diff --git a/packages/qualys_vmdr/changelog.yml b/packages/qualys_vmdr/changelog.yml index ef9763913ba..242723800a1 100644 --- a/packages/qualys_vmdr/changelog.yml +++ b/packages/qualys_vmdr/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "6.19.1" + changes: + - description: Record missing KB entries in `knowledge_base.status` instead of `error.message`, so they no longer mark documents as `pipeline_error`. + type: bugfix + link: https://github.com/elastic/integrations/pull/20052 - version: "6.19.0" changes: - description: Use new `release` field for agentless deployment mode to establish as beta. diff --git a/packages/qualys_vmdr/data_stream/asset_host_detection/_dev/test/pipeline/test-asset-host-detection-events.json b/packages/qualys_vmdr/data_stream/asset_host_detection/_dev/test/pipeline/test-asset-host-detection-events.json index d19343c116f..edef6ec7c52 100644 --- a/packages/qualys_vmdr/data_stream/asset_host_detection/_dev/test/pipeline/test-asset-host-detection-events.json +++ b/packages/qualys_vmdr/data_stream/asset_host_detection/_dev/test/pipeline/test-asset-host-detection-events.json @@ -5,6 +5,12 @@ "interval_id": "86fae5c8-3209-4b86-ac48-4b5ba6e7adb5", "interval_start": "2025-05-20T22:57:42.484Z", "message": "{\"DETECTION_LIST\":{\"FIRST_FOUND_DATETIME\":\"2019-11-06T09:41:57Z\",\"IS_DISABLED\":\"0\",\"IS_IGNORED\":\"0\",\"LAST_FOUND_DATETIME\":\"2019-11-11T23:29:53Z\",\"LAST_PROCESSED_DATETIME\":\"2019-11-12T15:00:26Z\",\"LAST_TEST_DATETIME\":\"2019-11-11T23:29:53Z\",\"LAST_UPDATE_DATETIME\":\"2019-11-12T15:00:26Z\",\"QID\":\"256716\",\"RESULTS\":\"Package\\tInstalled Version\\tRequired Version;;rsync\\t3.1.2-12.el7_9.tuxcare.els1.x86_64\\t3.1.2-12.el7_9.tuxcare.els2;;CentOS Linux release 7.9 (Final, ELS by Cloudlinux)\",\"SEVERITY\":\"4\",\"SSL\":\"0\",\"STATUS\":\"Active\",\"TIMES_FOUND\":\"10\",\"TYPE\":\"Confirmed\",\"UNIQUE_VULN_ID\":\"2029338482\"},\"DNS\":\"user-staging.example.net\",\"DNS_DATA\":{\"DOMAIN\":\"example.net\",\"FQDN\":\"user-staging.example.net\",\"HOSTNAME\":\"user-staging\"},\"ID\":\"117163093\",\"IP\":\"81.2.69.192\",\"KNOWLEDGE_BASE\":{\"CATEGORY\":\"CentOS\",\"CODE_MODIFIED_DATETIME\":\"2019-11-04T10:48:40Z\",\"CONSEQUENCE\":\"This vulnerability could be exploited to gain complete access to sensitive information. Malicious users could also use this vulnerability to change all the contents or configuration on the system. Additionally this vulnerability can also be used to cause a complete denial of service and could render the resource completely unavailable.\",\"CORRELATION\":{\"EXPLOITS\":{\"EXPLT_SRC\":[{\"EXPLT_LIST\":{\"EXPLT\":[{\"DESC\":\"A buffer overflow flaw was found, in versions from 2.6.34 to 5.2.x, in the way Linux kernel's vhost functionality that translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. A privileged guest user able to pass descriptors with invalid length to the host when migration is underway, could use this flaw to increase their privileges on the host.\",\"LINK\":\"https://www.openwall.com/lists/oss-security/2019/09/17/1\",\"REF\":\"CVE-2019-14835\"}]},\"SRC_NAME\":\"nist-nvd2\"},{\"EXPLT_LIST\":{\"EXPLT\":[{\"DESC\":\"A buffer overflow flaw was found, in versions from 2.6.34 to 5.2.x, in the way Linux kernel's vhost functionality that translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. A privileged guest user able to pass descriptors with invalid length to the host when migration is underway, could use this flaw to increase their privileges on the host.\",\"LINK\":\"https://www.openwall.com/lists/oss-security/2019/09/17/1\",\"REF\":\"CVE-2019-14835\"}]},\"SRC_NAME\":\"nvd\"}]}},\"CVE_LIST\":[\"CVE-2019-14835\"],\"CVSS\":{\"BASE\":\"7.2\",\"TEMPORAL\":\"5.6\",\"VECTOR_STRING\":\"CVSS:2.0/AV:L/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C\"},\"CVSS_V3\":{\"BASE\":\"7.8\",\"CVSS3_VERSION\":\"3.1\",\"TEMPORAL\":\"7.0\",\"VECTOR_STRING\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C\"},\"DIAGNOSIS\":\"CentOS has released security update for kernel to fix the vulnerabilities.

Affected Products:

centos 7\",\"DISCOVERY\":{\"ADDITIONAL_INFO\":\"Patch Available, Exploit Available\",\"AUTH_TYPE_LIST\":{\"AUTH_TYPE\":[\"Unix\"]},\"REMOTE\":\"0\"},\"LAST_SERVICE_MODIFICATION_DATETIME\":\"2024-03-01T00:00:02Z\",\"PATCHABLE\":\"1\",\"PCI_FLAG\":\"1\",\"PUBLISHED_DATETIME\":\"2019-11-04T10:48:40Z\",\"QID\":\"256716\",\"SEVERITY_LEVEL\":\"4\",\"SOFTWARE_LIST\":{\"SOFTWARE\":[{\"PRODUCT\":\"kernel\",\"VENDOR\":\"centos\"}]},\"SOLUTION\":\"To resolve this issue, upgrade to the latest packages which contain a patch. Refer to CentOS advisory centos 7 for updates and patch information.\\n

Patch:
\\nFollowing are links for downloading patches to fix the vulnerabilities:\\n

CESA-2019:2829:centos 7\",\"THREAT_INTELLIGENCE\":{\"THREAT_INTEL\":[{\"#text\":\"Exploit_Public\",\"id\":\"2\"},{\"#text\":\"High_Lateral_Movement\",\"id\":\"4\"},{\"#text\":\"Easy_Exploit\",\"id\":\"5\"},{\"#text\":\"High_Data_Loss\",\"id\":\"6\"},{\"#text\":\"Denial_of_Service\",\"id\":\"7\"}]},\"TITLE\":\"CentOS Security Update for kernel (CESA-2019:2829)\",\"VENDOR_REFERENCE_LIST\":{\"VENDOR_REFERENCE\":[{\"ID\":\"CESA-2019:2829 centos 7\",\"URL\":\"https://lists.centos.org/pipermail/centos-announce/2019-October/023457.html\"}]},\"VULN_TYPE\":\"Vulnerability\"},\"LAST_PC_SCANNED_DATE\":\"2019-11-11T22:25:02Z\",\"LAST_SCAN_DATETIME\":\"2019-11-12T15:00:26Z\",\"LAST_VM_AUTH_SCANNED_DATE\":\"2019-11-11T23:29:53Z\",\"LAST_VM_SCANNED_DATE\":\"2019-11-11T23:29:53Z\",\"NETWORK_ID\":\"0\",\"OS\":\"CentOS Linux 7.4.1708\",\"QG_HOSTID\":\"19260abb-8547-467e-928d-73c13f13ea3c\",\"TRACKING_METHOD\":\"AGENT\"}" + }, + { + "@timestamp": "2025-12-01T10:15:00.000Z", + "interval_id": "9d69b1dc-8e86-4946-809e-577433b1d999", + "interval_start": "2025-12-01T10:15:00Z", + "message": "{\"DETECTION_LIST\":{\"FIRST_FOUND_DATETIME\":\"2019-11-06T09:41:57Z\",\"IS_DISABLED\":\"0\",\"IS_IGNORED\":\"0\",\"LAST_FOUND_DATETIME\":\"2019-11-11T23:29:53Z\",\"LAST_PROCESSED_DATETIME\":\"2019-11-12T15:00:26Z\",\"LAST_TEST_DATETIME\":\"2019-11-11T23:29:53Z\",\"LAST_UPDATE_DATETIME\":\"2019-11-12T15:00:26Z\",\"QID\":\"256716\",\"SEVERITY\":\"4\",\"SSL\":\"0\",\"STATUS\":\"Active\",\"TIMES_FOUND\":\"10\",\"TYPE\":\"Confirmed\",\"UNIQUE_VULN_ID\":\"2029338483\"},\"DNS\":\"user-noKB.example.net\",\"DNS_DATA\":{\"DOMAIN\":\"example.net\",\"FQDN\":\"user-noKB.example.net\",\"HOSTNAME\":\"user-noKB\"},\"ID\":\"117163099\",\"IP\":\"81.2.69.193\",\"LAST_PC_SCANNED_DATE\":\"2019-11-11T22:25:02Z\",\"LAST_SCAN_DATETIME\":\"2019-11-12T15:00:26Z\",\"LAST_VM_AUTH_SCANNED_DATE\":\"2019-11-11T23:29:53Z\",\"LAST_VM_SCANNED_DATE\":\"2019-11-11T23:29:53Z\",\"NETWORK_ID\":\"0\",\"OS\":\"CentOS Linux 7.4.1708\",\"QG_HOSTID\":\"19260abb-8547-467e-928d-73c13f13ea3d\",\"TRACKING_METHOD\":\"AGENT\"}" } ] } \ No newline at end of file diff --git a/packages/qualys_vmdr/data_stream/asset_host_detection/_dev/test/pipeline/test-asset-host-detection-events.json-expected.json b/packages/qualys_vmdr/data_stream/asset_host_detection/_dev/test/pipeline/test-asset-host-detection-events.json-expected.json index fb3921d37fd..3f538c05923 100644 --- a/packages/qualys_vmdr/data_stream/asset_host_detection/_dev/test/pipeline/test-asset-host-detection-events.json-expected.json +++ b/packages/qualys_vmdr/data_stream/asset_host_detection/_dev/test/pipeline/test-asset-host-detection-events.json-expected.json @@ -139,6 +139,7 @@ "solution": { "value": "To resolve this issue, upgrade to the latest packages which contain a patch. Refer to CentOS advisory centos 7 for updates and patch information.\n

Patch:
\nFollowing are links for downloading patches to fix the vulnerabilities:\n

