From ba8280baef952587a115950ec1ee1fe20d309218 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20Fouque?= <67908012+clement-fouque@users.noreply.github.com>
Date: Wed, 4 Sep 2024 01:16:43 +0200
Subject: [PATCH] [qualys_vmdr] Rename and convert fields. Lower case `cloud.provider` (#10966)

* Rename fields to match Qualys name.
* Convert numeric fields to long/integer.
* Lowercase `cloud.provider` field.
---
 packages/qualys_vmdr/changelog.yml | 11 +
 ...est-asset-host-detection.log-expected.json | 310 +++++++-----------
 .../elasticsearch/ingest_pipeline/default.yml | 109 ++++--
 .../asset_host_detection/fields/fields.yml | 75 ++---
 .../asset_host_detection/sample_event.json | 50 ++-
 packages/qualys_vmdr/docs/README.md | 82 ++---
 packages/qualys_vmdr/manifest.yml | 2 +-
 7 files changed, 293 insertions(+), 346 deletions(-)

diff --git a/packages/qualys_vmdr/changelog.yml b/packages/qualys_vmdr/changelog.yml
index 54ce9607a1f..425941ca013 100644
--- a/packages/qualys_vmdr/changelog.yml
+++ b/packages/qualys_vmdr/changelog.yml
@@ -1,4 +1,15 @@
 # newer versions go on top
+- version: "5.0.0"
+ changes:
+ - description: Rename fields to match Qualys name.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10966
+ - description: Convert numeric fields to long/integer.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10966
+ - description: Lowercase `cloud.provider` field.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10966
 - version: "4.3.0"
 changes:
 - description: Allow user configuration of cloud metadata collection.
diff --git a/packages/qualys_vmdr/data_stream/asset_host_detection/_dev/test/pipeline/test-asset-host-detection.log-expected.json b/packages/qualys_vmdr/data_stream/asset_host_detection/_dev/test/pipeline/test-asset-host-detection.log-expected.json
index cb8dac6e87a..c693c1036d0 100644
--- a/packages/qualys_vmdr/data_stream/asset_host_detection/_dev/test/pipeline/test-asset-host-detection.log-expected.json +++ b/packages/qualys_vmdr/data_stream/asset_host_detection/_dev/test/pipeline/test-asset-host-detection.log-expected.json @@ -6,7 +6,7 @@ "id": "i-07f91cxxx3axxxb3f", "name": "abc10" }, - "provider": "AWS", + "provider": "aws", "service": { "name": "EC2" } @@ -35,7 +35,7 @@ }, "qualys_vmdr": { "asset_host_detection": { - "asset_id": "27858031", + "asset_id": 27858031, "cloud_provider": "AWS", "cloud_provider_tags": { "cloud_tag": [ @@ -133,35 +133,27 @@ ], "tracking_method": "IP", "vulnerability": { - "affect": { - "exploitable_config": "config1", - "running": { - "kernel": "kernel1", - "service": "service1" - } - }, + "affect_exploitable_config": "config1", + "affect_running_kernel": "kernel1", + "affect_running_service": "service1", "asset_cve": "cve3", - "first": { - "found_datetime": "2023-05-30T07:46:15.000Z", - "reopened_datetime": "2023-05-22T02:09:49.000Z" - }, + "first_found_datetime": "2023-05-30T07:46:15.000Z", + "first_reopened_datetime": "2023-05-22T02:09:49.000Z", "fqdn": "exchb10.exchb10.local", "instance": "instance1", "is_disabled": true, "is_ignored": false, - "last": { - "fixed_datetime": "2023-05-22T02:09:49.000Z", - "found_datetime": "2023-05-30T07:46:15.000Z", - "processed_datetime": "2023-05-30T07:48:14.000Z", - "reopened_datetime": "2023-05-22T02:09:49.000Z", - "test_datetime": "2023-05-30T07:46:15.000Z", - "update_datetime": "2023-05-30T07:48:14.000Z" - }, + "last_fixed_datetime": "2023-05-22T02:09:49.000Z", + "last_found_datetime": "2023-05-30T07:46:15.000Z", + "last_processed_datetime": "2023-05-30T07:48:14.000Z", + "last_reopened_datetime": "2023-05-22T02:09:49.000Z", + "last_test_datetime": "2023-05-30T07:46:15.000Z", + "last_update_datetime": "2023-05-30T07:48:14.000Z", "port": 443, "protocol": "tcp", "qds": { - "severity": "MEDIUM", - "text": "50" + "score": 50, + "severity": "MEDIUM" }, "qds_factors": [ { 
@@ -173,16 +165,14 @@ "text": "5.0" } ], - "qid": "11827", + "qid": 11827, "results": "X-Content-Type-Options HTTP Header missing on port 443.\n\nGET / HTTP/1.0\nHost: 81.2.69.192\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0\n\n\n\nHTTP/1.1 200 OK\nContent-Type: text/html\nLast-Modified: Fri, 29 Mar 2019 10:51:17 GMT\nAccept-Ranges: bytes\nETag: "135e2b561de6d41:0"\nServer: Microsoft-IIS/10.0\nX-Powered-By: ASP.NET\nDate: Tue, 30 May 2023 05:56:00 GMT\nConnection: keep-alive\nContent-Length: 703\n\nStrict-Transport-Security HTTP Header missing on port 443.", "service": "service1", "severity": 2, "ssl": "0", "status": "New", - "times": { - "found": 1, - "reopened": 2 - }, + "times_found": 1, + "times_reopened": 2, "type": "Confirmed" } } @@ -236,7 +226,7 @@ }, "qualys_vmdr": { "asset_host_detection": { - "asset_id": "27858031", + "asset_id": 27858031, "dns": "abc10.fdgshb10.local", "dns_data": { "domain": "abc10.local", @@ -259,21 +249,17 @@ }, "tracking_method": "IP", "vulnerability": { - "first": { - "found_datetime": "2023-05-30T07:46:15.000Z" - }, + "first_found_datetime": "2023-05-30T07:46:15.000Z", "is_ignored": false, - "last": { - "found_datetime": "2023-05-30T07:46:15.000Z", - "processed_datetime": "2023-05-30T07:48:14.000Z", - "test_datetime": "2023-05-30T07:46:15.000Z", - "update_datetime": "2023-05-30T07:48:14.000Z" - }, + "last_found_datetime": "2023-05-30T07:46:15.000Z", + "last_processed_datetime": "2023-05-30T07:48:14.000Z", + "last_test_datetime": "2023-05-30T07:46:15.000Z", + "last_update_datetime": "2023-05-30T07:48:14.000Z", "port": 443, "protocol": "tcp", "qds": { - "severity": "MEDIUM", - "text": "50" + "score": 50, + "severity": "MEDIUM" }, "qds_factors": [ { 
@@ -285,14 +271,12 @@ "text": "5.0" } ], - "qid": "11827", + "qid": 11827, "results": "X-Content-Type-Options HTTP Header missing on port 443.\n\nGET / HTTP/1.0\nHost: 81.2.69.192\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0\n\n\n\nHTTP/1.1 200 OK\nContent-Type: text/html\nLast-Modified: Fri, 29 Mar 2019 10:51:17 GMT\nAccept-Ranges: bytes\nETag: "135e2b561de6d41:0"\nServer: Microsoft-IIS/10.0\nX-Powered-By: ASP.NET\nDate: Tue, 30 May 2023 05:56:00 GMT\nConnection: keep-alive\nContent-Length: 703\n\nStrict-Transport-Security HTTP Header missing on port 443.", "severity": 2, "ssl": "0", "status": "New", - "times": { - "found": 1 - }, + "times_found": 1, "type": "Confirmed" } } @@ -343,7 +327,7 @@ }, "qualys_vmdr": { "asset_host_detection": { - "asset_id": "27858031", + "asset_id": 27858031, "dns": "abc10.fdgshb10.local", "dns_data": { "domain": "abc10.local", @@ -372,22 +356,18 @@ ], "tracking_method": "IP", "vulnerability": { - "first": { - "found_datetime": "2023-05-30T07:46:15.000Z" - }, + "first_found_datetime": "2023-05-30T07:46:15.000Z", "is_disabled": true, "is_ignored": false, - "last": { - "found_datetime": "2023-05-30T07:46:15.000Z", - "processed_datetime": "2023-05-30T07:48:14.000Z", - "test_datetime": "2023-05-30T07:46:15.000Z", - "update_datetime": "2023-05-30T07:48:14.000Z" - }, + "last_found_datetime": "2023-05-30T07:46:15.000Z", + "last_processed_datetime": "2023-05-30T07:48:14.000Z", + "last_test_datetime": "2023-05-30T07:46:15.000Z", + "last_update_datetime": "2023-05-30T07:48:14.000Z", "port": 443, "protocol": "tcp", "qds": { - "severity": "MEDIUM", - "text": "50" + "score": 50, + "severity": "MEDIUM" }, "qds_factors": [ { 
@@ -399,14 +379,12 @@ "text": "5.0" } ], - "qid": "11827", + "qid": 11827, "results": "X-Content-Type-Options HTTP Header missing on port 443.\n\nGET / HTTP/1.0\nHost: 81.2.69.192\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0\n\n\n\nHTTP/1.1 200 OK\nContent-Type: text/html\nLast-Modified: Fri, 29 Mar 2019 10:51:17 GMT\nAccept-Ranges: bytes\nETag: "135e2b561de6d41:0"\nServer: Microsoft-IIS/10.0\nX-Powered-By: ASP.NET\nDate: Tue, 30 May 2023 05:56:00 GMT\nConnection: keep-alive\nContent-Length: 703\n\nStrict-Transport-Security HTTP Header missing on port 443.", "severity": 2, "ssl": "0", "status": "New", - "times": { - "found": 1 - }, + "times_found": 1, "type": "Confirmed" } } @@ -457,7 +435,7 @@ }, "qualys_vmdr": { "asset_host_detection": { - "asset_id": "27858031", + "asset_id": 27858031, "dns": "abc10.fdgshb10.local", "dns_data": { "domain": "abc10.local", @@ -480,22 +458,18 @@ }, "tracking_method": "IP", "vulnerability": { - "first": { - "found_datetime": "2023-05-30T07:46:15.000Z" - }, + "first_found_datetime": "2023-05-30T07:46:15.000Z", "is_disabled": true, "is_ignored": false, - "last": { - "found_datetime": "2023-05-30T07:46:15.000Z", - "processed_datetime": "2023-05-30T07:48:14.000Z", - "test_datetime": "2023-05-30T07:46:15.000Z", - "update_datetime": "2023-05-30T07:48:14.000Z" - }, + "last_found_datetime": "2023-05-30T07:46:15.000Z", + "last_processed_datetime": "2023-05-30T07:48:14.000Z", + "last_test_datetime": "2023-05-30T07:46:15.000Z", + "last_update_datetime": "2023-05-30T07:48:14.000Z", "port": 443, "protocol": "tcp", "qds": { - "severity": "MEDIUM", - "text": "50" + "score": 50, + "severity": "MEDIUM" }, "qds_factors": [ { 
@@ -507,14 +481,12 @@ "text": "5.0" } ], - "qid": "11827", + "qid": 11827, "results": "X-Content-Type-Options HTTP Header missing on port 443.\n\nGET / HTTP/1.0\nHost: 81.2.69.192\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0\n\n\n\nHTTP/1.1 200 OK\nContent-Type: text/html\nLast-Modified: Fri, 29 Mar 2019 10:51:17 GMT\nAccept-Ranges: bytes\nETag: "135e2b561de6d41:0"\nServer: Microsoft-IIS/10.0\nX-Powered-By: ASP.NET\nDate: Tue, 30 May 2023 05:56:00 GMT\nConnection: keep-alive\nContent-Length: 703\n\nStrict-Transport-Security HTTP Header missing on port 443.", "severity": 2, "ssl": "0", "status": "New", - "times": { - "found": 1 - }, + "times_found": 1, "type": "Confirmed" } } @@ -565,7 +537,7 @@ }, "qualys_vmdr": { "asset_host_detection": { - "asset_id": "27858031", + "asset_id": 27858031, "dns": "abc10.fdgshb10.local", "dns_data": { "domain": "abc10.local", @@ -631,7 +603,7 @@ }, "qualys_vmdr": { "asset_host_detection": { - "asset_id": "27703780", + "asset_id": 27703780, "dns": "win-d24ck5nn676.ldap.local", "dns_data": { "domain": "ldap.local", @@ -652,20 +624,14 @@ }, "tracking_method": "IP", "vulnerability": { - "first": { - "found_datetime": "2023-05-30T11:49:24.000Z" - }, + "first_found_datetime": "2023-05-30T11:49:24.000Z", "is_disabled": false, - "last": { - "found_datetime": "2023-06-17T12:47:54.000Z", - "processed_datetime": "2023-06-17T13:20:12.000Z" - }, - "qid": "70028", + "last_found_datetime": "2023-06-17T12:47:54.000Z", + "last_processed_datetime": "2023-06-17T13:20:12.000Z", + "qid": 70028, "results": "User Name\t(none)\nDomain\t(none)\nAuthentication Scheme\tNULL session\nSecurity\tUser-based\nSMBv1 Signing\tDisabled\nDiscovery Method\tUnable to log in using credentials provided by user, fallback to NULL session\nCIFS Signing\tdefault", "severity": 1, - "times": { - "found": 38 - }, + "times_found": 38, "type": "Info" } } 
@@ -692,7 +658,7 @@ "id": "i-07f91cxxx3axxxb3f", "name": "abc10" }, - "provider": "AWS", + "provider": "aws", "service": { "name": "EC2" } @@ -721,7 +687,7 @@ }, "qualys_vmdr": { "asset_host_detection": { - "asset_id": "27858031", + "asset_id": 27858031, "cloud_provider": "AWS", "cloud_provider_tags": { "cloud_tag": { @@ -807,22 +773,18 @@ ], "tracking_method": "IP", "vulnerability": { - "first": { - "found_datetime": "2023-05-30T07:46:15.000Z" - }, + "first_found_datetime": "2023-05-30T07:46:15.000Z", "is_disabled": true, "is_ignored": false, - "last": { - "found_datetime": "2023-05-30T07:46:15.000Z", - "processed_datetime": "2023-05-30T07:48:14.000Z", - "test_datetime": "2023-05-30T07:46:15.000Z", - "update_datetime": "2023-05-30T07:48:14.000Z" - }, + "last_found_datetime": "2023-05-30T07:46:15.000Z", + "last_processed_datetime": "2023-05-30T07:48:14.000Z", + "last_test_datetime": "2023-05-30T07:46:15.000Z", + "last_update_datetime": "2023-05-30T07:48:14.000Z", "port": 443, "protocol": "tcp", "qds": { - "severity": "MEDIUM", - "text": "50" + "score": 50, + "severity": "MEDIUM" }, "qds_factors": [ { @@ -834,14 +796,12 @@ "text": "5.0" } ], - "qid": "11827", + "qid": 11827, "results": "X-Content-Type-Options HTTP Header missing on port 443.\n\nGET / HTTP/1.0\nHost: 81.2.69.192\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0\n\n\n\nHTTP/1.1 200 OK\nContent-Type: text/html\nLast-Modified: Fri, 29 Mar 2019 10:51:17 GMT\nAccept-Ranges: bytes\nETag: "135e2b561de6d41:0"\nServer: Microsoft-IIS/10.0\nX-Powered-By: ASP.NET\nDate: Tue, 30 May 2023 05:56:00 GMT\nConnection: keep-alive\nContent-Length: 703\n\nStrict-Transport-Security HTTP Header missing on port 443.", "severity": 2, "ssl": "0", "status": "New", - "times": { - "found": 1 - }, + "times_found": 1, "type": "Confirmed" } } @@ -877,7 +837,7 @@ "id": "i-07f91cxxx3axxxb3f", "name": "abc10" }, - "provider": "AWS", + "provider": "aws", "service": { "name": "EC2" } 
@@ -906,7 +866,7 @@ }, "qualys_vmdr": { "asset_host_detection": { - "asset_id": "27858031", + "asset_id": 27858031, "cloud_provider": "AWS", "cloud_provider_tags": { "cloud_tag": [ @@ -976,35 +936,27 @@ ], "tracking_method": "IP", "vulnerability": { - "affect": { - "exploitable_config": "config1", - "running": { - "kernel": "kernel1", - "service": "service1" - } - }, + "affect_exploitable_config": "config1", + "affect_running_kernel": "kernel1", + "affect_running_service": "service1", "asset_cve": "cve3", - "first": { - "found_datetime": "2023-05-30T07:46:15.000Z", - "reopened_datetime": "2023-05-22T02:09:49.000Z" - }, + "first_found_datetime": "2023-05-30T07:46:15.000Z", + "first_reopened_datetime": "2023-05-22T02:09:49.000Z", "fqdn": "exchb10.exchb10.local", "instance": "instance1", "is_disabled": true, "is_ignored": false, - "last": { - "fixed_datetime": "2023-05-22T02:09:49.000Z", - "found_datetime": "2023-05-30T07:46:15.000Z", - "processed_datetime": "2023-05-30T07:48:14.000Z", - "reopened_datetime": "2023-05-22T02:09:49.000Z", - "test_datetime": "2023-05-30T07:46:15.000Z", - "update_datetime": "2023-05-30T07:48:14.000Z" - }, + "last_fixed_datetime": "2023-05-22T02:09:49.000Z", + "last_found_datetime": "2023-05-30T07:46:15.000Z", + "last_processed_datetime": "2023-05-30T07:48:14.000Z", + "last_reopened_datetime": "2023-05-22T02:09:49.000Z", + "last_test_datetime": "2023-05-30T07:46:15.000Z", + "last_update_datetime": "2023-05-30T07:48:14.000Z", "port": 443, "protocol": "tcp", "qds": { - "severity": "MEDIUM", - "text": "50" + "score": 50, + "severity": "MEDIUM" }, "qds_factors": [ { 
@@ -1016,16 +968,14 @@ "text": "5.0" } ], - "qid": "11827", + "qid": 11827, "results": "X-Content-Type-Options HTTP Header missing on port 443.\n\nGET / HTTP/1.0\nHost: 81.2.69.192\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0\n\n\n\nHTTP/1.1 200 OK\nContent-Type: text/html\nLast-Modified: Fri, 29 Mar 2019 10:51:17 GMT\nAccept-Ranges: bytes\nETag: "135e2b561de6d41:0"\nServer: Microsoft-IIS/10.0\nX-Powered-By: ASP.NET\nDate: Tue, 30 May 2023 05:56:00 GMT\nConnection: keep-alive\nContent-Length: 703\n\nStrict-Transport-Security HTTP Header missing on port 443.", "service": "service1", "severity": 2, "ssl": "0", "status": "New", - "times": { - "found": 1, - "reopened": 2 - }, + "times_found": 1, + "times_reopened": 2, "type": "Confirmed" } } @@ -1065,7 +1015,7 @@ "123456789123" ] }, - "provider": "Google", + "provider": "google", "service": { "name": "GCP" } @@ -1094,7 +1044,7 @@ }, "qualys_vmdr": { "asset_host_detection": { - "asset_id": "27858031", + "asset_id": 27858031, "cloud_provider": "Google", "cloud_provider_tags": { "cloud_tag": [ 
@@ -1164,35 +1114,27 @@ ], "tracking_method": "IP", "vulnerability": { - "affect": { - "exploitable_config": "config1", - "running": { - "kernel": "kernel1", - "service": "service1" - } - }, + "affect_exploitable_config": "config1", + "affect_running_kernel": "kernel1", + "affect_running_service": "service1", "asset_cve": "cve3", - "first": { - "found_datetime": "2023-05-30T07:46:15.000Z", - "reopened_datetime": "2023-05-22T02:09:49.000Z" - }, + "first_found_datetime": "2023-05-30T07:46:15.000Z", + "first_reopened_datetime": "2023-05-22T02:09:49.000Z", "fqdn": "exchb10.exchb10.local", "instance": "instance1", "is_disabled": true, "is_ignored": false, - "last": { - "fixed_datetime": "2023-05-22T02:09:49.000Z", - "found_datetime": "2023-05-30T07:46:15.000Z", - "processed_datetime": "2023-05-30T07:48:14.000Z", - "reopened_datetime": "2023-05-22T02:09:49.000Z", - "test_datetime": "2023-05-30T07:46:15.000Z", - "update_datetime": "2023-05-30T07:48:14.000Z" - }, + "last_fixed_datetime": "2023-05-22T02:09:49.000Z", + "last_found_datetime": "2023-05-30T07:46:15.000Z", + "last_processed_datetime": "2023-05-30T07:48:14.000Z", + "last_reopened_datetime": "2023-05-22T02:09:49.000Z", + "last_test_datetime": "2023-05-30T07:46:15.000Z", + "last_update_datetime": "2023-05-30T07:48:14.000Z", "port": 443, "protocol": "tcp", "qds": { - "severity": "MEDIUM", - "text": "50" + "score": 50, + "severity": "MEDIUM" }, "qds_factors": [ { 
@@ -1204,16 +1146,14 @@ "text": "5.0" } ], - "qid": "11827", + "qid": 11827, "results": "X-Content-Type-Options HTTP Header missing on port 443.\n\nGET / HTTP/1.0\nHost: 81.2.69.192\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0\n\n\n\nHTTP/1.1 200 OK\nContent-Type: text/html\nLast-Modified: Fri, 29 Mar 2019 10:51:17 GMT\nAccept-Ranges: bytes\nETag: "135e2b561de6d41:0"\nServer: Microsoft-IIS/10.0\nX-Powered-By: ASP.NET\nDate: Tue, 30 May 2023 05:56:00 GMT\nConnection: keep-alive\nContent-Length: 703\n\nStrict-Transport-Security HTTP Header missing on port 443.", "service": "service1", "severity": 2, "ssl": "0", "status": "New", - "times": { - "found": 1, - "reopened": 2 - }, + "times_found": 1, + "times_reopened": 2, "type": "Confirmed" } } @@ -1248,7 +1188,7 @@ "00000000-0000-0000-0000-000000000000" ] }, - "provider": "Azure", + "provider": "azure", "region": [ "eastus2" ], @@ -1280,7 +1220,7 @@ }, "qualys_vmdr": { "asset_host_detection": { - "asset_id": "27858031", + "asset_id": 27858031, "cloud_provider": "Azure", "cloud_provider_tags": { "cloud_tag": [ 
@@ -1350,35 +1290,27 @@ ], "tracking_method": "IP", "vulnerability": { - "affect": { - "exploitable_config": "config1", - "running": { - "kernel": "kernel1", - "service": "service1" - } - }, + "affect_exploitable_config": "config1", + "affect_running_kernel": "kernel1", + "affect_running_service": "service1", "asset_cve": "cve3", - "first": { - "found_datetime": "2023-05-30T07:46:15.000Z", - "reopened_datetime": "2023-05-22T02:09:49.000Z" - }, + "first_found_datetime": "2023-05-30T07:46:15.000Z", + "first_reopened_datetime": "2023-05-22T02:09:49.000Z", "fqdn": "exchb10.exchb10.local", "instance": "instance1", "is_disabled": true, "is_ignored": false, - "last": { - "fixed_datetime": "2023-05-22T02:09:49.000Z", - "found_datetime": "2023-05-30T07:46:15.000Z", - "processed_datetime": "2023-05-30T07:48:14.000Z", - "reopened_datetime": "2023-05-22T02:09:49.000Z", - "test_datetime": "2023-05-30T07:46:15.000Z", - "update_datetime": "2023-05-30T07:48:14.000Z" - }, + "last_fixed_datetime": "2023-05-22T02:09:49.000Z", + "last_found_datetime": "2023-05-30T07:46:15.000Z", + "last_processed_datetime": "2023-05-30T07:48:14.000Z", + "last_reopened_datetime": "2023-05-22T02:09:49.000Z", + "last_test_datetime": "2023-05-30T07:46:15.000Z", + "last_update_datetime": "2023-05-30T07:48:14.000Z", "port": 443, "protocol": "tcp", "qds": { - "severity": "MEDIUM", - "text": "50" + "score": 50, + "severity": "MEDIUM" }, "qds_factors": [ { 
@@ -1390,16 +1322,14 @@ "text": "5.0" } ], - "qid": "11827", + "qid": 11827, "results": "X-Content-Type-Options HTTP Header missing on port 443.\n\nGET / HTTP/1.0\nHost: 81.2.69.192\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0\n\n\n\nHTTP/1.1 200 OK\nContent-Type: text/html\nLast-Modified: Fri, 29 Mar 2019 10:51:17 GMT\nAccept-Ranges: bytes\nETag: "135e2b561de6d41:0"\nServer: Microsoft-IIS/10.0\nX-Powered-By: ASP.NET\nDate: Tue, 30 May 2023 05:56:00 GMT\nConnection: keep-alive\nContent-Length: 703\n\nStrict-Transport-Security HTTP Header missing on port 443.", "service": "service1", "severity": 2, "ssl": "0", "status": "New", - "times": { - "found": 1, - "reopened": 2 - }, + "times_found": 1, + "times_reopened": 2, "type": "Confirmed" } } diff --git a/packages/qualys_vmdr/data_stream/asset_host_detection/elasticsearch/ingest_pipeline/default.yml b/packages/qualys_vmdr/data_stream/asset_host_detection/elasticsearch/ingest_pipeline/default.yml index a6a44a7605c..0e0f43a6434 100644 --- a/packages/qualys_vmdr/data_stream/asset_host_detection/elasticsearch/ingest_pipeline/default.yml +++ b/packages/qualys_vmdr/data_stream/asset_host_detection/elasticsearch/ingest_pipeline/default.yml @@ -59,11 +59,16 @@ processors: - append: field: error.message value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - - rename: + - convert: field: json.ASSET_ID - tag: rename_ASSET_ID target_field: qualys_vmdr.asset_host_detection.asset_id + tag: convert_ASSET_ID_to_long + type: long ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - rename: field: json.DNS tag: rename_DNS 
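Review bot: The `convert` that replaces the `rename` of `json.ASSET_ID` (hunk `@@ -59,11 +59,16 @@`) does not consume its source field the way `rename` did, so `json.ASSET_ID` now survives this step; that is only harmless if the pipeline drops the whole `json` object later, which is outside this hunk and worth confirming. On a non-numeric value the processor fails before `target_field` is written, so the event is indexed with an `error.message` entry but no `asset_id` at all, and the raw value is retained only under `json`. If `asset_id` is the key used to correlate detections with hosts, a comment on the processor stating that a failed conversion leaves the event without an asset id would spare the next maintainer a surprise, e.g. `# On failure asset_id is absent; the raw value stays in json.ASSET_ID until json is dropped`.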
@@ -171,12 +176,12 @@ processors:
 tag: rename_CLOUD_PROVIDER
 target_field: qualys_vmdr.asset_host_detection.cloud_provider
 ignore_missing: true
- - set:
- field: cloud.provider
- tag: set_cloud_provider
- copy_from: qualys_vmdr.asset_host_detection.cloud_provider
+ - lowercase:
+ field: qualys_vmdr.asset_host_detection.cloud_provider
+ target_field: cloud.provider
+ tag: lowercase_cloud_provider
 if: ctx._conf?.want_provider_cloud == true
- ignore_empty_value: true
+ ignore_missing: true
 - rename:
 field: json.QG_HOSTID
 tag: rename_QG_HOSTID
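Review bot: Lowercasing `qualys_vmdr.asset_host_detection.cloud_provider` into `cloud.provider` produces `google` for GCP hosts (the expected fixture earlier in this patch shows `"provider": "google"` beside `"name": "GCP"`), whereas ECS documents `cloud.provider` with example values `aws`, `azure`, `gcp`, so detections and dashboards keyed on the ECS value will miss these hosts. A small normalization after the `lowercase`, e.g. `- set: field: cloud.provider value: gcp if: ctx.cloud?.provider == 'google'`, closes that gap. The replaced `set` also had `ignore_empty_value: true`, while `lowercase` with `ignore_missing: true` will presumably still write an empty `cloud.provider` when the source is an empty string; extending the guard to `if: ctx._conf?.want_provider_cloud == true && ctx.qualys_vmdr?.asset_host_detection?.cloud_provider != ''` keeps the previous behaviour.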
@@ -1021,19 +1026,19 @@ processors:
 if: ctx.qualys_vmdr?.asset_host_detection?.vulnerability?.AFFECT_RUNNING_KERNEL != null
 field: qualys_vmdr.asset_host_detection.vulnerability.AFFECT_RUNNING_KERNEL
 tag: rename_qualys_vmdr_asset_host_detection_vulnerability_AFFECT_RUNNING_KERNEL_1
- target_field: qualys_vmdr.asset_host_detection.vulnerability.affect.running.kernel
+ target_field: qualys_vmdr.asset_host_detection.vulnerability.affect_running_kernel
 ignore_missing: true
 - rename:
 if: ctx.qualys_vmdr?.asset_host_detection?.vulnerability?.AFFECT_RUNNING_SERVICE != null
 field: qualys_vmdr.asset_host_detection.vulnerability.AFFECT_RUNNING_SERVICE
 tag: rename_qualys_vmdr_asset_host_detection_vulnerability_AFFECT_RUNNING_SERVICE_1
- target_field: qualys_vmdr.asset_host_detection.vulnerability.affect.running.service
+ target_field: qualys_vmdr.asset_host_detection.vulnerability.affect_running_service
 ignore_missing: true
 - rename:
 if: ctx.qualys_vmdr?.asset_host_detection?.vulnerability?.AFFECT_EXPLOITABLE_CONFIG != null
 field: qualys_vmdr.asset_host_detection.vulnerability.AFFECT_EXPLOITABLE_CONFIG
 tag: rename_qualys_vmdr_asset_host_detection_vulnerability_AFFECT_EXPLOITABLE_CONFIG_1
- target_field: qualys_vmdr.asset_host_detection.vulnerability.affect.exploitable_config
+ target_field: qualys_vmdr.asset_host_detection.vulnerability.affect_exploitable_config
 ignore_missing: true
 - rename:
 if: ctx.qualys_vmdr?.asset_host_detection?.vulnerability?.ASSET_CVE != null
@@ -1047,6 +1052,15 @@ processors:
 tag: rename_qualys_vmdr_asset_host_detection_vulnerability_QID_1
 target_field: qualys_vmdr.asset_host_detection.vulnerability.qid
 ignore_missing: true
+ - convert:
+ field: qualys_vmdr.asset_host_detection.vulnerability.qid
+ tag: convert_qualys_vmdr_asset_host_detection_vulnerability_qid_1_to_integer
+ type: integer
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
 - rename:
 if: ctx.qualys_vmdr?.asset_host_detection?.vulnerability?.RESULTS != null
 field: qualys_vmdr.asset_host_detection.vulnerability.RESULTS
@@ -1072,11 +1086,20 @@ processors:
 target_field: qualys_vmdr.asset_host_detection.vulnerability.qds
 ignore_missing: true
 - rename:
- if: ctx.qualys_vmdr?.asset_host_detection?.vulnerability != null
+ if: ctx.qualys_vmdr?.asset_host_detection?.vulnerability?.qds != null
 field: qualys_vmdr.asset_host_detection.vulnerability.qds.#text
 tag: rename_qualys_vmdr_asset_host_detection_vulnerability_qds_#text_1
- target_field: qualys_vmdr.asset_host_detection.vulnerability.qds.text
+ target_field: qualys_vmdr.asset_host_detection.vulnerability.qds.score
+ ignore_missing: true
+ - convert:
+ field: qualys_vmdr.asset_host_detection.vulnerability.qds.score
+ tag: convert_qualys_vmdr_asset_host_detection_vulnerability_qds_score_1_to_long
+ type: long
 ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
 - rename:
 if: ctx.qualys_vmdr?.asset_host_detection?.vulnerability?.SSL != null
 field: qualys_vmdr.asset_host_detection.vulnerability.SSL
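Review bot: Both new `convert` processors in these two hunks convert in place, so when `qid` or `qds.score` is not numeric the `on_failure` handler records the error but leaves the original string in the field; with the numeric mapping the changelog announces, such a document is then rejected at index time (unless `ignore_malformed` is set on the data stream, which I cannot see here) instead of being indexed with its `error.message`. Adding a removal after the `append` in each handler, e.g. `- remove: field: qualys_vmdr.asset_host_detection.vulnerability.qid ignore_missing: true`, keeps the event indexable and the failure visible. Separately, `qds.score` is converted with `type: long` here (tag `convert_qualys_vmdr_asset_host_detection_vulnerability_qds_score_1_to_long`) but with `type: integer` in the later hunk that adds `convert_qualys_vmdr_asset_host_detection_vulnerability_qds_score_2_to_integer`; the two paths should agree with each other and with the field mapping.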
@@ -1087,7 +1110,7 @@ processors:
 if: ctx.qualys_vmdr?.asset_host_detection?.vulnerability?.FIRST_FOUND_DATETIME != null
 field: qualys_vmdr.asset_host_detection.vulnerability.FIRST_FOUND_DATETIME
 tag: date_qualys_vmdr_asset_host_detection_vulnerability_FIRST_FOUND_DATETIME_1
- target_field: qualys_vmdr.asset_host_detection.vulnerability.first.found_datetime
+ target_field: qualys_vmdr.asset_host_detection.vulnerability.first_found_datetime
 formats:
 - ISO8601
 ignore_failure: true
@@ -1099,7 +1122,7 @@ processors:
 if: ctx.qualys_vmdr?.asset_host_detection?.vulnerability?.FIRST_REOPENED_DATETIME != null
 field: qualys_vmdr.asset_host_detection.vulnerability.FIRST_REOPENED_DATETIME
 tag: date_qualys_vmdr_asset_host_detection_vulnerability_FIRST_REOPENED_DATETIME_1
- target_field: qualys_vmdr.asset_host_detection.vulnerability.first.reopened_datetime
+ target_field: qualys_vmdr.asset_host_detection.vulnerability.first_reopened_datetime
 formats:
 - ISO8601
 ignore_failure: true
@@ -1111,7 +1134,7 @@ processors:
 if: ctx.qualys_vmdr?.asset_host_detection?.vulnerability?.LAST_FOUND_DATETIME != null
 field: qualys_vmdr.asset_host_detection.vulnerability.LAST_FOUND_DATETIME
 tag: date_qualys_vmdr_asset_host_detection_vulnerability_LAST_FOUND_DATETIME_1
- target_field: qualys_vmdr.asset_host_detection.vulnerability.last.found_datetime
+ target_field: qualys_vmdr.asset_host_detection.vulnerability.last_found_datetime
 formats:
 - ISO8601
 ignore_failure: true
@@ -1122,7 +1145,7 @@ processors:
 - date:
 field: qualys_vmdr.asset_host_detection.vulnerability.LAST_REOPENED_DATETIME
 tag: date_qualys_vmdr_asset_host_detection_vulnerability_LAST_REOPENED_DATETIME_1
- target_field: qualys_vmdr.asset_host_detection.vulnerability.last.reopened_datetime
+ target_field: qualys_vmdr.asset_host_detection.vulnerability.last_reopened_datetime
 formats:
 - ISO8601
 ignore_failure: true
@@ -1133,7 +1156,7 @@ processors:
 - date:
 field: qualys_vmdr.asset_host_detection.vulnerability.LAST_PROCESSED_DATETIME
 tag: date_qualys_vmdr_asset_host_detection_vulnerability_LAST_PROCESSED_DATETIME_1
- target_field: qualys_vmdr.asset_host_detection.vulnerability.last.processed_datetime
+ target_field: qualys_vmdr.asset_host_detection.vulnerability.last_processed_datetime
 formats:
 - ISO8601
 ignore_failure: true
@@ -1145,7 +1168,7 @@ processors:
 if: ctx.qualys_vmdr?.asset_host_detection?.vulnerability?.LAST_TEST_DATETIME != null
 field: qualys_vmdr.asset_host_detection.vulnerability.LAST_TEST_DATETIME
 tag: date_qualys_vmdr_asset_host_detection_vulnerability_LAST_TEST_DATETIME_1
- target_field: qualys_vmdr.asset_host_detection.vulnerability.last.test_datetime
+ target_field: qualys_vmdr.asset_host_detection.vulnerability.last_test_datetime
 formats:
 - ISO8601
 ignore_failure: true
@@ -1157,7 +1180,7 @@ processors:
 if: ctx.qualys_vmdr?.asset_host_detection?.vulnerability?.LAST_UPDATE_DATETIME != null
 field: qualys_vmdr.asset_host_detection.vulnerability.LAST_UPDATE_DATETIME
 tag: date_qualys_vmdr_asset_host_detection_vulnerability_LAST_UPDATE_DATETIME_1
- target_field: qualys_vmdr.asset_host_detection.vulnerability.last.update_datetime
+ target_field: qualys_vmdr.asset_host_detection.vulnerability.last_update_datetime
 formats:
 - ISO8601
 ignore_failure: true
@@ -1169,7 +1192,7 @@ processors:
 if: ctx.qualys_vmdr?.asset_host_detection?.vulnerability?.LAST_FIXED_DATETIME != null
 field: qualys_vmdr.asset_host_detection.vulnerability.LAST_FIXED_DATETIME
 tag: date_qualys_vmdr_asset_host_detection_vulnerability_LAST_FIXED_DATETIME_1
- target_field: qualys_vmdr.asset_host_detection.vulnerability.last.fixed_datetime
+ target_field: qualys_vmdr.asset_host_detection.vulnerability.last_fixed_datetime
 formats:
 - ISO8601
 ignore_failure: true
@@ -1213,7 +1236,7 @@ processors:
 - convert:
 if: ctx.qualys_vmdr?.asset_host_detection?.vulnerability?.TIMES_FOUND != null
 field: qualys_vmdr.asset_host_detection.vulnerability.TIMES_FOUND
- target_field: qualys_vmdr.asset_host_detection.vulnerability.times.found
+ target_field: qualys_vmdr.asset_host_detection.vulnerability.times_found
 tag: convert_qualys_vmdr_asset_host_detection_vulnerability_TIMES_FOUND_to_long_1
 type: long
 ignore_missing: true
@@ -1224,7 +1247,7 @@ processors:
 - convert:
 if: ctx.qualys_vmdr?.asset_host_detection?.vulnerability?.TIMES_REOPENED != null
 field: qualys_vmdr.asset_host_detection.vulnerability.TIMES_REOPENED
- target_field: qualys_vmdr.asset_host_detection.vulnerability.times.reopened
+ target_field: qualys_vmdr.asset_host_detection.vulnerability.times_reopened
 tag: convert_qualys_vmdr_asset_host_detection_vulnerability_TIMES_REOPENED_to_long_1
 type: long
 ignore_missing: true
@@ -1298,8 +1321,17 @@ processors:
 if: ctx.qualys_vmdr?.asset_host_detection?.vulnerability?.qds != null
 field: qualys_vmdr.asset_host_detection.vulnerability.qds.#text
 tag: rename_qualys_vmdr_asset_host_detection_vulnerability_qds_#text_2
- target_field: qualys_vmdr.asset_host_detection.vulnerability.qds.text
+ target_field: qualys_vmdr.asset_host_detection.vulnerability.qds.score
 ignore_missing: true
+ - convert:
+ field: qualys_vmdr.asset_host_detection.vulnerability.qds.score
+ tag: convert_qualys_vmdr_asset_host_detection_vulnerability_qds_score_2_to_integer
+ type: integer
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
 - convert:
 field: qualys_vmdr.asset_host_detection.vulnerability.PORT
 target_field: qualys_vmdr.asset_host_detection.vulnerability.port
@@ -1348,7 +1380,7 @@ processors:
 field: qualys_vmdr.asset_host_detection.vulnerability.LAST_UPDATE_DATETIME
 tag: date_qualys_vmdr_asset_host_detection_vulnerability_LAST_UPDATE_DATETIME_2
 if: (!(ctx.qualys_vmdr?.asset_host_detection?.vulnerability != null)) && ctx.qualys_vmdr?.asset_host_detection?.list?.LAST_UPDATE_DATETIME != null && ctx.qualys_vmdr.asset_host_detection.vulnerability.LAST_UPDATE_DATETIME != ''
- target_field: qualys_vmdr.asset_host_detection.vulnerability.last.update_datetime
+ target_field: qualys_vmdr.asset_host_detection.vulnerability.last_update_datetime
 formats:
 - ISO8601
 on_failure:
@@ -1359,7 +1391,7 @@ processors:
 field: qualys_vmdr.asset_host_detection.vulnerability.LAST_FIXED_DATETIME
 tag: date_qualys_vmdr_asset_host_detection_vulnerability_LAST_FIXED_DATETIME_2
 if: (!(ctx.qualys_vmdr?.asset_host_detection?.vulnerability != null)) && ctx.qualys_vmdr?.asset_host_detection?.list?.LAST_FIXED_DATETIME != null && ctx.qualys_vmdr.asset_host_detection.vulnerability.LAST_FIXED_DATETIME != ''
- target_field: qualys_vmdr.asset_host_detection.vulnerability.last.fixed_datetime
+ target_field: qualys_vmdr.asset_host_detection.vulnerability.last_fixed_datetime
 formats:
 - ISO8601
 on_failure:
@@ -1370,7 +1402,7 @@ processors:
 field: qualys_vmdr.asset_host_detection.vulnerability.LAST_TEST_DATETIME
 tag: date_qualys_vmdr_asset_host_detection_vulnerability_LAST_TEST_DATETIME_2
 if: (!(ctx.qualys_vmdr?.asset_host_detection?.vulnerability != null)) && ctx.qualys_vmdr?.asset_host_detection?.list?.LAST_TEST_DATETIME != null && ctx.qualys_vmdr.asset_host_detection.vulnerability.LAST_TEST_DATETIME != ''
- target_field: qualys_vmdr.asset_host_detection.vulnerability.last.test_datetime
+ target_field: qualys_vmdr.asset_host_detection.vulnerability.last_test_datetime
 formats:
 - ISO8601
 on_failure:
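Review bot: The `if:` on each of these `_2` date processors (here for LAST_UPDATE, LAST_FIXED and LAST_TEST, and likewise in the following hunks for LAST_PROCESSED, LAST_FOUND, LAST_REOPENED, FIRST_FOUND and FIRST_REOPENED) first requires `vulnerability` to be null and then dereferences `ctx.qualys_vmdr.asset_host_detection.vulnerability.LAST_UPDATE_DATETIME` without a null-safe operator, so whenever the first two conjuncts hold the condition itself throws rather than selecting the processor, and the retargeted `target_field` is presumably never written on this path. The condition also tests `list?.LAST_UPDATE_DATETIME` while `field:` reads `vulnerability.LAST_UPDATE_DATETIME`, which reads like a copy of the `_1` variant. If this path is meant for the `list` shape, both should point at `list`, e.g. `if: ctx.qualys_vmdr?.asset_host_detection?.list?.LAST_UPDATE_DATETIME != null && ctx.qualys_vmdr.asset_host_detection.list.LAST_UPDATE_DATETIME != ''` with `field: qualys_vmdr.asset_host_detection.list.LAST_UPDATE_DATETIME`; the processors that build `list` are outside this hunk, so confirm against them first.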
@@ -1381,7 +1413,7 @@ processors:
 field: qualys_vmdr.asset_host_detection.vulnerability.LAST_PROCESSED_DATETIME
 tag: date_qualys_vmdr_asset_host_detection_vulnerability_LAST_PROCESSED_DATETIME_2
 if: (!(ctx.qualys_vmdr?.asset_host_detection?.vulnerability != null)) && ctx.qualys_vmdr?.asset_host_detection?.list?.LAST_PROCESSED_DATETIME != null && ctx.qualys_vmdr.asset_host_detection.vulnerability.LAST_PROCESSED_DATETIME != ''
- target_field: qualys_vmdr.asset_host_detection.vulnerability.last.processed_datetime
+ target_field: qualys_vmdr.asset_host_detection.vulnerability.last_processed_datetime
 formats:
 - ISO8601
 on_failure:
@@ -1392,7 +1424,7 @@ processors:
 field: qualys_vmdr.asset_host_detection.vulnerability.LAST_FOUND_DATETIME
 tag: date_qualys_vmdr_asset_host_detection_vulnerability_LAST_FOUND_DATETIME_2
 if: (!(ctx.qualys_vmdr?.asset_host_detection?.vulnerability != null)) && ctx.qualys_vmdr?.asset_host_detection?.list?.LAST_FOUND_DATETIME != null && ctx.qualys_vmdr.asset_host_detection.vulnerability.LAST_FOUND_DATETIME != ''
- target_field: qualys_vmdr.asset_host_detection.vulnerability.last.found_datetime
+ target_field: qualys_vmdr.asset_host_detection.vulnerability.last_found_datetime
 formats:
 - ISO8601
 on_failure:
@@ -1403,7 +1435,7 @@ processors:
 field: qualys_vmdr.asset_host_detection.vulnerability.LAST_REOPENED_DATETIME
 tag: date_qualys_vmdr_asset_host_detection_vulnerability_LAST_REOPENED_DATETIME_2
 if: (!(ctx.qualys_vmdr?.asset_host_detection?.vulnerability != null)) && ctx.qualys_vmdr?.asset_host_detection?.list?.LAST_REOPENED_DATETIME != null && ctx.qualys_vmdr.asset_host_detection.vulnerability.LAST_REOPENED_DATETIME != ''
- target_field: qualys_vmdr.asset_host_detection.vulnerability.last.reopened_datetime
+ target_field: qualys_vmdr.asset_host_detection.vulnerability.last_reopened_datetime
 formats:
 - ISO8601
 on_failure:
@@ -1414,7 +1446,7 @@ processors:
 field: qualys_vmdr.asset_host_detection.vulnerability.FIRST_FOUND_DATETIME
 tag: date_qualys_vmdr_asset_host_detection_vulnerability_FIRST_FOUND_DATETIME_2
 if: (!(ctx.qualys_vmdr?.asset_host_detection?.vulnerability != null)) && ctx.qualys_vmdr?.asset_host_detection?.list?.FIRST_FOUND_DATETIME != null && ctx.qualys_vmdr.asset_host_detection.vulnerability.FIRST_FOUND_DATETIME != ''
- target_field: qualys_vmdr.asset_host_detection.vulnerability.first.found_datetime
+ target_field: qualys_vmdr.asset_host_detection.vulnerability.first_found_datetime
 formats:
 - ISO8601
 on_failure:
@@ -1425,7 +1457,7 @@ processors:
 field: qualys_vmdr.asset_host_detection.vulnerability.FIRST_REOPENED_DATETIME
 tag: date_qualys_vmdr_asset_host_detection_vulnerability_FIRST_REOPENED_DATETIME_2
 if: (!(ctx.qualys_vmdr?.asset_host_detection?.vulnerability != null)) && ctx.qualys_vmdr?.asset_host_detection?.list?.FIRST_REOPENED_DATETIME != null && ctx.qualys_vmdr.asset_host_detection.vulnerability.FIRST_REOPENED_DATETIME != ''
- target_field: qualys_vmdr.asset_host_detection.vulnerability.first.reopened_datetime
+ target_field: qualys_vmdr.asset_host_detection.vulnerability.first_reopened_datetime
 formats:
 - ISO8601
 on_failure:
@@ -1457,6 +1489,15 @@ processors:
 tag: rename_qualys_vmdr_asset_host_detection_vulnerability_QID_2
 target_field: qualys_vmdr.asset_host_detection.vulnerability.qid
 ignore_missing: true
+ - convert:
+ field: qualys_vmdr.asset_host_detection.vulnerability.qid
+ tag: convert_qualys_vmdr_asset_host_detection_vulnerability_QID_2_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
 - rename:
 field: qualys_vmdr.asset_host_detection.vulnerability.PROTOCOL
 tag: rename_qualys_vmdr_asset_host_detection_vulnerability_PROTOCOL_2
@@ -1486,17 +1527,17 @@ processors:
 - rename:
 field: qualys_vmdr.asset_host_detection.vulnerability.AFFECT_RUNNING_KERNEL
 tag: rename_qualys_vmdr_asset_host_detection_vulnerability_AFFECT_RUNNING_KERNEL_2
- target_field: qualys_vmdr.asset_host_detection.vulnerability.affect.running.kernel
+ target_field: qualys_vmdr.asset_host_detection.vulnerability.affect_running_kernel
 ignore_missing: true
 - rename:
 field: qualys_vmdr.asset_host_detection.vulnerability.AFFECT_RUNNING_SERVICE
 tag: rename_qualys_vmdr_asset_host_detection_vulnerability_AFFECT_RUNNING_SERVICE_2
- target_field: qualys_vmdr.asset_host_detection.vulnerability.affect.running.service
+ target_field: qualys_vmdr.asset_host_detection.vulnerability.affect_running_service
 ignore_missing: true
 - rename:
 field: qualys_vmdr.asset_host_detection.vulnerability.AFFECT_EXPLOITABLE_CONFIG
 tag: rename_qualys_vmdr_asset_host_detection_vulnerability_AFFECT_EXPLOITABLE_CONFIG_2
- target_field: qualys_vmdr.asset_host_detection.vulnerability.affect.exploitable_config
+ target_field: qualys_vmdr.asset_host_detection.vulnerability.affect_exploitable_config
 ignore_missing: true
 - rename:
 field: qualys_vmdr.asset_host_detection.vulnerability.ASSET_CVE
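Review bot: The new convert for `vulnerability.qid` uses `type: long`, while the fields.yml hunk in this same commit maps `qid` as `type: integer` and the README table documents it as `integer`; the pipeline and the mapping should agree on one width. Either change this processor to `type: integer` (which also matches the `qds.score` convert added in the earlier hunk) or declare `qid` as `long` in fields.yml and the README. The convert's `on_failure` only appends to `error.message` and leaves the original string in place, so a non-numeric `qid` would still reach the numeric mapping; that is the same pattern as the existing converts, so it is presumably accepted, but worth keeping in mind for the new numeric fields.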
diff --git a/packages/qualys_vmdr/data_stream/asset_host_detection/fields/fields.yml b/packages/qualys_vmdr/data_stream/asset_host_detection/fields/fields.yml
index 225a988395a..48f8685974b 100644
--- a/packages/qualys_vmdr/data_stream/asset_host_detection/fields/fields.yml
+++ b/packages/qualys_vmdr/data_stream/asset_host_detection/fields/fields.yml
@@ -2,7 +2,7 @@
 type: group
 fields:
 - name: asset_id
- type: keyword
+ type: long
 - name: cloud_provider
 type: keyword
 - name: cloud_provider_tags
@@ -55,27 +55,18 @@
 - name: vulnerability
 type: group
 fields:
- - name: affect
- type: group
- fields:
- - name: exploitable_config
- type: keyword
- - name: running
- type: group
- fields:
- - name: kernel
- type: keyword
- - name: service
- type: keyword
+ - name: affect_running_kernel
+ type: keyword
+ - name: affect_running_service
+ type: keyword
+ - name: affect_exploitable_config
+ type: keyword
 - name: asset_cve
 type: keyword
- - name: first
- type: group
- fields:
- - name: found_datetime
- type: date
- - name: reopened_datetime
- type: date
+ - name: first_found_datetime
+ type: date
+ - name: first_reopened_datetime
+ type: date
 - name: fqdn
 type: keyword
 - name: instance
@@ -84,21 +75,18 @@
 type: boolean
 - name: is_ignored
 type: boolean
- - name: last
- type: group
- fields:
- - name: fixed_datetime
- type: date
- - name: found_datetime
- type: date
- - name: processed_datetime
- type: date
- - name: reopened_datetime
- type: date
- - name: test_datetime
- type: date
- - name: update_datetime
- type: date
+ - name: last_fixed_datetime
+ type: date
+ - name: last_found_datetime
+ type: date
+ - name: last_processed_datetime
+ type: date
+ - name: last_reopened_datetime
+ type: date
+ - name: last_test_datetime
+ type: date
+ - name: last_update_datetime
+ type: date
 - name: port
 type: long
 - name: protocol
@@ -108,8 +96,8 @@
 fields:
 - name: severity
 type: keyword
- - name: text
- type: keyword
+ - name: score
+ type: integer
 - name: qds_factors
 type: group
 fields:
@@ -118,7 +106,7 @@
 - name: text
 type: keyword
 - name: qid
- type: keyword
+ type: integer
 - name: results
 type: keyword
 - name: service
@@ -129,13 +117,10 @@
 type: keyword
 - name: status
 type: keyword
- - name: times
- type: group
- fields:
- - name: found
- type: long
- - name: reopened
- type: long
+ - name: times_found
+ type: long
+ - name: times_reopened
+ type: long
 - name: type
 type: keyword
 - name: unique_vuln_id
diff --git a/packages/qualys_vmdr/data_stream/asset_host_detection/sample_event.json b/packages/qualys_vmdr/data_stream/asset_host_detection/sample_event.json
index e5edd0aef71..6546586cf71 100644
--- a/packages/qualys_vmdr/data_stream/asset_host_detection/sample_event.json
+++ b/packages/qualys_vmdr/data_stream/asset_host_detection/sample_event.json
@@ -1,24 +1,24 @@
 {
- "@timestamp": "2024-07-31T09:02:37.604Z",
+ "@timestamp": "2024-09-03T21:58:42.109Z",
 "agent": {
- "ephemeral_id": "eecc68c0-2fc1-4b86-8af2-5e5550371ada",
- "id": "9cd1c977-707f-42bb-894c-63b2d362bdec",
- "name": "docker-fleet-agent",
+ "ephemeral_id": "a359e9ae-1899-4fa4-9274-489732cf28b8",
+ "id": "f5bb6a54-2f0f-43e3-8016-d1510e71d83c",
+ "name": "elastic-agent-32019",
 "type": "filebeat",
- "version": "8.13.0"
+ "version": "8.15.0"
 },
 "data_stream": {
 "dataset": "qualys_vmdr.asset_host_detection",
- "namespace": "88345",
+ "namespace": "34087",
 "type": "logs"
 },
 "ecs": {
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "9cd1c977-707f-42bb-894c-63b2d362bdec",
+ "id": "f5bb6a54-2f0f-43e3-8016-d1510e71d83c",
 "snapshot": false,
- "version": "8.13.0"
+ "version": "8.15.0"
 },
 "event": {
 "agent_id_status": "verified",
@@ -26,7 +26,7 @@
 "host"
 ],
 "dataset": "qualys_vmdr.asset_host_detection",
- "ingested": "2024-07-31T09:02:49Z",
+ "ingested": "2024-09-03T21:58:45Z",
 "kind": "alert",
 "original": "\n\n\n \n 2023-07-03T06:51:41Z\n \n \n 12048633\n 10.50.2.111\n IP\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n 2023-07-03T06:25:17Z\n 2023-07-03T06:23:47Z\n 1113\n 2023-06-28T09:58:12Z\n \n \n 5555555555\n 197595\n Confirmed\n 3\n 0\n \n Active\n 2021-02-05T04:50:45Z\n 2024-03-08T20:15:41Z\n 35\n \n \n \n \n \n \n 5393\n 2024-03-08T20:15:41Z\n 2024-03-08T20:15:41Z\n 2022-12-14T06:52:57Z\n 0\n 0\n 0\n 2024-03-08T20:15:41Z\n \n \n 6666666666\n 197597\n Confirmed\n 5\n 0\n \n Active\n 2021-02-05T04:50:45Z\n 2024-03-08T20:15:41Z\n 95\n \n \n \n \n \n \n \n \n \n \n \n 5393\n 2024-03-08T20:15:41Z\n 2024-03-08T20:15:41Z\n 2022-12-14T06:52:57Z\n 0\n 0\n 0\n 2024-03-08T20:15:41Z\n \n \n \n \n \n 1980\n 1000 record limit exceeded. Use URL to get next batch of results.\n \n \n \n",
 "type": [
@@ -52,26 +52,18 @@
 "last_vm_scanned_duration": 1113,
 "tracking_method": "IP",
 "vulnerability": {
- "affect": {
- "running": {
- "kernel": "0"
- }
- },
- "first": {
- "found_datetime": "2021-02-05T04:50:45.000Z"
- },
+ "affect_running_kernel": "0",
+ "first_found_datetime": "2021-02-05T04:50:45.000Z",
 "is_disabled": false,
 "is_ignored": false,
- "last": {
- "fixed_datetime": "2022-12-14T06:52:57.000Z",
- "found_datetime": "2024-03-08T20:15:41.000Z",
- "processed_datetime": "2024-03-08T20:15:41.000Z",
- "test_datetime": "2024-03-08T20:15:41.000Z",
- "update_datetime": "2024-03-08T20:15:41.000Z"
- },
+ "last_fixed_datetime": "2022-12-14T06:52:57.000Z",
+ "last_found_datetime": "2024-03-08T20:15:41.000Z",
+ "last_processed_datetime": "2024-03-08T20:15:41.000Z",
+ "last_test_datetime": "2024-03-08T20:15:41.000Z",
+ "last_update_datetime": "2024-03-08T20:15:41.000Z",
 "qds": {
- "severity": "LOW",
- "text": "35"
+ "score": 35,
+ "severity": "LOW"
 },
 "qds_factors": [
 {
@@ -91,14 +83,12 @@
 "text": "AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H"
 }
 ],
- "qid": "197595",
+ "qid": 197595,
 "results": "Package Installed Version Required Version\nlinux-cloud-tools-4.4.0 1074-aws_4.4.0-1074.84 1092\nlinux-aws-tools-4.4.0 1074_4.4.0-1074.84 1092\nlinux-aws-headers-4.4.0 1074_4.15.0-1126.135 1092\nlinux-tools-4.4.0 1074-aws_4.4.0-1074.84 1092\nlinux-aws-cloud-tools-4.4.0 1074_4.4.0-1074.84 1092",
 "severity": 3,
 "ssl": "0",
 "status": "Active",
- "times": {
- "found": 5393
- },
+ "times_found": 5393,
 "type": "Confirmed",
 "unique_vuln_id": "5555555555"
 }
diff --git a/packages/qualys_vmdr/docs/README.md b/packages/qualys_vmdr/docs/README.md
index 41c5f9c3d16..75dc85d1c2c 100644
--- a/packages/qualys_vmdr/docs/README.md
+++ b/packages/qualys_vmdr/docs/README.md
@@ -96,26 +96,26 @@ An example event for `asset_host_detection` looks as following:
 
 ```json
 {
- "@timestamp": "2024-07-31T09:02:37.604Z",
+ "@timestamp": "2024-09-03T21:58:42.109Z",
 "agent": {
- "ephemeral_id": "eecc68c0-2fc1-4b86-8af2-5e5550371ada",
- "id": "9cd1c977-707f-42bb-894c-63b2d362bdec",
- "name": "docker-fleet-agent",
+ "ephemeral_id": "a359e9ae-1899-4fa4-9274-489732cf28b8",
+ "id": "f5bb6a54-2f0f-43e3-8016-d1510e71d83c",
+ "name": "elastic-agent-32019",
 "type": "filebeat",
- "version": "8.13.0"
+ "version": "8.15.0"
 },
 "data_stream": {
 "dataset": "qualys_vmdr.asset_host_detection",
- "namespace": "88345",
+ "namespace": "34087",
 "type": "logs"
 },
 "ecs": {
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "9cd1c977-707f-42bb-894c-63b2d362bdec",
+ "id": "f5bb6a54-2f0f-43e3-8016-d1510e71d83c",
 "snapshot": false,
- "version": "8.13.0"
+ "version": "8.15.0"
 },
 "event": {
 "agent_id_status": "verified",
@@ -123,7 +123,7 @@ An example event for `asset_host_detection` looks as following:
 "host"
 ],
 "dataset": "qualys_vmdr.asset_host_detection",
- "ingested": "2024-07-31T09:02:49Z",
+ "ingested": "2024-09-03T21:58:45Z",
 "kind": "alert",
 "original": "\n\n\n \n 2023-07-03T06:51:41Z\n \n \n 12048633\n 10.50.2.111\n IP\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n 2023-07-03T06:25:17Z\n 2023-07-03T06:23:47Z\n 1113\n 2023-06-28T09:58:12Z\n \n \n 5555555555\n 197595\n Confirmed\n 3\n 0\n \n Active\n 2021-02-05T04:50:45Z\n 2024-03-08T20:15:41Z\n 35\n \n \n \n \n \n \n 5393\n 2024-03-08T20:15:41Z\n 2024-03-08T20:15:41Z\n 2022-12-14T06:52:57Z\n 0\n 0\n 0\n 2024-03-08T20:15:41Z\n \n \n 6666666666\n 197597\n Confirmed\n 5\n 0\n \n Active\n 2021-02-05T04:50:45Z\n 2024-03-08T20:15:41Z\n 95\n \n \n \n \n \n \n \n \n \n \n \n 5393\n 2024-03-08T20:15:41Z\n 2024-03-08T20:15:41Z\n 2022-12-14T06:52:57Z\n 0\n 0\n 0\n 2024-03-08T20:15:41Z\n \n \n \n \n \n 1980\n 1000 record limit exceeded. Use URL to get next batch of results.\n \n \n \n",
 "type": [
@@ -149,26 +149,18 @@ An example event for `asset_host_detection` looks as following:
 "last_vm_scanned_duration": 1113,
 "tracking_method": "IP",
 "vulnerability": {
- "affect": {
- "running": {
- "kernel": "0"
- }
- },
- "first": {
- "found_datetime": "2021-02-05T04:50:45.000Z"
- },
+ "affect_running_kernel": "0",
+ "first_found_datetime": "2021-02-05T04:50:45.000Z",
 "is_disabled": false,
 "is_ignored": false,
- "last": {
- "fixed_datetime": "2022-12-14T06:52:57.000Z",
- "found_datetime": "2024-03-08T20:15:41.000Z",
- "processed_datetime": "2024-03-08T20:15:41.000Z",
- "test_datetime": "2024-03-08T20:15:41.000Z",
- "update_datetime": "2024-03-08T20:15:41.000Z"
- },
+ "last_fixed_datetime": "2022-12-14T06:52:57.000Z",
+ "last_found_datetime": "2024-03-08T20:15:41.000Z",
+ "last_processed_datetime": "2024-03-08T20:15:41.000Z",
+ "last_test_datetime": "2024-03-08T20:15:41.000Z",
+ "last_update_datetime": "2024-03-08T20:15:41.000Z",
 "qds": {
- "severity": "LOW",
- "text": "35"
+ "score": 35,
+ "severity": "LOW"
 },
 "qds_factors": [
 {
@@ -188,14 +180,12 @@ An example event for `asset_host_detection` looks as following:
 "text": "AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H"
 }
 ],
- "qid": "197595",
+ "qid": 197595,
 "results": "Package Installed Version Required Version\nlinux-cloud-tools-4.4.0 1074-aws_4.4.0-1074.84 1092\nlinux-aws-tools-4.4.0 1074_4.4.0-1074.84 1092\nlinux-aws-headers-4.4.0 1074_4.15.0-1126.135 1092\nlinux-tools-4.4.0 1074-aws_4.4.0-1074.84 1092\nlinux-aws-cloud-tools-4.4.0 1074_4.4.0-1074.84 1092",
 "severity": 3,
 "ssl": "0",
 "status": "Active",
- "times": {
- "found": 5393
- },
+ "times_found": 5393,
 "type": "Confirmed",
 "unique_vuln_id": "5555555555"
 }
@@ -231,7 +221,7 @@ An example event for `asset_host_detection` looks as following:
 | event.module | Event module. | constant_keyword |
 | input.type | Type of filebeat input. | keyword |
 | log.offset | Log offset. | long |
-| qualys_vmdr.asset_host_detection.asset_id | | keyword |
+| qualys_vmdr.asset_host_detection.asset_id | | long |
 | qualys_vmdr.asset_host_detection.cloud_provider | | keyword |
 | qualys_vmdr.asset_host_detection.cloud_provider_tags.cloud_tag.last_success_date | | date |
 | qualys_vmdr.asset_host_detection.cloud_provider_tags.cloud_tag.name | | keyword |
@@ -280,36 +270,36 @@ An example event for `asset_host_detection` looks as following:
 | qualys_vmdr.asset_host_detection.tags.id | | keyword |
 | qualys_vmdr.asset_host_detection.tags.name | | keyword |
 | qualys_vmdr.asset_host_detection.tracking_method | | keyword |
-| qualys_vmdr.asset_host_detection.vulnerability.affect.exploitable_config | | keyword |
-| qualys_vmdr.asset_host_detection.vulnerability.affect.running.kernel | | keyword |
-| qualys_vmdr.asset_host_detection.vulnerability.affect.running.service | | keyword |
+| qualys_vmdr.asset_host_detection.vulnerability.affect_exploitable_config | | keyword |
+| qualys_vmdr.asset_host_detection.vulnerability.affect_running_kernel | | keyword |
+| qualys_vmdr.asset_host_detection.vulnerability.affect_running_service | | keyword |
 | qualys_vmdr.asset_host_detection.vulnerability.asset_cve | | keyword |
-| qualys_vmdr.asset_host_detection.vulnerability.first.found_datetime | | date |
-| qualys_vmdr.asset_host_detection.vulnerability.first.reopened_datetime | | date |
+| qualys_vmdr.asset_host_detection.vulnerability.first_found_datetime | | date |
+| qualys_vmdr.asset_host_detection.vulnerability.first_reopened_datetime | | date |
 | qualys_vmdr.asset_host_detection.vulnerability.fqdn | | keyword |
 | qualys_vmdr.asset_host_detection.vulnerability.instance | | keyword |
 | qualys_vmdr.asset_host_detection.vulnerability.is_disabled | | boolean |
 | qualys_vmdr.asset_host_detection.vulnerability.is_ignored | | boolean |
-| qualys_vmdr.asset_host_detection.vulnerability.last.fixed_datetime | | date |
-| qualys_vmdr.asset_host_detection.vulnerability.last.found_datetime | | date |
-| qualys_vmdr.asset_host_detection.vulnerability.last.processed_datetime | | date |
-| qualys_vmdr.asset_host_detection.vulnerability.last.reopened_datetime | | date |
-| qualys_vmdr.asset_host_detection.vulnerability.last.test_datetime | | date |
-| qualys_vmdr.asset_host_detection.vulnerability.last.update_datetime | | date |
+| qualys_vmdr.asset_host_detection.vulnerability.last_fixed_datetime | | date |
+| qualys_vmdr.asset_host_detection.vulnerability.last_found_datetime | | date |
+| qualys_vmdr.asset_host_detection.vulnerability.last_processed_datetime | | date |
+| qualys_vmdr.asset_host_detection.vulnerability.last_reopened_datetime | | date |
+| qualys_vmdr.asset_host_detection.vulnerability.last_test_datetime | | date |
+| qualys_vmdr.asset_host_detection.vulnerability.last_update_datetime | | date |
 | qualys_vmdr.asset_host_detection.vulnerability.port | | long |
 | qualys_vmdr.asset_host_detection.vulnerability.protocol | | keyword |
+| qualys_vmdr.asset_host_detection.vulnerability.qds.score | | integer |
 | qualys_vmdr.asset_host_detection.vulnerability.qds.severity | | keyword |
-| qualys_vmdr.asset_host_detection.vulnerability.qds.text | | keyword |
 | qualys_vmdr.asset_host_detection.vulnerability.qds_factors.name | | keyword |
 | qualys_vmdr.asset_host_detection.vulnerability.qds_factors.text | | keyword |
-| qualys_vmdr.asset_host_detection.vulnerability.qid | | keyword |
+| qualys_vmdr.asset_host_detection.vulnerability.qid | | integer |
 | qualys_vmdr.asset_host_detection.vulnerability.results | | keyword |
 | qualys_vmdr.asset_host_detection.vulnerability.service | | keyword |
 | qualys_vmdr.asset_host_detection.vulnerability.severity | | long |
 | qualys_vmdr.asset_host_detection.vulnerability.ssl | | keyword |
 | qualys_vmdr.asset_host_detection.vulnerability.status | | keyword |
-| qualys_vmdr.asset_host_detection.vulnerability.times.found | | long |
-| qualys_vmdr.asset_host_detection.vulnerability.times.reopened | | long |
+| qualys_vmdr.asset_host_detection.vulnerability.times_found | | long |
+| qualys_vmdr.asset_host_detection.vulnerability.times_reopened | | long |
 | qualys_vmdr.asset_host_detection.vulnerability.type | | keyword |
 | qualys_vmdr.asset_host_detection.vulnerability.unique_vuln_id | | keyword |
 
diff --git a/packages/qualys_vmdr/manifest.yml b/packages/qualys_vmdr/manifest.yml
index 633e29e3379..afabb3ef2dd 100644
--- a/packages/qualys_vmdr/manifest.yml
+++ b/packages/qualys_vmdr/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.2"
 name: qualys_vmdr
 title: Qualys VMDR
-version: "4.3.0"
+version: "5.0.0"
 description: Collect data from Qualys VMDR platform with Elastic Agent.
 type: integration
 categories: