misje / opencti-wazuh-connector

OpenCTI–Wazuh connector looking for indicators in Wazuh and creating sightings
https://misje.github.io/opencti-wazuh-connector/
Apache License 2.0
15 stars 1 forks

Vulnerability_incident_active_only does not seem to apply #54

Closed PekkaJalonen closed 5 months ago

PekkaJalonen commented 5 months ago

Hi,

Tested with version 0.3.0 and setting this value vulnerability_incident_active_only=true (I think it is the default, but just to ensure, I set it in the configuration).

I have tested with an old Firefox installer which had vulnerabilities, collected alerts in Wazuh and then finally removed the old software from my machine. Wazuh shows that the vulnerability is not active anymore on the endpoint, and by looking at the Wazuh alerts, the last finding is the 3rd of June.

Now when running enrichment of the vulnerability, it triggers and creates a finding, alert and incident case even though the vulnerability does not exist anymore (it has not been active for a week). If I open the alert in opencti, it shows "last seen 3.6."

misje commented 5 months ago

What are the alerts that caused the sightings (rule IDs)? Were any alerts dropped due to too many results (check the summary note)? If this vulnerability was found in many agents, that would produce a lot of results, and you may end up missing the "Solved" event.

I just tested for a severity I know was solved and it worked for me. Here is a query to look for solved severities with few hits:

GET _search
{
  "query": {
    "term": {
      "data.vulnerability.status": "Solved"
    }
  },
  "size": 0,
  "aggs": {
    "fjas": {
      "terms": {
        "field": "data.vulnerability.cve",
        "order": {
          "_count": "asc"
        },
        "size": 10
      }
    }
  }
}

It doesn't sound like it would be an issue for you if you just created these events, especially if you haven't changed the default value in search.order_by, sorting by timestamp. At least let's figure out whether your results included a Resolved alert (23502).

PekkaJalonen commented 5 months ago

Hello, sorry for bothering you with this issue, this can be closed. The reason was a too high log_alert_level in wazuh. Solved vulnerabilities raise a level 3 alert and I had level 6, so wazuh did not raise alerts when those were fixed.

Additional question here related to this. I see that the connector adds a NOTE when finding the Solved alert, but does it adjust the relationships or anything else, or just update the note? I know you have a long backlog, but as a feature for the future, it would be nice to have the possibility to have, for example, a label added to the alert or, if a workflow is enabled for alerts, update it in opencti when the finding is fixed.

misje commented 5 months ago

The reason was a too high log_alert_level in wazuh.

That makes sense. This setting is actually very useless, and I added a note in the documentation about this. I am sure someone will find a use for it one day, but as you just found out, it can lead to confusion. Several key alerts have a low priority, like syscheck. If you set it higher than 3, then looking for file hashes will also not work, as well as searching for many other SCOs.

The new setting in 0.3.0 allows you to ignore alert rule IDs, which is much more useful. I'm also thinking of adding a very customisable setting allowing you to ignore alerts with a lambda expression, where you can use any information in the alert and the STIX entity being looked up.

Additional question here related to this. I see that the connector adds a NOTE when finding the Solved alert, but does it adjust the relationships or anything else, or just update the note? I know you have a long backlog, but as a feature for the future, it would be nice to have the possibility to have, for example, a label added to the alert or, if a workflow is enabled for alerts, update it in opencti when the finding is fixed.

I'm very open to suggestions. If I understand you correctly, you want the connector to close incidents it produced when the indicator is no longer active? I just checked an export of a case/incident, and I don't see any STIX extensions for status. I doubt I will be able to set it, but I'll ask Filigran to be sure. Adding a label is possible, but I'd prefer it if this was useful for other kinds of entities as well. Perhaps something similar to my previous mention, a setting that lets you specify a lambda that inspects the alert and entity and possibly creates labels. I'll experiment with it one day.
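The two points raised above, whether the alerts returned for a CVE include a Solved alert, and how a log_alert_level above 3 silently drops that Solved alert so the vulnerability still looks active, can be reproduced offline with a small script. This is an added example written for this thread, not code from the connector; the alerts are constructed sample lines in Wazuh's JSON shape (agent names, CVE ids and the "Active"/"Solved" status values are placeholders and assumptions, not real findings), and only the fields the check uses are included.

```python
import json
from datetime import datetime

# Constructed sample alerts (not real data), deliberately out of timestamp order.
# Assumed: Wazuh's data.vulnerability.status is "Active" while affected and
# "Solved" once fixed, and the Solved alert is level 3 as described in the thread.
SAMPLE_ALERT_LINES = [
    json.dumps({"timestamp": "2024-06-03T14:30:00.000+0000",
                "rule": {"level": 3, "description": "CVE-0000-00001 that affected example-app was solved"},
                "agent": {"id": "001", "name": "workstation-01"},
                "data": {"vulnerability": {"cve": "CVE-0000-00001", "status": "Solved"}}}),
    json.dumps({"timestamp": "2024-05-28T09:00:00.000+0000",
                "rule": {"level": 7, "description": "CVE-0000-00001 affects example-app"},
                "agent": {"id": "001", "name": "workstation-01"},
                "data": {"vulnerability": {"cve": "CVE-0000-00001", "status": "Active"}}}),
    json.dumps({"timestamp": "2024-06-04T11:00:00.000+0000",
                "rule": {"level": 10, "description": "CVE-0000-00002 affects other-app"},
                "agent": {"id": "002", "name": "server-02"},
                "data": {"vulnerability": {"cve": "CVE-0000-00002", "status": "Active"}}}),
]


def parse_alert_lines(lines):
    """Parse newline-delimited alert JSON (the alerts.json shape), skipping blank lines."""
    return [json.loads(line) for line in lines if line.strip()]


def parse_timestamp(value):
    """Wazuh timestamps look like 2024-06-03T14:30:00.000+0000; %z accepts the bare offset."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def apply_log_alert_level(alerts, log_alert_level):
    """Mimic Wazuh's log_alert_level: alerts below the threshold are never written out,
    so a downstream consumer like the connector never sees them."""
    return [a for a in alerts if a["rule"]["level"] >= log_alert_level]


def latest_status_per_agent(alerts):
    """Map (agent id, CVE) -> status of the most recent alert, ordered by timestamp
    (the same ordering the connector's default search.order_by uses)."""
    latest = {}
    for alert in sorted(alerts, key=lambda a: parse_timestamp(a["timestamp"])):
        vuln = alert.get("data", {}).get("vulnerability")
        if not vuln or "cve" not in vuln:
            continue
        latest[(alert["agent"]["id"], vuln["cve"])] = vuln.get("status")
    return latest


def has_solved_alert(alerts, cve):
    """True if any returned alert reports this CVE as Solved (the thing to check first)."""
    return any(
        a.get("data", {}).get("vulnerability", {}).get("cve") == cve
        and a["data"]["vulnerability"].get("status") == "Solved"
        for a in alerts
    )


def active_cves(alerts):
    """CVEs whose last observed status on at least one agent is not Solved."""
    return sorted({
        cve for (_, cve), status in latest_status_per_agent(alerts).items()
        if status != "Solved"
    })


if __name__ == "__main__":
    alerts = parse_alert_lines(SAMPLE_ALERT_LINES)
    for level in (3, 6):
        visible = apply_log_alert_level(alerts, level)
        print(f"log_alert_level={level}: solved alert seen="
              f"{has_solved_alert(visible, 'CVE-0000-00001')} active={active_cves(visible)}")
```

With a threshold of 3 the Solved alert survives and only the second CVE is reported active; with a threshold of 6 the level 3 Solved alert is dropped before it is ever stored, so the first CVE's last visible status is still "Active" and it would be treated as an ongoing finding.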

misje commented 5 months ago

I'll close this issue. Feel free to continue the discussion on how you're using the connector, and how you want to use it for vulnerabilities in a new GitHub "discussion".