CESA-2019:2829:centos 7" }, + "status": "found", "threat_intelligence": { "intel": [ { @@ -261,6 +262,110 @@ "severity": "High", "title": "CentOS Security Update for kernel (CESA-2019:2829)" } + }, + { + "@timestamp": "2025-12-01T10:15:00.000Z", + "cloud": { + "instance": { + "name": "user-noKB" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "id": "2029338483", + "kind": "alert", + "original": "{\"DETECTION_LIST\":{\"FIRST_FOUND_DATETIME\":\"2019-11-06T09:41:57Z\",\"IS_DISABLED\":\"0\",\"IS_IGNORED\":\"0\",\"LAST_FOUND_DATETIME\":\"2019-11-11T23:29:53Z\",\"LAST_PROCESSED_DATETIME\":\"2019-11-12T15:00:26Z\",\"LAST_TEST_DATETIME\":\"2019-11-11T23:29:53Z\",\"LAST_UPDATE_DATETIME\":\"2019-11-12T15:00:26Z\",\"QID\":\"256716\",\"SEVERITY\":\"4\",\"SSL\":\"0\",\"STATUS\":\"Active\",\"TIMES_FOUND\":\"10\",\"TYPE\":\"Confirmed\",\"UNIQUE_VULN_ID\":\"2029338483\"},\"DNS\":\"user-noKB.example.net\",\"DNS_DATA\":{\"DOMAIN\":\"example.net\",\"FQDN\":\"user-noKB.example.net\",\"HOSTNAME\":\"user-noKB\"},\"ID\":\"117163099\",\"IP\":\"81.2.69.193\",\"LAST_PC_SCANNED_DATE\":\"2019-11-11T22:25:02Z\",\"LAST_SCAN_DATETIME\":\"2019-11-12T15:00:26Z\",\"LAST_VM_AUTH_SCANNED_DATE\":\"2019-11-11T23:29:53Z\",\"LAST_VM_SCANNED_DATE\":\"2019-11-11T23:29:53Z\",\"NETWORK_ID\":\"0\",\"OS\":\"CentOS Linux 7.4.1708\",\"QG_HOSTID\":\"19260abb-8547-467e-928d-73c13f13ea3d\",\"TRACKING_METHOD\":\"AGENT\"}", + "type": [ + "info" + ] + }, + "host": { + "hostname": "user-noKB", + "id": "117163099", + "ip": [ + "81.2.69.193" + ], + "name": "user-noKB.example.net", + "os": { + "full": "CentOS Linux 7.4.1708", + "platform": "linux", + "type": "linux" + } + }, + "observer": { + "vendor": "Qualys VMDR" + }, + "qualys_vmdr": { + "asset_host_detection": { + "dns": "user-noKB.example.net", + "dns_data": { + "domain": "example.net", + "fqdn": "user-noKB.example.net", + "hostname": "user-noKB" + }, + "id": "117163099", + "interval_id": "9d69b1dc-8e86-4946-809e-577433b1d999", + "interval_start": "2025-12-01T10:15:00.000Z", + "ip": "81.2.69.193", + "knowledge_base": { + "status": "not_found" + }, + "last_pc_scanned_date": "2019-11-11T22:25:02.000Z", + "last_scan_datetime": "2019-11-12T15:00:26.000Z", + "last_vm_auth_scanned_date": "2019-11-11T23:29:53.000Z", + "last_vm_scanned_date": "2019-11-11T23:29:53.000Z", + "network_id": "0", + "os": "CentOS Linux 7.4.1708", + "qg_hostid": "19260abb-8547-467e-928d-73c13f13ea3d", + "tracking_method": "AGENT", + "vulnerability": { + "first_found_datetime": "2019-11-06T09:41:57.000Z", + "is_disabled": false, + "is_ignored": false, + "last_found_datetime": "2019-11-11T23:29:53.000Z", + "last_processed_datetime": "2019-11-12T15:00:26.000Z", + "last_test_datetime": "2019-11-11T23:29:53.000Z", + "last_update_datetime": "2019-11-12T15:00:26.000Z", + "qid": 256716, + "severity": 4, + "ssl": "0", + "status": "Active", + "times_found": 10, + "type": "Confirmed", + "unique_vuln_id": "2029338483" + } + } + }, + "related": { + "hosts": [ + "user-noKB", + "user-noKB.example.net", + "117163099", + "19260abb-8547-467e-928d-73c13f13ea3d" + ], + "ip": [ + "81.2.69.193" + ] + }, + "resource": { + "id": "117163099", + "name": "user-noKB.example.net" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "provider_cloud_data" + ], + "vulnerability": { + "scanner": { + "vendor": "Qualys" + } + } } ] } diff --git a/packages/qualys_vmdr/data_stream/asset_host_detection/_dev/test/pipeline/test-asset-host-detection.log b/packages/qualys_vmdr/data_stream/asset_host_detection/_dev/test/pipeline/test-asset-host-detection.log index 9076a5324dd..1a9dd3ff0c3 100644 --- a/packages/qualys_vmdr/data_stream/asset_host_detection/_dev/test/pipeline/test-asset-host-detection.log +++ b/packages/qualys_vmdr/data_stream/asset_host_detection/_dev/test/pipeline/test-asset-host-detection.log @@ -6,3 +6,4 @@ {"interval_id":"9d69b1dc-abcd-4946-1234-577abcdef843","interval_start":"2025-06-10T14:29:00Z","DETECTION_LIST":{"FIRST_FOUND_DATETIME":"2019-11-06T09:41:57Z","IS_DISABLED":"0","IS_IGNORED":"0","LAST_FOUND_DATETIME":"2019-11-11T23:29:53Z","LAST_PROCESSED_DATETIME":"2019-11-12T15:00:26Z","LAST_TEST_DATETIME":"2019-11-11T23:29:53Z","LAST_UPDATE_DATETIME":"2019-11-12T15:00:26Z","QID":"212346","RESULTS":"Package\tInstalled Version\tRequired Version\nkernel-devel\t3.10.0-1062.1.1.el7.x86_64\t3.10.0-1062.1.2.el7\nkernel\t3.10.0-1062.1.1.el7.x86_64\t3.10.0-1062.1.2.el7","SEVERITY":"4","SSL":"0","STATUS":"Active","TIMES_FOUND":"10","TYPE":"Confirmed","UNIQUE_VULN_ID":"2012345682"},"DNS":"user-staging.example.net","DNS_DATA":{"DOMAIN":"example.net","FQDN":"user-staging.example.net","HOSTNAME":"user-staging"},"ID":"111234563","IP":"175.16.199.1","KNOWLEDGE_BASE":{"CATEGORY":"CentOS","CODE_MODIFIED_DATETIME":"2019-11-04T10:48:40Z","CONSEQUENCE":"This vulnerability could be exploited to gain complete access to sensitive information. Malicious users could also use this vulnerability to change all the contents or configuration on the system. Additionally this vulnerability can also be used to cause a complete denial of service and could render the resource completely unavailable.","CORRELATION":{"EXPLOITS":{"EXPLT_SRC":[{"EXPLT_LIST":{"EXPLT":[{"DESC":"A buffer overflow flaw was found, in versions from 2.6.34 to 5.2.x, in the way Linux kernel's vhost functionality that translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. A privileged guest user able to pass descriptors with invalid length to the host when migration is underway, could use this flaw to increase their privileges on the host.","LINK":"https://www.openwall.com/lists/oss-security/2019/09/17/1","REF":"CVE-2019-14835"}]},"SRC_NAME":"nist-nvd2"},{"EXPLT_LIST":{"EXPLT":[{"DESC":"A buffer overflow flaw was found, in versions from 2.6.34 to 5.2.x, in the way Linux kernel's vhost functionality that translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. A privileged guest user able to pass descriptors with invalid length to the host when migration is underway, could use this flaw to increase their privileges on the host.","LINK":"https://www.openwall.com/lists/oss-security/2019/09/17/1","REF":"CVE-2019-14835"}]},"SRC_NAME":"nvd"}]}},"CVE_LIST":["CVE-2019-14835"],"CVSS":{"BASE":"7.2","TEMPORAL":"5.6","VECTOR_STRING":"CVSS:2.0/AV:L/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C"},"DIAGNOSIS":"CentOS has released security update for kernel to fix the vulnerabilities.

