misje / opencti-wazuh-connector

OpenCTI–Wazuh connector looking for indicators in Wazuh and creating sightings
https://misje.github.io/opencti-wazuh-connector/
Apache License 2.0

Wazuh 4.8.0 vulnerability-detection #62

Open PekkaJalonen opened 3 months ago

PekkaJalonen commented 3 months ago

Hello,

Does the connector support new vulnerability-detection in wazuh?

The latest Wazuh release creates new wazuh-states-vulnerabilities* index to which it generates findings, and the older vulnerability detector will be deprecated.

misje commented 3 months ago

I've already tested out the new vulnerability detection module, and the changes do not affect this connector. The same events are created when vulnerabilities are found and resolved in 4.8.0. The new (optional) index is not used, but it is perhaps something I will look into in the future, if it is of any use.

PekkaJalonen commented 3 months ago

You are fast as always, thanks for the support. I will close this issue.

PekkaJalonen commented 3 months ago

Hello, actually I think that there are some issues with this. I just tested this. The Wazuh connector is only collecting vulnerabilities where the vulnerability alerts are from the old vulnerability-detector. I can still get sightings from the old alerts collected before the upgrade to 4.8.0. But anything collected after that with the new vulnerability detection model does not give any results.

When I look up one vulnerability in Wazuh 4.8.0 from the new vulnerability detection dashboard, and enrich the vulnerability in OpenCTI, I get 0 sightings.

PekkaJalonen commented 3 months ago

If agents are running an old Wazuh version, those will still report to rule.group:vulnerability-detector, but when agents are upgraded to 4.8.0, those alerts will not show up anymore; instead the data will be found in the new index only.

UPDATE: It seems that this is incorrect; new agents are generating findings and the Wazuh manager still uses vulnerability-detector as the location for alerts.

misje commented 3 months ago

I'm sorry, you're absolutely right. I almost don't believe that this is intentional, because now Wazuh doesn't appear to log any historical information that a vulnerability was present in a system. I created an issue about this in the Wazuh project and I hope I'm either wrong, and that this is a configuration issue, or that they realise that this is a big step back. This isn't just a bummer for this connector, but I really want to see events for when a vulnerability was present and solved, not just the current state.

In the worst case, I can add support for looking for the vulnerability data in the index. Most features should remain intact, apart from the fact that only active vulnerabilities can be found.

misje commented 3 months ago

As you also have discovered, there are a number of issues with Wazuh 4.8.0 (the one you have filed is quite the surprising one!). There appears to be missing events for the docker module too. I think I'll be waiting for updates from Wazuh before I spend any time on workarounds for this issue.

PekkaJalonen commented 3 months ago

Understandable, it looks to be challenging even getting any answers from Wazuh. Also, one big issue with vulnerability-detection is that it does not follow any grouping/labels, which all other alert collection does. So you cannot trigger alerts per group of agents or grant access per group of agents; everything is in a single pile of machines etc. The release is a total mess!

PekkaJalonen commented 3 weeks ago

Based on discussions after these changes, it looks like the vulnerability-detector is still used for alerts. What has changed is that the machines will run a baseline collection. For the first initial scan, no alerts will be triggered (there is an issue where they will fix this initial scan as part of release 5.0). Also, alerts for the same vulnerabilities will no longer trigger multiple times, only on changes (new, fixed etc.).

The new index wazuh-states-vulnerabilities is used for the new Vulnerability Detection dashboard.

So, basically your awesome work has not gone to waste. Still relevant even if wazuh has some shortcomings which they hopefully fix soon.
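
To make the distinction in the comment above concrete (historical detect/solve events in the alerts index versus a current-state snapshot in wazuh-states-vulnerabilities), here is an added example that is not code from the opencti-wazuh-connector project. It builds the two OpenSearch queries a connector would send for one CVE and evaluates them offline against constructed sample documents. The alert field names (rule.groups, data.vulnerability.cve, data.vulnerability.status, agent.id) follow the Wazuh alert schema; the states-index field name vulnerability.id is an assumption about that index's layout, and the sample documents are constructed, not real Wazuh output.

```python
"""Added example: CVE lookup against Wazuh alerts vs. the states index.

Not part of the opencti-wazuh-connector project. Alert field names follow
the Wazuh alert schema; the states-index field name `vulnerability.id` is an
assumption. All sample documents below are constructed for this example.
"""
from typing import Any

ALERTS_INDEX = "wazuh-alerts-*"
STATES_INDEX = "wazuh-states-vulnerabilities-*"  # assumed pattern


def alerts_query(cve: str) -> dict[str, Any]:
    """Every historical detect/solve event for a CVE, oldest first."""
    return {
        "query": {"bool": {"filter": [
            {"term": {"rule.groups": "vulnerability-detector"}},
            {"term": {"data.vulnerability.cve": cve}},
        ]}},
        "sort": [{"timestamp": "asc"}],
    }


def states_query(cve: str) -> dict[str, Any]:
    """Current state only: agents that have the CVE right now (assumed field)."""
    return {"query": {"bool": {"filter": [{"term": {"vulnerability.id": cve}}]}}}


def _get(doc: dict, path: str) -> Any:
    """Resolve a dotted field path such as data.vulnerability.cve."""
    cur: Any = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def _matches(doc: dict, query: dict) -> bool:
    """Tiny offline evaluator for the bool/filter/term queries built above."""
    for clause in query["query"]["bool"]["filter"]:
        (field, value), = clause["term"].items()
        actual = _get(doc, field)
        if isinstance(actual, list):  # rule.groups is a list in alerts
            if value not in actual:
                return False
        elif actual != value:
            return False
    return True


def sightings_from_alerts(cve: str, alerts: list[dict]) -> dict[str, dict]:
    """Per agent: first/last time the CVE was reported and its latest status.

    Because alerts are events, a vulnerability that was later Solved still
    yields a sighting with a first_seen/last_seen window.
    """
    per_agent: dict[str, dict] = {}
    for alert in sorted(alerts, key=lambda d: d["timestamp"]):
        if not _matches(alert, alerts_query(cve)):
            continue
        agent = alert["agent"]["id"]
        s = per_agent.setdefault(agent, {"first_seen": alert["timestamp"]})
        s["last_seen"] = alert["timestamp"]
        s["status"] = alert["data"]["vulnerability"]["status"]
    return per_agent


def current_state(cve: str, states: list[dict]) -> list[str]:
    """Agents currently affected according to the states index (no history)."""
    return sorted(d["agent"]["id"] for d in states if _matches(d, states_query(cve)))


# Constructed sample documents (not real Wazuh output).
SAMPLE_ALERTS = [
    {"timestamp": "2024-06-01T10:00:00.000+0000", "agent": {"id": "001"},
     "rule": {"groups": ["vulnerability-detector"]},
     "data": {"vulnerability": {"cve": "CVE-2024-0001", "status": "Active"}}},
    {"timestamp": "2024-06-03T10:00:00.000+0000", "agent": {"id": "001"},
     "rule": {"groups": ["vulnerability-detector"]},
     "data": {"vulnerability": {"cve": "CVE-2024-0001", "status": "Solved"}}},
    {"timestamp": "2024-06-02T10:00:00.000+0000", "agent": {"id": "002"},
     "rule": {"groups": ["vulnerability-detector"]},
     "data": {"vulnerability": {"cve": "CVE-2024-0001", "status": "Active"}}},
    {"timestamp": "2024-06-02T11:00:00.000+0000", "agent": {"id": "002"},
     "rule": {"groups": ["syscheck"]}, "data": {}},  # unrelated, must be ignored
]
SAMPLE_STATES = [
    {"agent": {"id": "002"}, "vulnerability": {"id": "CVE-2024-0001"}},
]

if __name__ == "__main__":
    print(sightings_from_alerts("CVE-2024-0001", SAMPLE_ALERTS))
    print(current_state("CVE-2024-0001", SAMPLE_STATES))
```

With the sample data, the alerts path reports both agents (001 with a Solved status and a two-day window, 002 still Active), while the states index only knows about 002; that is the "current state only" limitation discussed in this thread, and why a connector that wants sightings for resolved vulnerabilities has to keep reading the alerts index.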

misje commented 1 week ago

I have seen some alerts since I first raised the issue, but I haven't looked into exactly what it took to make them. Your explanation makes sense, even if I don't understand why they went this way.

Their new index is useless when what I want is to look up historical data, not just the current state, even if it could provide some use.

It sounds like there is no need to remove the vulnerability support, then. That's good!

misje commented 1 week ago

What would be the summary of how this works in the connector?