wazuh / wazuh-qa

Wazuh - Quality Assurance
GNU General Public License v2.0

Update E2E method to filter wazuh-states-vulnerabilities by detected_at instead of timestamp #5239

Closed Rebits closed 1 week ago

Rebits commented 2 weeks ago

Description

In 4.8.0-beta5 the index structure for wazuh-states-vulnerabilities changed.

In previous stages, vulnerability indices contained a timestamp field like the following:

{
   "_index":"wazuh-states-vulnerabilities",
   "_id":"master_008_b28978ba313613635f07ea1aae582041f387b2cc_CVE-2024-0741",
   "_score":1.1063815,
   "_source":{
      "@timestamp":"2024-03-06T15:51:08.761Z",
      "agent":{
         "ephemeral_id":"master",
         "id":"008",
         "name":"agent1",
         "type":"wazuh",
         "version":"v4.8.0"
      },
      "ecs":{
         "version":"8.11.0"
      },
      "host":{
         "os":{
            "full":"CentOS Linux 7.9.2009",
            "kernel":"3.10.0-1160.102.1.el7.x86_64",
            "name":"CentOS Linux",
            "platform":"centos",
            "type":"centos",
            "version":"7.9.2009"
         }
      },
      "package":{
         "architecture":"x86_64",
         "description":"Mozilla Firefox Web browser",
         "installed":"2024-03-06T15:51:04.000Z",
         "name":"firefox",
         "size":275922442,
         "type":"rpm",
         "version":"91.13.0-1.el7.centos"
      },
      "vulnerability":{
         "category":"Packages",
         "classification":"CVSS",
         "description":"An out of bounds write in ANGLE could have allowed an attacker to corrupt memory leading to a potentially exploitable crash. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7.",
         "enumeration":"CVE",
         "id":"CVE-2024-0741",
         "reference":"https://bugzilla.mozilla.org/show_bug.cgi?id=1864587, https://lists.debian.org/debian-lts-announce/2024/01/msg00015.html, https://lists.debian.org/debian-lts-announce/2024/01/msg00022.html, https://www.mozilla.org/security/advisories/mfsa2024-01/, https://www.mozilla.org/security/advisories/mfsa2024-02/, https://www.mozilla.org/security/advisories/mfsa2024-04/",
         "scanner":{
            "vendor":"Wazuh"
         },
         "score":{
            "base":6.5,
            "version":"3.1"
         },
         "severity":"Medium"
      },
      "wazuh":{
         "cluster":{
            "name":"wazuh"
         },
         "manager":{
            "name":"ip-172-31-7-184"
         }
      }
   }
},

Now this field has been removed, and a detected_at value has been included in the vulnerability field:

{
   "_index":"wazuh-states-vulnerabilities",
   "_id":"node01_002_HTOFC4PYXP_CVE-1999-1301",
   "_score":1.0,
   "_source":{
      "agent":{
         "ephemeral_id":"node01",
         "id":"002",
         "name":"1-m7MtocT5LYkPKjNC-debian8",
         "type":"wazuh"
      },
      "host":{
         "os":{
            "full":"Ubuntu 20.04.6LTS(FocalFossa)",
            "kernel":"6.2.6-76060206-generic",
            "name":"Ubuntu",
            "platform":"ubuntu",
            "type":"ubuntu",
            "version":"20.04.6.4.18.0-305.12.1.el8_4.x86_64"
         }
      },
      "package":{
         "name":"freebsd",
         "size":6,
         "version":"2.0"
      },
      "vulnerability":{
         "category":"Packages",
         "classification":"CVSS",
         "description":"A design flaw in the Z-Modem protocol allows the remote sender of a file to execute arbitrary programs on the client, as implemented in rz in the rzsz module of FreeBSD before 2.1.5, and possibly other programs.",
         "detected_at":"2024-04-15T15:46:48.356Z",
         "enumeration":"CVE",
         "id":"CVE-1999-1301",
         "published_at":"1996-07-16T04:00:00Z",
         "reference":"ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/old/FreeBSD-SA-96:17.rzsz.asc, http://ciac.llnl.gov/ciac/bulletins/g-31.shtml, http://www.iss.net/security_center/static/7540.php",
         "scanner":{
            "vendor":"Wazuh"
         },
         "score":{
            "base":7.5,
            "version":"2.0"
         },
         "severity":"High"
      },
      "wazuh":{
         "cluster":{
            "name":"wazuh"
         },
         "manager":{
            "name":"rhel-manager"
         },
         "schema":{
            "version":"1.0.0"
         }
      }
   }
},
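
One possible shape for the updated E2E filter, as an added example that is not code from wazuh-qa: it reads the detection time from vulnerability.detected_at (falling back to the legacy top-level @timestamp so mixed indices do not break the test), filters hits by a time window, and builds the matching indexer range query on the new field. The sample hits are constructed from the two documents above; the third document's CVE id is a placeholder.

```python
from datetime import datetime, timezone
from typing import List, Optional

# Constructed sample hits (not taken verbatim from the issue): one document in
# the pre-beta5 layout with a top-level @timestamp, two in the 4.8.0-beta5
# layout where the detection time lives under vulnerability.detected_at.
SAMPLE_HITS = [
    {"_id": "old_CVE-2024-0741",
     "_source": {"@timestamp": "2024-03-06T15:51:08.761Z",
                 "vulnerability": {"id": "CVE-2024-0741"}}},
    {"_id": "new_CVE-1999-1301",
     "_source": {"vulnerability": {"id": "CVE-1999-1301",
                                   "detected_at": "2024-04-15T15:46:48.356Z"}}},
    {"_id": "new_CVE-0000-0000",  # placeholder CVE id, constructed for the example
     "_source": {"vulnerability": {"id": "CVE-0000-0000",
                                   "detected_at": "2024-04-16T09:00:00.000Z"}}},
]


def parse_ts(value: str) -> datetime:
    """Parse the indexer's ISO-8601 'Z' timestamps into aware UTC datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def detection_time(hit: dict) -> datetime:
    """Return when the vulnerability was detected.

    Prefers vulnerability.detected_at (4.8.0-beta5 schema) and falls back to
    the legacy top-level @timestamp; raises if neither field is present.
    """
    src = hit["_source"]
    raw = src.get("vulnerability", {}).get("detected_at") or src.get("@timestamp")
    if raw is None:
        raise KeyError(f"{hit['_id']}: neither vulnerability.detected_at nor @timestamp")
    return parse_ts(raw)


def filter_by_detected_at(hits, since: datetime, until: Optional[datetime] = None) -> List[str]:
    """Keep hits detected within [since, until]; returns their _id values in order."""
    return [h["_id"] for h in hits
            if since <= detection_time(h) and (until is None or detection_time(h) <= until)]


def detected_at_range_query(since: datetime, until: Optional[datetime] = None) -> dict:
    """Server-side equivalent: an OpenSearch range query on the new field."""
    bounds = {"gte": since.isoformat().replace("+00:00", "Z")}
    if until is not None:
        bounds["lte"] = until.isoformat().replace("+00:00", "Z")
    return {"query": {"range": {"vulnerability.detected_at": bounds}}}
```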
Rebits commented 1 week ago

Moved ETA to 24/04/2024 to allow final review.

davidjiglesias commented 1 week ago

LGTM