Affected Products:

centos 7","DISCOVERY":{"ADDITIONAL_INFO":"Patch Available, Exploit Available","AUTH_TYPE_LIST":{"AUTH_TYPE":["Unix"]},"REMOTE":"0"},"LAST_SERVICE_MODIFICATION_DATETIME":"2024-05-01T00:00:02Z","PATCHABLE":"1","PCI_FLAG":"1","PUBLISHED_DATETIME":"2019-11-04T10:48:40Z","QID":"212346","SEVERITY_LEVEL":"4","SOFTWARE_LIST":{"SOFTWARE":[{"PRODUCT":"kernel","VENDOR":"centos"}]},"SOLUTION":"To resolve this issue, upgrade to the latest packages which contain a patch. Refer to CentOS advisory centos 7 for updates and patch information.\n

Patch:
\nFollowing are links for downloading patches to fix the vulnerabilities:\n

CESA-2019:2829:centos 7","THREAT_INTELLIGENCE":{"THREAT_INTEL":[{"#text":"Exploit_Public","id":"2"},{"#text":"High_Lateral_Movement","id":"4"},{"#text":"Easy_Exploit","id":"5"},{"#text":"High_Data_Loss","id":"6"},{"#text":"Denial_of_Service","id":"7"}]},"TITLE":"CentOS Security Update for kernel (CESA-2019:2829)","VENDOR_REFERENCE_LIST":{"VENDOR_REFERENCE":[{"ID":"CESA-2019:2829 centos 7","URL":"https://lists.centos.org/pipermail/centos-announce/2019-October/023457.html"}]},"VULN_TYPE":"Vulnerability"},"LAST_PC_SCANNED_DATE":"2019-11-11T22:25:02Z","LAST_SCAN_DATETIME":"2019-11-12T15:00:26Z","LAST_VM_AUTH_SCANNED_DATE":"2019-11-11T23:29:53Z","LAST_VM_SCANNED_DATE":"2019-11-11T23:29:53Z","NETWORK_ID":"0","OS":"CentOS Linux 7.4.1708","QG_HOSTID":"19260abb-1234-5678-9012-73cabcdefa3c","TRACKING_METHOD":"AGENT"} {"DETECTION_LIST":{"FIRST_FOUND_DATETIME":"2025-07-22T19:57:38Z","IS_DISABLED":"0","IS_IGNORED":"0","LAST_FOUND_DATETIME":"2025-07-24T09:57:38Z","LAST_PROCESSED_DATETIME":"2025-07-24T09:57:38Z","LAST_TEST_DATETIME":"2025-07-24T09:57:38Z","LAST_UPDATE_DATETIME":"2025-07-24T09:57:38Z","QDS":{"#text":"35","severity":"LOW"},"QDS_FACTORS":{"QDS_FACTOR":[{"#text":"No_Patch,High_Data_Loss,High_Lateral_Movement","name":"RTI"},{"#text":"7.3","name":"CVSS"},{"#text":"v2","name":"CVSS_version"},{"#text":"3.0","name":"QID_severity"}]},"QID":"12345","RESULTS":"HKLM\\System\\CurrentControlSet\\Services\\LanManWorkstation\\Parameters requiresecuritysignature = 0","SEVERITY":"3","SSL":"0","STATUS":"Active","TIMES_FOUND":"4","TYPE":"Confirmed","UNIQUE_VULN_ID":"10123456787"},"DNS":"es-pabcde02","DNS_DATA":{"DOMAIN":"","FQDN":"","HOSTNAME":"es-pabcde02"},"ID":"1123456787","IP":"1.128.0.1","KNOWLEDGE_BASE":{"CATEGORY":"Windows","CODE_MODIFIED_DATETIME":"2023-04-26T06:24:46Z","CONSEQUENCE":"Unauthorized users sniffing the network could catch many challenge/response exchanges and replay the whole thing to grab particular session keys, and then authenticate on the Domain Controller.","CVE_LIST":[],"CVSS":{"BASE":{"#text":"7.3","source":"service"},"TEMPORAL":"5.9","VECTOR_STRING":"CVSS:2.0/AV:A/AC:M/Au:N/C:C/I:C/A:N/E:U/RL:W/RC:C"},"DIAGNOSIS":"This host does not seem to be using SMB (Server Message Block) signing. SMB signing is a security mechanism in the SMB protocol and is also known as security signatures. SMB signing is designed to help improve the security of the SMB protocol.\n

\nSMB signing adds security to a network using NetBIOS, avoiding man-in-the-middle attacks.\n

\nWhen SMB signing is enabled on both the client and server SMB sessions are authenticated between the machines on a packet by packet basis.

\n\nQID Detection Logic:
\nThis checks from the registry value of RequireSecuritySignature and EnableSecuritySignature from HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LanmanWorkStation\\Parameters for client and HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LanmanServer\\Parameters for servers to check if SMB signing is required or enabled or disabled.

\n\nNote: On 5/28/2020 the QID was updated to check for client SMB signing behavior via the registry key HKEY_LOCAL_MACHINE\\SystemCurrent\\ControlSetServices\\LanmanWorkStation\\Parameters. The complete detection logic is explained above.

