availability), and scope. For example (ex. https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - - name: vulnerability.cvss.score.evironmental - level: extended - type: long - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - - Environmental scores cover an assessment for any modified Base metrics, confidentiality, - integrity, and availability requirements. For example (ex. https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - - name: vulnerability.cvss.score.temporal - level: extended - type: long - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - - Temporal scores cover an assessment for code maturity, remediation level, - and confidence. For example (ex. https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - - name: vulnerability.detected.first - level: extended - type: date - description: The first time that the vulnerability was observed on the asset. 
- example: YYYY-MM-DD-HH-MM - - name: vulnerability.detected.last - level: extended - type: date - description: The last time that the vulnerability was observed on the asset. - example: YYYY-MM-DD-HH-MM - - name: vulnerability.scanned.first - level: extended - type: date - description: The first time that the asset was scanned for vulnerabilities. - example: YYYY-MM-DD-HH-MM - - name: vulnerability.scanned.last - level: extended - type: date - description: The last time that the asset was scanned for vulnerabilities. - example: YYYY-MM-DD-HH-MM - - name: vulnerability.severity - level: extended - type: keyword - ignore_above: 1024 - description: The severity of the vulnerability can help with metrics and internal - prioritization regarding remediation. For example (ex. https://nvd.nist.gov/vuln-metrics/cvss) - example: Critical, High, Medium, Low, None - - name: vulnerability.status - level: extended - type: keyword - ignore_above: 1024 - description: 'The current status of the vulerability on the asset: - - New - The first time a vulnerability is detected by a scan the status is set - to New. Active - A vulnerability detected by two or more scans is set to Active. - Fixed - A vulnerability was verified by the most recent scan as fixed, and - this vulnerability was detected by the previous scan. Re-Opened - A vulnerability - was reopened by the most recent scan, and this vulnerability was verified - as fixed by the previous scan. - - For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)' - example: New, Active, Fixed, Re-Opened - name: http title: HTTP group: 2 
@@ -2307,112 +1989,6 @@ ignore_above: 1024 description: Operating system version as a raw string. example: 10.14.1 - - name: os.vulnerability.category - level: extended - type: keyword - ignore_above: 1024 - description: The type of system or architecture that the vulnerability affects. - These may be platform-specific (for example, Debian or SUSE) or general (for - example, Database or Firewall). For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm) - example: AIX, Firewall, Malware, Office Application, Solaris, Windows - - name: os.vulnerability.cve.description - level: extended - type: keyword - ignore_above: 1024 - description: 'The Common Vulnerability and Exposures (CVE) list is an open source - list for publicly known cybersecurity vulnerabilities providing an identification - number, a description, and at least one public reference. - - The description of the vulnerability that provides additional context of the - vulnerability. For example (ex. https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created)' - example: In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible - to time-to-check-time-to-use bugs and would also allow one user of the system - (who didn't have root access) to tamper with another's installs. - - name: os.vulnerability.cve.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The Common Vulnerability and Exposures (CVE) list is an open source - list for publicly known cybersecurity vulnerabilities providing an identification - number, a description, and at least one public reference. - - The identification (ID) is the number portion of a CVE Entry. It includes - the year the vulnerability ID was requested followed by a sequence number. - CVE-YYYY-NNNNN. For example (ex. 
https://cve.mitre.org/about/faqs.html#what_is_cve_id)' - example: CVE-2019-00001, CVE-2019-00002 - - name: os.vulnerability.cvss.score.base - level: extended - type: long - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - - Base scores cover an assessment for exploitability metrics (attack vector, - complexity, privileges, and user interaction), impact metrics (confidentialy, - integrity, and availability), and scope. For example (ex. https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - - name: os.vulnerability.cvss.score.evironmental - level: extended - type: long - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - - Environmental scores cover an assessment for any modified Base metrics, confidentiality, - integrity, and availability requirements. For example (ex. https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - - name: os.vulnerability.cvss.score.temporal - level: extended - type: long - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - - Temporal scores cover an assessment for code maturity, remediation level, - and confidence. For example (ex. https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - - name: os.vulnerability.detected.first - level: extended - type: date - description: The first time that the vulnerability was observed on the asset. 
- example: YYYY-MM-DD-HH-MM - - name: os.vulnerability.detected.last - level: extended - type: date - description: The last time that the vulnerability was observed on the asset. - example: YYYY-MM-DD-HH-MM - - name: os.vulnerability.scanned.first - level: extended - type: date - description: The first time that the asset was scanned for vulnerabilities. - example: YYYY-MM-DD-HH-MM - - name: os.vulnerability.scanned.last - level: extended - type: date - description: The last time that the asset was scanned for vulnerabilities. - example: YYYY-MM-DD-HH-MM - - name: os.vulnerability.severity - level: extended - type: keyword - ignore_above: 1024 - description: The severity of the vulnerability can help with metrics and internal - prioritization regarding remediation. For example (ex. https://nvd.nist.gov/vuln-metrics/cvss) - example: Critical, High, Medium, Low, None - - name: os.vulnerability.status - level: extended - type: keyword - ignore_above: 1024 - description: 'The current status of the vulerability on the asset: - - New - The first time a vulnerability is detected by a scan the status is set - to New. Active - A vulnerability detected by two or more scans is set to Active. - Fixed - A vulnerability was verified by the most recent scan as fixed, and - this vulnerability was detected by the previous scan. Re-Opened - A vulnerability - was reopened by the most recent scan, and this vulnerability was verified - as fixed by the previous scan. - - For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)' - example: New, Active, Fixed, Re-Opened - name: product level: extended type: keyword 
@@ -2444,112 +2020,6 @@ type: keyword ignore_above: 1024 description: Observer version. - - name: vulnerability.category - level: extended - type: keyword - ignore_above: 1024 - description: The type of system or architecture that the vulnerability affects. - These may be platform-specific (for example, Debian or SUSE) or general (for - example, Database or Firewall). For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm) - example: AIX, Firewall, Malware, Office Application, Solaris, Windows - - name: vulnerability.cve.description - level: extended - type: keyword - ignore_above: 1024 - description: 'The Common Vulnerability and Exposures (CVE) list is an open source - list for publicly known cybersecurity vulnerabilities providing an identification - number, a description, and at least one public reference. - - The description of the vulnerability that provides additional context of the - vulnerability. For example (ex. https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created)' - example: In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible - to time-to-check-time-to-use bugs and would also allow one user of the system - (who didn't have root access) to tamper with another's installs. - - name: vulnerability.cve.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The Common Vulnerability and Exposures (CVE) list is an open source - list for publicly known cybersecurity vulnerabilities providing an identification - number, a description, and at least one public reference. - - The identification (ID) is the number portion of a CVE Entry. It includes - the year the vulnerability ID was requested followed by a sequence number. - CVE-YYYY-NNNNN. For example (ex. 
https://cve.mitre.org/about/faqs.html#what_is_cve_id)' - example: CVE-2019-00001, CVE-2019-00002 - - name: vulnerability.cvss.score.base - level: extended - type: long - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - - Base scores cover an assessment for exploitability metrics (attack vector, - complexity, privileges, and user interaction), impact metrics (confidentialy, - integrity, and availability), and scope. For example (ex. https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - - name: vulnerability.cvss.score.evironmental - level: extended - type: long - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - - Environmental scores cover an assessment for any modified Base metrics, confidentiality, - integrity, and availability requirements. For example (ex. https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - - name: vulnerability.cvss.score.temporal - level: extended - type: long - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - - Temporal scores cover an assessment for code maturity, remediation level, - and confidence. For example (ex. https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - - name: vulnerability.detected.first - level: extended - type: date - description: The first time that the vulnerability was observed on the asset. 
- example: YYYY-MM-DD-HH-MM - - name: vulnerability.detected.last - level: extended - type: date - description: The last time that the vulnerability was observed on the asset. - example: YYYY-MM-DD-HH-MM - - name: vulnerability.scanned.first - level: extended - type: date - description: The first time that the asset was scanned for vulnerabilities. - example: YYYY-MM-DD-HH-MM - - name: vulnerability.scanned.last - level: extended - type: date - description: The last time that the asset was scanned for vulnerabilities. - example: YYYY-MM-DD-HH-MM - - name: vulnerability.severity - level: extended - type: keyword - ignore_above: 1024 - description: The severity of the vulnerability can help with metrics and internal - prioritization regarding remediation. For example (ex. https://nvd.nist.gov/vuln-metrics/cvss) - example: Critical, High, Medium, Low, None - - name: vulnerability.status - level: extended - type: keyword - ignore_above: 1024 - description: 'The current status of the vulerability on the asset: - - New - The first time a vulnerability is detected by a scan the status is set - to New. Active - A vulnerability detected by two or more scans is set to Active. - Fixed - A vulnerability was verified by the most recent scan as fixed, and - this vulnerability was detected by the previous scan. Re-Opened - A vulnerability - was reopened by the most recent scan, and this vulnerability was verified - as fixed by the previous scan. - - For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)' - example: New, Active, Fixed, Re-Opened - name: organization title: Organization group: 2 
@@ -2612,112 +2082,6 @@ ignore_above: 1024 description: Operating system version as a raw string. example: 10.14.1 - - name: vulnerability.category - level: extended - type: keyword - ignore_above: 1024 - description: The type of system or architecture that the vulnerability affects. - These may be platform-specific (for example, Debian or SUSE) or general (for - example, Database or Firewall). For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm) - example: AIX, Firewall, Malware, Office Application, Solaris, Windows - - name: vulnerability.cve.description - level: extended - type: keyword - ignore_above: 1024 - description: 'The Common Vulnerability and Exposures (CVE) list is an open source - list for publicly known cybersecurity vulnerabilities providing an identification - number, a description, and at least one public reference. - - The description of the vulnerability that provides additional context of the - vulnerability. For example (ex. https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created)' - example: In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible - to time-to-check-time-to-use bugs and would also allow one user of the system - (who didn't have root access) to tamper with another's installs. - - name: vulnerability.cve.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The Common Vulnerability and Exposures (CVE) list is an open source - list for publicly known cybersecurity vulnerabilities providing an identification - number, a description, and at least one public reference. - - The identification (ID) is the number portion of a CVE Entry. It includes - the year the vulnerability ID was requested followed by a sequence number. - CVE-YYYY-NNNNN. For example (ex. 
https://cve.mitre.org/about/faqs.html#what_is_cve_id)' - example: CVE-2019-00001, CVE-2019-00002 - - name: vulnerability.cvss.score.base - level: extended - type: long - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - - Base scores cover an assessment for exploitability metrics (attack vector, - complexity, privileges, and user interaction), impact metrics (confidentialy, - integrity, and availability), and scope. For example (ex. https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - - name: vulnerability.cvss.score.evironmental - level: extended - type: long - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - - Environmental scores cover an assessment for any modified Base metrics, confidentiality, - integrity, and availability requirements. For example (ex. https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - - name: vulnerability.cvss.score.temporal - level: extended - type: long - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - - Temporal scores cover an assessment for code maturity, remediation level, - and confidence. For example (ex. https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - - name: vulnerability.detected.first - level: extended - type: date - description: The first time that the vulnerability was observed on the asset. 
- example: YYYY-MM-DD-HH-MM - - name: vulnerability.detected.last - level: extended - type: date - description: The last time that the vulnerability was observed on the asset. - example: YYYY-MM-DD-HH-MM - - name: vulnerability.scanned.first - level: extended - type: date - description: The first time that the asset was scanned for vulnerabilities. - example: YYYY-MM-DD-HH-MM - - name: vulnerability.scanned.last - level: extended - type: date - description: The last time that the asset was scanned for vulnerabilities. - example: YYYY-MM-DD-HH-MM - - name: vulnerability.severity - level: extended - type: keyword - ignore_above: 1024 - description: The severity of the vulnerability can help with metrics and internal - prioritization regarding remediation. For example (ex. https://nvd.nist.gov/vuln-metrics/cvss) - example: Critical, High, Medium, Low, None - - name: vulnerability.status - level: extended - type: keyword - ignore_above: 1024 - description: 'The current status of the vulerability on the asset: - - New - The first time a vulnerability is detected by a scan the status is set - to New. Active - A vulnerability detected by two or more scans is set to Active. - Fixed - A vulnerability was verified by the most recent scan as fixed, and - this vulnerability was detected by the previous scan. Re-Opened - A vulnerability - was reopened by the most recent scan, and this vulnerability was verified - as fixed by the previous scan. - - For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)' - example: New, Active, Fixed, Re-Opened - name: package title: Package group: 2 
@@ -3777,112 +3141,6 @@ ignore_above: 1024 description: Operating system version as a raw string. example: 10.14.1 - - name: os.vulnerability.category - level: extended - type: keyword - ignore_above: 1024 - description: The type of system or architecture that the vulnerability affects. - These may be platform-specific (for example, Debian or SUSE) or general (for - example, Database or Firewall). For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm) - example: AIX, Firewall, Malware, Office Application, Solaris, Windows - - name: os.vulnerability.cve.description - level: extended - type: keyword - ignore_above: 1024 - description: 'The Common Vulnerability and Exposures (CVE) list is an open source - list for publicly known cybersecurity vulnerabilities providing an identification - number, a description, and at least one public reference. - - The description of the vulnerability that provides additional context of the - vulnerability. For example (ex. https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created)' - example: In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible - to time-to-check-time-to-use bugs and would also allow one user of the system - (who didn't have root access) to tamper with another's installs. - - name: os.vulnerability.cve.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The Common Vulnerability and Exposures (CVE) list is an open source - list for publicly known cybersecurity vulnerabilities providing an identification - number, a description, and at least one public reference. - - The identification (ID) is the number portion of a CVE Entry. It includes - the year the vulnerability ID was requested followed by a sequence number. - CVE-YYYY-NNNNN. For example (ex. 
https://cve.mitre.org/about/faqs.html#what_is_cve_id)' - example: CVE-2019-00001, CVE-2019-00002 - - name: os.vulnerability.cvss.score.base - level: extended - type: long - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - - Base scores cover an assessment for exploitability metrics (attack vector, - complexity, privileges, and user interaction), impact metrics (confidentialy, - integrity, and availability), and scope. For example (ex. https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - - name: os.vulnerability.cvss.score.evironmental - level: extended - type: long - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - - Environmental scores cover an assessment for any modified Base metrics, confidentiality, - integrity, and availability requirements. For example (ex. https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - - name: os.vulnerability.cvss.score.temporal - level: extended - type: long - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - - Temporal scores cover an assessment for code maturity, remediation level, - and confidence. For example (ex. https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - - name: os.vulnerability.detected.first - level: extended - type: date - description: The first time that the vulnerability was observed on the asset. 
- example: YYYY-MM-DD-HH-MM - - name: os.vulnerability.detected.last - level: extended - type: date - description: The last time that the vulnerability was observed on the asset. - example: YYYY-MM-DD-HH-MM - - name: os.vulnerability.scanned.first - level: extended - type: date - description: The first time that the asset was scanned for vulnerabilities. - example: YYYY-MM-DD-HH-MM - - name: os.vulnerability.scanned.last - level: extended - type: date - description: The last time that the asset was scanned for vulnerabilities. - example: YYYY-MM-DD-HH-MM - - name: os.vulnerability.severity - level: extended - type: keyword - ignore_above: 1024 - description: The severity of the vulnerability can help with metrics and internal - prioritization regarding remediation. For example (ex. https://nvd.nist.gov/vuln-metrics/cvss) - example: Critical, High, Medium, Low, None - - name: os.vulnerability.status - level: extended - type: keyword - ignore_above: 1024 - description: 'The current status of the vulerability on the asset: - - New - The first time a vulnerability is detected by a scan the status is set - to New. Active - A vulnerability detected by two or more scans is set to Active. - Fixed - A vulnerability was verified by the most recent scan as fixed, and - this vulnerability was detected by the previous scan. Re-Opened - A vulnerability - was reopened by the most recent scan, and this vulnerability was verified - as fixed by the previous scan. - - For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)' - example: New, Active, Fixed, Re-Opened - name: version level: extended type: keyword 
@@ -3892,10 +3150,8 @@ - name: vulnerability title: Vulnerability group: 2 - description: 'The vulnerability fields describe information about a vulnerabilty + description: The vulnerability fields describe information about a vulnerabilty that is relevant to an event. - - Fields can have one entry or multiple entries.' type: group fields: - name: category 
@@ -3904,103 +3160,110 @@ ignore_above: 1024 description: The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for - example, Database or Firewall). For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm) - example: AIX, Firewall, Malware, Office Application, Solaris, Windows - - name: cve.description + example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm) + example: Firewall + - name: classification level: extended type: keyword ignore_above: 1024 - description: 'The Common Vulnerability and Exposures (CVE) list is an open source - list for publicly known cybersecurity vulnerabilities providing an identification - number, a description, and at least one public reference. - - The description of the vulnerability that provides additional context of the - vulnerability. For example (ex. https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created)' - example: In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible - to time-to-check-time-to-use bugs and would also allow one user of the system - (who didn't have root access) to tamper with another's installs. - - name: cve.id + description: The classification of the vulnerability scoring system. For example + (https://www.first.org/cvss/) + example: CVSS + - name: description level: extended type: keyword ignore_above: 1024 - description: 'The Common Vulnerability and Exposures (CVE) list is an open source - list for publicly known cybersecurity vulnerabilities providing an identification - number, a description, and at least one public reference. - - The identification (ID) is the number portion of a CVE Entry. It includes - the year the vulnerability ID was requested followed by a sequence number. - CVE-YYYY-NNNNN. For example (ex. 
https://cve.mitre.org/about/faqs.html#what_is_cve_id)' - example: CVE-2019-00001, CVE-2019-00002 - - name: cvss.score.base + description: The description of the vulnerability that provides additional context + of the vulnerability. For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created) + example: In macOS before 2.12.6, there is a vulnerability in the RPC... + - name: reference level: extended - type: long - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + type: keyword + ignore_above: 1024 + description: The type of identifier used for this vulnerability. For example + (https://cve.mitre.org/about/) + example: CVE + - name: report_id + level: extended + type: keyword + ignore_above: 1024 + description: The report or scan identification number. + example: 20191018.0001 + - name: scanner.id + level: extended + type: keyword + ignore_above: 1024 + description: The identification (ID) is the number portion of a vulnerability + entry. It includes a unique identification number for the vulnerability. For + example (https://cve.mitre.org/about/faqs.html#what_is_cve_id) + example: CVE-2019-00001 + - name: scanner.vendor + level: extended + type: keyword + ignore_above: 1024 + description: The name of the vulnerability scanner vendor. + example: Tenable + - name: score.base + level: extended + type: float + description: 'Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentialy, - integrity, and availability), and scope. For example (ex. https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - - name: cvss.score.evironmental + integrity, and availability), and scope. 
For example (https://www.first.org/cvss/specification-document)' + example: 5.5 + - name: score.environmental level: extended - type: long - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + type: float + description: 'Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Environmental scores cover an assessment for any modified Base metrics, confidentiality, - integrity, and availability requirements. For example (ex. https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - - name: cvss.score.temporal + integrity, and availability requirements. For example (https://www.first.org/cvss/specification-document)' + example: 5.5 + - name: score.temporal level: extended - type: long - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + type: float + description: 'Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Temporal scores cover an assessment for code maturity, remediation level, - and confidence. For example (ex. https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - - name: detected.first + and confidence. For example (https://www.first.org/cvss/specification-document)' + - name: score.version level: extended - type: date - description: The first time that the vulnerability was observed on the asset. - example: YYYY-MM-DD-HH-MM - - name: detected.last - level: extended - type: date - description: The last time that the vulnerability was observed on the asset. - example: YYYY-MM-DD-HH-MM - - name: scanned.first - level: extended - type: date - description: The first time that the asset was scanned for vulnerabilities. 
- example: YYYY-MM-DD-HH-MM - - name: scanned.last - level: extended - type: date - description: The last time that the asset was scanned for vulnerabilities. - example: YYYY-MM-DD-HH-MM + type: keyword + ignore_above: 1024 + description: 'The National Vulnerability Database (NVD) provides qualitative + severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score + ranges in addition to the severity ratings for CVSS v3.0 as they are defined + in the CVSS v3.0 specification. + + CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit + organization, whose mission is to help computer security incident response + teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss)' + example: 2.0 - name: severity level: extended type: keyword ignore_above: 1024 description: The severity of the vulnerability can help with metrics and internal - prioritization regarding remediation. For example (ex. https://nvd.nist.gov/vuln-metrics/cvss) - example: Critical, High, Medium, Low, None + prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) + example: Critical - name: status level: extended type: keyword ignore_above: 1024 description: 'The current status of the vulerability on the asset: - New - The first time a vulnerability is detected by a scan the status is set - to New. Active - A vulnerability detected by two or more scans is set to Active. - Fixed - A vulnerability was verified by the most recent scan as fixed, and - this vulnerability was detected by the previous scan. Re-Opened - A vulnerability - was reopened by the most recent scan, and this vulnerability was verified - as fixed by the previous scan. + * New - First time a vulnerability is detected by a scan the status is set + to New. * Active - A vulnerability detected by two or more scans is set to + Active. * Fixed - A vulnerability was verified by the most recent scan as + Fixed. 
* Re-Opened - A vulnerability was reopened by the most recent scan. - For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)' - example: New, Active, Fixed, Re-Opened + For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)' + example: New + - name: url + level: extended + type: keyword + ignore_above: 1024 + description: A URL to a resource that provides additional information, context, + and mitigations for the identified vulnerabiltiy. For example (https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ssh) + example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111 diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 3bc28e7f14..3900e57056 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -40,18 +40,6 @@ client.user.group.name,keyword,extended,,1.2.0-dev
 client.user.hash,keyword,extended,,1.2.0-dev
 client.user.id,keyword,core,,1.2.0-dev
 client.user.name,keyword,core,albert,1.2.0-dev
-client.vulnerability.category,keyword,extended,"AIX, Firewall, Malware, Office Application, Solaris, Windows",1.2.0-dev
-client.vulnerability.cve.description,keyword,extended,"In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible to time-to-check-time-to-use bugs and would also allow one user of the system (who didn't have root access) to tamper with another's installs.",1.2.0-dev
-client.vulnerability.cve.id,keyword,extended,"CVE-2019-00001, CVE-2019-00002",1.2.0-dev
-client.vulnerability.cvss.score.base,long,extended,"5.5, 6.6",1.2.0-dev
-client.vulnerability.cvss.score.evironmental,long,extended,"5.5, 6.6",1.2.0-dev
-client.vulnerability.cvss.score.temporal,long,extended,"5.5, 6.6",1.2.0-dev
-client.vulnerability.detected.first,date,extended,YYYY-MM-DD-HH-MM,1.2.0-dev
-client.vulnerability.detected.last,date,extended,YYYY-MM-DD-HH-MM,1.2.0-dev
-client.vulnerability.scanned.first,date,extended,YYYY-MM-DD-HH-MM,1.2.0-dev
-client.vulnerability.scanned.last,date,extended,YYYY-MM-DD-HH-MM,1.2.0-dev
-client.vulnerability.severity,keyword,extended,"Critical, High, Medium, Low, None",1.2.0-dev
-client.vulnerability.status,keyword,extended,"New, Active, Fixed, Re-Opened",1.2.0-dev
 cloud.account.id,keyword,extended,666777888999,1.2.0-dev
 cloud.availability_zone,keyword,extended,us-east-1c,1.2.0-dev
 cloud.instance.id,keyword,extended,i-1234567890abcdef0,1.2.0-dev
@@ -197,18 +185,6 @@ host.os.kernel,keyword,extended,4.4.0-112-generic,1.2.0-dev
 host.os.name,keyword,extended,Mac OS X,1.2.0-dev
 host.os.platform,keyword,extended,darwin,1.2.0-dev
 host.os.version,keyword,extended,10.14.1,1.2.0-dev
-host.os.vulnerability.category,keyword,extended,"AIX, Firewall, Malware, Office Application, Solaris, Windows",1.2.0-dev
-host.os.vulnerability.cve.description,keyword,extended,"In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible to time-to-check-time-to-use bugs and would also allow one user of the system (who didn't have root access) to tamper with another's installs.",1.2.0-dev
-host.os.vulnerability.cve.id,keyword,extended,"CVE-2019-00001, CVE-2019-00002",1.2.0-dev
-host.os.vulnerability.cvss.score.base,long,extended,"5.5, 6.6",1.2.0-dev
-host.os.vulnerability.cvss.score.evironmental,long,extended,"5.5, 6.6",1.2.0-dev
-host.os.vulnerability.cvss.score.temporal,long,extended,"5.5, 6.6",1.2.0-dev
-host.os.vulnerability.detected.first,date,extended,YYYY-MM-DD-HH-MM,1.2.0-dev
-host.os.vulnerability.detected.last,date,extended,YYYY-MM-DD-HH-MM,1.2.0-dev
-host.os.vulnerability.scanned.first,date,extended,YYYY-MM-DD-HH-MM,1.2.0-dev
-host.os.vulnerability.scanned.last,date,extended,YYYY-MM-DD-HH-MM,1.2.0-dev
-host.os.vulnerability.severity,keyword,extended,"Critical, High, Medium, Low, None",1.2.0-dev
-host.os.vulnerability.status,keyword,extended,"New, Active, Fixed, Re-Opened",1.2.0-dev
 host.type,keyword,core,,1.2.0-dev
 host.uptime,long,extended,1325,1.2.0-dev
 host.user.domain,keyword,extended,,1.2.0-dev
@@ -220,18 +196,6 @@ host.user.group.name,keyword,extended,,1.2.0-dev
 host.user.hash,keyword,extended,,1.2.0-dev
 host.user.id,keyword,core,,1.2.0-dev
 host.user.name,keyword,core,albert,1.2.0-dev
-host.vulnerability.category,keyword,extended,"AIX, Firewall, Malware, Office Application, Solaris, Windows",1.2.0-dev
-host.vulnerability.cve.description,keyword,extended,"In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible to time-to-check-time-to-use bugs and would also allow one user of the system (who didn't have root access) to tamper with another's installs.",1.2.0-dev
-host.vulnerability.cve.id,keyword,extended,"CVE-2019-00001, CVE-2019-00002",1.2.0-dev
-host.vulnerability.cvss.score.base,long,extended,"5.5, 6.6",1.2.0-dev
-host.vulnerability.cvss.score.evironmental,long,extended,"5.5, 6.6",1.2.0-dev
-host.vulnerability.cvss.score.temporal,long,extended,"5.5, 6.6",1.2.0-dev
-host.vulnerability.detected.first,date,extended,YYYY-MM-DD-HH-MM,1.2.0-dev
-host.vulnerability.detected.last,date,extended,YYYY-MM-DD-HH-MM,1.2.0-dev
-host.vulnerability.scanned.first,date,extended,YYYY-MM-DD-HH-MM,1.2.0-dev
-host.vulnerability.scanned.last,date,extended,YYYY-MM-DD-HH-MM,1.2.0-dev
-host.vulnerability.severity,keyword,extended,"Critical, High, Medium, Low, None",1.2.0-dev
-host.vulnerability.status,keyword,extended,"New, Active, Fixed, Re-Opened",1.2.0-dev
 http.request.body.bytes,long,extended,887,1.2.0-dev
 http.request.body.content,keyword,extended,Hello world,1.2.0-dev
 http.request.bytes,long,extended,1437,1.2.0-dev
@@ -283,35 +247,11 @@ observer.os.kernel,keyword,extended,4.4.0-112-generic,1.2.0-dev
 observer.os.name,keyword,extended,Mac OS X,1.2.0-dev
 observer.os.platform,keyword,extended,darwin,1.2.0-dev
 observer.os.version,keyword,extended,10.14.1,1.2.0-dev
-observer.os.vulnerability.category,keyword,extended,"AIX, Firewall, Malware, Office Application, Solaris, Windows",1.2.0-dev
-observer.os.vulnerability.cve.description,keyword,extended,"In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible to time-to-check-time-to-use bugs and would also allow one user of the system (who didn't have root access) to tamper with another's installs.",1.2.0-dev
-observer.os.vulnerability.cve.id,keyword,extended,"CVE-2019-00001, CVE-2019-00002",1.2.0-dev
-observer.os.vulnerability.cvss.score.base,long,extended,"5.5, 6.6",1.2.0-dev
-observer.os.vulnerability.cvss.score.evironmental,long,extended,"5.5, 6.6",1.2.0-dev
-observer.os.vulnerability.cvss.score.temporal,long,extended,"5.5, 6.6",1.2.0-dev
-observer.os.vulnerability.detected.first,date,extended,YYYY-MM-DD-HH-MM,1.2.0-dev
-observer.os.vulnerability.detected.last,date,extended,YYYY-MM-DD-HH-MM,1.2.0-dev
-observer.os.vulnerability.scanned.first,date,extended,YYYY-MM-DD-HH-MM,1.2.0-dev
-observer.os.vulnerability.scanned.last,date,extended,YYYY-MM-DD-HH-MM,1.2.0-dev
-observer.os.vulnerability.severity,keyword,extended,"Critical, High, Medium, Low, None",1.2.0-dev
-observer.os.vulnerability.status,keyword,extended,"New, Active, Fixed, Re-Opened",1.2.0-dev
 observer.product,keyword,extended,s200,1.2.0-dev
 observer.serial_number,keyword,extended,,1.2.0-dev
 observer.type,keyword,core,firewall,1.2.0-dev
 observer.vendor,keyword,core,Symantec,1.2.0-dev
 observer.version,keyword,core,,1.2.0-dev
-observer.vulnerability.category,keyword,extended,"AIX, Firewall, Malware, Office Application, Solaris, Windows",1.2.0-dev
-observer.vulnerability.cve.description,keyword,extended,"In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible to time-to-check-time-to-use bugs and would also allow one user of the system (who didn't have root access) to tamper with another's installs.",1.2.0-dev
-observer.vulnerability.cve.id,keyword,extended,"CVE-2019-00001, CVE-2019-00002",1.2.0-dev
-observer.vulnerability.cvss.score.base,long,extended,"5.5, 6.6",1.2.0-dev
-observer.vulnerability.cvss.score.evironmental,long,extended,"5.5, 6.6",1.2.0-dev
-observer.vulnerability.cvss.score.temporal,long,extended,"5.5, 6.6",1.2.0-dev
-observer.vulnerability.detected.first,date,extended,YYYY-MM-DD-HH-MM,1.2.0-dev
-observer.vulnerability.detected.last,date,extended,YYYY-MM-DD-HH-MM,1.2.0-dev
-observer.vulnerability.scanned.first,date,extended,YYYY-MM-DD-HH-MM,1.2.0-dev
-observer.vulnerability.scanned.last,date,extended,YYYY-MM-DD-HH-MM,1.2.0-dev
-observer.vulnerability.severity,keyword,extended,"Critical, High, Medium, Low, None",1.2.0-dev
-observer.vulnerability.status,keyword,extended,"New, Active, Fixed, Re-Opened",1.2.0-dev
 organization.id,keyword,extended,,1.2.0-dev
 organization.name,keyword,extended,,1.2.0-dev
 os.family,keyword,extended,debian,1.2.0-dev
@@ -320,18 +260,6 @@ os.kernel,keyword,extended,4.4.0-112-generic,1.2.0-dev
 os.name,keyword,extended,Mac OS X,1.2.0-dev
 os.platform,keyword,extended,darwin,1.2.0-dev
 os.version,keyword,extended,10.14.1,1.2.0-dev
-os.vulnerability.category,keyword,extended,"AIX, Firewall, Malware, Office Application, Solaris, Windows",1.2.0-dev
-os.vulnerability.cve.description,keyword,extended,"In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible to time-to-check-time-to-use bugs and would also allow one user of the system (who didn't have root access) to tamper with another's installs.",1.2.0-dev
-os.vulnerability.cve.id,keyword,extended,"CVE-2019-00001, CVE-2019-00002",1.2.0-dev
-os.vulnerability.cvss.score.base,long,extended,"5.5, 6.6",1.2.0-dev
-os.vulnerability.cvss.score.evironmental,long,extended,"5.5, 6.6",1.2.0-dev
-os.vulnerability.cvss.score.temporal,long,extended,"5.5, 6.6",1.2.0-dev
-os.vulnerability.detected.first,date,extended,YYYY-MM-DD-HH-MM,1.2.0-dev
-os.vulnerability.detected.last,date,extended,YYYY-MM-DD-HH-MM,1.2.0-dev
-os.vulnerability.scanned.first,date,extended,YYYY-MM-DD-HH-MM,1.2.0-dev
-os.vulnerability.scanned.last,date,extended,YYYY-MM-DD-HH-MM,1.2.0-dev
-os.vulnerability.severity,keyword,extended,"Critical, High, Medium, Low, None",1.2.0-dev
-os.vulnerability.status,keyword,extended,"New, Active, Fixed, Re-Opened",1.2.0-dev
 package.architecture,keyword,extended,x86_64,1.2.0-dev
 package.checksum,keyword,extended,68b329da9893e34099c7d8ad5cb9c940,1.2.0-dev
 package.description,keyword,extended,Open source programming language to build simple/reliable/efficient software.,1.2.0-dev
@@ -466,28 +394,18 @@ user_agent.os.kernel,keyword,extended,4.4.0-112-generic,1.2.0-dev
 user_agent.os.name,keyword,extended,Mac OS X,1.2.0-dev
 user_agent.os.platform,keyword,extended,darwin,1.2.0-dev
 user_agent.os.version,keyword,extended,10.14.1,1.2.0-dev
-user_agent.os.vulnerability.category,keyword,extended,"AIX, Firewall, Malware, Office Application, Solaris, Windows",1.2.0-dev
-user_agent.os.vulnerability.cve.description,keyword,extended,"In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible to time-to-check-time-to-use bugs and would also allow one user of the system (who didn't have root access) to tamper with another's installs.",1.2.0-dev
-user_agent.os.vulnerability.cve.id,keyword,extended,"CVE-2019-00001, CVE-2019-00002",1.2.0-dev
-user_agent.os.vulnerability.cvss.score.base,long,extended,"5.5, 6.6",1.2.0-dev
-user_agent.os.vulnerability.cvss.score.evironmental,long,extended,"5.5, 6.6",1.2.0-dev
-user_agent.os.vulnerability.cvss.score.temporal,long,extended,"5.5, 6.6",1.2.0-dev
-user_agent.os.vulnerability.detected.first,date,extended,YYYY-MM-DD-HH-MM,1.2.0-dev
-user_agent.os.vulnerability.detected.last,date,extended,YYYY-MM-DD-HH-MM,1.2.0-dev
-user_agent.os.vulnerability.scanned.first,date,extended,YYYY-MM-DD-HH-MM,1.2.0-dev
-user_agent.os.vulnerability.scanned.last,date,extended,YYYY-MM-DD-HH-MM,1.2.0-dev
-user_agent.os.vulnerability.severity,keyword,extended,"Critical, High, Medium, Low, None",1.2.0-dev
-user_agent.os.vulnerability.status,keyword,extended,"New, Active, Fixed, Re-Opened",1.2.0-dev
 user_agent.version,keyword,extended,12.0,1.2.0-dev
-vulnerability.category,keyword,extended,"AIX, Firewall, Malware, Office Application, Solaris, Windows",1.2.0-dev
-vulnerability.cve.description,keyword,extended,"In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible to time-to-check-time-to-use bugs and would also allow one user of the system (who didn't have root access) to tamper with another's 
installs.",1.2.0-dev
-vulnerability.cve.id,keyword,extended,"CVE-2019-00001, CVE-2019-00002",1.2.0-dev
-vulnerability.cvss.score.base,long,extended,"5.5, 6.6",1.2.0-dev
-vulnerability.cvss.score.evironmental,long,extended,"5.5, 6.6",1.2.0-dev
-vulnerability.cvss.score.temporal,long,extended,"5.5, 6.6",1.2.0-dev
-vulnerability.detected.first,date,extended,YYYY-MM-DD-HH-MM,1.2.0-dev
-vulnerability.detected.last,date,extended,YYYY-MM-DD-HH-MM,1.2.0-dev
-vulnerability.scanned.first,date,extended,YYYY-MM-DD-HH-MM,1.2.0-dev
-vulnerability.scanned.last,date,extended,YYYY-MM-DD-HH-MM,1.2.0-dev
-vulnerability.severity,keyword,extended,"Critical, High, Medium, Low, None",1.2.0-dev
-vulnerability.status,keyword,extended,"New, Active, Fixed, Re-Opened",1.2.0-dev
+vulnerability.category,keyword,extended,Firewall,1.2.0-dev
+vulnerability.classification,keyword,extended,CVSS,1.2.0-dev
+vulnerability.description,keyword,extended,"In macOS before 2.12.6, there is a vulnerability in the RPC...",1.2.0-dev
+vulnerability.reference,keyword,extended,CVE,1.2.0-dev
+vulnerability.report_id,keyword,extended,20191018.0001,1.2.0-dev
+vulnerability.scanner.id,keyword,extended,CVE-2019-00001,1.2.0-dev
+vulnerability.scanner.vendor,keyword,extended,Tenable,1.2.0-dev
+vulnerability.score.base,float,extended,5.5,1.2.0-dev
+vulnerability.score.environmental,float,extended,5.5,1.2.0-dev
+vulnerability.score.temporal,float,extended,,1.2.0-dev
+vulnerability.score.version,keyword,extended,2.0,1.2.0-dev
+vulnerability.severity,keyword,extended,Critical,1.2.0-dev
+vulnerability.status,keyword,extended,New,1.2.0-dev
+vulnerability.url,keyword,extended,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,1.2.0-dev
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml
index 0b41268b4c..b83a63d6cd 100644
--- a/generated/ecs/ecs_flat.yml
+++ b/generated/ecs/ecs_flat.yml
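Review bot: The added `vulnerability.scanner.id` row uses `CVE-2019-00001` as its example, which is a vulnerability identifier rather than a scanner identifier, while the removed `vulnerability.cve.id` row has no dedicated replacement on the new side and `vulnerability.reference` only carries the bare value `CVE`. The CVE or advisory id is the key a defender uses to join scan findings against patch state and threat intelligence, so it deserves its own field with that example, and `vulnerability.scanner.id` should show a scanner-specific value. Two smaller example inconsistencies in the same rows: `vulnerability.score.temporal` has an empty example where `score.base` and `score.environmental` show `5.5`, and `vulnerability.url` points at CVE-2019-6111 while `vulnerability.scanner.id` references CVE-2019-00001. This CSV appears to be generated, so the fix belongs in the field definitions it is built from rather than in this file.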
@@ -442,172 +442,6 @@ client.user.name: original_fieldset: user short: Short name or login of the user. type: keyword -client.vulnerability.category: - description: The type of system or architecture that the vulnerability affects. - These may be platform-specific (for example, Debian or SUSE) or general (for example, - Database or Firewall). For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm) - example: AIX, Firewall, Malware, Office Application, Solaris, Windows - flat_name: client.vulnerability.category - ignore_above: 1024 - level: extended - name: category - order: 3 - original_fieldset: vulnerability - short: Category of a vulnerabilty. - type: keyword -client.vulnerability.cve.description: - description: 'The Common Vulnerability and Exposures (CVE) list is an open source - list for publicly known cybersecurity vulnerabilities providing an identification - number, a description, and at least one public reference. - - The description of the vulnerability that provides additional context of the vulnerability. - For example (ex. https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created)' - example: In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible - to time-to-check-time-to-use bugs and would also allow one user of the system - (who didn't have root access) to tamper with another's installs. - flat_name: client.vulnerability.cve.description - ignore_above: 1024 - level: extended - name: cve.description - order: 4 - original_fieldset: vulnerability - short: Description of the vulnerability. - type: keyword -client.vulnerability.cve.id: - description: 'The Common Vulnerability and Exposures (CVE) list is an open source - list for publicly known cybersecurity vulnerabilities providing an identification - number, a description, and at least one public reference. - - The identification (ID) is the number portion of a CVE Entry. 
It includes the - year the vulnerability ID was requested followed by a sequence number. CVE-YYYY-NNNNN. - For example (ex. https://cve.mitre.org/about/faqs.html#what_is_cve_id)' - example: CVE-2019-00001, CVE-2019-00002 - flat_name: client.vulnerability.cve.id - ignore_above: 1024 - level: extended - name: cve.id - order: 5 - original_fieldset: vulnerability - short: ID of the vulnerability. - type: keyword -client.vulnerability.cvss.score.base: - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - - Base scores cover an assessment for exploitability metrics (attack vector, complexity, - privileges, and user interaction), impact metrics (confidentialy, integrity, and - availability), and scope. For example (ex. https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - flat_name: client.vulnerability.cvss.score.base - level: extended - name: cvss.score.base - order: 0 - original_fieldset: vulnerability - short: CVSS Base score. - type: long -client.vulnerability.cvss.score.evironmental: - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - - Environmental scores cover an assessment for any modified Base metrics, confidentiality, - integrity, and availability requirements. For example (ex. https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - flat_name: client.vulnerability.cvss.score.evironmental - level: extended - name: cvss.score.evironmental - order: 2 - original_fieldset: vulnerability - short: CVSS Environmental score. 
- type: long -client.vulnerability.cvss.score.temporal: - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - - Temporal scores cover an assessment for code maturity, remediation level, and - confidence. For example (ex. https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - flat_name: client.vulnerability.cvss.score.temporal - level: extended - name: cvss.score.temporal - order: 1 - original_fieldset: vulnerability - short: CVSS Temporal score. - type: long -client.vulnerability.detected.first: - description: The first time that the vulnerability was observed on the asset. - example: YYYY-MM-DD-HH-MM - flat_name: client.vulnerability.detected.first - level: extended - name: detected.first - order: 8 - original_fieldset: vulnerability - short: Vulnerability first observed. - type: date -client.vulnerability.detected.last: - description: The last time that the vulnerability was observed on the asset. - example: YYYY-MM-DD-HH-MM - flat_name: client.vulnerability.detected.last - level: extended - name: detected.last - order: 9 - original_fieldset: vulnerability - short: Vulnerability last observed. - type: date -client.vulnerability.scanned.first: - description: The first time that the asset was scanned for vulnerabilities. - example: YYYY-MM-DD-HH-MM - flat_name: client.vulnerability.scanned.first - level: extended - name: scanned.first - order: 10 - original_fieldset: vulnerability - short: Asset first scanned. - type: date -client.vulnerability.scanned.last: - description: The last time that the asset was scanned for vulnerabilities. - example: YYYY-MM-DD-HH-MM - flat_name: client.vulnerability.scanned.last - level: extended - name: scanned.last - order: 11 - original_fieldset: vulnerability - short: Asset last scanned. 
- type: date -client.vulnerability.severity: - description: The severity of the vulnerability can help with metrics and internal - prioritization regarding remediation. For example (ex. https://nvd.nist.gov/vuln-metrics/cvss) - example: Critical, High, Medium, Low, None - flat_name: client.vulnerability.severity - ignore_above: 1024 - level: extended - name: severity - order: 6 - original_fieldset: vulnerability - short: Severity of the vulnerability. - type: keyword -client.vulnerability.status: - description: 'The current status of the vulerability on the asset: - - New - The first time a vulnerability is detected by a scan the status is set to - New. Active - A vulnerability detected by two or more scans is set to Active. - Fixed - A vulnerability was verified by the most recent scan as fixed, and this - vulnerability was detected by the previous scan. Re-Opened - A vulnerability was - reopened by the most recent scan, and this vulnerability was verified as fixed - by the previous scan. - - For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)' - example: New, Active, Fixed, Re-Opened - flat_name: client.vulnerability.status - ignore_above: 1024 - level: extended - name: status - order: 7 - original_fieldset: vulnerability - short: Status of the vulnerability. - type: keyword cloud.account.id: description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. 
@@ -2254,172 +2088,6 @@ host.os.version: original_fieldset: os short: Operating system version as a raw string. type: keyword -host.os.vulnerability.category: - description: The type of system or architecture that the vulnerability affects. - These may be platform-specific (for example, Debian or SUSE) or general (for example, - Database or Firewall). For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm) - example: AIX, Firewall, Malware, Office Application, Solaris, Windows - flat_name: host.os.vulnerability.category - ignore_above: 1024 - level: extended - name: category - order: 3 - original_fieldset: os - short: Category of a vulnerabilty. - type: keyword -host.os.vulnerability.cve.description: - description: 'The Common Vulnerability and Exposures (CVE) list is an open source - list for publicly known cybersecurity vulnerabilities providing an identification - number, a description, and at least one public reference. - - The description of the vulnerability that provides additional context of the vulnerability. - For example (ex. https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created)' - example: In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible - to time-to-check-time-to-use bugs and would also allow one user of the system - (who didn't have root access) to tamper with another's installs. - flat_name: host.os.vulnerability.cve.description - ignore_above: 1024 - level: extended - name: cve.description - order: 4 - original_fieldset: os - short: Description of the vulnerability. - type: keyword -host.os.vulnerability.cve.id: - description: 'The Common Vulnerability and Exposures (CVE) list is an open source - list for publicly known cybersecurity vulnerabilities providing an identification - number, a description, and at least one public reference. - - The identification (ID) is the number portion of a CVE Entry. 
It includes the - year the vulnerability ID was requested followed by a sequence number. CVE-YYYY-NNNNN. - For example (ex. https://cve.mitre.org/about/faqs.html#what_is_cve_id)' - example: CVE-2019-00001, CVE-2019-00002 - flat_name: host.os.vulnerability.cve.id - ignore_above: 1024 - level: extended - name: cve.id - order: 5 - original_fieldset: os - short: ID of the vulnerability. - type: keyword -host.os.vulnerability.cvss.score.base: - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - - Base scores cover an assessment for exploitability metrics (attack vector, complexity, - privileges, and user interaction), impact metrics (confidentialy, integrity, and - availability), and scope. For example (ex. https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - flat_name: host.os.vulnerability.cvss.score.base - level: extended - name: cvss.score.base - order: 0 - original_fieldset: os - short: CVSS Base score. - type: long -host.os.vulnerability.cvss.score.evironmental: - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - - Environmental scores cover an assessment for any modified Base metrics, confidentiality, - integrity, and availability requirements. For example (ex. https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - flat_name: host.os.vulnerability.cvss.score.evironmental - level: extended - name: cvss.score.evironmental - order: 2 - original_fieldset: os - short: CVSS Environmental score. 
- type: long -host.os.vulnerability.cvss.score.temporal: - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - - Temporal scores cover an assessment for code maturity, remediation level, and - confidence. For example (ex. https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - flat_name: host.os.vulnerability.cvss.score.temporal - level: extended - name: cvss.score.temporal - order: 1 - original_fieldset: os - short: CVSS Temporal score. - type: long -host.os.vulnerability.detected.first: - description: The first time that the vulnerability was observed on the asset. - example: YYYY-MM-DD-HH-MM - flat_name: host.os.vulnerability.detected.first - level: extended - name: detected.first - order: 8 - original_fieldset: os - short: Vulnerability first observed. - type: date -host.os.vulnerability.detected.last: - description: The last time that the vulnerability was observed on the asset. - example: YYYY-MM-DD-HH-MM - flat_name: host.os.vulnerability.detected.last - level: extended - name: detected.last - order: 9 - original_fieldset: os - short: Vulnerability last observed. - type: date -host.os.vulnerability.scanned.first: - description: The first time that the asset was scanned for vulnerabilities. - example: YYYY-MM-DD-HH-MM - flat_name: host.os.vulnerability.scanned.first - level: extended - name: scanned.first - order: 10 - original_fieldset: os - short: Asset first scanned. - type: date -host.os.vulnerability.scanned.last: - description: The last time that the asset was scanned for vulnerabilities. - example: YYYY-MM-DD-HH-MM - flat_name: host.os.vulnerability.scanned.last - level: extended - name: scanned.last - order: 11 - original_fieldset: os - short: Asset last scanned. 
- type: date -host.os.vulnerability.severity: - description: The severity of the vulnerability can help with metrics and internal - prioritization regarding remediation. For example (ex. https://nvd.nist.gov/vuln-metrics/cvss) - example: Critical, High, Medium, Low, None - flat_name: host.os.vulnerability.severity - ignore_above: 1024 - level: extended - name: severity - order: 6 - original_fieldset: os - short: Severity of the vulnerability. - type: keyword -host.os.vulnerability.status: - description: 'The current status of the vulerability on the asset: - - New - The first time a vulnerability is detected by a scan the status is set to - New. Active - A vulnerability detected by two or more scans is set to Active. - Fixed - A vulnerability was verified by the most recent scan as fixed, and this - vulnerability was detected by the previous scan. Re-Opened - A vulnerability was - reopened by the most recent scan, and this vulnerability was verified as fixed - by the previous scan. - - For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)' - example: New, Active, Fixed, Re-Opened - flat_name: host.os.vulnerability.status - ignore_above: 1024 - level: extended - name: status - order: 7 - original_fieldset: os - short: Status of the vulnerability. - type: keyword host.type: description: 'Type of host. 
@@ -2541,172 +2209,6 @@ host.user.name: original_fieldset: user short: Short name or login of the user. type: keyword -host.vulnerability.category: - description: The type of system or architecture that the vulnerability affects. - These may be platform-specific (for example, Debian or SUSE) or general (for example, - Database or Firewall). For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm) - example: AIX, Firewall, Malware, Office Application, Solaris, Windows - flat_name: host.vulnerability.category - ignore_above: 1024 - level: extended - name: category - order: 3 - original_fieldset: vulnerability - short: Category of a vulnerabilty. - type: keyword -host.vulnerability.cve.description: - description: 'The Common Vulnerability and Exposures (CVE) list is an open source - list for publicly known cybersecurity vulnerabilities providing an identification - number, a description, and at least one public reference. - - The description of the vulnerability that provides additional context of the vulnerability. - For example (ex. https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created)' - example: In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible - to time-to-check-time-to-use bugs and would also allow one user of the system - (who didn't have root access) to tamper with another's installs. - flat_name: host.vulnerability.cve.description - ignore_above: 1024 - level: extended - name: cve.description - order: 4 - original_fieldset: vulnerability - short: Description of the vulnerability. - type: keyword -host.vulnerability.cve.id: - description: 'The Common Vulnerability and Exposures (CVE) list is an open source - list for publicly known cybersecurity vulnerabilities providing an identification - number, a description, and at least one public reference. - - The identification (ID) is the number portion of a CVE Entry. 
It includes the - year the vulnerability ID was requested followed by a sequence number. CVE-YYYY-NNNNN. - For example (ex. https://cve.mitre.org/about/faqs.html#what_is_cve_id)' - example: CVE-2019-00001, CVE-2019-00002 - flat_name: host.vulnerability.cve.id - ignore_above: 1024 - level: extended - name: cve.id - order: 5 - original_fieldset: vulnerability - short: ID of the vulnerability. - type: keyword -host.vulnerability.cvss.score.base: - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - - Base scores cover an assessment for exploitability metrics (attack vector, complexity, - privileges, and user interaction), impact metrics (confidentialy, integrity, and - availability), and scope. For example (ex. https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - flat_name: host.vulnerability.cvss.score.base - level: extended - name: cvss.score.base - order: 0 - original_fieldset: vulnerability - short: CVSS Base score. - type: long -host.vulnerability.cvss.score.evironmental: - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - - Environmental scores cover an assessment for any modified Base metrics, confidentiality, - integrity, and availability requirements. For example (ex. https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - flat_name: host.vulnerability.cvss.score.evironmental - level: extended - name: cvss.score.evironmental - order: 2 - original_fieldset: vulnerability - short: CVSS Environmental score. 
- type: long -host.vulnerability.cvss.score.temporal: - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - - Temporal scores cover an assessment for code maturity, remediation level, and - confidence. For example (ex. https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - flat_name: host.vulnerability.cvss.score.temporal - level: extended - name: cvss.score.temporal - order: 1 - original_fieldset: vulnerability - short: CVSS Temporal score. - type: long -host.vulnerability.detected.first: - description: The first time that the vulnerability was observed on the asset. - example: YYYY-MM-DD-HH-MM - flat_name: host.vulnerability.detected.first - level: extended - name: detected.first - order: 8 - original_fieldset: vulnerability - short: Vulnerability first observed. - type: date -host.vulnerability.detected.last: - description: The last time that the vulnerability was observed on the asset. - example: YYYY-MM-DD-HH-MM - flat_name: host.vulnerability.detected.last - level: extended - name: detected.last - order: 9 - original_fieldset: vulnerability - short: Vulnerability last observed. - type: date -host.vulnerability.scanned.first: - description: The first time that the asset was scanned for vulnerabilities. - example: YYYY-MM-DD-HH-MM - flat_name: host.vulnerability.scanned.first - level: extended - name: scanned.first - order: 10 - original_fieldset: vulnerability - short: Asset first scanned. - type: date -host.vulnerability.scanned.last: - description: The last time that the asset was scanned for vulnerabilities. - example: YYYY-MM-DD-HH-MM - flat_name: host.vulnerability.scanned.last - level: extended - name: scanned.last - order: 11 - original_fieldset: vulnerability - short: Asset last scanned. 
- type: date -host.vulnerability.severity: - description: The severity of the vulnerability can help with metrics and internal - prioritization regarding remediation. For example (ex. https://nvd.nist.gov/vuln-metrics/cvss) - example: Critical, High, Medium, Low, None - flat_name: host.vulnerability.severity - ignore_above: 1024 - level: extended - name: severity - order: 6 - original_fieldset: vulnerability - short: Severity of the vulnerability. - type: keyword -host.vulnerability.status: - description: 'The current status of the vulerability on the asset: - - New - The first time a vulnerability is detected by a scan the status is set to - New. Active - A vulnerability detected by two or more scans is set to Active. - Fixed - A vulnerability was verified by the most recent scan as fixed, and this - vulnerability was detected by the previous scan. Re-Opened - A vulnerability was - reopened by the most recent scan, and this vulnerability was verified as fixed - by the previous scan. - - For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)' - example: New, Active, Fixed, Re-Opened - flat_name: host.vulnerability.status - ignore_above: 1024 - level: extended - name: status - order: 7 - original_fieldset: vulnerability - short: Status of the vulnerability. - type: keyword http.request.body.bytes: description: Size in bytes of the request body. example: 887 
@@ -3338,213 +2840,47 @@ observer.os.version: original_fieldset: os short: Operating system version as a raw string. type: keyword -observer.os.vulnerability.category: - description: The type of system or architecture that the vulnerability affects. - These may be platform-specific (for example, Debian or SUSE) or general (for example, - Database or Firewall). For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm) - example: AIX, Firewall, Malware, Office Application, Solaris, Windows - flat_name: observer.os.vulnerability.category +observer.product: + description: The product name of the observer. + example: s200 + flat_name: observer.product ignore_above: 1024 level: extended - name: category - order: 3 - original_fieldset: os - short: Category of a vulnerabilty. + name: product + order: 4 + short: The product name of the observer. type: keyword -observer.os.vulnerability.cve.description: - description: 'The Common Vulnerability and Exposures (CVE) list is an open source - list for publicly known cybersecurity vulnerabilities providing an identification - number, a description, and at least one public reference. - - The description of the vulnerability that provides additional context of the vulnerability. - For example (ex. https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created)' - example: In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible - to time-to-check-time-to-use bugs and would also allow one user of the system - (who didn't have root access) to tamper with another's installs. - flat_name: observer.os.vulnerability.cve.description +observer.serial_number: + description: Observer serial number. + flat_name: observer.serial_number ignore_above: 1024 level: extended - name: cve.description - order: 4 - original_fieldset: os - short: Description of the vulnerability. + name: serial_number + order: 7 + short: Observer serial number. 
type: keyword -observer.os.vulnerability.cve.id: - description: 'The Common Vulnerability and Exposures (CVE) list is an open source - list for publicly known cybersecurity vulnerabilities providing an identification - number, a description, and at least one public reference. +observer.type: + description: 'The type of the observer the data is coming from. - The identification (ID) is the number portion of a CVE Entry. It includes the - year the vulnerability ID was requested followed by a sequence number. CVE-YYYY-NNNNN. - For example (ex. https://cve.mitre.org/about/faqs.html#what_is_cve_id)' - example: CVE-2019-00001, CVE-2019-00002 - flat_name: observer.os.vulnerability.cve.id + There is no predefined list of observer types. Some examples are `forwarder`, + `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`.' + example: firewall + flat_name: observer.type ignore_above: 1024 - level: extended - name: cve.id + level: core + name: type + order: 8 + short: The type of the observer the data is coming from. + type: keyword +observer.vendor: + description: Vendor name of the observer. + example: Symantec + flat_name: observer.vendor + ignore_above: 1024 + level: core + name: vendor order: 5 - original_fieldset: os - short: ID of the vulnerability. - type: keyword -observer.os.vulnerability.cvss.score.base: - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - - Base scores cover an assessment for exploitability metrics (attack vector, complexity, - privileges, and user interaction), impact metrics (confidentialy, integrity, and - availability), and scope. For example (ex. 
https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - flat_name: observer.os.vulnerability.cvss.score.base - level: extended - name: cvss.score.base - order: 0 - original_fieldset: os - short: CVSS Base score. - type: long -observer.os.vulnerability.cvss.score.evironmental: - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - - Environmental scores cover an assessment for any modified Base metrics, confidentiality, - integrity, and availability requirements. For example (ex. https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - flat_name: observer.os.vulnerability.cvss.score.evironmental - level: extended - name: cvss.score.evironmental - order: 2 - original_fieldset: os - short: CVSS Environmental score. - type: long -observer.os.vulnerability.cvss.score.temporal: - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - - Temporal scores cover an assessment for code maturity, remediation level, and - confidence. For example (ex. https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - flat_name: observer.os.vulnerability.cvss.score.temporal - level: extended - name: cvss.score.temporal - order: 1 - original_fieldset: os - short: CVSS Temporal score. - type: long -observer.os.vulnerability.detected.first: - description: The first time that the vulnerability was observed on the asset. - example: YYYY-MM-DD-HH-MM - flat_name: observer.os.vulnerability.detected.first - level: extended - name: detected.first - order: 8 - original_fieldset: os - short: Vulnerability first observed. 
- type: date -observer.os.vulnerability.detected.last: - description: The last time that the vulnerability was observed on the asset. - example: YYYY-MM-DD-HH-MM - flat_name: observer.os.vulnerability.detected.last - level: extended - name: detected.last - order: 9 - original_fieldset: os - short: Vulnerability last observed. - type: date -observer.os.vulnerability.scanned.first: - description: The first time that the asset was scanned for vulnerabilities. - example: YYYY-MM-DD-HH-MM - flat_name: observer.os.vulnerability.scanned.first - level: extended - name: scanned.first - order: 10 - original_fieldset: os - short: Asset first scanned. - type: date -observer.os.vulnerability.scanned.last: - description: The last time that the asset was scanned for vulnerabilities. - example: YYYY-MM-DD-HH-MM - flat_name: observer.os.vulnerability.scanned.last - level: extended - name: scanned.last - order: 11 - original_fieldset: os - short: Asset last scanned. - type: date -observer.os.vulnerability.severity: - description: The severity of the vulnerability can help with metrics and internal - prioritization regarding remediation. For example (ex. https://nvd.nist.gov/vuln-metrics/cvss) - example: Critical, High, Medium, Low, None - flat_name: observer.os.vulnerability.severity - ignore_above: 1024 - level: extended - name: severity - order: 6 - original_fieldset: os - short: Severity of the vulnerability. - type: keyword -observer.os.vulnerability.status: - description: 'The current status of the vulerability on the asset: - - New - The first time a vulnerability is detected by a scan the status is set to - New. Active - A vulnerability detected by two or more scans is set to Active. - Fixed - A vulnerability was verified by the most recent scan as fixed, and this - vulnerability was detected by the previous scan. Re-Opened - A vulnerability was - reopened by the most recent scan, and this vulnerability was verified as fixed - by the previous scan. - - For example (ex. 
https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)' - example: New, Active, Fixed, Re-Opened - flat_name: observer.os.vulnerability.status - ignore_above: 1024 - level: extended - name: status - order: 7 - original_fieldset: os - short: Status of the vulnerability. - type: keyword -observer.product: - description: The product name of the observer. - example: s200 - flat_name: observer.product - ignore_above: 1024 - level: extended - name: product - order: 4 - short: The product name of the observer. - type: keyword -observer.serial_number: - description: Observer serial number. - flat_name: observer.serial_number - ignore_above: 1024 - level: extended - name: serial_number - order: 7 - short: Observer serial number. - type: keyword -observer.type: - description: 'The type of the observer the data is coming from. - - There is no predefined list of observer types. Some examples are `forwarder`, - `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`.' - example: firewall - flat_name: observer.type - ignore_above: 1024 - level: core - name: type - order: 8 - short: The type of the observer the data is coming from. - type: keyword -observer.vendor: - description: Vendor name of the observer. - example: Symantec - flat_name: observer.vendor - ignore_above: 1024 - level: core - name: vendor - order: 5 - short: Vendor name of the observer. + short: Vendor name of the observer. type: keyword observer.version: description: Observer version. 
@@ -3555,172 +2891,6 @@ observer.version: order: 6 short: Observer version. type: keyword -observer.vulnerability.category: - description: The type of system or architecture that the vulnerability affects. - These may be platform-specific (for example, Debian or SUSE) or general (for example, - Database or Firewall). For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm) - example: AIX, Firewall, Malware, Office Application, Solaris, Windows - flat_name: observer.vulnerability.category - ignore_above: 1024 - level: extended - name: category - order: 3 - original_fieldset: vulnerability - short: Category of a vulnerabilty. - type: keyword -observer.vulnerability.cve.description: - description: 'The Common Vulnerability and Exposures (CVE) list is an open source - list for publicly known cybersecurity vulnerabilities providing an identification - number, a description, and at least one public reference. - - The description of the vulnerability that provides additional context of the vulnerability. - For example (ex. https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created)' - example: In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible - to time-to-check-time-to-use bugs and would also allow one user of the system - (who didn't have root access) to tamper with another's installs. - flat_name: observer.vulnerability.cve.description - ignore_above: 1024 - level: extended - name: cve.description - order: 4 - original_fieldset: vulnerability - short: Description of the vulnerability. - type: keyword -observer.vulnerability.cve.id: - description: 'The Common Vulnerability and Exposures (CVE) list is an open source - list for publicly known cybersecurity vulnerabilities providing an identification - number, a description, and at least one public reference. - - The identification (ID) is the number portion of a CVE Entry. 
It includes the - year the vulnerability ID was requested followed by a sequence number. CVE-YYYY-NNNNN. - For example (ex. https://cve.mitre.org/about/faqs.html#what_is_cve_id)' - example: CVE-2019-00001, CVE-2019-00002 - flat_name: observer.vulnerability.cve.id - ignore_above: 1024 - level: extended - name: cve.id - order: 5 - original_fieldset: vulnerability - short: ID of the vulnerability. - type: keyword -observer.vulnerability.cvss.score.base: - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - - Base scores cover an assessment for exploitability metrics (attack vector, complexity, - privileges, and user interaction), impact metrics (confidentialy, integrity, and - availability), and scope. For example (ex. https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - flat_name: observer.vulnerability.cvss.score.base - level: extended - name: cvss.score.base - order: 0 - original_fieldset: vulnerability - short: CVSS Base score. - type: long -observer.vulnerability.cvss.score.evironmental: - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - - Environmental scores cover an assessment for any modified Base metrics, confidentiality, - integrity, and availability requirements. For example (ex. https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - flat_name: observer.vulnerability.cvss.score.evironmental - level: extended - name: cvss.score.evironmental - order: 2 - original_fieldset: vulnerability - short: CVSS Environmental score. 
- type: long -observer.vulnerability.cvss.score.temporal: - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - - Temporal scores cover an assessment for code maturity, remediation level, and - confidence. For example (ex. https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - flat_name: observer.vulnerability.cvss.score.temporal - level: extended - name: cvss.score.temporal - order: 1 - original_fieldset: vulnerability - short: CVSS Temporal score. - type: long -observer.vulnerability.detected.first: - description: The first time that the vulnerability was observed on the asset. - example: YYYY-MM-DD-HH-MM - flat_name: observer.vulnerability.detected.first - level: extended - name: detected.first - order: 8 - original_fieldset: vulnerability - short: Vulnerability first observed. - type: date -observer.vulnerability.detected.last: - description: The last time that the vulnerability was observed on the asset. - example: YYYY-MM-DD-HH-MM - flat_name: observer.vulnerability.detected.last - level: extended - name: detected.last - order: 9 - original_fieldset: vulnerability - short: Vulnerability last observed. - type: date -observer.vulnerability.scanned.first: - description: The first time that the asset was scanned for vulnerabilities. - example: YYYY-MM-DD-HH-MM - flat_name: observer.vulnerability.scanned.first - level: extended - name: scanned.first - order: 10 - original_fieldset: vulnerability - short: Asset first scanned. - type: date -observer.vulnerability.scanned.last: - description: The last time that the asset was scanned for vulnerabilities. - example: YYYY-MM-DD-HH-MM - flat_name: observer.vulnerability.scanned.last - level: extended - name: scanned.last - order: 11 - original_fieldset: vulnerability - short: Asset last scanned. 
- type: date -observer.vulnerability.severity: - description: The severity of the vulnerability can help with metrics and internal - prioritization regarding remediation. For example (ex. https://nvd.nist.gov/vuln-metrics/cvss) - example: Critical, High, Medium, Low, None - flat_name: observer.vulnerability.severity - ignore_above: 1024 - level: extended - name: severity - order: 6 - original_fieldset: vulnerability - short: Severity of the vulnerability. - type: keyword -observer.vulnerability.status: - description: 'The current status of the vulerability on the asset: - - New - The first time a vulnerability is detected by a scan the status is set to - New. Active - A vulnerability detected by two or more scans is set to Active. - Fixed - A vulnerability was verified by the most recent scan as fixed, and this - vulnerability was detected by the previous scan. Re-Opened - A vulnerability was - reopened by the most recent scan, and this vulnerability was verified as fixed - by the previous scan. - - For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)' - example: New, Active, Fixed, Re-Opened - flat_name: observer.vulnerability.status - ignore_above: 1024 - level: extended - name: status - order: 7 - original_fieldset: vulnerability - short: Status of the vulnerability. - type: keyword organization.id: description: Unique identifier for the organization. flat_name: organization.id 
@@ -3799,172 +2969,6 @@ os.version: order: 4 short: Operating system version as a raw string. type: keyword -os.vulnerability.category: - description: The type of system or architecture that the vulnerability affects. - These may be platform-specific (for example, Debian or SUSE) or general (for example, - Database or Firewall). For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm) - example: AIX, Firewall, Malware, Office Application, Solaris, Windows - flat_name: os.vulnerability.category - ignore_above: 1024 - level: extended - name: category - order: 3 - original_fieldset: vulnerability - short: Category of a vulnerabilty. - type: keyword -os.vulnerability.cve.description: - description: 'The Common Vulnerability and Exposures (CVE) list is an open source - list for publicly known cybersecurity vulnerabilities providing an identification - number, a description, and at least one public reference. - - The description of the vulnerability that provides additional context of the vulnerability. - For example (ex. https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created)' - example: In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible - to time-to-check-time-to-use bugs and would also allow one user of the system - (who didn't have root access) to tamper with another's installs. - flat_name: os.vulnerability.cve.description - ignore_above: 1024 - level: extended - name: cve.description - order: 4 - original_fieldset: vulnerability - short: Description of the vulnerability. - type: keyword -os.vulnerability.cve.id: - description: 'The Common Vulnerability and Exposures (CVE) list is an open source - list for publicly known cybersecurity vulnerabilities providing an identification - number, a description, and at least one public reference. - - The identification (ID) is the number portion of a CVE Entry. 
It includes the - year the vulnerability ID was requested followed by a sequence number. CVE-YYYY-NNNNN. - For example (ex. https://cve.mitre.org/about/faqs.html#what_is_cve_id)' - example: CVE-2019-00001, CVE-2019-00002 - flat_name: os.vulnerability.cve.id - ignore_above: 1024 - level: extended - name: cve.id - order: 5 - original_fieldset: vulnerability - short: ID of the vulnerability. - type: keyword -os.vulnerability.cvss.score.base: - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - - Base scores cover an assessment for exploitability metrics (attack vector, complexity, - privileges, and user interaction), impact metrics (confidentialy, integrity, and - availability), and scope. For example (ex. https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - flat_name: os.vulnerability.cvss.score.base - level: extended - name: cvss.score.base - order: 0 - original_fieldset: vulnerability - short: CVSS Base score. - type: long -os.vulnerability.cvss.score.evironmental: - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - - Environmental scores cover an assessment for any modified Base metrics, confidentiality, - integrity, and availability requirements. For example (ex. https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - flat_name: os.vulnerability.cvss.score.evironmental - level: extended - name: cvss.score.evironmental - order: 2 - original_fieldset: vulnerability - short: CVSS Environmental score. 
- type: long -os.vulnerability.cvss.score.temporal: - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - - Temporal scores cover an assessment for code maturity, remediation level, and - confidence. For example (ex. https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - flat_name: os.vulnerability.cvss.score.temporal - level: extended - name: cvss.score.temporal - order: 1 - original_fieldset: vulnerability - short: CVSS Temporal score. - type: long -os.vulnerability.detected.first: - description: The first time that the vulnerability was observed on the asset. - example: YYYY-MM-DD-HH-MM - flat_name: os.vulnerability.detected.first - level: extended - name: detected.first - order: 8 - original_fieldset: vulnerability - short: Vulnerability first observed. - type: date -os.vulnerability.detected.last: - description: The last time that the vulnerability was observed on the asset. - example: YYYY-MM-DD-HH-MM - flat_name: os.vulnerability.detected.last - level: extended - name: detected.last - order: 9 - original_fieldset: vulnerability - short: Vulnerability last observed. - type: date -os.vulnerability.scanned.first: - description: The first time that the asset was scanned for vulnerabilities. - example: YYYY-MM-DD-HH-MM - flat_name: os.vulnerability.scanned.first - level: extended - name: scanned.first - order: 10 - original_fieldset: vulnerability - short: Asset first scanned. - type: date -os.vulnerability.scanned.last: - description: The last time that the asset was scanned for vulnerabilities. - example: YYYY-MM-DD-HH-MM - flat_name: os.vulnerability.scanned.last - level: extended - name: scanned.last - order: 11 - original_fieldset: vulnerability - short: Asset last scanned. 
- type: date -os.vulnerability.severity: - description: The severity of the vulnerability can help with metrics and internal - prioritization regarding remediation. For example (ex. https://nvd.nist.gov/vuln-metrics/cvss) - example: Critical, High, Medium, Low, None - flat_name: os.vulnerability.severity - ignore_above: 1024 - level: extended - name: severity - order: 6 - original_fieldset: vulnerability - short: Severity of the vulnerability. - type: keyword -os.vulnerability.status: - description: 'The current status of the vulerability on the asset: - - New - The first time a vulnerability is detected by a scan the status is set to - New. Active - A vulnerability detected by two or more scans is set to Active. - Fixed - A vulnerability was verified by the most recent scan as fixed, and this - vulnerability was detected by the previous scan. Re-Opened - A vulnerability was - reopened by the most recent scan, and this vulnerability was verified as fixed - by the previous scan. - - For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)' - example: New, Active, Fixed, Re-Opened - flat_name: os.vulnerability.status - ignore_above: 1024 - level: extended - name: status - order: 7 - original_fieldset: vulnerability - short: Status of the vulnerability. - type: keyword package.architecture: description: Package architecture. example: x86_64 
@@ -5501,172 +4505,6 @@ user_agent.os.version: original_fieldset: os short: Operating system version as a raw string. type: keyword -user_agent.os.vulnerability.category: - description: The type of system or architecture that the vulnerability affects. - These may be platform-specific (for example, Debian or SUSE) or general (for example, - Database or Firewall). For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm) - example: AIX, Firewall, Malware, Office Application, Solaris, Windows - flat_name: user_agent.os.vulnerability.category - ignore_above: 1024 - level: extended - name: category - order: 3 - original_fieldset: os - short: Category of a vulnerabilty. - type: keyword -user_agent.os.vulnerability.cve.description: - description: 'The Common Vulnerability and Exposures (CVE) list is an open source - list for publicly known cybersecurity vulnerabilities providing an identification - number, a description, and at least one public reference. - - The description of the vulnerability that provides additional context of the vulnerability. - For example (ex. https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created)' - example: In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible - to time-to-check-time-to-use bugs and would also allow one user of the system - (who didn't have root access) to tamper with another's installs. - flat_name: user_agent.os.vulnerability.cve.description - ignore_above: 1024 - level: extended - name: cve.description - order: 4 - original_fieldset: os - short: Description of the vulnerability. - type: keyword -user_agent.os.vulnerability.cve.id: - description: 'The Common Vulnerability and Exposures (CVE) list is an open source - list for publicly known cybersecurity vulnerabilities providing an identification - number, a description, and at least one public reference. - - The identification (ID) is the number portion of a CVE Entry. 
It includes the - year the vulnerability ID was requested followed by a sequence number. CVE-YYYY-NNNNN. - For example (ex. https://cve.mitre.org/about/faqs.html#what_is_cve_id)' - example: CVE-2019-00001, CVE-2019-00002 - flat_name: user_agent.os.vulnerability.cve.id - ignore_above: 1024 - level: extended - name: cve.id - order: 5 - original_fieldset: os - short: ID of the vulnerability. - type: keyword -user_agent.os.vulnerability.cvss.score.base: - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - - Base scores cover an assessment for exploitability metrics (attack vector, complexity, - privileges, and user interaction), impact metrics (confidentialy, integrity, and - availability), and scope. For example (ex. https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - flat_name: user_agent.os.vulnerability.cvss.score.base - level: extended - name: cvss.score.base - order: 0 - original_fieldset: os - short: CVSS Base score. - type: long -user_agent.os.vulnerability.cvss.score.evironmental: - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - - Environmental scores cover an assessment for any modified Base metrics, confidentiality, - integrity, and availability requirements. For example (ex. https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - flat_name: user_agent.os.vulnerability.cvss.score.evironmental - level: extended - name: cvss.score.evironmental - order: 2 - original_fieldset: os - short: CVSS Environmental score. 
- type: long -user_agent.os.vulnerability.cvss.score.temporal: - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - - Temporal scores cover an assessment for code maturity, remediation level, and - confidence. For example (ex. https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - flat_name: user_agent.os.vulnerability.cvss.score.temporal - level: extended - name: cvss.score.temporal - order: 1 - original_fieldset: os - short: CVSS Temporal score. - type: long -user_agent.os.vulnerability.detected.first: - description: The first time that the vulnerability was observed on the asset. - example: YYYY-MM-DD-HH-MM - flat_name: user_agent.os.vulnerability.detected.first - level: extended - name: detected.first - order: 8 - original_fieldset: os - short: Vulnerability first observed. - type: date -user_agent.os.vulnerability.detected.last: - description: The last time that the vulnerability was observed on the asset. - example: YYYY-MM-DD-HH-MM - flat_name: user_agent.os.vulnerability.detected.last - level: extended - name: detected.last - order: 9 - original_fieldset: os - short: Vulnerability last observed. - type: date -user_agent.os.vulnerability.scanned.first: - description: The first time that the asset was scanned for vulnerabilities. - example: YYYY-MM-DD-HH-MM - flat_name: user_agent.os.vulnerability.scanned.first - level: extended - name: scanned.first - order: 10 - original_fieldset: os - short: Asset first scanned. - type: date -user_agent.os.vulnerability.scanned.last: - description: The last time that the asset was scanned for vulnerabilities. - example: YYYY-MM-DD-HH-MM - flat_name: user_agent.os.vulnerability.scanned.last - level: extended - name: scanned.last - order: 11 - original_fieldset: os - short: Asset last scanned. 
- type: date -user_agent.os.vulnerability.severity: - description: The severity of the vulnerability can help with metrics and internal - prioritization regarding remediation. For example (ex. https://nvd.nist.gov/vuln-metrics/cvss) - example: Critical, High, Medium, Low, None - flat_name: user_agent.os.vulnerability.severity - ignore_above: 1024 - level: extended - name: severity - order: 6 - original_fieldset: os - short: Severity of the vulnerability. - type: keyword -user_agent.os.vulnerability.status: - description: 'The current status of the vulerability on the asset: - - New - The first time a vulnerability is detected by a scan the status is set to - New. Active - A vulnerability detected by two or more scans is set to Active. - Fixed - A vulnerability was verified by the most recent scan as fixed, and this - vulnerability was detected by the previous scan. Re-Opened - A vulnerability was - reopened by the most recent scan, and this vulnerability was verified as fixed - by the previous scan. - - For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)' - example: New, Active, Fixed, Re-Opened - flat_name: user_agent.os.vulnerability.status - ignore_above: 1024 - level: extended - name: status - order: 7 - original_fieldset: os - short: Status of the vulnerability. - type: keyword user_agent.version: description: Version of the user agent. example: 12.0 
@@ -5680,154 +4518,167 @@ user_agent.version: vulnerability.category: description: The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, - Database or Firewall). For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm) - example: AIX, Firewall, Malware, Office Application, Solaris, Windows + Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm) + example: Firewall flat_name: vulnerability.category ignore_above: 1024 level: extended name: category - order: 3 + order: 7 short: Category of a vulnerabilty. type: keyword -vulnerability.cve.description: - description: 'The Common Vulnerability and Exposures (CVE) list is an open source - list for publicly known cybersecurity vulnerabilities providing an identification - number, a description, and at least one public reference. - - The description of the vulnerability that provides additional context of the vulnerability. - For example (ex. https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created)' - example: In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible - to time-to-check-time-to-use bugs and would also allow one user of the system - (who didn't have root access) to tamper with another's installs. - flat_name: vulnerability.cve.description +vulnerability.classification: + description: The classification of the vulnerability scoring system. For example + (https://www.first.org/cvss/) + example: CVSS + flat_name: vulnerability.classification ignore_above: 1024 level: extended - name: cve.description - order: 4 + name: classification + order: 0 + short: Classification of the vulnerability. + type: keyword +vulnerability.description: + description: The description of the vulnerability that provides additional context + of the vulnerability. 
For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created) + example: In macOS before 2.12.6, there is a vulnerability in the RPC... + flat_name: vulnerability.description + ignore_above: 1024 + level: extended + name: description + order: 8 short: Description of the vulnerability. type: keyword -vulnerability.cve.id: - description: 'The Common Vulnerability and Exposures (CVE) list is an open source - list for publicly known cybersecurity vulnerabilities providing an identification - number, a description, and at least one public reference. - - The identification (ID) is the number portion of a CVE Entry. It includes the - year the vulnerability ID was requested followed by a sequence number. CVE-YYYY-NNNNN. - For example (ex. https://cve.mitre.org/about/faqs.html#what_is_cve_id)' - example: CVE-2019-00001, CVE-2019-00002 - flat_name: vulnerability.cve.id +vulnerability.reference: + description: The type of identifier used for this vulnerability. For example (https://cve.mitre.org/about/) + example: CVE + flat_name: vulnerability.reference ignore_above: 1024 level: extended - name: cve.id - order: 5 + name: reference + order: 1 + short: Reference of the vulnerability. + type: keyword +vulnerability.report_id: + description: The report or scan identification number. + example: 20191018.0001 + flat_name: vulnerability.report_id + ignore_above: 1024 + level: extended + name: report_id + order: 13 + short: Scan identification number. + type: keyword +vulnerability.scanner.id: + description: The identification (ID) is the number portion of a vulnerability entry. + It includes a unique identification number for the vulnerability. For example + (https://cve.mitre.org/about/faqs.html#what_is_cve_id) + example: CVE-2019-00001 + flat_name: vulnerability.scanner.id + ignore_above: 1024 + level: extended + name: scanner.id + order: 9 short: ID of the vulnerability. 
type: keyword -vulnerability.cvss.score.base: - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. +vulnerability.scanner.vendor: + description: The name of the vulnerability scanner vendor. + example: Tenable + flat_name: vulnerability.scanner.vendor + ignore_above: 1024 + level: extended + name: scanner.vendor + order: 10 + short: Name of the scanner vendor. + type: keyword +vulnerability.score.base: + description: 'Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentialy, integrity, and - availability), and scope. For example (ex. https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - flat_name: vulnerability.cvss.score.base + availability), and scope. For example (https://www.first.org/cvss/specification-document)' + example: 5.5 + flat_name: vulnerability.score.base level: extended - name: cvss.score.base - order: 0 - short: CVSS Base score. - type: long -vulnerability.cvss.score.evironmental: - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + name: score.base + order: 3 + short: Vulnerability Base score. + type: float +vulnerability.score.environmental: + description: 'Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Environmental scores cover an assessment for any modified Base metrics, confidentiality, - integrity, and availability requirements. For example (ex. 
https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - flat_name: vulnerability.cvss.score.evironmental + integrity, and availability requirements. For example (https://www.first.org/cvss/specification-document)' + example: 5.5 + flat_name: vulnerability.score.environmental level: extended - name: cvss.score.evironmental - order: 2 - short: CVSS Environmental score. - type: long -vulnerability.cvss.score.temporal: - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + name: score.environmental + order: 5 + short: Vulnerability Environmental score. + type: float +vulnerability.score.temporal: + description: 'Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Temporal scores cover an assessment for code maturity, remediation level, and - confidence. For example (ex. https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - flat_name: vulnerability.cvss.score.temporal - level: extended - name: cvss.score.temporal - order: 1 - short: CVSS Temporal score. - type: long -vulnerability.detected.first: - description: The first time that the vulnerability was observed on the asset. - example: YYYY-MM-DD-HH-MM - flat_name: vulnerability.detected.first - level: extended - name: detected.first - order: 8 - short: Vulnerability first observed. - type: date -vulnerability.detected.last: - description: The last time that the vulnerability was observed on the asset. - example: YYYY-MM-DD-HH-MM - flat_name: vulnerability.detected.last - level: extended - name: detected.last - order: 9 - short: Vulnerability last observed. - type: date -vulnerability.scanned.first: - description: The first time that the asset was scanned for vulnerabilities. - example: YYYY-MM-DD-HH-MM - flat_name: vulnerability.scanned.first + confidence. 
For example (https://www.first.org/cvss/specification-document)' + flat_name: vulnerability.score.temporal level: extended - name: scanned.first - order: 10 - short: Asset first scanned. - type: date -vulnerability.scanned.last: - description: The last time that the asset was scanned for vulnerabilities. - example: YYYY-MM-DD-HH-MM - flat_name: vulnerability.scanned.last + name: score.temporal + order: 4 + short: Vulnerability Temporal score. + type: float +vulnerability.score.version: + description: 'The National Vulnerability Database (NVD) provides qualitative severity + rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition + to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. + + CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, + whose mission is to help computer security incident response teams across the + world. For example (https://nvd.nist.gov/vuln-metrics/cvss)' + example: 2.0 + flat_name: vulnerability.score.version + ignore_above: 1024 level: extended - name: scanned.last - order: 11 - short: Asset last scanned. - type: date + name: score.version + order: 6 + short: CVSS version. + type: keyword vulnerability.severity: description: The severity of the vulnerability can help with metrics and internal - prioritization regarding remediation. For example (ex. https://nvd.nist.gov/vuln-metrics/cvss) - example: Critical, High, Medium, Low, None + prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) + example: Critical flat_name: vulnerability.severity ignore_above: 1024 level: extended name: severity - order: 6 + order: 11 short: Severity of the vulnerability. type: keyword vulnerability.status: description: 'The current status of the vulerability on the asset: - New - The first time a vulnerability is detected by a scan the status is set to - New. 
Active - A vulnerability detected by two or more scans is set to Active. - Fixed - A vulnerability was verified by the most recent scan as fixed, and this - vulnerability was detected by the previous scan. Re-Opened - A vulnerability was - reopened by the most recent scan, and this vulnerability was verified as fixed - by the previous scan. + * New - First time a vulnerability is detected by a scan the status is set to + New. * Active - A vulnerability detected by two or more scans is set to Active. + * Fixed - A vulnerability was verified by the most recent scan as Fixed. * Re-Opened + - A vulnerability was reopened by the most recent scan. - For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)' - example: New, Active, Fixed, Re-Opened + For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)' + example: New flat_name: vulnerability.status ignore_above: 1024 level: extended name: status - order: 7 + order: 12 short: Status of the vulnerability. type: keyword +vulnerability.url: + description: A URL to a resource that provides additional information, context, + and mitigations for the identified vulnerabiltiy. For example (https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ssh) + example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111 + flat_name: vulnerability.url + ignore_above: 1024 + level: extended + name: url + order: 2 + short: URL describing the vulnerability. + type: keyword diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 5fac7b8b6e..184cfb7965 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -551,176 +551,9 @@ client: original_fieldset: user short: Short name or login of the user. type: keyword - vulnerability.category: - description: The type of system or architecture that the vulnerability affects. - These may be platform-specific (for example, Debian or SUSE) or general (for - example, Database or Firewall). For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm) - example: AIX, Firewall, Malware, Office Application, Solaris, Windows - flat_name: client.vulnerability.category - ignore_above: 1024 - level: extended - name: category - order: 3 - original_fieldset: vulnerability - short: Category of a vulnerabilty. - type: keyword - vulnerability.cve.description: - description: 'The Common Vulnerability and Exposures (CVE) list is an open source - list for publicly known cybersecurity vulnerabilities providing an identification - number, a description, and at least one public reference. - - The description of the vulnerability that provides additional context of the - vulnerability. For example (ex. https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created)' - example: In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible - to time-to-check-time-to-use bugs and would also allow one user of the system - (who didn't have root access) to tamper with another's installs. - flat_name: client.vulnerability.cve.description - ignore_above: 1024 - level: extended - name: cve.description - order: 4 - original_fieldset: vulnerability - short: Description of the vulnerability. - type: keyword - vulnerability.cve.id: - description: 'The Common Vulnerability and Exposures (CVE) list is an open source - list for publicly known cybersecurity vulnerabilities providing an identification - number, a description, and at least one public reference. - - The identification (ID) is the number portion of a CVE Entry. 
It includes - the year the vulnerability ID was requested followed by a sequence number. - CVE-YYYY-NNNNN. For example (ex. https://cve.mitre.org/about/faqs.html#what_is_cve_id)' - example: CVE-2019-00001, CVE-2019-00002 - flat_name: client.vulnerability.cve.id - ignore_above: 1024 - level: extended - name: cve.id - order: 5 - original_fieldset: vulnerability - short: ID of the vulnerability. - type: keyword - vulnerability.cvss.score.base: - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - - Base scores cover an assessment for exploitability metrics (attack vector, - complexity, privileges, and user interaction), impact metrics (confidentialy, - integrity, and availability), and scope. For example (ex. https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - flat_name: client.vulnerability.cvss.score.base - level: extended - name: cvss.score.base - order: 0 - original_fieldset: vulnerability - short: CVSS Base score. - type: long - vulnerability.cvss.score.evironmental: - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - - Environmental scores cover an assessment for any modified Base metrics, confidentiality, - integrity, and availability requirements. For example (ex. https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - flat_name: client.vulnerability.cvss.score.evironmental - level: extended - name: cvss.score.evironmental - order: 2 - original_fieldset: vulnerability - short: CVSS Environmental score. 
- type: long - vulnerability.cvss.score.temporal: - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - - Temporal scores cover an assessment for code maturity, remediation level, - and confidence. For example (ex. https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - flat_name: client.vulnerability.cvss.score.temporal - level: extended - name: cvss.score.temporal - order: 1 - original_fieldset: vulnerability - short: CVSS Temporal score. - type: long - vulnerability.detected.first: - description: The first time that the vulnerability was observed on the asset. - example: YYYY-MM-DD-HH-MM - flat_name: client.vulnerability.detected.first - level: extended - name: detected.first - order: 8 - original_fieldset: vulnerability - short: Vulnerability first observed. - type: date - vulnerability.detected.last: - description: The last time that the vulnerability was observed on the asset. - example: YYYY-MM-DD-HH-MM - flat_name: client.vulnerability.detected.last - level: extended - name: detected.last - order: 9 - original_fieldset: vulnerability - short: Vulnerability last observed. - type: date - vulnerability.scanned.first: - description: The first time that the asset was scanned for vulnerabilities. - example: YYYY-MM-DD-HH-MM - flat_name: client.vulnerability.scanned.first - level: extended - name: scanned.first - order: 10 - original_fieldset: vulnerability - short: Asset first scanned. - type: date - vulnerability.scanned.last: - description: The last time that the asset was scanned for vulnerabilities. - example: YYYY-MM-DD-HH-MM - flat_name: client.vulnerability.scanned.last - level: extended - name: scanned.last - order: 11 - original_fieldset: vulnerability - short: Asset last scanned. 
- type: date - vulnerability.severity: - description: The severity of the vulnerability can help with metrics and internal - prioritization regarding remediation. For example (ex. https://nvd.nist.gov/vuln-metrics/cvss) - example: Critical, High, Medium, Low, None - flat_name: client.vulnerability.severity - ignore_above: 1024 - level: extended - name: severity - order: 6 - original_fieldset: vulnerability - short: Severity of the vulnerability. - type: keyword - vulnerability.status: - description: 'The current status of the vulerability on the asset: - - New - The first time a vulnerability is detected by a scan the status is set - to New. Active - A vulnerability detected by two or more scans is set to Active. - Fixed - A vulnerability was verified by the most recent scan as fixed, and - this vulnerability was detected by the previous scan. Re-Opened - A vulnerability - was reopened by the most recent scan, and this vulnerability was verified - as fixed by the previous scan. - - For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)' - example: New, Active, Fixed, Re-Opened - flat_name: client.vulnerability.status - ignore_above: 1024 - level: extended - name: status - order: 7 - original_fieldset: vulnerability - short: Status of the vulnerability. - type: keyword group: 2 name: client nestings: - - vulnerability - geo - as - user 
@@ -2553,172 +2386,6 @@ host: original_fieldset: os short: Operating system version as a raw string. type: keyword - os.vulnerability.category: - description: The type of system or architecture that the vulnerability affects. - These may be platform-specific (for example, Debian or SUSE) or general (for - example, Database or Firewall). For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm) - example: AIX, Firewall, Malware, Office Application, Solaris, Windows - flat_name: host.os.vulnerability.category - ignore_above: 1024 - level: extended - name: category - order: 3 - original_fieldset: os - short: Category of a vulnerabilty. - type: keyword - os.vulnerability.cve.description: - description: 'The Common Vulnerability and Exposures (CVE) list is an open source - list for publicly known cybersecurity vulnerabilities providing an identification - number, a description, and at least one public reference. - - The description of the vulnerability that provides additional context of the - vulnerability. For example (ex. https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created)' - example: In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible - to time-to-check-time-to-use bugs and would also allow one user of the system - (who didn't have root access) to tamper with another's installs. - flat_name: host.os.vulnerability.cve.description - ignore_above: 1024 - level: extended - name: cve.description - order: 4 - original_fieldset: os - short: Description of the vulnerability. - type: keyword - os.vulnerability.cve.id: - description: 'The Common Vulnerability and Exposures (CVE) list is an open source - list for publicly known cybersecurity vulnerabilities providing an identification - number, a description, and at least one public reference. - - The identification (ID) is the number portion of a CVE Entry. 
It includes - the year the vulnerability ID was requested followed by a sequence number. - CVE-YYYY-NNNNN. For example (ex. https://cve.mitre.org/about/faqs.html#what_is_cve_id)' - example: CVE-2019-00001, CVE-2019-00002 - flat_name: host.os.vulnerability.cve.id - ignore_above: 1024 - level: extended - name: cve.id - order: 5 - original_fieldset: os - short: ID of the vulnerability. - type: keyword - os.vulnerability.cvss.score.base: - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - - Base scores cover an assessment for exploitability metrics (attack vector, - complexity, privileges, and user interaction), impact metrics (confidentialy, - integrity, and availability), and scope. For example (ex. https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - flat_name: host.os.vulnerability.cvss.score.base - level: extended - name: cvss.score.base - order: 0 - original_fieldset: os - short: CVSS Base score. - type: long - os.vulnerability.cvss.score.evironmental: - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - - Environmental scores cover an assessment for any modified Base metrics, confidentiality, - integrity, and availability requirements. For example (ex. https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - flat_name: host.os.vulnerability.cvss.score.evironmental - level: extended - name: cvss.score.evironmental - order: 2 - original_fieldset: os - short: CVSS Environmental score. 
- type: long - os.vulnerability.cvss.score.temporal: - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - - Temporal scores cover an assessment for code maturity, remediation level, - and confidence. For example (ex. https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - flat_name: host.os.vulnerability.cvss.score.temporal - level: extended - name: cvss.score.temporal - order: 1 - original_fieldset: os - short: CVSS Temporal score. - type: long - os.vulnerability.detected.first: - description: The first time that the vulnerability was observed on the asset. - example: YYYY-MM-DD-HH-MM - flat_name: host.os.vulnerability.detected.first - level: extended - name: detected.first - order: 8 - original_fieldset: os - short: Vulnerability first observed. - type: date - os.vulnerability.detected.last: - description: The last time that the vulnerability was observed on the asset. - example: YYYY-MM-DD-HH-MM - flat_name: host.os.vulnerability.detected.last - level: extended - name: detected.last - order: 9 - original_fieldset: os - short: Vulnerability last observed. - type: date - os.vulnerability.scanned.first: - description: The first time that the asset was scanned for vulnerabilities. - example: YYYY-MM-DD-HH-MM - flat_name: host.os.vulnerability.scanned.first - level: extended - name: scanned.first - order: 10 - original_fieldset: os - short: Asset first scanned. - type: date - os.vulnerability.scanned.last: - description: The last time that the asset was scanned for vulnerabilities. - example: YYYY-MM-DD-HH-MM - flat_name: host.os.vulnerability.scanned.last - level: extended - name: scanned.last - order: 11 - original_fieldset: os - short: Asset last scanned. 
- type: date - os.vulnerability.severity: - description: The severity of the vulnerability can help with metrics and internal - prioritization regarding remediation. For example (ex. https://nvd.nist.gov/vuln-metrics/cvss) - example: Critical, High, Medium, Low, None - flat_name: host.os.vulnerability.severity - ignore_above: 1024 - level: extended - name: severity - order: 6 - original_fieldset: os - short: Severity of the vulnerability. - type: keyword - os.vulnerability.status: - description: 'The current status of the vulerability on the asset: - - New - The first time a vulnerability is detected by a scan the status is set - to New. Active - A vulnerability detected by two or more scans is set to Active. - Fixed - A vulnerability was verified by the most recent scan as fixed, and - this vulnerability was detected by the previous scan. Re-Opened - A vulnerability - was reopened by the most recent scan, and this vulnerability was verified - as fixed by the previous scan. - - For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)' - example: New, Active, Fixed, Re-Opened - flat_name: host.os.vulnerability.status - ignore_above: 1024 - level: extended - name: status - order: 7 - original_fieldset: os - short: Status of the vulnerability. - type: keyword type: description: 'Type of host. 
@@ -2841,176 +2508,9 @@ host: original_fieldset: user short: Short name or login of the user. type: keyword - vulnerability.category: - description: The type of system or architecture that the vulnerability affects. - These may be platform-specific (for example, Debian or SUSE) or general (for - example, Database or Firewall). For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm) - example: AIX, Firewall, Malware, Office Application, Solaris, Windows - flat_name: host.vulnerability.category - ignore_above: 1024 - level: extended - name: category - order: 3 - original_fieldset: vulnerability - short: Category of a vulnerabilty. - type: keyword - vulnerability.cve.description: - description: 'The Common Vulnerability and Exposures (CVE) list is an open source - list for publicly known cybersecurity vulnerabilities providing an identification - number, a description, and at least one public reference. - - The description of the vulnerability that provides additional context of the - vulnerability. For example (ex. https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created)' - example: In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible - to time-to-check-time-to-use bugs and would also allow one user of the system - (who didn't have root access) to tamper with another's installs. - flat_name: host.vulnerability.cve.description - ignore_above: 1024 - level: extended - name: cve.description - order: 4 - original_fieldset: vulnerability - short: Description of the vulnerability. - type: keyword - vulnerability.cve.id: - description: 'The Common Vulnerability and Exposures (CVE) list is an open source - list for publicly known cybersecurity vulnerabilities providing an identification - number, a description, and at least one public reference. - - The identification (ID) is the number portion of a CVE Entry. 
It includes - the year the vulnerability ID was requested followed by a sequence number. - CVE-YYYY-NNNNN. For example (ex. https://cve.mitre.org/about/faqs.html#what_is_cve_id)' - example: CVE-2019-00001, CVE-2019-00002 - flat_name: host.vulnerability.cve.id - ignore_above: 1024 - level: extended - name: cve.id - order: 5 - original_fieldset: vulnerability - short: ID of the vulnerability. - type: keyword - vulnerability.cvss.score.base: - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - - Base scores cover an assessment for exploitability metrics (attack vector, - complexity, privileges, and user interaction), impact metrics (confidentialy, - integrity, and availability), and scope. For example (ex. https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - flat_name: host.vulnerability.cvss.score.base - level: extended - name: cvss.score.base - order: 0 - original_fieldset: vulnerability - short: CVSS Base score. - type: long - vulnerability.cvss.score.evironmental: - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - - Environmental scores cover an assessment for any modified Base metrics, confidentiality, - integrity, and availability requirements. For example (ex. https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - flat_name: host.vulnerability.cvss.score.evironmental - level: extended - name: cvss.score.evironmental - order: 2 - original_fieldset: vulnerability - short: CVSS Environmental score. 
- type: long - vulnerability.cvss.score.temporal: - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - - Temporal scores cover an assessment for code maturity, remediation level, - and confidence. For example (ex. https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - flat_name: host.vulnerability.cvss.score.temporal - level: extended - name: cvss.score.temporal - order: 1 - original_fieldset: vulnerability - short: CVSS Temporal score. - type: long - vulnerability.detected.first: - description: The first time that the vulnerability was observed on the asset. - example: YYYY-MM-DD-HH-MM - flat_name: host.vulnerability.detected.first - level: extended - name: detected.first - order: 8 - original_fieldset: vulnerability - short: Vulnerability first observed. - type: date - vulnerability.detected.last: - description: The last time that the vulnerability was observed on the asset. - example: YYYY-MM-DD-HH-MM - flat_name: host.vulnerability.detected.last - level: extended - name: detected.last - order: 9 - original_fieldset: vulnerability - short: Vulnerability last observed. - type: date - vulnerability.scanned.first: - description: The first time that the asset was scanned for vulnerabilities. - example: YYYY-MM-DD-HH-MM - flat_name: host.vulnerability.scanned.first - level: extended - name: scanned.first - order: 10 - original_fieldset: vulnerability - short: Asset first scanned. - type: date - vulnerability.scanned.last: - description: The last time that the asset was scanned for vulnerabilities. - example: YYYY-MM-DD-HH-MM - flat_name: host.vulnerability.scanned.last - level: extended - name: scanned.last - order: 11 - original_fieldset: vulnerability - short: Asset last scanned. 
- type: date - vulnerability.severity: - description: The severity of the vulnerability can help with metrics and internal - prioritization regarding remediation. For example (ex. https://nvd.nist.gov/vuln-metrics/cvss) - example: Critical, High, Medium, Low, None - flat_name: host.vulnerability.severity - ignore_above: 1024 - level: extended - name: severity - order: 6 - original_fieldset: vulnerability - short: Severity of the vulnerability. - type: keyword - vulnerability.status: - description: 'The current status of the vulerability on the asset: - - New - The first time a vulnerability is detected by a scan the status is set - to New. Active - A vulnerability detected by two or more scans is set to Active. - Fixed - A vulnerability was verified by the most recent scan as fixed, and - this vulnerability was detected by the previous scan. Re-Opened - A vulnerability - was reopened by the most recent scan, and this vulnerability was verified - as fixed by the previous scan. - - For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)' - example: New, Active, Fixed, Re-Opened - flat_name: host.vulnerability.status - ignore_above: 1024 - level: extended - name: status - order: 7 - original_fieldset: vulnerability - short: Status of the vulnerability. - type: keyword group: 2 name: host nestings: - - vulnerability - geo - os - user 
@@ -3672,213 +3172,47 @@ observer: original_fieldset: os short: Operating system version as a raw string. type: keyword - os.vulnerability.category: - description: The type of system or architecture that the vulnerability affects. - These may be platform-specific (for example, Debian or SUSE) or general (for - example, Database or Firewall). For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm) - example: AIX, Firewall, Malware, Office Application, Solaris, Windows - flat_name: observer.os.vulnerability.category + product: + description: The product name of the observer. + example: s200 + flat_name: observer.product ignore_above: 1024 level: extended - name: category - order: 3 - original_fieldset: os - short: Category of a vulnerabilty. + name: product + order: 4 + short: The product name of the observer. type: keyword - os.vulnerability.cve.description: - description: 'The Common Vulnerability and Exposures (CVE) list is an open source - list for publicly known cybersecurity vulnerabilities providing an identification - number, a description, and at least one public reference. - - The description of the vulnerability that provides additional context of the - vulnerability. For example (ex. https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created)' - example: In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible - to time-to-check-time-to-use bugs and would also allow one user of the system - (who didn't have root access) to tamper with another's installs. - flat_name: observer.os.vulnerability.cve.description + serial_number: + description: Observer serial number. + flat_name: observer.serial_number ignore_above: 1024 level: extended - name: cve.description - order: 4 - original_fieldset: os - short: Description of the vulnerability. + name: serial_number + order: 7 + short: Observer serial number. 
type: keyword - os.vulnerability.cve.id: - description: 'The Common Vulnerability and Exposures (CVE) list is an open source - list for publicly known cybersecurity vulnerabilities providing an identification - number, a description, and at least one public reference. + type: + description: 'The type of the observer the data is coming from. - The identification (ID) is the number portion of a CVE Entry. It includes - the year the vulnerability ID was requested followed by a sequence number. - CVE-YYYY-NNNNN. For example (ex. https://cve.mitre.org/about/faqs.html#what_is_cve_id)' - example: CVE-2019-00001, CVE-2019-00002 - flat_name: observer.os.vulnerability.cve.id + There is no predefined list of observer types. Some examples are `forwarder`, + `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`.' + example: firewall + flat_name: observer.type ignore_above: 1024 - level: extended - name: cve.id + level: core + name: type + order: 8 + short: The type of the observer the data is coming from. + type: keyword + vendor: + description: Vendor name of the observer. + example: Symantec + flat_name: observer.vendor + ignore_above: 1024 + level: core + name: vendor order: 5 - original_fieldset: os - short: ID of the vulnerability. - type: keyword - os.vulnerability.cvss.score.base: - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - - Base scores cover an assessment for exploitability metrics (attack vector, - complexity, privileges, and user interaction), impact metrics (confidentialy, - integrity, and availability), and scope. For example (ex. https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - flat_name: observer.os.vulnerability.cvss.score.base - level: extended - name: cvss.score.base - order: 0 - original_fieldset: os - short: CVSS Base score. 
- type: long - os.vulnerability.cvss.score.evironmental: - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - - Environmental scores cover an assessment for any modified Base metrics, confidentiality, - integrity, and availability requirements. For example (ex. https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - flat_name: observer.os.vulnerability.cvss.score.evironmental - level: extended - name: cvss.score.evironmental - order: 2 - original_fieldset: os - short: CVSS Environmental score. - type: long - os.vulnerability.cvss.score.temporal: - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - - Temporal scores cover an assessment for code maturity, remediation level, - and confidence. For example (ex. https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - flat_name: observer.os.vulnerability.cvss.score.temporal - level: extended - name: cvss.score.temporal - order: 1 - original_fieldset: os - short: CVSS Temporal score. - type: long - os.vulnerability.detected.first: - description: The first time that the vulnerability was observed on the asset. - example: YYYY-MM-DD-HH-MM - flat_name: observer.os.vulnerability.detected.first - level: extended - name: detected.first - order: 8 - original_fieldset: os - short: Vulnerability first observed. - type: date - os.vulnerability.detected.last: - description: The last time that the vulnerability was observed on the asset. - example: YYYY-MM-DD-HH-MM - flat_name: observer.os.vulnerability.detected.last - level: extended - name: detected.last - order: 9 - original_fieldset: os - short: Vulnerability last observed. 
- type: date - os.vulnerability.scanned.first: - description: The first time that the asset was scanned for vulnerabilities. - example: YYYY-MM-DD-HH-MM - flat_name: observer.os.vulnerability.scanned.first - level: extended - name: scanned.first - order: 10 - original_fieldset: os - short: Asset first scanned. - type: date - os.vulnerability.scanned.last: - description: The last time that the asset was scanned for vulnerabilities. - example: YYYY-MM-DD-HH-MM - flat_name: observer.os.vulnerability.scanned.last - level: extended - name: scanned.last - order: 11 - original_fieldset: os - short: Asset last scanned. - type: date - os.vulnerability.severity: - description: The severity of the vulnerability can help with metrics and internal - prioritization regarding remediation. For example (ex. https://nvd.nist.gov/vuln-metrics/cvss) - example: Critical, High, Medium, Low, None - flat_name: observer.os.vulnerability.severity - ignore_above: 1024 - level: extended - name: severity - order: 6 - original_fieldset: os - short: Severity of the vulnerability. - type: keyword - os.vulnerability.status: - description: 'The current status of the vulerability on the asset: - - New - The first time a vulnerability is detected by a scan the status is set - to New. Active - A vulnerability detected by two or more scans is set to Active. - Fixed - A vulnerability was verified by the most recent scan as fixed, and - this vulnerability was detected by the previous scan. Re-Opened - A vulnerability - was reopened by the most recent scan, and this vulnerability was verified - as fixed by the previous scan. - - For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)' - example: New, Active, Fixed, Re-Opened - flat_name: observer.os.vulnerability.status - ignore_above: 1024 - level: extended - name: status - order: 7 - original_fieldset: os - short: Status of the vulnerability. 
- type: keyword - product: - description: The product name of the observer. - example: s200 - flat_name: observer.product - ignore_above: 1024 - level: extended - name: product - order: 4 - short: The product name of the observer. - type: keyword - serial_number: - description: Observer serial number. - flat_name: observer.serial_number - ignore_above: 1024 - level: extended - name: serial_number - order: 7 - short: Observer serial number. - type: keyword - type: - description: 'The type of the observer the data is coming from. - - There is no predefined list of observer types. Some examples are `forwarder`, - `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`.' - example: firewall - flat_name: observer.type - ignore_above: 1024 - level: core - name: type - order: 8 - short: The type of the observer the data is coming from. - type: keyword - vendor: - description: Vendor name of the observer. - example: Symantec - flat_name: observer.vendor - ignore_above: 1024 - level: core - name: vendor - order: 5 - short: Vendor name of the observer. + short: Vendor name of the observer. type: keyword version: description: Observer version. 
@@ -3889,176 +3223,9 @@ observer: order: 6 short: Observer version. type: keyword - vulnerability.category: - description: The type of system or architecture that the vulnerability affects. - These may be platform-specific (for example, Debian or SUSE) or general (for - example, Database or Firewall). For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm) - example: AIX, Firewall, Malware, Office Application, Solaris, Windows - flat_name: observer.vulnerability.category - ignore_above: 1024 - level: extended - name: category - order: 3 - original_fieldset: vulnerability - short: Category of a vulnerabilty. - type: keyword - vulnerability.cve.description: - description: 'The Common Vulnerability and Exposures (CVE) list is an open source - list for publicly known cybersecurity vulnerabilities providing an identification - number, a description, and at least one public reference. - - The description of the vulnerability that provides additional context of the - vulnerability. For example (ex. https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created)' - example: In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible - to time-to-check-time-to-use bugs and would also allow one user of the system - (who didn't have root access) to tamper with another's installs. - flat_name: observer.vulnerability.cve.description - ignore_above: 1024 - level: extended - name: cve.description - order: 4 - original_fieldset: vulnerability - short: Description of the vulnerability. - type: keyword - vulnerability.cve.id: - description: 'The Common Vulnerability and Exposures (CVE) list is an open source - list for publicly known cybersecurity vulnerabilities providing an identification - number, a description, and at least one public reference. - - The identification (ID) is the number portion of a CVE Entry. It includes - the year the vulnerability ID was requested followed by a sequence number. 
- CVE-YYYY-NNNNN. For example (ex. https://cve.mitre.org/about/faqs.html#what_is_cve_id)' - example: CVE-2019-00001, CVE-2019-00002 - flat_name: observer.vulnerability.cve.id - ignore_above: 1024 - level: extended - name: cve.id - order: 5 - original_fieldset: vulnerability - short: ID of the vulnerability. - type: keyword - vulnerability.cvss.score.base: - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - - Base scores cover an assessment for exploitability metrics (attack vector, - complexity, privileges, and user interaction), impact metrics (confidentialy, - integrity, and availability), and scope. For example (ex. https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - flat_name: observer.vulnerability.cvss.score.base - level: extended - name: cvss.score.base - order: 0 - original_fieldset: vulnerability - short: CVSS Base score. - type: long - vulnerability.cvss.score.evironmental: - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - - Environmental scores cover an assessment for any modified Base metrics, confidentiality, - integrity, and availability requirements. For example (ex. https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - flat_name: observer.vulnerability.cvss.score.evironmental - level: extended - name: cvss.score.evironmental - order: 2 - original_fieldset: vulnerability - short: CVSS Environmental score. - type: long - vulnerability.cvss.score.temporal: - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. 
- Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - - Temporal scores cover an assessment for code maturity, remediation level, - and confidence. For example (ex. https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - flat_name: observer.vulnerability.cvss.score.temporal - level: extended - name: cvss.score.temporal - order: 1 - original_fieldset: vulnerability - short: CVSS Temporal score. - type: long - vulnerability.detected.first: - description: The first time that the vulnerability was observed on the asset. - example: YYYY-MM-DD-HH-MM - flat_name: observer.vulnerability.detected.first - level: extended - name: detected.first - order: 8 - original_fieldset: vulnerability - short: Vulnerability first observed. - type: date - vulnerability.detected.last: - description: The last time that the vulnerability was observed on the asset. - example: YYYY-MM-DD-HH-MM - flat_name: observer.vulnerability.detected.last - level: extended - name: detected.last - order: 9 - original_fieldset: vulnerability - short: Vulnerability last observed. - type: date - vulnerability.scanned.first: - description: The first time that the asset was scanned for vulnerabilities. - example: YYYY-MM-DD-HH-MM - flat_name: observer.vulnerability.scanned.first - level: extended - name: scanned.first - order: 10 - original_fieldset: vulnerability - short: Asset first scanned. - type: date - vulnerability.scanned.last: - description: The last time that the asset was scanned for vulnerabilities. - example: YYYY-MM-DD-HH-MM - flat_name: observer.vulnerability.scanned.last - level: extended - name: scanned.last - order: 11 - original_fieldset: vulnerability - short: Asset last scanned. - type: date - vulnerability.severity: - description: The severity of the vulnerability can help with metrics and internal - prioritization regarding remediation. For example (ex. 
https://nvd.nist.gov/vuln-metrics/cvss) - example: Critical, High, Medium, Low, None - flat_name: observer.vulnerability.severity - ignore_above: 1024 - level: extended - name: severity - order: 6 - original_fieldset: vulnerability - short: Severity of the vulnerability. - type: keyword - vulnerability.status: - description: 'The current status of the vulerability on the asset: - - New - The first time a vulnerability is detected by a scan the status is set - to New. Active - A vulnerability detected by two or more scans is set to Active. - Fixed - A vulnerability was verified by the most recent scan as fixed, and - this vulnerability was detected by the previous scan. Re-Opened - A vulnerability - was reopened by the most recent scan, and this vulnerability was verified - as fixed by the previous scan. - - For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)' - example: New, Active, Fixed, Re-Opened - flat_name: observer.vulnerability.status - ignore_above: 1024 - level: extended - name: status - order: 7 - original_fieldset: vulnerability - short: Status of the vulnerability. - type: keyword group: 2 name: observer nestings: - - vulnerability - geo - os prefix: observer. 
@@ -4159,176 +3326,8 @@ os: order: 4 short: Operating system version as a raw string. type: keyword - vulnerability.category: - description: The type of system or architecture that the vulnerability affects. - These may be platform-specific (for example, Debian or SUSE) or general (for - example, Database or Firewall). For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm) - example: AIX, Firewall, Malware, Office Application, Solaris, Windows - flat_name: os.vulnerability.category - ignore_above: 1024 - level: extended - name: category - order: 3 - original_fieldset: vulnerability - short: Category of a vulnerabilty. - type: keyword - vulnerability.cve.description: - description: 'The Common Vulnerability and Exposures (CVE) list is an open source - list for publicly known cybersecurity vulnerabilities providing an identification - number, a description, and at least one public reference. - - The description of the vulnerability that provides additional context of the - vulnerability. For example (ex. https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created)' - example: In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible - to time-to-check-time-to-use bugs and would also allow one user of the system - (who didn't have root access) to tamper with another's installs. - flat_name: os.vulnerability.cve.description - ignore_above: 1024 - level: extended - name: cve.description - order: 4 - original_fieldset: vulnerability - short: Description of the vulnerability. - type: keyword - vulnerability.cve.id: - description: 'The Common Vulnerability and Exposures (CVE) list is an open source - list for publicly known cybersecurity vulnerabilities providing an identification - number, a description, and at least one public reference. - - The identification (ID) is the number portion of a CVE Entry. 
It includes - the year the vulnerability ID was requested followed by a sequence number. - CVE-YYYY-NNNNN. For example (ex. https://cve.mitre.org/about/faqs.html#what_is_cve_id)' - example: CVE-2019-00001, CVE-2019-00002 - flat_name: os.vulnerability.cve.id - ignore_above: 1024 - level: extended - name: cve.id - order: 5 - original_fieldset: vulnerability - short: ID of the vulnerability. - type: keyword - vulnerability.cvss.score.base: - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - - Base scores cover an assessment for exploitability metrics (attack vector, - complexity, privileges, and user interaction), impact metrics (confidentialy, - integrity, and availability), and scope. For example (ex. https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - flat_name: os.vulnerability.cvss.score.base - level: extended - name: cvss.score.base - order: 0 - original_fieldset: vulnerability - short: CVSS Base score. - type: long - vulnerability.cvss.score.evironmental: - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - - Environmental scores cover an assessment for any modified Base metrics, confidentiality, - integrity, and availability requirements. For example (ex. https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - flat_name: os.vulnerability.cvss.score.evironmental - level: extended - name: cvss.score.evironmental - order: 2 - original_fieldset: vulnerability - short: CVSS Environmental score. 
- type: long - vulnerability.cvss.score.temporal: - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - - Temporal scores cover an assessment for code maturity, remediation level, - and confidence. For example (ex. https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - flat_name: os.vulnerability.cvss.score.temporal - level: extended - name: cvss.score.temporal - order: 1 - original_fieldset: vulnerability - short: CVSS Temporal score. - type: long - vulnerability.detected.first: - description: The first time that the vulnerability was observed on the asset. - example: YYYY-MM-DD-HH-MM - flat_name: os.vulnerability.detected.first - level: extended - name: detected.first - order: 8 - original_fieldset: vulnerability - short: Vulnerability first observed. - type: date - vulnerability.detected.last: - description: The last time that the vulnerability was observed on the asset. - example: YYYY-MM-DD-HH-MM - flat_name: os.vulnerability.detected.last - level: extended - name: detected.last - order: 9 - original_fieldset: vulnerability - short: Vulnerability last observed. - type: date - vulnerability.scanned.first: - description: The first time that the asset was scanned for vulnerabilities. - example: YYYY-MM-DD-HH-MM - flat_name: os.vulnerability.scanned.first - level: extended - name: scanned.first - order: 10 - original_fieldset: vulnerability - short: Asset first scanned. - type: date - vulnerability.scanned.last: - description: The last time that the asset was scanned for vulnerabilities. - example: YYYY-MM-DD-HH-MM - flat_name: os.vulnerability.scanned.last - level: extended - name: scanned.last - order: 11 - original_fieldset: vulnerability - short: Asset last scanned. 
- type: date - vulnerability.severity: - description: The severity of the vulnerability can help with metrics and internal - prioritization regarding remediation. For example (ex. https://nvd.nist.gov/vuln-metrics/cvss) - example: Critical, High, Medium, Low, None - flat_name: os.vulnerability.severity - ignore_above: 1024 - level: extended - name: severity - order: 6 - original_fieldset: vulnerability - short: Severity of the vulnerability. - type: keyword - vulnerability.status: - description: 'The current status of the vulerability on the asset: - - New - The first time a vulnerability is detected by a scan the status is set - to New. Active - A vulnerability detected by two or more scans is set to Active. - Fixed - A vulnerability was verified by the most recent scan as fixed, and - this vulnerability was detected by the previous scan. Re-Opened - A vulnerability - was reopened by the most recent scan, and this vulnerability was verified - as fixed by the previous scan. - - For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)' - example: New, Active, Fixed, Re-Opened - flat_name: os.vulnerability.status - ignore_above: 1024 - level: extended - name: status - order: 7 - original_fieldset: vulnerability - short: Status of the vulnerability. - type: keyword group: 2 name: os - nestings: - - vulnerability prefix: os. reusable: expected: 
@@ -6034,172 +5033,6 @@ user_agent: original_fieldset: os short: Operating system version as a raw string. type: keyword - os.vulnerability.category: - description: The type of system or architecture that the vulnerability affects. - These may be platform-specific (for example, Debian or SUSE) or general (for - example, Database or Firewall). For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm) - example: AIX, Firewall, Malware, Office Application, Solaris, Windows - flat_name: user_agent.os.vulnerability.category - ignore_above: 1024 - level: extended - name: category - order: 3 - original_fieldset: os - short: Category of a vulnerabilty. - type: keyword - os.vulnerability.cve.description: - description: 'The Common Vulnerability and Exposures (CVE) list is an open source - list for publicly known cybersecurity vulnerabilities providing an identification - number, a description, and at least one public reference. - - The description of the vulnerability that provides additional context of the - vulnerability. For example (ex. https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created)' - example: In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible - to time-to-check-time-to-use bugs and would also allow one user of the system - (who didn't have root access) to tamper with another's installs. - flat_name: user_agent.os.vulnerability.cve.description - ignore_above: 1024 - level: extended - name: cve.description - order: 4 - original_fieldset: os - short: Description of the vulnerability. - type: keyword - os.vulnerability.cve.id: - description: 'The Common Vulnerability and Exposures (CVE) list is an open source - list for publicly known cybersecurity vulnerabilities providing an identification - number, a description, and at least one public reference. - - The identification (ID) is the number portion of a CVE Entry. 
It includes - the year the vulnerability ID was requested followed by a sequence number. - CVE-YYYY-NNNNN. For example (ex. https://cve.mitre.org/about/faqs.html#what_is_cve_id)' - example: CVE-2019-00001, CVE-2019-00002 - flat_name: user_agent.os.vulnerability.cve.id - ignore_above: 1024 - level: extended - name: cve.id - order: 5 - original_fieldset: os - short: ID of the vulnerability. - type: keyword - os.vulnerability.cvss.score.base: - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - - Base scores cover an assessment for exploitability metrics (attack vector, - complexity, privileges, and user interaction), impact metrics (confidentialy, - integrity, and availability), and scope. For example (ex. https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - flat_name: user_agent.os.vulnerability.cvss.score.base - level: extended - name: cvss.score.base - order: 0 - original_fieldset: os - short: CVSS Base score. - type: long - os.vulnerability.cvss.score.evironmental: - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - - Environmental scores cover an assessment for any modified Base metrics, confidentiality, - integrity, and availability requirements. For example (ex. https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - flat_name: user_agent.os.vulnerability.cvss.score.evironmental - level: extended - name: cvss.score.evironmental - order: 2 - original_fieldset: os - short: CVSS Environmental score. 
- type: long - os.vulnerability.cvss.score.temporal: - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - - Temporal scores cover an assessment for code maturity, remediation level, - and confidence. For example (ex. https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - flat_name: user_agent.os.vulnerability.cvss.score.temporal - level: extended - name: cvss.score.temporal - order: 1 - original_fieldset: os - short: CVSS Temporal score. - type: long - os.vulnerability.detected.first: - description: The first time that the vulnerability was observed on the asset. - example: YYYY-MM-DD-HH-MM - flat_name: user_agent.os.vulnerability.detected.first - level: extended - name: detected.first - order: 8 - original_fieldset: os - short: Vulnerability first observed. - type: date - os.vulnerability.detected.last: - description: The last time that the vulnerability was observed on the asset. - example: YYYY-MM-DD-HH-MM - flat_name: user_agent.os.vulnerability.detected.last - level: extended - name: detected.last - order: 9 - original_fieldset: os - short: Vulnerability last observed. - type: date - os.vulnerability.scanned.first: - description: The first time that the asset was scanned for vulnerabilities. - example: YYYY-MM-DD-HH-MM - flat_name: user_agent.os.vulnerability.scanned.first - level: extended - name: scanned.first - order: 10 - original_fieldset: os - short: Asset first scanned. - type: date - os.vulnerability.scanned.last: - description: The last time that the asset was scanned for vulnerabilities. - example: YYYY-MM-DD-HH-MM - flat_name: user_agent.os.vulnerability.scanned.last - level: extended - name: scanned.last - order: 11 - original_fieldset: os - short: Asset last scanned. 
- type: date - os.vulnerability.severity: - description: The severity of the vulnerability can help with metrics and internal - prioritization regarding remediation. For example (ex. https://nvd.nist.gov/vuln-metrics/cvss) - example: Critical, High, Medium, Low, None - flat_name: user_agent.os.vulnerability.severity - ignore_above: 1024 - level: extended - name: severity - order: 6 - original_fieldset: os - short: Severity of the vulnerability. - type: keyword - os.vulnerability.status: - description: 'The current status of the vulerability on the asset: - - New - The first time a vulnerability is detected by a scan the status is set - to New. Active - A vulnerability detected by two or more scans is set to Active. - Fixed - A vulnerability was verified by the most recent scan as fixed, and - this vulnerability was detected by the previous scan. Re-Opened - A vulnerability - was reopened by the most recent scan, and this vulnerability was verified - as fixed by the previous scan. - - For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)' - example: New, Active, Fixed, Re-Opened - flat_name: user_agent.os.vulnerability.status - ignore_above: 1024 - level: extended - name: status - order: 7 - original_fieldset: os - short: Status of the vulnerability. - type: keyword version: description: Version of the user agent. example: 12.0 
@@ -6219,175 +5052,181 @@ user_agent: title: User agent type: group vulnerability: - description: 'The vulnerability fields describe information about a vulnerabilty + description: The vulnerability fields describe information about a vulnerabilty that is relevant to an event. - - Fields can have one entry or multiple entries.' fields: category: description: The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for - example, Database or Firewall). For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm) - example: AIX, Firewall, Malware, Office Application, Solaris, Windows + example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm) + example: Firewall flat_name: vulnerability.category ignore_above: 1024 level: extended name: category - order: 3 + order: 7 short: Category of a vulnerabilty. type: keyword - cve.description: - description: 'The Common Vulnerability and Exposures (CVE) list is an open source - list for publicly known cybersecurity vulnerabilities providing an identification - number, a description, and at least one public reference. - - The description of the vulnerability that provides additional context of the - vulnerability. For example (ex. https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created)' - example: In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible - to time-to-check-time-to-use bugs and would also allow one user of the system - (who didn't have root access) to tamper with another's installs. - flat_name: vulnerability.cve.description + classification: + description: The classification of the vulnerability scoring system. 
For example + (https://www.first.org/cvss/) + example: CVSS + flat_name: vulnerability.classification ignore_above: 1024 level: extended - name: cve.description - order: 4 + name: classification + order: 0 + short: Classification of the vulnerability. + type: keyword + description: + description: The description of the vulnerability that provides additional context + of the vulnerability. For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created) + example: In macOS before 2.12.6, there is a vulnerability in the RPC... + flat_name: vulnerability.description + ignore_above: 1024 + level: extended + name: description + order: 8 short: Description of the vulnerability. type: keyword - cve.id: - description: 'The Common Vulnerability and Exposures (CVE) list is an open source - list for publicly known cybersecurity vulnerabilities providing an identification - number, a description, and at least one public reference. - - The identification (ID) is the number portion of a CVE Entry. It includes - the year the vulnerability ID was requested followed by a sequence number. - CVE-YYYY-NNNNN. For example (ex. https://cve.mitre.org/about/faqs.html#what_is_cve_id)' - example: CVE-2019-00001, CVE-2019-00002 - flat_name: vulnerability.cve.id + reference: + description: The type of identifier used for this vulnerability. For example + (https://cve.mitre.org/about/) + example: CVE + flat_name: vulnerability.reference ignore_above: 1024 level: extended - name: cve.id - order: 5 + name: reference + order: 1 + short: Reference of the vulnerability. + type: keyword + report_id: + description: The report or scan identification number. + example: 20191018.0001 + flat_name: vulnerability.report_id + ignore_above: 1024 + level: extended + name: report_id + order: 13 + short: Scan identification number. + type: keyword + scanner.id: + description: The identification (ID) is the number portion of a vulnerability + entry. 
It includes a unique identification number for the vulnerability. For + example (https://cve.mitre.org/about/faqs.html#what_is_cve_id) + example: CVE-2019-00001 + flat_name: vulnerability.scanner.id + ignore_above: 1024 + level: extended + name: scanner.id + order: 9 short: ID of the vulnerability. type: keyword - cvss.score.base: - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + scanner.vendor: + description: The name of the vulnerability scanner vendor. + example: Tenable + flat_name: vulnerability.scanner.vendor + ignore_above: 1024 + level: extended + name: scanner.vendor + order: 10 + short: Name of the scanner vendor. + type: keyword + score.base: + description: 'Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentialy, - integrity, and availability), and scope. For example (ex. https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - flat_name: vulnerability.cvss.score.base + integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document)' + example: 5.5 + flat_name: vulnerability.score.base level: extended - name: cvss.score.base - order: 0 - short: CVSS Base score. - type: long - cvss.score.evironmental: - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + name: score.base + order: 3 + short: Vulnerability Base score. + type: float + score.environmental: + description: 'Scores can range from 0.0 to 10.0, with 10.0 being the most severe. 
Environmental scores cover an assessment for any modified Base metrics, confidentiality, - integrity, and availability requirements. For example (ex. https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - flat_name: vulnerability.cvss.score.evironmental + integrity, and availability requirements. For example (https://www.first.org/cvss/specification-document)' + example: 5.5 + flat_name: vulnerability.score.environmental level: extended - name: cvss.score.evironmental - order: 2 - short: CVSS Environmental score. - type: long - cvss.score.temporal: - description: 'The Common Vulnerability Scoring System (CVSS) is an open framework - for communicating the characteristics and severity of software vulnerabilities. - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + name: score.environmental + order: 5 + short: Vulnerability Environmental score. + type: float + score.temporal: + description: 'Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Temporal scores cover an assessment for code maturity, remediation level, - and confidence. For example (ex. https://www.first.org/cvss/specification-document)' - example: 5.5, 6.6 - flat_name: vulnerability.cvss.score.temporal + and confidence. For example (https://www.first.org/cvss/specification-document)' + flat_name: vulnerability.score.temporal level: extended - name: cvss.score.temporal - order: 1 - short: CVSS Temporal score. - type: long - detected.first: - description: The first time that the vulnerability was observed on the asset. - example: YYYY-MM-DD-HH-MM - flat_name: vulnerability.detected.first - level: extended - name: detected.first - order: 8 - short: Vulnerability first observed. - type: date - detected.last: - description: The last time that the vulnerability was observed on the asset. - example: YYYY-MM-DD-HH-MM - flat_name: vulnerability.detected.last - level: extended - name: detected.last - order: 9 - short: Vulnerability last observed. 
- type: date - scanned.first: - description: The first time that the asset was scanned for vulnerabilities. - example: YYYY-MM-DD-HH-MM - flat_name: vulnerability.scanned.first - level: extended - name: scanned.first - order: 10 - short: Asset first scanned. - type: date - scanned.last: - description: The last time that the asset was scanned for vulnerabilities. - example: YYYY-MM-DD-HH-MM - flat_name: vulnerability.scanned.last + name: score.temporal + order: 4 + short: Vulnerability Temporal score. + type: float + score.version: + description: 'The National Vulnerability Database (NVD) provides qualitative + severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score + ranges in addition to the severity ratings for CVSS v3.0 as they are defined + in the CVSS v3.0 specification. + + CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit + organization, whose mission is to help computer security incident response + teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss)' + example: 2.0 + flat_name: vulnerability.score.version + ignore_above: 1024 level: extended - name: scanned.last - order: 11 - short: Asset last scanned. - type: date + name: score.version + order: 6 + short: CVSS version. + type: keyword severity: description: The severity of the vulnerability can help with metrics and internal - prioritization regarding remediation. For example (ex. https://nvd.nist.gov/vuln-metrics/cvss) - example: Critical, High, Medium, Low, None + prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) + example: Critical flat_name: vulnerability.severity ignore_above: 1024 level: extended name: severity - order: 6 + order: 11 short: Severity of the vulnerability. type: keyword status: description: 'The current status of the vulerability on the asset: - New - The first time a vulnerability is detected by a scan the status is set - to New. 
Active - A vulnerability detected by two or more scans is set to Active. - Fixed - A vulnerability was verified by the most recent scan as fixed, and - this vulnerability was detected by the previous scan. Re-Opened - A vulnerability - was reopened by the most recent scan, and this vulnerability was verified - as fixed by the previous scan. + * New - First time a vulnerability is detected by a scan the status is set + to New. * Active - A vulnerability detected by two or more scans is set to + Active. * Fixed - A vulnerability was verified by the most recent scan as + Fixed. * Re-Opened - A vulnerability was reopened by the most recent scan. - For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)' - example: New, Active, Fixed, Re-Opened + For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)' + example: New flat_name: vulnerability.status ignore_above: 1024 level: extended name: status - order: 7 + order: 12 short: Status of the vulnerability. type: keyword + url: + description: A URL to a resource that provides additional information, context, + and mitigations for the identified vulnerabiltiy. For example (https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ssh) + example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111 + flat_name: vulnerability.url + ignore_above: 1024 + level: extended + name: url + order: 2 + short: URL describing the vulnerability. + type: keyword group: 2 name: vulnerability prefix: vulnerability. - reusable: - expected: - - client - - host - - os - - observer - top_level: true short: Fields to describe the vulnerabilty relevant to an event. title: Vulnerability type: group diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json index dca9db8870..f18da86d3e 100644 --- a/generated/elasticsearch/6/template.json +++ b/generated/elasticsearch/6/template.json 
@@ -199,71 +199,6 @@ "type": "keyword" } } - }, - "vulnerability": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "cve": { - "properties": { - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "cvss": { - "properties": { - "score": { - "properties": { - "base": { - "type": "long" - }, - "evironmental": { - "type": "long" - }, - "temporal": { - "type": "long" - } - } - } - } - }, - "detected": { - "properties": { - "first": { - "type": "date" - }, - "last": { - "type": "date" - } - } - }, - "scanned": { - "properties": { - "first": { - "type": "date" - }, - "last": { - "type": "date" - } - } - }, - "severity": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - } - } } } }, @@ -923,71 +858,6 @@ "version": { "ignore_above": 1024, "type": "keyword" - }, - "vulnerability": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "cve": { - "properties": { - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "cvss": { - "properties": { - "score": { - "properties": { - "base": { - "type": "long" - }, - "evironmental": { - "type": "long" - }, - "temporal": { - "type": "long" - } - } - } - } - }, - "detected": { - "properties": { - "first": { - "type": "date" - }, - "last": { - "type": "date" - } - } - }, - "scanned": { - "properties": { - "first": { - "type": "date" - }, - "last": { - "type": "date" - } - } - }, - "severity": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - } - } } } }, 
@@ -1041,71 +911,6 @@ "type": "keyword" } } - }, - "vulnerability": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "cve": { - "properties": { - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "cvss": { - "properties": { - "score": { - "properties": { - "base": { - "type": "long" - }, - "evironmental": { - "type": "long" - }, - "temporal": { - "type": "long" - } - } - } - } - }, - "detected": { - "properties": { - "first": { - "type": "date" - }, - "last": { - "type": "date" - } - } - }, - "scanned": { - "properties": { - "first": { - "type": "date" - }, - "last": { - "type": "date" - } - } - }, - "severity": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - } - } } } }, @@ -1359,71 +1164,6 @@ "version": { "ignore_above": 1024, "type": "keyword" - }, - "vulnerability": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "cve": { - "properties": { - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "cvss": { - "properties": { - "score": { - "properties": { - "base": { - "type": "long" - }, - "evironmental": { - "type": "long" - }, - "temporal": { - "type": "long" - } - } - } - } - }, - "detected": { - "properties": { - "first": { - "type": "date" - }, - "last": { - "type": "date" - } - } - }, - "scanned": { - "properties": { - "first": { - "type": "date" - }, - "last": { - "type": "date" - } - } - }, - "severity": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - } - } } } }, 
@@ -1446,71 +1186,6 @@ "version": { "ignore_above": 1024, "type": "keyword" - }, - "vulnerability": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "cve": { - "properties": { - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "cvss": { - "properties": { - "score": { - "properties": { - "base": { - "type": "long" - }, - "evironmental": { - "type": "long" - }, - "temporal": { - "type": "long" - } - } - } - } - }, - "detected": { - "properties": { - "first": { - "type": "date" - }, - "last": { - "type": "date" - } - } - }, - "scanned": { - "properties": { - "first": { - "type": "date" - }, - "last": { - "type": "date" - } - } - }, - "severity": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - } - } } } }, @@ -1551,71 +1226,6 @@ "version": { "ignore_above": 1024, "type": "keyword" - }, - "vulnerability": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "cve": { - "properties": { - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "cvss": { - "properties": { - "score": { - "properties": { - "base": { - "type": "long" - }, - "evironmental": { - "type": "long" - }, - "temporal": { - "type": "long" - } - } - } - } - }, - "detected": { - "properties": { - "first": { - "type": "date" - }, - "last": { - "type": "date" - } - } - }, - "scanned": { - "properties": { - "first": { - "type": "date" - }, - "last": { - "type": "date" - } - } - }, - "severity": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - } - } } } }, 
@@ -2256,71 +1866,6 @@ "version": { "ignore_above": 1024, "type": "keyword" - }, - "vulnerability": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "cve": { - "properties": { - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "cvss": { - "properties": { - "score": { - "properties": { - "base": { - "type": "long" - }, - "evironmental": { - "type": "long" - }, - "temporal": { - "type": "long" - } - } - } - } - }, - "detected": { - "properties": { - "first": { - "type": "date" - }, - "last": { - "type": "date" - } - } - }, - "scanned": { - "properties": { - "first": { - "type": "date" - }, - "last": { - "type": "date" - } - } - }, - "severity": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - } - } } } }, 
@@ -2336,52 +1881,48 @@ "ignore_above": 1024, "type": "keyword" }, - "cve": { + "classification": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "report_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "scanner": { "properties": { - "description": { + "id": { "ignore_above": 1024, "type": "keyword" }, - "id": { + "vendor": { "ignore_above": 1024, "type": "keyword" } } }, - "cvss": { + "score": { "properties": { - "score": { - "properties": { - "base": { - "type": "long" - }, - "evironmental": { - "type": "long" - }, - "temporal": { - "type": "long" - } - } - } - } - }, - "detected": { - "properties": { - "first": { - "type": "date" + "base": { + "type": "float" }, - "last": { - "type": "date" - } - } - }, - "scanned": { - "properties": { - "first": { - "type": "date" + "environmental": { + "type": "float" }, - "last": { - "type": "date" + "temporal": { + "type": "float" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -2392,6 +1933,10 @@ "status": { "ignore_above": 1024, "type": "keyword" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" } } } diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json index 58e76ee3fc..911d85ebd3 100644 --- a/generated/elasticsearch/7/template.json +++ b/generated/elasticsearch/7/template.json 
@@ -198,71 +198,6 @@ "type": "keyword" } } - }, - "vulnerability": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "cve": { - "properties": { - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "cvss": { - "properties": { - "score": { - "properties": { - "base": { - "type": "long" - }, - "evironmental": { - "type": "long" - }, - "temporal": { - "type": "long" - } - } - } - } - }, - "detected": { - "properties": { - "first": { - "type": "date" - }, - "last": { - "type": "date" - } - } - }, - "scanned": { - "properties": { - "first": { - "type": "date" - }, - "last": { - "type": "date" - } - } - }, - "severity": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - } - } } } }, @@ -922,71 +857,6 @@ "version": { "ignore_above": 1024, "type": "keyword" - }, - "vulnerability": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "cve": { - "properties": { - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "cvss": { - "properties": { - "score": { - "properties": { - "base": { - "type": "long" - }, - "evironmental": { - "type": "long" - }, - "temporal": { - "type": "long" - } - } - } - } - }, - "detected": { - "properties": { - "first": { - "type": "date" - }, - "last": { - "type": "date" - } - } - }, - "scanned": { - "properties": { - "first": { - "type": "date" - }, - "last": { - "type": "date" - } - } - }, - "severity": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - } - } } } }, 
@@ -1040,71 +910,6 @@ "type": "keyword" } } - }, - "vulnerability": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "cve": { - "properties": { - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "cvss": { - "properties": { - "score": { - "properties": { - "base": { - "type": "long" - }, - "evironmental": { - "type": "long" - }, - "temporal": { - "type": "long" - } - } - } - } - }, - "detected": { - "properties": { - "first": { - "type": "date" - }, - "last": { - "type": "date" - } - } - }, - "scanned": { - "properties": { - "first": { - "type": "date" - }, - "last": { - "type": "date" - } - } - }, - "severity": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - } - } } } }, @@ -1358,71 +1163,6 @@ "version": { "ignore_above": 1024, "type": "keyword" - }, - "vulnerability": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "cve": { - "properties": { - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "cvss": { - "properties": { - "score": { - "properties": { - "base": { - "type": "long" - }, - "evironmental": { - "type": "long" - }, - "temporal": { - "type": "long" - } - } - } - } - }, - "detected": { - "properties": { - "first": { - "type": "date" - }, - "last": { - "type": "date" - } - } - }, - "scanned": { - "properties": { - "first": { - "type": "date" - }, - "last": { - "type": "date" - } - } - }, - "severity": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - } - } } } }, 
@@ -1445,71 +1185,6 @@ "version": { "ignore_above": 1024, "type": "keyword" - }, - "vulnerability": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "cve": { - "properties": { - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "cvss": { - "properties": { - "score": { - "properties": { - "base": { - "type": "long" - }, - "evironmental": { - "type": "long" - }, - "temporal": { - "type": "long" - } - } - } - } - }, - "detected": { - "properties": { - "first": { - "type": "date" - }, - "last": { - "type": "date" - } - } - }, - "scanned": { - "properties": { - "first": { - "type": "date" - }, - "last": { - "type": "date" - } - } - }, - "severity": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - } - } } } }, @@ -1550,71 +1225,6 @@ "version": { "ignore_above": 1024, "type": "keyword" - }, - "vulnerability": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "cve": { - "properties": { - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "cvss": { - "properties": { - "score": { - "properties": { - "base": { - "type": "long" - }, - "evironmental": { - "type": "long" - }, - "temporal": { - "type": "long" - } - } - } - } - }, - "detected": { - "properties": { - "first": { - "type": "date" - }, - "last": { - "type": "date" - } - } - }, - "scanned": { - "properties": { - "first": { - "type": "date" - }, - "last": { - "type": "date" - } - } - }, - "severity": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - } - } } } }, 
@@ -2255,71 +1865,6 @@ "version": { "ignore_above": 1024, "type": "keyword" - }, - "vulnerability": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "cve": { - "properties": { - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "cvss": { - "properties": { - "score": { - "properties": { - "base": { - "type": "long" - }, - "evironmental": { - "type": "long" - }, - "temporal": { - "type": "long" - } - } - } - } - }, - "detected": { - "properties": { - "first": { - "type": "date" - }, - "last": { - "type": "date" - } - } - }, - "scanned": { - "properties": { - "first": { - "type": "date" - }, - "last": { - "type": "date" - } - } - }, - "severity": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - } - } } } }, 
@@ -2335,52 +1880,48 @@ "ignore_above": 1024, "type": "keyword" }, - "cve": { + "classification": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "report_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "scanner": { "properties": { - "description": { + "id": { "ignore_above": 1024, "type": "keyword" }, - "id": { + "vendor": { "ignore_above": 1024, "type": "keyword" } } }, - "cvss": { + "score": { "properties": { - "score": { - "properties": { - "base": { - "type": "long" - }, - "evironmental": { - "type": "long" - }, - "temporal": { - "type": "long" - } - } - } - } - }, - "detected": { - "properties": { - "first": { - "type": "date" + "base": { + "type": "float" }, - "last": { - "type": "date" - } - } - }, - "scanned": { - "properties": { - "first": { - "type": "date" + "environmental": { + "type": "float" }, - "last": { - "type": "date" + "temporal": { + "type": "float" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -2391,6 +1932,10 @@ "status": { "ignore_above": 1024, "type": "keyword" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" } } } diff --git a/generated/legacy/template.json b/generated/legacy/template.json index 2f04ab095f..a00b07ae6f 100644 --- a/generated/legacy/template.json +++ b/generated/legacy/template.json 
@@ -1256,52 +1256,48 @@ "ignore_above": 1024, "type": "keyword" }, - "cve": { + "classification": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "report_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "scanner": { "properties": { - "description": { + "id": { "ignore_above": 1024, "type": "keyword" }, - "id": { + "vendor": { "ignore_above": 1024, "type": "keyword" } } }, - "cvss": { + "score": { "properties": { - "score": { - "properties": { - "base": { - "type": "long" - }, - "evironmental": { - "type": "long" - }, - "temporal": { - "type": "long" - } - } - } - } - }, - "detected": { - "properties": { - "first": { - "type": "date" + "base": { + "type": "float" }, - "last": { - "type": "date" - } - } - }, - "scanned": { - "properties": { - "first": { - "type": "date" + "environmental": { + "type": "float" }, - "last": { - "type": "date" + "temporal": { + "type": "float" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -1312,6 +1308,10 @@ "status": { "ignore_above": 1024, "type": "keyword" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" } } } diff --git a/schema.json b/schema.json index dc6f98a59e..602acb1b4c 100644 --- a/schema.json +++ b/schema.json 
@@ -2957,11 +2957,11 @@ "type": "group" }, "vulnerability": { - "description": "The vulnerability fields describe information about a vulnerabilty that is relevant to an event.\nFields can have one entry or multiple entries.\n", + "description": "The vulnerability fields describe information about a vulnerabilty that is relevant to an event.\n", "fields": { "vulnerability.category": { - "description": "The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm)", - "example": "AIX, Firewall, Malware, Office Application, Solaris, Windows", + "description": "The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm)", + "example": "Firewall", "footnote": "", "group": 2, "level": "extended", 
@@ -2969,99 +2969,109 @@ "required": false, "type": "keyword" }, - "vulnerability.cve.description": { - "description": "The Common Vulnerability and Exposures (CVE) list is an open source list for publicly known cybersecurity vulnerabilities providing an identification number, a description, and at least one public reference.\nThe description of the vulnerability that provides additional context of the vulnerability. For example (ex. https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created)", - "example": "In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible to time-to-check-time-to-use bugs and would also allow one user of the system (who didn't have root access) to tamper with another's installs.", + "vulnerability.classification": { + "description": "The classification of the vulnerability scoring system. For example (https://www.first.org/cvss/)", + "example": "CVSS", "footnote": "", "group": 2, "level": "extended", - "name": "vulnerability.cve.description", + "name": "vulnerability.classification", "required": false, "type": "keyword" }, - "vulnerability.cve.id": { - "description": "The Common Vulnerability and Exposures (CVE) list is an open source list for publicly known cybersecurity vulnerabilities providing an identification number, a description, and at least one public reference.\nThe identification (ID) is the number portion of a CVE Entry. It includes the year the vulnerability ID was requested followed by a sequence number. CVE-YYYY-NNNNN. For example (ex. https://cve.mitre.org/about/faqs.html#what_is_cve_id)", - "example": "CVE-2019-00001, CVE-2019-00002", + "vulnerability.description": { + "description": "The description of the vulnerability that provides additional context of the vulnerability. 
For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created)", + "example": "In macOS before 2.12.6, there is a vulnerability in the RPC...", "footnote": "", "group": 2, "level": "extended", - "name": "vulnerability.cve.id", + "name": "vulnerability.description", "required": false, "type": "keyword" }, - "vulnerability.cvss.score.base": { - "description": "The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. Scores can range from 0.0 to 10.0, with 10.0 being the most severe.\nBase scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentialy, integrity, and availability), and scope. For example (ex. https://www.first.org/cvss/specification-document)", - "example": "5.5, 6.6", + "vulnerability.reference": { + "description": "The type of identifier used for this vulnerability. For example (https://cve.mitre.org/about/)", + "example": "CVE", "footnote": "", "group": 2, "level": "extended", - "name": "vulnerability.cvss.score.base", + "name": "vulnerability.reference", "required": false, - "type": "long" + "type": "keyword" }, - "vulnerability.cvss.score.evironmental": { - "description": "The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. Scores can range from 0.0 to 10.0, with 10.0 being the most severe.\nEnvironmental scores cover an assessment for any modified Base metrics, confidentiality, integrity, and availability requirements. For example (ex. 
https://www.first.org/cvss/specification-document)", - "example": "5.5, 6.6", + "vulnerability.report_id": { + "description": "The report or scan identification number.", + "example": "20191018.0001", "footnote": "", "group": 2, "level": "extended", - "name": "vulnerability.cvss.score.evironmental", + "name": "vulnerability.report_id", "required": false, - "type": "long" + "type": "keyword" }, - "vulnerability.cvss.score.temporal": { - "description": "The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. Scores can range from 0.0 to 10.0, with 10.0 being the most severe.\nTemporal scores cover an assessment for code maturity, remediation level, and confidence. For example (ex. https://www.first.org/cvss/specification-document)", - "example": "5.5, 6.6", + "vulnerability.scanner.id": { + "description": "The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. 
For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)", + "example": "CVE-2019-00001", "footnote": "", "group": 2, "level": "extended", - "name": "vulnerability.cvss.score.temporal", + "name": "vulnerability.scanner.id", "required": false, - "type": "long" + "type": "keyword" }, - "vulnerability.detected.first": { - "description": "The first time that the vulnerability was observed on the asset.", - "example": "YYYY-MM-DD-HH-MM", + "vulnerability.scanner.vendor": { + "description": "The name of the vulnerability scanner vendor.", + "example": "Tenable", "footnote": "", "group": 2, "level": "extended", - "name": "vulnerability.detected.first", + "name": "vulnerability.scanner.vendor", "required": false, - "type": "date" + "type": "keyword" }, - "vulnerability.detected.last": { - "description": "The last time that the vulnerability was observed on the asset.", - "example": "YYYY-MM-DD-HH-MM", + "vulnerability.score.base": { + "description": "Scores can range from 0.0 to 10.0, with 10.0 being the most severe.\nBase scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentialy, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document)", + "example": "5.5", "footnote": "", "group": 2, "level": "extended", - "name": "vulnerability.detected.last", + "name": "vulnerability.score.base", "required": false, - "type": "date" + "type": "float" }, - "vulnerability.scanned.first": { - "description": "The first time that the asset was scanned for vulnerabilities.", - "example": "YYYY-MM-DD-HH-MM", + "vulnerability.score.environmental": { + "description": "Scores can range from 0.0 to 10.0, with 10.0 being the most severe.\nEnvironmental scores cover an assessment for any modified Base metrics, confidentiality, integrity, and availability requirements. 
For example (https://www.first.org/cvss/specification-document)", + "example": "5.5", "footnote": "", "group": 2, "level": "extended", - "name": "vulnerability.scanned.first", + "name": "vulnerability.score.environmental", "required": false, - "type": "date" + "type": "float" }, - "vulnerability.scanned.last": { - "description": "The last time that the asset was scanned for vulnerabilities.", - "example": "YYYY-MM-DD-HH-MM", + "vulnerability.score.temporal": { + "description": "Scores can range from 0.0 to 10.0, with 10.0 being the most severe.\nTemporal scores cover an assessment for code maturity, remediation level, and confidence. For example (https://www.first.org/cvss/specification-document)", + "example": "", "footnote": "", "group": 2, "level": "extended", - "name": "vulnerability.scanned.last", + "name": "vulnerability.score.temporal", "required": false, - "type": "date" + "type": "float" + }, + "vulnerability.score.version": { + "description": "The National Vulnerability Database (NVD) provides qualitative severity rankings of \"Low\", \"Medium\", and \"High\" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification.\nCVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss)", + "example": "2.0", + "footnote": "", + "group": 2, + "level": "extended", + "name": "vulnerability.score.version", + "required": false, + "type": "keyword" }, "vulnerability.severity": { - "description": "The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (ex. https://nvd.nist.gov/vuln-metrics/cvss)", - "example": "Critical, High, Medium, Low, None", + "description": "The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. 
For example (https://nvd.nist.gov/vuln-metrics/cvss)", + "example": "Critical", "footnote": "", "group": 2, "level": "extended", @@ -3070,14 +3080,24 @@ "type": "keyword" }, "vulnerability.status": { - "description": "The current status of the vulerability on the asset:\nNew - The first time a vulnerability is detected by a scan the status is set to New. Active - A vulnerability detected by two or more scans is set to Active. Fixed - A vulnerability was verified by the most recent scan as fixed, and this vulnerability was detected by the previous scan. Re-Opened - A vulnerability was reopened by the most recent scan, and this vulnerability was verified as fixed by the previous scan.\nFor example (ex. https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)", - "example": "New, Active, Fixed, Re-Opened", + "description": "The current status of the vulerability on the asset:\n* New - First time a vulnerability is detected by a scan the status is set to New. * Active - A vulnerability detected by two or more scans is set to Active. * Fixed - A vulnerability was verified by the most recent scan as Fixed. * Re-Opened - A vulnerability was reopened by the most recent scan.\nFor example (https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)", + "example": "New", "footnote": "", "group": 2, "level": "extended", "name": "vulnerability.status", "required": false, "type": "keyword" + }, + "vulnerability.url": { + "description": "A URL to a resource that provides additional information, context, and mitigations for the identified vulnerabiltiy. For example (https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ssh)", + "example": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111", + "footnote": "", + "group": 2, + "level": "extended", + "name": "vulnerability.url", + "required": false, + "type": "keyword" } }, "group": 2, From 0a03d5b90bb02257e3d03cbeb3c2364e1c82f0f1 Mon Sep 17 00:00:00 2001 
From: Andrew Pease Date: Mon, 18 Nov 2019 09:47:24 -0600 Subject: [PATCH 23/36] working with formatting for status --- schemas/vulnerability.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/schemas/vulnerability.yml b/schemas/vulnerability.yml index 778d89f1b8..31b9e17c2b 100644 --- a/schemas/vulnerability.yml +++ b/schemas/vulnerability.yml @@ -159,7 +159,7 @@ * New - First time a vulnerability is detected by a scan the status is set to New. * Active - A vulnerability detected by two or more scans is set to Active. * Fixed - A vulnerability was verified by the most recent scan as Fixed. - * Re-Opened - A vulnerability was reopened by the most recent scan. + * Re-Opened - A vulnerability was reopened by the most recent scan. For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm) From 040a3e520fe3010031b4b2877d91878df83fa73e Mon Sep 17 00:00:00 2001 From: Andrew Pease Date: Mon, 18 Nov 2019 09:47:41 -0600 Subject: [PATCH 24/36] from make --- docs/field-details.asciidoc | 2 +- generated/beats/fields.ecs.yml | 14 ++++++-------- generated/ecs/ecs_flat.yml | 13 +++++-------- generated/ecs/ecs_nested.yml | 14 ++++++-------- schema.json | 2 +- 5 files changed, 19 insertions(+), 26 deletions(-) diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index 2afd6835a2..addd1c6ade 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc 
@@ -4263,7 +4263,7 @@ example: `Critical` | vulnerability.status | The current status of the vulerability on the asset: -* New - First time a vulnerability is detected by a scan the status is set to New. * Active - A vulnerability detected by two or more scans is set to Active. * Fixed - A vulnerability was verified by the most recent scan as Fixed. * Re-Opened - A vulnerability was reopened by the most recent scan. +* New - First time a vulnerability is detected by a scan the status is set to New. * Active - A vulnerability detected by two or more scans is set to Active. * Fixed - A vulnerability was verified by the most recent scan as Fixed. * Re-Opened - A vulnerability was reopened by the most recent scan. For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm) diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 9053506e40..8a8751d43e 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml 
@@ -3251,14 +3251,12 @@ level: extended type: keyword ignore_above: 1024 - description: 'The current status of the vulerability on the asset: - - * New - First time a vulnerability is detected by a scan the status is set - to New. * Active - A vulnerability detected by two or more scans is set to - Active. * Fixed - A vulnerability was verified by the most recent scan as - Fixed. * Re-Opened - A vulnerability was reopened by the most recent scan. - - For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)' + description: "The current status of the vulerability on the asset:\n* New -\ + \ First time a vulnerability is detected by a scan the status is set to New.\ + \ * Active - A vulnerability detected by two or more scans is set to Active.\ + \ * Fixed - A vulnerability was verified by the most recent scan as Fixed.\ + \ * Re-Opened - A vulnerability was reopened by the most recent scan. \n\ + For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)" example: New - name: url level: extended diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index b83a63d6cd..2832c23cda 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -4655,14 +4655,11 @@ vulnerability.severity: short: Severity of the vulnerability. type: keyword vulnerability.status: - description: 'The current status of the vulerability on the asset: - - * New - First time a vulnerability is detected by a scan the status is set to - New. * Active - A vulnerability detected by two or more scans is set to Active. - * Fixed - A vulnerability was verified by the most recent scan as Fixed. * Re-Opened - - A vulnerability was reopened by the most recent scan. - - For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)' + description: "The current status of the vulerability on the asset:\n* New - First\ + \ time a vulnerability is detected by a scan the status is set to New. * Active\ + \ - A vulnerability detected by two or more scans is set to Active. * Fixed -\ + \ A vulnerability was verified by the most recent scan as Fixed. * Re-Opened -\ + \ A vulnerability was reopened by the most recent scan. \nFor example (https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)" example: New flat_name: vulnerability.status ignore_above: 1024 diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 184cfb7965..709501c846 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -5197,14 +5197,12 @@ vulnerability: short: Severity of the vulnerability. type: keyword status: - description: 'The current status of the vulerability on the asset: - - * New - First time a vulnerability is detected by a scan the status is set - to New. * Active - A vulnerability detected by two or more scans is set to - Active. * Fixed - A vulnerability was verified by the most recent scan as - Fixed. * Re-Opened - A vulnerability was reopened by the most recent scan. - - For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)' + description: "The current status of the vulerability on the asset:\n* New -\ + \ First time a vulnerability is detected by a scan the status is set to New.\ + \ * Active - A vulnerability detected by two or more scans is set to Active.\ + \ * Fixed - A vulnerability was verified by the most recent scan as Fixed.\ + \ * Re-Opened - A vulnerability was reopened by the most recent scan. \n\ + For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)" example: New flat_name: vulnerability.status ignore_above: 1024 diff --git a/schema.json b/schema.json index 602acb1b4c..11efd97ea5 100644 --- a/schema.json +++ b/schema.json 
@@ -3080,7 +3080,7 @@ "type": "keyword" }, "vulnerability.status": { - "description": "The current status of the vulerability on the asset:\n* New - First time a vulnerability is detected by a scan the status is set to New. * Active - A vulnerability detected by two or more scans is set to Active. * Fixed - A vulnerability was verified by the most recent scan as Fixed. * Re-Opened - A vulnerability was reopened by the most recent scan.\nFor example (https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)", + "description": "The current status of the vulerability on the asset:\n* New - First time a vulnerability is detected by a scan the status is set to New. * Active - A vulnerability detected by two or more scans is set to Active. * Fixed - A vulnerability was verified by the most recent scan as Fixed. * Re-Opened - A vulnerability was reopened by the most recent scan. \nFor example (https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)", "example": "New", "footnote": "", "group": 2, From 42cc5554f2ac560ccf7184f332c06b7b0c509dba Mon Sep 17 00:00:00 2001 From: Andrew Pease Date: Mon, 18 Nov 2019 10:10:16 -0600 Subject: [PATCH 25/36] working more with formatting bullet list --- schemas/vulnerability.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/schemas/vulnerability.yml b/schemas/vulnerability.yml index 31b9e17c2b..a251276e1c 100644 --- a/schemas/vulnerability.yml +++ b/schemas/vulnerability.yml 
@@ -156,10 +156,11 @@ description: > The current status of the vulerability on the asset: - * New - First time a vulnerability is detected by a scan the status is set to New. - * Active - A vulnerability detected by two or more scans is set to Active. - * Fixed - A vulnerability was verified by the most recent scan as Fixed. - * Re-Opened - A vulnerability was reopened by the most recent scan. + Recommended values are: + * New - First time a vulnerability is detected by a scan the status is set to New. + * Active - A vulnerability detected by two or more scans is set to Active. + * Fixed - A vulnerability was verified by the most recent scan as Fixed. + * Re-Opened - A vulnerability was reopened by the most recent scan. For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm) From d9d8da534af03820e5b7bcbdead8a4fd7a8fa421 Mon Sep 17 00:00:00 2001 From: Andrew Pease Date: Mon, 18 Nov 2019 10:10:32 -0600 Subject: [PATCH 26/36] from make --- code/go/ecs/vulnerability.go | 14 +++++++++----- docs/field-details.asciidoc | 12 +++++++++++- generated/beats/fields.ecs.yml | 12 ++++++------ generated/ecs/ecs_flat.yml | 11 ++++++----- generated/ecs/ecs_nested.yml | 12 ++++++------ schema.json | 2 +- 6 files changed, 39 insertions(+), 24 deletions(-) diff --git a/code/go/ecs/vulnerability.go b/code/go/ecs/vulnerability.go index 13757e557b..7e8cd4b7ec 100644 --- a/code/go/ecs/vulnerability.go +++ b/code/go/ecs/vulnerability.go 
@@ -89,11 +89,15 @@ type Vulnerability struct { Severity string `ecs:"severity"` // The current status of the vulerability on the asset: - // * New - First time a vulnerability is detected by a scan the status is - // set to New. * Active - A vulnerability detected by two or more scans is - // set to Active. * Fixed - A vulnerability was verified by the most recent - // scan as Fixed. * Re-Opened - A vulnerability was reopened by the most - // recent scan. + // Recommended values are: + // * New - First time a vulnerability is detected by a scan the status is + // set to New. + // * Active - A vulnerability detected by two or more scans is set to + // Active. + // * Fixed - A vulnerability was verified by the most recent scan as + // Fixed. + // * Re-Opened - A vulnerability was reopened by the most recent scan. + // // For example // (https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm) Status string `ecs:"status"` diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index addd1c6ade..635ed43c8e 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc @@ -4263,7 +4263,17 @@ example: `Critical` | vulnerability.status | The current status of the vulerability on the asset: -* New - First time a vulnerability is detected by a scan the status is set to New. * Active - A vulnerability detected by two or more scans is set to Active. * Fixed - A vulnerability was verified by the most recent scan as Fixed. * Re-Opened - A vulnerability was reopened by the most recent scan. +Recommended values are: + + * New - First time a vulnerability is detected by a scan the status is set to New. + + * Active - A vulnerability detected by two or more scans is set to Active. + + * Fixed - A vulnerability was verified by the most recent scan as Fixed. + + * Re-Opened - A vulnerability was reopened by the most recent scan. + + For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm) 
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 8a8751d43e..fd8bac204d 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -3251,12 +3251,12 @@ level: extended type: keyword ignore_above: 1024 - description: "The current status of the vulerability on the asset:\n* New -\ - \ First time a vulnerability is detected by a scan the status is set to New.\ - \ * Active - A vulnerability detected by two or more scans is set to Active.\ - \ * Fixed - A vulnerability was verified by the most recent scan as Fixed.\ - \ * Re-Opened - A vulnerability was reopened by the most recent scan. \n\ - For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)" + description: "The current status of the vulerability on the asset:\nRecommended\ + \ values are:\n * New - First time a vulnerability is detected by a scan\ + \ the status is set to New.\n * Active - A vulnerability detected by two\ + \ or more scans is set to Active.\n * Fixed - A vulnerability was verified\ + \ by the most recent scan as Fixed.\n * Re-Opened - A vulnerability was reopened\ + \ by the most recent scan.\n\nFor example (https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)" example: New - name: url level: extended diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 2832c23cda..3d514fdccc 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -4655,11 +4655,12 @@ vulnerability.severity: short: Severity of the vulnerability. type: keyword vulnerability.status: - description: "The current status of the vulerability on the asset:\n* New - First\ - \ time a vulnerability is detected by a scan the status is set to New. * Active\ - \ - A vulnerability detected by two or more scans is set to Active. * Fixed -\ - \ A vulnerability was verified by the most recent scan as Fixed. * Re-Opened -\ - \ A vulnerability was reopened by the most recent scan. \nFor example (https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)" + description: "The current status of the vulerability on the asset:\nRecommended\ + \ values are:\n * New - First time a vulnerability is detected by a scan the\ + \ status is set to New.\n * Active - A vulnerability detected by two or more\ + \ scans is set to Active.\n * Fixed - A vulnerability was verified by the most\ + \ recent scan as Fixed.\n * Re-Opened - A vulnerability was reopened by the most\ + \ recent scan.\n\nFor example (https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)" example: New flat_name: vulnerability.status ignore_above: 1024 diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 709501c846..3563057512 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -5197,12 +5197,12 @@ vulnerability: short: Severity of the vulnerability. type: keyword status: - description: "The current status of the vulerability on the asset:\n* New -\ - \ First time a vulnerability is detected by a scan the status is set to New.\ - \ * Active - A vulnerability detected by two or more scans is set to Active.\ - \ * Fixed - A vulnerability was verified by the most recent scan as Fixed.\ - \ * Re-Opened - A vulnerability was reopened by the most recent scan. \n\ - For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)" + description: "The current status of the vulerability on the asset:\nRecommended\ + \ values are:\n * New - First time a vulnerability is detected by a scan\ + \ the status is set to New.\n * Active - A vulnerability detected by two\ + \ or more scans is set to Active.\n * Fixed - A vulnerability was verified\ + \ by the most recent scan as Fixed.\n * Re-Opened - A vulnerability was reopened\ + \ by the most recent scan.\n\nFor example (https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)" example: New flat_name: vulnerability.status ignore_above: 1024 diff --git a/schema.json b/schema.json index 11efd97ea5..3172bb1e0b 100644 --- a/schema.json +++ b/schema.json 
@@ -3080,7 +3080,7 @@ "type": "keyword" }, "vulnerability.status": { - "description": "The current status of the vulerability on the asset:\n* New - First time a vulnerability is detected by a scan the status is set to New. * Active - A vulnerability detected by two or more scans is set to Active. * Fixed - A vulnerability was verified by the most recent scan as Fixed. * Re-Opened - A vulnerability was reopened by the most recent scan. \nFor example (https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)", + "description": "The current status of the vulerability on the asset:\nRecommended values are:\n * New - First time a vulnerability is detected by a scan the status is set to New.\n * Active - A vulnerability detected by two or more scans is set to Active.\n * Fixed - A vulnerability was verified by the most recent scan as Fixed.\n * Re-Opened - A vulnerability was reopened by the most recent scan.\n\nFor example (https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)", "example": "New", "footnote": "", "group": 2, From 902dd9d9286494860e4551bcc4a10a0fe1682535 Mon Sep 17 00:00:00 2001 From: Andrew Pease Date: Mon, 18 Nov 2019 13:53:27 -0600 Subject: [PATCH 27/36] added empty sections back --- CHANGELOG.next.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index c5208115c0..93701c3b10 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -3,6 +3,16 @@ - Please insert your changelog line ordered by PR ID. Thanks, you're awesome :-) --> +## Unreleased + +### Breaking changes + +### Bugfixes + +### Improvements + +### Deprecated + ### Added * Added `vulnerability.*` fields to represent vulnerability information. #581 From 83fcd4dd31015a1f9ea9788a29e07a89c28f30c7 Mon Sep 17 00:00:00 2001 
From: Andrew Pease Date: Mon, 18 Nov 2019 14:54:16 -0600 Subject: [PATCH 28/36] Removed status --- schemas/vulnerability.yml | 17 ----------------- 1 file changed, 17 deletions(-) diff --git a/schemas/vulnerability.yml b/schemas/vulnerability.yml index a251276e1c..3666248412 100644 --- a/schemas/vulnerability.yml +++ b/schemas/vulnerability.yml @@ -149,23 +149,6 @@ example: Critical - - name: status - level: extended - type: keyword - short: Status of the vulnerability. - description: > - The current status of the vulerability on the asset: - - Recommended values are: - * New - First time a vulnerability is detected by a scan the status is set to New. - * Active - A vulnerability detected by two or more scans is set to Active. - * Fixed - A vulnerability was verified by the most recent scan as Fixed. - * Re-Opened - A vulnerability was reopened by the most recent scan. - - For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm) - - example: New - - name: report_id level: extended type: keyword From d345faa5abce59e8132979f1165999a300a04ee9 Mon Sep 17 00:00:00 2001 From: Andrew Pease Date: Mon, 18 Nov 2019 14:56:24 -0600 Subject: [PATCH 29/36] updated reference and enumeration --- schemas/vulnerability.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/schemas/vulnerability.yml b/schemas/vulnerability.yml index 3666248412..90af779460 100644 --- a/schemas/vulnerability.yml +++ b/schemas/vulnerability.yml 
@@ -20,22 +20,22 @@ example: CVSS - - name: reference + - name: enumeration level: extended type: keyword - short: Reference of the vulnerability. + short: Identifier of the vulnerability. description: > The type of identifier used for this vulnerability. For example (https://cve.mitre.org/about/) example: CVE - - name: url + - name: reference level: extended type: keyword - short: URL describing the vulnerability. + short: Reference of the vulnerability. description: > - A URL to a resource that provides additional information, context, and + A resource that provides additional information, context, and mitigations for the identified vulnerabiltiy. For example (https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ssh) From 4f07e0111898fc522bdf30160bfc80d4634d0f19 Mon Sep 17 00:00:00 2001 From: Andrew Pease Date: Mon, 18 Nov 2019 15:00:22 -0600 Subject: [PATCH 30/36] changed scanner.id to a simpler id --- schemas/vulnerability.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/schemas/vulnerability.yml b/schemas/vulnerability.yml index 90af779460..789ca3f146 100644 --- a/schemas/vulnerability.yml +++ b/schemas/vulnerability.yml @@ -118,7 +118,7 @@ example: In macOS before 2.12.6, there is a vulnerability in the RPC... - - name: scanner.id + - name: id level: extended type: keyword short: ID of the vulnerability. From 0c0fb1e024acc0fd5469b11b28d892cfc79d858a Mon Sep 17 00:00:00 2001 
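Review bot: The new `short: Identifier of the vulnerability.` on `enumeration` does not match that field's own description (`The type of identifier used for this vulnerability`, example `CVE`) and is nearly the same wording as `id`'s `short: ID of the vulnerability.`, so the two fields become hard to tell apart wherever `short` is rendered; `short: Type of identifier used for the vulnerability.` would say what the value actually is. Separately, `reference` keeps its name but changes meaning within this hunk — it previously held the identifier type and now holds what `url` held — while remaining a `keyword`, so a producer built against the earlier rendering of this schema would keep emitting `CVE` under `vulnerability.reference` without any mapping error; if that earlier revision was ever published, the repurposing deserves a changelog line rather than just a rename. The rewritten line `A resource that provides additional information, context, and` also drops the URL qualifier while the example remains a URL; naming the accepted forms (URL, advisory identifier, document title) would keep producers consistent.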
From: Andrew Pease Date: Mon, 18 Nov 2019 15:04:07 -0600 Subject: [PATCH 31/36] from make --- code/go/ecs/vulnerability.go | 22 ++------ docs/field-details.asciidoc | 61 +++++++--------------- generated/beats/fields.ecs.yml | 41 ++++++--------- generated/csv/fields.csv | 7 ++- generated/ecs/ecs_flat.yml | 67 ++++++++++--------------- generated/ecs/ecs_nested.yml | 67 ++++++++++--------------- generated/elasticsearch/6/template.json | 20 +++----- generated/elasticsearch/7/template.json | 20 +++----- generated/legacy/template.json | 20 +++----- schema.json | 50 ++++++++---------- 10 files changed, 136 insertions(+), 239 deletions(-) diff --git a/code/go/ecs/vulnerability.go b/code/go/ecs/vulnerability.go index 7e8cd4b7ec..d1825bfe45 100644 --- a/code/go/ecs/vulnerability.go +++ b/code/go/ecs/vulnerability.go @@ -28,12 +28,12 @@ type Vulnerability struct { // The type of identifier used for this vulnerability. For example // (https://cve.mitre.org/about/) - Reference string `ecs:"reference"` + Enumeration string `ecs:"enumeration"` - // A URL to a resource that provides additional information, context, and + // A resource that provides additional information, context, and // mitigations for the identified vulnerabiltiy. For example // (https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ssh) - Url string `ecs:"url"` + Reference string `ecs:"reference"` // Scores can range from 0.0 to 10.0, with 10.0 being the most severe. // Base scores cover an assessment for exploitability metrics (attack @@ -78,7 +78,7 @@ type Vulnerability struct { // The identification (ID) is the number portion of a vulnerability entry. // It includes a unique identification number for the vulnerability. For // example (https://cve.mitre.org/about/faqs.html#what_is_cve_id) - ScannerID string `ecs:"scanner.id"` + ID string `ecs:"id"` // The name of the vulnerability scanner vendor. ScannerVendor string `ecs:"scanner.vendor"` 
@@ -88,20 +88,6 @@ type Vulnerability struct { // (https://nvd.nist.gov/vuln-metrics/cvss) Severity string `ecs:"severity"` - // The current status of the vulerability on the asset: - // Recommended values are: - // * New - First time a vulnerability is detected by a scan the status is - // set to New. - // * Active - A vulnerability detected by two or more scans is set to - // Active. - // * Fixed - A vulnerability was verified by the most recent scan as - // Fixed. - // * Re-Opened - A vulnerability was reopened by the most recent scan. - // - // For example - // (https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm) - Status string `ecs:"status"` - // The report or scan identification number. ReportID string `ecs:"report_id"` } diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index 635ed43c8e..9503e76c89 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc @@ -4153,7 +4153,7 @@ example: `In macOS before 2.12.6, there is a vulnerability in the RPC...` // =============================================================== -| vulnerability.reference +| vulnerability.enumeration | The type of identifier used for this vulnerability. For example (https://cve.mitre.org/about/) type: keyword 
@@ -4164,23 +4164,34 @@ example: `CVE` // =============================================================== -| vulnerability.report_id -| The report or scan identification number. +| vulnerability.id +| The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id) type: keyword -example: `20191018.0001` +example: `CVE-2019-00001` | extended // =============================================================== -| vulnerability.scanner.id -| The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id) +| vulnerability.reference +| A resource that provides additional information, context, and mitigations for the identified vulnerabiltiy. For example (https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ssh) type: keyword -example: `CVE-2019-00001` +example: `https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111` + +| extended + +// =============================================================== + +| vulnerability.report_id +| The report or scan identification number. + +type: keyword + +example: `20191018.0001` | extended 
@@ -4260,40 +4271,4 @@ example: `Critical` // =============================================================== -| vulnerability.status -| The current status of the vulerability on the asset: - -Recommended values are: - - * New - First time a vulnerability is detected by a scan the status is set to New. - - * Active - A vulnerability detected by two or more scans is set to Active. - - * Fixed - A vulnerability was verified by the most recent scan as Fixed. - - * Re-Opened - A vulnerability was reopened by the most recent scan. - - - -For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm) - -type: keyword - -example: `New` - -| extended - -// =============================================================== - -| vulnerability.url -| A URL to a resource that provides additional information, context, and mitigations for the identified vulnerabiltiy. For example (https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ssh) - -type: keyword - -example: `https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111` - -| extended - -// =============================================================== - |===== diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index fd8bac204d..110bccfea5 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml 
@@ -3176,20 +3176,14 @@ description: The description of the vulnerability that provides additional context of the vulnerability. For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created) example: In macOS before 2.12.6, there is a vulnerability in the RPC... - - name: reference + - name: enumeration level: extended type: keyword ignore_above: 1024 description: The type of identifier used for this vulnerability. For example (https://cve.mitre.org/about/) example: CVE - - name: report_id - level: extended - type: keyword - ignore_above: 1024 - description: The report or scan identification number. - example: 20191018.0001 - - name: scanner.id + - name: id level: extended type: keyword ignore_above: 1024 @@ -3197,6 +3191,19 @@ entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id) example: CVE-2019-00001 + - name: reference + level: extended + type: keyword + ignore_above: 1024 + description: A resource that provides additional information, context, and mitigations + for the identified vulnerabiltiy. For example (https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ssh) + example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111 + - name: report_id + level: extended + type: keyword + ignore_above: 1024 + description: The report or scan identification number. + example: 20191018.0001 - name: scanner.vendor level: extended type: keyword 
@@ -3247,21 +3254,3 @@ description: The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) example: Critical - - name: status - level: extended - type: keyword - ignore_above: 1024 - description: "The current status of the vulerability on the asset:\nRecommended\ - \ values are:\n * New - First time a vulnerability is detected by a scan\ - \ the status is set to New.\n * Active - A vulnerability detected by two\ - \ or more scans is set to Active.\n * Fixed - A vulnerability was verified\ - \ by the most recent scan as Fixed.\n * Re-Opened - A vulnerability was reopened\ - \ by the most recent scan.\n\nFor example (https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)" - example: New - - name: url - level: extended - type: keyword - ignore_above: 1024 - description: A URL to a resource that provides additional information, context, - and mitigations for the identified vulnerabiltiy. For example (https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ssh) - example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111 diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 3900e57056..9d513440b2 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -398,14 +398,13 @@ user_agent.version,keyword,extended,12.0,1.2.0-dev vulnerability.category,keyword,extended,Firewall,1.2.0-dev vulnerability.classification,keyword,extended,CVSS,1.2.0-dev vulnerability.description,keyword,extended,"In macOS before 2.12.6, there is a vulnerability in the RPC...",1.2.0-dev -vulnerability.reference,keyword,extended,CVE,1.2.0-dev +vulnerability.enumeration,keyword,extended,CVE,1.2.0-dev +vulnerability.id,keyword,extended,CVE-2019-00001,1.2.0-dev +vulnerability.reference,keyword,extended,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,1.2.0-dev vulnerability.report_id,keyword,extended,20191018.0001,1.2.0-dev -vulnerability.scanner.id,keyword,extended,CVE-2019-00001,1.2.0-dev vulnerability.scanner.vendor,keyword,extended,Tenable,1.2.0-dev vulnerability.score.base,float,extended,5.5,1.2.0-dev vulnerability.score.environmental,float,extended,5.5,1.2.0-dev vulnerability.score.temporal,float,extended,,1.2.0-dev vulnerability.score.version,keyword,extended,2.0,1.2.0-dev vulnerability.severity,keyword,extended,Critical,1.2.0-dev -vulnerability.status,keyword,extended,New,1.2.0-dev -vulnerability.url,keyword,extended,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,1.2.0-dev diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 3d514fdccc..ce6ef499d8 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -4549,14 +4549,37 @@ vulnerability.description: order: 8 short: Description of the vulnerability. type: keyword -vulnerability.reference: +vulnerability.enumeration: description: The type of identifier used for this vulnerability. For example (https://cve.mitre.org/about/) example: CVE + flat_name: vulnerability.enumeration + ignore_above: 1024 + level: extended + name: enumeration + order: 1 + short: Identifier of the vulnerability. + type: keyword +vulnerability.id: + description: The identification (ID) is the number portion of a vulnerability entry. + It includes a unique identification number for the vulnerability. For example + (https://cve.mitre.org/about/faqs.html#what_is_cve_id) + example: CVE-2019-00001 + flat_name: vulnerability.id + ignore_above: 1024 + level: extended + name: id + order: 9 + short: ID of the vulnerability. + type: keyword +vulnerability.reference: + description: A resource that provides additional information, context, and mitigations + for the identified vulnerabiltiy. For example (https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ssh) + example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111 flat_name: vulnerability.reference ignore_above: 1024 level: extended name: reference - order: 1 + order: 2 short: Reference of the vulnerability. type: keyword vulnerability.report_id: 
@@ -4566,21 +4589,9 @@ vulnerability.report_id: ignore_above: 1024 level: extended name: report_id - order: 13 + order: 12 short: Scan identification number. type: keyword -vulnerability.scanner.id: - description: The identification (ID) is the number portion of a vulnerability entry. - It includes a unique identification number for the vulnerability. For example - (https://cve.mitre.org/about/faqs.html#what_is_cve_id) - example: CVE-2019-00001 - flat_name: vulnerability.scanner.id - ignore_above: 1024 - level: extended - name: scanner.id - order: 9 - short: ID of the vulnerability. - type: keyword vulnerability.scanner.vendor: description: The name of the vulnerability scanner vendor. example: Tenable @@ -4654,29 +4665,3 @@ vulnerability.severity: order: 11 short: Severity of the vulnerability. type: keyword -vulnerability.status: - description: "The current status of the vulerability on the asset:\nRecommended\ - \ values are:\n * New - First time a vulnerability is detected by a scan the\ - \ status is set to New.\n * Active - A vulnerability detected by two or more\ - \ scans is set to Active.\n * Fixed - A vulnerability was verified by the most\ - \ recent scan as Fixed.\n * Re-Opened - A vulnerability was reopened by the most\ - \ recent scan.\n\nFor example (https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)" - example: New - flat_name: vulnerability.status - ignore_above: 1024 - level: extended - name: status - order: 12 - short: Status of the vulnerability. - type: keyword -vulnerability.url: - description: A URL to a resource that provides additional information, context, - and mitigations for the identified vulnerabiltiy. For example (https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ssh) - example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111 - flat_name: vulnerability.url - ignore_above: 1024 - level: extended - name: url - order: 2 - short: URL describing the vulnerability. - type: keyword 
diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 3563057512..2197760faa 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -5089,15 +5089,38 @@ vulnerability: order: 8 short: Description of the vulnerability. type: keyword - reference: + enumeration: description: The type of identifier used for this vulnerability. For example (https://cve.mitre.org/about/) example: CVE + flat_name: vulnerability.enumeration + ignore_above: 1024 + level: extended + name: enumeration + order: 1 + short: Identifier of the vulnerability. + type: keyword + id: + description: The identification (ID) is the number portion of a vulnerability + entry. It includes a unique identification number for the vulnerability. For + example (https://cve.mitre.org/about/faqs.html#what_is_cve_id) + example: CVE-2019-00001 + flat_name: vulnerability.id + ignore_above: 1024 + level: extended + name: id + order: 9 + short: ID of the vulnerability. + type: keyword + reference: + description: A resource that provides additional information, context, and mitigations + for the identified vulnerabiltiy. For example (https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ssh) + example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111 flat_name: vulnerability.reference ignore_above: 1024 level: extended name: reference - order: 1 + order: 2 short: Reference of the vulnerability. type: keyword report_id: 
@@ -5107,21 +5130,9 @@ vulnerability: ignore_above: 1024 level: extended name: report_id - order: 13 + order: 12 short: Scan identification number. type: keyword - scanner.id: - description: The identification (ID) is the number portion of a vulnerability - entry. It includes a unique identification number for the vulnerability. For - example (https://cve.mitre.org/about/faqs.html#what_is_cve_id) - example: CVE-2019-00001 - flat_name: vulnerability.scanner.id - ignore_above: 1024 - level: extended - name: scanner.id - order: 9 - short: ID of the vulnerability. - type: keyword scanner.vendor: description: The name of the vulnerability scanner vendor. example: Tenable @@ -5196,32 +5207,6 @@ vulnerability: order: 11 short: Severity of the vulnerability. type: keyword - status: - description: "The current status of the vulerability on the asset:\nRecommended\ - \ values are:\n * New - First time a vulnerability is detected by a scan\ - \ the status is set to New.\n * Active - A vulnerability detected by two\ - \ or more scans is set to Active.\n * Fixed - A vulnerability was verified\ - \ by the most recent scan as Fixed.\n * Re-Opened - A vulnerability was reopened\ - \ by the most recent scan.\n\nFor example (https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)" - example: New - flat_name: vulnerability.status - ignore_above: 1024 - level: extended - name: status - order: 12 - short: Status of the vulnerability. - type: keyword - url: - description: A URL to a resource that provides additional information, context, - and mitigations for the identified vulnerabiltiy. For example (https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ssh) - example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111 - flat_name: vulnerability.url - ignore_above: 1024 - level: extended - name: url - order: 2 - short: URL describing the vulnerability. - type: keyword group: 2 name: vulnerability prefix: vulnerability. 
diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json index f18da86d3e..b331b81391 100644 --- a/generated/elasticsearch/6/template.json +++ b/generated/elasticsearch/6/template.json @@ -1889,6 +1889,14 @@ "ignore_above": 1024, "type": "keyword" }, + "enumeration": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, "reference": { "ignore_above": 1024, "type": "keyword" @@ -1899,10 +1907,6 @@ }, "scanner": { "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, "vendor": { "ignore_above": 1024, "type": "keyword" @@ -1929,14 +1933,6 @@ "severity": { "ignore_above": 1024, "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "ignore_above": 1024, - "type": "keyword" } } } diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json index 911d85ebd3..60ed064b5e 100644 --- a/generated/elasticsearch/7/template.json +++ b/generated/elasticsearch/7/template.json @@ -1888,6 +1888,14 @@ "ignore_above": 1024, "type": "keyword" }, + "enumeration": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, "reference": { "ignore_above": 1024, "type": "keyword" @@ -1898,10 +1906,6 @@ }, "scanner": { "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, "vendor": { "ignore_above": 1024, "type": "keyword" @@ -1928,14 +1932,6 @@ "severity": { "ignore_above": 1024, "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "ignore_above": 1024, - "type": "keyword" } } } diff --git a/generated/legacy/template.json b/generated/legacy/template.json index a00b07ae6f..b9156c0dce 100644 --- a/generated/legacy/template.json +++ b/generated/legacy/template.json 
@@ -1264,6 +1264,14 @@ "ignore_above": 1024, "type": "keyword" }, + "enumeration": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, "reference": { "ignore_above": 1024, "type": "keyword" @@ -1274,10 +1282,6 @@ }, "scanner": { "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, "vendor": { "ignore_above": 1024, "type": "keyword" @@ -1304,14 +1308,6 @@ "severity": { "ignore_above": 1024, "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "ignore_above": 1024, - "type": "keyword" } } } diff --git a/schema.json b/schema.json index 3172bb1e0b..b16bffe46f 100644 --- a/schema.json +++ b/schema.json 
@@ -2989,33 +2989,43 @@ "required": false, "type": "keyword" }, - "vulnerability.reference": { + "vulnerability.enumeration": { "description": "The type of identifier used for this vulnerability. For example (https://cve.mitre.org/about/)", "example": "CVE", "footnote": "", "group": 2, "level": "extended", - "name": "vulnerability.reference", + "name": "vulnerability.enumeration", "required": false, "type": "keyword" }, - "vulnerability.report_id": { - "description": "The report or scan identification number.", - "example": "20191018.0001", + "vulnerability.id": { + "description": "The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)", + "example": "CVE-2019-00001", "footnote": "", "group": 2, "level": "extended", - "name": "vulnerability.report_id", + "name": "vulnerability.id", "required": false, "type": "keyword" }, - "vulnerability.scanner.id": { - "description": "The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)", - "example": "CVE-2019-00001", + "vulnerability.reference": { + "description": "A resource that provides additional information, context, and mitigations for the identified vulnerabiltiy. For example (https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ssh)", + "example": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111", + "footnote": "", + "group": 2, + "level": "extended", + "name": "vulnerability.reference", + "required": false, + "type": "keyword" + }, + "vulnerability.report_id": { + "description": "The report or scan identification number.", + "example": "20191018.0001", "footnote": "", "group": 2, "level": "extended", - "name": "vulnerability.scanner.id", + "name": "vulnerability.report_id", "required": false, "type": "keyword" }, 
@@ -3078,26 +3088,6 @@ "name": "vulnerability.severity", "required": false, "type": "keyword" - }, - "vulnerability.status": { - "description": "The current status of the vulerability on the asset:\nRecommended values are:\n * New - First time a vulnerability is detected by a scan the status is set to New.\n * Active - A vulnerability detected by two or more scans is set to Active.\n * Fixed - A vulnerability was verified by the most recent scan as Fixed.\n * Re-Opened - A vulnerability was reopened by the most recent scan.\n\nFor example (https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/vulnerability_status.htm)", - "example": "New", - "footnote": "", - "group": 2, - "level": "extended", - "name": "vulnerability.status", - "required": false, - "type": "keyword" - }, - "vulnerability.url": { - "description": "A URL to a resource that provides additional information, context, and mitigations for the identified vulnerabiltiy. For example (https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ssh)", - "example": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111", - "footnote": "", - "group": 2, - "level": "extended", - "name": "vulnerability.url", - "required": false, - "type": "keyword" } }, "group": 2, From 343078e7fea5802c8a165a3cb03e67877480723d Mon Sep 17 00:00:00 2001 From: Andrew Pease Date: Tue, 19 Nov 2019 09:11:53 -0600 Subject: [PATCH 32/36] removed unnecessary example from reference --- schemas/vulnerability.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/schemas/vulnerability.yml b/schemas/vulnerability.yml index 789ca3f146..6bbed16c93 100644 --- a/schemas/vulnerability.yml +++ b/schemas/vulnerability.yml @@ -37,8 +37,7 @@ description: > A resource that provides additional information, context, and mitigations for the identified vulnerabiltiy. - For example (https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ssh) - + example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111 - name: score.base 
From 4c4863877831eb19f6e6acc54343fb84c29a7bea Mon Sep 17 00:00:00 2001 From: Andrew Pease Date: Tue, 19 Nov 2019 09:16:24 -0600 Subject: [PATCH 33/36] fixed vulnerability typos --- schemas/vulnerability.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/schemas/vulnerability.yml b/schemas/vulnerability.yml index 6bbed16c93..4d45d1f427 100644 --- a/schemas/vulnerability.yml +++ b/schemas/vulnerability.yml @@ -2,9 +2,9 @@ - name: vulnerability title: Vulnerability group: 2 - short: Fields to describe the vulnerabilty relevant to an event. + short: Fields to describe the vulnerability relevant to an event. description: > - The vulnerability fields describe information about a vulnerabilty that is + The vulnerability fields describe information about a vulnerability that is relevant to an event. type: group @@ -36,8 +36,8 @@ short: Reference of the vulnerability. description: > A resource that provides additional information, context, and - mitigations for the identified vulnerabiltiy. - + mitigations for the identified vulnerability. + example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111 - name: score.base @@ -97,7 +97,7 @@ - name: category level: extended type: keyword - short: Category of a vulnerabilty. + short: Category of a vulnerability. description: > The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database From 9fe371a35b0ebb9660535984c6d64122c12b9f32 Mon Sep 17 00:00:00 2001 From: Andrew Pease Date: Tue, 19 Nov 2019 09:33:40 -0600 Subject: [PATCH 34/36] from make --- code/go/ecs/vulnerability.go | 5 ++--- docs/field-details.asciidoc | 4 ++-- docs/fields.asciidoc | 2 +- generated/beats/fields.ecs.yml | 4 ++-- generated/ecs/ecs_flat.yml | 4 ++-- generated/ecs/ecs_nested.yml | 8 ++++---- schema.json | 4 ++-- 7 files changed, 15 insertions(+), 16 deletions(-) 
diff --git a/code/go/ecs/vulnerability.go b/code/go/ecs/vulnerability.go index d1825bfe45..718c20321b 100644 --- a/code/go/ecs/vulnerability.go +++ b/code/go/ecs/vulnerability.go @@ -19,7 +19,7 @@ package ecs -// The vulnerability fields describe information about a vulnerabilty that is +// The vulnerability fields describe information about a vulnerability that is // relevant to an event. type Vulnerability struct { // The classification of the vulnerability scoring system. For example @@ -31,8 +31,7 @@ type Vulnerability struct { Enumeration string `ecs:"enumeration"` // A resource that provides additional information, context, and - // mitigations for the identified vulnerabiltiy. For example - // (https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ssh) + // mitigations for the identified vulnerability. Reference string `ecs:"reference"` // Scores can range from 0.0 to 10.0, with 10.0 being the most severe. diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index 9503e76c89..9876341e2f 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc @@ -4110,7 +4110,7 @@ example: `12.0` [[ecs-vulnerability]] === Vulnerability Fields -The vulnerability fields describe information about a vulnerabilty that is relevant to an event. +The vulnerability fields describe information about a vulnerability that is relevant to an event. ==== Vulnerability Field Details @@ -4176,7 +4176,7 @@ example: `CVE-2019-00001` // =============================================================== | vulnerability.reference -| A resource that provides additional information, context, and mitigations for the identified vulnerabiltiy. For example (https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ssh) +| A resource that provides additional information, context, and mitigations for the identified vulnerability. type: keyword diff --git a/docs/fields.asciidoc b/docs/fields.asciidoc index 1072ef7cf9..fcc1cb529b 100644 --- a/docs/fields.asciidoc 
+++ b/docs/fields.asciidoc @@ -84,7 +84,7 @@ all fields are defined. | <> | Fields to describe a browser user_agent string. -| <> | Fields to describe the vulnerabilty relevant to an event. +| <> | Fields to describe the vulnerability relevant to an event. |===== diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 110bccfea5..6272f082ac 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -3150,7 +3150,7 @@ - name: vulnerability title: Vulnerability group: 2 - description: The vulnerability fields describe information about a vulnerabilty + description: The vulnerability fields describe information about a vulnerability that is relevant to an event. type: group fields: @@ -3196,7 +3196,7 @@ type: keyword ignore_above: 1024 description: A resource that provides additional information, context, and mitigations - for the identified vulnerabiltiy. For example (https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ssh) + for the identified vulnerability. example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111 - name: report_id level: extended diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index ce6ef499d8..d99f872277 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -4525,7 +4525,7 @@ vulnerability.category: level: extended name: category order: 7 - short: Category of a vulnerabilty. + short: Category of a vulnerability. type: keyword vulnerability.classification: description: The classification of the vulnerability scoring system. For example 
@@ -4573,7 +4573,7 @@ vulnerability.id: type: keyword vulnerability.reference: description: A resource that provides additional information, context, and mitigations - for the identified vulnerabiltiy. For example (https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ssh) + for the identified vulnerability. example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111 flat_name: vulnerability.reference ignore_above: 1024 diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 2197760faa..904dc387f7 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -5052,7 +5052,7 @@ user_agent: title: User agent type: group vulnerability: - description: The vulnerability fields describe information about a vulnerabilty + description: The vulnerability fields describe information about a vulnerability that is relevant to an event. fields: category: @@ -5065,7 +5065,7 @@ vulnerability: level: extended name: category order: 7 - short: Category of a vulnerabilty. + short: Category of a vulnerability. type: keyword classification: description: The classification of the vulnerability scoring system. For example @@ -5114,7 +5114,7 @@ vulnerability: type: keyword reference: description: A resource that provides additional information, context, and mitigations - for the identified vulnerabiltiy. For example (https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ssh) + for the identified vulnerability. example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111 flat_name: vulnerability.reference ignore_above: 1024 @@ -5210,6 +5210,6 @@ vulnerability: group: 2 name: vulnerability prefix: vulnerability. - short: Fields to describe the vulnerabilty relevant to an event. + short: Fields to describe the vulnerability relevant to an event. title: Vulnerability type: group diff --git a/schema.json b/schema.json index b16bffe46f..dea19a7dd3 100644 --- a/schema.json +++ b/schema.json 
@@ -2957,7 +2957,7 @@ "type": "group" }, "vulnerability": { - "description": "The vulnerability fields describe information about a vulnerabilty that is relevant to an event.\n", + "description": "The vulnerability fields describe information about a vulnerability that is relevant to an event.\n", "fields": { "vulnerability.category": { "description": "The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm)", @@ -3010,7 +3010,7 @@ "type": "keyword" }, "vulnerability.reference": { - "description": "A resource that provides additional information, context, and mitigations for the identified vulnerabiltiy. For example (https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ssh)", + "description": "A resource that provides additional information, context, and mitigations for the identified vulnerability.", "example": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111", "footnote": "", "group": 2, From e5035dcab3c1b059f268425bb5262b9fbc566b93 Mon Sep 17 00:00:00 2001 From: Andrew Pease Date: Tue, 19 Nov 2019 10:44:15 -0600 Subject: [PATCH 35/36] changed category to an array. --- schemas/vulnerability.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/schemas/vulnerability.yml b/schemas/vulnerability.yml index 4d45d1f427..a9fcab3b71 100644 --- a/schemas/vulnerability.yml +++ b/schemas/vulnerability.yml @@ -104,7 +104,9 @@ or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm) - example: Firewall + This field must be an array. + + example: '["Firewall"]' - name: description level: extended From 98a8ea86bd72f1ee97f1f763624fb2cd3636ebb5 Mon Sep 17 00:00:00 2001 
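Review bot: The array requirement for `category` exists only as prose (`This field must be an array.`) while the field stays `type: keyword`, so nothing in the schema signals the constraint to consumers in a machine-readable way, and the generated Go struct in the following commit still models it as a single `Category string`. If the schema tooling has, or gains, an attribute for declaring array normalization, the requirement belongs there rather than in the description; until then, consider adding a sentence that a single value should be emitted as a one-element array so that aggregations and queries behave uniformly. The example is now the JSON-encoded string `'["Firewall"]'`, which the generated CSV and docs render literally; confirm that this matches how other array-valued fields in this repository express their examples so the generated outputs stay consistent.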
From: Andrew Pease Date: Tue, 19 Nov 2019 11:55:57 -0600 Subject: [PATCH 36/36] from make --- code/go/ecs/vulnerability.go | 1 + docs/field-details.asciidoc | 4 +++- generated/beats/fields.ecs.yml | 6 ++++-- generated/csv/fields.csv | 2 +- generated/ecs/ecs_flat.yml | 6 ++++-- generated/ecs/ecs_nested.yml | 6 ++++-- schema.json | 4 ++-- 7 files changed, 19 insertions(+), 10 deletions(-) diff --git a/code/go/ecs/vulnerability.go b/code/go/ecs/vulnerability.go index 718c20321b..97b0402856 100644 --- a/code/go/ecs/vulnerability.go +++ b/code/go/ecs/vulnerability.go @@ -67,6 +67,7 @@ type Vulnerability struct { // may be platform-specific (for example, Debian or SUSE) or general (for // example, Database or Firewall). For example // (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm) + // This field must be an array. Category string `ecs:"category"` // The description of the vulnerability that provides additional context of diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index 9876341e2f..cd918cf99f 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc @@ -4123,9 +4123,11 @@ The vulnerability fields describe information about a vulnerability that is rele | vulnerability.category | The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm) +This field must be an array. + type: keyword -example: `Firewall` +example: `["Firewall"]` | extended diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 6272f082ac..855215ee90 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml 
@@ -3158,10 +3158,12 @@ level: extended type: keyword ignore_above: 1024 - description: The type of system or architecture that the vulnerability affects. + description: 'The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm) - example: Firewall + + This field must be an array.' + example: '["Firewall"]' - name: classification level: extended type: keyword diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 9d513440b2..be07b61689 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv @@ -395,7 +395,7 @@ user_agent.os.name,keyword,extended,Mac OS X,1.2.0-dev user_agent.os.platform,keyword,extended,darwin,1.2.0-dev user_agent.os.version,keyword,extended,10.14.1,1.2.0-dev user_agent.version,keyword,extended,12.0,1.2.0-dev -vulnerability.category,keyword,extended,Firewall,1.2.0-dev +vulnerability.category,keyword,extended,"[""Firewall""]",1.2.0-dev vulnerability.classification,keyword,extended,CVSS,1.2.0-dev vulnerability.description,keyword,extended,"In macOS before 2.12.6, there is a vulnerability in the RPC...",1.2.0-dev vulnerability.enumeration,keyword,extended,CVE,1.2.0-dev diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index d99f872277..257c6dfcf6 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -4516,10 +4516,12 @@ user_agent.version: short: Version of the user agent. type: keyword vulnerability.category: - description: The type of system or architecture that the vulnerability affects. + description: 'The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm) - example: Firewall + + This field must be an array.' + example: '["Firewall"]' flat_name: vulnerability.category ignore_above: 1024 level: extended diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 904dc387f7..9ad8ffd58c 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -5056,10 +5056,12 @@ vulnerability: that is relevant to an event. fields: category: - description: The type of system or architecture that the vulnerability affects. + description: 'The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm) - example: Firewall + + This field must be an array.' + example: '["Firewall"]' flat_name: vulnerability.category ignore_above: 1024 level: extended diff --git a/schema.json b/schema.json index dea19a7dd3..34e5fdfda8 100644 --- a/schema.json +++ b/schema.json 
@@ -2960,8 +2960,8 @@ "description": "The vulnerability fields describe information about a vulnerability that is relevant to an event.\n", "fields": { "vulnerability.category": { - "description": "The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm)", - "example": "Firewall", + "description": "The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm)\nThis field must be an array.", + "example": "[\"Firewall\"]", "footnote": "", "group": 2, "level": "extended",