diff --git a/packages/rapid7_insightvm/_dev/deploy/docker/files/config.yml b/packages/rapid7_insightvm/_dev/deploy/docker/files/config.yml index 60fa6234768..65f6d00934c 100644 --- a/packages/rapid7_insightvm/_dev/deploy/docker/files/config.yml +++ b/packages/rapid7_insightvm/_dev/deploy/docker/files/config.yml 
@@ -3,11 +3,389 @@ rules: methods: ["POST"] responses: - status_code: 200 - body: | - {"data":[{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"critical_vulnerabilities":0,"exploits":0,"id":"452534235-25a7-40a3-9321-28ce0b5cc90e-default-asset-199","ip":"10.1.0.128","last_assessed_for_vulnerabilities":"2020-03-20T19:19:42.611Z","last_scan_end":"2020-03-20T19:19:42.611Z","last_scan_start":"2020-03-20T19:18:13.611Z","malware_kits":0,"moderate_vulnerabilities":2,"os_architecture":"x86_64","os_description":"CentOS Linux 2.6.18","os_family":"Linux","os_name":"Linux","os_system_name":"CentOS Linux","os_type":"General","os_vendor":"CentOS","os_version":"2.6.18","risk_score":0,"severe_vulnerabilities":0,"tags":[{"name":"lab","type":"SITE"}],"total_vulnerabilities":2,"new":[],"remediated":[]},{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"critical_vulnerabilities":1,"exploits":9,"host_name":"host.domain.com","id":"452534235-25a7-40a3-9321-28ce0b5cc90e-default-asset-198","ip":"10.4.24.164","last_scan_end":"2020-03-20T19:12:39.766Z","last_scan_start":"2020-03-20T19:05:06.766Z","malware_kits":0,"moderate_vulnerabilities":11,"os_architecture":"","os_description":"Ubuntu Linux 12.04","os_family":"Linux","os_name":"Linux","os_system_name":"Ubuntu Linux","os_type":"","os_vendor":"Ubuntu","os_version":"12.04","risk_score":12251.76171875,"severe_vulnerabilities":16,"tags":[{"name":"all_assets2","type":"CUSTOM"},{"name":"all_assets","type":"CUSTOM"},{"name":"Linux","type":"CUSTOM"},{"name":"docker hosts","type":"SITE"},{"name":"lab","type":"SITE"}],"total_vulnerabilities":28,"new":[],"remediated":[],"unique_identifiers":{"id":"4421d73dfe04f594df731e6bcd8156a","source":"R7 
Agent"}}],"metadata":{"number":0,"size":2,"totalResources":2195,"totalPages":1098,"cursor":null},"links":[{"href":"https://us.api.insight.rapid7.com:443/vm/v4/integration/assets?page=0&size=2","rel":"first"},{"href":"https://us.api.insight.rapid7.com:443/vm/v4/integration/assets?page=0&size=2","rel":"self"},{"href":"https://us.api.insight.rapid7.com:443/vm/v4/integration/assets?page=1&size=2&cursor=1542252837:::_S:::12474375-34a7-40a3-9821-28db0b5cc90e-default-asset-10","rel":"next"},{"href":"https://us.api.insight.rapid7.com:443/vm/v4/integration/assets?page=1097&size=2","rel":"last"}]} + body: |- + {{ minify_json ` + { + "data": [ + { + "assessed_for_policies": false, + "assessed_for_vulnerabilities": true, + "credential_assessments": [ + { + "port": 22, + "protocol": "TCP", + "status": "NO_CREDS_SUPPLIED" + } + ], + "critical_vulnerabilities": 1, + "exploits": 1, + "id": "8bcfe121-1234-5678-9012-c4a6abcdabcde-default-asset-4", + "ip": "175.16.199.1", + "last_assessed_for_vulnerabilities": "2025-05-08T06:51:31.736Z", + "last_scan_end": "2025-05-08T06:51:31.736Z", + "last_scan_start": "2025-05-08T06:51:19.193Z", + "mac": "00:00:5E:00:53:00", + "malware_kits": 0, + "moderate_vulnerabilities": 0, + "os_architecture": "", + "os_description": "Ubuntu Linux", + "os_family": "Linux", + "os_name": "Linux", + "os_system_name": "Ubuntu Linux", + "os_type": "", + "os_vendor": "Ubuntu", + "risk_score": 1268, + "severe_vulnerabilities": 1, + "tags": [ + { + "name": "test", + "type": "SITE" + } + ], + "total_vulnerabilities": 2, + "unique_identifiers": [], + "new": [], + "remediated": [], + "same": [ + { + "check_id": null, + "first_found": "2025-05-08T06:51:31Z", + "key": "", + "last_found": "2025-05-08T06:51:31.736Z", + "nic": null, + "port": 22, + "proof": "
Vulnerable version of OpenSSH detected on Ubuntu Linux
", + "protocol": "TCP", + "solution_fix": "Download and apply the upgrade from: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH
", + "solution_id": "openbsd-openssh-upgrade-latest", + "solution_summary": "Upgrade to the latest version of OpenSSH", + "solution_type": "rollup", + "status": "VULNERABLE_VERS", + "vulnerability_id": "openbsd-openssh-cve-2024-6387" + }, + { + "check_id": null, + "first_found": "2025-05-08T06:51:31Z", + "key": "", + "last_found": "2025-05-08T06:51:31.736Z", + "nic": null, + "port": 22, + "proof": "Consult the product documentation for instructions to disable any insecure MD5 or 96-bit HMAC algorithms within the SSH configuration.
", + "solution_id": "ssh-weak-message-authentication-code-algorithms", + "solution_summary": "Disable any MD5 or 96-bit HMAC algorithms within the SSH configuration", + "solution_type": "workaround", + "status": "VULNERABLE_VERS", + "vulnerability_id": "ssh-weak-message-authentication-code-algorithms" + } + ] + }, + { + "assessed_for_policies": false, + "assessed_for_vulnerabilities": true, + "critical_vulnerabilities": 0, + "exploits": 0, + "id": "452534235-25a7-40a3-9321-28ce0b5cc90e-default-asset-199", + "ip": "10.1.0.128", + "last_assessed_for_vulnerabilities": "2020-03-20T19:19:42.611Z", + "last_scan_end": "2020-03-20T19:19:42.611Z", + "last_scan_start": "2020-03-20T19:18:13.611Z", + "malware_kits": 0, + "moderate_vulnerabilities": 2, + "os_architecture": "x86_64", + "os_description": "CentOS Linux 2.6.18", + "os_family": "Linux", + "os_name": "Linux", + "os_system_name": "CentOS Linux", + "os_type": "General", + "os_vendor": "CentOS", + "os_version": "2.6.18", + "risk_score": 0, + "severe_vulnerabilities": 0, + "tags": [ + { + "name": "lab", + "type": "SITE" + } + ], + "total_vulnerabilities": 2, + "new": [], + "remediated": [] + } + ], + "metadata": { + "number": 0, + "size": 2, + "totalResources": 2195, + "totalPages": 1098, + "cursor": null + }, + "links": [ + { + "href": "https://us.api.insight.rapid7.com:443/vm/v4/integration/assets?page=0&size=2", + "rel": "first" + }, + { + "href": "https://us.api.insight.rapid7.com:443/vm/v4/integration/assets?page=0&size=2", + "rel": "self" + }, + { + "href": "https://us.api.insight.rapid7.com:443/vm/v4/integration/assets?page=1&size=2&cursor=1542252837:::_S:::12474375-34a7-40a3-9821-28db0b5cc90e-default-asset-10", + "rel": "next" + }, + { + "href": "https://us.api.insight.rapid7.com:443/vm/v4/integration/assets?page=1097&size=2", + "rel": "last" + } + ] + } + `}} - path: /vm/v4/integration/vulnerabilities methods: ["POST"] responses: - status_code: 200 - body: | - 
{"data":[{"added":"2018-05-16T00:00:00Z","categories":"7-Zip","cves":"CVE-2008-6536","cvss_v2_access_complexity":"low","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"complete","cvss_v2_confidentiality_impact":"complete","cvss_v2_exploit_score":9.996799,"cvss_v2_impact_score":10.000845,"cvss_v2_integrity_impact":"complete","cvss_v2_score":10,"cvss_v2_vector":"AV:N/AC:L/Au:N/C:C/I:C/A:C","cvss_v3_attack_complexity":null,"cvss_v3_attack_vector":null,"cvss_v3_availability_impact":null,"cvss_v3_confidentiality_impact":null,"cvss_v3_exploit_score":0,"cvss_v3_impact_score":0,"cvss_v3_integrity_impact":null,"cvss_v3_privileges_required":null,"cvss_v3_scope":null,"cvss_v3_score":0,"cvss_v3_user_interaction":null,"cvss_v3_vector":null,"denial_of_service":false,"description":"Unspecified vulnerability in 7-zip before 4.5.7 has unknown impact and remote attack vectors, as demonstrated by the PROTOS GENOME test suite for Archive Formats (c10).","exploits":[],"id":"7-zip-cve-2008-6536","links":[{"href":"http://www.securityfocus.com/bid/28285","id":"28285","rel":"advisory","source":"bid"},{"href":"https://exchange.xforce.ibmcloud.com/vulnerabilities/41247","id":"41247","rel":"advisory","source":"xf"},{"href":"http://nvd.nist.gov/vuln/detail/CVE-2008-6536","id":"CVE-2008-6536","rel":"advisory","source":"cve"},{"href":"http://www.cert.fi/haavoittuvuudet/joint-advisory-archive-formats.html","id":"http://www.cert.fi/haavoittuvuudet/joint-advisory-archive-formats.html","rel":"advisory","source":"url"},{"href":"http://www.ee.oulu.fi/research/ouspg/protos/testing/c10/archive/","id":"http://www.ee.oulu.fi/research/ouspg/protos/testing/c10/archive/","rel":"advisory","source":"url"},{"href":"http://www.securityfocus.com/bid/28285","id":"http://www.securityfocus.com/bid/28285","rel":"advisory","source":"url"},{"href":"http://www.vupen.com/english/advisories/2008/0914/references","id":"http://www.vupen.com/english/advisories/2008/0914/referenc
es","rel":"advisory","source":"url"},{"href":"http://www.xerox.com/download/security/security-bulletin/16287-4d6b7b0c81f7b/cert_XRX13-003_v1.0.pdf","id":"http://www.xerox.com/download/security/security-bulletin/16287-4d6b7b0c81f7b/cert_XRX13-003_v1.0.pdf","rel":"advisory","source":"url"},{"href":"https://exchange.xforce.ibmcloud.com/vulnerabilities/41247","id":"https://exchange.xforce.ibmcloud.com/vulnerabilities/41247","rel":"advisory","source":"url"}],"malware_kits":[],"modified":"2018-06-08T00:00:00Z","pci_cvss_score":10,"pci_fail":true,"pci_severity_score":5,"pci_special_notes":"","pci_status":"fail","published":"2009-03-29T00:00:00Z","references":"bid:28285,xf:41247,cve:CVE-2008-6536,url:http://www.cert.fi/haavoittuvuudet/joint-advisory-archive-formats.html,url:http://www.ee.oulu.fi/research/ouspg/protos/testing/c10/archive/,url:http://www.securityfocus.com/bid/28285,url:http://www.vupen.com/english/advisories/2008/0914/references,url:http://www.xerox.com/download/security/security-bulletin/16287-4d6b7b0c81f7b/cert_XRX13-003_v1.0.pdf,url:https://exchange.xforce.ibmcloud.com/vulnerabilities/41247","risk_score":885.16,"severity":"critical","severity_score":10,"title":"7-Zip: CVE-2008-6536: Unspecified vulnerability in 7-zip before 4.5.7"},{"added":"2018-05-16T00:00:00Z","categories":"7-Zip,Remote 
Execution","cves":"CVE-2016-2334","cvss_v2_access_complexity":"medium","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"complete","cvss_v2_confidentiality_impact":"complete","cvss_v2_exploit_score":8.5888,"cvss_v2_impact_score":10.000845,"cvss_v2_integrity_impact":"complete","cvss_v2_score":9.3,"cvss_v2_vector":"AV:N/AC:M/Au:N/C:C/I:C/A:C","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"local","cvss_v3_availability_impact":"high","cvss_v3_confidentiality_impact":"high","cvss_v3_exploit_score":1.8345766,"cvss_v3_impact_score":5.873119,"cvss_v3_integrity_impact":"high","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":7.8,"cvss_v3_user_interaction":"required","cvss_v3_vector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","denial_of_service":false,"description":"Heap-based buffer overflow in the NArchive::NHfs::CHandler::ExtractZlibFile method in 7zip before 16.00 and p7zip allows remote attackers to execute arbitrary code via a crafted HFS+ 
image.","exploits":[],"id":"7-zip-cve-2016-2334","links":[{"href":"http://www.securityfocus.com/bid/90531","id":"90531","rel":"advisory","source":"bid"},{"href":"http://nvd.nist.gov/vuln/detail/CVE-2016-2334","id":"CVE-2016-2334","rel":"advisory","source":"cve"},{"href":"http://blog.talosintel.com/2016/05/multiple-7-zip-vulnerabilities.html","id":"http://blog.talosintel.com/2016/05/multiple-7-zip-vulnerabilities.html","rel":"advisory","source":"url"},{"href":"http://blog.talosintelligence.com/2017/11/exploiting-cve-2016-2334.html","id":"http://blog.talosintelligence.com/2017/11/exploiting-cve-2016-2334.html","rel":"advisory","source":"url"},{"href":"http://www.oracle.com/technetwork/topics/security/bulletinoct2016-3090566.html","id":"http://www.oracle.com/technetwork/topics/security/bulletinoct2016-3090566.html","rel":"advisory","source":"url"},{"href":"http://www.securityfocus.com/bid/90531","id":"http://www.securityfocus.com/bid/90531","rel":"advisory","source":"url"},{"href":"http://www.securitytracker.com/id/1035876","id":"http://www.securitytracker.com/id/1035876","rel":"advisory","source":"url"},{"href":"http://www.talosintel.com/reports/TALOS-2016-0093/","id":"http://www.talosintel.com/reports/TALOS-2016-0093/","rel":"advisory","source":"url"},{"href":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DNYIQAU3FKFBNFPK6GKYTSVRHQA7PTYT/","id":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DNYIQAU3FKFBNFPK6GKYTSVRHQA7PTYT/","rel":"advisory","source":"url"},{"href":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DTGWICT3KYYDPDXRNO5SXD32GZICGRIR/","id":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DTGWICT3KYYDPDXRNO5SXD32GZICGRIR/","rel":"advisory","source":"url"},{"href":"https://security.gentoo.org/glsa/201701-27","id":"https://security.gentoo.org/glsa/201701-27","rel":"adv
isory","source":"url"}],"malware_kits":[],"modified":"2018-06-08T00:00:00Z","pci_cvss_score":9.3,"pci_fail":true,"pci_severity_score":5,"pci_special_notes":"","pci_status":"fail","published":"2016-12-13T00:00:00Z","references":"bid:90531,cve:CVE-2016-2334,url:http://blog.talosintel.com/2016/05/multiple-7-zip-vulnerabilities.html,url:http://blog.talosintelligence.com/2017/11/exploiting-cve-2016-2334.html,url:http://www.oracle.com/technetwork/topics/security/bulletinoct2016-3090566.html,url:http://www.securityfocus.com/bid/90531,url:http://www.securitytracker.com/id/1035876,url:http://www.talosintel.com/reports/TALOS-2016-0093/,url:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DNYIQAU3FKFBNFPK6GKYTSVRHQA7PTYT/,url:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DTGWICT3KYYDPDXRNO5SXD32GZICGRIR/,url:https://security.gentoo.org/glsa/201701-27","risk_score":582.82,"severity":"critical","severity_score":9,"title":"7-Zip: CVE-2016-2334: Heap-based buffer overflow vulnerability"}],"metadata":{"number":0,"size":2,"totalResources":81631,"totalPages":40816,"cursor":"-37745434:::_S:::7-zip-cve-2016-2334"},"links":[{"href":"https://us.api.insight.rapid7.com:443/vm/v4/integration/vulnerabilities?page=0&size=2&sort=id,asc","rel":"first"},{"href":"https://us.api.insight.rapid7.com:443/vm/v4/integration/vulnerabilities?page=0&size=2&sort=id,asc","rel":"self"},{"href":"https://us.api.insight.rapid7.com:443/vm/v4/integration/vulnerabilities?page=1&size=2&sort=id,asc&cursor=-37745434:::_S:::7-zip-cve-2016-2334","rel":"next"},{"href":"https://us.api.insight.rapid7.com:443/vm/v4/integration/vulnerabilities?page=40815&size=2&sort=id,asc","rel":"last"}]} + body: |- + {{ minify_json ` + { + "data": [ + { + "added": "2018-05-16T00:00:00Z", + "categories": "7-Zip", + "cves": "CVE-2008-6536", + "cvss_v2_access_complexity": "low", + "cvss_v2_access_vector": "network", + "cvss_v2_authentication": 
"none", + "cvss_v2_availability_impact": "complete", + "cvss_v2_confidentiality_impact": "complete", + "cvss_v2_exploit_score": 9.996799, + "cvss_v2_impact_score": 10.000845, + "cvss_v2_integrity_impact": "complete", + "cvss_v2_score": 10, + "cvss_v2_vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C", + "cvss_v3_attack_complexity": null, + "cvss_v3_attack_vector": null, + "cvss_v3_availability_impact": null, + "cvss_v3_confidentiality_impact": null, + "cvss_v3_exploit_score": 0, + "cvss_v3_impact_score": 0, + "cvss_v3_integrity_impact": null, + "cvss_v3_privileges_required": null, + "cvss_v3_scope": null, + "cvss_v3_score": 0, + "cvss_v3_user_interaction": null, + "cvss_v3_vector": null, + "denial_of_service": false, + "description": "Unspecified vulnerability in 7-zip before 4.5.7 has unknown impact and remote attack vectors, as demonstrated by the PROTOS GENOME test suite for Archive Formats (c10).", + "exploits": [], + "id": "7-zip-cve-2008-6536", + "links": [ + { + "href": "http://www.securityfocus.com/bid/28285", + "id": "28285", + "rel": "advisory", + "source": "bid" + }, + { + "href": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41247", + "id": "41247", + "rel": "advisory", + "source": "xf" + }, + { + "href": "http://nvd.nist.gov/vuln/detail/CVE-2008-6536", + "id": "CVE-2008-6536", + "rel": "advisory", + "source": "cve" + }, + { + "href": "http://www.cert.fi/haavoittuvuudet/joint-advisory-archive-formats.html", + "id": "http://www.cert.fi/haavoittuvuudet/joint-advisory-archive-formats.html", + "rel": "advisory", + "source": "url" + }, + { + "href": "http://www.ee.oulu.fi/research/ouspg/protos/testing/c10/archive/", + "id": "http://www.ee.oulu.fi/research/ouspg/protos/testing/c10/archive/", + "rel": "advisory", + "source": "url" + }, + { + "href": "http://www.securityfocus.com/bid/28285", + "id": "http://www.securityfocus.com/bid/28285", + "rel": "advisory", + "source": "url" + }, + { + "href": "http://www.vupen.com/english/advisories/2008/0914/references", + 
"id": "http://www.vupen.com/english/advisories/2008/0914/references", + "rel": "advisory", + "source": "url" + }, + { + "href": "http://www.xerox.com/download/security/security-bulletin/16287-4d6b7b0c81f7b/cert_XRX13-003_v1.0.pdf", + "id": "http://www.xerox.com/download/security/security-bulletin/16287-4d6b7b0c81f7b/cert_XRX13-003_v1.0.pdf", + "rel": "advisory", + "source": "url" + }, + { + "href": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41247", + "id": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41247", + "rel": "advisory", + "source": "url" + } + ], + "malware_kits": [], + "modified": "2018-06-08T00:00:00Z", + "pci_cvss_score": 10, + "pci_fail": true, + "pci_severity_score": 5, + "pci_special_notes": "", + "pci_status": "fail", + "published": "2009-03-29T00:00:00Z", + "references": "bid:28285,xf:41247,cve:CVE-2008-6536,url:http://www.cert.fi/haavoittuvuudet/joint-advisory-archive-formats.html,url:http://www.ee.oulu.fi/research/ouspg/protos/testing/c10/archive/,url:http://www.securityfocus.com/bid/28285,url:http://www.vupen.com/english/advisories/2008/0914/references,url:http://www.xerox.com/download/security/security-bulletin/16287-4d6b7b0c81f7b/cert_XRX13-003_v1.0.pdf,url:https://exchange.xforce.ibmcloud.com/vulnerabilities/41247", + "risk_score": 885.16, + "severity": "critical", + "severity_score": 10, + "title": "7-Zip: CVE-2008-6536: Unspecified vulnerability in 7-zip before 4.5.7" + }, + { + "added": "2018-05-16T00:00:00Z", + "categories": "7-Zip,Remote Execution", + "cves": "CVE-2016-2334", + "cvss_v2_access_complexity": "medium", + "cvss_v2_access_vector": "network", + "cvss_v2_authentication": "none", + "cvss_v2_availability_impact": "complete", + "cvss_v2_confidentiality_impact": "complete", + "cvss_v2_exploit_score": 8.5888, + "cvss_v2_impact_score": 10.000845, + "cvss_v2_integrity_impact": "complete", + "cvss_v2_score": 9.3, + "cvss_v2_vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C", + "cvss_v3_attack_complexity": "low", + 
"cvss_v3_attack_vector": "local", + "cvss_v3_availability_impact": "high", + "cvss_v3_confidentiality_impact": "high", + "cvss_v3_exploit_score": 1.8345766, + "cvss_v3_impact_score": 5.873119, + "cvss_v3_integrity_impact": "high", + "cvss_v3_privileges_required": "none", + "cvss_v3_scope": "unchanged", + "cvss_v3_score": 7.8, + "cvss_v3_user_interaction": "required", + "cvss_v3_vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "denial_of_service": false, + "description": "Heap-based buffer overflow in the NArchive::NHfs::CHandler::ExtractZlibFile method in 7zip before 16.00 and p7zip allows remote attackers to execute arbitrary code via a crafted HFS+ image.", + "exploits": [], + "id": "7-zip-cve-2016-2334", + "links": [ + { + "href": "http://www.securityfocus.com/bid/90531", + "id": "90531", + "rel": "advisory", + "source": "bid" + }, + { + "href": "http://nvd.nist.gov/vuln/detail/CVE-2016-2334", + "id": "CVE-2016-2334", + "rel": "advisory", + "source": "cve" + }, + { + "href": "http://blog.talosintel.com/2016/05/multiple-7-zip-vulnerabilities.html", + "id": "http://blog.talosintel.com/2016/05/multiple-7-zip-vulnerabilities.html", + "rel": "advisory", + "source": "url" + }, + { + "href": "http://blog.talosintelligence.com/2017/11/exploiting-cve-2016-2334.html", + "id": "http://blog.talosintelligence.com/2017/11/exploiting-cve-2016-2334.html", + "rel": "advisory", + "source": "url" + }, + { + "href": "http://www.oracle.com/technetwork/topics/security/bulletinoct2016-3090566.html", + "id": "http://www.oracle.com/technetwork/topics/security/bulletinoct2016-3090566.html", + "rel": "advisory", + "source": "url" + }, + { + "href": "http://www.securityfocus.com/bid/90531", + "id": "http://www.securityfocus.com/bid/90531", + "rel": "advisory", + "source": "url" + }, + { + "href": "http://www.securitytracker.com/id/1035876", + "id": "http://www.securitytracker.com/id/1035876", + "rel": "advisory", + "source": "url" + }, + { + "href": 
"http://www.talosintel.com/reports/TALOS-2016-0093/", + "id": "http://www.talosintel.com/reports/TALOS-2016-0093/", + "rel": "advisory", + "source": "url" + }, + { + "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DNYIQAU3FKFBNFPK6GKYTSVRHQA7PTYT/", + "id": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DNYIQAU3FKFBNFPK6GKYTSVRHQA7PTYT/", + "rel": "advisory", + "source": "url" + }, + { + "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DTGWICT3KYYDPDXRNO5SXD32GZICGRIR/", + "id": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DTGWICT3KYYDPDXRNO5SXD32GZICGRIR/", + "rel": "advisory", + "source": "url" + }, + { + "href": "https://security.gentoo.org/glsa/201701-27", + "id": "https://security.gentoo.org/glsa/201701-27", + "rel": "advisory", + "source": "url" + } + ], + "malware_kits": [], + "modified": "2018-06-08T00:00:00Z", + "pci_cvss_score": 9.3, + "pci_fail": true, + "pci_severity_score": 5, + "pci_special_notes": "", + "pci_status": "fail", + "published": "2016-12-13T00:00:00Z", + "references": "bid:90531,cve:CVE-2016-2334,url:http://blog.talosintel.com/2016/05/multiple-7-zip-vulnerabilities.html,url:http://blog.talosintelligence.com/2017/11/exploiting-cve-2016-2334.html,url:http://www.oracle.com/technetwork/topics/security/bulletinoct2016-3090566.html,url:http://www.securityfocus.com/bid/90531,url:http://www.securitytracker.com/id/1035876,url:http://www.talosintel.com/reports/TALOS-2016-0093/,url:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DNYIQAU3FKFBNFPK6GKYTSVRHQA7PTYT/,url:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DTGWICT3KYYDPDXRNO5SXD32GZICGRIR/,url:https://security.gentoo.org/glsa/201701-27", + "risk_score": 582.82, + "severity": "critical", + 
"severity_score": 9, + "title": "7-Zip: CVE-2016-2334: Heap-based buffer overflow vulnerability" + } + ], + "metadata": { + "number": 0, + "size": 2, + "totalResources": 81631, + "totalPages": 40816, + "cursor": "-37745434:::_S:::7-zip-cve-2016-2334" + }, + "links": [ + { + "href": "https://us.api.insight.rapid7.com:443/vm/v4/integration/vulnerabilities?page=0&size=2&sort=id,asc", + "rel": "first" + }, + { + "href": "https://us.api.insight.rapid7.com:443/vm/v4/integration/vulnerabilities?page=0&size=2&sort=id,asc", + "rel": "self" + }, + { + "href": "https://us.api.insight.rapid7.com:443/vm/v4/integration/vulnerabilities?page=1&size=2&sort=id,asc&cursor=-37745434:::_S:::7-zip-cve-2016-2334", + "rel": "next" + }, + { + "href": "https://us.api.insight.rapid7.com:443/vm/v4/integration/vulnerabilities?page=40815&size=2&sort=id,asc", + "rel": "last" + } + ] + } + `}} diff --git a/packages/rapid7_insightvm/changelog.yml b/packages/rapid7_insightvm/changelog.yml index 3b184554348..33728ff07cf 100644 --- a/packages/rapid7_insightvm/changelog.yml +++ b/packages/rapid7_insightvm/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.17.0" + changes: + - description: Expand documents to map each vulnerability per asset. + type: enhancement + link: https://github.com/elastic/integrations/pull/13878 - version: "1.16.0" changes: - description: Update Kibana constraint to support 9.0.0. diff --git a/packages/rapid7_insightvm/data_stream/asset/_dev/test/pipeline/test-asset.log b/packages/rapid7_insightvm/data_stream/asset/_dev/test/pipeline/test-asset.log index f0dd0a77b5c..4461759a829 100644 --- a/packages/rapid7_insightvm/data_stream/asset/_dev/test/pipeline/test-asset.log +++ b/packages/rapid7_insightvm/data_stream/asset/_dev/test/pipeline/test-asset.log 
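Review bot: The first mock asset now serves `"unique_identifiers": []` (an array) while the pipeline fixture in test-asset.log still carries `"unique_identifiers":{"id":"4421d73dfe04f594df731e6bcd8156a","source":"R7 Agent"}` (an object), so the two test inputs disagree on the field's type and only the empty array case is exercised here. If the v4 integration API returns an array of `{id, source}` entries, the pipeline fixture should be brought in line and this mock should include one populated entry; if both shapes really occur, the pipeline needs a guard for each. A short comment above the asset, `# unique_identifiers is a list of {id, source}; [] covers the empty case`, would record whichever shape is intended. This is inferred from the two fixtures, not from the API contract, so please confirm against the docs.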
@@ -1,3 +1,4 @@ {"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"critical_vulnerabilities":0,"exploits":0,"id":"452534235-25a7-40a3-9321-28ce0b5cc90e-default-asset-199","ip":"10.1.0.128","last_assessed_for_vulnerabilities":"2020-03-20T19:19:42.611Z","last_scan_end":"2020-03-20T19:19:42.611Z","last_scan_start":"2020-03-20T19:18:13.611Z","malware_kits":0,"moderate_vulnerabilities":2,"os_architecture":"x86_64","os_description":"CentOS Linux 2.6.18","os_family":"Linux","os_name":"Linux","os_system_name":"CentOS Linux","os_type":"General","os_vendor":"CentOS","os_version":"2.6.18","risk_score":0,"severe_vulnerabilities":0,"tags":[{"name":"lab","type":"SITE"}],"total_vulnerabilities":2,"new":[],"remediated":[]} {"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"critical_vulnerabilities":1,"exploits":9,"host_name":"HOST.domain.com","id":"452534235-25a7-40a3-9321-28ce0b5cc90e-default-asset-198","ip":"10.4.24.164","last_scan_end":"2020-03-20T19:12:39.766Z","last_scan_start":"2020-03-20T19:05:06.766Z","malware_kits":0,"moderate_vulnerabilities":11,"os_architecture":"","os_description":"Ubuntu Linux 12.04","os_family":"Linux","os_name":"Linux","os_system_name":"Ubuntu Linux","os_type":"","os_vendor":"Ubuntu","os_version":"12.04","risk_score":12251.76171875,"severe_vulnerabilities":16,"tags":[{"name":"all_assets2","type":"CUSTOM"},{"name":"all_assets","type":"CUSTOM"},{"name":"Linux","type":"CUSTOM"},{"name":"docker hosts","type":"SITE"},{"name":"lab","type":"SITE"}],"total_vulnerabilities":28,"new":[],"remediated":[],"unique_identifiers":{"id":"4421d73dfe04f594df731e6bcd8156a","source":"R7 Agent"}} 
{"data":[],"metadata":{"number":0,"size":0,"totalResources":2195,"totalPages":2195,"cursor":null},"links":[{"href":"https://us.api.insight.rapid7.com:443/vm/v4/integration/assets?page=0&size=2","rel":"first"},{"href":"https://us.api.insight.rapid7.com:443/vm/v4/integration/assets?page=0&size=2","rel":"self"},{"href":"https://us.api.insight.rapid7.com:443/vm/v4/integration/assets?page=1097&size=2","rel":"last"}]} +{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[{"port":22,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"}],"critical_vulnerabilities":1,"exploits":1,"id":"8bcfe121-1234-5678-9012-c4a6abcdabcde-default-asset-4","ip":"175.16.199.1","last_assessed_for_vulnerabilities":"2025-05-08T06:51:31.736Z","last_scan_end":"2025-05-08T06:51:31.736Z","last_scan_start":"2025-05-08T06:51:19.193Z","mac":"00:00:5E:00:53:00","malware_kits":0,"moderate_vulnerabilities":0,"os_architecture":"","os_description":"Ubuntu Linux","os_family":"Linux","os_name":"Linux","os_system_name":"Ubuntu Linux","os_type":"","os_vendor":"Ubuntu","risk_score":1268,"severe_vulnerabilities":1,"tags":[{"name":"test","type":"SITE"}],"total_vulnerabilities":2,"unique_identifiers":[],"new":[],"remediated":[],"same":{"check_id":null,"first_found":"2025-05-08T06:51:31Z","key":"","last_found":"2025-05-08T06:51:31.736Z","nic":null,"port":22,"proof":"Vulnerable version of OpenSSH detected on Ubuntu Linux
","protocol":"TCP","solution_fix":"Download and apply the upgrade from: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH
","solution_id":"openbsd-openssh-upgrade-latest","solution_summary":"Upgrade to the latest version of OpenSSH","solution_type":"rollup","status":"VULNERABLE_VERS","vulnerability_id":"openbsd-openssh-cve-2024-6387"}} diff --git a/packages/rapid7_insightvm/data_stream/asset/_dev/test/pipeline/test-asset.log-expected.json b/packages/rapid7_insightvm/data_stream/asset/_dev/test/pipeline/test-asset.log-expected.json index 72495111434..63fd8e3f46b 100644 --- a/packages/rapid7_insightvm/data_stream/asset/_dev/test/pipeline/test-asset.log-expected.json +++ b/packages/rapid7_insightvm/data_stream/asset/_dev/test/pipeline/test-asset.log-expected.json @@ -175,6 +175,113 @@ "preserve_duplicate_custom_fields" ] }, - null + null, + { + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "host" + ], + "kind": "state", + "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[{\"port\":22,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"}],\"critical_vulnerabilities\":1,\"exploits\":1,\"id\":\"8bcfe121-1234-5678-9012-c4a6abcdabcde-default-asset-4\",\"ip\":\"175.16.199.1\",\"last_assessed_for_vulnerabilities\":\"2025-05-08T06:51:31.736Z\",\"last_scan_end\":\"2025-05-08T06:51:31.736Z\",\"last_scan_start\":\"2025-05-08T06:51:19.193Z\",\"mac\":\"00:00:5E:00:53:00\",\"malware_kits\":0,\"moderate_vulnerabilities\":0,\"os_architecture\":\"\",\"os_description\":\"Ubuntu Linux\",\"os_family\":\"Linux\",\"os_name\":\"Linux\",\"os_system_name\":\"Ubuntu Linux\",\"os_type\":\"\",\"os_vendor\":\"Ubuntu\",\"risk_score\":1268,\"severe_vulnerabilities\":1,\"tags\":[{\"name\":\"test\",\"type\":\"SITE\"}],\"total_vulnerabilities\":2,\"unique_identifiers\":[],\"new\":[],\"remediated\":[],\"same\":{\"check_id\":null,\"first_found\":\"2025-05-08T06:51:31Z\",\"key\":\"\",\"last_found\":\"2025-05-08T06:51:31.736Z\",\"nic\":null,\"port\":22,\"proof\":\"Vulnerable version of OpenSSH detected on Ubuntu Linux
\",\"protocol\":\"TCP\",\"solution_fix\":\"Download and apply the upgrade from: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH
\",\"solution_id\":\"openbsd-openssh-upgrade-latest\",\"solution_summary\":\"Upgrade to the latest version of OpenSSH\",\"solution_type\":\"rollup\",\"status\":\"VULNERABLE_VERS\",\"vulnerability_id\":\"openbsd-openssh-cve-2024-6387\"}}", + "type": [ + "info" + ] + }, + "host": { + "id": "8bcfe121-1234-5678-9012-c4a6abcdabcde-default-asset-4", + "ip": [ + "175.16.199.1" + ], + "mac": [ + "00-00-5E-00-53-00" + ], + "os": { + "family": "Linux", + "full": "Ubuntu Linux", + "name": "Linux" + }, + "risk": { + "static_score": 1268.0 + } + }, + "network": { + "transport": [ + "tcp" + ] + }, + "rapid7": { + "insightvm": { + "asset": { + "assessed_for_policies": false, + "assessed_for_vulnerabilities": true, + "credential_assessments": [ + { + "port": 22, + "protocol": "TCP", + "status": "NO_CREDS_SUPPLIED" + } + ], + "critical_vulnerabilities": 1, + "exploits": 1, + "id": "8bcfe121-1234-5678-9012-c4a6abcdabcde-default-asset-4", + "ip": "175.16.199.1", + "last_assessed_for_vulnerabilities": "2025-05-08T06:51:31.736Z", + "last_scan_end": "2025-05-08T06:51:31.736Z", + "last_scan_start": "2025-05-08T06:51:19.193Z", + "mac": "00-00-5E-00-53-00", + "malware_kits": 0, + "moderate_vulnerabilities": 0, + "os": { + "description": "Ubuntu Linux", + "family": "Linux", + "name": "Linux", + "system_name": "Ubuntu Linux", + "vendor": "Ubuntu" + }, + "risk_score": 1268.0, + "same": { + "first_found": "2025-05-08T06:51:31.000Z", + "last_found": "2025-05-08T06:51:31.736Z", + "port": 22, + "proof": "Running SSH service\n\nProduct OpenSSH exists -- OpenBSD OpenSSH 8.9p1\n\nVulnerable version of product OpenSSH found -- OpenBSD OpenSSH 8.9p1\n\n\nVulnerable version of OpenSSH detected on Ubuntu Linux", + "protocol": "TCP", + "solution": { + "fix": "Download and apply the upgrade from: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH", + "id": "openbsd-openssh-upgrade-latest", + "summary": "Upgrade to the latest version of OpenSSH", + "type": "rollup" + }, + "status": "VULNERABLE_VERS", + 
"vulnerability_id": "openbsd-openssh-cve-2024-6387"
+ },
+ "severe_vulnerabilities": 1,
+ "tags": [
+ {
+ "name": "test",
+ "type": "SITE"
+ }
+ ],
+ "total_vulnerabilities": 2
+ }
+ }
+ },
+ "related": {
+ "ip": [
+ "175.16.199.1"
+ ]
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ],
+ "vulnerability": {
+ "id": [
+ "openbsd-openssh-cve-2024-6387"
+ ]
+ }
+ }
 ]
-}
\ No newline at end of file
+}
diff --git a/packages/rapid7_insightvm/data_stream/asset/_dev/test/system/test-default-config.yml b/packages/rapid7_insightvm/data_stream/asset/_dev/test/system/test-default-config.yml
index 4fbe591765e..b18e80a7fd7 100644
--- a/packages/rapid7_insightvm/data_stream/asset/_dev/test/system/test-default-config.yml
+++ b/packages/rapid7_insightvm/data_stream/asset/_dev/test/system/test-default-config.yml
@@ -8,3 +8,5 @@ data_stream:
 preserve_original_event: true
 preserve_duplicate_custom_fields: true
 enable_request_tracer: true
+assert:
+ hit_count: 3
diff --git a/packages/rapid7_insightvm/data_stream/asset/agent/stream/httpjson.yml.hbs b/packages/rapid7_insightvm/data_stream/asset/agent/stream/httpjson.yml.hbs
index ce81332d649..a5d9cd44c0c 100644
--- a/packages/rapid7_insightvm/data_stream/asset/agent/stream/httpjson.yml.hbs
+++ b/packages/rapid7_insightvm/data_stream/asset/agent/stream/httpjson.yml.hbs
@@ -28,14 +28,7 @@ request.transforms:
 - set:
 target: url.params.size
 value: {{batch_size}}
- - set:
- target: url.params.comparisonTime
- value: '[[formatDate (now (parseDuration "-{{interval}}")) "RFC3339"]]'
 response.pagination:
- - set:
- target: url.params.comparisonTime
- value: '[[.last_response.url.params.Get "comparisonTime"]]'
- fail_on_template_error: true
 - set:
 target: url.params.cursor
 value: '[[if index .last_response.body.metadata "cursor"]][[.last_response.body.metadata.cursor]][[end]]'
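Review bot: Removing `comparisonTime` changes the meaning of the `new`/`remediated`/`same` arrays in every asset: they used to be classified relative to `now - interval`, and the stream now depends on the API reporting every current finding under `same` when the parameter is absent (the nested split in the next hunk only reads `same`). Nothing in the template states that dependency, so a comment at the removed position, `# comparisonTime is intentionally omitted so every current finding is returned under same; new/remediated are not consumed`, would stop the next maintainer from re-adding the parameter and silently emptying the split. Whether the API behaves this way when the parameter is omitted is not visible here and should be checked against the v4 integration API docs.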
@@ -43,6 +36,10 @@ response.pagination: response.split: target: body.data ignore_empty_value: true + split: + target: body.same + keep_parent: true + ignore_empty_value: true tags: {{#if preserve_original_event}} - preserve_original_event diff --git a/packages/rapid7_insightvm/data_stream/asset/elasticsearch/ingest_pipeline/default.yml b/packages/rapid7_insightvm/data_stream/asset/elasticsearch/ingest_pipeline/default.yml index 3facf5cda33..a5eddcbc741 100644 --- a/packages/rapid7_insightvm/data_stream/asset/elasticsearch/ingest_pipeline/default.yml +++ b/packages/rapid7_insightvm/data_stream/asset/elasticsearch/ingest_pipeline/default.yml @@ -209,10 +209,12 @@ processors: field: json.mac target_field: rapid7.insightvm.asset.mac ignore_missing: true - - set: + - append: field: host.mac - copy_from: rapid7.insightvm.asset.mac - ignore_empty_value: true + tag: append_asset_mac_into_host_mac + value: '{{{rapid7.insightvm.asset.mac}}}' + allow_duplicates: false + if: ctx.rapid7?.insightvm?.asset?.mac != null - convert: field: json.malware_kits tag: 'convert_malware_kits_to_long' 
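Review bot: The nested `split` on `body.same` with `keep_parent: true` turns one asset into one event per finding, each carrying the full asset record, so consumers that count assets by document count now count findings; the new `hit_count: 3` assertion in test-default-config.yml presumably reflects this. The template should say so where the split is declared, e.g. `# one event per body.same finding; asset fields are repeated on each event`. With `ignore_empty_value: true` on the nested split, an asset with no findings takes the input's empty-value path rather than failing; whether that still emits the bare asset event is worth confirming and noting in the same comment.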
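Review bot: The replaced `set` had `ignore_empty_value: true`, so an empty MAC string never reached `host.mac`; the new `append` is guarded only by `!= null`, and the sample event shows the API sending empty strings for absent values (`os_type`, `same.key`), so `host.mac` can now receive `""`. Match the guard the date processors use further down: `if: ctx.rapid7?.insightvm?.asset?.mac != null && ctx.rapid7.insightvm.asset.mac != ''`. The same null-only guard is on the `append` into `vulnerability.id` at the end of the `@@ -514,112` hunk. The processors list continues outside the hunk.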
@@ -514,112 +516,123 @@ processors: field: host.risk.static_score copy_from: rapid7.insightvm.asset.risk_score ignore_empty_value: true - - foreach: - field: json.same - if: ctx.json?.same instanceof List - processor: - date: - field: _ingest._value.first_found - target_field: _ingest._value.first_found - formats: - - ISO8601 - on_failure: - - remove: - field: _ingest._value.first_found - ignore_missing: true - - foreach: - field: json.same - if: ctx.json?.same instanceof List - processor: - date: - field: _ingest._value.last_found - target_field: _ingest._value.last_found - formats: - - ISO8601 - on_failure: - - remove: - field: _ingest._value.last_found - ignore_missing: true - - foreach: - field: json.same - if: ctx.json?.same instanceof List - processor: - convert: - field: _ingest._value.port - tag: 'convert_same_port_to_long' - type: long - ignore_missing: true - on_failure: - - remove: - field: _ingest._value.port - ignore_missing: true - - append: - field: error.message - value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - - foreach: - field: json.same - if: ctx.json?.same instanceof List - processor: - append: - field: vulnerability.id - value: '{{{_ingest._value.vulnerability_id}}}' - allow_duplicates: false - - foreach: - field: json.same - if: ctx.json?.same instanceof List - processor: - html_strip: - field: _ingest._value.solution_fix - target_field: _ingest._value.solution.fix - ignore_missing: true - on_failure: - - rename: - field: _ingest._value.solution_fix - target_field: _ingest._value.solution.fix - ignore_missing: true - - foreach: - field: json.same - if: ctx.json?.same instanceof List - processor: - html_strip: - field: _ingest._value.proof - ignore_missing: true - ignore_failure: true - - foreach: - field: json.same - if: ctx.json?.same instanceof List - processor: - rename: - field: 
_ingest._value.solution_id - target_field: _ingest._value.solution.id - ignore_missing: true - - foreach: - field: json.same - if: ctx.json?.same instanceof List - processor: - rename: - field: _ingest._value.solution_summary - target_field: _ingest._value.solution.summary - ignore_missing: true - - foreach: - field: json.same - if: ctx.json?.same instanceof List - processor: - rename: - field: _ingest._value.solution_type - target_field: _ingest._value.solution.type - ignore_missing: true - - foreach: - field: json.same - if: ctx.json?.same instanceof List - processor: - remove: - field: _ingest._value.solution_fix - ignore_missing: true - rename: - field: json.same - target_field: rapid7.insightvm.asset.same + field: json.same.check_id + tag: rename_same_check_id + target_field: rapid7.insightvm.asset.same.check_id + ignore_missing: true + - date: + field: json.same.first_found + tag: date_same_first_found + target_field: rapid7.insightvm.asset.same.first_found + formats: + - ISO8601 + if: ctx.json?.same?.first_found != null && ctx.json.same.first_found != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.same.key + tag: rename_same_key + target_field: rapid7.insightvm.asset.same.key + ignore_missing: true + - date: + field: json.same.last_found + tag: date_same_last_found + target_field: rapid7.insightvm.asset.same.last_found + formats: + - ISO8601 + if: ctx.json?.same?.last_found != null && ctx.json.same.last_found != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.same.nic + tag: 
rename_same_nic + target_field: rapid7.insightvm.asset.same.nic + ignore_missing: true + - convert: + field: json.same.port + tag: convert_same_port_to_long + type: long + target_field: rapid7.insightvm.asset.same.port + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - html_strip: + field: json.same.proof + tag: html_strip_same_proof + target_field: rapid7.insightvm.asset.same.proof + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - trim: + field: rapid7.insightvm.asset.same.proof + tag: trim_same_proof + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.same.protocol + tag: rename_same_protocol + target_field: rapid7.insightvm.asset.same.protocol + ignore_missing: true + - html_strip: + field: json.same.solution_fix + tag: html_strip_same_solution_fix + target_field: rapid7.insightvm.asset.same.solution.fix + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - trim: + field: rapid7.insightvm.asset.same.solution.fix + tag: trim_same_solution_fix + ignore_missing: true + on_failure: + - append: + field: error.message + value: 
'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.same.solution_id + tag: rename_same_solution_id + target_field: rapid7.insightvm.asset.same.solution.id + ignore_missing: true + - rename: + field: json.same.solution_summary + tag: rename_same_solution_summary + target_field: rapid7.insightvm.asset.same.solution.summary + ignore_missing: true + - rename: + field: json.same.solution_type + tag: rename_same_solution_type + target_field: rapid7.insightvm.asset.same.solution.type + ignore_missing: true + - rename: + field: json.same.status + tag: rename_same_status + target_field: rapid7.insightvm.asset.same.status + ignore_missing: true + - rename: + field: json.same.vulnerability_id + tag: rename_same_vulnerability_id + target_field: rapid7.insightvm.asset.same.vulnerability_id ignore_missing: true + - append: + field: vulnerability.id + tag: append_same_vulnerability_id_into_vulnerability_id + value: '{{{rapid7.insightvm.asset.same.vulnerability_id}}}' + allow_duplicates: false + if: ctx.rapid7?.insightvm?.asset?.same?.vulnerability_id != null - convert: field: json.severe_vulnerabilities tag: 'convert_severe_vulnerabilities_to_long' @@ -670,6 +683,7 @@ processors: - rapid7.insightvm.asset.os.description - rapid7.insightvm.asset.os.name - rapid7.insightvm.asset.os.version + - rapid7.insightvm.asset.same.vulnerability_id ignore_missing: true - foreach: field: rapid7.insightvm.asset.new 
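Review bot: `html_strip_same_solution_fix` keeps only the anchor text, so a `solution_fix` whose link text differs from its `href` loses the remediation URL; in the sample the two coincide, which hides this. If that is acceptable, say so next to the processor, `# html_strip keeps anchor text only; an href that differs from its text is dropped`, and mention it in the `solution.fix` field description. The per-key renames also replace the former whole-object rename of `json.same`, so any key the API later adds under `same` stays under `json.same` rather than `rapid7.insightvm.asset.same`; a comment noting that the mapping is intentionally closed would help the next maintainer. The processors list continues outside the hunk.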
@@ -689,15 +703,6 @@ processors: field: - _ingest._value.vulnerability_id ignore_missing: true - - foreach: - field: rapid7.insightvm.asset.same - if: ctx.rapid7?.insightvm?.asset?.same instanceof List && (ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields'))) - ignore_failure: true - processor: - remove: - field: - - _ingest._value.vulnerability_id - ignore_missing: true - script: lang: painless description: Drops null/empty values recursively. @@ -727,7 +732,7 @@ processors: on_failure: - append: field: error.message - value: '{{{_ingest.on_failure_message}}}' + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - set: field: event.kind value: pipeline_error diff --git a/packages/rapid7_insightvm/data_stream/asset/fields/fields.yml b/packages/rapid7_insightvm/data_stream/asset/fields/fields.yml index f04056a212e..a8939317fba 100644 --- a/packages/rapid7_insightvm/data_stream/asset/fields/fields.yml +++ b/packages/rapid7_insightvm/data_stream/asset/fields/fields.yml @@ -190,6 +190,9 @@ - name: last_found type: date description: The most recent time the vulnerability was discovered. + - name: nic + type: keyword + description: The NIC of the vulnerability finding. - name: port type: long description: For services vulnerabilities, the port that is vulnerable. diff --git a/packages/rapid7_insightvm/data_stream/asset/sample_event.json b/packages/rapid7_insightvm/data_stream/asset/sample_event.json index ae8e306a6f3..f30d70f55b2 100644 --- a/packages/rapid7_insightvm/data_stream/asset/sample_event.json +++ b/packages/rapid7_insightvm/data_stream/asset/sample_event.json 
@@ -1,87 +1,113 @@ { - "@timestamp": "2023-05-23T16:17:06.996Z", + "@timestamp": "2025-05-13T12:18:50.388Z", "agent": { - "ephemeral_id": "163d2260-4499-492b-bbd5-4d90487865b9", - "id": "c157ef08-38bb-40dd-bae1-c6bc8c8f02fa", - "name": "docker-fleet-agent", + "ephemeral_id": "9bdec071-fe61-4ab8-bb89-67f2ccd46f17", + "id": "0adaf99a-f0e5-4dfd-95fc-582f8f0057d9", + "name": "elastic-agent-42288", "type": "filebeat", - "version": "8.9.0" + "version": "8.13.0" }, "data_stream": { "dataset": "rapid7_insightvm.asset", - "namespace": "ep", + "namespace": "50081", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "c157ef08-38bb-40dd-bae1-c6bc8c8f02fa", - "snapshot": true, - "version": "8.9.0" + "id": "0adaf99a-f0e5-4dfd-95fc-582f8f0057d9", + "snapshot": false, + "version": "8.13.0" }, "event": { "agent_id_status": "verified", "category": [ "host" ], - "created": "2023-05-23T16:17:06.996Z", + "created": "2025-05-13T12:18:50.388Z", "dataset": "rapid7_insightvm.asset", - "ingested": "2023-05-23T16:17:08Z", + "ingested": "2025-05-13T12:18:53Z", "kind": "state", - "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"critical_vulnerabilities\":0,\"exploits\":0,\"id\":\"452534235-25a7-40a3-9321-28ce0b5cc90e-default-asset-199\",\"ip\":\"10.1.0.128\",\"last_assessed_for_vulnerabilities\":\"2020-03-20T19:19:42.611Z\",\"last_scan_end\":\"2020-03-20T19:19:42.611Z\",\"last_scan_start\":\"2020-03-20T19:18:13.611Z\",\"malware_kits\":0,\"moderate_vulnerabilities\":2,\"new\":[],\"os_architecture\":\"x86_64\",\"os_description\":\"CentOS Linux 2.6.18\",\"os_family\":\"Linux\",\"os_name\":\"Linux\",\"os_system_name\":\"CentOS Linux\",\"os_type\":\"General\",\"os_vendor\":\"CentOS\",\"os_version\":\"2.6.18\",\"remediated\":[],\"risk_score\":0,\"severe_vulnerabilities\":0,\"tags\":[{\"name\":\"lab\",\"type\":\"SITE\"}],\"total_vulnerabilities\":2}", + "original": 
"{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[{\"port\":22,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"}],\"critical_vulnerabilities\":1,\"exploits\":1,\"id\":\"8bcfe121-1234-5678-9012-c4a6abcdabcde-default-asset-4\",\"ip\":\"175.16.199.1\",\"last_assessed_for_vulnerabilities\":\"2025-05-08T06:51:31.736Z\",\"last_scan_end\":\"2025-05-08T06:51:31.736Z\",\"last_scan_start\":\"2025-05-08T06:51:19.193Z\",\"mac\":\"00:00:5E:00:53:00\",\"malware_kits\":0,\"moderate_vulnerabilities\":0,\"new\":[],\"os_architecture\":\"\",\"os_description\":\"Ubuntu Linux\",\"os_family\":\"Linux\",\"os_name\":\"Linux\",\"os_system_name\":\"Ubuntu Linux\",\"os_type\":\"\",\"os_vendor\":\"Ubuntu\",\"remediated\":[],\"risk_score\":1268,\"same\":{\"check_id\":null,\"first_found\":\"2025-05-08T06:51:31Z\",\"key\":\"\",\"last_found\":\"2025-05-08T06:51:31.736Z\",\"nic\":null,\"port\":22,\"proof\":\"\\u003cp\\u003e\\u003cul\\u003e\\u003cli\\u003eRunning SSH service\\u003c/li\\u003e\\u003cli\\u003eProduct OpenSSH exists -- OpenBSD OpenSSH 8.9p1\\u003c/li\\u003e\\u003cli\\u003eVulnerable version of product OpenSSH found -- OpenBSD OpenSSH 8.9p1\\u003c/li\\u003e\\u003c/ul\\u003e\\u003cp\\u003eVulnerable version of OpenSSH detected on Ubuntu Linux\\u003c/p\\u003e\\u003c/p\\u003e\",\"protocol\":\"TCP\",\"solution_fix\":\"\\u003cp\\u003eDownload and apply the upgrade from: \\u003ca href=\\\"https://ftp.openbsd.org/pub/OpenBSD/OpenSSH\\\"\\u003ehttps://ftp.openbsd.org/pub/OpenBSD/OpenSSH\\u003c/a\\u003e\\u003c/p\\u003e\",\"solution_id\":\"openbsd-openssh-upgrade-latest\",\"solution_summary\":\"Upgrade to the latest version of OpenSSH\",\"solution_type\":\"rollup\",\"status\":\"VULNERABLE_VERS\",\"vulnerability_id\":\"openbsd-openssh-cve-2024-6387\"},\"severe_vulnerabilities\":1,\"tags\":[{\"name\":\"test\",\"type\":\"SITE\"}],\"total_vulnerabilities\":2,\"unique_identifiers\":[]}", "type": [ "info" ] }, "host": { - "architecture": "x86_64", 
- "id": "452534235-25a7-40a3-9321-28ce0b5cc90e-default-asset-199", + "id": "8bcfe121-1234-5678-9012-c4a6abcdabcde-default-asset-4", "ip": [ - "10.1.0.128" + "175.16.199.1" + ], + "mac": [ + "00-00-5E-00-53-00" ], "os": { "family": "Linux", - "full": "CentOS Linux 2.6.18", - "name": "Linux", - "version": "2.6.18" + "full": "Ubuntu Linux", + "name": "Linux" }, "risk": { - "static_score": 0 + "static_score": 1268 } }, "input": { "type": "httpjson" }, + "network": { + "transport": [ + "tcp" + ] + }, "rapid7": { "insightvm": { "asset": { "assessed_for_policies": false, "assessed_for_vulnerabilities": true, - "critical_vulnerabilities": 0, - "exploits": 0, - "id": "452534235-25a7-40a3-9321-28ce0b5cc90e-default-asset-199", - "ip": "10.1.0.128", - "last_assessed_for_vulnerabilities": "2020-03-20T19:19:42.611Z", - "last_scan_end": "2020-03-20T19:19:42.611Z", - "last_scan_start": "2020-03-20T19:18:13.611Z", + "credential_assessments": [ + { + "port": 22, + "protocol": "TCP", + "status": "NO_CREDS_SUPPLIED" + } + ], + "critical_vulnerabilities": 1, + "exploits": 1, + "id": "8bcfe121-1234-5678-9012-c4a6abcdabcde-default-asset-4", + "ip": "175.16.199.1", + "last_assessed_for_vulnerabilities": "2025-05-08T06:51:31.736Z", + "last_scan_end": "2025-05-08T06:51:31.736Z", + "last_scan_start": "2025-05-08T06:51:19.193Z", + "mac": "00-00-5E-00-53-00", "malware_kits": 0, - "moderate_vulnerabilities": 2, + "moderate_vulnerabilities": 0, "os": { - "architecture": "x86_64", - "description": "CentOS Linux 2.6.18", + "description": "Ubuntu Linux", "family": "Linux", "name": "Linux", - "system_name": "CentOS Linux", - "type": "General", - "vendor": "CentOS", - "version": "2.6.18" + "system_name": "Ubuntu Linux", + "vendor": "Ubuntu" }, - "risk_score": 0, - "severe_vulnerabilities": 0, + "risk_score": 1268, + "same": { + "first_found": "2025-05-08T06:51:31.000Z", + "last_found": "2025-05-08T06:51:31.736Z", + "port": 22, + "proof": "Running SSH service\n\nProduct OpenSSH exists -- OpenBSD 
OpenSSH 8.9p1\n\nVulnerable version of product OpenSSH found -- OpenBSD OpenSSH 8.9p1\n\n\nVulnerable version of OpenSSH detected on Ubuntu Linux", + "protocol": "TCP", + "solution": { + "fix": "Download and apply the upgrade from: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH", + "id": "openbsd-openssh-upgrade-latest", + "summary": "Upgrade to the latest version of OpenSSH", + "type": "rollup" + }, + "status": "VULNERABLE_VERS", + "vulnerability_id": "openbsd-openssh-cve-2024-6387" + }, + "severe_vulnerabilities": 1, "tags": [ { - "name": "lab", + "name": "test", "type": "SITE" } ], @@ -91,7 +117,7 @@ }, "related": { "ip": [ - "10.1.0.128" + "175.16.199.1" ] }, "tags": [ @@ -99,5 +125,10 @@ "preserve_duplicate_custom_fields", "forwarded", "rapid7_insightvm-asset" - ] -} \ No newline at end of file + ], + "vulnerability": { + "id": [ + "openbsd-openssh-cve-2024-6387" + ] + } +} diff --git a/packages/rapid7_insightvm/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log-expected.json b/packages/rapid7_insightvm/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log-expected.json index 43719aa976c..453b97d8582 100644 --- a/packages/rapid7_insightvm/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log-expected.json +++ b/packages/rapid7_insightvm/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log-expected.json @@ -325,4 +325,4 @@ }, null ] -} \ No newline at end of file +} diff --git a/packages/rapid7_insightvm/docs/README.md b/packages/rapid7_insightvm/docs/README.md index 3d8cc0ce549..3c157511a6f 100644 --- a/packages/rapid7_insightvm/docs/README.md +++ b/packages/rapid7_insightvm/docs/README.md 
@@ -38,89 +38,115 @@ An example event for `asset` looks as following: ```json { - "@timestamp": "2023-05-23T16:17:06.996Z", + "@timestamp": "2025-05-13T12:18:50.388Z", "agent": { - "ephemeral_id": "163d2260-4499-492b-bbd5-4d90487865b9", - "id": "c157ef08-38bb-40dd-bae1-c6bc8c8f02fa", - "name": "docker-fleet-agent", + "ephemeral_id": "9bdec071-fe61-4ab8-bb89-67f2ccd46f17", + "id": "0adaf99a-f0e5-4dfd-95fc-582f8f0057d9", + "name": "elastic-agent-42288", "type": "filebeat", - "version": "8.9.0" + "version": "8.13.0" }, "data_stream": { "dataset": "rapid7_insightvm.asset", - "namespace": "ep", + "namespace": "50081", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "c157ef08-38bb-40dd-bae1-c6bc8c8f02fa", - "snapshot": true, - "version": "8.9.0" + "id": "0adaf99a-f0e5-4dfd-95fc-582f8f0057d9", + "snapshot": false, + "version": "8.13.0" }, "event": { "agent_id_status": "verified", "category": [ "host" ], - "created": "2023-05-23T16:17:06.996Z", + "created": "2025-05-13T12:18:50.388Z", "dataset": "rapid7_insightvm.asset", - "ingested": "2023-05-23T16:17:08Z", + "ingested": "2025-05-13T12:18:53Z", "kind": "state", - "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"critical_vulnerabilities\":0,\"exploits\":0,\"id\":\"452534235-25a7-40a3-9321-28ce0b5cc90e-default-asset-199\",\"ip\":\"10.1.0.128\",\"last_assessed_for_vulnerabilities\":\"2020-03-20T19:19:42.611Z\",\"last_scan_end\":\"2020-03-20T19:19:42.611Z\",\"last_scan_start\":\"2020-03-20T19:18:13.611Z\",\"malware_kits\":0,\"moderate_vulnerabilities\":2,\"new\":[],\"os_architecture\":\"x86_64\",\"os_description\":\"CentOS Linux 2.6.18\",\"os_family\":\"Linux\",\"os_name\":\"Linux\",\"os_system_name\":\"CentOS Linux\",\"os_type\":\"General\",\"os_vendor\":\"CentOS\",\"os_version\":\"2.6.18\",\"remediated\":[],\"risk_score\":0,\"severe_vulnerabilities\":0,\"tags\":[{\"name\":\"lab\",\"type\":\"SITE\"}],\"total_vulnerabilities\":2}", + "original": 
"{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[{\"port\":22,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"}],\"critical_vulnerabilities\":1,\"exploits\":1,\"id\":\"8bcfe121-1234-5678-9012-c4a6abcdabcde-default-asset-4\",\"ip\":\"175.16.199.1\",\"last_assessed_for_vulnerabilities\":\"2025-05-08T06:51:31.736Z\",\"last_scan_end\":\"2025-05-08T06:51:31.736Z\",\"last_scan_start\":\"2025-05-08T06:51:19.193Z\",\"mac\":\"00:00:5E:00:53:00\",\"malware_kits\":0,\"moderate_vulnerabilities\":0,\"new\":[],\"os_architecture\":\"\",\"os_description\":\"Ubuntu Linux\",\"os_family\":\"Linux\",\"os_name\":\"Linux\",\"os_system_name\":\"Ubuntu Linux\",\"os_type\":\"\",\"os_vendor\":\"Ubuntu\",\"remediated\":[],\"risk_score\":1268,\"same\":{\"check_id\":null,\"first_found\":\"2025-05-08T06:51:31Z\",\"key\":\"\",\"last_found\":\"2025-05-08T06:51:31.736Z\",\"nic\":null,\"port\":22,\"proof\":\"\\u003cp\\u003e\\u003cul\\u003e\\u003cli\\u003eRunning SSH service\\u003c/li\\u003e\\u003cli\\u003eProduct OpenSSH exists -- OpenBSD OpenSSH 8.9p1\\u003c/li\\u003e\\u003cli\\u003eVulnerable version of product OpenSSH found -- OpenBSD OpenSSH 8.9p1\\u003c/li\\u003e\\u003c/ul\\u003e\\u003cp\\u003eVulnerable version of OpenSSH detected on Ubuntu Linux\\u003c/p\\u003e\\u003c/p\\u003e\",\"protocol\":\"TCP\",\"solution_fix\":\"\\u003cp\\u003eDownload and apply the upgrade from: \\u003ca href=\\\"https://ftp.openbsd.org/pub/OpenBSD/OpenSSH\\\"\\u003ehttps://ftp.openbsd.org/pub/OpenBSD/OpenSSH\\u003c/a\\u003e\\u003c/p\\u003e\",\"solution_id\":\"openbsd-openssh-upgrade-latest\",\"solution_summary\":\"Upgrade to the latest version of OpenSSH\",\"solution_type\":\"rollup\",\"status\":\"VULNERABLE_VERS\",\"vulnerability_id\":\"openbsd-openssh-cve-2024-6387\"},\"severe_vulnerabilities\":1,\"tags\":[{\"name\":\"test\",\"type\":\"SITE\"}],\"total_vulnerabilities\":2,\"unique_identifiers\":[]}", "type": [ "info" ] }, "host": { - "architecture": "x86_64", 
- "id": "452534235-25a7-40a3-9321-28ce0b5cc90e-default-asset-199", + "id": "8bcfe121-1234-5678-9012-c4a6abcdabcde-default-asset-4", "ip": [ - "10.1.0.128" + "175.16.199.1" + ], + "mac": [ + "00-00-5E-00-53-00" ], "os": { "family": "Linux", - "full": "CentOS Linux 2.6.18", - "name": "Linux", - "version": "2.6.18" + "full": "Ubuntu Linux", + "name": "Linux" }, "risk": { - "static_score": 0 + "static_score": 1268 } }, "input": { "type": "httpjson" }, + "network": { + "transport": [ + "tcp" + ] + }, "rapid7": { "insightvm": { "asset": { "assessed_for_policies": false, "assessed_for_vulnerabilities": true, - "critical_vulnerabilities": 0, - "exploits": 0, - "id": "452534235-25a7-40a3-9321-28ce0b5cc90e-default-asset-199", - "ip": "10.1.0.128", - "last_assessed_for_vulnerabilities": "2020-03-20T19:19:42.611Z", - "last_scan_end": "2020-03-20T19:19:42.611Z", - "last_scan_start": "2020-03-20T19:18:13.611Z", + "credential_assessments": [ + { + "port": 22, + "protocol": "TCP", + "status": "NO_CREDS_SUPPLIED" + } + ], + "critical_vulnerabilities": 1, + "exploits": 1, + "id": "8bcfe121-1234-5678-9012-c4a6abcdabcde-default-asset-4", + "ip": "175.16.199.1", + "last_assessed_for_vulnerabilities": "2025-05-08T06:51:31.736Z", + "last_scan_end": "2025-05-08T06:51:31.736Z", + "last_scan_start": "2025-05-08T06:51:19.193Z", + "mac": "00-00-5E-00-53-00", "malware_kits": 0, - "moderate_vulnerabilities": 2, + "moderate_vulnerabilities": 0, "os": { - "architecture": "x86_64", - "description": "CentOS Linux 2.6.18", + "description": "Ubuntu Linux", "family": "Linux", "name": "Linux", - "system_name": "CentOS Linux", - "type": "General", - "vendor": "CentOS", - "version": "2.6.18" + "system_name": "Ubuntu Linux", + "vendor": "Ubuntu" + }, + "risk_score": 1268, + "same": { + "first_found": "2025-05-08T06:51:31.000Z", + "last_found": "2025-05-08T06:51:31.736Z", + "port": 22, + "proof": "Running SSH service\n\nProduct OpenSSH exists -- OpenBSD OpenSSH 8.9p1\n\nVulnerable version of product 
OpenSSH found -- OpenBSD OpenSSH 8.9p1\n\n\nVulnerable version of OpenSSH detected on Ubuntu Linux", + "protocol": "TCP", + "solution": { + "fix": "Download and apply the upgrade from: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH", + "id": "openbsd-openssh-upgrade-latest", + "summary": "Upgrade to the latest version of OpenSSH", + "type": "rollup" + }, + "status": "VULNERABLE_VERS", + "vulnerability_id": "openbsd-openssh-cve-2024-6387" }, - "risk_score": 0, - "severe_vulnerabilities": 0, + "severe_vulnerabilities": 1, "tags": [ { - "name": "lab", + "name": "test", "type": "SITE" } ], @@ -130,7 +156,7 @@ An example event for `asset` looks as following: }, "related": { "ip": [ - "10.1.0.128" + "175.16.199.1" ] }, "tags": [ @@ -138,7 +164,12 @@ An example event for `asset` looks as following: "preserve_duplicate_custom_fields", "forwarded", "rapid7_insightvm-asset" - ] + ], + "vulnerability": { + "id": [ + "openbsd-openssh-cve-2024-6387" + ] + } } ``` @@ -209,6 +240,7 @@ An example event for `asset` looks as following: | rapid7.insightvm.asset.same.first_found | The first time the vulnerability was discovered. | date | | rapid7.insightvm.asset.same.key | The identifier of the assessment key. | keyword | | rapid7.insightvm.asset.same.last_found | The most recent time the vulnerability was discovered. | date | +| rapid7.insightvm.asset.same.nic | The NIC of the vulnerability finding. | keyword | | rapid7.insightvm.asset.same.port | For services vulnerabilities, the port that is vulnerable. | long | | rapid7.insightvm.asset.same.proof | The identifier of the vulnerability proof. | keyword | | rapid7.insightvm.asset.same.protocol | For services vulnerabilities, the protocol that is vulnerable. | keyword | diff --git a/packages/rapid7_insightvm/manifest.yml b/packages/rapid7_insightvm/manifest.yml index f86fc252ee3..bda3aefccbb 100644 --- a/packages/rapid7_insightvm/manifest.yml +++ b/packages/rapid7_insightvm/manifest.yml 
@@ -1,7 +1,7 @@
 format_version: "3.0.2"
 name: rapid7_insightvm
 title: Rapid7 InsightVM
-version: "1.16.0"
+version: "1.17.0"
 source:
 license: "Elastic-2.0"
 description: Collect logs from Rapid7 InsightVM with Elastic Agent.