","DISCOVERY":{"AUTH_TYPE_LIST":{"AUTH_TYPE":["Windows"]},"REMOTE":"1"},"LAST_SERVICE_MODIFICATION_DATETIME":"2024-10-25T05:00:01Z","PATCHABLE":"0","PCI_FLAG":"1","PUBLISHED_DATETIME":"1999-01-01T08:00:00Z","QID":"12345","SEVERITY_LEVEL":"3","SOFTWARE_LIST":{"SOFTWARE":[{"PRODUCT":"smb","VENDOR":"multi-vendor"}]},"SOLUTION":"Without SMB signing, a device could intercept SMB network packets from an originating computer, alter their contents, and broadcast them to the destination computer. Since, digitally signing the packets enables the recipient of the packets to confirm their point of origination and their authenticity, it is recommended that SMB signing is enabled and required.\n

\nPlease refer to Microsoft's article 887429 and The Basics of SMB Signing (covering both SMB1 and SMB2) for information on enabling SMB signing. \n

\nFor Windows Server 2008 R2, Windows Server 2012, please refer to Microsoft's article Require SMB Security Signatures for information on enabling SMB signing. For group policies please refer to Microsoft's article Modify Security Policies in Default Domain Controllers Policy\n

\nFor UNIX systems

\n\nTo require samba clients running "smbclient" to use packet signing, add the following to the "[global]" section of the Samba configuration file:

\n\nclient signing = mandatory\n

","THREAT_INTELLIGENCE":{"THREAT_INTEL":[{"#text":"High_Lateral_Movement","id":"4"},{"#text":"High_Data_Loss","id":"6"},{"#text":"No_Patch","id":"8"}]},"TITLE":"SMB Signing Disabled or SMB Signing Not Required","VULN_TYPE":"Vulnerability"},"LAST_SCAN_DATETIME":"2025-07-24T09:57:38Z","LAST_VM_AUTH_SCANNED_DATE":"2025-07-24T09:57:38Z","LAST_VM_SCANNED_DATE":"2025-07-24T09:57:38Z","LAST_VM_SCANNED_DURATION":"175","NETBIOS":"ES-pabcde02","NETWORK_ID":"0","OS":"Windows 11 Pro 64 bit Edition Version 22H2","QG_HOSTID":"69abcde8-1234-4134-5678-19abcdeffa0a","TRACKING_METHOD":"AGENT","interval_id":"f10d9ca1-1234-4e4f-9546-f4ab94dc901d","interval_start":"2025-07-24T13:19:37.031904353Z"} {"DETECTION_LIST":{"CVE":"CVE-2023-48161,CVE-2024-21208,CVE-2024-21210,CVE-2024-21217,CVE-2024-21235","FIRST_FOUND_DATETIME":"2025-11-22T19:57:38Z","IS_DISABLED":"0","IS_IGNORED":"0","LAST_FOUND_DATETIME":"2025-11-24T09:57:38Z","LAST_PROCESSED_DATETIME":"2025-11-24T09:57:38Z","LAST_TEST_DATETIME":"2025-11-24T09:57:38Z","LAST_UPDATE_DATETIME":"2025-11-24T09:57:38Z","LATEST_VULNERABILITY_DETECTION_SOURCE":"Cloud Agent","MITRE_TACTIC_NAME":"lateral-movement, privilege-escalation","MITRE_TECHNIQUE_NAME":"Exploitation of Remote Services, Exploitation for Privilege Escalation","MITRE_TACTIC_ID":"TA0008, TA0004","MITRE_TECHNIQUE_ID":"T1210, T1068","QDS":{"#text":"35","severity":"LOW"},"QDS_FACTORS":{"QDS_FACTOR":[{"#text":"No_Patch,High_Data_Loss,High_Lateral_Movement","name":"RTI"},{"#text":"7.3","name":"CVSS"},{"#text":"v2","name":"CVSS_version"},{"#text":"3.0","name":"QID_severity"}]},"QID":"33335","RESULTS":"HKLM\\System\\CurrentControlSet\\Services\\LanManWorkstation\\Parameters requiresecuritysignature = 0","SEVERITY":"3","SSL":"0","STATUS":"Active","TIMES_FOUND":"4","TYPE":"Confirmed","UNIQUE_VULN_ID":"10333356787","VULNERABILITY_DETECTION_SOURCES":"Cloud Agent,Internal Scanner"},"DNS":"es-abcde03","DNS_DATA":{"DOMAIN":"","FQDN":"","HOSTNAME":"es-abcde03"},"ID":"1333356787","IP":"1.128.0.1","KNOWLEDGE_BASE":{"CATEGORY":"Windows","CODE_MODIFIED_DATETIME":"2023-04-26T06:24:46Z","CONSEQUENCE":"Unauthorized users sniffing the network could catch many challenge/response exchanges and replay the whole thing to grab particular session keys, and then authenticate on the Domain Controller.","CVE_LIST":[],"CVSS":{"BASE":{"#text":"7.3","source":"service"},"TEMPORAL":"5.9","VECTOR_STRING":"CVSS:2.0/AV:A/AC:M/Au:N/C:C/I:C/A:N/E:U/RL:W/RC:C"},"DIAGNOSIS":"This host does not seem to be using SMB (Server Message Block) signing. SMB signing is a security mechanism in the SMB protocol and is also known as security signatures. SMB signing is designed to help improve the security of the SMB protocol.\n

\nSMB signing adds security to a network using NetBIOS, avoiding man-in-the-middle attacks.\n

\nWhen SMB signing is enabled on both the client and server SMB sessions are authenticated between the machines on a packet by packet basis.

\n\nQID Detection Logic:
\nThis checks from the registry value of RequireSecuritySignature and EnableSecuritySignature from HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LanmanWorkStation\\Parameters for client and HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LanmanServer\\Parameters for servers to check if SMB signing is required or enabled or disabled.

\n\nNote: On 5/28/2020 the QID was updated to check for client SMB signing behavior via the registry key HKEY_LOCAL_MACHINE\\SystemCurrent\\ControlSetServices\\LanmanWorkStation\\Parameters. The complete detection logic is explained above.

","DISCOVERY":{"AUTH_TYPE_LIST":{"AUTH_TYPE":["Windows"]},"REMOTE":"1"},"LAST_SERVICE_MODIFICATION_DATETIME":"2024-10-25T05:00:01Z","PATCHABLE":"0","PCI_FLAG":"1","PUBLISHED_DATETIME":"1999-01-01T08:00:00Z","QID":"33335","SEVERITY_LEVEL":"3","SOFTWARE_LIST":{"SOFTWARE":[{"PRODUCT":"smb","VENDOR":"multi-vendor"}]},"SOLUTION":"Without SMB signing, a device could intercept SMB network packets from an originating computer, alter their contents, and broadcast them to the destination computer. Since, digitally signing the packets enables the recipient of the packets to confirm their point of origination and their authenticity, it is recommended that SMB signing is enabled and required.\n

\nPlease refer to Microsoft's article 887429 and The Basics of SMB Signing (covering both SMB1 and SMB2) for information on enabling SMB signing. \n

\nFor Windows Server 2008 R2, Windows Server 2012, please refer to Microsoft's article Require SMB Security Signatures for information on enabling SMB signing. For group policies please refer to Microsoft's article Modify Security Policies in Default Domain Controllers Policy\n

\nFor UNIX systems

\n\nTo require samba clients running "smbclient" to use packet signing, add the following to the "[global]" section of the Samba configuration file:

\n\nclient signing = mandatory\n

","THREAT_INTELLIGENCE":{"THREAT_INTEL":[{"#text":"High_Lateral_Movement","id":"4"},{"#text":"High_Data_Loss","id":"6"},{"#text":"No_Patch","id":"8"}]},"TITLE":"SMB Signing Disabled or SMB Signing Not Required","VULN_TYPE":"Vulnerability"},"LAST_SCAN_DATETIME":"2025-11-24T09:57:38Z","LAST_VM_AUTH_SCANNED_DATE":"2025-11-24T09:57:38Z","LAST_VM_SCANNED_DATE":"2025-11-24T09:57:38Z","LAST_VM_SCANNED_DURATION":"175","NETBIOS":"ES-abcde03","NETWORK_ID":"0","OS":"Windows 11 Pro 64 bit Edition Version 22H2","QG_HOSTID":"69abcde8-3333-4134-5678-19abcdeffa0a","TRACKING_METHOD":"AGENT","interval_id":"f10d9ab1-3333-4e4f-9546-f4ab94dc901d","interval_start":"2025-11-24T13:19:37.031904353Z"} +{"interval_id":"9d69b1dc-8e86-4946-809e-577433b1d999","interval_start":"2025-12-01T10:15:00Z","DETECTION_LIST":{"FIRST_FOUND_DATETIME":"2019-11-06T09:41:57Z","IS_DISABLED":"0","IS_IGNORED":"0","LAST_FOUND_DATETIME":"2019-11-11T23:29:53Z","LAST_PROCESSED_DATETIME":"2019-11-12T15:00:26Z","LAST_TEST_DATETIME":"2019-11-11T23:29:53Z","LAST_UPDATE_DATETIME":"2019-11-12T15:00:26Z","QID":"256716","SEVERITY":"4","SSL":"0","STATUS":"Active","TIMES_FOUND":"10","TYPE":"Confirmed","UNIQUE_VULN_ID":"2029338483"},"DNS":"user-noKB.example.net","DNS_DATA":{"DOMAIN":"example.net","FQDN":"user-noKB.example.net","HOSTNAME":"user-noKB"},"ID":"117163099","IP":"81.2.69.193","LAST_PC_SCANNED_DATE":"2019-11-11T22:25:02Z","LAST_SCAN_DATETIME":"2019-11-12T15:00:26Z","LAST_VM_AUTH_SCANNED_DATE":"2019-11-11T23:29:53Z","LAST_VM_SCANNED_DATE":"2019-11-11T23:29:53Z","NETWORK_ID":"0","OS":"CentOS Linux 7.4.1708","QG_HOSTID":"19260abb-8547-467e-928d-73c13f13ea3d","TRACKING_METHOD":"AGENT"} diff --git a/packages/qualys_vmdr/data_stream/asset_host_detection/_dev/test/pipeline/test-asset-host-detection.log-expected.json b/packages/qualys_vmdr/data_stream/asset_host_detection/_dev/test/pipeline/test-asset-host-detection.log-expected.json index 7ea71664bf7..7dfe4de15c9 100644 --- a/packages/qualys_vmdr/data_stream/asset_host_detection/_dev/test/pipeline/test-asset-host-detection.log-expected.json +++ b/packages/qualys_vmdr/data_stream/asset_host_detection/_dev/test/pipeline/test-asset-host-detection.log-expected.json @@ -140,6 +140,7 @@ "solution": { "value": "To resolve this issue, upgrade to the latest packages which contain a patch. Refer to CentOS advisory centos 7 for updates and patch information.\n

Patch:
\nFollowing are links for downloading patches to fix the vulnerabilities:\n

CESA-2019:2829:centos 7" }, + "status": "found", "threat_intelligence": { "intel": [ { @@ -413,6 +414,7 @@ "solution": { "value": "Refer to Ubuntu security advisory USN-7022-1 for updates and patch information.\n

Patch:
\nFollowing are links for downloading patches to fix the vulnerabilities:\n

USN-7022-1:Ubuntu Linux" }, + "status": "found", "threat_intelligence": { "intel": [ { @@ -1127,6 +1129,7 @@ "solution": { "value": "Refer to Ubuntu security advisory USN-6605-1 for updates and patch information.\n

Patch:
\nFollowing are links for downloading patches to fix the vulnerabilities:\n

USN-6605-1:Ubuntu Linux" }, + "status": "found", "threat_intelligence": { "intel": [ { @@ -1806,6 +1809,7 @@ "solution": { "value": "To resolve this issue, upgrade to the latest packages which contain a patch. Refer to CentOS advisory centos 7 for updates and patch information.\n

Patch:
\nFollowing are links for downloading patches to fix the vulnerabilities:\n

CESA-2019:2829:centos 7" }, + "status": "found", "threat_intelligence": { "intel": [ { @@ -2068,6 +2072,7 @@ "solution": { "value": "To resolve this issue, upgrade to the latest packages which contain a patch. Refer to CentOS advisory centos 7 for updates and patch information.\n

Patch:
\nFollowing are links for downloading patches to fix the vulnerabilities:\n

CESA-2019:2829:centos 7" }, + "status": "found", "threat_intelligence": { "intel": [ { @@ -2332,6 +2337,7 @@ "solution": { "value": "To resolve this issue, upgrade to the latest packages which contain a patch. Refer to CentOS advisory centos 7 for updates and patch information.\n

Patch:
\nFollowing are links for downloading patches to fix the vulnerabilities:\n

CESA-2019:2829:centos 7" }, + "status": "found", "threat_intelligence": { "intel": [ { @@ -2550,6 +2556,7 @@ "solution": { "value": "Without SMB signing, a device could intercept SMB network packets from an originating computer, alter their contents, and broadcast them to the destination computer. Since, digitally signing the packets enables the recipient of the packets to confirm their point of origination and their authenticity, it is recommended that SMB signing is enabled and required.\n

\nPlease refer to Microsoft's article 887429 and The Basics of SMB Signing (covering both SMB1 and SMB2) for information on enabling SMB signing. \n

\nFor Windows Server 2008 R2, Windows Server 2012, please refer to Microsoft's article Require SMB Security Signatures for information on enabling SMB signing. For group policies please refer to Microsoft's article Modify Security Policies in Default Domain Controllers Policy\n

\nFor UNIX systems

\n\nTo require samba clients running "smbclient" to use packet signing, add the following to the "[global]" section of the Samba configuration file:

\n\nclient signing = mandatory\n

" }, + "status": "found", "threat_intelligence": { "intel": [ { @@ -2745,6 +2752,7 @@ "solution": { "value": "Without SMB signing, a device could intercept SMB network packets from an originating computer, alter their contents, and broadcast them to the destination computer. Since, digitally signing the packets enables the recipient of the packets to confirm their point of origination and their authenticity, it is recommended that SMB signing is enabled and required.\n

\nPlease refer to Microsoft's article 887429 and The Basics of SMB Signing (covering both SMB1 and SMB2) for information on enabling SMB signing. \n

\nFor Windows Server 2008 R2, Windows Server 2012, please refer to Microsoft's article Require SMB Security Signatures for information on enabling SMB signing. For group policies please refer to Microsoft's article Modify Security Policies in Default Domain Controllers Policy\n

\nFor UNIX systems

\n\nTo require samba clients running "smbclient" to use packet signing, add the following to the "[global]" section of the Samba configuration file:

\n\nclient signing = mandatory\n

" }, + "status": "found", "threat_intelligence": { "intel": [ { @@ -2879,6 +2887,109 @@ "severity": "High", "title": "SMB Signing Disabled or SMB Signing Not Required" } + }, + { + "cloud": { + "instance": { + "name": "user-noKB" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "id": "2029338483", + "kind": "alert", + "original": "{\"interval_id\":\"9d69b1dc-8e86-4946-809e-577433b1d999\",\"interval_start\":\"2025-12-01T10:15:00Z\",\"DETECTION_LIST\":{\"FIRST_FOUND_DATETIME\":\"2019-11-06T09:41:57Z\",\"IS_DISABLED\":\"0\",\"IS_IGNORED\":\"0\",\"LAST_FOUND_DATETIME\":\"2019-11-11T23:29:53Z\",\"LAST_PROCESSED_DATETIME\":\"2019-11-12T15:00:26Z\",\"LAST_TEST_DATETIME\":\"2019-11-11T23:29:53Z\",\"LAST_UPDATE_DATETIME\":\"2019-11-12T15:00:26Z\",\"QID\":\"256716\",\"SEVERITY\":\"4\",\"SSL\":\"0\",\"STATUS\":\"Active\",\"TIMES_FOUND\":\"10\",\"TYPE\":\"Confirmed\",\"UNIQUE_VULN_ID\":\"2029338483\"},\"DNS\":\"user-noKB.example.net\",\"DNS_DATA\":{\"DOMAIN\":\"example.net\",\"FQDN\":\"user-noKB.example.net\",\"HOSTNAME\":\"user-noKB\"},\"ID\":\"117163099\",\"IP\":\"81.2.69.193\",\"LAST_PC_SCANNED_DATE\":\"2019-11-11T22:25:02Z\",\"LAST_SCAN_DATETIME\":\"2019-11-12T15:00:26Z\",\"LAST_VM_AUTH_SCANNED_DATE\":\"2019-11-11T23:29:53Z\",\"LAST_VM_SCANNED_DATE\":\"2019-11-11T23:29:53Z\",\"NETWORK_ID\":\"0\",\"OS\":\"CentOS Linux 7.4.1708\",\"QG_HOSTID\":\"19260abb-8547-467e-928d-73c13f13ea3d\",\"TRACKING_METHOD\":\"AGENT\"}", + "type": [ + "info" + ] + }, + "host": { + "hostname": "user-noKB", + "id": "117163099", + "ip": [ + "81.2.69.193" + ], + "name": "user-noKB.example.net", + "os": { + "full": "CentOS Linux 7.4.1708", + "platform": "linux", + "type": "linux" + } + }, + "observer": { + "vendor": "Qualys VMDR" + }, + "qualys_vmdr": { + "asset_host_detection": { + "dns": "user-noKB.example.net", + "dns_data": { + "domain": "example.net", + "fqdn": "user-noKB.example.net", + "hostname": "user-noKB" + }, + "id": "117163099", + "interval_id": "9d69b1dc-8e86-4946-809e-577433b1d999", + "interval_start": "2025-12-01T10:15:00.000Z", + "ip": "81.2.69.193", + "knowledge_base": { + "status": "not_found" + }, + "last_pc_scanned_date": "2019-11-11T22:25:02.000Z", + "last_scan_datetime": "2019-11-12T15:00:26.000Z", + "last_vm_auth_scanned_date": "2019-11-11T23:29:53.000Z", + "last_vm_scanned_date": "2019-11-11T23:29:53.000Z", + "network_id": "0", + "os": "CentOS Linux 7.4.1708", + "qg_hostid": "19260abb-8547-467e-928d-73c13f13ea3d", + "tracking_method": "AGENT", + "vulnerability": { + "first_found_datetime": "2019-11-06T09:41:57.000Z", + "is_disabled": false, + "is_ignored": false, + "last_found_datetime": "2019-11-11T23:29:53.000Z", + "last_processed_datetime": "2019-11-12T15:00:26.000Z", + "last_test_datetime": "2019-11-11T23:29:53.000Z", + "last_update_datetime": "2019-11-12T15:00:26.000Z", + "qid": 256716, + "severity": 4, + "ssl": "0", + "status": "Active", + "times_found": 10, + "type": "Confirmed", + "unique_vuln_id": "2029338483" + } + } + }, + "related": { + "hosts": [ + "user-noKB", + "user-noKB.example.net", + "117163099", + "19260abb-8547-467e-928d-73c13f13ea3d" + ], + "ip": [ + "81.2.69.193" + ] + }, + "resource": { + "id": "117163099", + "name": "user-noKB.example.net" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "provider_cloud_data" + ], + "vulnerability": { + "scanner": { + "vendor": "Qualys" + } + } } ] } diff --git a/packages/qualys_vmdr/data_stream/asset_host_detection/elasticsearch/ingest_pipeline/default.yml b/packages/qualys_vmdr/data_stream/asset_host_detection/elasticsearch/ingest_pipeline/default.yml index 319f210e6b8..ed260c6e062 100644 --- a/packages/qualys_vmdr/data_stream/asset_host_detection/elasticsearch/ingest_pipeline/default.yml +++ b/packages/qualys_vmdr/data_stream/asset_host_detection/elasticsearch/ingest_pipeline/default.yml @@ -1672,15 +1672,21 @@ processors: target_field: qualys_vmdr.asset_host_detection.vulnerability.qds_factors.text ignore_missing: true # Handle KNOWLEDGE_BASE - - append: - field: error.message - if: ctx.json?.KNOWLEDGE_BASE == null || ctx.json.KNOWLEDGE_BASE.size() == 0 - value: 'Qualys QID not found in the Knowledge Base' - pipeline: name: '{{ IngestPipeline "pipeline_knowledge_base" }}' if: ctx.json?.KNOWLEDGE_BASE != null && ctx.json.KNOWLEDGE_BASE.size() > 0 tag: pipeline_knowledge_base ignore_missing_pipeline: true + - set: + field: qualys_vmdr.asset_host_detection.knowledge_base.status + tag: set_knowledge_base_status_found + value: found + if: ctx.qualys_vmdr?.asset_host_detection?.knowledge_base != null + - set: + field: qualys_vmdr.asset_host_detection.knowledge_base.status + tag: set_knowledge_base_status_not_found + value: not_found + if: ctx.qualys_vmdr?.asset_host_detection?.knowledge_base == null - set: field: vulnerability.score.base tag: set_vulnerability_score_base_from_knowledge_base_cvss_v3_base @@ -1776,10 +1782,10 @@ processors: - fingerprint: tag: fingerprint_event_original description: > - When deduplication is enabled, fingerprint the event.original value + When deduplication is enabled, fingerprint the event.original value in attempt to prevent the same event from being indexed more than once. if: ctx.event?.original != null && ctx._conf?.enable_deduplication == true - fields: + fields: - event.original target_field: _id - set: diff --git a/packages/qualys_vmdr/data_stream/asset_host_detection/fields/fields.yml b/packages/qualys_vmdr/data_stream/asset_host_detection/fields/fields.yml index 8621c972fcb..a56607efc5b 100644 --- a/packages/qualys_vmdr/data_stream/asset_host_detection/fields/fields.yml +++ b/packages/qualys_vmdr/data_stream/asset_host_detection/fields/fields.yml @@ -537,3 +537,6 @@ type: keyword - name: vuln_type type: keyword + - name: status + type: keyword + description: Indicates whether the QID was found in the Knowledge Base (`found`) or not (`not_found`). diff --git a/packages/qualys_vmdr/docs/README.md b/packages/qualys_vmdr/docs/README.md index 42dd78f0c86..e3da005e7aa 100644 --- a/packages/qualys_vmdr/docs/README.md +++ b/packages/qualys_vmdr/docs/README.md @@ -537,6 +537,7 @@ An example event for `asset_host_detection` looks as following: | qualys_vmdr.asset_host_detection.knowledge_base.software_list.vendor | | keyword | | qualys_vmdr.asset_host_detection.knowledge_base.solution.comment | | match_only_text | | qualys_vmdr.asset_host_detection.knowledge_base.solution.value | | match_only_text | +| qualys_vmdr.asset_host_detection.knowledge_base.status | Indicates whether the QID was found in the Knowledge Base (`found`) or not (`not_found`). | keyword | | qualys_vmdr.asset_host_detection.knowledge_base.supported_modules | | keyword | | qualys_vmdr.asset_host_detection.knowledge_base.threat_intelligence.intel.id | | keyword | | qualys_vmdr.asset_host_detection.knowledge_base.threat_intelligence.intel.text | | keyword | diff --git a/packages/qualys_vmdr/elasticsearch/transform/latest_cdr_vulnerabilities/fields/fields.yml b/packages/qualys_vmdr/elasticsearch/transform/latest_cdr_vulnerabilities/fields/fields.yml index 6f587c07243..2d95eec1729 100644 --- a/packages/qualys_vmdr/elasticsearch/transform/latest_cdr_vulnerabilities/fields/fields.yml +++ b/packages/qualys_vmdr/elasticsearch/transform/latest_cdr_vulnerabilities/fields/fields.yml @@ -521,6 +521,9 @@ type: match_only_text - name: value type: match_only_text + - name: status + type: keyword + description: Indicates whether the QID was found in the Knowledge Base (`found`) or not (`not_found`). - name: supported_modules type: keyword - name: threat_intelligence diff --git a/packages/qualys_vmdr/manifest.yml b/packages/qualys_vmdr/manifest.yml index f7a82f3f8ba..24f84cfc317 100644 --- a/packages/qualys_vmdr/manifest.yml +++ b/packages/qualys_vmdr/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.4.0" name: qualys_vmdr title: Qualys VMDR -version: "6.19.0" +version: "6.19.1" description: Collect data from Qualys VMDR platform with Elastic Agent. type: integration categories: