diff --git a/packages/m365_defender/_dev/deploy/docker/docker-compose.yml b/packages/m365_defender/_dev/deploy/docker/docker-compose.yml
index 2420f10bdbf..0645f755725 100644
--- a/packages/m365_defender/_dev/deploy/docker/docker-compose.yml
+++ b/packages/m365_defender/_dev/deploy/docker/docker-compose.yml
@@ -32,6 +32,7 @@ services:
 - 8080
 volumes:
 - ./vulnerability-http-mock-config.yml:/config.yml
+ - ./download-vulnerability.log.gz:/download-vulnerability.log.gz
 environment:
 PORT: 8080
 command:
diff --git a/packages/m365_defender/_dev/deploy/docker/download-vulnerability.log.gz b/packages/m365_defender/_dev/deploy/docker/download-vulnerability.log.gz
new file mode 100644
index 00000000000..11a271da18b
Binary files /dev/null and b/packages/m365_defender/_dev/deploy/docker/download-vulnerability.log.gz differ
diff --git a/packages/m365_defender/_dev/deploy/docker/vulnerability-http-mock-config.yml b/packages/m365_defender/_dev/deploy/docker/vulnerability-http-mock-config.yml
index 8b12306ff7c..89bc6e65f7c 100644
--- a/packages/m365_defender/_dev/deploy/docker/vulnerability-http-mock-config.yml
+++ b/packages/m365_defender/_dev/deploy/docker/vulnerability-http-mock-config.yml
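Review bot: The new bind mount on the added line shares the fixture read-write with the mock container, although the container only serves the file; a committed test fixture should be mounted read-only so nothing running inside the mock can alter it, `- ./download-vulnerability.log.gz:/download-vulnerability.log.gz:ro`. The config mount on the line above has the same shape and could take the same suffix for consistency. The `services` entry these lines belong to starts and ends outside the hunk.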
@@ -7,459 +7,33 @@ rules: Content-Type: - "application/json" body: |- - {"token_type":"Bearer","expires_in":3599,"ext_expires_in":3599,"access_token":"xxxx"} - - path: /api/vulnerabilities/machinesVulnerabilities - methods: ['GET'] + {"token_type":"Bearer","expires_in":3599,"ext_expires_in":3599,"access_token":"topsecretaccesstokenthatshouldnotbeleakedforabit"} + - path: /api/machines/SoftwareVulnerabilitiesExport + methods: ["GET"] query_params: - $top: 10000 - $skip: 0 + sasValidHours: "2" request_headers: - Authorization: - - "Bearer xxxx" + authorization: ["Bearer topsecretaccesstokenthatshouldnotbeleakedforabit"] responses: - status_code: 200 headers: Content-Type: - - application/json - body: | - {{ minify_json ` - { - "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Collection(microsoft.windowsDefenderATP.api.PublicAssetVulnerabilityDto)", - "@odata.count": 5, - "value": [ - { - "id": "94819846155826828d1603b913c67fe336d81295-_-CVE-2025-3074-_-microsoft-_-edge_chromium-based-_-134.0.3124.72-_-", - "cveId": "CVE-2025-3074", - "machineId": "94819846155826828d1603b913c67fe336d81295", - "fixingKbId": null, - "productName": "edge_chromium-based", - "productVendor": "microsoft", - "productVersion": "134.0.3124.72", - "severity": "Medium" - }, - { - "id": "c473dc518718ab3d14ced2bd0870665a533070e0-_-CVE-2025-3074-_-microsoft-_-edge_chromium-based-_-133.0.3065.92-_-", - "cveId": "CVE-2025-3074", - "machineId": "c473dc518718ab3d14ced2bd0870665a533070e0", - "fixingKbId": null, - "productName": "edge_chromium-based", - "productVendor": "microsoft", - "productVersion": "133.0.3065.92", - "severity": "Medium" - }, - { - "id": "c4ca2eb56d52f0a9378d3265541ba02403b76d67-_-CVE-2025-3073-_-microsoft-_-edge_chromium-based-_-133.0.3065.92-_-", - "cveId": "CVE-2025-3073", - "machineId": "c4ca2eb56d52f0a9378d3265541ba02403b76d67", - "fixingKbId": null, - "productName": "edge_chromium-based", - "productVendor": "microsoft", - "productVersion": 
"133.0.3065.92", - "severity": "Medium" - }, - { - "id": "c4ca2eb56d52f0a9378d3265541ba02403b76d67-_-CVE-2025-3073-_-google-_-chrome-_-134.0.6998.118-_-", - "cveId": "CVE-2025-3073", - "machineId": "c4ca2eb56d52f0a9378d3265541ba02403b76d67", - "fixingKbId": null, - "productName": "chrome", - "productVendor": "google", - "productVersion": "134.0.6998.118", - "severity": "Medium" - }, - { - "id": "6825811b97340ed50d858e6285c7a7878248ca75-_-CVE-2025-26635-_-microsoft-_-windows_10-_-10.0.19045.5011-_-5055518", - "cveId": "CVE-2025-26635", - "machineId": "6825811b97340ed50d858e6285c7a7878248ca75", - "fixingKbId": "5055518", - "productName": "windows_10", - "productVendor": "microsoft", - "productVersion": "10.0.19045.5011", - "severity": "Medium" - } - ] - } - `}} - - path: /api/machines - methods: ['GET'] - query_params: - $top: 10000 - $skip: 0 - request_headers: - Authorization: - - "Bearer xxxx" - responses: - - status_code: 200 - headers: - Content-Type: - - application/json - body: | - {{ minify_json ` - { - "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machines", - "value": [ - { - "id": "94819846155826828d1603b913c67fe336d81295", - "mergedIntoMachineId": null, - "isPotentialDuplication": false, - "isExcluded": false, - "exclusionReason": null, - "computerDnsName": "bdp3449-ub20-2-4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01", - "firstSeen": "2025-01-08T13:05:05.3483549Z", - "lastSeen": "2025-01-08T13:15:03.694371Z", - "osPlatform": "Ubuntu", - "osVersion": null, - "osProcessor": "x64", - "version": "20.4", - "lastIpAddress": "175.16.199.0", - "lastExternalIpAddress": "1.128.0.0", - "agentVersion": "30.124092.2.0", - "osBuild": 6, - "healthStatus": "Inactive", - "deviceValue": "Normal", - "rbacGroupId": 0, - "rbacGroupName": null, - "riskScore": "None", - "exposureLevel": "Low", - "isAadJoined": false, - "aadDeviceId": null, - "machineTags": ["test tag"], - "onboardingStatus": "Onboarded", - "osArchitecture": "64-bit", - "managedBy": 
"MicrosoftDefenderForEndpoint", - "managedByStatus": "Success", - "ipAddresses": [ - { - "ipAddress": "216.160.83.56", - "macAddress": "000C2910F1DA", - "type": "Other", - "operationalStatus": "Up" - } - ], - "vmMetadata": null - }, - { - "id": "c473dc518718ab3d14ced2bd0870665a533070e0", - "mergedIntoMachineId": null, - "isPotentialDuplication": false, - "isExcluded": false, - "exclusionReason": null, - "computerDnsName": "bdp3449-ub20-2-a415f17e-ce8d-4ce2-a8b4-83b674e7017e", - "firstSeen": "2025-01-09T20:29:06.2413437Z", - "lastSeen": "2025-01-09T20:57:23.4538904Z", - "osPlatform": "Ubuntu", - "osVersion": null, - "osProcessor": "x64", - "version": "20.4", - "lastIpAddress": "81.2.69.142", - "lastExternalIpAddress": "81.2.69.144", - "agentVersion": "30.124092.2.0", - "osBuild": 6, - "healthStatus": "Inactive", - "deviceValue": "Normal", - "rbacGroupId": 0, - "rbacGroupName": null, - "riskScore": "None", - "exposureLevel": "Low", - "isAadJoined": false, - "aadDeviceId": null, - "machineTags": [], - "onboardingStatus": "Onboarded", - "osArchitecture": "64-bit", - "managedBy": "MicrosoftDefenderForEndpoint", - "managedByStatus": "Success", - "ipAddresses": [ - { - "ipAddress": "81.2.69.192", - "macAddress": "000C2910F1DA", - "type": "Other", - "operationalStatus": "Up" - }, - { - "ipAddress": "2a02:cf40::", - "macAddress": "000C2910F1DA", - "type": "Other", - "operationalStatus": "Up" - } - ], - "vmMetadata": null - }, - { - "id": "c4ca2eb56d52f0a9378d3265541ba02403b76d67", - "mergedIntoMachineId": null, - "isPotentialDuplication": false, - "isExcluded": false, - "exclusionReason": null, - "computerDnsName": "bdp3449-ub20-2-1602ff76-ed7f-4c94-b550-2f727b4782d4", - "firstSeen": "2025-01-09T14:01:35.8022227Z", - "lastSeen": "2025-01-09T14:22:34.8819165Z", - "osPlatform": "Ubuntu", - "osVersion": null, - "osProcessor": "x64", - "version": "20.4", - "lastIpAddress": "81.2.69.192", - "lastExternalIpAddress": "89.160.20.112", - "agentVersion": "30.124092.2.0", - "osBuild": 
6, - "healthStatus": "Inactive", - "deviceValue": "Normal", - "rbacGroupId": 0, - "rbacGroupName": null, - "riskScore": "None", - "exposureLevel": "Low", - "isAadJoined": false, - "aadDeviceId": null, - "machineTags": [], - "onboardingStatus": "Onboarded", - "osArchitecture": "64-bit", - "managedBy": "MicrosoftDefenderForEndpoint", - "managedByStatus": "Success", - "ipAddresses": [ - { - "ipAddress": "81.2.69.192", - "macAddress": "000C2910F1DA", - "type": "Other", - "operationalStatus": "Up" - }, - { - "ipAddress": "2a02:cf40::", - "macAddress": "000C2910F1DA", - "type": "Other", - "operationalStatus": "Up" - } - ], - "vmMetadata": null - }, - { - "id": "6825811b97340ed50d858e6285c7a7878248ca75", - "mergedIntoMachineId": null, - "isPotentialDuplication": false, - "isExcluded": false, - "exclusionReason": null, - "computerDnsName": "bdp3449-ub20-2-ab4d04af-68dc-4fee-9c16-6545265b3276", - "firstSeen": "2025-01-09T06:29:21.587607Z", - "lastSeen": "2025-01-09T06:56:38.3119183Z", - "osPlatform": "Ubuntu", - "osVersion": null, - "osProcessor": "x64", - "version": "20.4", - "lastIpAddress": "81.2.69.192", - "lastExternalIpAddress": "89.160.20.112", - "agentVersion": "30.124092.2.0", - "osBuild": 6, - "healthStatus": "Inactive", - "deviceValue": "Normal", - "rbacGroupId": 0, - "rbacGroupName": null, - "riskScore": "Medium", - "exposureLevel": "Low", - "isAadJoined": false, - "aadDeviceId": null, - "machineTags": ["test"], - "onboardingStatus": "Onboarded", - "osArchitecture": "64-bit", - "managedBy": "MicrosoftDefenderForEndpoint", - "managedByStatus": "Success", - "ipAddresses": [ - { - "ipAddress": "81.2.69.192", - "macAddress": "000C2910F1DA", - "type": "Other", - "operationalStatus": "Up" - } - ], - "vmMetadata": null - }, - { - "id": "08a037be5ffcf0e85c0817a202a95e86dbb65124", - "mergedIntoMachineId": null, - "isPotentialDuplication": false, - "isExcluded": false, - "exclusionReason": null, - "computerDnsName": "bdp3449-ub20-2-3a95cdb2-c6ea-4761-b24e-02b71889b8bb", - 
"firstSeen": "2025-01-09T07:29:19.0754397Z", - "lastSeen": "2025-01-09T07:54:33.335749Z", - "osPlatform": "Ubuntu", - "osVersion": null, - "osProcessor": "x64", - "version": "20.4", - "lastIpAddress": "67.43.156.0", - "lastExternalIpAddress": "175.16.199.0", - "agentVersion": "30.124092.2.0", - "osBuild": 6, - "healthStatus": "Inactive", - "deviceValue": "Normal", - "rbacGroupId": 0, - "rbacGroupName": null, - "riskScore": "High", - "exposureLevel": "Low", - "isAadJoined": false, - "aadDeviceId": null, - "machineTags": [], - "onboardingStatus": "Onboarded", - "osArchitecture": "64-bit", - "managedBy": "MicrosoftDefenderForEndpoint", - "managedByStatus": "Success", - "ipAddresses": [ - { - "ipAddress": "67.43.156.0", - "macAddress": "000C2910F1DA", - "type": "Other", - "operationalStatus": "Up" - } - ], - "vmMetadata": null - } - ] - } - `}} - - path: /api/vulnerabilities - methods: ['GET'] - query_params: - $top: 2 - $skip: 0 - request_headers: - Authorization: - - "Bearer xxxx" - responses: - - status_code: 200 - headers: - Content-Type: - - application/json - body: | - {{ minify_json ` - { - "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Vulnerabilities", - "@odata.count": 2, - "value": [ - { - "id": "CVE-2025-3074", - "name": "CVE-2025-3074", - "description": "Summary: An inappropriate implementation in the Downloads feature of Google Chrome versions prior to 135.0.7049.52 could allow a remote attacker to perform UI spoofing via a crafted HTML page. This vulnerability, classified with a low severity by Chromium, may also enable bypassing security restrictions when a victim visits a specially crafted website. Impact: Exploitation of this vulnerability could lead to UI spoofing or bypassing security restrictions, potentially compromising user trust and security. AdditionalInformation: This vulnerability is associated with Google Chrome and has implications for Microsoft Edge (Chromium-based) due to shared code ingestion. 
Refer to Google Chrome Releases for further details. Remediation: Apply the latest patches and updates provided by the respective vendors. [Generated by AI]", - "severity": "Medium", - "cvssV3": 6.5, - "cvssVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C", - "exposedMachines": 2, - "publishedOn": "2025-04-01T00:00:00Z", - "updatedOn": "2025-04-08T00:00:00Z", - "firstDetected": "2025-04-01T19:52:39Z", - "patchFirstAvailable": null, - "publicExploit": false, - "exploitVerified": false, - "exploitInKit": false, - "exploitTypes": [], - "exploitUris": [], - "cveSupportability": "Supported", - "tags": ["test"], - "epss": 0.00111 - }, - { - "id": "CVE-2025-3073", - "name": "CVE-2025-3073", - "description": "Summary: An inappropriate implementation in the Autofill feature of Google Chrome versions prior to 135.0.7049.52 allows a remote attacker to perform UI spoofing by convincing a user to interact with a crafted HTML page. This vulnerability is categorized with a Chromium security severity rating of Low. Impact: Exploitation of this vulnerability could enable an attacker to bypass security restrictions, potentially leading to unauthorized actions or data exposure. AdditionalInformation: This vulnerability is also relevant to Microsoft Edge (Chromium-based), as it ingests Chromium. Refer to Google Chrome Releases for further details. Remediation: Apply the latest patches and updates provided by the respective vendors. 
[Generated by AI]", - "severity": "Medium", - "cvssV3": 6.5, - "cvssVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C", - "exposedMachines": 1, - "publishedOn": "2025-04-01T00:00:00Z", - "updatedOn": "2025-04-08T00:00:00Z", - "firstDetected": "2025-04-01T19:52:39Z", - "patchFirstAvailable": null, - "publicExploit": false, - "exploitVerified": false, - "exploitInKit": false, - "exploitTypes": [], - "exploitUris": [], - "cveSupportability": "Supported", - "tags": ["test"], - "epss": 0.00111 - } - ] - } - `}} - - path: /api/vulnerabilities - methods: ['GET'] - query_params: - $top: 2 - $skip: 2 - request_headers: - Authorization: - - "Bearer xxxx" - responses: - - status_code: 200 - headers: - Content-Type: - - application/json - body: | + - "application/json" + body: |- {{ minify_json ` - { - "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Vulnerabilities", - "@odata.count": 2, - "value": [ - { - "id": "CVE-2025-26635", - "name": "CVE-2025-26635", - "description": "Summary: A vulnerability in Windows Hellos authentication mechanism permits an authorized attacker to bypass its security feature remotely over a network. Impact: Exploitation of this vulnerability could allow unauthorized access to systems, potentially leading to data breaches or further network compromise. Remediation: Apply the latest patches and updates provided by the respective vendors. 
[Generated by AI]", - "severity": "Medium", - "cvssV3": 6.5, - "cvssVector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C", - "exposedMachines": 1, - "publishedOn": "2025-04-08T07:00:00Z", - "updatedOn": "2025-04-09T20:03:01.577Z", - "firstDetected": "2025-04-08T18:00:48Z", - "patchFirstAvailable": null, - "publicExploit": false, - "exploitVerified": false, - "exploitInKit": false, - "exploitTypes": [], - "exploitUris": [], - "cveSupportability": "Supported", - "tags": [], - "epss": 0.00052 - }, - { - "id": "CVE-2025-3437", - "name": "CVE-2025-3437", - "description": "Summary: The Motors – Car Dealership & Classified Listings Plugin for WordPress contains a vulnerability in its ajax_actions.php file, where several functions lack proper capability checks. This flaw exists in all versions up to and including 1.4.66, allowing authenticated attackers with Subscriber-level access or higher to perform unauthorized data modifications. Impact: Exploitation of this vulnerability could lead to unauthorized changes to the plugins setup, potentially compromising the integrity of the affected WordPress site. Remediation: Upgrade to a version of Stylemixthemes Motors - Car Dealer, Classifieds & Listing later than 1.4.66. 
[Generated by AI]", - "severity": "Medium", - "cvssV3": 4.3, - "cvssVector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", - "exposedMachines": 0, - "publishedOn": "2025-04-08T10:15:19.413Z", - "updatedOn": "2025-04-08T18:13:53.347Z", - "firstDetected": null, - "patchFirstAvailable": null, - "publicExploit": false, - "exploitVerified": false, - "exploitInKit": false, - "exploitTypes": [], - "exploitUris": [], - "cveSupportability": "NotSupported", - "tags": [], - "epss": 0.00025 - } - ] - } + { + "@odata.context": "https://api.security.microsoft.com/api/$metadata#microsoft.windowsDefenderATP.api.ExportFilesResponse", + "exportFiles": [ + "http://svc-m365-defender-vulnerability-cel:8080/path/to/vuln" + ], + "generatedTime": "2025-10-09T00:00:00Z" + } `}} - - path: /api/vulnerabilities - methods: ['GET'] - query_params: - $top: 2 - $skip: 4 - request_headers: - Authorization: - - "Bearer xxxx" + - path: /path/to/vuln + methods: ["GET"] responses: - status_code: 200 headers: Content-Type: - - application/json - body: | - {{ minify_json ` - { - "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Vulnerabilities", - "@odata.count": 0, - "value": [] - } - `}} - \ No newline at end of file + - "application/octet-stream" + body: '{{file "/download-vulnerability.log.gz"}}' diff --git a/packages/m365_defender/changelog.yml b/packages/m365_defender/changelog.yml index e4eacf6324c..2fa1c59c622 100644 --- a/packages/m365_defender/changelog.yml +++ b/packages/m365_defender/changelog.yml 
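Review bot: The `/path/to/vuln` rule at the end of the hunk has no `request_headers` condition, so the mock accepts the export-file download whether or not it carries the `authorization` header that the `SoftwareVulnerabilitiesExport` rule above requires. Judging by the `sasValidHours` parameter, the `exportFiles` entries stand in for pre-signed SAS URLs that in the real service live on a different origin than the API, and a client that forwarded the Bearer token to them would hand the credential to storage; the system test as written would not catch such a regression in the CEL program. If the mock's header matching cannot express "header absent", at least record the intent on that rule, e.g. `# export files are SAS URLs: the download request must not carry the API bearer token`, so a later edit of the fixture keeps the distinction. The bearer value `topsecretaccesstokenthatshouldnotbeleakedforabit` presumably exists so the tests can check that it never appears in emitted events; a one-line comment on the token rule, whose start lies above this hunk, would make that purpose explicit. The enclosing `rules` list also continues outside the hunk.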
@@ -1,4 +1,16 @@
 # newer versions go on top
+- version: "5.0.0"
+ changes:
+ - description: |
+ Fetch vulnerability data using SoftwareVulnerabilitiesExport API endpoint.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/15603
+ - description: |
+ The following fields are no longer available in the new implementation: "cloud.provider", "cloud.resource_id",
+ "cloud.instance.id", "host.geo", "host.ip", "host.risk.calculated_level", "related.ip",
+ "vulnerability.description", "vulnerability.published_date", "vulnerability.score.version".
+ type: breaking-change
+ link: https://github.com/elastic/integrations/pull/15603
 - version: "4.2.0"
 changes:
 - description: Prevent updating fleet health status to degraded.
diff --git a/packages/m365_defender/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log b/packages/m365_defender/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log
index ae2e38774fc..5265aa6d6af 100644
--- a/packages/m365_defender/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log
+++ b/packages/m365_defender/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log
@@ -1,6 +1,4 @@ -{"affectedMachine":{"id":"86c0491db8ff7e8dcad520288b7759fa27793ce1-_-CVE-2024-11168-_-red_hat-_-python-unversioned-command_for_linux-_-0:3.9.18-3.el9_4.6-_-","cveId":"CVE-2024-11168","machineId":"86c0491db8ff7e8dcad520288b7759fa27793ce1","fixingKbId":null,"productName":"python-unversioned-command_for_linux","productVendor":"red_hat","productVersion":"0:3.9.18-3.el9_4.6","severity":"Medium","mergedIntoMachineId":null,"isPotentialDuplication":false,"isExcluded":false,"exclusionReason":null,"computerDnsName":"C-Lab-33","firstSeen":"2024-11-06T09:57:53.476232Z","lastSeen":"2025-05-12T04:13:23.7778534Z","osPlatform":"RedHatEnterpriseLinux","osVersion":null,"osProcessor":"x64","version":"9.4","lastIpAddress":"89.160.20.112","lastExternalIpAddress":"175.16.199.0","agentVersion":"30.124082.4.0","osBuild":null,"healthStatus":"Active","deviceValue":"Normal","rbacGroupId":0,"rbacGroupName":null,"riskScore":"High","exposureLevel":"High","isAadJoined":false,"aadDeviceId":null,"machineTags":["C-Lab-Linux"],"onboardingStatus":"Onboarded","osArchitecture":"64-bit","managedBy":"MicrosoftDefenderForEndpoint","managedByStatus":"Success","ipAddresses":[{"ipAddress":"89.160.20.112","macAddress":"00505681A42F","type":"Other","operationalStatus":"Up"},{"ipAddress":"67.43.156.0","macAddress":"000000000000","type":"Other","operationalStatus":"Up"}],"vmMetadata":null},"id":"CVE-2024-11168","name":"CVE-2024-11168","description":"Summary: Pythons CPython implementation contains a vulnerability (CVE-2024-11168) in the urllib.parse.urlsplit() and urlparse() functions, where bracketed hosts (`[]`) are improperly validated. This issue allows non-IPv6 or non-IPvFuture hosts, violating RFC 3986 standards. If a URL is processed by multiple parsers, this flaw could enable Server-Side Request Forgery (SSRF) attacks. Impact: Exploitation of this vulnerability could allow attackers to conduct SSRF attacks, potentially leading to unauthorized access to internal systems or sensitive data. 
AdditionalInformation: This vulnerability affects Python versions prior to 3.9.19-7. It is recommended to review the CVE page for further technical details and associated CVSS scores. Remediation: Upgrade to Python version 3.9.21 or later. [Generated by AI]","severity":"Medium","cvssV3":6.3,"cvssVector":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:X/V:X/RE:X/U:X","exposedMachines":2,"publishedOn":"2023-04-25T16:00:00Z","updatedOn":"2025-04-11T22:15:28.96Z","firstDetected":"2025-05-02T05:36:57Z","patchFirstAvailable":null,"publicExploit":false,"exploitVerified":false,"exploitInKit":false,"exploitTypes":["Remote"],"exploitUris":[],"cveSupportability":"Supported","tags":[],"epss":0.00154} -{"affectedMachine":{"aadDeviceId":"79dc383d-1ba1-4ac9-9dca-792e881a5034","agentVersion":"10.8760.19045.5011","computerDnsName":"c-lab-14","cveId":"CVE-2025-24062","deviceValue":"Normal","exclusionReason":null,"exposureLevel":"High","firstSeen":"2024-11-05T11:55:28.5899758Z","fixingKbId":"5055518","healthStatus":"Active","id":"fd43e5b3ba69b8ecffb165017d9c8687f24e246a-_-CVE-2025-24062-_-microsoft-_-windows_10-_-10.0.19045.5011-_-5055518","ipAddresses":[{"ipAddress":"1.128.0.0","macAddress":"00505683B889","operationalStatus":"Up","type":"Ethernet"},{"ipAddress":"2a02:cf40::","macAddress":"00505683B889","operationalStatus":"Up","type":"Ethernet"},{"ipAddress":"81.2.69.192","macAddress":null,"operationalStatus":"Up","type":"SoftwareLoopback"}],"isAadJoined":true,"isExcluded":false,"isPotentialDuplication":false,"lastExternalIpAddress":"89.160.20.112","lastIpAddress":"175.16.199.0","lastSeen":"2025-04-21T08:24:41.3833512Z","machineId":"fd43e5b3ba69b8ecffb165017d9c8687f24e246a","machineTags":[],"managedBy":"Intune","managedByStatus":"Unknown","mergedIntoMachineId":null,"onboardingStatus":"Onboarded","osArchitecture":"64-bit","osBuild":19045,"osPlatform":"Windows10","osProcesso
r":"x64","osVersion":null,"productName":"windows_10","productVendor":"microsoft","productVersion":"10.0.19045.5011","rbacGroupId":0,"rbacGroupName":null,"riskScore":"None","severity":"High","version":"22H2","vmMetadata":null},"cveSupportability":"Supported","cvssV3":7.8,"cvssVector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C","description":"Summary: An improper input validation vulnerability exists in the Windows DWM Core Library, which could allow an authorized attacker to locally elevate their privileges. Impact: Successful exploitation of this vulnerability could result in unauthorized privilege escalation, potentially compromising system integrity. Remediation: Apply the latest patches and updates provided by the respective vendors. [Generated by AI]","epss":0.00073,"exploitInKit":false,"exploitTypes":["PrivilegeEscalation"],"exploitUris":[],"exploitVerified":false,"exposedMachines":7,"firstDetected":"2025-04-08T18:00:48Z","id":"CVE-2025-24062","name":"CVE-2025-24062","patchFirstAvailable":null,"publicExploit":false,"publishedOn":"2025-04-08T07:00:00Z","severity":"High","tags":["test"],"updatedOn":"2025-04-09T20:03:01.577Z"} -{"affectedMachine":null,"id":"CVE-2025-47828","name":"CVE-2025-47828","description":"Summary: The Lumi H5P-Nodejs-library versions prior to 2025-04-05 are vulnerable to cross-site scripting (XSS) due to the omission of a sanitizeHtml call for plain text strings. This flaw allows remote attackers to execute arbitrary scripts in a victims browser by leveraging specially crafted URLs. Impact: Exploitation of this vulnerability could lead to unauthorized access to sensitive information, such as cookie-based authentication credentials, and compromise the security context of the hosting website. AdditionalInformation: Ensure awareness of the affected versions and the nature of the vulnerability for proper risk assessment. Remediation: Upgrade to @Lumieducation/H5p-Server @Lumieducation/H5p-Server version later than 2024-04-05. 
[Generated by AI]","severity":"Medium","cvssV3":6.4,"cvssVector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C","exposedMachines":0,"publishedOn":"2025-05-11T00:00:00Z","updatedOn":"2025-05-12T20:50:07Z","firstDetected":null,"patchFirstAvailable":null,"publicExploit":false,"exploitVerified":false,"exploitInKit":false,"exploitTypes":[],"exploitUris":[],"cveSupportability":"NotSupported","tags":[],"epss":0.00029} -{"affectedMachine":{"aadDeviceId":"d78dc223-8dc8-4210-9700-019b3b03505b","agentVersion":"10.8792.19045.5737","computerDnsName":"c-lab-08","cveId":"TVM-2020-0002","deviceValue":"Normal","exclusionReason":null,"exposureLevel":"Low","firstSeen":"2024-11-05T11:54:59.5717001Z","fixingKbId":null,"healthStatus":"Active","id":"0e23b8b23f6dc0e9d84846f877b45d19c04a522d-_-TVM-2020-0002-_-vmware-_-tools-_-12.0.6.0-_-","ipAddresses":[{"ipAddress":"216.160.83.56","macAddress":"00505683B880","operationalStatus":"Up","type":"Ethernet"}],"isAadJoined":true,"isExcluded":false,"isPotentialDuplication":false,"lastExternalIpAddress":"67.43.156.0","lastIpAddress":"89.160.20.128","lastSeen":"2025-04-22T05:48:04.7550736Z","machineId":"0e23b8b23f6dc0e9d84846f877b45d19c04a522d","machineTags":["test tag 1"],"managedBy":"Intune","managedByStatus":"Unknown","mergedIntoMachineId":null,"onboardingStatus":"Onboarded","osArchitecture":"64-bit","osBuild":19045,"osPlatform":"Windows10","osProcessor":"x64","osVersion":null,"productName":"tools","productVendor":"vmware","productVersion":"12.0.6.0","rbacGroupId":0,"rbacGroupName":null,"riskScore":"None","severity":"High","version":"22H2","vmMetadata":null},"cveSupportability":"Supported","cvssV3":7,"cvssVector":"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C","description":"Summary: VMware Tools and Open Virtual Machine Tools are vulnerable to a local privilege escalation vulnerability. 
An attacker with local non-administrative access to the Guest OS can exploit this vulnerability to escalate privileges as a root user in the virtual machine. Impact: If exploited, this vulnerability could allow a malicious actor to gain elevated privileges on the system, potentially leading to unauthorized access, data theft, or further compromise of the virtual machine. AdditionalInformation: TVM-2020-0002 is associated with this vulnerability. It is recommended to refer to the CVE page for more details, including the impact, CVSS score, and acknowledgments. Remediation: Apply the latest patches and updates provided by the respective vendors. [Generated by AI]","epss":0.00053,"exploitInKit":false,"exploitTypes":["PrivilegeEscalation"],"exploitUris":[],"exploitVerified":false,"exposedMachines":12,"firstDetected":"2025-01-01T08:22:58Z","id":"TVM-2020-0002","name":"TVM-2020-0002","patchFirstAvailable":null,"publicExploit":false,"publishedOn":"2022-08-23T00:00:00Z","severity":"High","tags":[],"updatedOn":"2024-12-10T00:00:00Z"} -{"affectedMachine":{"aadDeviceId":"d78dc223-8dc8-4210-9700-019b3b03505b","agentVersion":"10.8792.19045.5737","computerDnsName":"c-lab-08","cveId":"TVM-2020-0002","deviceValue":"Normal","exclusionReason":null,"exposureLevel":"Low","firstSeen":"2024-11-05T11:54:59.5717001Z","fixingKbId":null,"healthStatus":"Active","id":"0e23b8b23f6dc0e9d84846f877b45d19c04a522d-_-TVM-2020-0002-_-vmware-_-tools-_-12.0.6.0-_-","ipAddresses":[{"ipAddress":"","macAddress":"00505683B880","operationalStatus":"Up","type":"Ethernet"}],"isAadJoined":true,"isExcluded":false,"isPotentialDuplication":false,"lastExternalIpAddress":"67.43.156.0","lastIpAddress":"89.160.20.128","lastSeen":"2025-04-22T05:48:04.7550736Z","machineId":"0e23b8b23f6dc0e9d84846f877b45d19c04a522d","machineTags":["test tag 
1"],"managedBy":"Intune","managedByStatus":"Unknown","mergedIntoMachineId":null,"onboardingStatus":"Onboarded","osArchitecture":"64-bit","osBuild":19045,"osPlatform":"Windows10","osProcessor":"x64","osVersion":null,"productName":"tools","productVendor":"vmware","productVersion":"12.0.6.0","rbacGroupId":0,"rbacGroupName":null,"riskScore":"None","severity":"High","version":"22H2","vmMetadata":null},"cveSupportability":"Supported","cvssV3":7,"cvssVector":"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C","description":"Summary: VMware Tools and Open Virtual Machine Tools are vulnerable to a local privilege escalation vulnerability. An attacker with local non-administrative access to the Guest OS can exploit this vulnerability to escalate privileges as a root user in the virtual machine. Impact: If exploited, this vulnerability could allow a malicious actor to gain elevated privileges on the system, potentially leading to unauthorized access, data theft, or further compromise of the virtual machine. AdditionalInformation: TVM-2020-0002 is associated with this vulnerability. It is recommended to refer to the CVE page for more details, including the impact, CVSS score, and acknowledgments. Remediation: Apply the latest patches and updates provided by the respective vendors. 
[Generated by AI]","epss":0.00053,"exploitInKit":false,"exploitTypes":["PrivilegeEscalation"],"exploitUris":[],"exploitVerified":false,"exposedMachines":12,"firstDetected":"2025-01-01T08:22:58Z","id":"TVM-2020-0002","name":"TVM-2020-0002","patchFirstAvailable":null,"publicExploit":false,"publishedOn":"2022-08-23T00:00:00Z","severity":"High","tags":[],"updatedOn":"2024-12-10T00:00:00Z"} -{"affectedMachine":{"aadDeviceId":"d78dc223-8dc8-4210-9700-019b3b03505b","agentVersion":"10.8792.19045.5737","computerDnsName":"c-lab-08","cveId":"TVM-2020-0002","deviceValue":"Normal","exclusionReason":null,"exposureLevel":"Low","firstSeen":"2024-11-05T11:54:59.5717001Z","fixingKbId":null,"healthStatus":"Active","id":"0e23b8b23f6dc0e9d84846f877b45d19c04a522d-_-TVM-2020-0002-_-vmware-_-tools-_-12.0.6.0-_-","ipAddresses":[{"ipAddress":"216.160.83.56","macAddress":"00505683B880","operationalStatus":"Up","type":"Ethernet"}],"isAadJoined":true,"isExcluded":false,"isPotentialDuplication":false,"lastExternalIpAddress":"67.43.156.0","lastIpAddress":"89.160.20.128","lastSeen":"2025-04-22T05:48:04.7550736Z","machineId":"0e23b8b23f6dc0e9d84846f877b45d19c04a522d","machineTags":["test tag 1"],"managedBy":"Intune","managedByStatus":"Unknown","mergedIntoMachineId":null,"onboardingStatus":"Onboarded","osArchitecture":"64-bit","osBuild":19045,"osPlatform":"Windows10","osProcessor":"x64","osVersion":null,"productName":"tools","productVendor":"vmware","productVersion":"12.0.6.0","rbacGroupId":0,"rbacGroupName":null,"riskScore":"None","severity":"High","version":"22H2","vmMetadata":{"cloudProvider":"Azure","resourceId":"/subscriptions/e1685f98-517c-4ffe-b7d5-d6cb9d563ec2/resourceGroups/R15_Sentinel/providers/Microsoft.HybridCompute/machines/C-Lab-10","subscriptionId":"e1685f98-517c-4ffe-b7d5-d6cb9d563ec2","vmId":"ecdc774f-45b4-4e33-97c8-f777e134131a"}},"cveSupportability":"Supported","cvssV3":7,"cvssVector":"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C","description":"Summary: VMware 
Tools and Open Virtual Machine Tools are vulnerable to a local privilege escalation vulnerability. An attacker with local non-administrative access to the Guest OS can exploit this vulnerability to escalate privileges as a root user in the virtual machine. Impact: If exploited, this vulnerability could allow a malicious actor to gain elevated privileges on the system, potentially leading to unauthorized access, data theft, or further compromise of the virtual machine. AdditionalInformation: TVM-2020-0002 is associated with this vulnerability. It is recommended to refer to the CVE page for more details, including the impact, CVSS score, and acknowledgments. Remediation: Apply the latest patches and updates provided by the respective vendors. [Generated by AI]","epss":0.00053,"exploitInKit":false,"exploitTypes":["PrivilegeEscalation"],"exploitUris":[],"exploitVerified":false,"exposedMachines":12,"firstDetected":"2025-01-01T08:22:58Z","id":"TVM-2020-0002","name":"TVM-2020-0002","patchFirstAvailable":null,"publicExploit":false,"publishedOn":"2022-08-23T00:00:00Z","severity":"High","tags":[],"updatedOn":"2024-12-10T00:00:00Z"} +{"CveBatchTitle":"Red_hat February 2025 Vulnerabilities","CveBatchUrl":"https://security.access.redhat.com/data/oval/v2/RHEL9/rhel-9.8-eus.oval.xml.bz2","CveId":"CVE-2022-49226","CvssScore":5.5,"DeviceId":"1212121212121212121212","DeviceName":"sample-host-1","ExploitabilityLevel":"NoExploit","FirstSeenTimestamp":"2025-10-06 10:43:58","Id":"1212121212121212121212_red_hat_kernel_0:5.14.0-427.42.1.el9_4_CVE-2022-49226","IsOnboarded":true,"LastSeenTimestamp":"2025-10-06 
22:45:00","OSArchitecture":"x64","OSPlatform":"Linux","OSVersion":"enterprise_linux_9.4","RbacGroupId":0,"RbacGroupName":"Unassigned","RecommendationReference":"va-_-red_hat-_-kernel","RecommendedSecurityUpdate":"CVE-2022-49226_oval:com.redhat.rhsa:def:20249315","RecommendedSecurityUpdateId":"RHSA-2024:9315","RecommendedSecurityUpdateUrl":"https://access.redhat.com/errata/RHSA-2024:9315","RegistryPaths":[],"SecurityUpdateAvailable":true,"SoftwareName":"kernel","SoftwareVendor":"red_hat","SoftwareVersion":"0:5.14.0-427.42.1.el9_4","VulnerabilitySeverityLevel":"Medium"} +{"CveBatchTitle":"Ubuntu January 2025 Vulnerabilities","CveBatchUrl":"https://security-metadata.canonical.com/oval/com.ubuntu.jammy.usn.oval.xml.bz2","CveId":"CVE-2024-43097","CvssScore":7.8,"DeviceId":"11111111111111111","DeviceName":"sample-host-2","ExploitabilityLevel":"NoExploit","FirstSeenTimestamp":"2025-10-06 10:41:29","Id":"11111111111111111_ubuntu_thunderbird-gnome-support_for_linux_1:115.18.0+build1-0ubuntu0.22.04.1_CVE-2024-43097","IsOnboarded":true,"LastSeenTimestamp":"2025-10-06 22:41:42","OSArchitecture":"x64","OSPlatform":"Linux","OSVersion":"ubuntu_linux_22.04","RbacGroupId":0,"RbacGroupName":"Unassigned","RecommendationReference":"va-_-ubuntu-_-thunderbird-gnome-support_for_linux","RecommendedSecurityUpdate":"CVE-2024-43097_oval:com.ubuntu.jammy:def:76631000000","RecommendedSecurityUpdateId":"USN-7663-1","RecommendedSecurityUpdateUrl":"https://ubuntu.com/security/notices/USN-7663-1","SecurityUpdateAvailable":true,"SoftwareName":"thunderbird-gnome-support_for_linux","SoftwareVendor":"ubuntu","SoftwareVersion":"1:115.18.0+build1-0ubuntu0.22.04.1","VulnerabilitySeverityLevel":"High"} +{"CveBatchTitle":"Microsoft September 2025 Security 
Updates","CveBatchUrl":"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2025-49734","CveId":"CVE-2025-49734","CvssScore":7,"DeviceId":"aaasasasasasa","DeviceName":"host-3","ExploitabilityLevel":"NoExploit","FirstSeenTimestamp":"2025-09-09 17:30:58","Id":"aaasasasasasa_microsoft_windows_10_10.0.19045.6093_CVE-2025-49734","IsOnboarded":true,"LastSeenTimestamp":"2025-10-07 00:08:23","OSArchitecture":"x64","OSPlatform":"Windows10","OSVersion":"10.0.19045.6093","RbacGroupId":0,"RbacGroupName":"Unassigned","RecommendationReference":"va-_-microsoft-_-windows_10","RecommendedSecurityUpdate":"September 2025 Security Updates","RecommendedSecurityUpdateId":"5065429","RecommendedSecurityUpdateUrl":"https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5065429","SecurityUpdateAvailable":true,"SoftwareName":"windows_10","SoftwareVendor":"microsoft","SoftwareVersion":"10.0.19045.6093","VulnerabilitySeverityLevel":"High"} +{"CveBatchTitle":"Vmware August 2022 Vulnerabilities","CveBatchUrl":"https://www.vmware.com/security/advisories/VMSA-2022-0024.1.html","CveId":"CVE-2022-31676","CvssScore":7,"DeviceId":"bbbbbbbbbbbbbb","DeviceName":"host-4","DiskPaths":["C:\\Program Files\\VMware\\VMware Tools\\VMware VGAuth\\VMwareAliasImport.exe"],"ExploitabilityLevel":"NoExploit","FirstSeenTimestamp":"2025-08-02 15:09:51","Id":"bbbbbbbbbbbbbb_vmware_tools_12.0.6.0_CVE-2022-31676","IsOnboarded":true,"LastSeenTimestamp":"2025-10-06 19:49:51","OSArchitecture":"x64","OSPlatform":"Windows10","OSVersion":"10.0.19045.6332","RbacGroupId":0,"RbacGroupName":"Unassigned","RecommendationReference":"va-_-vmware-_-tools","RecommendedSecurityUpdate":"VMware Tools update addresses a local privilege escalation vulnerability (CVE-2022-31676)","RegistryPaths":[],"SecurityUpdateAvailable":true,"SoftwareName":"tools","SoftwareVendor":"vmware","SoftwareVersion":"12.0.6.0","VulnerabilitySeverityLevel":"High"} 
diff --git a/packages/m365_defender/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log-expected.json b/packages/m365_defender/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log-expected.json index f77472f9bb8..5841274b5d2 100644 --- a/packages/m365_defender/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log-expected.json +++ b/packages/m365_defender/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log-expected.json 
@@ -8,162 +8,93 @@ "category": [ "vulnerability" ], - "id": "86c0491db8ff7e8dcad520288b7759fa27793ce1-_-CVE-2024-11168-_-red_hat-_-python-unversioned-command_for_linux-_-0:3.9.18-3.el9_4.6-_-", + "id": "1212121212121212121212_red_hat_kernel_0:5.14.0-427.42.1.el9_4_CVE-2022-49226", "kind": "event", - "original": "{\"affectedMachine\":{\"id\":\"86c0491db8ff7e8dcad520288b7759fa27793ce1-_-CVE-2024-11168-_-red_hat-_-python-unversioned-command_for_linux-_-0:3.9.18-3.el9_4.6-_-\",\"cveId\":\"CVE-2024-11168\",\"machineId\":\"86c0491db8ff7e8dcad520288b7759fa27793ce1\",\"fixingKbId\":null,\"productName\":\"python-unversioned-command_for_linux\",\"productVendor\":\"red_hat\",\"productVersion\":\"0:3.9.18-3.el9_4.6\",\"severity\":\"Medium\",\"mergedIntoMachineId\":null,\"isPotentialDuplication\":false,\"isExcluded\":false,\"exclusionReason\":null,\"computerDnsName\":\"C-Lab-33\",\"firstSeen\":\"2024-11-06T09:57:53.476232Z\",\"lastSeen\":\"2025-05-12T04:13:23.7778534Z\",\"osPlatform\":\"RedHatEnterpriseLinux\",\"osVersion\":null,\"osProcessor\":\"x64\",\"version\":\"9.4\",\"lastIpAddress\":\"89.160.20.112\",\"lastExternalIpAddress\":\"175.16.199.0\",\"agentVersion\":\"30.124082.4.0\",\"osBuild\":null,\"healthStatus\":\"Active\",\"deviceValue\":\"Normal\",\"rbacGroupId\":0,\"rbacGroupName\":null,\"riskScore\":\"High\",\"exposureLevel\":\"High\",\"isAadJoined\":false,\"aadDeviceId\":null,\"machineTags\":[\"C-Lab-Linux\"],\"onboardingStatus\":\"Onboarded\",\"osArchitecture\":\"64-bit\",\"managedBy\":\"MicrosoftDefenderForEndpoint\",\"managedByStatus\":\"Success\",\"ipAddresses\":[{\"ipAddress\":\"89.160.20.112\",\"macAddress\":\"00505681A42F\",\"type\":\"Other\",\"operationalStatus\":\"Up\"},{\"ipAddress\":\"67.43.156.0\",\"macAddress\":\"000000000000\",\"type\":\"Other\",\"operationalStatus\":\"Up\"}],\"vmMetadata\":null},\"id\":\"CVE-2024-11168\",\"name\":\"CVE-2024-11168\",\"description\":\"Summary: Pythons CPython implementation contains a vulnerability (CVE-2024-11168) in the 
urllib.parse.urlsplit() and urlparse() functions, where bracketed hosts (`[]`) are improperly validated. This issue allows non-IPv6 or non-IPvFuture hosts, violating RFC 3986 standards. If a URL is processed by multiple parsers, this flaw could enable Server-Side Request Forgery (SSRF) attacks. Impact: Exploitation of this vulnerability could allow attackers to conduct SSRF attacks, potentially leading to unauthorized access to internal systems or sensitive data. AdditionalInformation: This vulnerability affects Python versions prior to 3.9.19-7. It is recommended to review the CVE page for further technical details and associated CVSS scores. Remediation: Upgrade to Python version 3.9.21 or later. [Generated by AI]\",\"severity\":\"Medium\",\"cvssV3\":6.3,\"cvssVector\":\"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:X/V:X/RE:X/U:X\",\"exposedMachines\":2,\"publishedOn\":\"2023-04-25T16:00:00Z\",\"updatedOn\":\"2025-04-11T22:15:28.96Z\",\"firstDetected\":\"2025-05-02T05:36:57Z\",\"patchFirstAvailable\":null,\"publicExploit\":false,\"exploitVerified\":false,\"exploitInKit\":false,\"exploitTypes\":[\"Remote\"],\"exploitUris\":[],\"cveSupportability\":\"Supported\",\"tags\":[],\"epss\":0.00154}", + "original": "{\"CveBatchTitle\":\"Red_hat February 2025 Vulnerabilities\",\"CveBatchUrl\":\"https://security.access.redhat.com/data/oval/v2/RHEL9/rhel-9.8-eus.oval.xml.bz2\",\"CveId\":\"CVE-2022-49226\",\"CvssScore\":5.5,\"DeviceId\":\"1212121212121212121212\",\"DeviceName\":\"sample-host-1\",\"ExploitabilityLevel\":\"NoExploit\",\"FirstSeenTimestamp\":\"2025-10-06 10:43:58\",\"Id\":\"1212121212121212121212_red_hat_kernel_0:5.14.0-427.42.1.el9_4_CVE-2022-49226\",\"IsOnboarded\":true,\"LastSeenTimestamp\":\"2025-10-06 
22:45:00\",\"OSArchitecture\":\"x64\",\"OSPlatform\":\"Linux\",\"OSVersion\":\"enterprise_linux_9.4\",\"RbacGroupId\":0,\"RbacGroupName\":\"Unassigned\",\"RecommendationReference\":\"va-_-red_hat-_-kernel\",\"RecommendedSecurityUpdate\":\"CVE-2022-49226_oval:com.redhat.rhsa:def:20249315\",\"RecommendedSecurityUpdateId\":\"RHSA-2024:9315\",\"RecommendedSecurityUpdateUrl\":\"https://access.redhat.com/errata/RHSA-2024:9315\",\"RegistryPaths\":[],\"SecurityUpdateAvailable\":true,\"SoftwareName\":\"kernel\",\"SoftwareVendor\":\"red_hat\",\"SoftwareVersion\":\"0:5.14.0-427.42.1.el9_4\",\"VulnerabilitySeverityLevel\":\"Medium\"}", "type": [ "info" ] }, "group": { - "id": "0" + "id": "0", + "name": "Unassigned" }, "host": { "architecture": "x64", - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "hostname": "C-Lab-33", - "id": "86c0491db8ff7e8dcad520288b7759fa27793ce1", - "ip": [ - "175.16.199.0" - ], - "name": "C-Lab-33", + "hostname": "sample-host-1", + "id": "1212121212121212121212", + "name": "sample-host-1", "os": { - "name": "RedHatEnterpriseLinux 9.4", - "platform": "RedHatEnterpriseLinux", + "name": "Linux enterprise_linux_9.4", + "platform": "Linux", "type": "linux", - "version": "9.4" - }, - "risk": { - "calculated_level": "High" + "version": "enterprise_linux_9.4" } }, "m365_defender": { "vulnerability": { - "affected_machine": { - "agent_version": "30.124082.4.0", - "computer_dns_name": "C-Lab-33", - "device_value": "Normal", - "exposure_level": "High", - "first_seen": "2024-11-06T09:57:53.476Z", - "health_status": "Active", - "id": "86c0491db8ff7e8dcad520288b7759fa27793ce1-_-CVE-2024-11168-_-red_hat-_-python-unversioned-command_for_linux-_-0:3.9.18-3.el9_4.6-_-", - "ip_addresses": [ - { - "ip_address": "89.160.20.112", - "mac_address": "00-50-56-81-A4-2F", - 
"operational_status": "Up", - "type": "Other" - }, - { - "ip_address": "67.43.156.0", - "mac_address": "00-00-00-00-00-00", - "operational_status": "Up", - "type": "Other" - } - ], - "is_aad_joined": false, - "is_excluded": false, - "is_potential_duplication": false, - "last_external_ip_address": "175.16.199.0", - "last_ip_address": "89.160.20.112", - "last_seen": "2025-05-12T04:13:23.777Z", - "machine_id": "86c0491db8ff7e8dcad520288b7759fa27793ce1", - "machine_tags": [ - "C-Lab-Linux" - ], - "managed_by": "MicrosoftDefenderForEndpoint", - "managed_by_status": "Success", - "onboarding_status": "Onboarded", - "os_architecture": "64-bit", - "os_platform": "RedHatEnterpriseLinux", - "os_processor": "x64", - "product_name": "python-unversioned-command_for_linux", - "product_vendor": "red_hat", - "product_version": "0:3.9.18-3.el9_4.6", - "rbac_group_id": "0", - "risk_score": "High", - "severity": "Medium", - "version": "9.4" - }, - "cve_supportability": "Supported", - "cvss_v3": 6.3, - "cvss_vector": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:X/V:X/RE:X/U:X", - "description": "Summary: Pythons CPython implementation contains a vulnerability (CVE-2024-11168) in the urllib.parse.urlsplit() and urlparse() functions, where bracketed hosts (`[]`) are improperly validated. This issue allows non-IPv6 or non-IPvFuture hosts, violating RFC 3986 standards. If a URL is processed by multiple parsers, this flaw could enable Server-Side Request Forgery (SSRF) attacks. Impact: Exploitation of this vulnerability could allow attackers to conduct SSRF attacks, potentially leading to unauthorized access to internal systems or sensitive data. AdditionalInformation: This vulnerability affects Python versions prior to 3.9.19-7. It is recommended to review the CVE page for further technical details and associated CVSS scores. 
Remediation: Upgrade to Python version 3.9.21 or later. [Generated by AI]", - "epss": 0.00154, - "exploit_in_kit": false, - "exploit_types": [ - "Remote" - ], - "exploit_verified": false, - "exposed_machines": 2, - "first_detected": "2025-05-02T05:36:57.000Z", - "id": "CVE-2024-11168", - "impact": "Exploitation of this vulnerability could allow attackers to conduct SSRF attacks, potentially leading to unauthorized access to internal systems or sensitive data.", - "name": "CVE-2024-11168", - "public_exploit": false, - "published_on": "2023-04-25T16:00:00.000Z", - "remediation": "Upgrade to Python version 3.9.21 or later.", - "severity": "Medium", - "summary": "Pythons CPython implementation contains a vulnerability (CVE-2024-11168) in the urllib.parse.urlsplit() and urlparse() functions, where bracketed hosts (`[]`) are improperly validated. This issue allows non-IPv6 or non-IPvFuture hosts, violating RFC 3986 standards. If a URL is processed by multiple parsers, this flaw could enable Server-Side Request Forgery (SSRF) attacks.", - "updated_on": "2025-04-11T22:15:28.960Z" + "cve_batch_title": "Red_hat February 2025 Vulnerabilities", + "cve_batch_url": "https://security.access.redhat.com/data/oval/v2/RHEL9/rhel-9.8-eus.oval.xml.bz2", + "cve_id": "CVE-2022-49226", + "cvss_score": 5.5, + "device_id": "1212121212121212121212", + "device_name": "sample-host-1", + "exploitability_level": "NoExploit", + "first_seen_timestamp": "2025-10-06T10:43:58.000Z", + "id": "1212121212121212121212_red_hat_kernel_0:5.14.0-427.42.1.el9_4_CVE-2022-49226", + "is_onboarded": true, + "last_seen_timestamp": "2025-10-06T22:45:00.000Z", + "os_architecture": "x64", + "os_platform": "Linux", + "os_version": "enterprise_linux_9.4", + "rbac_group_id": "0", + "rbac_group_name": "Unassigned", + "recommendation_reference": "va-_-red_hat-_-kernel", + "recommended_security_update": "CVE-2022-49226_oval:com.redhat.rhsa:def:20249315", + "recommended_security_update_id": "RHSA-2024:9315", + 
"security_update_available": true, + "severity_level": "Medium", + "software_name": "kernel", + "software_vendor": "red_hat", + "software_version": "0:5.14.0-427.42.1.el9_4" } }, - "message": "Summary: Pythons CPython implementation contains a vulnerability (CVE-2024-11168) in the urllib.parse.urlsplit() and urlparse() functions, where bracketed hosts (`[]`) are improperly validated. This issue allows non-IPv6 or non-IPvFuture hosts, violating RFC 3986 standards. If a URL is processed by multiple parsers, this flaw could enable Server-Side Request Forgery (SSRF) attacks. Impact: Exploitation of this vulnerability could allow attackers to conduct SSRF attacks, potentially leading to unauthorized access to internal systems or sensitive data. AdditionalInformation: This vulnerability affects Python versions prior to 3.9.19-7. It is recommended to review the CVE page for further technical details and associated CVSS scores. Remediation: Upgrade to Python version 3.9.21 or later. [Generated by AI]", + "message": "Red_hat February 2025 Vulnerabilities", "observer": { "product": "Microsoft 365 Defender", "vendor": "Microsoft" }, "package": { - "fixed_version": "3.9.21", - "name": "python-unversioned-command_for_linux", - "version": "0:3.9.18-3.el9_4.6" + "name": "kernel", + "version": "0:5.14.0-427.42.1.el9_4" }, "related": { "hosts": [ - "C-Lab-33", - "86c0491db8ff7e8dcad520288b7759fa27793ce1" - ], - "ip": [ - "89.160.20.112", - "67.43.156.0", - "175.16.199.0" + "1212121212121212121212", + "sample-host-1" ] }, "resource": { - "id": "86c0491db8ff7e8dcad520288b7759fa27793ce1", - "name": "C-Lab-33" + "id": "1212121212121212121212", + "name": "sample-host-1" }, "tags": [ "preserve_duplicate_custom_fields" ], "vulnerability": { "classification": "CVSS", - "cve": "CVE-2024-11168", - "description": "Summary: Pythons CPython implementation contains a vulnerability (CVE-2024-11168) in the urllib.parse.urlsplit() and urlparse() functions, where bracketed hosts (`[]`) are 
improperly validated. This issue allows non-IPv6 or non-IPvFuture hosts, violating RFC 3986 standards. If a URL is processed by multiple parsers, this flaw could enable Server-Side Request Forgery (SSRF) attacks. Impact: Exploitation of this vulnerability could allow attackers to conduct SSRF attacks, potentially leading to unauthorized access to internal systems or sensitive data. AdditionalInformation: This vulnerability affects Python versions prior to 3.9.19-7. It is recommended to review the CVE page for further technical details and associated CVSS scores. Remediation: Upgrade to Python version 3.9.21 or later. [Generated by AI]", + "cve": "CVE-2022-49226", "enumeration": "CVE", - "id": "CVE-2024-11168", - "published_date": "2023-04-25T16:00:00.000Z", - "reference": "https://www.cve.org/CVERecord?id=CVE-2024-11168", + "id": "CVE-2022-49226", + "reference": "https://www.cve.org/CVERecord?id=CVE-2022-49226", "scanner": { "vendor": "Microsoft" }, "score": { - "base": 6.3, - "version": "4.0" + "base": 5.5 }, "severity": "Medium", - "title": "Vulnerability found in python-unversioned-command_for_linux 0:3.9.18-3.el9_4.6 - CVE-2024-11168" + "title": "Vulnerability found in kernel 0:5.14.0-427.42.1.el9_4 - CVE-2022-49226" } }, { 
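Review bot: The new expected document for CVE-2022-49226 carries no field for `RecommendedSecurityUpdateUrl`, even though `event.original` contains it (`https://access.redhat.com/errata/RHSA-2024:9315`) and its siblings `recommended_security_update` and `recommended_security_update_id` survive under `m365_defender.vulnerability`; with the `preserve_duplicate_custom_fields` tag set, the URL would be expected as `m365_defender.vulnerability.recommended_security_update_url` unless the pipeline drops it deliberately. The errata URL is the value an analyst acts on, so if this is an omission the fix belongs in the ingest pipeline (not visible here), with the expected line `"recommended_security_update_url": "https://access.redhat.com/errata/RHSA-2024:9315",` added right after `recommended_security_update_id`. Separately, `vulnerability.score.version` is now absent while `vulnerability.classification` stays `CVSS`; with only a bare numeric `CvssScore` in the export that is probably unavoidable, but worth confirming rather than letting the old vector-derived value silently disappear. The enclosing JSON object starts before this hunk.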
@@ -174,395 +105,93 @@ "category": [ "vulnerability" ], - "id": "fd43e5b3ba69b8ecffb165017d9c8687f24e246a-_-CVE-2025-24062-_-microsoft-_-windows_10-_-10.0.19045.5011-_-5055518", + "id": "11111111111111111_ubuntu_thunderbird-gnome-support_for_linux_1:115.18.0+build1-0ubuntu0.22.04.1_CVE-2024-43097", "kind": "event", - "original": "{\"affectedMachine\":{\"aadDeviceId\":\"79dc383d-1ba1-4ac9-9dca-792e881a5034\",\"agentVersion\":\"10.8760.19045.5011\",\"computerDnsName\":\"c-lab-14\",\"cveId\":\"CVE-2025-24062\",\"deviceValue\":\"Normal\",\"exclusionReason\":null,\"exposureLevel\":\"High\",\"firstSeen\":\"2024-11-05T11:55:28.5899758Z\",\"fixingKbId\":\"5055518\",\"healthStatus\":\"Active\",\"id\":\"fd43e5b3ba69b8ecffb165017d9c8687f24e246a-_-CVE-2025-24062-_-microsoft-_-windows_10-_-10.0.19045.5011-_-5055518\",\"ipAddresses\":[{\"ipAddress\":\"1.128.0.0\",\"macAddress\":\"00505683B889\",\"operationalStatus\":\"Up\",\"type\":\"Ethernet\"},{\"ipAddress\":\"2a02:cf40::\",\"macAddress\":\"00505683B889\",\"operationalStatus\":\"Up\",\"type\":\"Ethernet\"},{\"ipAddress\":\"81.2.69.192\",\"macAddress\":null,\"operationalStatus\":\"Up\",\"type\":\"SoftwareLoopback\"}],\"isAadJoined\":true,\"isExcluded\":false,\"isPotentialDuplication\":false,\"lastExternalIpAddress\":\"89.160.20.112\",\"lastIpAddress\":\"175.16.199.0\",\"lastSeen\":\"2025-04-21T08:24:41.3833512Z\",\"machineId\":\"fd43e5b3ba69b8ecffb165017d9c8687f24e246a\",\"machineTags\":[],\"managedBy\":\"Intune\",\"managedByStatus\":\"Unknown\",\"mergedIntoMachineId\":null,\"onboardingStatus\":\"Onboarded\",\"osArchitecture\":\"64-bit\",\"osBuild\":19045,\"osPlatform\":\"Windows10\",\"osProcessor\":\"x64\",\"osVersion\":null,\"productName\":\"windows_10\",\"productVendor\":\"microsoft\",\"productVersion\":\"10.0.19045.5011\",\"rbacGroupId\":0,\"rbacGroupName\":null,\"riskScore\":\"None\",\"severity\":\"High\",\"version\":\"22H2\",\"vmMetadata\":null},\"cveSupportability\":\"Supported\",\"cvssV3\":7.8,\"cvssVector\":\"CVSS:3.1/A
V:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C\",\"description\":\"Summary: An improper input validation vulnerability exists in the Windows DWM Core Library, which could allow an authorized attacker to locally elevate their privileges. Impact: Successful exploitation of this vulnerability could result in unauthorized privilege escalation, potentially compromising system integrity. Remediation: Apply the latest patches and updates provided by the respective vendors. [Generated by AI]\",\"epss\":0.00073,\"exploitInKit\":false,\"exploitTypes\":[\"PrivilegeEscalation\"],\"exploitUris\":[],\"exploitVerified\":false,\"exposedMachines\":7,\"firstDetected\":\"2025-04-08T18:00:48Z\",\"id\":\"CVE-2025-24062\",\"name\":\"CVE-2025-24062\",\"patchFirstAvailable\":null,\"publicExploit\":false,\"publishedOn\":\"2025-04-08T07:00:00Z\",\"severity\":\"High\",\"tags\":[\"test\"],\"updatedOn\":\"2025-04-09T20:03:01.577Z\"}", + "original": "{\"CveBatchTitle\":\"Ubuntu January 2025 Vulnerabilities\",\"CveBatchUrl\":\"https://security-metadata.canonical.com/oval/com.ubuntu.jammy.usn.oval.xml.bz2\",\"CveId\":\"CVE-2024-43097\",\"CvssScore\":7.8,\"DeviceId\":\"11111111111111111\",\"DeviceName\":\"sample-host-2\",\"ExploitabilityLevel\":\"NoExploit\",\"FirstSeenTimestamp\":\"2025-10-06 10:41:29\",\"Id\":\"11111111111111111_ubuntu_thunderbird-gnome-support_for_linux_1:115.18.0+build1-0ubuntu0.22.04.1_CVE-2024-43097\",\"IsOnboarded\":true,\"LastSeenTimestamp\":\"2025-10-06 
22:41:42\",\"OSArchitecture\":\"x64\",\"OSPlatform\":\"Linux\",\"OSVersion\":\"ubuntu_linux_22.04\",\"RbacGroupId\":0,\"RbacGroupName\":\"Unassigned\",\"RecommendationReference\":\"va-_-ubuntu-_-thunderbird-gnome-support_for_linux\",\"RecommendedSecurityUpdate\":\"CVE-2024-43097_oval:com.ubuntu.jammy:def:76631000000\",\"RecommendedSecurityUpdateId\":\"USN-7663-1\",\"RecommendedSecurityUpdateUrl\":\"https://ubuntu.com/security/notices/USN-7663-1\",\"SecurityUpdateAvailable\":true,\"SoftwareName\":\"thunderbird-gnome-support_for_linux\",\"SoftwareVendor\":\"ubuntu\",\"SoftwareVersion\":\"1:115.18.0+build1-0ubuntu0.22.04.1\",\"VulnerabilitySeverityLevel\":\"High\"}", "type": [ "info" ] }, "group": { - "id": "0" + "id": "0", + "name": "Unassigned" }, "host": { "architecture": "x64", - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "hostname": "c-lab-14", - "id": "fd43e5b3ba69b8ecffb165017d9c8687f24e246a", - "ip": [ - "89.160.20.112" - ], - "name": "c-lab-14", + "hostname": "sample-host-2", + "id": "11111111111111111", + "name": "sample-host-2", "os": { - "name": "Windows10 22H2", - "platform": "Windows10", - "type": "windows", - "version": "22H2" - }, - "risk": { - "calculated_level": "None" + "name": "Linux ubuntu_linux_22.04", + "platform": "Linux", + "type": "linux", + "version": "ubuntu_linux_22.04" } }, "m365_defender": { "vulnerability": { - "affected_machine": { - "aad_device_id": "79dc383d-1ba1-4ac9-9dca-792e881a5034", - "agent_version": "10.8760.19045.5011", - "computer_dns_name": "c-lab-14", - "device_value": "Normal", - "exposure_level": "High", - "first_seen": "2024-11-05T11:55:28.589Z", - "fixing_kb_id": "5055518", - "health_status": "Active", - "id": 
"fd43e5b3ba69b8ecffb165017d9c8687f24e246a-_-CVE-2025-24062-_-microsoft-_-windows_10-_-10.0.19045.5011-_-5055518", - "ip_addresses": [ - { - "ip_address": "1.128.0.0", - "mac_address": "00-50-56-83-B8-89", - "operational_status": "Up", - "type": "Ethernet" - }, - { - "ip_address": "2a02:cf40::", - "mac_address": "00-50-56-83-B8-89", - "operational_status": "Up", - "type": "Ethernet" - }, - { - "ip_address": "81.2.69.192", - "operational_status": "Up", - "type": "SoftwareLoopback" - } - ], - "is_aad_joined": true, - "is_excluded": false, - "is_potential_duplication": false, - "last_external_ip_address": "89.160.20.112", - "last_ip_address": "175.16.199.0", - "last_seen": "2025-04-21T08:24:41.383Z", - "machine_id": "fd43e5b3ba69b8ecffb165017d9c8687f24e246a", - "managed_by": "Intune", - "managed_by_status": "Unknown", - "onboarding_status": "Onboarded", - "os_architecture": "64-bit", - "os_build": 19045, - "os_platform": "Windows10", - "os_processor": "x64", - "product_name": "windows_10", - "product_vendor": "microsoft", - "product_version": "10.0.19045.5011", - "rbac_group_id": "0", - "risk_score": "None", - "severity": "High", - "version": "22H2" - }, - "cve_supportability": "Supported", - "cvss_v3": 7.8, - "cvss_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C", - "description": "Summary: An improper input validation vulnerability exists in the Windows DWM Core Library, which could allow an authorized attacker to locally elevate their privileges. Impact: Successful exploitation of this vulnerability could result in unauthorized privilege escalation, potentially compromising system integrity. Remediation: Apply the latest patches and updates provided by the respective vendors. 
[Generated by AI]", - "epss": 7.3E-4, - "exploit_in_kit": false, - "exploit_types": [ - "PrivilegeEscalation" - ], - "exploit_verified": false, - "exposed_machines": 7, - "first_detected": "2025-04-08T18:00:48.000Z", - "id": "CVE-2025-24062", - "impact": "Successful exploitation of this vulnerability could result in unauthorized privilege escalation, potentially compromising system integrity.", - "name": "CVE-2025-24062", - "public_exploit": false, - "published_on": "2025-04-08T07:00:00.000Z", - "remediation": "Apply the latest patches and updates provided by the respective vendors.", - "severity": "High", - "summary": "An improper input validation vulnerability exists in the Windows DWM Core Library, which could allow an authorized attacker to locally elevate their privileges.", - "tags": [ - "test" - ], - "updated_on": "2025-04-09T20:03:01.577Z" + "cve_batch_title": "Ubuntu January 2025 Vulnerabilities", + "cve_batch_url": "https://security-metadata.canonical.com/oval/com.ubuntu.jammy.usn.oval.xml.bz2", + "cve_id": "CVE-2024-43097", + "cvss_score": 7.8, + "device_id": "11111111111111111", + "device_name": "sample-host-2", + "exploitability_level": "NoExploit", + "first_seen_timestamp": "2025-10-06T10:41:29.000Z", + "id": "11111111111111111_ubuntu_thunderbird-gnome-support_for_linux_1:115.18.0+build1-0ubuntu0.22.04.1_CVE-2024-43097", + "is_onboarded": true, + "last_seen_timestamp": "2025-10-06T22:41:42.000Z", + "os_architecture": "x64", + "os_platform": "Linux", + "os_version": "ubuntu_linux_22.04", + "rbac_group_id": "0", + "rbac_group_name": "Unassigned", + "recommendation_reference": "va-_-ubuntu-_-thunderbird-gnome-support_for_linux", + "recommended_security_update": "CVE-2024-43097_oval:com.ubuntu.jammy:def:76631000000", + "recommended_security_update_id": "USN-7663-1", + "security_update_available": true, + "severity_level": "High", + "software_name": "thunderbird-gnome-support_for_linux", + "software_vendor": "ubuntu", + "software_version": 
"1:115.18.0+build1-0ubuntu0.22.04.1" } }, - "message": "Summary: An improper input validation vulnerability exists in the Windows DWM Core Library, which could allow an authorized attacker to locally elevate their privileges. Impact: Successful exploitation of this vulnerability could result in unauthorized privilege escalation, potentially compromising system integrity. Remediation: Apply the latest patches and updates provided by the respective vendors. [Generated by AI]", + "message": "Ubuntu January 2025 Vulnerabilities", "observer": { "product": "Microsoft 365 Defender", "vendor": "Microsoft" }, "package": { - "name": "windows_10", - "version": "10.0.19045.5011" + "name": "thunderbird-gnome-support_for_linux", + "version": "1:115.18.0+build1-0ubuntu0.22.04.1" }, "related": { "hosts": [ - "79dc383d-1ba1-4ac9-9dca-792e881a5034", - "c-lab-14", - "fd43e5b3ba69b8ecffb165017d9c8687f24e246a" - ], - "ip": [ - "1.128.0.0", - "2a02:cf40::", - "81.2.69.192", - "89.160.20.112", - "175.16.199.0" + "11111111111111111", + "sample-host-2" ] }, "resource": { - "id": "fd43e5b3ba69b8ecffb165017d9c8687f24e246a", - "name": "c-lab-14" + "id": "11111111111111111", + "name": "sample-host-2" }, "tags": [ "preserve_duplicate_custom_fields" ], "vulnerability": { "classification": "CVSS", - "cve": "CVE-2025-24062", - "description": "Summary: An improper input validation vulnerability exists in the Windows DWM Core Library, which could allow an authorized attacker to locally elevate their privileges. Impact: Successful exploitation of this vulnerability could result in unauthorized privilege escalation, potentially compromising system integrity. Remediation: Apply the latest patches and updates provided by the respective vendors. 
[Generated by AI]", + "cve": "CVE-2024-43097", "enumeration": "CVE", - "id": "CVE-2025-24062", - "published_date": "2025-04-08T07:00:00.000Z", - "reference": "https://www.cve.org/CVERecord?id=CVE-2025-24062", - "scanner": { - "vendor": "Microsoft" - }, - "score": { - "base": 7.8, - "version": "3.1" - }, - "severity": "High", - "title": "Vulnerability found in windows_10 10.0.19045.5011 - CVE-2025-24062" - } - }, - { - "ecs": { - "version": "8.17.0" - }, - "event": { - "category": [ - "vulnerability" - ], - "id": "CVE-2025-47828", - "kind": "event", - "original": "{\"affectedMachine\":null,\"id\":\"CVE-2025-47828\",\"name\":\"CVE-2025-47828\",\"description\":\"Summary: The Lumi H5P-Nodejs-library versions prior to 2025-04-05 are vulnerable to cross-site scripting (XSS) due to the omission of a sanitizeHtml call for plain text strings. This flaw allows remote attackers to execute arbitrary scripts in a victims browser by leveraging specially crafted URLs. Impact: Exploitation of this vulnerability could lead to unauthorized access to sensitive information, such as cookie-based authentication credentials, and compromise the security context of the hosting website. AdditionalInformation: Ensure awareness of the affected versions and the nature of the vulnerability for proper risk assessment. Remediation: Upgrade to @Lumieducation/H5p-Server @Lumieducation/H5p-Server version later than 2024-04-05. 
[Generated by AI]\",\"severity\":\"Medium\",\"cvssV3\":6.4,\"cvssVector\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C\",\"exposedMachines\":0,\"publishedOn\":\"2025-05-11T00:00:00Z\",\"updatedOn\":\"2025-05-12T20:50:07Z\",\"firstDetected\":null,\"patchFirstAvailable\":null,\"publicExploit\":false,\"exploitVerified\":false,\"exploitInKit\":false,\"exploitTypes\":[],\"exploitUris\":[],\"cveSupportability\":\"NotSupported\",\"tags\":[],\"epss\":0.00029}", - "type": [ - "info" - ] - }, - "m365_defender": { - "vulnerability": { - "cve_supportability": "NotSupported", - "cvss_v3": 6.4, - "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C", - "description": "Summary: The Lumi H5P-Nodejs-library versions prior to 2025-04-05 are vulnerable to cross-site scripting (XSS) due to the omission of a sanitizeHtml call for plain text strings. This flaw allows remote attackers to execute arbitrary scripts in a victims browser by leveraging specially crafted URLs. Impact: Exploitation of this vulnerability could lead to unauthorized access to sensitive information, such as cookie-based authentication credentials, and compromise the security context of the hosting website. AdditionalInformation: Ensure awareness of the affected versions and the nature of the vulnerability for proper risk assessment. Remediation: Upgrade to @Lumieducation/H5p-Server @Lumieducation/H5p-Server version later than 2024-04-05. 
[Generated by AI]", - "epss": 2.9E-4, - "exploit_in_kit": false, - "exploit_verified": false, - "exposed_machines": 0, - "id": "CVE-2025-47828", - "impact": "Exploitation of this vulnerability could lead to unauthorized access to sensitive information, such as cookie-based authentication credentials, and compromise the security context of the hosting website.", - "name": "CVE-2025-47828", - "public_exploit": false, - "published_on": "2025-05-11T00:00:00.000Z", - "remediation": "Upgrade to @Lumieducation/H5p-Server @Lumieducation/H5p-Server version later than 2024-04-05.", - "severity": "Medium", - "summary": "The Lumi H5P-Nodejs-library versions prior to 2025-04-05 are vulnerable to cross-site scripting (XSS) due to the omission of a sanitizeHtml call for plain text strings. This flaw allows remote attackers to execute arbitrary scripts in a victims browser by leveraging specially crafted URLs.", - "updated_on": "2025-05-12T20:50:07.000Z" - } - }, - "message": "Summary: The Lumi H5P-Nodejs-library versions prior to 2025-04-05 are vulnerable to cross-site scripting (XSS) due to the omission of a sanitizeHtml call for plain text strings. This flaw allows remote attackers to execute arbitrary scripts in a victims browser by leveraging specially crafted URLs. Impact: Exploitation of this vulnerability could lead to unauthorized access to sensitive information, such as cookie-based authentication credentials, and compromise the security context of the hosting website. AdditionalInformation: Ensure awareness of the affected versions and the nature of the vulnerability for proper risk assessment. Remediation: Upgrade to @Lumieducation/H5p-Server @Lumieducation/H5p-Server version later than 2024-04-05. 
[Generated by AI]", - "observer": { - "product": "Microsoft 365 Defender", - "vendor": "Microsoft" - }, - "package": { - "fixed_version": "2024-04-05" - }, - "tags": [ - "preserve_duplicate_custom_fields" - ], - "vulnerability": { - "classification": "CVSS", - "cve": "CVE-2025-47828", - "description": "Summary: The Lumi H5P-Nodejs-library versions prior to 2025-04-05 are vulnerable to cross-site scripting (XSS) due to the omission of a sanitizeHtml call for plain text strings. This flaw allows remote attackers to execute arbitrary scripts in a victims browser by leveraging specially crafted URLs. Impact: Exploitation of this vulnerability could lead to unauthorized access to sensitive information, such as cookie-based authentication credentials, and compromise the security context of the hosting website. AdditionalInformation: Ensure awareness of the affected versions and the nature of the vulnerability for proper risk assessment. Remediation: Upgrade to @Lumieducation/H5p-Server @Lumieducation/H5p-Server version later than 2024-04-05. 
[Generated by AI]", - "enumeration": "CVE", - "id": "CVE-2025-47828", - "published_date": "2025-05-11T00:00:00.000Z", - "reference": "https://www.cve.org/CVERecord?id=CVE-2025-47828", - "scanner": { - "vendor": "Microsoft" - }, - "score": { - "base": 6.4, - "version": "3.1" - }, - "severity": "Medium", - "title": "Vulnerability found - CVE-2025-47828" - } - }, - { - "ecs": { - "version": "8.17.0" - }, - "event": { - "category": [ - "vulnerability" - ], - "id": "0e23b8b23f6dc0e9d84846f877b45d19c04a522d-_-TVM-2020-0002-_-vmware-_-tools-_-12.0.6.0-_-", - "kind": "event", - "original": "{\"affectedMachine\":{\"aadDeviceId\":\"d78dc223-8dc8-4210-9700-019b3b03505b\",\"agentVersion\":\"10.8792.19045.5737\",\"computerDnsName\":\"c-lab-08\",\"cveId\":\"TVM-2020-0002\",\"deviceValue\":\"Normal\",\"exclusionReason\":null,\"exposureLevel\":\"Low\",\"firstSeen\":\"2024-11-05T11:54:59.5717001Z\",\"fixingKbId\":null,\"healthStatus\":\"Active\",\"id\":\"0e23b8b23f6dc0e9d84846f877b45d19c04a522d-_-TVM-2020-0002-_-vmware-_-tools-_-12.0.6.0-_-\",\"ipAddresses\":[{\"ipAddress\":\"216.160.83.56\",\"macAddress\":\"00505683B880\",\"operationalStatus\":\"Up\",\"type\":\"Ethernet\"}],\"isAadJoined\":true,\"isExcluded\":false,\"isPotentialDuplication\":false,\"lastExternalIpAddress\":\"67.43.156.0\",\"lastIpAddress\":\"89.160.20.128\",\"lastSeen\":\"2025-04-22T05:48:04.7550736Z\",\"machineId\":\"0e23b8b23f6dc0e9d84846f877b45d19c04a522d\",\"machineTags\":[\"test tag 
1\"],\"managedBy\":\"Intune\",\"managedByStatus\":\"Unknown\",\"mergedIntoMachineId\":null,\"onboardingStatus\":\"Onboarded\",\"osArchitecture\":\"64-bit\",\"osBuild\":19045,\"osPlatform\":\"Windows10\",\"osProcessor\":\"x64\",\"osVersion\":null,\"productName\":\"tools\",\"productVendor\":\"vmware\",\"productVersion\":\"12.0.6.0\",\"rbacGroupId\":0,\"rbacGroupName\":null,\"riskScore\":\"None\",\"severity\":\"High\",\"version\":\"22H2\",\"vmMetadata\":null},\"cveSupportability\":\"Supported\",\"cvssV3\":7,\"cvssVector\":\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C\",\"description\":\"Summary: VMware Tools and Open Virtual Machine Tools are vulnerable to a local privilege escalation vulnerability. An attacker with local non-administrative access to the Guest OS can exploit this vulnerability to escalate privileges as a root user in the virtual machine. Impact: If exploited, this vulnerability could allow a malicious actor to gain elevated privileges on the system, potentially leading to unauthorized access, data theft, or further compromise of the virtual machine. AdditionalInformation: TVM-2020-0002 is associated with this vulnerability. It is recommended to refer to the CVE page for more details, including the impact, CVSS score, and acknowledgments. Remediation: Apply the latest patches and updates provided by the respective vendors. 
[Generated by AI]\",\"epss\":0.00053,\"exploitInKit\":false,\"exploitTypes\":[\"PrivilegeEscalation\"],\"exploitUris\":[],\"exploitVerified\":false,\"exposedMachines\":12,\"firstDetected\":\"2025-01-01T08:22:58Z\",\"id\":\"TVM-2020-0002\",\"name\":\"TVM-2020-0002\",\"patchFirstAvailable\":null,\"publicExploit\":false,\"publishedOn\":\"2022-08-23T00:00:00Z\",\"severity\":\"High\",\"tags\":[],\"updatedOn\":\"2024-12-10T00:00:00Z\"}", - "type": [ - "info" - ] - }, - "group": { - "id": "0" - }, - "host": { - "architecture": "x64", - "geo": { - "continent_name": "Asia", - "country_iso_code": "BT", - "country_name": "Bhutan", - "location": { - "lat": 27.5, - "lon": 90.5 - } - }, - "hostname": "c-lab-08", - "id": "0e23b8b23f6dc0e9d84846f877b45d19c04a522d", - "ip": [ - "67.43.156.0" - ], - "name": "c-lab-08", - "os": { - "name": "Windows10 22H2", - "platform": "Windows10", - "type": "windows", - "version": "22H2" - }, - "risk": { - "calculated_level": "None" - } - }, - "m365_defender": { - "vulnerability": { - "affected_machine": { - "aad_device_id": "d78dc223-8dc8-4210-9700-019b3b03505b", - "agent_version": "10.8792.19045.5737", - "computer_dns_name": "c-lab-08", - "device_value": "Normal", - "exposure_level": "Low", - "first_seen": "2024-11-05T11:54:59.571Z", - "health_status": "Active", - "id": "0e23b8b23f6dc0e9d84846f877b45d19c04a522d-_-TVM-2020-0002-_-vmware-_-tools-_-12.0.6.0-_-", - "ip_addresses": [ - { - "ip_address": "216.160.83.56", - "mac_address": "00-50-56-83-B8-80", - "operational_status": "Up", - "type": "Ethernet" - } - ], - "is_aad_joined": true, - "is_excluded": false, - "is_potential_duplication": false, - "last_external_ip_address": "67.43.156.0", - "last_ip_address": "89.160.20.128", - "last_seen": "2025-04-22T05:48:04.755Z", - "machine_id": "0e23b8b23f6dc0e9d84846f877b45d19c04a522d", - "machine_tags": [ - "test tag 1" - ], - "managed_by": "Intune", - "managed_by_status": "Unknown", - "onboarding_status": "Onboarded", - "os_architecture": "64-bit", - 
"os_build": 19045, - "os_platform": "Windows10", - "os_processor": "x64", - "product_name": "tools", - "product_vendor": "vmware", - "product_version": "12.0.6.0", - "rbac_group_id": "0", - "risk_score": "None", - "severity": "High", - "version": "22H2" - }, - "cve_supportability": "Supported", - "cvss_v3": 7.0, - "cvss_vector": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C", - "description": "Summary: VMware Tools and Open Virtual Machine Tools are vulnerable to a local privilege escalation vulnerability. An attacker with local non-administrative access to the Guest OS can exploit this vulnerability to escalate privileges as a root user in the virtual machine. Impact: If exploited, this vulnerability could allow a malicious actor to gain elevated privileges on the system, potentially leading to unauthorized access, data theft, or further compromise of the virtual machine. AdditionalInformation: TVM-2020-0002 is associated with this vulnerability. It is recommended to refer to the CVE page for more details, including the impact, CVSS score, and acknowledgments. Remediation: Apply the latest patches and updates provided by the respective vendors. [Generated by AI]", - "epss": 5.3E-4, - "exploit_in_kit": false, - "exploit_types": [ - "PrivilegeEscalation" - ], - "exploit_verified": false, - "exposed_machines": 12, - "first_detected": "2025-01-01T08:22:58.000Z", - "id": "TVM-2020-0002", - "impact": "If exploited, this vulnerability could allow a malicious actor to gain elevated privileges on the system, potentially leading to unauthorized access, data theft, or further compromise of the virtual machine.", - "name": "TVM-2020-0002", - "public_exploit": false, - "published_on": "2022-08-23T00:00:00.000Z", - "remediation": "Apply the latest patches and updates provided by the respective vendors.", - "severity": "High", - "summary": "VMware Tools and Open Virtual Machine Tools are vulnerable to a local privilege escalation vulnerability. 
An attacker with local non-administrative access to the Guest OS can exploit this vulnerability to escalate privileges as a root user in the virtual machine.", - "updated_on": "2024-12-10T00:00:00.000Z" - } - }, - "message": "Summary: VMware Tools and Open Virtual Machine Tools are vulnerable to a local privilege escalation vulnerability. An attacker with local non-administrative access to the Guest OS can exploit this vulnerability to escalate privileges as a root user in the virtual machine. Impact: If exploited, this vulnerability could allow a malicious actor to gain elevated privileges on the system, potentially leading to unauthorized access, data theft, or further compromise of the virtual machine. AdditionalInformation: TVM-2020-0002 is associated with this vulnerability. It is recommended to refer to the CVE page for more details, including the impact, CVSS score, and acknowledgments. Remediation: Apply the latest patches and updates provided by the respective vendors. [Generated by AI]", - "observer": { - "product": "Microsoft 365 Defender", - "vendor": "Microsoft" - }, - "package": { - "name": "tools", - "version": "12.0.6.0" - }, - "related": { - "hosts": [ - "d78dc223-8dc8-4210-9700-019b3b03505b", - "c-lab-08", - "0e23b8b23f6dc0e9d84846f877b45d19c04a522d" - ], - "ip": [ - "216.160.83.56", - "67.43.156.0", - "89.160.20.128" - ] - }, - "resource": { - "id": "0e23b8b23f6dc0e9d84846f877b45d19c04a522d", - "name": "c-lab-08" - }, - "tags": [ - "preserve_duplicate_custom_fields" - ], - "vulnerability": { - "classification": "CVSS", - "description": "Summary: VMware Tools and Open Virtual Machine Tools are vulnerable to a local privilege escalation vulnerability. An attacker with local non-administrative access to the Guest OS can exploit this vulnerability to escalate privileges as a root user in the virtual machine. 
Impact: If exploited, this vulnerability could allow a malicious actor to gain elevated privileges on the system, potentially leading to unauthorized access, data theft, or further compromise of the virtual machine. AdditionalInformation: TVM-2020-0002 is associated with this vulnerability. It is recommended to refer to the CVE page for more details, including the impact, CVSS score, and acknowledgments. Remediation: Apply the latest patches and updates provided by the respective vendors. [Generated by AI]", - "enumeration": "TVM", - "id": "TVM-2020-0002", - "published_date": "2022-08-23T00:00:00.000Z", + "id": "CVE-2024-43097", + "reference": "https://www.cve.org/CVERecord?id=CVE-2024-43097", "scanner": { "vendor": "Microsoft" }, "score": { - "base": 7.0, - "version": "3.0" + "base": 7.8 }, "severity": "High", - "title": "Vulnerability found in tools 12.0.6.0 - TVM-2020-0002" + "title": "Vulnerability found in thunderbird-gnome-support_for_linux 1:115.18.0+build1-0ubuntu0.22.04.1 - CVE-2024-43097" } }, { 
@@ -573,161 +202,96 @@ "category": [ "vulnerability" ], - "id": "0e23b8b23f6dc0e9d84846f877b45d19c04a522d-_-TVM-2020-0002-_-vmware-_-tools-_-12.0.6.0-_-", + "id": "aaasasasasasa_microsoft_windows_10_10.0.19045.6093_CVE-2025-49734", "kind": "event", - "original": "{\"affectedMachine\":{\"aadDeviceId\":\"d78dc223-8dc8-4210-9700-019b3b03505b\",\"agentVersion\":\"10.8792.19045.5737\",\"computerDnsName\":\"c-lab-08\",\"cveId\":\"TVM-2020-0002\",\"deviceValue\":\"Normal\",\"exclusionReason\":null,\"exposureLevel\":\"Low\",\"firstSeen\":\"2024-11-05T11:54:59.5717001Z\",\"fixingKbId\":null,\"healthStatus\":\"Active\",\"id\":\"0e23b8b23f6dc0e9d84846f877b45d19c04a522d-_-TVM-2020-0002-_-vmware-_-tools-_-12.0.6.0-_-\",\"ipAddresses\":[{\"ipAddress\":\"\",\"macAddress\":\"00505683B880\",\"operationalStatus\":\"Up\",\"type\":\"Ethernet\"}],\"isAadJoined\":true,\"isExcluded\":false,\"isPotentialDuplication\":false,\"lastExternalIpAddress\":\"67.43.156.0\",\"lastIpAddress\":\"89.160.20.128\",\"lastSeen\":\"2025-04-22T05:48:04.7550736Z\",\"machineId\":\"0e23b8b23f6dc0e9d84846f877b45d19c04a522d\",\"machineTags\":[\"test tag 1\"],\"managedBy\":\"Intune\",\"managedByStatus\":\"Unknown\",\"mergedIntoMachineId\":null,\"onboardingStatus\":\"Onboarded\",\"osArchitecture\":\"64-bit\",\"osBuild\":19045,\"osPlatform\":\"Windows10\",\"osProcessor\":\"x64\",\"osVersion\":null,\"productName\":\"tools\",\"productVendor\":\"vmware\",\"productVersion\":\"12.0.6.0\",\"rbacGroupId\":0,\"rbacGroupName\":null,\"riskScore\":\"None\",\"severity\":\"High\",\"version\":\"22H2\",\"vmMetadata\":null},\"cveSupportability\":\"Supported\",\"cvssV3\":7,\"cvssVector\":\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C\",\"description\":\"Summary: VMware Tools and Open Virtual Machine Tools are vulnerable to a local privilege escalation vulnerability. 
An attacker with local non-administrative access to the Guest OS can exploit this vulnerability to escalate privileges as a root user in the virtual machine. Impact: If exploited, this vulnerability could allow a malicious actor to gain elevated privileges on the system, potentially leading to unauthorized access, data theft, or further compromise of the virtual machine. AdditionalInformation: TVM-2020-0002 is associated with this vulnerability. It is recommended to refer to the CVE page for more details, including the impact, CVSS score, and acknowledgments. Remediation: Apply the latest patches and updates provided by the respective vendors. [Generated by AI]\",\"epss\":0.00053,\"exploitInKit\":false,\"exploitTypes\":[\"PrivilegeEscalation\"],\"exploitUris\":[],\"exploitVerified\":false,\"exposedMachines\":12,\"firstDetected\":\"2025-01-01T08:22:58Z\",\"id\":\"TVM-2020-0002\",\"name\":\"TVM-2020-0002\",\"patchFirstAvailable\":null,\"publicExploit\":false,\"publishedOn\":\"2022-08-23T00:00:00Z\",\"severity\":\"High\",\"tags\":[],\"updatedOn\":\"2024-12-10T00:00:00Z\"}", + "original": "{\"CveBatchTitle\":\"Microsoft September 2025 Security Updates\",\"CveBatchUrl\":\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2025-49734\",\"CveId\":\"CVE-2025-49734\",\"CvssScore\":7,\"DeviceId\":\"aaasasasasasa\",\"DeviceName\":\"host-3\",\"ExploitabilityLevel\":\"NoExploit\",\"FirstSeenTimestamp\":\"2025-09-09 17:30:58\",\"Id\":\"aaasasasasasa_microsoft_windows_10_10.0.19045.6093_CVE-2025-49734\",\"IsOnboarded\":true,\"LastSeenTimestamp\":\"2025-10-07 00:08:23\",\"OSArchitecture\":\"x64\",\"OSPlatform\":\"Windows10\",\"OSVersion\":\"10.0.19045.6093\",\"RbacGroupId\":0,\"RbacGroupName\":\"Unassigned\",\"RecommendationReference\":\"va-_-microsoft-_-windows_10\",\"RecommendedSecurityUpdate\":\"September 2025 Security 
Updates\",\"RecommendedSecurityUpdateId\":\"5065429\",\"RecommendedSecurityUpdateUrl\":\"https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5065429\",\"SecurityUpdateAvailable\":true,\"SoftwareName\":\"windows_10\",\"SoftwareVendor\":\"microsoft\",\"SoftwareVersion\":\"10.0.19045.6093\",\"VulnerabilitySeverityLevel\":\"High\"}", "type": [ "info" ] }, "group": { - "id": "0" + "id": "0", + "name": "Unassigned" }, "host": { "architecture": "x64", - "geo": { - "continent_name": "Asia", - "country_iso_code": "BT", - "country_name": "Bhutan", - "location": { - "lat": 27.5, - "lon": 90.5 - } - }, - "hostname": "c-lab-08", - "id": "0e23b8b23f6dc0e9d84846f877b45d19c04a522d", - "ip": [ - "67.43.156.0" - ], - "name": "c-lab-08", + "hostname": "host-3", + "id": "aaasasasasasa", + "name": "host-3", "os": { - "name": "Windows10 22H2", + "name": "Windows10 10.0.19045.6093", "platform": "Windows10", "type": "windows", - "version": "22H2" - }, - "risk": { - "calculated_level": "None" + "version": "10.0.19045.6093" } }, "m365_defender": { "vulnerability": { - "affected_machine": { - "aad_device_id": "d78dc223-8dc8-4210-9700-019b3b03505b", - "agent_version": "10.8792.19045.5737", - "computer_dns_name": "c-lab-08", - "device_value": "Normal", - "exposure_level": "Low", - "first_seen": "2024-11-05T11:54:59.571Z", - "health_status": "Active", - "id": "0e23b8b23f6dc0e9d84846f877b45d19c04a522d-_-TVM-2020-0002-_-vmware-_-tools-_-12.0.6.0-_-", - "ip_addresses": [ - { - "mac_address": "00-50-56-83-B8-80", - "operational_status": "Up", - "type": "Ethernet" - } - ], - "is_aad_joined": true, - "is_excluded": false, - "is_potential_duplication": false, - "last_external_ip_address": "67.43.156.0", - "last_ip_address": "89.160.20.128", - "last_seen": "2025-04-22T05:48:04.755Z", - "machine_id": "0e23b8b23f6dc0e9d84846f877b45d19c04a522d", - "machine_tags": [ - "test tag 1" - ], - "managed_by": "Intune", - "managed_by_status": "Unknown", - "onboarding_status": "Onboarded", - 
"os_architecture": "64-bit", - "os_build": 19045, - "os_platform": "Windows10", - "os_processor": "x64", - "product_name": "tools", - "product_vendor": "vmware", - "product_version": "12.0.6.0", - "rbac_group_id": "0", - "risk_score": "None", - "severity": "High", - "version": "22H2" - }, - "cve_supportability": "Supported", - "cvss_v3": 7.0, - "cvss_vector": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C", - "description": "Summary: VMware Tools and Open Virtual Machine Tools are vulnerable to a local privilege escalation vulnerability. An attacker with local non-administrative access to the Guest OS can exploit this vulnerability to escalate privileges as a root user in the virtual machine. Impact: If exploited, this vulnerability could allow a malicious actor to gain elevated privileges on the system, potentially leading to unauthorized access, data theft, or further compromise of the virtual machine. AdditionalInformation: TVM-2020-0002 is associated with this vulnerability. It is recommended to refer to the CVE page for more details, including the impact, CVSS score, and acknowledgments. Remediation: Apply the latest patches and updates provided by the respective vendors. 
[Generated by AI]", - "epss": 5.3E-4, - "exploit_in_kit": false, - "exploit_types": [ - "PrivilegeEscalation" - ], - "exploit_verified": false, - "exposed_machines": 12, - "first_detected": "2025-01-01T08:22:58.000Z", - "id": "TVM-2020-0002", - "impact": "If exploited, this vulnerability could allow a malicious actor to gain elevated privileges on the system, potentially leading to unauthorized access, data theft, or further compromise of the virtual machine.", - "name": "TVM-2020-0002", - "public_exploit": false, - "published_on": "2022-08-23T00:00:00.000Z", - "remediation": "Apply the latest patches and updates provided by the respective vendors.", - "severity": "High", - "summary": "VMware Tools and Open Virtual Machine Tools are vulnerable to a local privilege escalation vulnerability. An attacker with local non-administrative access to the Guest OS can exploit this vulnerability to escalate privileges as a root user in the virtual machine.", - "updated_on": "2024-12-10T00:00:00.000Z" + "cve_batch_title": "Microsoft September 2025 Security Updates", + "cve_batch_url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2025-49734", + "cve_id": "CVE-2025-49734", + "cvss_score": 7.0, + "device_id": "aaasasasasasa", + "device_name": "host-3", + "exploitability_level": "NoExploit", + "first_seen_timestamp": "2025-09-09T17:30:58.000Z", + "id": "aaasasasasasa_microsoft_windows_10_10.0.19045.6093_CVE-2025-49734", + "is_onboarded": true, + "last_seen_timestamp": "2025-10-07T00:08:23.000Z", + "os_architecture": "x64", + "os_platform": "Windows10", + "os_version": "10.0.19045.6093", + "rbac_group_id": "0", + "rbac_group_name": "Unassigned", + "recommendation_reference": "va-_-microsoft-_-windows_10", + "recommended_security_update": "September 2025 Security Updates", + "recommended_security_update_id": "5065429", + "security_update_available": true, + "severity_level": "High", + "software_name": "windows_10", + "software_vendor": "microsoft", + 
"software_version": "10.0.19045.6093" } }, - "message": "Summary: VMware Tools and Open Virtual Machine Tools are vulnerable to a local privilege escalation vulnerability. An attacker with local non-administrative access to the Guest OS can exploit this vulnerability to escalate privileges as a root user in the virtual machine. Impact: If exploited, this vulnerability could allow a malicious actor to gain elevated privileges on the system, potentially leading to unauthorized access, data theft, or further compromise of the virtual machine. AdditionalInformation: TVM-2020-0002 is associated with this vulnerability. It is recommended to refer to the CVE page for more details, including the impact, CVSS score, and acknowledgments. Remediation: Apply the latest patches and updates provided by the respective vendors. [Generated by AI]", + "message": "Microsoft September 2025 Security Updates", "observer": { "product": "Microsoft 365 Defender", "vendor": "Microsoft" }, "package": { - "name": "tools", - "version": "12.0.6.0" + "name": "windows_10", + "version": "10.0.19045.6093" }, "related": { "hosts": [ - "d78dc223-8dc8-4210-9700-019b3b03505b", - "c-lab-08", - "0e23b8b23f6dc0e9d84846f877b45d19c04a522d" - ], - "ip": [ - "67.43.156.0", - "89.160.20.128" + "aaasasasasasa", + "host-3" ] }, "resource": { - "id": "0e23b8b23f6dc0e9d84846f877b45d19c04a522d", - "name": "c-lab-08" + "id": "aaasasasasasa", + "name": "host-3" }, "tags": [ "preserve_duplicate_custom_fields" ], "vulnerability": { "classification": "CVSS", - "description": "Summary: VMware Tools and Open Virtual Machine Tools are vulnerable to a local privilege escalation vulnerability. An attacker with local non-administrative access to the Guest OS can exploit this vulnerability to escalate privileges as a root user in the virtual machine. 
Impact: If exploited, this vulnerability could allow a malicious actor to gain elevated privileges on the system, potentially leading to unauthorized access, data theft, or further compromise of the virtual machine. AdditionalInformation: TVM-2020-0002 is associated with this vulnerability. It is recommended to refer to the CVE page for more details, including the impact, CVSS score, and acknowledgments. Remediation: Apply the latest patches and updates provided by the respective vendors. [Generated by AI]", - "enumeration": "TVM", - "id": "TVM-2020-0002", - "published_date": "2022-08-23T00:00:00.000Z", + "cve": "CVE-2025-49734", + "enumeration": "CVE", + "id": "CVE-2025-49734", + "reference": "https://www.cve.org/CVERecord?id=CVE-2025-49734", "scanner": { "vendor": "Microsoft" }, "score": { - "base": 7.0, - "version": "3.0" + "base": 7.0 }, "severity": "High", - "title": "Vulnerability found in tools 12.0.6.0 - TVM-2020-0002" + "title": "Vulnerability found in windows_10 10.0.19045.6093 - CVE-2025-49734" } }, { - "cloud": { - "instance": { - "id": "ecdc774f-45b4-4e33-97c8-f777e134131a" - }, - "provider": "azure", - "resource_id": "/subscriptions/e1685f98-517c-4ffe-b7d5-d6cb9d563ec2/resourceGroups/R15_Sentinel/providers/Microsoft.HybridCompute/machines/C-Lab-10" - }, "ecs": { "version": "8.17.0" }, 
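Review bot: The new event's `original` carries `RecommendedSecurityUpdateUrl` (the catalog link for KB5065429), but no `m365_defender.vulnerability.recommended_security_update_url` appears among the mapped custom fields, while `cve_batch_url`, `recommended_security_update` and `recommended_security_update_id` are all kept; unless it is mapped to a field outside this hunk, the pipeline drops the one directly actionable remediation link. I'd add a rename for it in the ingest pipeline, e.g. `target_field: m365_defender.vulnerability.recommended_security_update_url`, and regenerate this expected file. Separately, `FirstSeenTimestamp` arrives as `2025-09-09 17:30:58` with no zone and is emitted as `2025-09-09T17:30:58.000Z`, so the date parsing presumably assumes UTC — confirm that against the export's documented timezone before relying on it for `first_seen` ordering.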
@@ -735,117 +299,60 @@ "category": [ "vulnerability" ], - "id": "0e23b8b23f6dc0e9d84846f877b45d19c04a522d-_-TVM-2020-0002-_-vmware-_-tools-_-12.0.6.0-_-", + "id": "bbbbbbbbbbbbbb_vmware_tools_12.0.6.0_CVE-2022-31676", "kind": "event", - "original": "{\"affectedMachine\":{\"aadDeviceId\":\"d78dc223-8dc8-4210-9700-019b3b03505b\",\"agentVersion\":\"10.8792.19045.5737\",\"computerDnsName\":\"c-lab-08\",\"cveId\":\"TVM-2020-0002\",\"deviceValue\":\"Normal\",\"exclusionReason\":null,\"exposureLevel\":\"Low\",\"firstSeen\":\"2024-11-05T11:54:59.5717001Z\",\"fixingKbId\":null,\"healthStatus\":\"Active\",\"id\":\"0e23b8b23f6dc0e9d84846f877b45d19c04a522d-_-TVM-2020-0002-_-vmware-_-tools-_-12.0.6.0-_-\",\"ipAddresses\":[{\"ipAddress\":\"216.160.83.56\",\"macAddress\":\"00505683B880\",\"operationalStatus\":\"Up\",\"type\":\"Ethernet\"}],\"isAadJoined\":true,\"isExcluded\":false,\"isPotentialDuplication\":false,\"lastExternalIpAddress\":\"67.43.156.0\",\"lastIpAddress\":\"89.160.20.128\",\"lastSeen\":\"2025-04-22T05:48:04.7550736Z\",\"machineId\":\"0e23b8b23f6dc0e9d84846f877b45d19c04a522d\",\"machineTags\":[\"test tag 
1\"],\"managedBy\":\"Intune\",\"managedByStatus\":\"Unknown\",\"mergedIntoMachineId\":null,\"onboardingStatus\":\"Onboarded\",\"osArchitecture\":\"64-bit\",\"osBuild\":19045,\"osPlatform\":\"Windows10\",\"osProcessor\":\"x64\",\"osVersion\":null,\"productName\":\"tools\",\"productVendor\":\"vmware\",\"productVersion\":\"12.0.6.0\",\"rbacGroupId\":0,\"rbacGroupName\":null,\"riskScore\":\"None\",\"severity\":\"High\",\"version\":\"22H2\",\"vmMetadata\":{\"cloudProvider\":\"Azure\",\"resourceId\":\"/subscriptions/e1685f98-517c-4ffe-b7d5-d6cb9d563ec2/resourceGroups/R15_Sentinel/providers/Microsoft.HybridCompute/machines/C-Lab-10\",\"subscriptionId\":\"e1685f98-517c-4ffe-b7d5-d6cb9d563ec2\",\"vmId\":\"ecdc774f-45b4-4e33-97c8-f777e134131a\"}},\"cveSupportability\":\"Supported\",\"cvssV3\":7,\"cvssVector\":\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C\",\"description\":\"Summary: VMware Tools and Open Virtual Machine Tools are vulnerable to a local privilege escalation vulnerability. An attacker with local non-administrative access to the Guest OS can exploit this vulnerability to escalate privileges as a root user in the virtual machine. Impact: If exploited, this vulnerability could allow a malicious actor to gain elevated privileges on the system, potentially leading to unauthorized access, data theft, or further compromise of the virtual machine. AdditionalInformation: TVM-2020-0002 is associated with this vulnerability. It is recommended to refer to the CVE page for more details, including the impact, CVSS score, and acknowledgments. Remediation: Apply the latest patches and updates provided by the respective vendors. 
[Generated by AI]\",\"epss\":0.00053,\"exploitInKit\":false,\"exploitTypes\":[\"PrivilegeEscalation\"],\"exploitUris\":[],\"exploitVerified\":false,\"exposedMachines\":12,\"firstDetected\":\"2025-01-01T08:22:58Z\",\"id\":\"TVM-2020-0002\",\"name\":\"TVM-2020-0002\",\"patchFirstAvailable\":null,\"publicExploit\":false,\"publishedOn\":\"2022-08-23T00:00:00Z\",\"severity\":\"High\",\"tags\":[],\"updatedOn\":\"2024-12-10T00:00:00Z\"}", + "original": "{\"CveBatchTitle\":\"Vmware August 2022 Vulnerabilities\",\"CveBatchUrl\":\"https://www.vmware.com/security/advisories/VMSA-2022-0024.1.html\",\"CveId\":\"CVE-2022-31676\",\"CvssScore\":7,\"DeviceId\":\"bbbbbbbbbbbbbb\",\"DeviceName\":\"host-4\",\"DiskPaths\":[\"C:\\\\Program Files\\\\VMware\\\\VMware Tools\\\\VMware VGAuth\\\\VMwareAliasImport.exe\"],\"ExploitabilityLevel\":\"NoExploit\",\"FirstSeenTimestamp\":\"2025-08-02 15:09:51\",\"Id\":\"bbbbbbbbbbbbbb_vmware_tools_12.0.6.0_CVE-2022-31676\",\"IsOnboarded\":true,\"LastSeenTimestamp\":\"2025-10-06 19:49:51\",\"OSArchitecture\":\"x64\",\"OSPlatform\":\"Windows10\",\"OSVersion\":\"10.0.19045.6332\",\"RbacGroupId\":0,\"RbacGroupName\":\"Unassigned\",\"RecommendationReference\":\"va-_-vmware-_-tools\",\"RecommendedSecurityUpdate\":\"VMware Tools update addresses a local privilege escalation vulnerability (CVE-2022-31676)\",\"RegistryPaths\":[],\"SecurityUpdateAvailable\":true,\"SoftwareName\":\"tools\",\"SoftwareVendor\":\"vmware\",\"SoftwareVersion\":\"12.0.6.0\",\"VulnerabilitySeverityLevel\":\"High\"}", "type": [ "info" ] }, "group": { - "id": "0" + "id": "0", + "name": "Unassigned" }, "host": { "architecture": "x64", - "geo": { - "continent_name": "Asia", - "country_iso_code": "BT", - "country_name": "Bhutan", - "location": { - "lat": 27.5, - "lon": 90.5 - } - }, - "hostname": "c-lab-08", - "id": "0e23b8b23f6dc0e9d84846f877b45d19c04a522d", - "ip": [ - "67.43.156.0" - ], - "name": "c-lab-08", + "hostname": "host-4", + "id": "bbbbbbbbbbbbbb", + "name": "host-4", "os": { 
- "name": "Windows10 22H2", + "name": "Windows10 10.0.19045.6332", "platform": "Windows10", "type": "windows", - "version": "22H2" - }, - "risk": { - "calculated_level": "None" + "version": "10.0.19045.6332" } }, "m365_defender": { "vulnerability": { - "affected_machine": { - "aad_device_id": "d78dc223-8dc8-4210-9700-019b3b03505b", - "agent_version": "10.8792.19045.5737", - "computer_dns_name": "c-lab-08", - "device_value": "Normal", - "exposure_level": "Low", - "first_seen": "2024-11-05T11:54:59.571Z", - "health_status": "Active", - "id": "0e23b8b23f6dc0e9d84846f877b45d19c04a522d-_-TVM-2020-0002-_-vmware-_-tools-_-12.0.6.0-_-", - "ip_addresses": [ - { - "ip_address": "216.160.83.56", - "mac_address": "00-50-56-83-B8-80", - "operational_status": "Up", - "type": "Ethernet" - } - ], - "is_aad_joined": true, - "is_excluded": false, - "is_potential_duplication": false, - "last_external_ip_address": "67.43.156.0", - "last_ip_address": "89.160.20.128", - "last_seen": "2025-04-22T05:48:04.755Z", - "machine_id": "0e23b8b23f6dc0e9d84846f877b45d19c04a522d", - "machine_tags": [ - "test tag 1" - ], - "managed_by": "Intune", - "managed_by_status": "Unknown", - "onboarding_status": "Onboarded", - "os_architecture": "64-bit", - "os_build": 19045, - "os_platform": "Windows10", - "os_processor": "x64", - "product_name": "tools", - "product_vendor": "vmware", - "product_version": "12.0.6.0", - "rbac_group_id": "0", - "risk_score": "None", - "severity": "High", - "version": "22H2", - "vmMetadata": { - "cloud_provider": "Azure", - "resource_id": "/subscriptions/e1685f98-517c-4ffe-b7d5-d6cb9d563ec2/resourceGroups/R15_Sentinel/providers/Microsoft.HybridCompute/machines/C-Lab-10", - "subscription_id": "e1685f98-517c-4ffe-b7d5-d6cb9d563ec2", - "vm_id": "ecdc774f-45b4-4e33-97c8-f777e134131a" - } - }, - "cve_supportability": "Supported", - "cvss_v3": 7.0, - "cvss_vector": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C", - "description": "Summary: VMware Tools and Open Virtual 
Machine Tools are vulnerable to a local privilege escalation vulnerability. An attacker with local non-administrative access to the Guest OS can exploit this vulnerability to escalate privileges as a root user in the virtual machine. Impact: If exploited, this vulnerability could allow a malicious actor to gain elevated privileges on the system, potentially leading to unauthorized access, data theft, or further compromise of the virtual machine. AdditionalInformation: TVM-2020-0002 is associated with this vulnerability. It is recommended to refer to the CVE page for more details, including the impact, CVSS score, and acknowledgments. Remediation: Apply the latest patches and updates provided by the respective vendors. [Generated by AI]", - "epss": 5.3E-4, - "exploit_in_kit": false, - "exploit_types": [ - "PrivilegeEscalation" + "cve_batch_title": "Vmware August 2022 Vulnerabilities", + "cve_batch_url": "https://www.vmware.com/security/advisories/VMSA-2022-0024.1.html", + "cve_id": "CVE-2022-31676", + "cvss_score": 7.0, + "device_id": "bbbbbbbbbbbbbb", + "device_name": "host-4", + "disk_paths": [ + "C:\\Program Files\\VMware\\VMware Tools\\VMware VGAuth\\VMwareAliasImport.exe" ], - "exploit_verified": false, - "exposed_machines": 12, - "first_detected": "2025-01-01T08:22:58.000Z", - "id": "TVM-2020-0002", - "impact": "If exploited, this vulnerability could allow a malicious actor to gain elevated privileges on the system, potentially leading to unauthorized access, data theft, or further compromise of the virtual machine.", - "name": "TVM-2020-0002", - "public_exploit": false, - "published_on": "2022-08-23T00:00:00.000Z", - "remediation": "Apply the latest patches and updates provided by the respective vendors.", - "severity": "High", - "summary": "VMware Tools and Open Virtual Machine Tools are vulnerable to a local privilege escalation vulnerability. 
An attacker with local non-administrative access to the Guest OS can exploit this vulnerability to escalate privileges as a root user in the virtual machine.", - "updated_on": "2024-12-10T00:00:00.000Z" + "exploitability_level": "NoExploit", + "first_seen_timestamp": "2025-08-02T15:09:51.000Z", + "id": "bbbbbbbbbbbbbb_vmware_tools_12.0.6.0_CVE-2022-31676", + "is_onboarded": true, + "last_seen_timestamp": "2025-10-06T19:49:51.000Z", + "os_architecture": "x64", + "os_platform": "Windows10", + "os_version": "10.0.19045.6332", + "rbac_group_id": "0", + "rbac_group_name": "Unassigned", + "recommendation_reference": "va-_-vmware-_-tools", + "recommended_security_update": "VMware Tools update addresses a local privilege escalation vulnerability (CVE-2022-31676)", + "security_update_available": true, + "severity_level": "High", + "software_name": "tools", + "software_vendor": "vmware", + "software_version": "12.0.6.0" } }, - "message": "Summary: VMware Tools and Open Virtual Machine Tools are vulnerable to a local privilege escalation vulnerability. An attacker with local non-administrative access to the Guest OS can exploit this vulnerability to escalate privileges as a root user in the virtual machine. Impact: If exploited, this vulnerability could allow a malicious actor to gain elevated privileges on the system, potentially leading to unauthorized access, data theft, or further compromise of the virtual machine. AdditionalInformation: TVM-2020-0002 is associated with this vulnerability. It is recommended to refer to the CVE page for more details, including the impact, CVSS score, and acknowledgments. Remediation: Apply the latest patches and updates provided by the respective vendors. [Generated by AI]", + "message": "Vmware August 2022 Vulnerabilities", "observer": { "product": "Microsoft 365 Defender", "vendor": "Microsoft" 
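Review bot: `vulnerability.score.base` is now taken from `CvssScore` (`7` → `7.0`) but `vulnerability.score.version` is no longer populated, while `vulnerability.classification` still says `CVSS`; the export format carries no vector or version, so a consumer cannot tell whether 7.0 is a v2, v3 or v4 base score. Either document this limitation in the field description for `m365_defender.vulnerability.cvss_score` (e.g. `CVSS base score as reported by the export; the CVSS version and vector are not provided`) or leave `vulnerability.score` unset and keep only the custom field. Note also that `RegistryPaths: []` from `original` is silently dropped, which is fine for an empty array but worth a comment in the pipeline so the asymmetry with `disk_paths` is intentional rather than surprising.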
@@ -856,38 +363,31 @@
 },
 "related": {
 "hosts": [
- "d78dc223-8dc8-4210-9700-019b3b03505b",
- "c-lab-08",
- "0e23b8b23f6dc0e9d84846f877b45d19c04a522d"
- ],
- "ip": [
- "216.160.83.56",
- "67.43.156.0",
- "89.160.20.128"
+ "bbbbbbbbbbbbbb",
+ "host-4"
 ]
 },
 "resource": {
- "id": "0e23b8b23f6dc0e9d84846f877b45d19c04a522d",
- "name": "c-lab-08"
+ "id": "bbbbbbbbbbbbbb",
+ "name": "host-4"
 },
 "tags": [
 "preserve_duplicate_custom_fields"
 ],
 "vulnerability": {
 "classification": "CVSS",
- "description": "Summary: VMware Tools and Open Virtual Machine Tools are vulnerable to a local privilege escalation vulnerability. An attacker with local non-administrative access to the Guest OS can exploit this vulnerability to escalate privileges as a root user in the virtual machine. Impact: If exploited, this vulnerability could allow a malicious actor to gain elevated privileges on the system, potentially leading to unauthorized access, data theft, or further compromise of the virtual machine. AdditionalInformation: TVM-2020-0002 is associated with this vulnerability. It is recommended to refer to the CVE page for more details, including the impact, CVSS score, and acknowledgments. Remediation: Apply the latest patches and updates provided by the respective vendors. [Generated by AI]",
- "enumeration": "TVM",
- "id": "TVM-2020-0002",
- "published_date": "2022-08-23T00:00:00.000Z",
+ "cve": "CVE-2022-31676",
+ "enumeration": "CVE",
+ "id": "CVE-2022-31676",
+ "reference": "https://www.cve.org/CVERecord?id=CVE-2022-31676",
 "scanner": {
 "vendor": "Microsoft"
 },
 "score": {
- "base": 7.0,
- "version": "3.0"
+ "base": 7.0
 },
 "severity": "High",
- "title": "Vulnerability found in tools 12.0.6.0 - TVM-2020-0002"
+ "title": "Vulnerability found in tools 12.0.6.0 - CVE-2022-31676"
 }
 }
 ]
diff --git a/packages/m365_defender/data_stream/vulnerability/_dev/test/system/test-default-config.yml b/packages/m365_defender/data_stream/vulnerability/_dev/test/system/test-default-config.yml
index 33a446e45b8..c034b3325ea 100644
--- a/packages/m365_defender/data_stream/vulnerability/_dev/test/system/test-default-config.yml
+++ b/packages/m365_defender/data_stream/vulnerability/_dev/test/system/test-default-config.yml
@@ -8,8 +8,9 @@ vars:
 azure_tenant_id: tenant_id
 data_stream:
 vars:
- batch_size: 2
+ sas_valid_hours: 2h
 preserve_original_event: true
 preserve_duplicate_custom_fields: true
+ enable_request_tracer: true
 assert:
- hit_count: 5
+ hit_count: 4
diff --git a/packages/m365_defender/data_stream/vulnerability/agent/stream/cel.yml.hbs b/packages/m365_defender/data_stream/vulnerability/agent/stream/cel.yml.hbs
index b5eea842f8a..1d35846b785 100644
--- a/packages/m365_defender/data_stream/vulnerability/agent/stream/cel.yml.hbs
+++ b/packages/m365_defender/data_stream/vulnerability/agent/stream/cel.yml.hbs
@@ -14,261 +14,123 @@ resource.ssl: {{ssl}} resource.timeout: {{http_client_timeout}} {{/if}} resource.url: {{url}} -auth.oauth2: - provider: azure - client.id: {{client_id}} - client.secret: {{client_secret}} - scopes: +state: + sas_valid_hours: {{sas_valid_hours}} + token_url: {{token_url}}/{{azure_tenant_id}}/oauth2/v2.0/token + client_id: {{client_id}} + client_secret: {{client_secret}} + token_scopes: {{#each token_scopes as |token_scope|}} - {{token_scope}} {{/each}} -{{#if token_url}} - token_url: {{token_url}}/{{azure_tenant_id}}/oauth2/v2.0/token -{{else if azure_tenant_id}} - azure.tenant_id: {{azure_tenant_id}} -{{/if}} - -state: - config: - product_batch_size: 10000 - machine_batch_size: 10000 - vulnerabilities_batch_size: {{batch_size}} - affected_machines_only: {{affected_machines_only}} - product_skip: 0 - machine_skip: 0 - vulnerability_skip: 0 redact: - fields: ~ + fields: + - client_id + - client_secret + - token.access_token program: |- state.with( - ( - // Get products. - state.?is_all_products_fetched.orValue(false) ? - { - "products": state.products, - "product_skip": 0, - "is_all_products_fetched": state.is_all_products_fetched, - ?"machines": state.?machines, - "machine_skip": state.machine_skip, - ?"is_all_machines_fetched": state.?is_all_machines_fetched, - ?"vulnerabilities": state.?vulnerabilities, - "vulnerability_skip": state.vulnerability_skip, - ?"is_all_vulnerabilities_fetched": state.?is_all_vulnerabilities_fetched, - } - : - request( - "GET", - state.url.trim_right("/") + "/api/vulnerabilities/machinesVulnerabilities?" + { - "$top": [string(state.config.product_batch_size)], - "$skip": [string(int(state.product_skip))], - }.format_query() - ).do_request().as(productResp, (productResp.StatusCode == 200) ? 
- productResp.Body.decode_json().as(productBody, - { - "events": [{"message": "retry"}], - "want_more": true, - "products": (state.?products.orValue([]) + productBody.value).flatten(), - "product_skip": (size(productBody.value) > 0) ? (int(state.product_skip) + int(state.config.product_batch_size)) : 0, - "is_all_products_fetched": size(productBody.value) < int(state.config.product_batch_size), - "machine_skip": state.machine_skip, - "vulnerability_skip": state.vulnerability_skip, - } - ) - : - { - "events": { - "error": { - "code": string(productResp.StatusCode), - "id": string(productResp.Status), - "message": "GET " + state.url.trim_right("/") + "/api/vulnerabilities/machinesVulnerabilities" + ( - (size(productResp.Body) != 0) ? - string(productResp.Body) - : - string(productResp.Status) + " (" + string(productResp.StatusCode) + ")" - ), - }, - }, - "want_more": false, - "products": [], - "product_skip": 0, - "is_all_products_fetched": false, - "machines": [], - "machine_skip": 0, - "is_all_machines_fetched": false, - "vulnerabilities": [], - "vulnerability_skip": 0, - "is_all_vulnerabilities_fetched": false, - } - ) - ).as(res, !res.?is_all_products_fetched.orValue(false) ? - res - : res.?is_all_machines_fetched.orValue(false) ? - { - "products": res.products, - "product_skip": 0, - "is_all_products_fetched": res.is_all_products_fetched, - "machines": res.machines, - "machine_skip": 0, - "is_all_machines_fetched": res.is_all_machines_fetched, - ?"vulnerabilities": res.?vulnerabilities, - "vulnerability_skip": res.vulnerability_skip, - ?"is_all_vulnerabilities_fetched": res.?is_all_vulnerabilities_fetched, - } - : + state.?work_list.orValue([]).size() > 0 ? request( - "GET", - state.url.trim_right("/") + "/api/machines?" + { - "$top": [string(state.config.machine_batch_size)], - "$skip": [string(int(res.machine_skip))], - }.format_query() - ).do_request().as(machineResp, (machineResp.StatusCode == 200) ? 
- machineResp.Body.decode_json().as(machineBody, - { - "events": [{"message": "retry"}], - "want_more": true, - "machines": (res.?machines.orValue([]) + machineBody.value).flatten(), - "machine_skip": (size(machineBody.value) > 0) ? (int(res.machine_skip) + int(state.config.machine_batch_size)) : 0, - "is_all_machines_fetched": size(machineBody.value) < int(state.config.machine_batch_size), - "products": res.products, - "product_skip": 0, - "is_all_products_fetched": res.is_all_products_fetched, - "vulnerability_skip": res.vulnerability_skip, - } - ) + "GET", + state.work_list[0] + ).do_request().as(resp, resp.StatusCode == 200 ? + resp.Body.mime("application/gzip").decode_json_stream().map(v, + {"message": dyn(v.encode_json())} + ).as(events, { + "events": events, + // Keep polling if more work. + "want_more": state.work_list.size() > 1, + "work_list": tail(state.work_list), + }) : + // It is possible that download URLs have expired, so ignore remaining work_list and return error. { "events": { "error": { - "code": string(machineResp.StatusCode), - "id": string(machineResp.Status), - "message": "GET " + state.url.trim_right("/") + "/api/machines" + ( - (size(machineResp.Body) != 0) ? - string(machineResp.Body) + "code": string(resp.StatusCode), + "id": string(resp.Status), + "message": "GET "+ state.work_list[0] + ":" + ( + size(resp.Body) != 0 ? + string(resp.Body) : - string(machineResp.Status) + " (" + string(machineResp.StatusCode) + ")" + string(resp.Status) + ' (' + string(resp.StatusCode) + ')' ), }, }, "want_more": false, - "products": [], - "product_skip": 0, - "is_all_products_fetched": false, - "machines": [], - "machine_skip": 0, - "is_all_machines_fetched": false, - "vulnerabilities": [], - "vulnerability_skip": 0, - "is_all_vulnerabilities_fetched": false, } ) - ).as(res, - // Get products with machines. - !res.?is_all_machines_fetched.orValue(false) ? - res - : res.?is_all_vulnerability_fetched.orValue(false) ? + : + // Periodic poll. 
No work_list, so get new token and work_list. + post_request(state.token_url.trim_right("/"), "application/x-www-form-urlencoded", { - "products": res.products, - "product_skip": 0, - "is_all_products_fetched": res.is_all_products_fetched, - "machines": res.machines, - "machine_skip": 0, - "is_all_machines_fetched": res.is_all_machines_fetched, - "vulnerabilities": res.vulnerabilities, - "vulnerability_skip": 0, - "is_all_vulnerability_fetched": res.is_all_vulnerability_fetched, - } + "grant_type": ["client_credentials"], + "client_id": [state.client_id], + "client_secret": [state.client_secret], + "scope": state.token_scopes, + }.format_query() + ).do_request().as(auth, auth.StatusCode == 200 ? + auth.Body.decode_json() : + { + "events": { + "error": { + "code": string(auth.StatusCode), + "id": string(auth.Status), + "message": "POST /oauth2/v2.0/token :" +( + size(auth.Body) != 0 ? + string(auth.Body) + : + string(auth.Status) + ' (' + string(auth.StatusCode) + ')' + ), + }, + }, + "want_more": false, + } + ).as(token, !has(token.access_token) ? token : request( "GET", - state.url.trim_right("/") + "/api/vulnerabilities?" + { - "$top": [string(state.config.vulnerabilities_batch_size)], - "$skip": [string(int(res.vulnerability_skip))], + state.url.trim_right("/") + "/api/machines/SoftwareVulnerabilitiesExport?" + { + "sasValidHours": [string(duration(state.sas_valid_hours).getHours())], }.format_query() - ).do_request().as(vulnerabilityResp, (vulnerabilityResp.StatusCode == 200) ? - vulnerabilityResp.Body.decode_json().as(vulnerabilityBody, + ).with({ + "Header":{ + "Authorization": ["Bearer " + string(token.access_token)], + } + }).do_request().as(resp, resp.StatusCode == 200 ? + resp.Body.decode_json().as(exportBody, exportBody.?exportFiles.orValue([]).size() == 0 ? + // Nothing to download. Don't poll again. + { + "events": [], + "want_more": false, + } + : + // Return new work_list to download. 
{ - "events": [{"message": "retry"}], + "events": [{"message":"retry"}], + "work_list": exportBody.exportFiles, "want_more": true, - "vulnerabilities": (res.?vulnerabilities.orValue([]) + vulnerabilityBody.value).flatten(), - "vulnerability_skip": (size(vulnerabilityBody.value) > 0) ? (int(res.vulnerability_skip) + int(state.config.vulnerabilities_batch_size)) : 0, - "is_all_vulnerabilities_fetched": size(vulnerabilityBody.value) < int(state.config.vulnerabilities_batch_size), - "products": res.products, - "product_skip": 0, - "is_all_products_fetched": res.is_all_products_fetched, - "machines": res.machines, - "machine_skip": 0, - "is_all_machines_fetched": res.is_all_machines_fetched, } ) : { "events": { "error": { - "code": string(vulnerabilityResp.StatusCode), - "id": string(vulnerabilityResp.Status), - "message": "GET " + state.url.trim_right("/") + "/api/vulnerabilities" + ( - (size(vulnerabilityResp.Body) != 0) ? - string(vulnerabilityResp.Body) + "code": string(resp.StatusCode), + "id": string(resp.Status), + "message": "GET /api/machines/SoftwareVulnerabilitiesExport :" + ( + size(resp.Body) != 0 ? + string(resp.Body) : - string(vulnerabilityResp.Status) + " (" + string(vulnerabilityResp.StatusCode) + ")" + string(resp.Status) + ' (' + string(resp.StatusCode) + ')' ), }, }, "want_more": false, - "products": [], - "product_skip": 0, - "is_all_products_fetched": false, - "machines": [], - "machine_skip": 0, - "is_all_machines_fetched": false, - "vulnerabilities": [], - "vulnerability_skip": 0, - "is_all_vulnerabilities_fetched": false, - } - ) - ).as(res, - // Collate data. - (!res.?is_all_vulnerabilities_fetched.orValue(false) || size(res.products) == 0) ? - res - : - res.products.map(p, - res.machines.filter(m, m.id == p.machineId)[?0].as(m, m.hasValue() ? 
- m.value().with(p) - : - {} - ) - ).as(mapped_products, - { - "vulnerability_with_machines": res.vulnerabilities.filter(v, v.exposedMachines > 0), - "vulnerability_without_machines": state.config.affected_machines_only ? - [] - : - res.vulnerabilities.filter(v, v.exposedMachines == 0), - "mapped_products": mapped_products, - } - ).as(final_data, - { - "events": ( - final_data.vulnerability_with_machines.map(v, - final_data.mapped_products.map(related_mapped_products, - has(related_mapped_products.cveId) && related_mapped_products.cveId == v.id, - { - "message": v.with({"affectedMachine": related_mapped_products}).encode_json(), - } - ) - ).flatten() + final_data.vulnerability_without_machines.map(v, - { - "message": v.drop("affectedMachine").encode_json(), - } - ) - ).flatten(), - "want_more": false, - "product_skip": 0, - "machine_skip": 0, - "vulnerability_skip": 0, } ) - ) + ) ) tags: {{#if preserve_original_event}} diff --git a/packages/m365_defender/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml b/packages/m365_defender/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml index 9e38c14a597..09898a6b74d 100644 --- a/packages/m365_defender/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml +++ b/packages/m365_defender/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml 
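Review bot: The download-error branch (`"message": "GET "+ state.work_list[0] + ":" + ...`) embeds the complete pre-signed export URL, SAS signature included, in an event that gets indexed, and `work_list` is carried in state without appearing under `redact.fields`, so a credential that stays valid for `sasValidHours` leaks into documents and any state dump. Log the URL with its query string stripped and add `- work_list` to `redact.fields`. That same branch also omits `work_list` from the map it returns; because `state.with()` merges rather than replaces, the expired URL stays at the head of the list and is retried on every poll instead of triggering the fresh export the comment promises — add `"work_list": [],` next to `"want_more": false,` there (unless the input discards state after an error event, which I cannot see from here). `client_id` and `client_secret` are correctly redacted, but `token.access_token` never reaches state in either path, so that redact entry is inert.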
@@ -65,341 +65,217 @@ processors: tag : set_observer_vendor value: Microsoft - rename: - field: json.affectedMachine.aadDeviceId - tag: rename_affectedMachine_aadDeviceId - target_field: m365_defender.vulnerability.affected_machine.aad_device_id + field: json.CveBatchTitle + tag: rename_CveBatchTitle + target_field: m365_defender.vulnerability.cve_batch_title ignore_missing: true + - rename: + field: json.CveBatchUrl + tag: rename_CveBatchUrl + target_field: m365_defender.vulnerability.cve_batch_url + ignore_missing: true + - rename: + field: json.CveId + tag: rename_CveId + target_field: m365_defender.vulnerability.cve_id + ignore_missing: true + - set: + field: vulnerability.id + tag: set_vulnerability_id_from_vulnerability_cve_id + copy_from: m365_defender.vulnerability.cve_id + ignore_empty_value: true + - set: + field: vulnerability.cve + tag: set_vulnerability_cve_from_vulnerability_id + copy_from: vulnerability.id + ignore_empty_value: true + if: ctx.vulnerability?.id != null && ctx.vulnerability.id.toUpperCase().contains('CVE') == true + - set: + field: vulnerability.reference + tag: set_vulnerability_reference_from_vulnerability_id + value: https://www.cve.org/CVERecord?id={{{vulnerability.id}}} + if: ctx.vulnerability?.id != null && ctx.vulnerability.id.toUpperCase().contains('CVE') == true + - script: + description: Dynamically set vulnerability.enumeration values. 
+ tag: script_map_vulnerability_id + lang: painless + if: ctx.vulnerability?.id != null + params: + vulnerability_enumeration: + - CVE + - TVM + source: | + String vulnerability_id = ctx.vulnerability.id.toUpperCase(); + for (String enum: params.vulnerability_enumeration) { + if (vulnerability_id.contains(enum)) { + ctx.vulnerability.put('enumeration', enum); + return; + } + } + - convert: + field: json.CvssScore + tag: convert_CvssScore_to_float + target_field: m365_defender.vulnerability.cvss_score + type: float + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: vulnerability.score.base + tag: set_vulnerability_score_base_from_vulnerability_cvss_score + copy_from: m365_defender.vulnerability.cvss_score + ignore_empty_value: true + - set: + field: vulnerability.classification + tag: set_vulnerability_classification_from_vulnerability_cvss_score + value: CVSS + if: ctx.m365_defender?.vulnerability?.cvss_score != null + ignore_empty_value: true + - set: + field: vulnerability.scanner.vendor + tag: set_vulnerability_scanner_vendor + value: Microsoft + - set: + field: message + tag: set_message_from_cve_batch_title + copy_from: m365_defender.vulnerability.cve_batch_title + ignore_empty_value: true + - rename: + field: json.DeviceId + tag: rename_DeviceId + target_field: m365_defender.vulnerability.device_id + ignore_missing: true + - set: + field: host.id + tag: set_host_id_from_m365_defender_vulnerability_device_id + copy_from: m365_defender.vulnerability.device_id + ignore_empty_value: true + - set: + field: resource.id + tag: set_resource_id_from_m365_defender_vulnerability_device_id + copy_from: m365_defender.vulnerability.device_id + ignore_empty_value: true - append: field: related.hosts - tag: 
append_m365_defender_vulnerability_affected_machine_aad_device_id_into_related_hosts - value: '{{{m365_defender.vulnerability.affected_machine.aad_device_id}}}' + tag: append_related_hosts_from_m365_defender_vulnerability_device_id + value: '{{{m365_defender.vulnerability.device_id}}}' allow_duplicates: false - if: ctx.m365_defender?.vulnerability?.affected_machine?.aad_device_id != null + if: ctx.m365_defender?.vulnerability?.device_id != null - rename: - field: json.affectedMachine.agentVersion - tag: rename_affectedMachine_agentVersion - target_field: m365_defender.vulnerability.affected_machine.agent_version - ignore_missing: true - - rename: - field: json.affectedMachine.computerDnsName - tag: rename_affectedMachine_computerDnsName - target_field: m365_defender.vulnerability.affected_machine.computer_dns_name + field: json.DeviceName + tag: rename_DeviceName + target_field: m365_defender.vulnerability.device_name ignore_missing: true - set: field: host.hostname - tag: set_host_hostname_from_m365_defender_vulnerability_affected_machine_computer_dns_name - copy_from: m365_defender.vulnerability.affected_machine.computer_dns_name + tag: set_host_hostname_from_m365_defender_vulnerability_device_name + copy_from: m365_defender.vulnerability.device_name ignore_empty_value: true - set: field: host.name - tag: set_host_hostname_from_m365_defender_vulnerability_affected_machine_computer_dns_name - copy_from: m365_defender.vulnerability.affected_machine.computer_dns_name + tag: set_host_name_from_m365_defender_vulnerability_device_name + copy_from: m365_defender.vulnerability.device_name ignore_empty_value: true - set: field: resource.name - tag: set_resource_name_from_m365_defender_vulnerability_affected_machine_computer_dns_name - copy_from: m365_defender.vulnerability.affected_machine.computer_dns_name + tag: set_resource_name_from_m365_defender_vulnerability_device_name + copy_from: m365_defender.vulnerability.device_name ignore_empty_value: true - append: field: 
related.hosts - tag: append_m365_defender_vulnerability_computer_dns_name_into_related_hosts - value: '{{{m365_defender.vulnerability.affected_machine.computer_dns_name}}}' + tag: append_m365_defender_vulnerability_device_name_into_related_hosts + value: '{{{m365_defender.vulnerability.device_name}}}' allow_duplicates: false - if: ctx.m365_defender?.vulnerability?.affected_machine?.computer_dns_name != null - - rename: - field: json.affectedMachine.deviceValue - tag: rename_affectedMachine_deviceValue - target_field: m365_defender.vulnerability.affected_machine.device_value - ignore_missing: true + if: ctx.m365_defender?.vulnerability?.device_name != null - rename: - field: json.affectedMachine.exclusionReason - tag: rename_affectedMachine_exclusionReason - target_field: m365_defender.vulnerability.affected_machine.exclusion_reason + field: json.DiskPaths + tag: rename_DiskPaths + target_field: m365_defender.vulnerability.disk_paths ignore_missing: true - rename: - field: json.affectedMachine.exposureLevel - tag: rename_affectedMachine_exposureLevel - target_field: m365_defender.vulnerability.affected_machine.exposure_level + field: json.ExploitabilityLevel + tag: rename_ExploitabilityLevel + target_field: m365_defender.vulnerability.exploitability_level ignore_missing: true - date: - field: json.affectedMachine.firstSeen - tag: date_affectedMachine_firstSeen - target_field: m365_defender.vulnerability.affected_machine.first_seen + field: json.FirstSeenTimestamp + tag: date_FirstSeenTimestamp + target_field: m365_defender.vulnerability.first_seen_timestamp formats: - - strict_date_optional_time_nanos - if: ctx.json?.affectedMachine?.firstSeen != null && ctx.json.affectedMachine.firstSeen != '' + - yyyy-MM-dd HH:mm:ss + - yyyy-MM-dd HH:mm:ss.SSSSSSS + - ISO8601 + if: ctx.json?.FirstSeenTimestamp != null && ctx.json.FirstSeenTimestamp != '' on_failure: - append: field: error.message value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag 
{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - rename: - field: json.affectedMachine.fixingKbId - tag: rename_affectedMachine_fixingKbId - target_field: m365_defender.vulnerability.affected_machine.fixing_kb_id - ignore_missing: true - - rename: - field: json.affectedMachine.healthStatus - tag: rename_affectedMachine_healthStatus - target_field: m365_defender.vulnerability.affected_machine.health_status - ignore_missing: true - - rename: - field: json.affectedMachine.id - tag: rename_affectedMachine_id - target_field: m365_defender.vulnerability.affected_machine.id + field: json.Id + tag: rename_Id + target_field: m365_defender.vulnerability.id ignore_missing: true - set: field: event.id - tag: set_event_id_from_m365_defender_vulnerability_affected_machine_id - copy_from: m365_defender.vulnerability.affected_machine.id + tag: set_event_id_from_m365_defender_vulnerability_id + copy_from: m365_defender.vulnerability.id ignore_empty_value: true - - script: - lang: painless - description: Drops empty string values recursively. 
- tag: painless_remove_empty_from_affected_machine_ips - if: ctx.json?.affectedMachine?.ipAddresses != null - source: |- - boolean drop(Object object) { - if (object == '') { - return true; - } else if (object instanceof Map) { - ((Map) object).values().removeIf(v -> drop(v)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(v -> drop(v)); - return (((List) object).length == 0); - } - return false; - } - drop(ctx.json.affectedMachine.ipAddresses); - - foreach: - field: json.affectedMachine.ipAddresses - if: ctx.json?.affectedMachine?.ipAddresses instanceof List - processor: - convert: - field: _ingest._value.ipAddress - tag: convert_affectedMachine_ipAddresses_ipAddress_to_ip - target_field: _ingest._value.ip_address - type: ip - ignore_missing: true - on_failure: - - append: - field: error.message - value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - - foreach: - field: json.affectedMachine.ipAddresses - if: ctx.json?.affectedMachine?.ipAddresses instanceof List - processor: - append: - field: related.ip - tag: append_affectedMachine_ipAddresses_ip_address_into_related_ip - value: '{{{_ingest._value.ip_address}}}' - allow_duplicates: false - - foreach: - field: json.affectedMachine.ipAddresses - if: ctx.json?.affectedMachine?.ipAddresses instanceof List - processor: - uppercase: - field: _ingest._value.macAddress - tag: uppercase_affectedMachine_ipAddresses_macAddress - target_field: _ingest._value.mac_address - ignore_missing: true - - foreach: - field: json.affectedMachine.ipAddresses - if: ctx.json?.affectedMachine?.ipAddresses instanceof List - processor: - gsub: - field: _ingest._value.mac_address - pattern: '(..)(?!$)' - replacement: '$1-' - tag: gsub_affectedMachine_ipAddresses_mac_address - ignore_missing: true - - foreach: - field: 
json.affectedMachine.ipAddresses - if: ctx.json?.affectedMachine?.ipAddresses instanceof List - processor: - rename: - field: _ingest._value.operationalStatus - tag: rename_affectedMachine_ipAddresses_operationalStatus - target_field: _ingest._value.operational_status - ignore_missing: true - - foreach: - field: json.affectedMachine.ipAddresses - if: ctx.json?.affectedMachine?.ipAddresses instanceof List - processor: - remove: - field: - - _ingest._value.ipAddress - - _ingest._value.macAddress - tag: remove_ipAddresses - ignore_missing: true - - rename: - field: json.affectedMachine.ipAddresses - tag: rename_affectedMachine_ipAddresses - target_field: m365_defender.vulnerability.affected_machine.ip_addresses - ignore_missing: true - - convert: - field: json.affectedMachine.isAadJoined - tag: convert_affectedMachine_isAadJoined_to_boolean - target_field: m365_defender.vulnerability.affected_machine.is_aad_joined - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - - convert: - field: json.affectedMachine.isExcluded - tag: convert_affectedMachine_isExcluded_to_boolean - target_field: m365_defender.vulnerability.affected_machine.is_excluded - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: event.id + tag: set_event_id_from_vulnerability_cve_id + copy_from: m365_defender.vulnerability.cve_id + ignore_empty_value: true + if: ctx.event?.id == null - convert: - field: json.affectedMachine.isPotentialDuplication - tag: 
convert_affectedMachine_isPotentialDuplication_to_boolean - target_field: m365_defender.vulnerability.affected_machine.is_potential_duplication + field: json.IsOnboarded + tag: convert_IsOnboarded_to_boolean + target_field: m365_defender.vulnerability.is_onboarded type: boolean ignore_missing: true on_failure: - append: field: error.message value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - - convert: - field: json.affectedMachine.lastExternalIpAddress - tag: convert_affectedMachine_lastExternalIpAddress_to_ip - target_field: m365_defender.vulnerability.affected_machine.last_external_ip_address - type: ip - ignore_missing: true - if: ctx.json?.affectedMachine?.lastExternalIpAddress != '' - on_failure: - - append: - field: error.message - value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - - append: - field: host.ip - tag: append_m365_defender_vulnerability_affected_machine_last_external_ip_address_into_host_ip - value: '{{{m365_defender.vulnerability.affected_machine.last_external_ip_address}}}' - allow_duplicates: false - if: ctx.m365_defender?.vulnerability?.affected_machine?.last_external_ip_address != null - - append: - field: related.ip - tag: append_m365_defender_vulnerability_affected_machine_last_external_ip_address_into_related_ip - value: '{{{m365_defender.vulnerability.affected_machine.last_external_ip_address}}}' - allow_duplicates: false - if: ctx.m365_defender?.vulnerability?.affected_machine?.last_external_ip_address != null - - geoip: - field: host.ip - target_field: host.geo - tag: geoip_host_geo - ignore_missing: true - - convert: - field: json.affectedMachine.lastIpAddress - tag: convert_affectedMachine_lastIpAddress_to_ip - 
target_field: m365_defender.vulnerability.affected_machine.last_ip_address - type: ip - ignore_missing: true - if: ctx.json?.affectedMachine?.lastIpAddress != '' - on_failure: - - append: - field: error.message - value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - - append: - field: related.ip - tag: append_m365_defender_vulnerability_affected_machine_last_ip_address_into_related_ip - value: '{{{m365_defender.vulnerability.affected_machine.last_ip_address}}}' - allow_duplicates: false - if: ctx.m365_defender?.vulnerability?.affected_machine?.last_ip_address != null - date: - field: json.affectedMachine.lastSeen - tag: date_affectedMachine_lastSeen - target_field: m365_defender.vulnerability.affected_machine.last_seen + field: json.LastSeenTimestamp + tag: date_LastSeenTimestamp + target_field: m365_defender.vulnerability.last_seen_timestamp formats: - - strict_date_optional_time_nanos - if: ctx.json?.affectedMachine?.lastSeen != null && ctx.json.affectedMachine.lastSeen != '' + - yyyy-MM-dd HH:mm:ss + - yyyy-MM-dd HH:mm:ss.SSSSSSS + - ISO8601 + if: ctx.json?.LastSeenTimestamp != null && ctx.json.LastSeenTimestamp != '' on_failure: - append: field: error.message value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - rename: - field: json.affectedMachine.machineId - tag: rename_affectedMachine_machineId - target_field: m365_defender.vulnerability.affected_machine.machine_id + field: json.OSArchitecture + tag: rename_OSArchitecture + target_field: m365_defender.vulnerability.os_architecture ignore_missing: true - set: - field: host.id - tag: set_host_id_from_m365_defender_vulnerability_affected_machine_machine_id - copy_from: 
m365_defender.vulnerability.affected_machine.machine_id - ignore_empty_value: true - - set: - field: resource.id - tag: set_resource_id_from_m365_defender_vulnerability_affected_machine_machine_id - copy_from: m365_defender.vulnerability.affected_machine.machine_id + field: host.architecture + tag: set_host_architecture_from_vulnerability_os_architecture + copy_from: m365_defender.vulnerability.os_architecture ignore_empty_value: true - - append: - field: related.hosts - tag: append_related_hosts_from_m365_defender_vulnerability_affected_machine_machine_id - value: '{{{m365_defender.vulnerability.affected_machine.machine_id}}}' - allow_duplicates: false - if: ctx.m365_defender?.vulnerability?.affected_machine?.machine_id != null - - rename: - field: json.affectedMachine.machineTags - tag: rename_affectedMachine_machineTags - target_field: m365_defender.vulnerability.affected_machine.machine_tags - ignore_missing: true - - rename: - field: json.affectedMachine.managedBy - tag: rename_affectedMachine_managedBy - target_field: m365_defender.vulnerability.affected_machine.managed_by - ignore_missing: true - - rename: - field: json.affectedMachine.managedByStatus - tag: rename_affectedMachine_managedByStatus - target_field: m365_defender.vulnerability.affected_machine.managed_by_status - ignore_missing: true - - convert: - field: json.affectedMachine.mergedIntoMachineId - tag: convert_affectedMachine_mergedIntoMachineId_to_string - target_field: m365_defender.vulnerability.affected_machine.merged_into_machine_id - type: string - ignore_missing: true - - rename: - field: json.affectedMachine.onboardingStatus - tag: rename_affectedMachine_onboardingStatus - target_field: m365_defender.vulnerability.affected_machine.onboarding_status - ignore_missing: true - rename: - field: json.affectedMachine.osArchitecture - tag: rename_affectedMachine_osArchitecture - target_field: m365_defender.vulnerability.affected_machine.os_architecture - ignore_missing: true - - convert: - 
field: json.affectedMachine.osBuild - tag: convert_affectedMachine_osBuild_to_long - target_field: m365_defender.vulnerability.affected_machine.os_build - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - - rename: - field: json.affectedMachine.osPlatform - tag: rename_affectedMachine_osPlatform - target_field: m365_defender.vulnerability.affected_machine.os_platform + field: json.OSPlatform + tag: rename_OSPlatform + target_field: m365_defender.vulnerability.os_platform ignore_missing: true - set: field: host.os.platform - tag: set_host_os_platform_from_m365_defender_vulnerability_affected_machine_os_platform - copy_from: m365_defender.vulnerability.affected_machine.os_platform + tag: set_host_os_platform_from_m365_defender_vulnerability_os_platform + copy_from: m365_defender.vulnerability.os_platform ignore_empty_value: true - script: description: Dynamically set host.os.type values. tag: script_map_host_os_type lang: painless - if: ctx.m365_defender?.vulnerability?.affected_machine?.os_platform != null + if: ctx.m365_defender?.vulnerability?.os_platform != null params: os_type: - linux @@ -409,7 +285,7 @@ processors: - ios - android source: | - String os_platform = ctx.m365_defender.vulnerability.affected_machine.os_platform.toLowerCase(); + String os_platform = ctx.m365_defender.vulnerability.os_platform.toLowerCase(); for (String os: params.os_type) { if (os_platform.contains(os)) { ctx.host.os.put('type', os); 
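Review bot: `vulnerability.reference` is built by substituting `{{{vulnerability.id}}}` into a cve.org URL whenever the id merely `contains('CVE')`, and the enumeration script uses the same substring test, so an export row whose identifier only embeds the letters CVE somewhere inside it could get a dead reference link and a wrong `vulnerability.enumeration`. Use an anchored check — `if: ctx.vulnerability?.id != null && ctx.vulnerability.id.toUpperCase().startsWith('CVE-')` — on both the `vulnerability.cve` and `vulnerability.reference` setters, and match on prefix in the painless loop as well. Also, `vulnerability.classification` is set to `CVSS` from `CvssScore` alone while `score.version` is no longer populated; a comment such as `# The export carries no CVSS version, so vulnerability.score.version is intentionally unset` would spare the next reader from hunting for it.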
@@ -419,51 +295,26 @@ processors: if (os_platform.contains('centos') || os_platform.contains('ubuntu')) { ctx.host.os.put('type', 'linux'); } - - rename: - field: json.affectedMachine.osProcessor - tag: rename_affectedMachine_osProcessor - target_field: m365_defender.vulnerability.affected_machine.os_processor - ignore_missing: true - - set: - field: host.architecture - tag: set_host_architecture_from_vulnerability_affected_machine_os_processor - copy_from: m365_defender.vulnerability.affected_machine.os_processor - ignore_empty_value: true - convert: - field: json.affectedMachine.osVersion - tag: convert_affectedMachine_osVersion_to_string - target_field: m365_defender.vulnerability.affected_machine.os_version + field: json.OSVersion + tag: convert_OSVersion_to_string + target_field: m365_defender.vulnerability.os_version type: string ignore_missing: true - - rename: - field: json.affectedMachine.productName - tag: rename_affectedMachine_productName - target_field: m365_defender.vulnerability.affected_machine.product_name - ignore_missing: true - set: - field: package.name - tag: set_package_version_from_vulnerability_affected_machine_product_name - copy_from: m365_defender.vulnerability.affected_machine.product_name + field: host.os.version + tag: set_host_os_version_from_vulnerability_os_version + copy_from: m365_defender.vulnerability.os_version ignore_empty_value: true - - rename: - field: json.affectedMachine.productVendor - tag: rename_affectedMachine_productVendor - target_field: m365_defender.vulnerability.affected_machine.product_vendor - ignore_missing: true - - rename: - field: json.affectedMachine.productVersion - tag: rename_affectedMachine_productVersion - target_field: m365_defender.vulnerability.affected_machine.product_version - ignore_missing: true - set: - field: package.version - tag: set_package_version_from_vulnerability_affected_machine_product_version - copy_from: m365_defender.vulnerability.affected_machine.product_version - 
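Review bot: The new `String os_platform = ctx.m365_defender.vulnerability.os_platform.toLowerCase();` line assumes the value is a string and that `ctx.host.os` already exists when `ctx.host.os.put('type', os)` runs, but the script's guard (in the preceding hunk) only checks `ctx.m365_defender?.vulnerability?.os_platform != null`. An empty-string `OSPlatform` passes that guard while the earlier `set host.os.platform` skips it via `ignore_empty_value`, so `host.os` may be absent at this point unless a processor outside my view creates it, and a non-string value would fail on `toLowerCase()`. Tightening the guard to `if: ctx.m365_defender?.vulnerability?.os_platform instanceof String && ctx.host?.os != null` covers both cases. The script processor begins in the preceding hunk.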
ignore_empty_value: true + field: host.os.name + value: '{{{host.os.platform}}} {{{host.os.version}}}' + ignore_failure: true + if: ctx.host?.os?.platform != null && ctx.host?.os?.version != null - convert: - field: json.affectedMachine.rbacGroupId - tag: convert_affectedMachine_rbacgroup_id_to_string - target_field: m365_defender.vulnerability.affected_machine.rbac_group_id + field: json.RbacGroupId + tag: convert_RbacGroupId_to_string + target_field: m365_defender.vulnerability.rbac_group_id type: string ignore_missing: true on_failure: 
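Review bot: The `set` that builds `host.os.name` (`field: host.os.name`, `value: '{{{host.os.platform}}} {{{host.os.version}}}'`) is the only processor on the new side of this hunk without a `tag:`, so it cannot be identified in `_simulate?verbose` output or matched against the other processors' naming scheme; add `tag: set_host_os_name_from_host_os_platform_and_host_os_version`. The removed code had the same omission, so this is pre-existing, but the block is being rewritten anyway. Since the processor also carries `ignore_failure: true`, the tag is the only way to see that it ran at all.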
@@ -472,168 +323,48 @@ processors: value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - set: field: group.id - tag: set_group_id_from_vulnerability_affected_machine_rbac_group_id - copy_from: m365_defender.vulnerability.affected_machine.rbac_group_id + tag: set_group_id_from_vulnerability_rbac_group_id + copy_from: m365_defender.vulnerability.rbac_group_id ignore_empty_value: true - rename: - field: json.affectedMachine.rbacGroupName - tag: rename_affectedMachine_rbacGroupName - target_field: m365_defender.vulnerability.affected_machine.rbac_group_name + field: json.RbacGroupName + tag: rename_RbacGroupName + target_field: m365_defender.vulnerability.rbac_group_name ignore_missing: true - set: field: group.name - tag: set_group_name_from_vulnerability_affected_machine_rbac_group_name - copy_from: m365_defender.vulnerability.affected_machine.rbac_group_name - ignore_empty_value: true - - rename: - field: json.affectedMachine.riskScore - tag: rename_riskScore - target_field: m365_defender.vulnerability.affected_machine.risk_score - ignore_missing: true - - set: - field: host.risk.calculated_level - tag: set_host_risk_calculated_level_from_vulnerability_affected_machine_risk_score - copy_from: m365_defender.vulnerability.affected_machine.risk_score + tag: set_group_name_from_vulnerability_rbac_group_name + copy_from: m365_defender.vulnerability.rbac_group_name ignore_empty_value: true - rename: - field: json.affectedMachine.severity - tag: rename_affectedMachine_severity - target_field: m365_defender.vulnerability.affected_machine.severity + field: json.RecommendationReference + tag: rename_RecommendationReference + target_field: m365_defender.vulnerability.recommendation_reference ignore_missing: true - rename: - field: json.affectedMachine.version - tag: rename_affectedMachine_version - target_field: 
m365_defender.vulnerability.affected_machine.version - ignore_missing: true - - set: - field: host.os.version - tag: set_host_os_version_from_vulnerability_affected_machine_version - copy_from: m365_defender.vulnerability.affected_machine.version - ignore_empty_value: true - - set: - field: host.os.name - value: '{{{host.os.platform}}} {{{host.os.version}}}' - ignore_failure: true - if: ctx.host?.os?.platform != null && ctx.host?.os?.version != null - - rename: - field: json.affectedMachine.vmMetadata.cloudProvider - tag: rename_affectedMachine_vmMetadata_cloudProvider - target_field: m365_defender.vulnerability.affected_machine.vmMetadata.cloud_provider - ignore_missing: true - - set: - field: cloud.provider - tag: set_cloud_provider_from_vulnerability_affected_machine_vmMetadata_cloud_provider - copy_from: m365_defender.vulnerability.affected_machine.vmMetadata.cloud_provider - ignore_empty_value: true - - lowercase: - field: cloud.provider - tag: lowercase_cloud_provider - ignore_missing: true - - rename: - field: json.affectedMachine.vmMetadata.resourceId - tag: rename_affectedMachine_vmMetadata_resourceId - target_field: m365_defender.vulnerability.affected_machine.vmMetadata.resource_id - ignore_missing: true - - set: - field: cloud.resource_id - tag: set_cloud_provider_from_vulnerability_affected_machine_vmMetadata_resource_id - copy_from: m365_defender.vulnerability.affected_machine.vmMetadata.resource_id - ignore_empty_value: true - - rename: - field: json.affectedMachine.vmMetadata.subscriptionId - tag: rename_affectedMachine_vmMetadata_subscriptionId - target_field: m365_defender.vulnerability.affected_machine.vmMetadata.subscription_id - ignore_missing: true - - rename: - field: json.affectedMachine.vmMetadata.vmId - tag: rename_affectedMachine_vmMetadata_vmId - target_field: m365_defender.vulnerability.affected_machine.vmMetadata.vm_id - ignore_missing: true - - set: - field: cloud.instance.id - tag: 
set_cloud_provider_from_vulnerability_affected_machine_vmMetadata_vm_id - copy_from: m365_defender.vulnerability.affected_machine.vmMetadata.vm_id - ignore_empty_value: true - - rename: - field: json.cveSupportability - tag: rename_cveSupportability - target_field: m365_defender.vulnerability.cve_supportability + field: json.RecommendedSecurityUpdate + tag: rename_RecommendedSecurityUpdate + target_field: m365_defender.vulnerability.recommended_security_update ignore_missing: true - convert: - field: json.cvssV3 - tag: convert_cvssV3_to_double - target_field: m365_defender.vulnerability.cvss_v3 - type: double + field: json.RecommendedSecurityUpdateId + tag: convert_RecommendedSecurityUpdateId_to_string + target_field: m365_defender.vulnerability.recommended_security_update_id + type: string ignore_missing: true on_failure: - append: field: error.message value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - - set: - field: vulnerability.score.base - tag: set_vulnerability_score_base_from_vulnerability_cvss_v3 - copy_from: m365_defender.vulnerability.cvss_v3 - ignore_empty_value: true - - set: - field: vulnerability.classification - tag: set_vulnerability_classification_from_vulnerability_cvss_v3 - value: CVSS - if: ctx.m365_defender?.vulnerability?.cvss_v3 != null - ignore_empty_value: true - - set: - field: vulnerability.scanner.vendor - tag: set_vulnerability_scanner_vendor - value: Microsoft - - rename: - field: json.cvssVector - tag: rename_cvssVector - target_field: m365_defender.vulnerability.cvss_vector - ignore_missing: true - - grok: - field: m365_defender.vulnerability.cvss_vector - tag: grok_to_extract_vulnerability_score_version - patterns: - - '^CVSS:%{DATA:vulnerability.score.version}/' - if: ctx.m365_defender?.vulnerability?.cvss_vector instanceof String - ignore_failure: true - rename: - field: 
json.description - tag: rename_description - target_field: m365_defender.vulnerability.description + field: json.RegistryPaths + tag: rename_RegistryPaths + target_field: m365_defender.vulnerability.registry_paths ignore_missing: true - - set: - field: vulnerability.description - tag: set_vulnerability_description_from_vulnerability_description - copy_from: m365_defender.vulnerability.description - ignore_empty_value: true - - set: - field: message - tag: set_message_from_vulnerability_description - copy_from: m365_defender.vulnerability.description - ignore_empty_value: true - - grok: - field: message - tag: grok_message_to_extract_vulnerability_summary_impact_remediation_and_fixed_version - patterns: - # remediation version is present - - 'Summary: %{DATA:m365_defender.vulnerability.summary} Impact: %{DATA:m365_defender.vulnerability.impact}(?: AdditionalInformation:%{GREEDYDATA})? Remediation: (?%{DATA}(?\d+(?:[.-]\d+)+)%{GREEDYDATA}\.)(?=(?:[^\.]*\[|$))' - # remediation version is not present - - 'Summary: %{DATA:m365_defender.vulnerability.summary} Impact: %{DATA:m365_defender.vulnerability.impact}(?: AdditionalInformation:%{GREEDYDATA})? Remediation: (?%{DATA}%{GREEDYDATA}\.)(?=(?:[^\.]*\[|$))' - ignore_failure: true - convert: - field: json.epss - tag: convert_epss_to_double - target_field: m365_defender.vulnerability.epss - type: double - ignore_missing: true - on_failure: - - append: - field: error.message - value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - - convert: - field: json.exploitInKit - tag: convert_exploitInKit_to_boolean - target_field: m365_defender.vulnerability.exploit_in_kit + field: json.SecurityUpdateAvailable + tag: convert_SecurityUpdateAvailable_to_boolean + target_field: m365_defender.vulnerability.security_update_available type: boolean ignore_missing: true on_failure: 
@@ -641,90 +372,30 @@ processors: field: error.message value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - rename: - field: json.exploitTypes - tag: rename_exploitTypes - target_field: m365_defender.vulnerability.exploit_types + field: json.SoftwareName + tag: rename_SoftwareName + target_field: m365_defender.vulnerability.software_name ignore_missing: true + - set: + field: package.name + tag: set_package_name_from_vulnerability_software_name + copy_from: m365_defender.vulnerability.software_name + ignore_empty_value: true - rename: - field: json.exploitUris - tag: rename_exploitUris - target_field: m365_defender.vulnerability.exploit_uris - ignore_missing: true - - convert: - field: json.exploitVerified - tag: convert_exploitVerified_to_boolean - target_field: m365_defender.vulnerability.exploit_verified - type: boolean + field: json.SoftwareVendor + tag: rename_SoftwareVendor + target_field: m365_defender.vulnerability.software_vendor ignore_missing: true - on_failure: - - append: - field: error.message - value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - - convert: - field: json.exposedMachines - tag: convert_exposedMachines_to_long - target_field: m365_defender.vulnerability.exposed_machines - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - - date: - field: json.firstDetected - tag: date_firstDetected - target_field: m365_defender.vulnerability.first_detected - formats: - - ISO8601 - if: 
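Review bot: This hunk removes the constant `set` of `vulnerability.scanner.vendor: Microsoft` together with the `vulnerability.score.base` and `vulnerability.classification: CVSS` sets that were driven by `cvssV3`, and nothing on the new side re-creates them. The scanner vendor does not depend on the export schema, and the new field mapping adds `cvss_score`, so both still apply; if they were not relocated to the `CvssScore` processors earlier in the file (outside this hunk), the ECS `vulnerability.scanner.vendor` and `vulnerability.score.base` fields will silently go empty. The lines below restore them, assuming the `CvssScore` convert targets `m365_defender.vulnerability.cvss_score` as the new `fields.yml` suggests; drop them if equivalents already exist upstream.
```yaml
# … unchanged: RbacGroupId / RbacGroupName / RecommendationReference processors …
  - set:
      field: vulnerability.scanner.vendor
      tag: set_vulnerability_scanner_vendor
      value: Microsoft
  - set:
      field: vulnerability.score.base
      tag: set_vulnerability_score_base_from_vulnerability_cvss_score
      copy_from: m365_defender.vulnerability.cvss_score
      ignore_empty_value: true
# … unchanged: RecommendedSecurityUpdate … SecurityUpdateAvailable processors …
```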
ctx.json?.firstDetected != null && ctx.json.firstDetected != '' - on_failure: - - append: - field: error.message - value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - rename: - field: json.id - tag: rename_id - target_field: m365_defender.vulnerability.id + field: json.SoftwareVersion + tag: rename_SoftwareVersion + target_field: m365_defender.vulnerability.software_version ignore_missing: true - set: - field: vulnerability.id - tag: set_vulnerability_id_from_vulnerability_id - copy_from: m365_defender.vulnerability.id - ignore_empty_value: true - - set: - field: vulnerability.cve - tag: set_vulnerability_cve_from_vulnerability_id - copy_from: m365_defender.vulnerability.id - ignore_empty_value: true - if: ctx.vulnerability?.id != null && ctx.vulnerability.id.toUpperCase().contains('CVE') == true - - set: - field: event.id - tag: set_event_id_from_vulnerability_id - copy_from: m365_defender.vulnerability.id + field: package.version + tag: set_package_version_from_vulnerability_software_version + copy_from: m365_defender.vulnerability.software_version ignore_empty_value: true - if: ctx.event?.id == null - - set: - field: vulnerability.reference - tag: set_vulnerability_reference_from_vulnerability_id - value: https://www.cve.org/CVERecord?id={{{vulnerability.id}}} - if: ctx.vulnerability?.id != null && ctx.vulnerability.id.toUpperCase().contains('CVE') == true - - script: - description: Dynamically set vulnerability.enumeration values. 
- tag: script_map_vulnerability_id - lang: painless - if: ctx.vulnerability?.id != null - params: - vulnerability_enumeration: - - CVE - - TVM - source: | - String vulnerability_id = ctx.m365_defender.vulnerability.id.toUpperCase(); - for (String enum: params.vulnerability_enumeration) { - if (vulnerability_id.contains(enum)) { - ctx.vulnerability.put('enumeration', enum); - return; - } - } - set: field: vulnerability.title tag: set_vulnerability_title_from_package_name_package_version_vulnerability_id 
@@ -741,90 +412,30 @@ processors: value: 'Vulnerability found - {{{vulnerability.id}}}' if: ctx.vulnerability?.id != null && ctx.vulnerability?.title == null - rename: - field: json.name - tag: rename_name - target_field: m365_defender.vulnerability.name - ignore_missing: true - - date: - field: json.patchFirstAvailable - tag: date_patchFirstAvailable - target_field: m365_defender.vulnerability.patch_first_available - formats: - - ISO8601 - if: ctx.json?.patchFirstAvailable != null && ctx.json.patchFirstAvailable != '' - on_failure: - - append: - field: error.message - value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - - convert: - field: json.publicExploit - tag: convert_publicExploit_to_boolean - target_field: m365_defender.vulnerability.public_exploit - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - - date: - field: json.publishedOn - tag: date_publishedOn - target_field: m365_defender.vulnerability.published_on - formats: - - ISO8601 - if: ctx.json?.publishedOn != null && ctx.json.publishedOn != '' - on_failure: - - append: - field: error.message - value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - - set: - field: vulnerability.published_date - tag: set_vulnerability_published_date_from_vulnerability_published_on - copy_from: m365_defender.vulnerability.published_on - ignore_empty_value: true - - rename: - field: json.severity - tag: rename_severity - target_field: m365_defender.vulnerability.severity + 
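Review bot: The removed `vulnerability.cve`, `vulnerability.reference` and `vulnerability.enumeration` derivations depended only on the record carrying a CVE identifier, which the new export still does via `CveId`, yet this hunk does not rebuild them from `m365_defender.vulnerability.cve_id`. If the `CveId` processors earlier in the file (outside this hunk) do not set them, those ECS fields are lost even though the later `remove_custom_duplicate_fields` list treats `cve_id` as copied to ECS. A `set` of `vulnerability.cve` with `copy_from: m365_defender.vulnerability.cve_id` and `if: ctx.m365_defender?.vulnerability?.cve_id != null`, plus the reference URL set built from it, would preserve them; please confirm against the upstream processors before adding.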
field: json.VulnerabilitySeverityLevel + tag: rename_VulnerabilitySeverityLevel + target_field: m365_defender.vulnerability.severity_level ignore_missing: true - set: field: vulnerability.severity - tag: set_vulnerability_severity_from_vulnerability_severity - copy_from: m365_defender.vulnerability.severity + tag: set_vulnerability_severity_from_vulnerability_severity_level + copy_from: m365_defender.vulnerability.severity_level ignore_empty_value: true - - rename: - field: json.tags - tag: rename_tags - target_field: m365_defender.vulnerability.tags - ignore_missing: true - - date: - field: json.updatedOn - tag: date_updatedOn - target_field: m365_defender.vulnerability.updated_on - formats: - - ISO8601 - if: ctx.json?.updatedOn != null && ctx.json.updatedOn != '' - on_failure: - - append: - field: error.message - value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - remove: field: - - m365_defender.vulnerability.affected_machine.computer_dns_name - - m365_defender.vulnerability.affected_machine.last_external_ip_address - - m365_defender.vulnerability.affected_machine.machine_id - - m365_defender.vulnerability.affected_machine.os_platform - - m365_defender.vulnerability.affected_machine.os_processor - - m365_defender.vulnerability.affected_machine.product_name - - m365_defender.vulnerability.affected_machine.product_version - - m365_defender.vulnerability.affected_machine.rbac_group_id - - m365_defender.vulnerability.affected_machine.rbac_group_name - - m365_defender.vulnerability.affected_machine.risk_score - - m365_defender.vulnerability.affected_machine.version - - m365_defender.vulnerability.cvss_v3 - - m365_defender.vulnerability.description + - m365_defender.vulnerability.cve_batch_title + - m365_defender.vulnerability.device_id + - m365_defender.vulnerability.device_name - m365_defender.vulnerability.id - 
- m365_defender.vulnerability.severity + - m365_defender.vulnerability.cve_id + - m365_defender.vulnerability.os_architecture + - m365_defender.vulnerability.os_platform + - m365_defender.vulnerability.os_version + - m365_defender.vulnerability.rbac_group_id + - m365_defender.vulnerability.rbac_group_name + - m365_defender.vulnerability.software_name + - m365_defender.vulnerability.software_version + - m365_defender.vulnerability.severity_level tag: remove_custom_duplicate_fields ignore_missing: true if: ctx.tags == null || !ctx.tags.contains('preserve_duplicate_custom_fields') diff --git a/packages/m365_defender/data_stream/vulnerability/fields/cloud.yml b/packages/m365_defender/data_stream/vulnerability/fields/cloud.yml deleted file mode 100644 index 226724e3c54..00000000000 --- a/packages/m365_defender/data_stream/vulnerability/fields/cloud.yml +++ /dev/null @@ -1,7 +0,0 @@ -- name: cloud - type: group - fields: - # Not an ECS field. Taken from OTEL cloud attributes. https://opentelemetry.io/docs/specs/semconv/registry/attributes/cloud/ - - name: resource_id - type: keyword - description: Cloud provider-specific native identifier of the monitored cloud resource. diff --git a/packages/m365_defender/data_stream/vulnerability/fields/fields.yml b/packages/m365_defender/data_stream/vulnerability/fields/fields.yml index 05aba0d696b..4fd5797f334 100644 --- a/packages/m365_defender/data_stream/vulnerability/fields/fields.yml +++ b/packages/m365_defender/data_stream/vulnerability/fields/fields.yml 
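Review bot: The rebuilt `remove_custom_duplicate_fields` list on the new side drops `m365_defender.vulnerability.cvss_v3` without adding `m365_defender.vulnerability.cvss_score`, so if `CvssScore` is copied into `vulnerability.score.base` (as `cvss_v3` was), that value is now stored twice even when `preserve_duplicate_custom_fields` is absent, contrary to the processor's intent. The same question applies to `cve_batch_url` if it is mapped to `vulnerability.reference`. Add `- m365_defender.vulnerability.cvss_score` (and any other field an earlier processor copies to ECS) to the list; `software_vendor` and the `recommended_*` fields are correctly left out, as nothing visible copies them.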
@@ -4,181 +4,77 @@ - name: vulnerability type: group fields: - - name: affected_machine - type: group - fields: - - name: aad_device_id - type: keyword - description: Microsoft Entra Device ID (when machine is Microsoft Entra joined). - - name: agent_version - type: keyword - - name: computer_dns_name - type: keyword - description: Machine fully qualified name. - - name: device_value - type: keyword - description: 'The value of the device. Possible values are: Normal, Low, and High.' - - name: exclusion_reason - type: keyword - - name: exposure_level - type: keyword - description: 'Exposure level as evaluated by Microsoft Defender for Endpoint. Possible values are: None, Low, Medium, and High.' - - name: first_seen - type: date - description: First date and time where the machine was observed by Microsoft Defender for Endpoint. - - name: fixing_kb_id - type: keyword - - name: health_status - type: keyword - description: 'machine health status. Possible values are: Active, Inactive, ImpairedCommunication, NoSensorData, NoSensorDataImpairedCommunication, and Unknown.' - - name: id - type: keyword - - name: ip_addresses - type: group - fields: - - name: ip_address - type: ip - - name: mac_address - type: keyword - - name: operational_status - type: keyword - - name: type - type: keyword - - name: is_aad_joined - type: boolean - - name: is_excluded - type: boolean - - name: is_potential_duplication - type: boolean - - name: last_external_ip_address - type: ip - description: Last IP through which the machine accessed the internet. - - name: last_ip_address - type: ip - description: Last IP on local NIC on the machine. - - name: last_seen - type: date - description: 'Time and date of the last received full device report. A device typically sends a full report every 24 hours. NOTE: This property doesn''t correspond to the last seen value in the UI. It pertains to the last device update.' - - name: machine_id - type: keyword - description: Machine identity. 
- - name: machine_tags - type: keyword - description: Set of machine tags. - - name: managed_by - type: keyword - - name: managed_by_status - type: keyword - - name: merged_into_machine_id - type: keyword - - name: onboarding_status - type: keyword - description: 'Status of machine onboarding. Possible values are: onboarded, CanBeOnboarded, Unsupported, and InsufficientInfo.' - - name: os_architecture - type: keyword - description: 'Operating system architecture. Possible values are: 32-bit, 64-bit. Use this property instead of osProcessor.' - - name: os_build - type: long - description: Operating system build number. - - name: os_platform - type: keyword - description: Operating system platform. - - name: os_processor - type: keyword - description: Operating system processor. Use osArchitecture property instead. - - name: os_version - type: keyword - - name: product_name - type: keyword - - name: product_vendor - type: keyword - - name: product_version - type: keyword - - name: rbac_group_id - type: keyword - description: Machine group ID. - - name: rbac_group_name - type: keyword - description: Machine group Name. - - name: risk_score - type: keyword - description: 'Risk score as evaluated by Microsoft Defender for Endpoint. Possible values are: None, Informational, Low, Medium, and High.' - - name: severity - type: keyword - - name: version - type: keyword - description: Operating system version. - - name: vmMetadata - type: group - fields: - - name: cloud_provider - type: keyword - - name: resource_id - type: keyword - - name: subscription_id - type: keyword - - name: vm_id - type: keyword - - name: cve_supportability - type: keyword - description: 'Possible values are: Supported, Not Supported, or SupportedInPremium.' - - name: cvss_v3 - type: double - description: CVSS v3 score. - - name: cvss_vector - type: keyword - description: A compressed textual representation that reflects the values used to derive the score. 
- - name: description - type: keyword - description: Vulnerability description. - - name: epss - type: double - description: Represents the probability that a vulnerability will be exploited. This probability is expressed as a number between 0 and 1 (0%-100%) according to the EPSS model. - - name: exploit_in_kit - type: boolean - description: Exploit is part of an exploit kit. - - name: exploit_types + - name: cve_batch_title type: keyword - description: 'Exploit affect. Possible values are: Local privilege escalation, Denial of service, or Local.' - - name: exploit_uris + - name: cve_batch_url type: keyword - description: Exploit source URLs. - - name: exploit_verified - type: boolean - description: Exploit is verified to work. - - name: exposed_machines - type: long - description: Number of exposed devices. - - name: first_detected - type: date - - name: id + - name: cve_id + type: keyword + description: Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system. + - name: cvss_score + type: float + description: The CVSS score of the CVE. + - name: device_id type: keyword - description: Vulnerability ID. - - name: impact + description: Unique identifier for the device in the service. + - name: device_name type: keyword - description: Impact of vulnerability. - - name: name + description: Fully qualified domain name (FQDN) of the device. + - name: disk_paths type: keyword - description: Vulnerability title. - - name: patch_first_available + description: Disk evidence that the product is installed on the device. + - name: exploitability_level + type: keyword + description: The exploitability level of this vulnerability (NoExploit, ExploitIsPublic, ExploitIsVerified, ExploitIsInKit) + - name: first_seen_timestamp type: date - - name: public_exploit + description: First time this product CVE was seen on the device. + - name: id + type: keyword + description: Unique identifier for the record. 
+ - name: is_onboarded type: boolean - description: Public exploit exists. - - name: published_on + - name: last_seen_timestamp type: date - description: Date when vulnerability was published. - - name: remediation + description: Last time the software was reported on the device. + - name: os_architecture type: keyword - description: Remediation fix for vulnerability to mitigate the problem. - - name: summary + description: Architecture of the operating system running on the device. + - name: os_platform type: keyword - description: Summary of vulnerability. - - name: severity + description: Platform of the operating system running on the device. + - name: os_version type: keyword - description: 'Vulnerability Severity. Possible values are: Low, Medium, High, or Critical.' - - name: tags + description: Version of the operating system running on the device. + - name: rbac_group_id type: keyword - - name: updated_on - type: date - description: Date when vulnerability was updated. + - name: rbac_group_name + type: keyword + description: The role-based access control (RBAC) group. + - name: recommendation_reference + type: keyword + description: A reference to the recommendation ID related to this software. + - name: recommended_security_update + type: keyword + description: Name or description of the security update provided by the software vendor to address the vulnerability. + - name: recommended_security_update_id + type: keyword + description: Identifier of the applicable security updates or identifier for the corresponding guidance or knowledge base (KB) articles. + - name: registry_paths + type: keyword + description: Registry evidence that the product is installed in the device. + - name: security_update_available + type: boolean + description: Indicates whether a security update is available for the software. + - name: severity_level + type: keyword + description: Severity level assigned to the security vulnerability based on the CVSS score. 
+ - name: software_name + type: keyword + description: Name of the software product. + - name: software_vendor + type: keyword + description: Name of the software vendor. + - name: software_version + type: keyword + description: Version number of the software product. diff --git a/packages/m365_defender/data_stream/vulnerability/manifest.yml b/packages/m365_defender/data_stream/vulnerability/manifest.yml index ab0060bfaa1..3c21ee2ed23 100644 --- a/packages/m365_defender/data_stream/vulnerability/manifest.yml +++ b/packages/m365_defender/data_stream/vulnerability/manifest.yml @@ -16,21 +16,14 @@ streams: required: true show_user: true default: 4h - - name: batch_size - type: integer - title: Batch Size - description: Specifies how many records to return in a single request of the M365 Defender Vulnerability API. + - name: sas_valid_hours + type: text + title: SAS Valid Hours + description: The number of hours that the Shared Access Signature (SAS) download URLs are valid for. Maximum is 6 hours. Supported unit for this parameter is 'h'. multi: false required: true show_user: false - default: 8000 - - name: affected_machines_only - type: bool - title: Collect vulnerabilities from affected machines only - description: Collect only vulnerabilities that have at least one affected machine. Vulnerabilities without any affected machines will not be ingested. - show_user: true - required: false - default: true + default: 1h - name: enable_request_tracer type: bool title: Enable request tracing diff --git a/packages/m365_defender/data_stream/vulnerability/sample_event.json b/packages/m365_defender/data_stream/vulnerability/sample_event.json index 887b5f51b43..716791c43b2 100644 --- a/packages/m365_defender/data_stream/vulnerability/sample_event.json +++ b/packages/m365_defender/data_stream/vulnerability/sample_event.json 
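Review bot: Four of the new field definitions have no `description` — `cve_batch_title`, `cve_batch_url`, `is_onboarded` and `rbac_group_id` — while every neighbouring field documents itself, and the `exploitability_level` description lacks the terminating period the others use. For `rbac_group_id` the deleted `affected_machine.rbac_group_id` wording `description: Machine group ID.` can be reused; for the others something like `description: Title of the vendor vulnerability batch the CVE belongs to.`, `description: URL of the vendor vulnerability batch the CVE belongs to.` and `description: Whether the device is onboarded to Microsoft Defender for Endpoint.` fits, but these are inferred from the sample event's `CveBatchTitle`/`CveBatchUrl`/`IsOnboarded` values and should be checked against the export schema before landing.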
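Review bot: `sas_valid_hours` is declared `type: text`, so nothing validates the value against the 6-hour maximum or the `h` unit the description mentions; a value such as `7h` or a bare `2` is only rejected, if at all, when the request is made. At minimum the description should state the accepted form and range and why the value matters, since a SAS URL is a bearer link for as long as it is valid, e.g. `description: Validity period of the Shared Access Signature (SAS) download URLs, as a duration with unit 'h' (for example '1h'). The API allows at most '6h'; use the shortest value that lets a collection cycle complete.` If Fleet-side validation is wanted, a bounded `type: integer` with the unit appended in the agent template is worth considering, though that changes the variable's contract with the template.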
@@ -1,23 +1,23 @@ { - "@timestamp": "2025-09-22T06:34:02.431Z", + "@timestamp": "2025-10-09T19:10:22.692Z", "agent": { - "ephemeral_id": "c97e03d7-6a28-488d-8a64-ac71a9ce85f0", - "id": "c9a38c4d-9001-4fe3-9294-60a4fe6e9670", - "name": "elastic-agent-36768", + "ephemeral_id": "9f70964b-0219-45a5-88a2-be94ab2bc4f8", + "id": "77997b14-cd08-4c4d-a99b-c05d0053d9e8", + "name": "elastic-agent-31393", "type": "filebeat", "version": "8.19.4" }, "data_stream": { "dataset": "m365_defender.vulnerability", - "namespace": "31433", + "namespace": "10793", "type": "logs" }, "ecs": { "version": "8.17.0" }, "elastic_agent": { - "id": "c9a38c4d-9001-4fe3-9294-60a4fe6e9670", - "snapshot": true, + "id": "77997b14-cd08-4c4d-a99b-c05d0053d9e8", + "snapshot": false, "version": "8.19.4" }, "event": { 
@@ -26,33 +26,28 @@ "vulnerability" ], "dataset": "m365_defender.vulnerability", - "id": "94819846155826828d1603b913c67fe336d81295-_-CVE-2025-3074-_-microsoft-_-edge_chromium-based-_-134.0.3124.72-_-", - "ingested": "2025-09-22T06:34:03Z", + "id": "1212121212121212121212_red_hat_kernel_0:5.14.0-427.42.1.el9_4_CVE-2022-49226", + "ingested": "2025-10-09T19:10:23Z", "kind": "event", - "original": "{\"affectedMachine\":{\"aadDeviceId\":null,\"agentVersion\":\"30.124092.2.0\",\"computerDnsName\":\"bdp3449-ub20-2-4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01\",\"cveId\":\"CVE-2025-3074\",\"deviceValue\":\"Normal\",\"exclusionReason\":null,\"exposureLevel\":\"Low\",\"firstSeen\":\"2025-01-08T13:05:05.3483549Z\",\"fixingKbId\":null,\"healthStatus\":\"Inactive\",\"id\":\"94819846155826828d1603b913c67fe336d81295-_-CVE-2025-3074-_-microsoft-_-edge_chromium-based-_-134.0.3124.72-_-\",\"ipAddresses\":[{\"ipAddress\":\"216.160.83.56\",\"macAddress\":\"000C2910F1DA\",\"operationalStatus\":\"Up\",\"type\":\"Other\"}],\"isAadJoined\":false,\"isExcluded\":false,\"isPotentialDuplication\":false,\"lastExternalIpAddress\":\"1.128.0.0\",\"lastIpAddress\":\"175.16.199.0\",\"lastSeen\":\"2025-01-08T13:15:03.694371Z\",\"machineId\":\"94819846155826828d1603b913c67fe336d81295\",\"machineTags\":[\"test tag\"],\"managedBy\":\"MicrosoftDefenderForEndpoint\",\"managedByStatus\":\"Success\",\"mergedIntoMachineId\":null,\"onboardingStatus\":\"Onboarded\",\"osArchitecture\":\"64-bit\",\"osBuild\":6,\"osPlatform\":\"Ubuntu\",\"osProcessor\":\"x64\",\"osVersion\":null,\"productName\":\"edge_chromium-based\",\"productVendor\":\"microsoft\",\"productVersion\":\"134.0.3124.72\",\"rbacGroupId\":0,\"rbacGroupName\":null,\"riskScore\":\"None\",\"severity\":\"Medium\",\"version\":\"20.4\",\"vmMetadata\":null},\"cveSupportability\":\"Supported\",\"cvssV3\":6.5,\"cvssVector\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C\",\"description\":\"Summary: An inappropriate implementation in the Downloads 
feature of Google Chrome versions prior to 135.0.7049.52 could allow a remote attacker to perform UI spoofing via a crafted HTML page. This vulnerability, classified with a low severity by Chromium, may also enable bypassing security restrictions when a victim visits a specially crafted website. Impact: Exploitation of this vulnerability could lead to UI spoofing or bypassing security restrictions, potentially compromising user trust and security. AdditionalInformation: This vulnerability is associated with Google Chrome and has implications for Microsoft Edge (Chromium-based) due to shared code ingestion. Refer to Google Chrome Releases for further details. Remediation: Apply the latest patches and updates provided by the respective vendors. [Generated by AI]\",\"epss\":0.00111,\"exploitInKit\":false,\"exploitTypes\":[],\"exploitUris\":[],\"exploitVerified\":false,\"exposedMachines\":2,\"firstDetected\":\"2025-04-01T19:52:39Z\",\"id\":\"CVE-2025-3074\",\"name\":\"CVE-2025-3074\",\"patchFirstAvailable\":null,\"publicExploit\":false,\"publishedOn\":\"2025-04-01T00:00:00Z\",\"severity\":\"Medium\",\"tags\":[\"test\"],\"updatedOn\":\"2025-04-08T00:00:00Z\"}", + "original": "{\"CveBatchTitle\":\"Red_hat February 2025 Vulnerabilities\",\"CveBatchUrl\":\"https://security.access.redhat.com/data/oval/v2/RHEL9/rhel-9.8-eus.oval.xml.bz2\",\"CveId\":\"CVE-2022-49226\",\"CvssScore\":5.5,\"DeviceId\":\"1212121212121212121212\",\"DeviceName\":\"sample-host-1\",\"ExploitabilityLevel\":\"NoExploit\",\"FirstSeenTimestamp\":\"2025-10-06 10:43:58\",\"Id\":\"1212121212121212121212_red_hat_kernel_0:5.14.0-427.42.1.el9_4_CVE-2022-49226\",\"IsOnboarded\":true,\"LastSeenTimestamp\":\"2025-10-06 
22:45:00\",\"OSArchitecture\":\"x64\",\"OSPlatform\":\"Linux\",\"OSVersion\":\"enterprise_linux_9.4\",\"RbacGroupId\":0,\"RbacGroupName\":\"Unassigned\",\"RecommendationReference\":\"va-_-red_hat-_-kernel\",\"RecommendedSecurityUpdate\":\"CVE-2022-49226_oval:com.redhat.rhsa:def:20249315\",\"RecommendedSecurityUpdateId\":\"RHSA-2024:9315\",\"RecommendedSecurityUpdateUrl\":\"https://access.redhat.com/errata/RHSA-2024:9315\",\"RegistryPaths\":[],\"SecurityUpdateAvailable\":true,\"SoftwareName\":\"kernel\",\"SoftwareVendor\":\"red_hat\",\"SoftwareVersion\":\"0:5.14.0-427.42.1.el9_4\",\"VulnerabilitySeverityLevel\":\"Medium\"}", "type": [ "info" ] }, "group": { - "id": "0" + "id": "0", + "name": "Unassigned" }, "host": { "architecture": "x64", - "hostname": "bdp3449-ub20-2-4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01", - "id": "94819846155826828d1603b913c67fe336d81295", - "ip": [ - "1.128.0.0" - ], - "name": "bdp3449-ub20-2-4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01", + "hostname": "sample-host-1", + "id": "1212121212121212121212", + "name": "sample-host-1", "os": { - "name": "Ubuntu 20.4", - "platform": "Ubuntu", + "name": "Linux enterprise_linux_9.4", + "platform": "Linux", "type": "linux", - "version": "20.4" - }, - "risk": { - "calculated_level": "None" + "version": "enterprise_linux_9.4" } }, "input": { 
@@ -60,93 +55,50 @@ }, "m365_defender": { "vulnerability": { - "affected_machine": { - "agent_version": "30.124092.2.0", - "computer_dns_name": "bdp3449-ub20-2-4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01", - "device_value": "Normal", - "exposure_level": "Low", - "first_seen": "2025-01-08T13:05:05.348Z", - "health_status": "Inactive", - "id": "94819846155826828d1603b913c67fe336d81295-_-CVE-2025-3074-_-microsoft-_-edge_chromium-based-_-134.0.3124.72-_-", - "ip_addresses": [ - { - "ip_address": "216.160.83.56", - "mac_address": "00-0C-29-10-F1-DA", - "operational_status": "Up", - "type": "Other" - } - ], - "is_aad_joined": false, - "is_excluded": false, - "is_potential_duplication": false, - "last_external_ip_address": "1.128.0.0", - "last_ip_address": "175.16.199.0", - "last_seen": "2025-01-08T13:15:03.694Z", - "machine_id": "94819846155826828d1603b913c67fe336d81295", - "machine_tags": [ - "test tag" - ], - "managed_by": "MicrosoftDefenderForEndpoint", - "managed_by_status": "Success", - "onboarding_status": "Onboarded", - "os_architecture": "64-bit", - "os_build": 6, - "os_platform": "Ubuntu", - "os_processor": "x64", - "product_name": "edge_chromium-based", - "product_vendor": "microsoft", - "product_version": "134.0.3124.72", - "rbac_group_id": "0", - "risk_score": "None", - "severity": "Medium", - "version": "20.4" - }, - "cve_supportability": "Supported", - "cvss_v3": 6.5, - "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C", - "description": "Summary: An inappropriate implementation in the Downloads feature of Google Chrome versions prior to 135.0.7049.52 could allow a remote attacker to perform UI spoofing via a crafted HTML page. This vulnerability, classified with a low severity by Chromium, may also enable bypassing security restrictions when a victim visits a specially crafted website. Impact: Exploitation of this vulnerability could lead to UI spoofing or bypassing security restrictions, potentially compromising user trust and security. 
AdditionalInformation: This vulnerability is associated with Google Chrome and has implications for Microsoft Edge (Chromium-based) due to shared code ingestion. Refer to Google Chrome Releases for further details. Remediation: Apply the latest patches and updates provided by the respective vendors. [Generated by AI]", - "epss": 0.00111, - "exploit_in_kit": false, - "exploit_verified": false, - "exposed_machines": 2, - "first_detected": "2025-04-01T19:52:39.000Z", - "id": "CVE-2025-3074", - "impact": "Exploitation of this vulnerability could lead to UI spoofing or bypassing security restrictions, potentially compromising user trust and security.", - "name": "CVE-2025-3074", - "public_exploit": false, - "published_on": "2025-04-01T00:00:00.000Z", - "remediation": "Apply the latest patches and updates provided by the respective vendors.", - "severity": "Medium", - "summary": "An inappropriate implementation in the Downloads feature of Google Chrome versions prior to 135.0.7049.52 could allow a remote attacker to perform UI spoofing via a crafted HTML page. 
This vulnerability, classified with a low severity by Chromium, may also enable bypassing security restrictions when a victim visits a specially crafted website.", - "tags": [ - "test" - ], - "updated_on": "2025-04-08T00:00:00.000Z" + "cve_batch_title": "Red_hat February 2025 Vulnerabilities", + "cve_batch_url": "https://security.access.redhat.com/data/oval/v2/RHEL9/rhel-9.8-eus.oval.xml.bz2", + "cve_id": "CVE-2022-49226", + "cvss_score": 5.5, + "device_id": "1212121212121212121212", + "device_name": "sample-host-1", + "exploitability_level": "NoExploit", + "first_seen_timestamp": "2025-10-06T10:43:58.000Z", + "id": "1212121212121212121212_red_hat_kernel_0:5.14.0-427.42.1.el9_4_CVE-2022-49226", + "is_onboarded": true, + "last_seen_timestamp": "2025-10-06T22:45:00.000Z", + "os_architecture": "x64", + "os_platform": "Linux", + "os_version": "enterprise_linux_9.4", + "rbac_group_id": "0", + "rbac_group_name": "Unassigned", + "recommendation_reference": "va-_-red_hat-_-kernel", + "recommended_security_update": "CVE-2022-49226_oval:com.redhat.rhsa:def:20249315", + "recommended_security_update_id": "RHSA-2024:9315", + "security_update_available": true, + "severity_level": "Medium", + "software_name": "kernel", + "software_vendor": "red_hat", + "software_version": "0:5.14.0-427.42.1.el9_4" } }, - "message": "Summary: An inappropriate implementation in the Downloads feature of Google Chrome versions prior to 135.0.7049.52 could allow a remote attacker to perform UI spoofing via a crafted HTML page. This vulnerability, classified with a low severity by Chromium, may also enable bypassing security restrictions when a victim visits a specially crafted website. Impact: Exploitation of this vulnerability could lead to UI spoofing or bypassing security restrictions, potentially compromising user trust and security. AdditionalInformation: This vulnerability is associated with Google Chrome and has implications for Microsoft Edge (Chromium-based) due to shared code ingestion. 
Refer to Google Chrome Releases for further details. Remediation: Apply the latest patches and updates provided by the respective vendors. [Generated by AI]", + "message": "Red_hat February 2025 Vulnerabilities", "observer": { "product": "Microsoft 365 Defender", "vendor": "Microsoft" }, "package": { - "name": "edge_chromium-based", - "version": "134.0.3124.72" + "name": "kernel", + "version": "0:5.14.0-427.42.1.el9_4" }, "related": { "hosts": [ - "bdp3449-ub20-2-4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01", - "94819846155826828d1603b913c67fe336d81295" - ], - "ip": [ - "216.160.83.56", - "1.128.0.0", - "175.16.199.0" + "1212121212121212121212", + "sample-host-1" ] }, "resource": { - "id": "94819846155826828d1603b913c67fe336d81295", - "name": "bdp3449-ub20-2-4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01" + "id": "1212121212121212121212", + "name": "sample-host-1" }, "tags": [ "preserve_original_event", 
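Review bot: The new `m365_defender.vulnerability` object has no `recommended_security_update_url`, although `event.original` in the preceding hunk carries `RecommendedSecurityUpdateUrl` (the Red Hat errata link), so the pipeline appears to drop that value; if that is intentional it should be documented, otherwise it is the one field here an analyst would actually follow to remediate. The source timestamps `FirstSeenTimestamp`/`LastSeenTimestamp` carry no zone (`2025-10-06 10:43:58`) and come out as `2025-10-06T10:43:58.000Z`, so the pipeline presumably assumes UTC — worth confirming against the export API's documentation and stating in the field descriptions, since a wrong offset shifts first/last-seen by hours. Because sample_event.json is generated, both fixes belong in the ingest pipeline and the fields definitions, which are outside this chunk.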
@@ -156,20 +108,17 @@
 ],
 "vulnerability": {
 "classification": "CVSS",
- "cve": "CVE-2025-3074",
- "description": "Summary: An inappropriate implementation in the Downloads feature of Google Chrome versions prior to 135.0.7049.52 could allow a remote attacker to perform UI spoofing via a crafted HTML page. This vulnerability, classified with a low severity by Chromium, may also enable bypassing security restrictions when a victim visits a specially crafted website. Impact: Exploitation of this vulnerability could lead to UI spoofing or bypassing security restrictions, potentially compromising user trust and security. AdditionalInformation: This vulnerability is associated with Google Chrome and has implications for Microsoft Edge (Chromium-based) due to shared code ingestion. Refer to Google Chrome Releases for further details. Remediation: Apply the latest patches and updates provided by the respective vendors. [Generated by AI]",
+ "cve": "CVE-2022-49226",
 "enumeration": "CVE",
- "id": "CVE-2025-3074",
- "published_date": "2025-04-01T00:00:00.000Z",
- "reference": "https://www.cve.org/CVERecord?id=CVE-2025-3074",
+ "id": "CVE-2022-49226",
+ "reference": "https://www.cve.org/CVERecord?id=CVE-2022-49226",
 "scanner": {
 "vendor": "Microsoft"
 },
 "score": {
- "base": 6.5,
- "version": "3.1"
+ "base": 5.5
 },
 "severity": "Medium",
- "title": "Vulnerability found in edge_chromium-based 134.0.3124.72 - CVE-2025-3074"
+ "title": "Vulnerability found in kernel 0:5.14.0-427.42.1.el9_4 - CVE-2022-49226"
 }
 }
diff --git a/packages/m365_defender/docs/README.md b/packages/m365_defender/docs/README.md
index 9482fdf1e7a..0dfd917b559 100644
--- a/packages/m365_defender/docs/README.md
+++ b/packages/m365_defender/docs/README.md
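Review bot: `vulnerability.score.version` disappears on the new side while `vulnerability.classification` stays `CVSS` and `score.base` is filled from `CvssScore`, so consumers can no longer tell which CVSS version the `5.5` is on (v2, v3 and v4 scales are not comparable). If the export API documents the version, set it as a constant in the pipeline; if it does not, say so in the `m365_defender.vulnerability.cvss_score` field description. The sample file is generated, so the change belongs in the pipeline and fields, outside this hunk.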
@@ -1516,25 +1516,25 @@ An example event for `vulnerability` looks as following:
 ```json
 {
- "@timestamp": "2025-09-22T06:34:02.431Z",
+ "@timestamp": "2025-10-09T19:10:22.692Z",
 "agent": {
- "ephemeral_id": "c97e03d7-6a28-488d-8a64-ac71a9ce85f0",
- "id": "c9a38c4d-9001-4fe3-9294-60a4fe6e9670",
- "name": "elastic-agent-36768",
+ "ephemeral_id": "9f70964b-0219-45a5-88a2-be94ab2bc4f8",
+ "id": "77997b14-cd08-4c4d-a99b-c05d0053d9e8",
+ "name": "elastic-agent-31393",
 "type": "filebeat",
 "version": "8.19.4"
 },
 "data_stream": {
 "dataset": "m365_defender.vulnerability",
- "namespace": "31433",
+ "namespace": "10793",
 "type": "logs"
 },
 "ecs": {
 "version": "8.17.0"
 },
 "elastic_agent": {
- "id": "c9a38c4d-9001-4fe3-9294-60a4fe6e9670",
- "snapshot": true,
+ "id": "77997b14-cd08-4c4d-a99b-c05d0053d9e8",
+ "snapshot": false,
 "version": "8.19.4"
 },
 "event": {
@@ -1543,33 +1543,28 @@ An example event for `vulnerability` looks as following: "vulnerability" ], "dataset": "m365_defender.vulnerability", - "id": "94819846155826828d1603b913c67fe336d81295-_-CVE-2025-3074-_-microsoft-_-edge_chromium-based-_-134.0.3124.72-_-", - "ingested": "2025-09-22T06:34:03Z", + "id": "1212121212121212121212_red_hat_kernel_0:5.14.0-427.42.1.el9_4_CVE-2022-49226", + "ingested": "2025-10-09T19:10:23Z", "kind": "event", - "original": "{\"affectedMachine\":{\"aadDeviceId\":null,\"agentVersion\":\"30.124092.2.0\",\"computerDnsName\":\"bdp3449-ub20-2-4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01\",\"cveId\":\"CVE-2025-3074\",\"deviceValue\":\"Normal\",\"exclusionReason\":null,\"exposureLevel\":\"Low\",\"firstSeen\":\"2025-01-08T13:05:05.3483549Z\",\"fixingKbId\":null,\"healthStatus\":\"Inactive\",\"id\":\"94819846155826828d1603b913c67fe336d81295-_-CVE-2025-3074-_-microsoft-_-edge_chromium-based-_-134.0.3124.72-_-\",\"ipAddresses\":[{\"ipAddress\":\"216.160.83.56\",\"macAddress\":\"000C2910F1DA\",\"operationalStatus\":\"Up\",\"type\":\"Other\"}],\"isAadJoined\":false,\"isExcluded\":false,\"isPotentialDuplication\":false,\"lastExternalIpAddress\":\"1.128.0.0\",\"lastIpAddress\":\"175.16.199.0\",\"lastSeen\":\"2025-01-08T13:15:03.694371Z\",\"machineId\":\"94819846155826828d1603b913c67fe336d81295\",\"machineTags\":[\"test 
tag\"],\"managedBy\":\"MicrosoftDefenderForEndpoint\",\"managedByStatus\":\"Success\",\"mergedIntoMachineId\":null,\"onboardingStatus\":\"Onboarded\",\"osArchitecture\":\"64-bit\",\"osBuild\":6,\"osPlatform\":\"Ubuntu\",\"osProcessor\":\"x64\",\"osVersion\":null,\"productName\":\"edge_chromium-based\",\"productVendor\":\"microsoft\",\"productVersion\":\"134.0.3124.72\",\"rbacGroupId\":0,\"rbacGroupName\":null,\"riskScore\":\"None\",\"severity\":\"Medium\",\"version\":\"20.4\",\"vmMetadata\":null},\"cveSupportability\":\"Supported\",\"cvssV3\":6.5,\"cvssVector\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C\",\"description\":\"Summary: An inappropriate implementation in the Downloads feature of Google Chrome versions prior to 135.0.7049.52 could allow a remote attacker to perform UI spoofing via a crafted HTML page. This vulnerability, classified with a low severity by Chromium, may also enable bypassing security restrictions when a victim visits a specially crafted website. Impact: Exploitation of this vulnerability could lead to UI spoofing or bypassing security restrictions, potentially compromising user trust and security. AdditionalInformation: This vulnerability is associated with Google Chrome and has implications for Microsoft Edge (Chromium-based) due to shared code ingestion. Refer to Google Chrome Releases for further details. Remediation: Apply the latest patches and updates provided by the respective vendors. 
[Generated by AI]\",\"epss\":0.00111,\"exploitInKit\":false,\"exploitTypes\":[],\"exploitUris\":[],\"exploitVerified\":false,\"exposedMachines\":2,\"firstDetected\":\"2025-04-01T19:52:39Z\",\"id\":\"CVE-2025-3074\",\"name\":\"CVE-2025-3074\",\"patchFirstAvailable\":null,\"publicExploit\":false,\"publishedOn\":\"2025-04-01T00:00:00Z\",\"severity\":\"Medium\",\"tags\":[\"test\"],\"updatedOn\":\"2025-04-08T00:00:00Z\"}", + "original": "{\"CveBatchTitle\":\"Red_hat February 2025 Vulnerabilities\",\"CveBatchUrl\":\"https://security.access.redhat.com/data/oval/v2/RHEL9/rhel-9.8-eus.oval.xml.bz2\",\"CveId\":\"CVE-2022-49226\",\"CvssScore\":5.5,\"DeviceId\":\"1212121212121212121212\",\"DeviceName\":\"sample-host-1\",\"ExploitabilityLevel\":\"NoExploit\",\"FirstSeenTimestamp\":\"2025-10-06 10:43:58\",\"Id\":\"1212121212121212121212_red_hat_kernel_0:5.14.0-427.42.1.el9_4_CVE-2022-49226\",\"IsOnboarded\":true,\"LastSeenTimestamp\":\"2025-10-06 22:45:00\",\"OSArchitecture\":\"x64\",\"OSPlatform\":\"Linux\",\"OSVersion\":\"enterprise_linux_9.4\",\"RbacGroupId\":0,\"RbacGroupName\":\"Unassigned\",\"RecommendationReference\":\"va-_-red_hat-_-kernel\",\"RecommendedSecurityUpdate\":\"CVE-2022-49226_oval:com.redhat.rhsa:def:20249315\",\"RecommendedSecurityUpdateId\":\"RHSA-2024:9315\",\"RecommendedSecurityUpdateUrl\":\"https://access.redhat.com/errata/RHSA-2024:9315\",\"RegistryPaths\":[],\"SecurityUpdateAvailable\":true,\"SoftwareName\":\"kernel\",\"SoftwareVendor\":\"red_hat\",\"SoftwareVersion\":\"0:5.14.0-427.42.1.el9_4\",\"VulnerabilitySeverityLevel\":\"Medium\"}", "type": [ "info" ] }, "group": { - "id": "0" + "id": "0", + "name": "Unassigned" }, "host": { "architecture": "x64", - "hostname": "bdp3449-ub20-2-4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01", - "id": "94819846155826828d1603b913c67fe336d81295", - "ip": [ - "1.128.0.0" - ], - "name": "bdp3449-ub20-2-4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01", + "hostname": "sample-host-1", + "id": "1212121212121212121212", + "name": 
"sample-host-1", "os": { - "name": "Ubuntu 20.4", - "platform": "Ubuntu", + "name": "Linux enterprise_linux_9.4", + "platform": "Linux", "type": "linux", - "version": "20.4" - }, - "risk": { - "calculated_level": "None" + "version": "enterprise_linux_9.4" } }, "input": { 
@@ -1577,93 +1572,50 @@ An example event for `vulnerability` looks as following: }, "m365_defender": { "vulnerability": { - "affected_machine": { - "agent_version": "30.124092.2.0", - "computer_dns_name": "bdp3449-ub20-2-4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01", - "device_value": "Normal", - "exposure_level": "Low", - "first_seen": "2025-01-08T13:05:05.348Z", - "health_status": "Inactive", - "id": "94819846155826828d1603b913c67fe336d81295-_-CVE-2025-3074-_-microsoft-_-edge_chromium-based-_-134.0.3124.72-_-", - "ip_addresses": [ - { - "ip_address": "216.160.83.56", - "mac_address": "00-0C-29-10-F1-DA", - "operational_status": "Up", - "type": "Other" - } - ], - "is_aad_joined": false, - "is_excluded": false, - "is_potential_duplication": false, - "last_external_ip_address": "1.128.0.0", - "last_ip_address": "175.16.199.0", - "last_seen": "2025-01-08T13:15:03.694Z", - "machine_id": "94819846155826828d1603b913c67fe336d81295", - "machine_tags": [ - "test tag" - ], - "managed_by": "MicrosoftDefenderForEndpoint", - "managed_by_status": "Success", - "onboarding_status": "Onboarded", - "os_architecture": "64-bit", - "os_build": 6, - "os_platform": "Ubuntu", - "os_processor": "x64", - "product_name": "edge_chromium-based", - "product_vendor": "microsoft", - "product_version": "134.0.3124.72", - "rbac_group_id": "0", - "risk_score": "None", - "severity": "Medium", - "version": "20.4" - }, - "cve_supportability": "Supported", - "cvss_v3": 6.5, - "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C", - "description": "Summary: An inappropriate implementation in the Downloads feature of Google Chrome versions prior to 135.0.7049.52 could allow a remote attacker to perform UI spoofing via a crafted HTML page. This vulnerability, classified with a low severity by Chromium, may also enable bypassing security restrictions when a victim visits a specially crafted website. 
Impact: Exploitation of this vulnerability could lead to UI spoofing or bypassing security restrictions, potentially compromising user trust and security. AdditionalInformation: This vulnerability is associated with Google Chrome and has implications for Microsoft Edge (Chromium-based) due to shared code ingestion. Refer to Google Chrome Releases for further details. Remediation: Apply the latest patches and updates provided by the respective vendors. [Generated by AI]", - "epss": 0.00111, - "exploit_in_kit": false, - "exploit_verified": false, - "exposed_machines": 2, - "first_detected": "2025-04-01T19:52:39.000Z", - "id": "CVE-2025-3074", - "impact": "Exploitation of this vulnerability could lead to UI spoofing or bypassing security restrictions, potentially compromising user trust and security.", - "name": "CVE-2025-3074", - "public_exploit": false, - "published_on": "2025-04-01T00:00:00.000Z", - "remediation": "Apply the latest patches and updates provided by the respective vendors.", - "severity": "Medium", - "summary": "An inappropriate implementation in the Downloads feature of Google Chrome versions prior to 135.0.7049.52 could allow a remote attacker to perform UI spoofing via a crafted HTML page. 
This vulnerability, classified with a low severity by Chromium, may also enable bypassing security restrictions when a victim visits a specially crafted website.", - "tags": [ - "test" - ], - "updated_on": "2025-04-08T00:00:00.000Z" + "cve_batch_title": "Red_hat February 2025 Vulnerabilities", + "cve_batch_url": "https://security.access.redhat.com/data/oval/v2/RHEL9/rhel-9.8-eus.oval.xml.bz2", + "cve_id": "CVE-2022-49226", + "cvss_score": 5.5, + "device_id": "1212121212121212121212", + "device_name": "sample-host-1", + "exploitability_level": "NoExploit", + "first_seen_timestamp": "2025-10-06T10:43:58.000Z", + "id": "1212121212121212121212_red_hat_kernel_0:5.14.0-427.42.1.el9_4_CVE-2022-49226", + "is_onboarded": true, + "last_seen_timestamp": "2025-10-06T22:45:00.000Z", + "os_architecture": "x64", + "os_platform": "Linux", + "os_version": "enterprise_linux_9.4", + "rbac_group_id": "0", + "rbac_group_name": "Unassigned", + "recommendation_reference": "va-_-red_hat-_-kernel", + "recommended_security_update": "CVE-2022-49226_oval:com.redhat.rhsa:def:20249315", + "recommended_security_update_id": "RHSA-2024:9315", + "security_update_available": true, + "severity_level": "Medium", + "software_name": "kernel", + "software_vendor": "red_hat", + "software_version": "0:5.14.0-427.42.1.el9_4" } }, - "message": "Summary: An inappropriate implementation in the Downloads feature of Google Chrome versions prior to 135.0.7049.52 could allow a remote attacker to perform UI spoofing via a crafted HTML page. This vulnerability, classified with a low severity by Chromium, may also enable bypassing security restrictions when a victim visits a specially crafted website. Impact: Exploitation of this vulnerability could lead to UI spoofing or bypassing security restrictions, potentially compromising user trust and security. AdditionalInformation: This vulnerability is associated with Google Chrome and has implications for Microsoft Edge (Chromium-based) due to shared code ingestion. 
Refer to Google Chrome Releases for further details. Remediation: Apply the latest patches and updates provided by the respective vendors. [Generated by AI]", + "message": "Red_hat February 2025 Vulnerabilities", "observer": { "product": "Microsoft 365 Defender", "vendor": "Microsoft" }, "package": { - "name": "edge_chromium-based", - "version": "134.0.3124.72" + "name": "kernel", + "version": "0:5.14.0-427.42.1.el9_4" }, "related": { "hosts": [ - "bdp3449-ub20-2-4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01", - "94819846155826828d1603b913c67fe336d81295" - ], - "ip": [ - "216.160.83.56", - "1.128.0.0", - "175.16.199.0" + "1212121212121212121212", + "sample-host-1" ] }, "resource": { - "id": "94819846155826828d1603b913c67fe336d81295", - "name": "bdp3449-ub20-2-4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01" + "id": "1212121212121212121212", + "name": "sample-host-1" }, "tags": [ "preserve_original_event", 
@@ -1673,21 +1625,18 @@ An example event for `vulnerability` looks as following:
 ],
 "vulnerability": {
 "classification": "CVSS",
- "cve": "CVE-2025-3074",
- "description": "Summary: An inappropriate implementation in the Downloads feature of Google Chrome versions prior to 135.0.7049.52 could allow a remote attacker to perform UI spoofing via a crafted HTML page. This vulnerability, classified with a low severity by Chromium, may also enable bypassing security restrictions when a victim visits a specially crafted website. Impact: Exploitation of this vulnerability could lead to UI spoofing or bypassing security restrictions, potentially compromising user trust and security. AdditionalInformation: This vulnerability is associated with Google Chrome and has implications for Microsoft Edge (Chromium-based) due to shared code ingestion. Refer to Google Chrome Releases for further details. Remediation: Apply the latest patches and updates provided by the respective vendors. [Generated by AI]",
+ "cve": "CVE-2022-49226",
 "enumeration": "CVE",
- "id": "CVE-2025-3074",
- "published_date": "2025-04-01T00:00:00.000Z",
- "reference": "https://www.cve.org/CVERecord?id=CVE-2025-3074",
+ "id": "CVE-2022-49226",
+ "reference": "https://www.cve.org/CVERecord?id=CVE-2022-49226",
 "scanner": {
 "vendor": "Microsoft"
 },
 "score": {
- "base": 6.5,
- "version": "3.1"
+ "base": 5.5
 },
 "severity": "Medium",
- "title": "Vulnerability found in edge_chromium-based 134.0.3124.72 - CVE-2025-3074"
+ "title": "Vulnerability found in kernel 0:5.14.0-427.42.1.el9_4 - CVE-2022-49226"
 }
 }
 ```
@@ -1697,7 +1646,6 @@ An example event for `vulnerability` looks as following:
 | Field | Description | Type |
 |---|---|---|
 | @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
-| cloud.resource_id | Cloud provider-specific native identifier of the monitored cloud resource. | keyword |
 | data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword |
 | data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword |
 | data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword |
@@ -1707,71 +1655,32 @@ An example event for `vulnerability` looks as following: | log.file.device_id | Device Id of the log file this event came from. | keyword | | log.file.inode | Inode number of the log file. | keyword | | log.offset | Log offset. | long | -| m365_defender.vulnerability.affected_machine.aad_device_id | Microsoft Entra Device ID (when machine is Microsoft Entra joined). | keyword | -| m365_defender.vulnerability.affected_machine.agent_version | | keyword | -| m365_defender.vulnerability.affected_machine.computer_dns_name | Machine fully qualified name. | keyword | -| m365_defender.vulnerability.affected_machine.device_value | The value of the device. Possible values are: Normal, Low, and High. | keyword | -| m365_defender.vulnerability.affected_machine.exclusion_reason | | keyword | -| m365_defender.vulnerability.affected_machine.exposure_level | Exposure level as evaluated by Microsoft Defender for Endpoint. Possible values are: None, Low, Medium, and High. | keyword | -| m365_defender.vulnerability.affected_machine.first_seen | First date and time where the machine was observed by Microsoft Defender for Endpoint. | date | -| m365_defender.vulnerability.affected_machine.fixing_kb_id | | keyword | -| m365_defender.vulnerability.affected_machine.health_status | machine health status. Possible values are: Active, Inactive, ImpairedCommunication, NoSensorData, NoSensorDataImpairedCommunication, and Unknown. 
| keyword | -| m365_defender.vulnerability.affected_machine.id | | keyword | -| m365_defender.vulnerability.affected_machine.ip_addresses.ip_address | | ip | -| m365_defender.vulnerability.affected_machine.ip_addresses.mac_address | | keyword | -| m365_defender.vulnerability.affected_machine.ip_addresses.operational_status | | keyword | -| m365_defender.vulnerability.affected_machine.ip_addresses.type | | keyword | -| m365_defender.vulnerability.affected_machine.is_aad_joined | | boolean | -| m365_defender.vulnerability.affected_machine.is_excluded | | boolean | -| m365_defender.vulnerability.affected_machine.is_potential_duplication | | boolean | -| m365_defender.vulnerability.affected_machine.last_external_ip_address | Last IP through which the machine accessed the internet. | ip | -| m365_defender.vulnerability.affected_machine.last_ip_address | Last IP on local NIC on the machine. | ip | -| m365_defender.vulnerability.affected_machine.last_seen | Time and date of the last received full device report. A device typically sends a full report every 24 hours. NOTE: This property doesn't correspond to the last seen value in the UI. It pertains to the last device update. | date | -| m365_defender.vulnerability.affected_machine.machine_id | Machine identity. | keyword | -| m365_defender.vulnerability.affected_machine.machine_tags | Set of machine tags. | keyword | -| m365_defender.vulnerability.affected_machine.managed_by | | keyword | -| m365_defender.vulnerability.affected_machine.managed_by_status | | keyword | -| m365_defender.vulnerability.affected_machine.merged_into_machine_id | | keyword | -| m365_defender.vulnerability.affected_machine.onboarding_status | Status of machine onboarding. Possible values are: onboarded, CanBeOnboarded, Unsupported, and InsufficientInfo. | keyword | -| m365_defender.vulnerability.affected_machine.os_architecture | Operating system architecture. Possible values are: 32-bit, 64-bit. Use this property instead of osProcessor. 
| keyword | -| m365_defender.vulnerability.affected_machine.os_build | Operating system build number. | long | -| m365_defender.vulnerability.affected_machine.os_platform | Operating system platform. | keyword | -| m365_defender.vulnerability.affected_machine.os_processor | Operating system processor. Use osArchitecture property instead. | keyword | -| m365_defender.vulnerability.affected_machine.os_version | | keyword | -| m365_defender.vulnerability.affected_machine.product_name | | keyword | -| m365_defender.vulnerability.affected_machine.product_vendor | | keyword | -| m365_defender.vulnerability.affected_machine.product_version | | keyword | -| m365_defender.vulnerability.affected_machine.rbac_group_id | Machine group ID. | keyword | -| m365_defender.vulnerability.affected_machine.rbac_group_name | Machine group Name. | keyword | -| m365_defender.vulnerability.affected_machine.risk_score | Risk score as evaluated by Microsoft Defender for Endpoint. Possible values are: None, Informational, Low, Medium, and High. | keyword | -| m365_defender.vulnerability.affected_machine.severity | | keyword | -| m365_defender.vulnerability.affected_machine.version | Operating system version. | keyword | -| m365_defender.vulnerability.affected_machine.vmMetadata.cloud_provider | | keyword | -| m365_defender.vulnerability.affected_machine.vmMetadata.resource_id | | keyword | -| m365_defender.vulnerability.affected_machine.vmMetadata.subscription_id | | keyword | -| m365_defender.vulnerability.affected_machine.vmMetadata.vm_id | | keyword | -| m365_defender.vulnerability.cve_supportability | Possible values are: Supported, Not Supported, or SupportedInPremium. | keyword | -| m365_defender.vulnerability.cvss_v3 | CVSS v3 score. | double | -| m365_defender.vulnerability.cvss_vector | A compressed textual representation that reflects the values used to derive the score. | keyword | -| m365_defender.vulnerability.description | Vulnerability description. 
| keyword | -| m365_defender.vulnerability.epss | Represents the probability that a vulnerability will be exploited. This probability is expressed as a number between 0 and 1 (0%-100%) according to the EPSS model. | double | -| m365_defender.vulnerability.exploit_in_kit | Exploit is part of an exploit kit. | boolean | -| m365_defender.vulnerability.exploit_types | Exploit affect. Possible values are: Local privilege escalation, Denial of service, or Local. | keyword | -| m365_defender.vulnerability.exploit_uris | Exploit source URLs. | keyword | -| m365_defender.vulnerability.exploit_verified | Exploit is verified to work. | boolean | -| m365_defender.vulnerability.exposed_machines | Number of exposed devices. | long | -| m365_defender.vulnerability.first_detected | | date | -| m365_defender.vulnerability.id | Vulnerability ID. | keyword | -| m365_defender.vulnerability.impact | Impact of vulnerability. | keyword | -| m365_defender.vulnerability.name | Vulnerability title. | keyword | -| m365_defender.vulnerability.patch_first_available | | date | -| m365_defender.vulnerability.public_exploit | Public exploit exists. | boolean | -| m365_defender.vulnerability.published_on | Date when vulnerability was published. | date | -| m365_defender.vulnerability.remediation | Remediation fix for vulnerability to mitigate the problem. | keyword | -| m365_defender.vulnerability.severity | Vulnerability Severity. Possible values are: Low, Medium, High, or Critical. | keyword | -| m365_defender.vulnerability.summary | Summary of vulnerability. | keyword | -| m365_defender.vulnerability.tags | | keyword | -| m365_defender.vulnerability.updated_on | Date when vulnerability was updated. | date | +| m365_defender.vulnerability.cve_batch_title | | keyword | +| m365_defender.vulnerability.cve_batch_url | | keyword | +| m365_defender.vulnerability.cve_id | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system. 
| keyword | +| m365_defender.vulnerability.cvss_score | The CVSS score of the CVE. | float | +| m365_defender.vulnerability.device_id | Unique identifier for the device in the service. | keyword | +| m365_defender.vulnerability.device_name | Fully qualified domain name (FQDN) of the device. | keyword | +| m365_defender.vulnerability.disk_paths | Disk evidence that the product is installed on the device. | keyword | +| m365_defender.vulnerability.exploitability_level | The exploitability level of this vulnerability (NoExploit, ExploitIsPublic, ExploitIsVerified, ExploitIsInKit) | keyword | +| m365_defender.vulnerability.first_seen_timestamp | First time this product CVE was seen on the device. | date | +| m365_defender.vulnerability.id | Unique identifier for the record. | keyword | +| m365_defender.vulnerability.is_onboarded | | boolean | +| m365_defender.vulnerability.last_seen_timestamp | Last time the software was reported on the device. | date | +| m365_defender.vulnerability.os_architecture | Architecture of the operating system running on the device. | keyword | +| m365_defender.vulnerability.os_platform | Platform of the operating system running on the device. | keyword | +| m365_defender.vulnerability.os_version | Version of the operating system running on the device. | keyword | +| m365_defender.vulnerability.rbac_group_id | | keyword | +| m365_defender.vulnerability.rbac_group_name | The role-based access control (RBAC) group. | keyword | +| m365_defender.vulnerability.recommendation_reference | A reference to the recommendation ID related to this software. | keyword | +| m365_defender.vulnerability.recommended_security_update | Name or description of the security update provided by the software vendor to address the vulnerability. | keyword | +| m365_defender.vulnerability.recommended_security_update_id | Identifier of the applicable security updates or identifier for the corresponding guidance or knowledge base (KB) articles. 
| keyword | +| m365_defender.vulnerability.registry_paths | Registry evidence that the product is installed in the device. | keyword | +| m365_defender.vulnerability.security_update_available | Indicates whether a security update is available for the software. | boolean | +| m365_defender.vulnerability.severity_level | Severity level assigned to the security vulnerability based on the CVSS score. | keyword | +| m365_defender.vulnerability.software_name | Name of the software product. | keyword | +| m365_defender.vulnerability.software_vendor | Name of the software vendor. | keyword | +| m365_defender.vulnerability.software_version | Version number of the software product. | keyword | | observer.vendor | Vendor name of the observer. | constant_keyword | | package.fixed_version | | keyword | | package.name | Package name | keyword | diff --git a/packages/m365_defender/elasticsearch/transform/latest_cdr_vulnerabilities/fields/cloud.yml b/packages/m365_defender/elasticsearch/transform/latest_cdr_vulnerabilities/fields/cloud.yml deleted file mode 100644 index 226724e3c54..00000000000 --- a/packages/m365_defender/elasticsearch/transform/latest_cdr_vulnerabilities/fields/cloud.yml +++ /dev/null @@ -1,7 +0,0 @@ -- name: cloud - type: group - fields: - # Not an ECS field. Taken from OTEL cloud attributes. https://opentelemetry.io/docs/specs/semconv/registry/attributes/cloud/ - - name: resource_id - type: keyword - description: Cloud provider-specific native identifier of the monitored cloud resource. diff --git a/packages/m365_defender/elasticsearch/transform/latest_cdr_vulnerabilities/fields/fields.yml b/packages/m365_defender/elasticsearch/transform/latest_cdr_vulnerabilities/fields/fields.yml index 05aba0d696b..4fd5797f334 100644 --- a/packages/m365_defender/elasticsearch/transform/latest_cdr_vulnerabilities/fields/fields.yml +++ b/packages/m365_defender/elasticsearch/transform/latest_cdr_vulnerabilities/fields/fields.yml 
@@ -4,181 +4,77 @@ - name: vulnerability type: group fields: - - name: affected_machine - type: group - fields: - - name: aad_device_id - type: keyword - description: Microsoft Entra Device ID (when machine is Microsoft Entra joined). - - name: agent_version - type: keyword - - name: computer_dns_name - type: keyword - description: Machine fully qualified name. - - name: device_value - type: keyword - description: 'The value of the device. Possible values are: Normal, Low, and High.' - - name: exclusion_reason - type: keyword - - name: exposure_level - type: keyword - description: 'Exposure level as evaluated by Microsoft Defender for Endpoint. Possible values are: None, Low, Medium, and High.' - - name: first_seen - type: date - description: First date and time where the machine was observed by Microsoft Defender for Endpoint. - - name: fixing_kb_id - type: keyword - - name: health_status - type: keyword - description: 'machine health status. Possible values are: Active, Inactive, ImpairedCommunication, NoSensorData, NoSensorDataImpairedCommunication, and Unknown.' - - name: id - type: keyword - - name: ip_addresses - type: group - fields: - - name: ip_address - type: ip - - name: mac_address - type: keyword - - name: operational_status - type: keyword - - name: type - type: keyword - - name: is_aad_joined - type: boolean - - name: is_excluded - type: boolean - - name: is_potential_duplication - type: boolean - - name: last_external_ip_address - type: ip - description: Last IP through which the machine accessed the internet. - - name: last_ip_address - type: ip - description: Last IP on local NIC on the machine. - - name: last_seen - type: date - description: 'Time and date of the last received full device report. A device typically sends a full report every 24 hours. NOTE: This property doesn''t correspond to the last seen value in the UI. It pertains to the last device update.' - - name: machine_id - type: keyword - description: Machine identity. 
- - name: machine_tags - type: keyword - description: Set of machine tags. - - name: managed_by - type: keyword - - name: managed_by_status - type: keyword - - name: merged_into_machine_id - type: keyword - - name: onboarding_status - type: keyword - description: 'Status of machine onboarding. Possible values are: onboarded, CanBeOnboarded, Unsupported, and InsufficientInfo.' - - name: os_architecture - type: keyword - description: 'Operating system architecture. Possible values are: 32-bit, 64-bit. Use this property instead of osProcessor.' - - name: os_build - type: long - description: Operating system build number. - - name: os_platform - type: keyword - description: Operating system platform. - - name: os_processor - type: keyword - description: Operating system processor. Use osArchitecture property instead. - - name: os_version - type: keyword - - name: product_name - type: keyword - - name: product_vendor - type: keyword - - name: product_version - type: keyword - - name: rbac_group_id - type: keyword - description: Machine group ID. - - name: rbac_group_name - type: keyword - description: Machine group Name. - - name: risk_score - type: keyword - description: 'Risk score as evaluated by Microsoft Defender for Endpoint. Possible values are: None, Informational, Low, Medium, and High.' - - name: severity - type: keyword - - name: version - type: keyword - description: Operating system version. - - name: vmMetadata - type: group - fields: - - name: cloud_provider - type: keyword - - name: resource_id - type: keyword - - name: subscription_id - type: keyword - - name: vm_id - type: keyword - - name: cve_supportability - type: keyword - description: 'Possible values are: Supported, Not Supported, or SupportedInPremium.' - - name: cvss_v3 - type: double - description: CVSS v3 score. - - name: cvss_vector - type: keyword - description: A compressed textual representation that reflects the values used to derive the score. 
- - name: description - type: keyword - description: Vulnerability description. - - name: epss - type: double - description: Represents the probability that a vulnerability will be exploited. This probability is expressed as a number between 0 and 1 (0%-100%) according to the EPSS model. - - name: exploit_in_kit - type: boolean - description: Exploit is part of an exploit kit. - - name: exploit_types + - name: cve_batch_title type: keyword - description: 'Exploit affect. Possible values are: Local privilege escalation, Denial of service, or Local.' - - name: exploit_uris + - name: cve_batch_url type: keyword - description: Exploit source URLs. - - name: exploit_verified - type: boolean - description: Exploit is verified to work. - - name: exposed_machines - type: long - description: Number of exposed devices. - - name: first_detected - type: date - - name: id + - name: cve_id + type: keyword + description: Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system. + - name: cvss_score + type: float + description: The CVSS score of the CVE. + - name: device_id type: keyword - description: Vulnerability ID. - - name: impact + description: Unique identifier for the device in the service. + - name: device_name type: keyword - description: Impact of vulnerability. - - name: name + description: Fully qualified domain name (FQDN) of the device. + - name: disk_paths type: keyword - description: Vulnerability title. - - name: patch_first_available + description: Disk evidence that the product is installed on the device. + - name: exploitability_level + type: keyword + description: The exploitability level of this vulnerability (NoExploit, ExploitIsPublic, ExploitIsVerified, ExploitIsInKit) + - name: first_seen_timestamp type: date - - name: public_exploit + description: First time this product CVE was seen on the device. + - name: id + type: keyword + description: Unique identifier for the record. 
+ - name: is_onboarded type: boolean - description: Public exploit exists. - - name: published_on + - name: last_seen_timestamp type: date - description: Date when vulnerability was published. - - name: remediation + description: Last time the software was reported on the device. + - name: os_architecture type: keyword - description: Remediation fix for vulnerability to mitigate the problem. - - name: summary + description: Architecture of the operating system running on the device. + - name: os_platform type: keyword - description: Summary of vulnerability. - - name: severity + description: Platform of the operating system running on the device. + - name: os_version type: keyword - description: 'Vulnerability Severity. Possible values are: Low, Medium, High, or Critical.' - - name: tags + description: Version of the operating system running on the device. + - name: rbac_group_id type: keyword - - name: updated_on - type: date - description: Date when vulnerability was updated. + - name: rbac_group_name + type: keyword + description: The role-based access control (RBAC) group. + - name: recommendation_reference + type: keyword + description: A reference to the recommendation ID related to this software. + - name: recommended_security_update + type: keyword + description: Name or description of the security update provided by the software vendor to address the vulnerability. + - name: recommended_security_update_id + type: keyword + description: Identifier of the applicable security updates or identifier for the corresponding guidance or knowledge base (KB) articles. + - name: registry_paths + type: keyword + description: Registry evidence that the product is installed in the device. + - name: security_update_available + type: boolean + description: Indicates whether a security update is available for the software. + - name: severity_level + type: keyword + description: Severity level assigned to the security vulnerability based on the CVSS score. 
+ - name: software_name + type: keyword + description: Name of the software product. + - name: software_vendor + type: keyword + description: Name of the software vendor. + - name: software_version + type: keyword + description: Version number of the software product. diff --git a/packages/m365_defender/elasticsearch/transform/latest_cdr_vulnerabilities/transform.yml b/packages/m365_defender/elasticsearch/transform/latest_cdr_vulnerabilities/transform.yml index 2c7bd1ec6ce..327e3abe02d 100644 --- a/packages/m365_defender/elasticsearch/transform/latest_cdr_vulnerabilities/transform.yml +++ b/packages/m365_defender/elasticsearch/transform/latest_cdr_vulnerabilities/transform.yml @@ -10,7 +10,7 @@ source: - exists: field: resource.id dest: - index: "security_solution-m365_defender.vulnerability_latest-v1" + index: "security_solution-m365_defender.vulnerability_latest-v2" aliases: - alias: "security_solution-m365_defender.vulnerability_latest" move_on_creation: true @@ -37,4 +37,4 @@ _meta: managed: true # Bump this version to delete, reinstall, and restart the transform during package. # Version bump is needed if there is any code change in transform. - fleet_transform_version: 0.1.0 + fleet_transform_version: 0.2.0 diff --git a/packages/m365_defender/img/m365-defender-vulnerability.png b/packages/m365_defender/img/m365-defender-vulnerability.png index befc0410b5a..509252d99d5 100644 Binary files a/packages/m365_defender/img/m365-defender-vulnerability.png and b/packages/m365_defender/img/m365-defender-vulnerability.png differ diff --git a/packages/m365_defender/kibana/dashboard/m365_defender-afb93ff7-9903-4d91-9028-9fe9c5a434f8.json b/packages/m365_defender/kibana/dashboard/m365_defender-afb93ff7-9903-4d91-9028-9fe9c5a434f8.json index 9dc594d347e..d246eade4b3 100644 --- a/packages/m365_defender/kibana/dashboard/m365_defender-afb93ff7-9903-4d91-9028-9fe9c5a434f8.json +++ b/packages/m365_defender/kibana/dashboard/m365_defender-afb93ff7-9903-4d91-9028-9fe9c5a434f8.json 
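Review bot: Four of the new field entries — `cve_batch_title`, `cve_batch_url`, `is_onboarded` and `rbac_group_id` — are declared with only `type:` and no `description:`, which the generated README table in this same commit renders as an empty cell. `rbac_group_id` can follow its sibling's wording, `description: Identifier of the role-based access control (RBAC) group.`, while the other three need a sentence taken from the export schema they are mapped from rather than guessed here. The `exploitability_level` description is also the only one in the hunk that ends without a period; `description: The exploitability level of this vulnerability (NoExploit, ExploitIsPublic, ExploitIsVerified, ExploitIsInKit).` matches the rest of the list.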
@@ -36,36 +36,40 @@ "type": "optionsListControl", "width": "medium" }, - "a5663e6a-f7f7-4e77-ae24-5b54abad99d2": { + "54414517-c2ba-4805-9517-068599bf73ec": { "explicitInput": { "dataViewId": "logs-*", - "fieldName": "m365_defender.vulnerability.affected_machine.exposure_level", + "exclude": false, + "existsSelected": false, + "fieldName": "m365_defender.vulnerability.exploitability_level", "searchTechnique": "prefix", "selectedOptions": [], "sort": { "by": "_count", "direction": "desc" }, - "title": "Exposure Level" + "title": "Exploitability Level" }, - "grow": true, + "grow": false, "order": 2, "type": "optionsListControl", "width": "medium" }, - "e7dd70a2-2ddd-4dfb-a2a3-b96bfa5b2d08": { + "c562c9f6-60c6-4622-9a72-3e5b024200b2": { "explicitInput": { "dataViewId": "logs-*", - "fieldName": "host.risk.calculated_level", + "exclude": false, + "existsSelected": false, + "fieldName": "host.name", "searchTechnique": "prefix", "selectedOptions": [], "sort": { "by": "_count", "direction": "desc" }, - "title": "Risk Calculated Level" + "title": "Machine Name" }, - "grow": true, + "grow": false, "order": 3, "type": "optionsListControl", "width": "medium" @@ -140,6 +144,28 @@ "useMargins": true }, "panelsJSON": [ + { + "embeddableConfig": { + "description": "", + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "savedObjectId": "m365_defender-4f3a6702-9642-4392-9b34-ceb1447e09a7", + "title": "Table of Contents" + }, + "gridData": { + "h": 35, + "i": "72697a0d-690e-496e-9809-389acd1c5cc6", + "w": 8, + "x": 0, + "y": 0 + }, + "panelIndex": "72697a0d-690e-496e-9809-389acd1c5cc6", + "panelRefName": "panel_72697a0d-690e-496e-9809-389acd1c5cc6", + "type": "visualization" + }, { "embeddableConfig": { "attributes": { 
@@ -147,7 +173,17 @@ "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-layer-bb5c3bc7-2da1-4a15-b588-9e2fcda80836", + "name": "indexpattern-datasource-layer-d448b66c-867d-4229-b46b-098a674230f6", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c2bc9c32-9a1f-49e3-bfb5-4ea90e6ed36f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "129b5517-3b71-4b39-bda7-dc60f6a98f92", "type": "index-pattern" } ], @@ -155,57 +191,22 @@ "adHocDataViews": {}, "datasourceStates": { "formBased": { - "currentIndexPatternId": "logs-*", "layers": { - "bb5c3bc7-2da1-4a15-b588-9e2fcda80836": { + "d448b66c-867d-4229-b46b-098a674230f6": { "columnOrder": [ - "b970edb6-7fb6-48f0-af44-b057acbebb37", - "d559fa87-35f2-4096-ba63-b938a3975194" + "9521f331-1199-450b-9f3d-dc1024c90024" ], "columns": { - "b970edb6-7fb6-48f0-af44-b057acbebb37": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Affected Host", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderAgg": { - "dataType": "number", - "isBucketed": false, - "label": "Count of vulnerability.id", - "operationType": "count", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "vulnerability.id" - }, - "orderBy": { - "type": "custom" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "secondaryFields": [], - "size": 10 - }, - "scale": "ordinal", - "sourceField": "host.name" - }, - "d559fa87-35f2-4096-ba63-b938a3975194": { + "9521f331-1199-450b-9f3d-dc1024c90024": { "customLabel": true, "dataType": "number", + "filter": { + "language": "kuery", + "query": "" + }, "isBucketed": false, - "label": "Count", - "operationType": "count", + "label": "Total Verified Exploit Vulnerability", + "operationType": "unique_count", "params": { "emptyAsNull": false, "format": { 
@@ -220,7 +221,6 @@ } }, "incompleteColumns": {}, - "indexPatternId": "logs-*", "sampling": 1 } } @@ -232,29 +232,70 @@ "layers": {} } }, - "filters": [], + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "m365_defender.vulnerability.exploitability_level", + "index": "c2bc9c32-9a1f-49e3-bfb5-4ea90e6ed36f", + "key": "m365_defender.vulnerability.exploitability_level", + "negate": false, + "params": { + "query": "ExploitIsVerified" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "m365_defender.vulnerability.exploitability_level": "ExploitIsVerified" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "129b5517-3b71-4b39-bda7-dc60f6a98f92", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "m365_defender.vulnerability" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "m365_defender.vulnerability" + } + } + } + ], "internalReferences": [], "query": { "language": "kuery", "query": "" }, "visualization": { - "columns": [ - { - "columnId": "b970edb6-7fb6-48f0-af44-b057acbebb37", - "width": 357.5 - }, - { - "columnId": "d559fa87-35f2-4096-ba63-b938a3975194" - } - ], - "layerId": "bb5c3bc7-2da1-4a15-b588-9e2fcda80836", - "layerType": "data" + "color": "#6092C0", + "layerId": "d448b66c-867d-4229-b46b-098a674230f6", + "layerType": "data", + "metricAccessor": "9521f331-1199-450b-9f3d-dc1024c90024", + "secondaryTrend": { + "type": "none" + } } }, - "title": "Top 10 Affected Host with Highest Vulnerability", + "title": "Total Verified Exploit Vulnerabilities", "type": "lens", - "visualizationType": "lnsDatatable" + "visualizationType": "lnsMetric" }, "description": "", "enhancements": { 
@@ -262,25 +303,70 @@ "events": [] } }, - "filters": [], - "hidePanelTitles": false, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "m365_defender.vulnerability.exploitability_level", + "index": "c2bc9c32-9a1f-49e3-bfb5-4ea90e6ed36f", + "key": "m365_defender.vulnerability.exploitability_level", + "negate": false, + "params": { + "query": "ExploitIsVerified" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "m365_defender.vulnerability.exploitability_level": "ExploitIsVerified" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "129b5517-3b71-4b39-bda7-dc60f6a98f92", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "m365_defender.vulnerability" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "m365_defender.vulnerability" + } + } + } + ], + "hidePanelTitles": true, "query": { "language": "kuery", "query": "" }, "syncColors": false, "syncCursor": true, - "syncTooltips": false + "syncTooltips": false, + "title": "Total Verified Exploit Vulnerabilities [Logs Microsoft 365 Defender] " }, "gridData": { - "h": 17, - "i": "1fc86dc4-4bd3-4484-9622-f6d14a335bed", - "w": 24, - "x": 0, - "y": 50 + "h": 6, + "i": "4ba0a469-16ee-4f04-ae89-a2aa29e299f1", + "w": 8, + "x": 8, + "y": 0 }, - "panelIndex": "1fc86dc4-4bd3-4484-9622-f6d14a335bed", - "title": "Top 10 Affected Host with Highest Vulnerability [Logs Microsoft Defender XDR]", + "panelIndex": "4ba0a469-16ee-4f04-ae89-a2aa29e299f1", "type": "lens" }, { 
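Review bot: The new panel title `"Total Verified Exploit Vulnerabilities [Logs Microsoft 365 Defender] "` carries a trailing space and switches the product suffix from the `[Logs Microsoft Defender XDR]` form used by the title it replaces, so this panel reads differently from the surrounding ones. Trim the space and keep one suffix across the dashboard, for example `"title": "Total Verified Exploit Vulnerabilities [Logs Microsoft Defender XDR]"`. The same `exploitability_level` and `data_stream.dataset` filter pair also appears in the lens attributes in the preceding hunk; that duplication is how Kibana exports a panel, but any later change to the filter has to be made in both places.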
@@ -290,7 +376,12 @@ "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-layer-93fbd5b8-bcdd-402b-9efb-2a24a2da900f", + "name": "indexpattern-datasource-layer-693c18a1-a856-4f59-a87e-6f58ecb73834", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6462727d-b375-4617-ab9e-5fed63caaa1e", "type": "index-pattern" } ], @@ -298,42 +389,14 @@ "adHocDataViews": {}, "datasourceStates": { "formBased": { - "currentIndexPatternId": "logs-*", "layers": { - "93fbd5b8-bcdd-402b-9efb-2a24a2da900f": { + "693c18a1-a856-4f59-a87e-6f58ecb73834": { "columnOrder": [ - "1ed5fdf0-b270-4d55-9f27-f2f5dd92b828", - "26f9a0ca-049e-4084-86bb-b709d7ec37bf" + "f70ba21e-c3f3-4541-9690-3d5bddf9a19d", + "689d4347-c58d-469b-8703-104286c8497a" ], "columns": { - "1ed5fdf0-b270-4d55-9f27-f2f5dd92b828": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Affected software product", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderBy": { - "columnId": "26f9a0ca-049e-4084-86bb-b709d7ec37bf", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "secondaryFields": [], - "size": 10 - }, - "scale": "ordinal", - "sourceField": "package.name" - }, - "26f9a0ca-049e-4084-86bb-b709d7ec37bf": { + "689d4347-c58d-469b-8703-104286c8497a": { "customLabel": true, "dataType": "number", "isBucketed": false, 
@@ -349,11 +412,25 @@ } }, "scale": "ratio", - "sourceField": "vulnerability.id" + "sourceField": "___records___" + }, + "f70ba21e-c3f3-4541-9690-3d5bddf9a19d": { + "customLabel": true, + "dataType": "date", + "isBucketed": true, + "label": "Vulnerability Updated On Time", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "ignoreTimeRange": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "m365_defender.vulnerability.last_seen_timestamp" } }, "incompleteColumns": {}, - "indexPatternId": "logs-*", "sampling": 1 } } 
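Review bot: The new date-histogram column is labelled `"Vulnerability Updated On Time"` but buckets on `m365_defender.vulnerability.last_seen_timestamp`, which this commit's field definition describes as the last time the software was reported on the device; the `updated_on` field the label evokes is removed by the same commit. A label that names the bucketed field, e.g. `"label": "Vulnerability Last Seen Time"`, avoids misleading readers of the chart. The count column above it now has `"sourceField": "___records___"` where the old column counted `vulnerability.id`, so a CVE reported by several devices presumably contributes one hit per document rather than once; that is fine if a per-device count is intended, but the panel title (cut off at the end of the next hunk) should say so.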
@@ -365,28 +442,103 @@ "layers": {} } }, - "filters": [], - "internalReferences": [], + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "6462727d-b375-4617-ab9e-5fed63caaa1e", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "m365_defender.vulnerability" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "m365_defender.vulnerability" + } + } + } + ], + "internalReferences": [], "query": { "language": "kuery", "query": "" }, "visualization": { - "columns": [ - { - "columnId": "1ed5fdf0-b270-4d55-9f27-f2f5dd92b828" - }, + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "Linear", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ { - "columnId": "26f9a0ca-049e-4084-86bb-b709d7ec37bf" + "accessors": [ + "689d4347-c58d-469b-8703-104286c8497a" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rules": [ + { + "type": "other" + } + ], + "touched": false + } + ] + }, + "layerId": "693c18a1-a856-4f59-a87e-6f58ecb73834", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "xAccessor": "f70ba21e-c3f3-4541-9690-3d5bddf9a19d" } ], - "layerId": "93fbd5b8-bcdd-402b-9efb-2a24a2da900f", - "layerType": "data" + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": false, + "showSingleSeries": false + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" } }, - "title": "Top 10 Affected software product", + "title": "Vulnerabilities time 
line over First Seen", "type": "lens", - "visualizationType": "lnsDatatable" + "visualizationType": "lnsXY" }, "description": "", "enhancements": { @@ -394,7 +546,30 @@ "events": [] } }, - "filters": [], + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "6462727d-b375-4617-ab9e-5fed63caaa1e", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "m365_defender.vulnerability" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "m365_defender.vulnerability" + } + } + } + ], "hidePanelTitles": false, "query": { "language": "kuery", 
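Review bot: The Lens attribute title `"Vulnerabilities time line over First Seen"` contradicts the data it plots: the layer's `xAccessor` is column `f70ba21e-…`, whose `sourceField` is `m365_defender.vulnerability.last_seen_timestamp` (labelled "Vulnerability Updated On Time"), and the panel title added in the next hunk reads "Vulnerability over Last Seen Time". A reader of the exported object would assume a first-seen series. Suggest `"title": "Vulnerabilities over Last Seen Time"` so the attribute title, column label and panel title agree ("timeline" is one word if you keep that wording). The enclosing panel object begins before this hunk.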
@@ -402,73 +577,229 @@ }, "syncColors": false, "syncCursor": true, - "syncTooltips": false + "syncTooltips": false, + "title": "Vulnerability over Last Seen Time [Logs Microsoft Defender XDR]" }, "gridData": { - "h": 17, - "i": "6d64f578-66e2-49f3-ae06-911dae110ee7", - "w": 24, - "x": 24, - "y": 50 + "h": 18, + "i": "d50a1111-11a2-4540-b788-dd116022b873", + "w": 32, + "x": 16, + "y": 0 }, - "panelIndex": "6d64f578-66e2-49f3-ae06-911dae110ee7", - "title": "Top 10 Affected Software Product [Logs Microsoft Defender XDR]", + "panelIndex": "d50a1111-11a2-4540-b788-dd116022b873", "type": "lens" }, { "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-59044096-edd2-4c17-9b59-05fcfc384e6b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5a93616a-24bb-4eb9-82bf-1ec670758874", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6413b87f-0bfa-4964-a519-84c3e054bfd3", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "59044096-edd2-4c17-9b59-05fcfc384e6b": { + "columnOrder": [ + "ebbe371e-c41c-404a-b40e-b28610cdcab8" + ], + "columns": { + "ebbe371e-c41c-404a-b40e-b28610cdcab8": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "" + }, + "isBucketed": false, + "label": "Total Public Exploit Vulnerability", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "vulnerability.id" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "m365_defender.vulnerability.exploitability_level", + "index": 
"5a93616a-24bb-4eb9-82bf-1ec670758874", + "key": "m365_defender.vulnerability.exploitability_level", + "negate": false, + "params": { + "query": "ExploitIsPublic" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "m365_defender.vulnerability.exploitability_level": "ExploitIsPublic" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "6413b87f-0bfa-4964-a519-84c3e054bfd3", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "m365_defender.vulnerability" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "m365_defender.vulnerability" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#6092C0", + "layerId": "59044096-edd2-4c17-9b59-05fcfc384e6b", + "layerType": "data", + "metricAccessor": "ebbe371e-c41c-404a-b40e-b28610cdcab8", + "secondaryTrend": { + "type": "none" + } + } + }, + "title": "Total Public Exploit Vulnerabilities", + "type": "lens", + "visualizationType": "lnsMetric" + }, "description": "", "enhancements": { "dynamicActions": { "events": [] } }, - "grid": { - "columns": { - "@timestamp": { - "width": 208 - }, - "host.id": { - "width": 299 - }, - "host.ip": { - "width": 140 + "filters": [ + { + "$state": { + "store": "appState" }, - "host.name": { - "width": 120 + "meta": { + "alias": null, + "disabled": false, + "field": "m365_defender.vulnerability.exploitability_level", + "index": "5a93616a-24bb-4eb9-82bf-1ec670758874", + "key": "m365_defender.vulnerability.exploitability_level", + "negate": false, + "params": { + "query": "ExploitIsPublic" + }, + "type": "phrase" }, - "host.risk.calculated_level": { - "width": 121 + "query": { + "match_phrase": { + "m365_defender.vulnerability.exploitability_level": "ExploitIsPublic" + } + } + }, + { + "$state": { + "store": "appState" }, - 
"m365_defender.vulnerability.affected_machine.last_seen": { - "width": 246 + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "6413b87f-0bfa-4964-a519-84c3e054bfd3", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "m365_defender.vulnerability" + }, + "type": "phrase" }, - "m365_defender.vulnerability.updated_on": { - "width": 222 + "query": { + "match_phrase": { + "data_stream.dataset": "m365_defender.vulnerability" + } } } - } + ], + "hidePanelTitles": true, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "title": "Total Public Exploit Vulnerabilities [Logs Microsoft 365 Defender]" }, "gridData": { - "h": 22, - "i": "c457e5a3-7fc2-407c-b4a6-73cbca5c0406", - "w": 48, - "x": 0, - "y": 67 + "h": 6, + "i": "274078cb-5fb3-43cd-a025-1eb787e93a5e", + "w": 8, + "x": 8, + "y": 6 }, - "panelIndex": "c457e5a3-7fc2-407c-b4a6-73cbca5c0406", - "panelRefName": "panel_c457e5a3-7fc2-407c-b4a6-73cbca5c0406", - "title": "Affected Machines Essential Details [Logs Microsoft Defender XDR]", - "type": "search" + "panelIndex": "274078cb-5fb3-43cd-a025-1eb787e93a5e", + "type": "lens" }, { "embeddableConfig": { "attributes": { - "description": "", "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-layer-f83347b5-978e-4753-a26a-d40d0a549867", + "name": "indexpattern-datasource-layer-7f9d3821-7e68-4bb8-a189-190e04533a7d", "type": "index-pattern" } ], 
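Review bot: The new panel title `"Total Public Exploit Vulnerabilities [Logs Microsoft 365 Defender]"` uses a different product suffix from the rest of the dashboard, where every other panel in this diff is tagged `[Logs Microsoft Defender XDR]`; the same older suffix appears on the "Total Affected Products" panel in a later hunk. Since `hidePanelTitles` is true the string is only seen in panel settings and exports, but mixed product names make the dashboard harder to grep and to migrate. Suggest `"title": "Total Public Exploit Vulnerabilities [Logs Microsoft Defender XDR]"`. The enclosing panel object ends past this hunk.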
@@ -478,47 +809,19 @@ "formBased": { "currentIndexPatternId": "logs-*", "layers": { - "f83347b5-978e-4753-a26a-d40d0a549867": { + "7f9d3821-7e68-4bb8-a189-190e04533a7d": { "columnOrder": [ - "64974bb9-da5e-4df7-b627-40f953c6e2b4", - "bf620d80-f648-405b-94ac-3d6834fdb1a4" + "f2dc92c3-ebd9-4846-98ce-bda90b9c7505" ], "columns": { - "64974bb9-da5e-4df7-b627-40f953c6e2b4": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "OS Platform", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderBy": { - "columnId": "bf620d80-f648-405b-94ac-3d6834fdb1a4", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "secondaryFields": [], - "size": 5 - }, - "scale": "ordinal", - "sourceField": "host.os.platform" - }, - "bf620d80-f648-405b-94ac-3d6834fdb1a4": { + "f2dc92c3-ebd9-4846-98ce-bda90b9c7505": { "customLabel": true, "dataType": "number", "isBucketed": false, - "label": "Unique Count of Machine ID", + "label": "Total Affected Software Products", "operationType": "unique_count", "params": { - "emptyAsNull": false, + "emptyAsNull": true, "format": { "id": "number", "params": { @@ -526,10 +829,10 @@ } } }, - "scale": "ratio", - "sourceField": "host.id" + "sourceField": "package.name" } }, + "ignoreGlobalFilters": false, "incompleteColumns": {}, "indexPatternId": "logs-*", "sampling": 1 
@@ -551,79 +854,96 @@ "layers": {} } }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "layers": [ - { - "categoryDisplay": "default", - "colorMapping": { - "assignments": [], - "colorMode": { - "type": "categorical" - }, - "paletteId": "eui_amsterdam_color_blind", - "specialAssignments": [ - { - "color": { - "type": "loop" - }, - "rule": { - "type": "other" - }, - "touched": false - } - ] + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "7db89145-f967-42cb-b856-f6e0c5843352", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "m365_defender.vulnerability" }, - "layerId": "f83347b5-978e-4753-a26a-d40d0a549867", - "layerType": "data", - "legendDisplay": "show", - "metrics": [ - "bf620d80-f648-405b-94ac-3d6834fdb1a4" - ], - "nestedLegend": false, - "numberDisplay": "percent", - "primaryGroups": [ - "64974bb9-da5e-4df7-b627-40f953c6e2b4" - ], - "truncateLegend": false + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "m365_defender.vulnerability" + } } - ], - "shape": "pie" + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#6092C0", + "layerId": "7f9d3821-7e68-4bb8-a189-190e04533a7d", + "layerType": "data", + "metricAccessor": "f2dc92c3-ebd9-4846-98ce-bda90b9c7505", + "secondaryTrend": { + "type": "none" + } } }, - "title": "OS Distribution of Affected Machines", + "title": "", "type": "lens", - "visualizationType": "lnsPie" + "visualizationType": "lnsMetric" }, - "description": "", "enhancements": { "dynamicActions": { "events": [] } }, - "filters": [], + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "7db89145-f967-42cb-b856-f6e0c5843352", + "key": 
"data_stream.dataset", + "negate": false, + "params": { + "query": "m365_defender.vulnerability" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "m365_defender.vulnerability" + } + } + } + ], + "hidePanelTitles": true, "query": { "language": "kuery", "query": "" }, "syncColors": false, "syncCursor": true, - "syncTooltips": false + "syncTooltips": false, + "title": "Total Affected Products [Logs Microsoft 365 Defender]" }, "gridData": { - "h": 15, - "i": "be800cbb-a57d-440a-84e3-4233103d3bbb", - "w": 16, - "x": 16, - "y": 35 + "h": 6, + "i": "2bb8f3a4-3123-413d-aacc-2e7c2721b468", + "w": 8, + "x": 8, + "y": 12 }, - "panelIndex": "be800cbb-a57d-440a-84e3-4233103d3bbb", - "title": "Affected Machines by OS [Logs Microsoft Defender XDR]", + "panelIndex": "2bb8f3a4-3123-413d-aacc-2e7c2721b468", "type": "lens" }, { @@ -633,7 +953,12 @@ "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-layer-4f129361-0c18-4ba1-9994-a1e4e565c1e5", + "name": "indexpattern-datasource-layer-c2ecbde4-fc03-46a3-a001-d384d24c2c0b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "92d14cf0-037c-467d-aa94-ae346b9b8bfb", "type": "index-pattern" } ], @@ -641,19 +966,18 @@ "adHocDataViews": {}, "datasourceStates": { "formBased": { - "currentIndexPatternId": "logs-*", "layers": { - "4f129361-0c18-4ba1-9994-a1e4e565c1e5": { + "c2ecbde4-fc03-46a3-a001-d384d24c2c0b": { "columnOrder": [ - "882ebbcb-876b-44c8-a9cd-a9eca6ed2465", - "1470f546-f38d-4cc4-90b3-7a4c9ce856e7" + "4ab972e9-380a-426c-98e1-7acd0b9125d1", + "08b3cac5-98c3-4192-ad0f-0ca04e9e4b20" ], "columns": { - "1470f546-f38d-4cc4-90b3-7a4c9ce856e7": { + "08b3cac5-98c3-4192-ad0f-0ca04e9e4b20": { "customLabel": true, "dataType": "number", "isBucketed": false, - "label": "Unique Count of Machine ID", + "label": "Count", "operationType": "unique_count", "params": { "emptyAsNull": false, 
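Review bot: The `data_stream.dataset` filters on this panel set `"index": "7db89145-f967-42cb-b856-f6e0c5843352"`, but the panel's `references` array (closed at the end of the previous hunk) contains only the `indexpattern-datasource-layer-7f9d3821-…` entry; every other panel in this diff adds a second `index-pattern` reference whose `name` equals the filter's `index`, and the removed panel in a later hunk never had this filter. Unless Kibana is known to tolerate an unresolved filter index on import, add `{ "id": "logs-*", "name": "7db89145-f967-42cb-b856-f6e0c5843352", "type": "index-pattern" }` to that panel's `references`. The attribute `"title": ""` is acceptable only because `hidePanelTitles` is true; consider giving it the panel name so the export is self-describing.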
@@ -665,112 +989,89 @@ } }, "scale": "ratio", - "sourceField": "host.id" + "sourceField": "vulnerability.id" }, - "882ebbcb-876b-44c8-a9cd-a9eca6ed2465": { + "4ab972e9-380a-426c-98e1-7acd0b9125d1": { "customLabel": true, - "dataType": "string", + "dataType": "date", "isBucketed": true, - "label": "Risk Calculated Level", - "operationType": "terms", + "label": "Vulnerabillity First Seen", + "operationType": "date_histogram", "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderBy": { - "columnId": "1470f546-f38d-4cc4-90b3-7a4c9ce856e7", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "secondaryFields": [], - "size": 5 + "dropPartials": false, + "ignoreTimeRange": false, + "includeEmptyRows": false, + "interval": "auto" }, - "scale": "ordinal", - "sourceField": "host.risk.calculated_level" + "scale": "interval", + "sourceField": "m365_defender.vulnerability.first_seen_timestamp" } }, "incompleteColumns": {}, - "indexPatternId": "logs-*", "sampling": 1 } } }, "indexpattern": { - "currentIndexPatternId": "logs-*", "layers": {} }, "textBased": { - "indexPatternRefs": [ - { - "id": "logs-*", - "timeField": "@timestamp", - "title": "logs-*" - } - ], "layers": {} } }, - "filters": [], + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "92d14cf0-037c-467d-aa94-ae346b9b8bfb", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "m365_defender.vulnerability" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "m365_defender.vulnerability" + } + } + } + ], "internalReferences": [], "query": { "language": "kuery", "query": "" }, "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "Linear", + 
"gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, "layers": [ { - "categoryDisplay": "default", + "accessors": [ + "08b3cac5-98c3-4192-ad0f-0ca04e9e4b20" + ], "colorMapping": { - "assignments": [ - { - "color": { - "colorIndex": 9, - "paletteId": "eui_amsterdam_color_blind", - "type": "categorical" - }, - "rule": { - "type": "matchExactly", - "values": [ - "Critical" - ] - }, - "touched": true - }, - { - "color": { - "colorIndex": 7, - "paletteId": "eui_amsterdam_color_blind", - "type": "categorical" - }, - "rule": { - "type": "matchExactly", - "values": [ - "High" - ] - }, - "touched": true - }, - { - "color": { - "colorIndex": 1, - "paletteId": "eui_amsterdam_color_blind", - "type": "categorical" - }, - "rule": { - "type": "matchExactly", - "values": [ - "Medium" - ] - }, - "touched": true - } - ], + "assignments": [], "colorMode": { "type": "categorical" }, 
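Review bot: The new date-histogram column label is misspelled: `"label": "Vulnerabillity First Seen"` should be `"label": "Vulnerability First Seen"`, and it is user-visible because `axisTitlesVisibilitySettings.x` is true so it becomes the x-axis title. The metric column `08b3cac5-…` paired with it is labelled `"Count"` while its operation is `unique_count` of `vulnerability.id`; `"Unique Vulnerabilities"` would state what the y-axis measures. The enclosing panel object begins before this hunk.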
@@ -780,33 +1081,44 @@ "color": { "type": "loop" }, - "rule": { - "type": "other" - }, + "rules": [ + { + "type": "other" + } + ], "touched": false } ] }, - "layerId": "4f129361-0c18-4ba1-9994-a1e4e565c1e5", + "layerId": "c2ecbde4-fc03-46a3-a001-d384d24c2c0b", "layerType": "data", - "legendDisplay": "show", - "metrics": [ - "1470f546-f38d-4cc4-90b3-7a4c9ce856e7" - ], - "nestedLegend": false, - "numberDisplay": "percent", - "primaryGroups": [ - "882ebbcb-876b-44c8-a9cd-a9eca6ed2465" - ], - "truncateLegend": false + "position": "top", + "seriesType": "line", + "showGridlines": false, + "xAccessor": "4ab972e9-380a-426c-98e1-7acd0b9125d1" } ], - "shape": "pie" + "legend": { + "isInside": false, + "isVisible": true, + "legendSize": "auto", + "legendStats": [], + "position": "right", + "shouldTruncate": false, + "showSingleSeries": false + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" } }, - "title": "Vulnerabilities by Severity", + "title": "Vulnerabilities over Time", "type": "lens", - "visualizationType": "lnsPie" + "visualizationType": "lnsXY" }, "description": "", "enhancements": { 
@@ -814,24 +1126,47 @@ "events": [] } }, - "filters": [], + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "92d14cf0-037c-467d-aa94-ae346b9b8bfb", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "m365_defender.vulnerability" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "m365_defender.vulnerability" + } + } + } + ], "query": { "language": "kuery", "query": "" }, "syncColors": false, "syncCursor": true, - "syncTooltips": false + "syncTooltips": false, + "title": "Vulnerability over First Seen Time [Logs Microsoft Defender XDR]" }, "gridData": { - "h": 15, - "i": "cbade69a-97e6-4a08-8e43-4e0824a89840", - "w": 16, - "x": 32, - "y": 35 + "h": 17, + "i": "cd4342af-24cb-4c1c-b72f-3e0f9de7f394", + "w": 24, + "x": 8, + "y": 18 }, - "panelIndex": "cbade69a-97e6-4a08-8e43-4e0824a89840", - "title": "Affected Machines by Risk Calculated Level [Logs Microsoft Defender XDR]", + "panelIndex": "cd4342af-24cb-4c1c-b72f-3e0f9de7f394", "type": "lens" }, { @@ -841,7 +1176,12 @@ "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-layer-95d5d85e-ec68-4d5f-a5e8-f69441a959c0", + "name": "indexpattern-datasource-layer-4f129361-0c18-4ba1-9994-a1e4e565c1e5", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "cae4a3e3-71f8-4669-bfa9-a24da5fd946f", "type": "index-pattern" } ], 
@@ -849,19 +1189,36 @@ "adHocDataViews": {}, "datasourceStates": { "formBased": { - "currentIndexPatternId": "logs-*", "layers": { - "95d5d85e-ec68-4d5f-a5e8-f69441a959c0": { + "4f129361-0c18-4ba1-9994-a1e4e565c1e5": { "columnOrder": [ - "8b2f13ef-1b5c-42c2-8bae-79f02213e95b", - "9f2f59ce-ffd5-42ca-a6b3-def879393810" + "882ebbcb-876b-44c8-a9cd-a9eca6ed2465", + "1470f546-f38d-4cc4-90b3-7a4c9ce856e7" ], "columns": { - "8b2f13ef-1b5c-42c2-8bae-79f02213e95b": { + "1470f546-f38d-4cc4-90b3-7a4c9ce856e7": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Unique Count of Vulnerability ID", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "vulnerability.id" + }, + "882ebbcb-876b-44c8-a9cd-a9eca6ed2465": { "customLabel": true, "dataType": "string", "isBucketed": true, - "label": "CVE Supportability ", + "label": "Severity ", "operationType": "terms", "params": { "exclude": [], @@ -870,7 +1227,7 @@ "includeIsRegex": false, "missingBucket": false, "orderBy": { - "columnId": "9f2f59ce-ffd5-42ca-a6b3-def879393810", + "columnId": "1470f546-f38d-4cc4-90b3-7a4c9ce856e7", "type": "column" }, "orderDirection": "desc", 
@@ -881,49 +1238,45 @@ "size": 5 }, "scale": "ordinal", - "sourceField": "m365_defender.vulnerability.cve_supportability" - }, - "9f2f59ce-ffd5-42ca-a6b3-def879393810": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Unique Count of Vulnerability ID", - "operationType": "unique_count", - "params": { - "emptyAsNull": false, - "format": { - "id": "number", - "params": { - "decimals": 0 - } - } - }, - "scale": "ratio", - "sourceField": "vulnerability.id" + "sourceField": "vulnerability.severity" } }, "incompleteColumns": {}, - "indexPatternId": "logs-*", "sampling": 1 } } }, "indexpattern": { - "currentIndexPatternId": "logs-*", "layers": {} }, "textBased": { - "indexPatternRefs": [ - { - "id": "logs-*", - "timeField": "@timestamp", - "title": "logs-*" - } - ], "layers": {} } }, - "filters": [], + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "cae4a3e3-71f8-4669-bfa9-a24da5fd946f", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "m365_defender.vulnerability" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "m365_defender.vulnerability" + } + } + } + ], "internalReferences": [], "query": { "language": "kuery", 
@@ -934,7 +1287,50 @@ { "categoryDisplay": "default", "colorMapping": { - "assignments": [], + "assignments": [ + { + "color": { + "colorIndex": 9, + "paletteId": "eui_amsterdam_color_blind", + "type": "categorical" + }, + "rules": [ + { + "type": "raw", + "value": "Critical" + } + ], + "touched": true + }, + { + "color": { + "colorIndex": 7, + "paletteId": "eui_amsterdam_color_blind", + "type": "categorical" + }, + "rules": [ + { + "type": "raw", + "value": "High" + } + ], + "touched": true + }, + { + "color": { + "colorIndex": 1, + "paletteId": "eui_amsterdam_color_blind", + "type": "categorical" + }, + "rules": [ + { + "type": "raw", + "value": "Medium" + } + ], + "touched": true + } + ], "colorMode": { "type": "categorical" }, @@ -944,24 +1340,25 @@ "color": { "type": "loop" }, - "rule": { - "type": "other" - }, + "rules": [ + { + "type": "other" + } + ], "touched": false } ] }, - "layerId": "95d5d85e-ec68-4d5f-a5e8-f69441a959c0", + "layerId": "4f129361-0c18-4ba1-9994-a1e4e565c1e5", "layerType": "data", "legendDisplay": "show", - "legendSize": "large", "metrics": [ - "9f2f59ce-ffd5-42ca-a6b3-def879393810" + "1470f546-f38d-4cc4-90b3-7a4c9ce856e7" ], "nestedLegend": false, "numberDisplay": "percent", "primaryGroups": [ - "8b2f13ef-1b5c-42c2-8bae-79f02213e95b" + "882ebbcb-876b-44c8-a9cd-a9eca6ed2465" ], "truncateLegend": false } @@ -969,7 +1366,7 @@ "shape": "pie" } }, - "title": "Vulnerabilities by CVE Supportability ", + "title": "Vulnerabilities by Severity", "type": "lens", "visualizationType": "lnsPie" }, 
@@ -979,119 +1376,47 @@ "events": [] } }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "syncColors": false, - "syncCursor": true, - "syncTooltips": false - }, - "gridData": { - "h": 15, - "i": "3f1d140f-1e01-4d38-a8ca-2ef62ca71315", - "w": 16, - "x": 0, - "y": 35 - }, - "panelIndex": "3f1d140f-1e01-4d38-a8ca-2ef62ca71315", - "title": "Vulnerability by CVE Supportability [Logs Microsoft Defender XDR] ", - "type": "lens" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-7f9d3821-7e68-4bb8-a189-190e04533a7d", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "7f9d3821-7e68-4bb8-a189-190e04533a7d": { - "columnOrder": [ - "f2dc92c3-ebd9-4846-98ce-bda90b9c7505" - ], - "columns": { - "f2dc92c3-ebd9-4846-98ce-bda90b9c7505": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total Affected Products", - "operationType": "count", - "params": { - "emptyAsNull": true, - "format": { - "id": "number", - "params": { - "decimals": 0 - } - } - }, - "scale": "ratio", - "sourceField": "m365_defender.vulnerability.affected_machine.id" - } - }, - "ignoreGlobalFilters": false, - "incompleteColumns": {}, - "sampling": 1 - } - } - }, - "indexpattern": { - "layers": {} + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "cae4a3e3-71f8-4669-bfa9-a24da5fd946f", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "m365_defender.vulnerability" }, - "textBased": { - "layers": {} - } + "type": "phrase" }, - "filters": [], - "internalReferences": [], "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "color": "#6092C0", - "layerId": "7f9d3821-7e68-4bb8-a189-190e04533a7d", - "layerType": "data", - "metricAccessor": 
"f2dc92c3-ebd9-4846-98ce-bda90b9c7505" + "match_phrase": { + "data_stream.dataset": "m365_defender.vulnerability" + } } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": { - "dynamicActions": { - "events": [] } - }, - "filters": [], - "hidePanelTitles": true, + ], "query": { "language": "kuery", "query": "" }, "syncColors": false, "syncCursor": true, - "syncTooltips": false + "syncTooltips": false, + "title": "Vulnerability by Severity [Logs Microsoft Defender XDR] " }, "gridData": { - "h": 6, - "i": "2bb8f3a4-3123-413d-aacc-2e7c2721b468", - "w": 8, - "x": 8, - "y": 12 + "h": 17, + "i": "50be5d33-6110-4584-8163-29335c338697", + "w": 16, + "x": 32, + "y": 18 }, - "panelIndex": "2bb8f3a4-3123-413d-aacc-2e7c2721b468", - "title": "Total Affected Products [Logs Microsoft 365 Defender]", + "panelIndex": "50be5d33-6110-4584-8163-29335c338697", "type": "lens" }, { @@ -1101,12 +1426,12 @@ "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-layer-59044096-edd2-4c17-9b59-05fcfc384e6b", + "name": "indexpattern-datasource-layer-95d5d85e-ec68-4d5f-a5e8-f69441a959c0", "type": "index-pattern" }, { "id": "logs-*", - "name": "6a1c3042-4087-44c0-a950-624946feea03", + "name": "8cf249b4-f491-465d-9a5d-eb7edb0f9832", "type": "index-pattern" } ], 
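Review bot: The panel title `"Vulnerability by Severity [Logs Microsoft Defender XDR] "` ends in a trailing space, which survives into exports and makes exact-match searches for the panel fail; the same trailing space is on the terms column label `"Severity "` in an earlier hunk and on the exploitability-level panel title in a later one. Suggest `"title": "Vulnerability by Severity [Logs Microsoft Defender XDR]"` and trimming the other two. The enclosing panel object begins before this hunk.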
@@ -1115,20 +1440,43 @@ "datasourceStates": { "formBased": { "layers": { - "59044096-edd2-4c17-9b59-05fcfc384e6b": { + "95d5d85e-ec68-4d5f-a5e8-f69441a959c0": { "columnOrder": [ - "ebbe371e-c41c-404a-b40e-b28610cdcab8" + "8b2f13ef-1b5c-42c2-8bae-79f02213e95b", + "9f2f59ce-ffd5-42ca-a6b3-def879393810" ], "columns": { - "ebbe371e-c41c-404a-b40e-b28610cdcab8": { + "8b2f13ef-1b5c-42c2-8bae-79f02213e95b": { "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "" + "dataType": "string", + "isBucketed": true, + "label": "Exploitability Level", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "9f2f59ce-ffd5-42ca-a6b3-def879393810", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 }, + "scale": "ordinal", + "sourceField": "m365_defender.vulnerability.exploitability_level" + }, + "9f2f59ce-ffd5-42ca-a6b3-def879393810": { + "customLabel": true, + "dataType": "number", "isBucketed": false, - "label": "Total Public Exploit Vulnerability", + "label": "Unique Count of Vulnerability ID", "operationType": "unique_count", "params": { "emptyAsNull": false, @@ -1163,18 +1511,18 @@ "meta": { "alias": null, "disabled": false, - "field": "m365_defender.vulnerability.public_exploit", - "index": "6a1c3042-4087-44c0-a950-624946feea03", - "key": "m365_defender.vulnerability.public_exploit", + "field": "data_stream.dataset", + "index": "8cf249b4-f491-465d-9a5d-eb7edb0f9832", + "key": "data_stream.dataset", "negate": false, "params": { - "query": true + "query": "m365_defender.vulnerability" }, "type": "phrase" }, "query": { "match_phrase": { - "m365_defender.vulnerability.public_exploit": true + "data_stream.dataset": "m365_defender.vulnerability" } } } 
@@ -1185,15 +1533,50 @@ "query": "" }, "visualization": { - "color": "#6092C0", - "layerId": "59044096-edd2-4c17-9b59-05fcfc384e6b", - "layerType": "data", - "metricAccessor": "ebbe371e-c41c-404a-b40e-b28610cdcab8" + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rules": [ + { + "type": "other" + } + ], + "touched": false + } + ] + }, + "layerId": "95d5d85e-ec68-4d5f-a5e8-f69441a959c0", + "layerType": "data", + "legendDisplay": "show", + "legendSize": "large", + "metrics": [ + "9f2f59ce-ffd5-42ca-a6b3-def879393810" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "8b2f13ef-1b5c-42c2-8bae-79f02213e95b" + ], + "truncateLegend": false + } + ], + "shape": "pie" } }, - "title": "Total Public Exploit Vulnerabilities", + "title": "Vulnerabilities by CVE Supportability ", "type": "lens", - "visualizationType": "lnsMetric" + "visualizationType": "lnsPie" }, "description": "", "enhancements": { 
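Review bot: The attribute title `"Vulnerabilities by CVE Supportability "` is stale for this visualization: the pie's `primaryGroups` column `8b2f13ef-…` now buckets `m365_defender.vulnerability.exploitability_level` (label "Exploitability Level" in the previous hunk), and the panel title added in the next hunk reads "Vulnerability by Exploitability Level". Suggest `"title": "Vulnerabilities by Exploitability Level"` so the saved object's own name matches what it plots; the old name would otherwise be carried into any by-reference copy. The enclosing panel object begins before this hunk.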
@@ -1209,40 +1592,39 @@ "meta": { "alias": null, "disabled": false, - "field": "m365_defender.vulnerability.public_exploit", - "index": "logs-*", - "key": "m365_defender.vulnerability.public_exploit", + "field": "data_stream.dataset", + "index": "8cf249b4-f491-465d-9a5d-eb7edb0f9832", + "key": "data_stream.dataset", "negate": false, "params": { - "query": true + "query": "m365_defender.vulnerability" }, "type": "phrase" }, "query": { "match_phrase": { - "m365_defender.vulnerability.public_exploit": true + "data_stream.dataset": "m365_defender.vulnerability" } } } ], - "hidePanelTitles": true, "query": { "language": "kuery", "query": "" }, "syncColors": false, "syncCursor": true, - "syncTooltips": false + "syncTooltips": false, + "title": "Vulnerability by Exploitability Level [Logs Microsoft Defender XDR] " }, "gridData": { - "h": 6, - "i": "274078cb-5fb3-43cd-a025-1eb787e93a5e", - "w": 8, - "x": 8, - "y": 6 + "h": 15, + "i": "3f1d140f-1e01-4d38-a8ca-2ef62ca71315", + "w": 16, + "x": 0, + "y": 35 }, - "panelIndex": "274078cb-5fb3-43cd-a025-1eb787e93a5e", - "title": "Total Public Exploit Vulnerabilities [Logs Microsoft 365 Defender]", + "panelIndex": "3f1d140f-1e01-4d38-a8ca-2ef62ca71315", "type": "lens" }, { @@ -1252,12 +1634,12 @@ "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-layer-d448b66c-867d-4229-b46b-098a674230f6", + "name": "indexpattern-datasource-layer-f83347b5-978e-4753-a26a-d40d0a549867", "type": "index-pattern" }, { "id": "logs-*", - "name": "cdc40fd4-75a6-4f65-aff2-ab1b69826140", + "name": "d82e6c89-c305-4dda-b19e-4bd8f6886da6", "type": "index-pattern" } ], 
@@ -1266,20 +1648,44 @@ "datasourceStates": { "formBased": { "layers": { - "d448b66c-867d-4229-b46b-098a674230f6": { + "f83347b5-978e-4753-a26a-d40d0a549867": { "columnOrder": [ - "9521f331-1199-450b-9f3d-dc1024c90024" + "64974bb9-da5e-4df7-b627-40f953c6e2b4", + "bf620d80-f648-405b-94ac-3d6834fdb1a4" ], "columns": { - "9521f331-1199-450b-9f3d-dc1024c90024": { + "64974bb9-da5e-4df7-b627-40f953c6e2b4": { "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "" + "dataType": "string", + "isBucketed": true, + "label": "OS Platform", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "bf620d80-f648-405b-94ac-3d6834fdb1a4", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 5 }, + "scale": "ordinal", + "sourceField": "host.os.platform" + }, + "bf620d80-f648-405b-94ac-3d6834fdb1a4": { + "customLabel": true, + "dataType": "number", "isBucketed": false, - "label": "Total Verified Exploit Vulnerability", + "label": "Unique Count of Machine ID", "operationType": "unique_count", "params": { "emptyAsNull": false, @@ -1291,7 +1697,7 @@ } }, "scale": "ratio", - "sourceField": "vulnerability.id" + "sourceField": "host.id" } }, "incompleteColumns": {}, 
@@ -1314,18 +1720,18 @@ "meta": { "alias": null, "disabled": false, - "field": "m365_defender.vulnerability.exploit_verified", - "index": "cdc40fd4-75a6-4f65-aff2-ab1b69826140", - "key": "m365_defender.vulnerability.exploit_verified", + "field": "data_stream.dataset", + "index": "d82e6c89-c305-4dda-b19e-4bd8f6886da6", + "key": "data_stream.dataset", "negate": false, "params": { - "query": true + "query": "m365_defender.vulnerability" }, "type": "phrase" }, "query": { "match_phrase": { - "m365_defender.vulnerability.exploit_verified": true + "data_stream.dataset": "m365_defender.vulnerability" } } } @@ -1336,15 +1742,49 @@ "query": "" }, "visualization": { - "color": "#6092C0", - "layerId": "d448b66c-867d-4229-b46b-098a674230f6", - "layerType": "data", - "metricAccessor": "9521f331-1199-450b-9f3d-dc1024c90024" + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rules": [ + { + "type": "other" + } + ], + "touched": false + } + ] + }, + "layerId": "f83347b5-978e-4753-a26a-d40d0a549867", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "bf620d80-f648-405b-94ac-3d6834fdb1a4" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "64974bb9-da5e-4df7-b627-40f953c6e2b4" + ], + "truncateLegend": false + } + ], + "shape": "pie" } }, - "title": "Total Verified Exploit Vulnerabilities", + "title": "OS Distribution of Affected Machines", "type": "lens", - "visualizationType": "lnsMetric" + "visualizationType": "lnsPie" }, "description": "", "enhancements": { 
@@ -1360,40 +1800,39 @@ "meta": { "alias": null, "disabled": false, - "field": "m365_defender.vulnerability.exploit_verified", - "index": "logs-*", - "key": "m365_defender.vulnerability.exploit_verified", + "field": "data_stream.dataset", + "index": "d82e6c89-c305-4dda-b19e-4bd8f6886da6", + "key": "data_stream.dataset", "negate": false, "params": { - "query": true + "query": "m365_defender.vulnerability" }, "type": "phrase" }, "query": { "match_phrase": { - "m365_defender.vulnerability.exploit_verified": true + "data_stream.dataset": "m365_defender.vulnerability" } } } ], - "hidePanelTitles": true, "query": { "language": "kuery", "query": "" }, "syncColors": false, "syncCursor": true, - "syncTooltips": false + "syncTooltips": false, + "title": "Affected Machines by OS [Logs Microsoft Defender XDR]" }, "gridData": { - "h": 6, - "i": "4ba0a469-16ee-4f04-ae89-a2aa29e299f1", - "w": 8, - "x": 8, - "y": 0 + "h": 15, + "i": "be800cbb-a57d-440a-84e3-4233103d3bbb", + "w": 16, + "x": 16, + "y": 35 }, - "panelIndex": "4ba0a469-16ee-4f04-ae89-a2aa29e299f1", - "title": "Total Verified Exploit Vulnerabilities [Logs Microsoft 365 Defender] ", + "panelIndex": "be800cbb-a57d-440a-84e3-4233103d3bbb", "type": "lens" }, { @@ -1403,7 +1842,7 @@ "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-layer-693c18a1-a856-4f59-a87e-6f58ecb73834", + "name": "indexpattern-datasource-layer-4f129361-0c18-4ba1-9994-a1e4e565c1e5", "type": "index-pattern" } ], 
@@ -1413,18 +1852,18 @@ "formBased": { "currentIndexPatternId": "logs-*", "layers": { - "693c18a1-a856-4f59-a87e-6f58ecb73834": { + "4f129361-0c18-4ba1-9994-a1e4e565c1e5": { "columnOrder": [ - "f70ba21e-c3f3-4541-9690-3d5bddf9a19d", - "689d4347-c58d-469b-8703-104286c8497a" + "882ebbcb-876b-44c8-a9cd-a9eca6ed2465", + "1470f546-f38d-4cc4-90b3-7a4c9ce856e7" ], "columns": { - "689d4347-c58d-469b-8703-104286c8497a": { + "1470f546-f38d-4cc4-90b3-7a4c9ce856e7": { "customLabel": true, "dataType": "number", "isBucketed": false, - "label": "Count", - "operationType": "count", + "label": "Unique Count of Machine ID", + "operationType": "unique_count", "params": { "emptyAsNull": false, "format": { @@ -1435,22 +1874,33 @@ } }, "scale": "ratio", - "sourceField": "___records___" + "sourceField": "host.id" }, - "f70ba21e-c3f3-4541-9690-3d5bddf9a19d": { + "882ebbcb-876b-44c8-a9cd-a9eca6ed2465": { "customLabel": true, - "dataType": "date", + "dataType": "string", "isBucketed": true, - "label": "Vulnerability Updated On Time", - "operationType": "date_histogram", + "label": "Exploitability level", + "operationType": "terms", "params": { - "dropPartials": false, - "ignoreTimeRange": true, - "includeEmptyRows": true, - "interval": "30d" + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "1470f546-f38d-4cc4-90b3-7a4c9ce856e7", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 }, - "scale": "interval", - "sourceField": "m365_defender.vulnerability.updated_on" + "scale": "ordinal", + "sourceField": "m365_defender.vulnerability.exploitability_level" } }, "incompleteColumns": {}, 
@@ -1470,40 +1920,65 @@ "timeField": "@timestamp", "title": "logs-*" } - ], - "layers": {} - } - }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "fittingFunction": "Linear", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, + ], + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { "layers": [ { - "accessors": [ - "689d4347-c58d-469b-8703-104286c8497a" - ], + "categoryDisplay": "default", "colorMapping": { - "assignments": [], + "assignments": [ + { + "color": { + "colorIndex": 9, + "paletteId": "eui_amsterdam_color_blind", + "type": "categorical" + }, + "rules": [ + { + "type": "raw", + "value": "Critical" + } + ], + "touched": true + }, + { + "color": { + "colorIndex": 7, + "paletteId": "eui_amsterdam_color_blind", + "type": "categorical" + }, + "rules": [ + { + "type": "raw", + "value": "High" + } + ], + "touched": true + }, + { + "color": { + "colorIndex": 1, + "paletteId": "eui_amsterdam_color_blind", + "type": "categorical" + }, + "rules": [ + { + "type": "raw", + "value": "Medium" + } + ], + "touched": true + } + ], "colorMode": { "type": "categorical" }, 
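Review bot: The three `colorMapping.assignments` added in this hunk pin colours to the raw values `Critical`, `High` and `Medium`, but the terms column this pie groups on (`882ebbcb-…`, previous hunk) now reads `m365_defender.vulnerability.exploitability_level`, not `vulnerability.severity`; the severity pie deleted further down in this diff (old lines 1850–1940) has the identical three values and colour indexes, so these appear to have been carried over with the panel. Unless that field actually emits those three values, the rules never match and every slice falls through to the `other` loop colour, so either drop them (`"assignments": []`, as the OS pie in this commit does) or replace the values with the ones the field carries. The Lens-level title in the next hunk, `"title": "Vulnerabilities by Severity"`, likewise disagrees with the panel title `Affected Machines by Exploitability Level […]` set two hunks later and should become `"title": "Affected Machines by Exploitability Level"`.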
@@ -1513,39 +1988,35 @@ "color": { "type": "loop" }, - "rule": { - "type": "other" - }, + "rules": [ + { + "type": "other" + } + ], "touched": false } ] }, - "layerId": "693c18a1-a856-4f59-a87e-6f58ecb73834", + "layerId": "4f129361-0c18-4ba1-9994-a1e4e565c1e5", "layerType": "data", - "position": "top", - "seriesType": "line", - "showGridlines": false, - "xAccessor": "f70ba21e-c3f3-4541-9690-3d5bddf9a19d" + "legendDisplay": "show", + "metrics": [ + "1470f546-f38d-4cc4-90b3-7a4c9ce856e7" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "882ebbcb-876b-44c8-a9cd-a9eca6ed2465" + ], + "truncateLegend": false } ], - "legend": { - "isVisible": true, - "position": "right", - "shouldTruncate": false, - "showSingleSeries": false - }, - "preferredSeriesType": "line", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide" + "shape": "pie" } }, - "title": "Vulnerabilities time line over First Seen", + "title": "Vulnerabilities by Severity", "type": "lens", - "visualizationType": "lnsXY" + "visualizationType": "lnsPie" }, "description": "", "enhancements": { @@ -1554,24 +2025,23 @@ } }, "filters": [], - "hidePanelTitles": false, "query": { "language": "kuery", "query": "" }, "syncColors": false, "syncCursor": true, - "syncTooltips": false + "syncTooltips": false, + "title": "Affected Machines by Exploitability Level [Logs Microsoft Defender XDR]" }, "gridData": { - "h": 18, - "i": "d50a1111-11a2-4540-b788-dd116022b873", - "w": 32, - "x": 16, - "y": 0 + "h": 15, + "i": "cbade69a-97e6-4a08-8e43-4e0824a89840", + "w": 16, + "x": 32, + "y": 35 }, - "panelIndex": "d50a1111-11a2-4540-b788-dd116022b873", - "title": "Vulnerability over Time [Logs Microsoft Defender XDR]", + "panelIndex": "cbade69a-97e6-4a08-8e43-4e0824a89840", "type": "lens" }, { 
@@ -1581,7 +2051,12 @@ "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-layer-c2ecbde4-fc03-46a3-a001-d384d24c2c0b", + "name": "indexpattern-datasource-layer-bb5c3bc7-2da1-4a15-b588-9e2fcda80836", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6ef9f629-93c4-4a2e-b25e-cf4678d3484a", "type": "index-pattern" } ], @@ -1589,22 +2064,58 @@ "adHocDataViews": {}, "datasourceStates": { "formBased": { - "currentIndexPatternId": "logs-*", "layers": { - "c2ecbde4-fc03-46a3-a001-d384d24c2c0b": { + "bb5c3bc7-2da1-4a15-b588-9e2fcda80836": { "columnOrder": [ - "4ab972e9-380a-426c-98e1-7acd0b9125d1", - "08b3cac5-98c3-4192-ad0f-0ca04e9e4b20" + "b970edb6-7fb6-48f0-af44-b057acbebb37", + "d559fa87-35f2-4096-ba63-b938a3975194" ], "columns": { - "08b3cac5-98c3-4192-ad0f-0ca04e9e4b20": { + "b970edb6-7fb6-48f0-af44-b057acbebb37": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Affected Host", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderAgg": { + "dataType": "number", + "isBucketed": false, + "label": "Count of vulnerability.id", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "vulnerability.id" + }, + "orderBy": { + "type": "custom" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "host.name" + }, + "d559fa87-35f2-4096-ba63-b938a3975194": { "customLabel": true, "dataType": "number", "isBucketed": false, - "label": "Count", + "label": "Unique Vulnerabilities", "operationType": "unique_count", "params": { - "emptyAsNull": false, + "emptyAsNull": true, "format": { "id": "number", "params": { 
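Review bot: The `Affected Host` terms column (`b970edb6-…`) ranks hosts with a custom `orderAgg` that is a plain `count` over `vulnerability.id`, while the metric the table shows next to each host (`d559fa87-…`) is a `unique_count` of the same field. A host with many duplicate rows for one CVE can therefore outrank a host with more distinct CVEs, which contradicts the `Top 10 … with Highest Vulnerability` title and the `Unique Vulnerabilities` label. If the intent is top 10 by unique vulnerabilities, drop the `orderAgg` block and order by the visible metric column, as the software-product table later in this diff does: `"orderBy": { "columnId": "d559fa87-35f2-4096-ba63-b938a3975194", "type": "column" }`. The layer object continues past the end of this hunk.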
@@ -1612,121 +2123,67 @@ } } }, - "scale": "ratio", "sourceField": "vulnerability.id" - }, - "4ab972e9-380a-426c-98e1-7acd0b9125d1": { - "customLabel": true, - "dataType": "date", - "isBucketed": true, - "label": "Vulnerabillity First Seen", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "ignoreTimeRange": true, - "includeEmptyRows": false, - "interval": "5m" - }, - "scale": "interval", - "sourceField": "m365_defender.vulnerability.first_detected" } }, "incompleteColumns": {}, - "indexPatternId": "logs-*", "sampling": 1 } } }, "indexpattern": { - "currentIndexPatternId": "logs-*", "layers": {} }, "textBased": { - "indexPatternRefs": [ - { - "id": "logs-*", - "timeField": "@timestamp", - "title": "logs-*" - } - ], "layers": {} } }, - "filters": [], + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "6ef9f629-93c4-4a2e-b25e-cf4678d3484a", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "m365_defender.vulnerability" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "m365_defender.vulnerability" + } + } + } + ], "internalReferences": [], "query": { "language": "kuery", - "query": "event.dataset : \"m365_defender.vulnerability\"" + "query": "" }, "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "fittingFunction": "Linear", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ + "columns": [ { - "accessors": [ - "08b3cac5-98c3-4192-ad0f-0ca04e9e4b20" - ], - "colorMapping": { - "assignments": [], - "colorMode": { - "type": "categorical" - }, - "paletteId": "eui_amsterdam_color_blind", - "specialAssignments": [ - { - "color": { - "type": "loop" - }, - "rule": { - "type": "other" - }, - "touched": false - 
} - ] - }, - "layerId": "c2ecbde4-fc03-46a3-a001-d384d24c2c0b", - "layerType": "data", - "position": "top", - "seriesType": "line", - "showGridlines": false, - "xAccessor": "4ab972e9-380a-426c-98e1-7acd0b9125d1" + "columnId": "b970edb6-7fb6-48f0-af44-b057acbebb37", + "width": 357.5 + }, + { + "columnId": "d559fa87-35f2-4096-ba63-b938a3975194" } ], - "legend": { - "isInside": false, - "isVisible": true, - "legendSize": "auto", - "legendStats": [], - "position": "right", - "shouldTruncate": false, - "showSingleSeries": false - }, - "preferredSeriesType": "line", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide" + "layerId": "bb5c3bc7-2da1-4a15-b588-9e2fcda80836", + "layerType": "data" } }, - "title": "Vulnerabilities over Time", + "title": "Top 10 Affected Host with Highest Vulnerability", "type": "lens", - "visualizationType": "lnsXY" + "visualizationType": "lnsDatatable" }, "description": "", "enhancements": { 
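Review bot: The `- "scale": "ratio",` removal at the top of this hunk leaves the `d559fa87-…` unique-count column without a `scale`, and the new `26f9a0ca-…` column in the software-product table further down (hunk at old line 1808) is written the same way, whereas the other unique-count columns this commit adds (`bf620d80-…`, `1470f546-…`) keep `"scale": "ratio"`. Lens may well default the value, but the inconsistency between four otherwise identical metrics reads as accidental; restoring `"scale": "ratio",` on both columns keeps them uniform. The `"width": 357.5` on the first datatable column is a fractional pixel width captured from the authoring browser; dropping that line lets the table size the column itself.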
@@ -1734,24 +2191,48 @@ "events": [] } }, - "filters": [], + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "6ef9f629-93c4-4a2e-b25e-cf4678d3484a", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "m365_defender.vulnerability" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "m365_defender.vulnerability" + } + } + } + ], + "hidePanelTitles": false, "query": { "language": "kuery", - "query": "event.dataset : \"m365_defender.vulnerability\"" + "query": "" }, "syncColors": false, "syncCursor": true, - "syncTooltips": false + "syncTooltips": false, + "title": "Top 10 Affected Host with Highest Vulnerability [Logs Microsoft Defender XDR]" }, "gridData": { "h": 17, - "i": "cd4342af-24cb-4c1c-b72f-3e0f9de7f394", + "i": "1fc86dc4-4bd3-4484-9622-f6d14a335bed", "w": 24, - "x": 8, - "y": 18 + "x": 0, + "y": 50 }, - "panelIndex": "cd4342af-24cb-4c1c-b72f-3e0f9de7f394", - "title": "Vulnerability over First Seen [Logs Microsoft Defender XDR]", + "panelIndex": "1fc86dc4-4bd3-4484-9622-f6d14a335bed", "type": "lens" }, { @@ -1761,7 +2242,7 @@ "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-layer-4f129361-0c18-4ba1-9994-a1e4e565c1e5", + "name": "indexpattern-datasource-layer-93fbd5b8-bcdd-402b-9efb-2a24a2da900f", "type": "index-pattern" } ], 
@@ -1771,35 +2252,17 @@ "formBased": { "currentIndexPatternId": "logs-*", "layers": { - "4f129361-0c18-4ba1-9994-a1e4e565c1e5": { + "93fbd5b8-bcdd-402b-9efb-2a24a2da900f": { "columnOrder": [ - "882ebbcb-876b-44c8-a9cd-a9eca6ed2465", - "1470f546-f38d-4cc4-90b3-7a4c9ce856e7" + "1ed5fdf0-b270-4d55-9f27-f2f5dd92b828", + "26f9a0ca-049e-4084-86bb-b709d7ec37bf" ], "columns": { - "1470f546-f38d-4cc4-90b3-7a4c9ce856e7": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Unique Count of Vulnerability ID", - "operationType": "unique_count", - "params": { - "emptyAsNull": false, - "format": { - "id": "number", - "params": { - "decimals": 0 - } - } - }, - "scale": "ratio", - "sourceField": "vulnerability.id" - }, - "882ebbcb-876b-44c8-a9cd-a9eca6ed2465": { + "1ed5fdf0-b270-4d55-9f27-f2f5dd92b828": { "customLabel": true, "dataType": "string", "isBucketed": true, - "label": "Severity ", + "label": "Affected software product", "operationType": "terms", "params": { "exclude": [], @@ -1808,18 +2271,36 @@ "includeIsRegex": false, "missingBucket": false, "orderBy": { - "columnId": "1470f546-f38d-4cc4-90b3-7a4c9ce856e7", + "columnId": "26f9a0ca-049e-4084-86bb-b709d7ec37bf", "type": "column" }, "orderDirection": "desc", - "otherBucket": true, + "otherBucket": false, "parentFormat": { "id": "terms" }, - "size": 5 + "secondaryFields": [], + "size": 10 }, "scale": "ordinal", - "sourceField": "vulnerability.severity" + "sourceField": "package.name" + }, + "26f9a0ca-049e-4084-86bb-b709d7ec37bf": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Unique Vulnerabilities", + "operationType": "unique_count", + "params": { + "emptyAsNull": true, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "sourceField": "vulnerability.id" } }, "incompleteColumns": {}, 
@@ -1850,90 +2331,21 @@ "query": "" }, "visualization": { - "layers": [ + "columns": [ { - "categoryDisplay": "default", - "colorMapping": { - "assignments": [ - { - "color": { - "colorIndex": 9, - "paletteId": "eui_amsterdam_color_blind", - "type": "categorical" - }, - "rule": { - "type": "matchExactly", - "values": [ - "Critical" - ] - }, - "touched": true - }, - { - "color": { - "colorIndex": 7, - "paletteId": "eui_amsterdam_color_blind", - "type": "categorical" - }, - "rule": { - "type": "matchExactly", - "values": [ - "High" - ] - }, - "touched": true - }, - { - "color": { - "colorIndex": 1, - "paletteId": "eui_amsterdam_color_blind", - "type": "categorical" - }, - "rule": { - "type": "matchExactly", - "values": [ - "Medium" - ] - }, - "touched": true - } - ], - "colorMode": { - "type": "categorical" - }, - "paletteId": "eui_amsterdam_color_blind", - "specialAssignments": [ - { - "color": { - "type": "loop" - }, - "rule": { - "type": "other" - }, - "touched": false - } - ] - }, - "layerId": "4f129361-0c18-4ba1-9994-a1e4e565c1e5", - "layerType": "data", - "legendDisplay": "show", - "metrics": [ - "1470f546-f38d-4cc4-90b3-7a4c9ce856e7" - ], - "nestedLegend": false, - "numberDisplay": "percent", - "primaryGroups": [ - "882ebbcb-876b-44c8-a9cd-a9eca6ed2465" - ], - "truncateLegend": false + "columnId": "1ed5fdf0-b270-4d55-9f27-f2f5dd92b828" + }, + { + "columnId": "26f9a0ca-049e-4084-86bb-b709d7ec37bf" } ], - "shape": "pie" + "layerId": "93fbd5b8-bcdd-402b-9efb-2a24a2da900f", + "layerType": "data" } }, - "title": "Vulnerabilities by Severity", + "title": "Top 10 Affected software product", "type": "lens", - "visualizationType": "lnsPie" + "visualizationType": "lnsDatatable" }, "description": "", "enhancements": { 
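Review bot: The Lens-level title added here, `"title": "Top 10 Affected software product"`, is singular and mixed-case, while the panel title for the same panel in the next hunk reads `Top 10 Affected Software Products [Logs Microsoft Defender XDR]`; the two should match. Use `"title": "Top 10 Affected Software Products"` here and, for the same reason, `"label": "Affected Software Products"` on the `1ed5fdf0-…` terms column in the previous hunk.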
@@ -1942,23 +2354,24 @@ } }, "filters": [], + "hidePanelTitles": false, "query": { "language": "kuery", "query": "" }, "syncColors": false, "syncCursor": true, - "syncTooltips": false + "syncTooltips": false, + "title": "Top 10 Affected Software Products [Logs Microsoft Defender XDR]" }, "gridData": { "h": 17, - "i": "50be5d33-6110-4584-8163-29335c338697", - "w": 16, - "x": 32, - "y": 18 + "i": "6d64f578-66e2-49f3-ae06-911dae110ee7", + "w": 24, + "x": 24, + "y": 50 }, - "panelIndex": "50be5d33-6110-4584-8163-29335c338697", - "title": "Vulnerability by Severity [Logs Microsoft Defender XDR] ", + "panelIndex": "6d64f578-66e2-49f3-ae06-911dae110ee7", "type": "lens" }, { @@ -1968,33 +2381,34 @@ "dynamicActions": { "events": [] } - } + }, + "savedObjectId": "c35e286e-43e6-46f4-a449-ab8a1be7bcd9", + "title": "Affected Machines Essential Details [Logs Microsoft Defender XDR]" }, "gridData": { - "h": 35, - "i": "72697a0d-690e-496e-9809-389acd1c5cc6", - "w": 8, + "h": 16, + "i": "9d6779b0-8dd5-46ad-b685-27e55e3bc79c", + "w": 48, "x": 0, - "y": 0 + "y": 67 }, - "panelIndex": "72697a0d-690e-496e-9809-389acd1c5cc6", - "panelRefName": "panel_72697a0d-690e-496e-9809-389acd1c5cc6", - "title": "Table of Contents", - "type": "visualization" + "panelIndex": "9d6779b0-8dd5-46ad-b685-27e55e3bc79c", + "panelRefName": "panel_9d6779b0-8dd5-46ad-b685-27e55e3bc79c", + "type": "search" } ], "refreshInterval": { "pause": true, "value": 60000 }, - "timeFrom": "now-4h", + "timeFrom": "now-7d/d", "timeRestore": true, "timeTo": "now", "title": "[Logs Microsoft Defender XDR] Vulnerability", "version": 3 }, "coreMigrationVersion": "8.8.0", - "created_at": "2025-06-27T11:59:14.961Z", + "created_at": "2025-10-09T18:49:09.290Z", "id": "m365_defender-afb93ff7-9903-4d91-9028-9fe9c5a434f8", "references": [ { 
@@ -2003,9 +2417,14 @@ "type": "index-pattern" }, { - "id": "m365_defender-4e5cb35c-7a18-4f29-bb69-7e30ab9bbdec", - "name": "c457e5a3-7fc2-407c-b4a6-73cbca5c0406:panel_c457e5a3-7fc2-407c-b4a6-73cbca5c0406", - "type": "search" + "id": "m365_defender-security-solution-default", + "name": "tag-ref-m365_defender-security-solution-default", + "type": "tag" + }, + { + "id": "m365_defender-security-solution-default", + "name": "tag-ref-security-solution-default", + "type": "tag" }, { "id": "m365_defender-4f3a6702-9642-4392-9b34-ceb1447e09a7", 
@@ -2014,27 +2433,42 @@ }, { "id": "logs-*", - "name": "1fc86dc4-4bd3-4484-9622-f6d14a335bed:indexpattern-datasource-layer-bb5c3bc7-2da1-4a15-b588-9e2fcda80836", + "name": "4ba0a469-16ee-4f04-ae89-a2aa29e299f1:indexpattern-datasource-layer-d448b66c-867d-4229-b46b-098a674230f6", "type": "index-pattern" }, { "id": "logs-*", - "name": "6d64f578-66e2-49f3-ae06-911dae110ee7:indexpattern-datasource-layer-93fbd5b8-bcdd-402b-9efb-2a24a2da900f", + "name": "4ba0a469-16ee-4f04-ae89-a2aa29e299f1:c2bc9c32-9a1f-49e3-bfb5-4ea90e6ed36f", "type": "index-pattern" }, { "id": "logs-*", - "name": "be800cbb-a57d-440a-84e3-4233103d3bbb:indexpattern-datasource-layer-f83347b5-978e-4753-a26a-d40d0a549867", + "name": "4ba0a469-16ee-4f04-ae89-a2aa29e299f1:129b5517-3b71-4b39-bda7-dc60f6a98f92", "type": "index-pattern" }, { "id": "logs-*", - "name": "cbade69a-97e6-4a08-8e43-4e0824a89840:indexpattern-datasource-layer-4f129361-0c18-4ba1-9994-a1e4e565c1e5", + "name": "d50a1111-11a2-4540-b788-dd116022b873:indexpattern-datasource-layer-693c18a1-a856-4f59-a87e-6f58ecb73834", "type": "index-pattern" }, { "id": "logs-*", - "name": "3f1d140f-1e01-4d38-a8ca-2ef62ca71315:indexpattern-datasource-layer-95d5d85e-ec68-4d5f-a5e8-f69441a959c0", + "name": "d50a1111-11a2-4540-b788-dd116022b873:6462727d-b375-4617-ab9e-5fed63caaa1e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "274078cb-5fb3-43cd-a025-1eb787e93a5e:indexpattern-datasource-layer-59044096-edd2-4c17-9b59-05fcfc384e6b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "274078cb-5fb3-43cd-a025-1eb787e93a5e:5a93616a-24bb-4eb9-82bf-1ec670758874", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "274078cb-5fb3-43cd-a025-1eb787e93a5e:6413b87f-0bfa-4964-a519-84c3e054bfd3", "type": "index-pattern" }, { 
@@ -2044,76 +2478,96 @@ }, { "id": "logs-*", - "name": "274078cb-5fb3-43cd-a025-1eb787e93a5e:indexpattern-datasource-layer-59044096-edd2-4c17-9b59-05fcfc384e6b", + "name": "cd4342af-24cb-4c1c-b72f-3e0f9de7f394:indexpattern-datasource-layer-c2ecbde4-fc03-46a3-a001-d384d24c2c0b", "type": "index-pattern" }, { "id": "logs-*", - "name": "274078cb-5fb3-43cd-a025-1eb787e93a5e:6a1c3042-4087-44c0-a950-624946feea03", + "name": "cd4342af-24cb-4c1c-b72f-3e0f9de7f394:92d14cf0-037c-467d-aa94-ae346b9b8bfb", "type": "index-pattern" }, { "id": "logs-*", - "name": "4ba0a469-16ee-4f04-ae89-a2aa29e299f1:indexpattern-datasource-layer-d448b66c-867d-4229-b46b-098a674230f6", + "name": "50be5d33-6110-4584-8163-29335c338697:indexpattern-datasource-layer-4f129361-0c18-4ba1-9994-a1e4e565c1e5", "type": "index-pattern" }, { "id": "logs-*", - "name": "4ba0a469-16ee-4f04-ae89-a2aa29e299f1:cdc40fd4-75a6-4f65-aff2-ab1b69826140", + "name": "50be5d33-6110-4584-8163-29335c338697:cae4a3e3-71f8-4669-bfa9-a24da5fd946f", "type": "index-pattern" }, { "id": "logs-*", - "name": "d50a1111-11a2-4540-b788-dd116022b873:indexpattern-datasource-layer-693c18a1-a856-4f59-a87e-6f58ecb73834", + "name": "3f1d140f-1e01-4d38-a8ca-2ef62ca71315:indexpattern-datasource-layer-95d5d85e-ec68-4d5f-a5e8-f69441a959c0", "type": "index-pattern" }, { "id": "logs-*", - "name": "cd4342af-24cb-4c1c-b72f-3e0f9de7f394:indexpattern-datasource-layer-c2ecbde4-fc03-46a3-a001-d384d24c2c0b", + "name": "3f1d140f-1e01-4d38-a8ca-2ef62ca71315:8cf249b4-f491-465d-9a5d-eb7edb0f9832", "type": "index-pattern" }, { "id": "logs-*", - "name": "50be5d33-6110-4584-8163-29335c338697:indexpattern-datasource-layer-4f129361-0c18-4ba1-9994-a1e4e565c1e5", + "name": "be800cbb-a57d-440a-84e3-4233103d3bbb:indexpattern-datasource-layer-f83347b5-978e-4753-a26a-d40d0a549867", "type": "index-pattern" }, { "id": "logs-*", - "name": "controlGroup_496b8374-9f81-43cb-9cbd-cc5859043d5e:optionsListDataView", + "name": 
"be800cbb-a57d-440a-84e3-4233103d3bbb:d82e6c89-c305-4dda-b19e-4bd8f6886da6", "type": "index-pattern" }, { "id": "logs-*", - "name": "controlGroup_ee7a009c-c029-4f58-b54d-71fbdf297630:optionsListDataView", + "name": "cbade69a-97e6-4a08-8e43-4e0824a89840:indexpattern-datasource-layer-4f129361-0c18-4ba1-9994-a1e4e565c1e5", "type": "index-pattern" }, { "id": "logs-*", - "name": "controlGroup_a5663e6a-f7f7-4e77-ae24-5b54abad99d2:optionsListDataView", + "name": "1fc86dc4-4bd3-4484-9622-f6d14a335bed:indexpattern-datasource-layer-bb5c3bc7-2da1-4a15-b588-9e2fcda80836", "type": "index-pattern" }, { "id": "logs-*", - "name": "controlGroup_e7dd70a2-2ddd-4dfb-a2a3-b96bfa5b2d08:optionsListDataView", + "name": "1fc86dc4-4bd3-4484-9622-f6d14a335bed:6ef9f629-93c4-4a2e-b25e-cf4678d3484a", "type": "index-pattern" }, { "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "name": "6d64f578-66e2-49f3-ae06-911dae110ee7:indexpattern-datasource-layer-93fbd5b8-bcdd-402b-9efb-2a24a2da900f", "type": "index-pattern" }, { - "id": "m365_defender-security-solution-default", - "name": "tag-ref-m365_defender-security-solution-default", - "type": "tag" + "id": "m365_defender-c35e286e-43e6-46f4-a449-ab8a1be7bcd9", + "name": "9d6779b0-8dd5-46ad-b685-27e55e3bc79c:panel_9d6779b0-8dd5-46ad-b685-27e55e3bc79c", + "type": "search" }, { - "id": "m365_defender-security-solution-default", - "name": "tag-ref-security-solution-default", - "type": "tag" + "id": "logs-*", + "name": "controlGroup_496b8374-9f81-43cb-9cbd-cc5859043d5e:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_ee7a009c-c029-4f58-b54d-71fbdf297630:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_54414517-c2ba-4805-9517-068599bf73ec:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_c562c9f6-60c6-4622-9a72-3e5b024200b2:optionsListDataView", + "type": 
"index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" } ], "type": "dashboard", - "typeMigrationVersion": "10.2.0", + "typeMigrationVersion": "10.3.0", "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0" } \ No newline at end of file diff --git a/packages/m365_defender/kibana/search/m365_defender-4e5cb35c-7a18-4f29-bb69-7e30ab9bbdec.json b/packages/m365_defender/kibana/search/m365_defender-c35e286e-43e6-46f4-a449-ab8a1be7bcd9.json similarity index 55% rename from packages/m365_defender/kibana/search/m365_defender-4e5cb35c-7a18-4f29-bb69-7e30ab9bbdec.json rename to packages/m365_defender/kibana/search/m365_defender-c35e286e-43e6-46f4-a449-ab8a1be7bcd9.json index 9781cf46b45..152f6e41ea3 100644 --- a/packages/m365_defender/kibana/search/m365_defender-4e5cb35c-7a18-4f29-bb69-7e30ab9bbdec.json +++ b/packages/m365_defender/kibana/search/m365_defender-c35e286e-43e6-46f4-a449-ab8a1be7bcd9.json @@ -1,15 +1,15 @@ { "attributes": { "columns": [ - "m365_defender.vulnerability.affected_machine.last_seen", "host.id", - "host.ip", "host.name", - "vulnerability.id", "host.os.name", - "host.risk.calculated_level", - "m365_defender.vulnerability.affected_machine.health_status", - "m365_defender.vulnerability.affected_machine.is_potential_duplication" + "vulnerability.id", + "m365_defender.vulnerability.exploitability_level", + "vulnerability.severity", + "m365_defender.vulnerability.software_vendor", + "package.name", + "package.version" ], "description": "", "grid": {}, 
@@ -25,16 +25,38 @@ "meta": { "alias": null, "disabled": false, - "field": "m365_defender.vulnerability.affected_machine.id", + "field": "data_stream.dataset", "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "m365_defender.vulnerability.affected_machine.id", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "m365_defender.vulnerability" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "m365_defender.vulnerability" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.id", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "event.id", "negate": false, "type": "exists", "value": "exists" }, "query": { "exists": { - "field": "m365_defender.vulnerability.affected_machine.id" + "field": "event.id" } } } @@ -48,7 +70,7 @@ }, "sort": [ [ - "m365_defender.vulnerability.updated_on", + "@timestamp", "desc" ] ], @@ -56,8 +78,9 @@ "title": "Affected Machines Essential Details [Logs Microsoft Defender XDR]" }, "coreMigrationVersion": "8.8.0", - "created_at": "2025-06-27T11:53:29.717Z", - "id": "m365_defender-4e5cb35c-7a18-4f29-bb69-7e30ab9bbdec", + "created_at": "2025-10-09T19:03:55.878Z", + "created_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0", + "id": "m365_defender-c35e286e-43e6-46f4-a449-ab8a1be7bcd9", "references": [ { "id": "logs-*", @@ -69,6 +92,11 @@ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern" }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, { "id": "m365_defender-security-solution-default", "name": "tag-ref-m365_defender-security-solution-default", 
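Review bot: The second filter added in the first hunk requires `event.id` to exist, but nothing in the saved search states which documents lack `event.id` or why they must be excluded from the "Affected Machines Essential Details" view, so the pill reads as arbitrary to the next maintainer. The search's `description` is still `""` in the previous hunk; recording the reason there, e.g. `"description": "<one sentence on which documents lack event.id and why they are excluded>"`, keeps the intent with the object. The sort change from `m365_defender.vulnerability.updated_on` to `@timestamp` is consistent with the new `data_stream.dataset` filter, assuming every export row carries `@timestamp`, which the pipeline (not in this diff) would have to guarantee.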
@@ -81,5 +109,6 @@ } ], "type": "search", - "typeMigrationVersion": "10.5.0" + "typeMigrationVersion": "10.5.0", + "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0" } \ No newline at end of file diff --git a/packages/m365_defender/kibana/tag/m365_defender-security-solution-default.json b/packages/m365_defender/kibana/tag/m365_defender-security-solution-default.json index faae3eaa150..df3f6daa6ee 100644 --- a/packages/m365_defender/kibana/tag/m365_defender-security-solution-default.json +++ b/packages/m365_defender/kibana/tag/m365_defender-security-solution-default.json @@ -5,7 +5,7 @@ "name": "Security Solution" }, "coreMigrationVersion": "8.8.0", - "created_at": "2025-06-20T06:28:48.460Z", + "created_at": "2025-10-09T18:30:11.448Z", "id": "m365_defender-security-solution-default", "references": [], "type": "tag", diff --git a/packages/m365_defender/kibana/visualization/m365_defender-4f3a6702-9642-4392-9b34-ceb1447e09a7.json b/packages/m365_defender/kibana/visualization/m365_defender-4f3a6702-9642-4392-9b34-ceb1447e09a7.json index 9ff8b20dd9f..e3bebdf4f4a 100644 --- a/packages/m365_defender/kibana/visualization/m365_defender-4f3a6702-9642-4392-9b34-ceb1447e09a7.json +++ b/packages/m365_defender/kibana/visualization/m365_defender-4f3a6702-9642-4392-9b34-ceb1447e09a7.json 
@@ -17,7 +17,7 @@ "aggs": [], "params": { "fontSize": 12, - "markdown": "### Navigation\n\n#### Microsoft Defender XDR\n\n#### EventHub Datastream \n[Alert Events](#/dashboard/m365_defender-2690a440-7235-11ed-8657-c59f6ece834c) \n[Device](#/dashboard/m365_defender-c0b796d0-720a-11ed-8657-c59f6ece834c) \n[App \u0026 Identity](#/dashboard/m365_defender-d587df00-745f-11ed-8657-c59f6ece834c) \n[Email](#/dashboard/m365_defender-3caf3c00-7456-11ed-8657-c59f6ece834c) \n\n#### Graph API Datastream\n[Incident](#/dashboard/m365_defender-ac54d310-44ab-11ed-8375-0168a9970c06) \n[Alert](#/dashboard/m365_defender-d80d7840-4366-11ed-b1f2-e917f608bd03) \n\n#### Rest API Datastream \n**Vulnerability** \n\n#### Description\n\nThis dashboard is designed to provide a comprehensive view of vulnerability data and affected machine ingested from Microsoft Defender XDR.\n\nIt highlights total public and verified exploit counts, trends over time, and the top affected hosts and software. Visuals include severity breakdowns, CVE supportability, OS distribution, and essential vulnerability details for deeper analysis.\n\n**[Integration Page](/app/integrations/detail/m365_defender/overview)**\n\n\n\n\n\n\n", + "markdown": "### Navigation\n\n#### Microsoft Defender XDR\n\n#### EventHub Datastream \n[Alert Events](#/dashboard/m365_defender-2690a440-7235-11ed-8657-c59f6ece834c) \n[Device](#/dashboard/m365_defender-c0b796d0-720a-11ed-8657-c59f6ece834c) \n[App \u0026 Identity](#/dashboard/m365_defender-d587df00-745f-11ed-8657-c59f6ece834c) \n[Email](#/dashboard/m365_defender-3caf3c00-7456-11ed-8657-c59f6ece834c) \n\n#### Graph API Datastream\n[Incident](#/dashboard/m365_defender-ac54d310-44ab-11ed-8375-0168a9970c06) \n[Alert](#/dashboard/m365_defender-d80d7840-4366-11ed-b1f2-e917f608bd03) \n\n#### Rest API Datastream \n**Vulnerability** \n\n#### Description\n\nThis dashboard is designed to provide a comprehensive view of vulnerability data and affected machine ingested from Microsoft Defender 
XDR.\n\nIt highlights total public and verified exploit counts, trends over time, and the top affected hosts and software. Visuals include severity breakdowns, exploitability level, OS distribution, and essential vulnerability details for deeper analysis.\n\n**[Integration Page](/app/integrations/detail/m365_defender/overview)**\n\n\n\n\n\n\n",
 "openLinksInNewTab": false
 },
 "title": "Table of Contents",
@@ -25,9 +25,10 @@
 }
 },
 "coreMigrationVersion": "8.8.0",
- "created_at": "2025-06-27T11:53:29.717Z",
+ "created_at": "2025-10-09T18:46:44.631Z",
 "id": "m365_defender-4f3a6702-9642-4392-9b34-ceb1447e09a7",
 "references": [],
 "type": "visualization",
- "typeMigrationVersion": "8.5.0"
+ "typeMigrationVersion": "8.5.0",
+ "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
 }
\ No newline at end of file
diff --git a/packages/m365_defender/manifest.yml b/packages/m365_defender/manifest.yml
index 56a4d310772..9a0dcb9eb17 100644
--- a/packages/m365_defender/manifest.yml
+++ b/packages/m365_defender/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.4.0"
 name: m365_defender
 title: Microsoft Defender XDR
-version: "4.2.0"
+version: "5.0.0"
 description: Collect logs from Microsoft Defender XDR with Elastic Agent.
 categories:
 - "security"
diff --git a/packages/microsoft_defender_endpoint/_dev/deploy/docker/docker-compose.yml b/packages/microsoft_defender_endpoint/_dev/deploy/docker/docker-compose.yml
index 7a0e8f63a6c..f173c554cf6 100644
--- a/packages/microsoft_defender_endpoint/_dev/deploy/docker/docker-compose.yml
+++ b/packages/microsoft_defender_endpoint/_dev/deploy/docker/docker-compose.yml
@@ -24,6 +24,7 @@ services:
 - 8080
 volumes:
 - ./vulnerability-http-mock-config.yml:/config.yml
+ - ./download-vulnerability.log.gz:/download-vulnerability.log.gz
 environment:
 PORT: 8080
 command:
diff --git a/packages/microsoft_defender_endpoint/_dev/deploy/docker/download-vulnerability.log.gz b/packages/microsoft_defender_endpoint/_dev/deploy/docker/download-vulnerability.log.gz new file mode 100644 index 00000000000..11a271da18b Binary files /dev/null and b/packages/microsoft_defender_endpoint/_dev/deploy/docker/download-vulnerability.log.gz differ diff --git a/packages/microsoft_defender_endpoint/_dev/deploy/docker/vulnerability-http-mock-config.yml b/packages/microsoft_defender_endpoint/_dev/deploy/docker/vulnerability-http-mock-config.yml index 8b12306ff7c..8aa4f11c480 100644 --- a/packages/microsoft_defender_endpoint/_dev/deploy/docker/vulnerability-http-mock-config.yml +++ b/packages/microsoft_defender_endpoint/_dev/deploy/docker/vulnerability-http-mock-config.yml 
@@ -7,459 +7,33 @@ rules: Content-Type: - "application/json" body: |- - {"token_type":"Bearer","expires_in":3599,"ext_expires_in":3599,"access_token":"xxxx"} - - path: /api/vulnerabilities/machinesVulnerabilities - methods: ['GET'] + {"token_type":"Bearer","expires_in":3599,"ext_expires_in":3599,"access_token":"topsecretaccesstokenthatshouldnotbeleakedforabit"} + - path: /api/machines/SoftwareVulnerabilitiesExport + methods: ["GET"] query_params: - $top: 10000 - $skip: 0 + sasValidHours: "2" request_headers: - Authorization: - - "Bearer xxxx" + authorization: ["Bearer topsecretaccesstokenthatshouldnotbeleakedforabit"] responses: - status_code: 200 headers: Content-Type: - - application/json - body: | - {{ minify_json ` - { - "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Collection(microsoft.windowsDefenderATP.api.PublicAssetVulnerabilityDto)", - "@odata.count": 5, - "value": [ - { - "id": "94819846155826828d1603b913c67fe336d81295-_-CVE-2025-3074-_-microsoft-_-edge_chromium-based-_-134.0.3124.72-_-", - "cveId": "CVE-2025-3074", - "machineId": "94819846155826828d1603b913c67fe336d81295", - "fixingKbId": null, - "productName": "edge_chromium-based", - "productVendor": "microsoft", - "productVersion": "134.0.3124.72", - "severity": "Medium" - }, - { - "id": "c473dc518718ab3d14ced2bd0870665a533070e0-_-CVE-2025-3074-_-microsoft-_-edge_chromium-based-_-133.0.3065.92-_-", - "cveId": "CVE-2025-3074", - "machineId": "c473dc518718ab3d14ced2bd0870665a533070e0", - "fixingKbId": null, - "productName": "edge_chromium-based", - "productVendor": "microsoft", - "productVersion": "133.0.3065.92", - "severity": "Medium" - }, - { - "id": "c4ca2eb56d52f0a9378d3265541ba02403b76d67-_-CVE-2025-3073-_-microsoft-_-edge_chromium-based-_-133.0.3065.92-_-", - "cveId": "CVE-2025-3073", - "machineId": "c4ca2eb56d52f0a9378d3265541ba02403b76d67", - "fixingKbId": null, - "productName": "edge_chromium-based", - "productVendor": "microsoft", - "productVersion": 
"133.0.3065.92", - "severity": "Medium" - }, - { - "id": "c4ca2eb56d52f0a9378d3265541ba02403b76d67-_-CVE-2025-3073-_-google-_-chrome-_-134.0.6998.118-_-", - "cveId": "CVE-2025-3073", - "machineId": "c4ca2eb56d52f0a9378d3265541ba02403b76d67", - "fixingKbId": null, - "productName": "chrome", - "productVendor": "google", - "productVersion": "134.0.6998.118", - "severity": "Medium" - }, - { - "id": "6825811b97340ed50d858e6285c7a7878248ca75-_-CVE-2025-26635-_-microsoft-_-windows_10-_-10.0.19045.5011-_-5055518", - "cveId": "CVE-2025-26635", - "machineId": "6825811b97340ed50d858e6285c7a7878248ca75", - "fixingKbId": "5055518", - "productName": "windows_10", - "productVendor": "microsoft", - "productVersion": "10.0.19045.5011", - "severity": "Medium" - } - ] - } - `}} - - path: /api/machines - methods: ['GET'] - query_params: - $top: 10000 - $skip: 0 - request_headers: - Authorization: - - "Bearer xxxx" - responses: - - status_code: 200 - headers: - Content-Type: - - application/json - body: | - {{ minify_json ` - { - "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machines", - "value": [ - { - "id": "94819846155826828d1603b913c67fe336d81295", - "mergedIntoMachineId": null, - "isPotentialDuplication": false, - "isExcluded": false, - "exclusionReason": null, - "computerDnsName": "bdp3449-ub20-2-4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01", - "firstSeen": "2025-01-08T13:05:05.3483549Z", - "lastSeen": "2025-01-08T13:15:03.694371Z", - "osPlatform": "Ubuntu", - "osVersion": null, - "osProcessor": "x64", - "version": "20.4", - "lastIpAddress": "175.16.199.0", - "lastExternalIpAddress": "1.128.0.0", - "agentVersion": "30.124092.2.0", - "osBuild": 6, - "healthStatus": "Inactive", - "deviceValue": "Normal", - "rbacGroupId": 0, - "rbacGroupName": null, - "riskScore": "None", - "exposureLevel": "Low", - "isAadJoined": false, - "aadDeviceId": null, - "machineTags": ["test tag"], - "onboardingStatus": "Onboarded", - "osArchitecture": "64-bit", - "managedBy": 
"MicrosoftDefenderForEndpoint", - "managedByStatus": "Success", - "ipAddresses": [ - { - "ipAddress": "216.160.83.56", - "macAddress": "000C2910F1DA", - "type": "Other", - "operationalStatus": "Up" - } - ], - "vmMetadata": null - }, - { - "id": "c473dc518718ab3d14ced2bd0870665a533070e0", - "mergedIntoMachineId": null, - "isPotentialDuplication": false, - "isExcluded": false, - "exclusionReason": null, - "computerDnsName": "bdp3449-ub20-2-a415f17e-ce8d-4ce2-a8b4-83b674e7017e", - "firstSeen": "2025-01-09T20:29:06.2413437Z", - "lastSeen": "2025-01-09T20:57:23.4538904Z", - "osPlatform": "Ubuntu", - "osVersion": null, - "osProcessor": "x64", - "version": "20.4", - "lastIpAddress": "81.2.69.142", - "lastExternalIpAddress": "81.2.69.144", - "agentVersion": "30.124092.2.0", - "osBuild": 6, - "healthStatus": "Inactive", - "deviceValue": "Normal", - "rbacGroupId": 0, - "rbacGroupName": null, - "riskScore": "None", - "exposureLevel": "Low", - "isAadJoined": false, - "aadDeviceId": null, - "machineTags": [], - "onboardingStatus": "Onboarded", - "osArchitecture": "64-bit", - "managedBy": "MicrosoftDefenderForEndpoint", - "managedByStatus": "Success", - "ipAddresses": [ - { - "ipAddress": "81.2.69.192", - "macAddress": "000C2910F1DA", - "type": "Other", - "operationalStatus": "Up" - }, - { - "ipAddress": "2a02:cf40::", - "macAddress": "000C2910F1DA", - "type": "Other", - "operationalStatus": "Up" - } - ], - "vmMetadata": null - }, - { - "id": "c4ca2eb56d52f0a9378d3265541ba02403b76d67", - "mergedIntoMachineId": null, - "isPotentialDuplication": false, - "isExcluded": false, - "exclusionReason": null, - "computerDnsName": "bdp3449-ub20-2-1602ff76-ed7f-4c94-b550-2f727b4782d4", - "firstSeen": "2025-01-09T14:01:35.8022227Z", - "lastSeen": "2025-01-09T14:22:34.8819165Z", - "osPlatform": "Ubuntu", - "osVersion": null, - "osProcessor": "x64", - "version": "20.4", - "lastIpAddress": "81.2.69.192", - "lastExternalIpAddress": "89.160.20.112", - "agentVersion": "30.124092.2.0", - "osBuild": 
6, - "healthStatus": "Inactive", - "deviceValue": "Normal", - "rbacGroupId": 0, - "rbacGroupName": null, - "riskScore": "None", - "exposureLevel": "Low", - "isAadJoined": false, - "aadDeviceId": null, - "machineTags": [], - "onboardingStatus": "Onboarded", - "osArchitecture": "64-bit", - "managedBy": "MicrosoftDefenderForEndpoint", - "managedByStatus": "Success", - "ipAddresses": [ - { - "ipAddress": "81.2.69.192", - "macAddress": "000C2910F1DA", - "type": "Other", - "operationalStatus": "Up" - }, - { - "ipAddress": "2a02:cf40::", - "macAddress": "000C2910F1DA", - "type": "Other", - "operationalStatus": "Up" - } - ], - "vmMetadata": null - }, - { - "id": "6825811b97340ed50d858e6285c7a7878248ca75", - "mergedIntoMachineId": null, - "isPotentialDuplication": false, - "isExcluded": false, - "exclusionReason": null, - "computerDnsName": "bdp3449-ub20-2-ab4d04af-68dc-4fee-9c16-6545265b3276", - "firstSeen": "2025-01-09T06:29:21.587607Z", - "lastSeen": "2025-01-09T06:56:38.3119183Z", - "osPlatform": "Ubuntu", - "osVersion": null, - "osProcessor": "x64", - "version": "20.4", - "lastIpAddress": "81.2.69.192", - "lastExternalIpAddress": "89.160.20.112", - "agentVersion": "30.124092.2.0", - "osBuild": 6, - "healthStatus": "Inactive", - "deviceValue": "Normal", - "rbacGroupId": 0, - "rbacGroupName": null, - "riskScore": "Medium", - "exposureLevel": "Low", - "isAadJoined": false, - "aadDeviceId": null, - "machineTags": ["test"], - "onboardingStatus": "Onboarded", - "osArchitecture": "64-bit", - "managedBy": "MicrosoftDefenderForEndpoint", - "managedByStatus": "Success", - "ipAddresses": [ - { - "ipAddress": "81.2.69.192", - "macAddress": "000C2910F1DA", - "type": "Other", - "operationalStatus": "Up" - } - ], - "vmMetadata": null - }, - { - "id": "08a037be5ffcf0e85c0817a202a95e86dbb65124", - "mergedIntoMachineId": null, - "isPotentialDuplication": false, - "isExcluded": false, - "exclusionReason": null, - "computerDnsName": "bdp3449-ub20-2-3a95cdb2-c6ea-4761-b24e-02b71889b8bb", - 
"firstSeen": "2025-01-09T07:29:19.0754397Z", - "lastSeen": "2025-01-09T07:54:33.335749Z", - "osPlatform": "Ubuntu", - "osVersion": null, - "osProcessor": "x64", - "version": "20.4", - "lastIpAddress": "67.43.156.0", - "lastExternalIpAddress": "175.16.199.0", - "agentVersion": "30.124092.2.0", - "osBuild": 6, - "healthStatus": "Inactive", - "deviceValue": "Normal", - "rbacGroupId": 0, - "rbacGroupName": null, - "riskScore": "High", - "exposureLevel": "Low", - "isAadJoined": false, - "aadDeviceId": null, - "machineTags": [], - "onboardingStatus": "Onboarded", - "osArchitecture": "64-bit", - "managedBy": "MicrosoftDefenderForEndpoint", - "managedByStatus": "Success", - "ipAddresses": [ - { - "ipAddress": "67.43.156.0", - "macAddress": "000C2910F1DA", - "type": "Other", - "operationalStatus": "Up" - } - ], - "vmMetadata": null - } - ] - } - `}} - - path: /api/vulnerabilities - methods: ['GET'] - query_params: - $top: 2 - $skip: 0 - request_headers: - Authorization: - - "Bearer xxxx" - responses: - - status_code: 200 - headers: - Content-Type: - - application/json - body: | - {{ minify_json ` - { - "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Vulnerabilities", - "@odata.count": 2, - "value": [ - { - "id": "CVE-2025-3074", - "name": "CVE-2025-3074", - "description": "Summary: An inappropriate implementation in the Downloads feature of Google Chrome versions prior to 135.0.7049.52 could allow a remote attacker to perform UI spoofing via a crafted HTML page. This vulnerability, classified with a low severity by Chromium, may also enable bypassing security restrictions when a victim visits a specially crafted website. Impact: Exploitation of this vulnerability could lead to UI spoofing or bypassing security restrictions, potentially compromising user trust and security. AdditionalInformation: This vulnerability is associated with Google Chrome and has implications for Microsoft Edge (Chromium-based) due to shared code ingestion. 
Refer to Google Chrome Releases for further details. Remediation: Apply the latest patches and updates provided by the respective vendors. [Generated by AI]", - "severity": "Medium", - "cvssV3": 6.5, - "cvssVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C", - "exposedMachines": 2, - "publishedOn": "2025-04-01T00:00:00Z", - "updatedOn": "2025-04-08T00:00:00Z", - "firstDetected": "2025-04-01T19:52:39Z", - "patchFirstAvailable": null, - "publicExploit": false, - "exploitVerified": false, - "exploitInKit": false, - "exploitTypes": [], - "exploitUris": [], - "cveSupportability": "Supported", - "tags": ["test"], - "epss": 0.00111 - }, - { - "id": "CVE-2025-3073", - "name": "CVE-2025-3073", - "description": "Summary: An inappropriate implementation in the Autofill feature of Google Chrome versions prior to 135.0.7049.52 allows a remote attacker to perform UI spoofing by convincing a user to interact with a crafted HTML page. This vulnerability is categorized with a Chromium security severity rating of Low. Impact: Exploitation of this vulnerability could enable an attacker to bypass security restrictions, potentially leading to unauthorized actions or data exposure. AdditionalInformation: This vulnerability is also relevant to Microsoft Edge (Chromium-based), as it ingests Chromium. Refer to Google Chrome Releases for further details. Remediation: Apply the latest patches and updates provided by the respective vendors. 
[Generated by AI]", - "severity": "Medium", - "cvssV3": 6.5, - "cvssVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C", - "exposedMachines": 1, - "publishedOn": "2025-04-01T00:00:00Z", - "updatedOn": "2025-04-08T00:00:00Z", - "firstDetected": "2025-04-01T19:52:39Z", - "patchFirstAvailable": null, - "publicExploit": false, - "exploitVerified": false, - "exploitInKit": false, - "exploitTypes": [], - "exploitUris": [], - "cveSupportability": "Supported", - "tags": ["test"], - "epss": 0.00111 - } - ] - } - `}} - - path: /api/vulnerabilities - methods: ['GET'] - query_params: - $top: 2 - $skip: 2 - request_headers: - Authorization: - - "Bearer xxxx" - responses: - - status_code: 200 - headers: - Content-Type: - - application/json - body: | + - "application/json" + body: |- {{ minify_json ` - { - "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Vulnerabilities", - "@odata.count": 2, - "value": [ - { - "id": "CVE-2025-26635", - "name": "CVE-2025-26635", - "description": "Summary: A vulnerability in Windows Hellos authentication mechanism permits an authorized attacker to bypass its security feature remotely over a network. Impact: Exploitation of this vulnerability could allow unauthorized access to systems, potentially leading to data breaches or further network compromise. Remediation: Apply the latest patches and updates provided by the respective vendors. 
[Generated by AI]", - "severity": "Medium", - "cvssV3": 6.5, - "cvssVector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C", - "exposedMachines": 1, - "publishedOn": "2025-04-08T07:00:00Z", - "updatedOn": "2025-04-09T20:03:01.577Z", - "firstDetected": "2025-04-08T18:00:48Z", - "patchFirstAvailable": null, - "publicExploit": false, - "exploitVerified": false, - "exploitInKit": false, - "exploitTypes": [], - "exploitUris": [], - "cveSupportability": "Supported", - "tags": [], - "epss": 0.00052 - }, - { - "id": "CVE-2025-3437", - "name": "CVE-2025-3437", - "description": "Summary: The Motors – Car Dealership & Classified Listings Plugin for WordPress contains a vulnerability in its ajax_actions.php file, where several functions lack proper capability checks. This flaw exists in all versions up to and including 1.4.66, allowing authenticated attackers with Subscriber-level access or higher to perform unauthorized data modifications. Impact: Exploitation of this vulnerability could lead to unauthorized changes to the plugins setup, potentially compromising the integrity of the affected WordPress site. Remediation: Upgrade to a version of Stylemixthemes Motors - Car Dealer, Classifieds & Listing later than 1.4.66. 
[Generated by AI]",
- "severity": "Medium",
- "cvssV3": 4.3,
- "cvssVector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
- "exposedMachines": 0,
- "publishedOn": "2025-04-08T10:15:19.413Z",
- "updatedOn": "2025-04-08T18:13:53.347Z",
- "firstDetected": null,
- "patchFirstAvailable": null,
- "publicExploit": false,
- "exploitVerified": false,
- "exploitInKit": false,
- "exploitTypes": [],
- "exploitUris": [],
- "cveSupportability": "NotSupported",
- "tags": [],
- "epss": 0.00025
- }
- ]
- }
+ {
+ "@odata.context": "https://api.security.microsoft.com/api/$metadata#microsoft.windowsDefenderATP.api.ExportFilesResponse",
+ "exportFiles": [
+ "http://svc-microsoft-defender-endpoint-vulnerability-cel:8080/path/to/vuln"
+ ],
+ "generatedTime": "2025-10-09T00:00:00Z"
+ }
 `}}
- - path: /api/vulnerabilities
- methods: ['GET']
- query_params:
- $top: 2
- $skip: 4
- request_headers:
- Authorization:
- - "Bearer xxxx"
+ - path: /path/to/vuln
+ methods: ["GET"]
 responses:
 - status_code: 200
 headers:
 Content-Type:
- - application/json
- body: |
- {{ minify_json `
- {
- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Vulnerabilities",
- "@odata.count": 0,
- "value": []
- }
- `}}
- 
\ No newline at end of file
+ - "application/octet-stream"
+ body: '{{file "/download-vulnerability.log.gz"}}'
diff --git a/packages/microsoft_defender_endpoint/changelog.yml b/packages/microsoft_defender_endpoint/changelog.yml
index 9af7aef2f62..ec4a20ad561 100644
--- a/packages/microsoft_defender_endpoint/changelog.yml
+++ b/packages/microsoft_defender_endpoint/changelog.yml
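Review bot: The new `/path/to/vuln` rule returns the gzip export to any GET with no `request_headers` match, while the export-request rule above it requires the bearer token, and nothing in the file records that this asymmetry is deliberate. Presumably the real export file URLs are pre-signed (the `sasValidHours` parameter on the export request suggests SAS-style links) and the client is expected to fetch them without the API token, so a later reader may "fix" the rule by adding an `authorization` check and quietly break the system test; a comment above the rule such as `# Export file download: served without the bearer token, as the real export URLs are pre-signed.` would pin that intent. In the same rule the compressed bytes are sent as `application/octet-stream` with no `Content-Encoding` header, so the mock exercises the client's own decompression rather than transport-level gzip; a one-line comment stating that this mirrors the real download, if it does, would save the next reviewer the same question. The enclosing `rules:` sequence starts above the hunk.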
@@ -1,4 +1,16 @@
 # newer versions go on top
+- version: "4.0.0"
+ changes:
+ - description: |
+ Fetch vulnerability data using SoftwareVulnerabilitiesExport API endpoint.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/15603
+ - description: |
+ The following fields are no longer available in the new implementation: "cloud.provider", "cloud.resource_id",
+ "cloud.instance.id", "host.geo", "host.ip", "host.risk.calculated_level", "related.ip",
+ "vulnerability.description", "vulnerability.published_date", "vulnerability.score.version".
+ type: breaking-change
+ link: https://github.com/elastic/integrations/pull/15603
 - version: "3.1.2"
 changes:
 - description: 'Ensure `page_size` configuration is preserved in CEL evaluation responses.'
diff --git a/packages/microsoft_defender_endpoint/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log b/packages/microsoft_defender_endpoint/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log
index ae2e38774fc..5265aa6d6af 100644
--- a/packages/microsoft_defender_endpoint/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log
+++ b/packages/microsoft_defender_endpoint/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log
@@ -1,6 +1,4 @@ -{"affectedMachine":{"id":"86c0491db8ff7e8dcad520288b7759fa27793ce1-_-CVE-2024-11168-_-red_hat-_-python-unversioned-command_for_linux-_-0:3.9.18-3.el9_4.6-_-","cveId":"CVE-2024-11168","machineId":"86c0491db8ff7e8dcad520288b7759fa27793ce1","fixingKbId":null,"productName":"python-unversioned-command_for_linux","productVendor":"red_hat","productVersion":"0:3.9.18-3.el9_4.6","severity":"Medium","mergedIntoMachineId":null,"isPotentialDuplication":false,"isExcluded":false,"exclusionReason":null,"computerDnsName":"C-Lab-33","firstSeen":"2024-11-06T09:57:53.476232Z","lastSeen":"2025-05-12T04:13:23.7778534Z","osPlatform":"RedHatEnterpriseLinux","osVersion":null,"osProcessor":"x64","version":"9.4","lastIpAddress":"89.160.20.112","lastExternalIpAddress":"175.16.199.0","agentVersion":"30.124082.4.0","osBuild":null,"healthStatus":"Active","deviceValue":"Normal","rbacGroupId":0,"rbacGroupName":null,"riskScore":"High","exposureLevel":"High","isAadJoined":false,"aadDeviceId":null,"machineTags":["C-Lab-Linux"],"onboardingStatus":"Onboarded","osArchitecture":"64-bit","managedBy":"MicrosoftDefenderForEndpoint","managedByStatus":"Success","ipAddresses":[{"ipAddress":"89.160.20.112","macAddress":"00505681A42F","type":"Other","operationalStatus":"Up"},{"ipAddress":"67.43.156.0","macAddress":"000000000000","type":"Other","operationalStatus":"Up"}],"vmMetadata":null},"id":"CVE-2024-11168","name":"CVE-2024-11168","description":"Summary: Pythons CPython implementation contains a vulnerability (CVE-2024-11168) in the urllib.parse.urlsplit() and urlparse() functions, where bracketed hosts (`[]`) are improperly validated. This issue allows non-IPv6 or non-IPvFuture hosts, violating RFC 3986 standards. If a URL is processed by multiple parsers, this flaw could enable Server-Side Request Forgery (SSRF) attacks. Impact: Exploitation of this vulnerability could allow attackers to conduct SSRF attacks, potentially leading to unauthorized access to internal systems or sensitive data. 
AdditionalInformation: This vulnerability affects Python versions prior to 3.9.19-7. It is recommended to review the CVE page for further technical details and associated CVSS scores. Remediation: Upgrade to Python version 3.9.21 or later. [Generated by AI]","severity":"Medium","cvssV3":6.3,"cvssVector":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:X/V:X/RE:X/U:X","exposedMachines":2,"publishedOn":"2023-04-25T16:00:00Z","updatedOn":"2025-04-11T22:15:28.96Z","firstDetected":"2025-05-02T05:36:57Z","patchFirstAvailable":null,"publicExploit":false,"exploitVerified":false,"exploitInKit":false,"exploitTypes":["Remote"],"exploitUris":[],"cveSupportability":"Supported","tags":[],"epss":0.00154} -{"affectedMachine":{"aadDeviceId":"79dc383d-1ba1-4ac9-9dca-792e881a5034","agentVersion":"10.8760.19045.5011","computerDnsName":"c-lab-14","cveId":"CVE-2025-24062","deviceValue":"Normal","exclusionReason":null,"exposureLevel":"High","firstSeen":"2024-11-05T11:55:28.5899758Z","fixingKbId":"5055518","healthStatus":"Active","id":"fd43e5b3ba69b8ecffb165017d9c8687f24e246a-_-CVE-2025-24062-_-microsoft-_-windows_10-_-10.0.19045.5011-_-5055518","ipAddresses":[{"ipAddress":"1.128.0.0","macAddress":"00505683B889","operationalStatus":"Up","type":"Ethernet"},{"ipAddress":"2a02:cf40::","macAddress":"00505683B889","operationalStatus":"Up","type":"Ethernet"},{"ipAddress":"81.2.69.192","macAddress":null,"operationalStatus":"Up","type":"SoftwareLoopback"}],"isAadJoined":true,"isExcluded":false,"isPotentialDuplication":false,"lastExternalIpAddress":"89.160.20.112","lastIpAddress":"175.16.199.0","lastSeen":"2025-04-21T08:24:41.3833512Z","machineId":"fd43e5b3ba69b8ecffb165017d9c8687f24e246a","machineTags":[],"managedBy":"Intune","managedByStatus":"Unknown","mergedIntoMachineId":null,"onboardingStatus":"Onboarded","osArchitecture":"64-bit","osBuild":19045,"osPlatform":"Windows10","osProcesso
r":"x64","osVersion":null,"productName":"windows_10","productVendor":"microsoft","productVersion":"10.0.19045.5011","rbacGroupId":0,"rbacGroupName":null,"riskScore":"None","severity":"High","version":"22H2","vmMetadata":null},"cveSupportability":"Supported","cvssV3":7.8,"cvssVector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C","description":"Summary: An improper input validation vulnerability exists in the Windows DWM Core Library, which could allow an authorized attacker to locally elevate their privileges. Impact: Successful exploitation of this vulnerability could result in unauthorized privilege escalation, potentially compromising system integrity. Remediation: Apply the latest patches and updates provided by the respective vendors. [Generated by AI]","epss":0.00073,"exploitInKit":false,"exploitTypes":["PrivilegeEscalation"],"exploitUris":[],"exploitVerified":false,"exposedMachines":7,"firstDetected":"2025-04-08T18:00:48Z","id":"CVE-2025-24062","name":"CVE-2025-24062","patchFirstAvailable":null,"publicExploit":false,"publishedOn":"2025-04-08T07:00:00Z","severity":"High","tags":["test"],"updatedOn":"2025-04-09T20:03:01.577Z"} -{"affectedMachine":null,"id":"CVE-2025-47828","name":"CVE-2025-47828","description":"Summary: The Lumi H5P-Nodejs-library versions prior to 2025-04-05 are vulnerable to cross-site scripting (XSS) due to the omission of a sanitizeHtml call for plain text strings. This flaw allows remote attackers to execute arbitrary scripts in a victims browser by leveraging specially crafted URLs. Impact: Exploitation of this vulnerability could lead to unauthorized access to sensitive information, such as cookie-based authentication credentials, and compromise the security context of the hosting website. AdditionalInformation: Ensure awareness of the affected versions and the nature of the vulnerability for proper risk assessment. Remediation: Upgrade to @Lumieducation/H5p-Server @Lumieducation/H5p-Server version later than 2024-04-05. 
[Generated by AI]","severity":"Medium","cvssV3":6.4,"cvssVector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C","exposedMachines":0,"publishedOn":"2025-05-11T00:00:00Z","updatedOn":"2025-05-12T20:50:07Z","firstDetected":null,"patchFirstAvailable":null,"publicExploit":false,"exploitVerified":false,"exploitInKit":false,"exploitTypes":[],"exploitUris":[],"cveSupportability":"NotSupported","tags":[],"epss":0.00029} -{"affectedMachine":{"aadDeviceId":"d78dc223-8dc8-4210-9700-019b3b03505b","agentVersion":"10.8792.19045.5737","computerDnsName":"c-lab-08","cveId":"TVM-2020-0002","deviceValue":"Normal","exclusionReason":null,"exposureLevel":"Low","firstSeen":"2024-11-05T11:54:59.5717001Z","fixingKbId":null,"healthStatus":"Active","id":"0e23b8b23f6dc0e9d84846f877b45d19c04a522d-_-TVM-2020-0002-_-vmware-_-tools-_-12.0.6.0-_-","ipAddresses":[{"ipAddress":"216.160.83.56","macAddress":"00505683B880","operationalStatus":"Up","type":"Ethernet"}],"isAadJoined":true,"isExcluded":false,"isPotentialDuplication":false,"lastExternalIpAddress":"67.43.156.0","lastIpAddress":"89.160.20.128","lastSeen":"2025-04-22T05:48:04.7550736Z","machineId":"0e23b8b23f6dc0e9d84846f877b45d19c04a522d","machineTags":["test tag 1"],"managedBy":"Intune","managedByStatus":"Unknown","mergedIntoMachineId":null,"onboardingStatus":"Onboarded","osArchitecture":"64-bit","osBuild":19045,"osPlatform":"Windows10","osProcessor":"x64","osVersion":null,"productName":"tools","productVendor":"vmware","productVersion":"12.0.6.0","rbacGroupId":0,"rbacGroupName":null,"riskScore":"None","severity":"High","version":"22H2","vmMetadata":null},"cveSupportability":"Supported","cvssV3":7,"cvssVector":"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C","description":"Summary: VMware Tools and Open Virtual Machine Tools are vulnerable to a local privilege escalation vulnerability. 
An attacker with local non-administrative access to the Guest OS can exploit this vulnerability to escalate privileges as a root user in the virtual machine. Impact: If exploited, this vulnerability could allow a malicious actor to gain elevated privileges on the system, potentially leading to unauthorized access, data theft, or further compromise of the virtual machine. AdditionalInformation: TVM-2020-0002 is associated with this vulnerability. It is recommended to refer to the CVE page for more details, including the impact, CVSS score, and acknowledgments. Remediation: Apply the latest patches and updates provided by the respective vendors. [Generated by AI]","epss":0.00053,"exploitInKit":false,"exploitTypes":["PrivilegeEscalation"],"exploitUris":[],"exploitVerified":false,"exposedMachines":12,"firstDetected":"2025-01-01T08:22:58Z","id":"TVM-2020-0002","name":"TVM-2020-0002","patchFirstAvailable":null,"publicExploit":false,"publishedOn":"2022-08-23T00:00:00Z","severity":"High","tags":[],"updatedOn":"2024-12-10T00:00:00Z"} -{"affectedMachine":{"aadDeviceId":"d78dc223-8dc8-4210-9700-019b3b03505b","agentVersion":"10.8792.19045.5737","computerDnsName":"c-lab-08","cveId":"TVM-2020-0002","deviceValue":"Normal","exclusionReason":null,"exposureLevel":"Low","firstSeen":"2024-11-05T11:54:59.5717001Z","fixingKbId":null,"healthStatus":"Active","id":"0e23b8b23f6dc0e9d84846f877b45d19c04a522d-_-TVM-2020-0002-_-vmware-_-tools-_-12.0.6.0-_-","ipAddresses":[{"ipAddress":"","macAddress":"00505683B880","operationalStatus":"Up","type":"Ethernet"}],"isAadJoined":true,"isExcluded":false,"isPotentialDuplication":false,"lastExternalIpAddress":"67.43.156.0","lastIpAddress":"89.160.20.128","lastSeen":"2025-04-22T05:48:04.7550736Z","machineId":"0e23b8b23f6dc0e9d84846f877b45d19c04a522d","machineTags":["test tag 
1"],"managedBy":"Intune","managedByStatus":"Unknown","mergedIntoMachineId":null,"onboardingStatus":"Onboarded","osArchitecture":"64-bit","osBuild":19045,"osPlatform":"Windows10","osProcessor":"x64","osVersion":null,"productName":"tools","productVendor":"vmware","productVersion":"12.0.6.0","rbacGroupId":0,"rbacGroupName":null,"riskScore":"None","severity":"High","version":"22H2","vmMetadata":null},"cveSupportability":"Supported","cvssV3":7,"cvssVector":"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C","description":"Summary: VMware Tools and Open Virtual Machine Tools are vulnerable to a local privilege escalation vulnerability. An attacker with local non-administrative access to the Guest OS can exploit this vulnerability to escalate privileges as a root user in the virtual machine. Impact: If exploited, this vulnerability could allow a malicious actor to gain elevated privileges on the system, potentially leading to unauthorized access, data theft, or further compromise of the virtual machine. AdditionalInformation: TVM-2020-0002 is associated with this vulnerability. It is recommended to refer to the CVE page for more details, including the impact, CVSS score, and acknowledgments. Remediation: Apply the latest patches and updates provided by the respective vendors. 
[Generated by AI]","epss":0.00053,"exploitInKit":false,"exploitTypes":["PrivilegeEscalation"],"exploitUris":[],"exploitVerified":false,"exposedMachines":12,"firstDetected":"2025-01-01T08:22:58Z","id":"TVM-2020-0002","name":"TVM-2020-0002","patchFirstAvailable":null,"publicExploit":false,"publishedOn":"2022-08-23T00:00:00Z","severity":"High","tags":[],"updatedOn":"2024-12-10T00:00:00Z"} -{"affectedMachine":{"aadDeviceId":"d78dc223-8dc8-4210-9700-019b3b03505b","agentVersion":"10.8792.19045.5737","computerDnsName":"c-lab-08","cveId":"TVM-2020-0002","deviceValue":"Normal","exclusionReason":null,"exposureLevel":"Low","firstSeen":"2024-11-05T11:54:59.5717001Z","fixingKbId":null,"healthStatus":"Active","id":"0e23b8b23f6dc0e9d84846f877b45d19c04a522d-_-TVM-2020-0002-_-vmware-_-tools-_-12.0.6.0-_-","ipAddresses":[{"ipAddress":"216.160.83.56","macAddress":"00505683B880","operationalStatus":"Up","type":"Ethernet"}],"isAadJoined":true,"isExcluded":false,"isPotentialDuplication":false,"lastExternalIpAddress":"67.43.156.0","lastIpAddress":"89.160.20.128","lastSeen":"2025-04-22T05:48:04.7550736Z","machineId":"0e23b8b23f6dc0e9d84846f877b45d19c04a522d","machineTags":["test tag 1"],"managedBy":"Intune","managedByStatus":"Unknown","mergedIntoMachineId":null,"onboardingStatus":"Onboarded","osArchitecture":"64-bit","osBuild":19045,"osPlatform":"Windows10","osProcessor":"x64","osVersion":null,"productName":"tools","productVendor":"vmware","productVersion":"12.0.6.0","rbacGroupId":0,"rbacGroupName":null,"riskScore":"None","severity":"High","version":"22H2","vmMetadata":{"cloudProvider":"Azure","resourceId":"/subscriptions/e1685f98-517c-4ffe-b7d5-d6cb9d563ec2/resourceGroups/R15_Sentinel/providers/Microsoft.HybridCompute/machines/C-Lab-10","subscriptionId":"e1685f98-517c-4ffe-b7d5-d6cb9d563ec2","vmId":"ecdc774f-45b4-4e33-97c8-f777e134131a"}},"cveSupportability":"Supported","cvssV3":7,"cvssVector":"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C","description":"Summary: VMware 
Tools and Open Virtual Machine Tools are vulnerable to a local privilege escalation vulnerability. An attacker with local non-administrative access to the Guest OS can exploit this vulnerability to escalate privileges as a root user in the virtual machine. Impact: If exploited, this vulnerability could allow a malicious actor to gain elevated privileges on the system, potentially leading to unauthorized access, data theft, or further compromise of the virtual machine. AdditionalInformation: TVM-2020-0002 is associated with this vulnerability. It is recommended to refer to the CVE page for more details, including the impact, CVSS score, and acknowledgments. Remediation: Apply the latest patches and updates provided by the respective vendors. [Generated by AI]","epss":0.00053,"exploitInKit":false,"exploitTypes":["PrivilegeEscalation"],"exploitUris":[],"exploitVerified":false,"exposedMachines":12,"firstDetected":"2025-01-01T08:22:58Z","id":"TVM-2020-0002","name":"TVM-2020-0002","patchFirstAvailable":null,"publicExploit":false,"publishedOn":"2022-08-23T00:00:00Z","severity":"High","tags":[],"updatedOn":"2024-12-10T00:00:00Z"} +{"CveBatchTitle":"Red_hat February 2025 Vulnerabilities","CveBatchUrl":"https://security.access.redhat.com/data/oval/v2/RHEL9/rhel-9.8-eus.oval.xml.bz2","CveId":"CVE-2022-49226","CvssScore":5.5,"DeviceId":"1212121212121212121212","DeviceName":"sample-host-1","ExploitabilityLevel":"NoExploit","FirstSeenTimestamp":"2025-10-06 10:43:58","Id":"1212121212121212121212_red_hat_kernel_0:5.14.0-427.42.1.el9_4_CVE-2022-49226","IsOnboarded":true,"LastSeenTimestamp":"2025-10-06 
22:45:00","OSArchitecture":"x64","OSPlatform":"Linux","OSVersion":"enterprise_linux_9.4","RbacGroupId":0,"RbacGroupName":"Unassigned","RecommendationReference":"va-_-red_hat-_-kernel","RecommendedSecurityUpdate":"CVE-2022-49226_oval:com.redhat.rhsa:def:20249315","RecommendedSecurityUpdateId":"RHSA-2024:9315","RecommendedSecurityUpdateUrl":"https://access.redhat.com/errata/RHSA-2024:9315","RegistryPaths":[],"SecurityUpdateAvailable":true,"SoftwareName":"kernel","SoftwareVendor":"red_hat","SoftwareVersion":"0:5.14.0-427.42.1.el9_4","VulnerabilitySeverityLevel":"Medium"} +{"CveBatchTitle":"Ubuntu January 2025 Vulnerabilities","CveBatchUrl":"https://security-metadata.canonical.com/oval/com.ubuntu.jammy.usn.oval.xml.bz2","CveId":"CVE-2024-43097","CvssScore":7.8,"DeviceId":"11111111111111111","DeviceName":"sample-host-2","ExploitabilityLevel":"NoExploit","FirstSeenTimestamp":"2025-10-06 10:41:29","Id":"11111111111111111_ubuntu_thunderbird-gnome-support_for_linux_1:115.18.0+build1-0ubuntu0.22.04.1_CVE-2024-43097","IsOnboarded":true,"LastSeenTimestamp":"2025-10-06 22:41:42","OSArchitecture":"x64","OSPlatform":"Linux","OSVersion":"ubuntu_linux_22.04","RbacGroupId":0,"RbacGroupName":"Unassigned","RecommendationReference":"va-_-ubuntu-_-thunderbird-gnome-support_for_linux","RecommendedSecurityUpdate":"CVE-2024-43097_oval:com.ubuntu.jammy:def:76631000000","RecommendedSecurityUpdateId":"USN-7663-1","RecommendedSecurityUpdateUrl":"https://ubuntu.com/security/notices/USN-7663-1","SecurityUpdateAvailable":true,"SoftwareName":"thunderbird-gnome-support_for_linux","SoftwareVendor":"ubuntu","SoftwareVersion":"1:115.18.0+build1-0ubuntu0.22.04.1","VulnerabilitySeverityLevel":"High"} +{"CveBatchTitle":"Microsoft September 2025 Security 
Updates","CveBatchUrl":"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2025-49734","CveId":"CVE-2025-49734","CvssScore":7,"DeviceId":"aaasasasasasa","DeviceName":"host-3","ExploitabilityLevel":"NoExploit","FirstSeenTimestamp":"2025-09-09 17:30:58","Id":"aaasasasasasa_microsoft_windows_10_10.0.19045.6093_CVE-2025-49734","IsOnboarded":true,"LastSeenTimestamp":"2025-10-07 00:08:23","OSArchitecture":"x64","OSPlatform":"Windows10","OSVersion":"10.0.19045.6093","RbacGroupId":0,"RbacGroupName":"Unassigned","RecommendationReference":"va-_-microsoft-_-windows_10","RecommendedSecurityUpdate":"September 2025 Security Updates","RecommendedSecurityUpdateId":"5065429","RecommendedSecurityUpdateUrl":"https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5065429","SecurityUpdateAvailable":true,"SoftwareName":"windows_10","SoftwareVendor":"microsoft","SoftwareVersion":"10.0.19045.6093","VulnerabilitySeverityLevel":"High"} +{"CveBatchTitle":"Vmware August 2022 Vulnerabilities","CveBatchUrl":"https://www.vmware.com/security/advisories/VMSA-2022-0024.1.html","CveId":"CVE-2022-31676","CvssScore":7,"DeviceId":"bbbbbbbbbbbbbb","DeviceName":"host-4","DiskPaths":["C:\\Program Files\\VMware\\VMware Tools\\VMware VGAuth\\VMwareAliasImport.exe"],"ExploitabilityLevel":"NoExploit","FirstSeenTimestamp":"2025-08-02 15:09:51","Id":"bbbbbbbbbbbbbb_vmware_tools_12.0.6.0_CVE-2022-31676","IsOnboarded":true,"LastSeenTimestamp":"2025-10-06 19:49:51","OSArchitecture":"x64","OSPlatform":"Windows10","OSVersion":"10.0.19045.6332","RbacGroupId":0,"RbacGroupName":"Unassigned","RecommendationReference":"va-_-vmware-_-tools","RecommendedSecurityUpdate":"VMware Tools update addresses a local privilege escalation vulnerability (CVE-2022-31676)","RegistryPaths":[],"SecurityUpdateAvailable":true,"SoftwareName":"tools","SoftwareVendor":"vmware","SoftwareVersion":"12.0.6.0","VulnerabilitySeverityLevel":"High"} 
diff --git a/packages/microsoft_defender_endpoint/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log-expected.json b/packages/microsoft_defender_endpoint/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log-expected.json
index 736601c37d1..c4aadd01187 100644
--- a/packages/microsoft_defender_endpoint/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log-expected.json
+++ b/packages/microsoft_defender_endpoint/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log-expected.json
@@ -8,116 +8,56 @@ "category": [ "vulnerability" ], - "id": "86c0491db8ff7e8dcad520288b7759fa27793ce1-_-CVE-2024-11168-_-red_hat-_-python-unversioned-command_for_linux-_-0:3.9.18-3.el9_4.6-_-", + "id": "1212121212121212121212_red_hat_kernel_0:5.14.0-427.42.1.el9_4_CVE-2022-49226", "kind": "event", - "original": "{\"affectedMachine\":{\"id\":\"86c0491db8ff7e8dcad520288b7759fa27793ce1-_-CVE-2024-11168-_-red_hat-_-python-unversioned-command_for_linux-_-0:3.9.18-3.el9_4.6-_-\",\"cveId\":\"CVE-2024-11168\",\"machineId\":\"86c0491db8ff7e8dcad520288b7759fa27793ce1\",\"fixingKbId\":null,\"productName\":\"python-unversioned-command_for_linux\",\"productVendor\":\"red_hat\",\"productVersion\":\"0:3.9.18-3.el9_4.6\",\"severity\":\"Medium\",\"mergedIntoMachineId\":null,\"isPotentialDuplication\":false,\"isExcluded\":false,\"exclusionReason\":null,\"computerDnsName\":\"C-Lab-33\",\"firstSeen\":\"2024-11-06T09:57:53.476232Z\",\"lastSeen\":\"2025-05-12T04:13:23.7778534Z\",\"osPlatform\":\"RedHatEnterpriseLinux\",\"osVersion\":null,\"osProcessor\":\"x64\",\"version\":\"9.4\",\"lastIpAddress\":\"89.160.20.112\",\"lastExternalIpAddress\":\"175.16.199.0\",\"agentVersion\":\"30.124082.4.0\",\"osBuild\":null,\"healthStatus\":\"Active\",\"deviceValue\":\"Normal\",\"rbacGroupId\":0,\"rbacGroupName\":null,\"riskScore\":\"High\",\"exposureLevel\":\"High\",\"isAadJoined\":false,\"aadDeviceId\":null,\"machineTags\":[\"C-Lab-Linux\"],\"onboardingStatus\":\"Onboarded\",\"osArchitecture\":\"64-bit\",\"managedBy\":\"MicrosoftDefenderForEndpoint\",\"managedByStatus\":\"Success\",\"ipAddresses\":[{\"ipAddress\":\"89.160.20.112\",\"macAddress\":\"00505681A42F\",\"type\":\"Other\",\"operationalStatus\":\"Up\"},{\"ipAddress\":\"67.43.156.0\",\"macAddress\":\"000000000000\",\"type\":\"Other\",\"operationalStatus\":\"Up\"}],\"vmMetadata\":null},\"id\":\"CVE-2024-11168\",\"name\":\"CVE-2024-11168\",\"description\":\"Summary: Pythons CPython implementation contains a vulnerability (CVE-2024-11168) in the 
urllib.parse.urlsplit() and urlparse() functions, where bracketed hosts (`[]`) are improperly validated. This issue allows non-IPv6 or non-IPvFuture hosts, violating RFC 3986 standards. If a URL is processed by multiple parsers, this flaw could enable Server-Side Request Forgery (SSRF) attacks. Impact: Exploitation of this vulnerability could allow attackers to conduct SSRF attacks, potentially leading to unauthorized access to internal systems or sensitive data. AdditionalInformation: This vulnerability affects Python versions prior to 3.9.19-7. It is recommended to review the CVE page for further technical details and associated CVSS scores. Remediation: Upgrade to Python version 3.9.21 or later. [Generated by AI]\",\"severity\":\"Medium\",\"cvssV3\":6.3,\"cvssVector\":\"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:X/V:X/RE:X/U:X\",\"exposedMachines\":2,\"publishedOn\":\"2023-04-25T16:00:00Z\",\"updatedOn\":\"2025-04-11T22:15:28.96Z\",\"firstDetected\":\"2025-05-02T05:36:57Z\",\"patchFirstAvailable\":null,\"publicExploit\":false,\"exploitVerified\":false,\"exploitInKit\":false,\"exploitTypes\":[\"Remote\"],\"exploitUris\":[],\"cveSupportability\":\"Supported\",\"tags\":[],\"epss\":0.00154}", + "original": "{\"CveBatchTitle\":\"Red_hat February 2025 Vulnerabilities\",\"CveBatchUrl\":\"https://security.access.redhat.com/data/oval/v2/RHEL9/rhel-9.8-eus.oval.xml.bz2\",\"CveId\":\"CVE-2022-49226\",\"CvssScore\":5.5,\"DeviceId\":\"1212121212121212121212\",\"DeviceName\":\"sample-host-1\",\"ExploitabilityLevel\":\"NoExploit\",\"FirstSeenTimestamp\":\"2025-10-06 10:43:58\",\"Id\":\"1212121212121212121212_red_hat_kernel_0:5.14.0-427.42.1.el9_4_CVE-2022-49226\",\"IsOnboarded\":true,\"LastSeenTimestamp\":\"2025-10-06 
22:45:00\",\"OSArchitecture\":\"x64\",\"OSPlatform\":\"Linux\",\"OSVersion\":\"enterprise_linux_9.4\",\"RbacGroupId\":0,\"RbacGroupName\":\"Unassigned\",\"RecommendationReference\":\"va-_-red_hat-_-kernel\",\"RecommendedSecurityUpdate\":\"CVE-2022-49226_oval:com.redhat.rhsa:def:20249315\",\"RecommendedSecurityUpdateId\":\"RHSA-2024:9315\",\"RecommendedSecurityUpdateUrl\":\"https://access.redhat.com/errata/RHSA-2024:9315\",\"RegistryPaths\":[],\"SecurityUpdateAvailable\":true,\"SoftwareName\":\"kernel\",\"SoftwareVendor\":\"red_hat\",\"SoftwareVersion\":\"0:5.14.0-427.42.1.el9_4\",\"VulnerabilitySeverityLevel\":\"Medium\"}", "type": [ "info" ] }, "group": { - "id": "0" + "id": "0", + "name": "Unassigned" }, "host": { "architecture": "x64", - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "hostname": "C-Lab-33", - "id": "86c0491db8ff7e8dcad520288b7759fa27793ce1", - "ip": [ - "175.16.199.0" - ], - "name": "C-Lab-33", + "hostname": "sample-host-1", + "id": "1212121212121212121212", + "name": "sample-host-1", "os": { - "name": "RedHatEnterpriseLinux 9.4", - "platform": "RedHatEnterpriseLinux", + "name": "Linux enterprise_linux_9.4", + "platform": "Linux", "type": "linux", - "version": "9.4" - }, - "risk": { - "calculated_level": "High" + "version": "enterprise_linux_9.4" } }, - "message": "Summary: Pythons CPython implementation contains a vulnerability (CVE-2024-11168) in the urllib.parse.urlsplit() and urlparse() functions, where bracketed hosts (`[]`) are improperly validated. This issue allows non-IPv6 or non-IPvFuture hosts, violating RFC 3986 standards. If a URL is processed by multiple parsers, this flaw could enable Server-Side Request Forgery (SSRF) attacks. 
Impact: Exploitation of this vulnerability could allow attackers to conduct SSRF attacks, potentially leading to unauthorized access to internal systems or sensitive data. AdditionalInformation: This vulnerability affects Python versions prior to 3.9.19-7. It is recommended to review the CVE page for further technical details and associated CVSS scores. Remediation: Upgrade to Python version 3.9.21 or later. [Generated by AI]", + "message": "Red_hat February 2025 Vulnerabilities", "microsoft_defender_endpoint": { "vulnerability": { - "affected_machine": { - "agent_version": "30.124082.4.0", - "computer_dns_name": "C-Lab-33", - "device_value": "Normal", - "exposure_level": "High", - "first_seen": "2024-11-06T09:57:53.476Z", - "health_status": "Active", - "id": "86c0491db8ff7e8dcad520288b7759fa27793ce1-_-CVE-2024-11168-_-red_hat-_-python-unversioned-command_for_linux-_-0:3.9.18-3.el9_4.6-_-", - "ip_addresses": [ - { - "ip_address": "89.160.20.112", - "mac_address": "00-50-56-81-A4-2F", - "operational_status": "Up", - "type": "Other" - }, - { - "ip_address": "67.43.156.0", - "mac_address": "00-00-00-00-00-00", - "operational_status": "Up", - "type": "Other" - } - ], - "is_aad_joined": false, - "is_excluded": false, - "is_potential_duplication": false, - "last_external_ip_address": "175.16.199.0", - "last_ip_address": "89.160.20.112", - "last_seen": "2025-05-12T04:13:23.777Z", - "machine_id": "86c0491db8ff7e8dcad520288b7759fa27793ce1", - "machine_tags": [ - "C-Lab-Linux" - ], - "managed_by": "MicrosoftDefenderForEndpoint", - "managed_by_status": "Success", - "onboarding_status": "Onboarded", - "os_architecture": "64-bit", - "os_platform": "RedHatEnterpriseLinux", - "os_processor": "x64", - "product_name": "python-unversioned-command_for_linux", - "product_vendor": "red_hat", - "product_version": "0:3.9.18-3.el9_4.6", - "rbac_group_id": "0", - "risk_score": "High", - "severity": "Medium", - "version": "9.4" - }, - "cve_supportability": "Supported", - "cvss_v3": 6.3, - 
"cvss_vector": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:X/V:X/RE:X/U:X", - "description": "Summary: Pythons CPython implementation contains a vulnerability (CVE-2024-11168) in the urllib.parse.urlsplit() and urlparse() functions, where bracketed hosts (`[]`) are improperly validated. This issue allows non-IPv6 or non-IPvFuture hosts, violating RFC 3986 standards. If a URL is processed by multiple parsers, this flaw could enable Server-Side Request Forgery (SSRF) attacks. Impact: Exploitation of this vulnerability could allow attackers to conduct SSRF attacks, potentially leading to unauthorized access to internal systems or sensitive data. AdditionalInformation: This vulnerability affects Python versions prior to 3.9.19-7. It is recommended to review the CVE page for further technical details and associated CVSS scores. Remediation: Upgrade to Python version 3.9.21 or later. [Generated by AI]", - "epss": 0.00154, - "exploit_in_kit": false, - "exploit_types": [ - "Remote" - ], - "exploit_verified": false, - "exposed_machines": 2, - "first_detected": "2025-05-02T05:36:57.000Z", - "id": "CVE-2024-11168", - "impact": "Exploitation of this vulnerability could allow attackers to conduct SSRF attacks, potentially leading to unauthorized access to internal systems or sensitive data.", - "name": "CVE-2024-11168", - "public_exploit": false, - "published_on": "2023-04-25T16:00:00.000Z", - "remediation": "Upgrade to Python version 3.9.21 or later.", - "severity": "Medium", - "summary": "Pythons CPython implementation contains a vulnerability (CVE-2024-11168) in the urllib.parse.urlsplit() and urlparse() functions, where bracketed hosts (`[]`) are improperly validated. This issue allows non-IPv6 or non-IPvFuture hosts, violating RFC 3986 standards. 
If a URL is processed by multiple parsers, this flaw could enable Server-Side Request Forgery (SSRF) attacks.", - "updated_on": "2025-04-11T22:15:28.960Z" + "cve_batch_title": "Red_hat February 2025 Vulnerabilities", + "cve_batch_url": "https://security.access.redhat.com/data/oval/v2/RHEL9/rhel-9.8-eus.oval.xml.bz2", + "cve_id": "CVE-2022-49226", + "cvss_score": 5.5, + "device_id": "1212121212121212121212", + "device_name": "sample-host-1", + "exploitability_level": "NoExploit", + "first_seen_timestamp": "2025-10-06T10:43:58.000Z", + "id": "1212121212121212121212_red_hat_kernel_0:5.14.0-427.42.1.el9_4_CVE-2022-49226", + "is_onboarded": true, + "last_seen_timestamp": "2025-10-06T22:45:00.000Z", + "os_architecture": "x64", + "os_platform": "Linux", + "os_version": "enterprise_linux_9.4", + "rbac_group_id": "0", + "rbac_group_name": "Unassigned", + "recommendation_reference": "va-_-red_hat-_-kernel", + "recommended_security_update": "CVE-2022-49226_oval:com.redhat.rhsa:def:20249315", + "recommended_security_update_id": "RHSA-2024:9315", + "security_update_available": true, + "severity_level": "Medium", + "software_name": "kernel", + "software_vendor": "red_hat", + "software_version": "0:5.14.0-427.42.1.el9_4" } }, "observer": { 
@@ -125,45 +65,36 @@ "vendor": "Microsoft" }, "package": { - "fixed_version": "3.9.21", - "name": "python-unversioned-command_for_linux", - "version": "0:3.9.18-3.el9_4.6" + "name": "kernel", + "version": "0:5.14.0-427.42.1.el9_4" }, "related": { "hosts": [ - "C-Lab-33", - "86c0491db8ff7e8dcad520288b7759fa27793ce1" - ], - "ip": [ - "89.160.20.112", - "67.43.156.0", - "175.16.199.0" + "1212121212121212121212", + "sample-host-1" ] }, "resource": { - "id": "86c0491db8ff7e8dcad520288b7759fa27793ce1", - "name": "C-Lab-33" + "id": "1212121212121212121212", + "name": "sample-host-1" }, "tags": [ "preserve_duplicate_custom_fields" ], "vulnerability": { "classification": "CVSS", - "cve": "CVE-2024-11168", - "description": "Summary: Pythons CPython implementation contains a vulnerability (CVE-2024-11168) in the urllib.parse.urlsplit() and urlparse() functions, where bracketed hosts (`[]`) are improperly validated. This issue allows non-IPv6 or non-IPvFuture hosts, violating RFC 3986 standards. If a URL is processed by multiple parsers, this flaw could enable Server-Side Request Forgery (SSRF) attacks. Impact: Exploitation of this vulnerability could allow attackers to conduct SSRF attacks, potentially leading to unauthorized access to internal systems or sensitive data. AdditionalInformation: This vulnerability affects Python versions prior to 3.9.19-7. It is recommended to review the CVE page for further technical details and associated CVSS scores. Remediation: Upgrade to Python version 3.9.21 or later. 
[Generated by AI]", + "cve": "CVE-2022-49226", "enumeration": "CVE", - "id": "CVE-2024-11168", - "published_date": "2023-04-25T16:00:00.000Z", - "reference": "https://www.cve.org/CVERecord?id=CVE-2024-11168", + "id": "CVE-2022-49226", + "reference": "https://www.cve.org/CVERecord?id=CVE-2022-49226", "scanner": { "vendor": "Microsoft" }, "score": { - "base": 6.3, - "version": "4.0" + "base": 5.5 }, "severity": "Medium", - "title": "Vulnerability found in python-unversioned-command_for_linux 0:3.9.18-3.el9_4.6 - CVE-2024-11168" + "title": "Vulnerability found in kernel 0:5.14.0-427.42.1.el9_4 - CVE-2022-49226" } }, { 
@@ -174,124 +105,56 @@ "category": [ "vulnerability" ], - "id": "fd43e5b3ba69b8ecffb165017d9c8687f24e246a-_-CVE-2025-24062-_-microsoft-_-windows_10-_-10.0.19045.5011-_-5055518", + "id": "11111111111111111_ubuntu_thunderbird-gnome-support_for_linux_1:115.18.0+build1-0ubuntu0.22.04.1_CVE-2024-43097", "kind": "event", - "original": "{\"affectedMachine\":{\"aadDeviceId\":\"79dc383d-1ba1-4ac9-9dca-792e881a5034\",\"agentVersion\":\"10.8760.19045.5011\",\"computerDnsName\":\"c-lab-14\",\"cveId\":\"CVE-2025-24062\",\"deviceValue\":\"Normal\",\"exclusionReason\":null,\"exposureLevel\":\"High\",\"firstSeen\":\"2024-11-05T11:55:28.5899758Z\",\"fixingKbId\":\"5055518\",\"healthStatus\":\"Active\",\"id\":\"fd43e5b3ba69b8ecffb165017d9c8687f24e246a-_-CVE-2025-24062-_-microsoft-_-windows_10-_-10.0.19045.5011-_-5055518\",\"ipAddresses\":[{\"ipAddress\":\"1.128.0.0\",\"macAddress\":\"00505683B889\",\"operationalStatus\":\"Up\",\"type\":\"Ethernet\"},{\"ipAddress\":\"2a02:cf40::\",\"macAddress\":\"00505683B889\",\"operationalStatus\":\"Up\",\"type\":\"Ethernet\"},{\"ipAddress\":\"81.2.69.192\",\"macAddress\":null,\"operationalStatus\":\"Up\",\"type\":\"SoftwareLoopback\"}],\"isAadJoined\":true,\"isExcluded\":false,\"isPotentialDuplication\":false,\"lastExternalIpAddress\":\"89.160.20.112\",\"lastIpAddress\":\"175.16.199.0\",\"lastSeen\":\"2025-04-21T08:24:41.3833512Z\",\"machineId\":\"fd43e5b3ba69b8ecffb165017d9c8687f24e246a\",\"machineTags\":[],\"managedBy\":\"Intune\",\"managedByStatus\":\"Unknown\",\"mergedIntoMachineId\":null,\"onboardingStatus\":\"Onboarded\",\"osArchitecture\":\"64-bit\",\"osBuild\":19045,\"osPlatform\":\"Windows10\",\"osProcessor\":\"x64\",\"osVersion\":null,\"productName\":\"windows_10\",\"productVendor\":\"microsoft\",\"productVersion\":\"10.0.19045.5011\",\"rbacGroupId\":0,\"rbacGroupName\":null,\"riskScore\":\"None\",\"severity\":\"High\",\"version\":\"22H2\",\"vmMetadata\":null},\"cveSupportability\":\"Supported\",\"cvssV3\":7.8,\"cvssVector\":\"CVSS:3.1/A
V:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C\",\"description\":\"Summary: An improper input validation vulnerability exists in the Windows DWM Core Library, which could allow an authorized attacker to locally elevate their privileges. Impact: Successful exploitation of this vulnerability could result in unauthorized privilege escalation, potentially compromising system integrity. Remediation: Apply the latest patches and updates provided by the respective vendors. [Generated by AI]\",\"epss\":0.00073,\"exploitInKit\":false,\"exploitTypes\":[\"PrivilegeEscalation\"],\"exploitUris\":[],\"exploitVerified\":false,\"exposedMachines\":7,\"firstDetected\":\"2025-04-08T18:00:48Z\",\"id\":\"CVE-2025-24062\",\"name\":\"CVE-2025-24062\",\"patchFirstAvailable\":null,\"publicExploit\":false,\"publishedOn\":\"2025-04-08T07:00:00Z\",\"severity\":\"High\",\"tags\":[\"test\"],\"updatedOn\":\"2025-04-09T20:03:01.577Z\"}", + "original": "{\"CveBatchTitle\":\"Ubuntu January 2025 Vulnerabilities\",\"CveBatchUrl\":\"https://security-metadata.canonical.com/oval/com.ubuntu.jammy.usn.oval.xml.bz2\",\"CveId\":\"CVE-2024-43097\",\"CvssScore\":7.8,\"DeviceId\":\"11111111111111111\",\"DeviceName\":\"sample-host-2\",\"ExploitabilityLevel\":\"NoExploit\",\"FirstSeenTimestamp\":\"2025-10-06 10:41:29\",\"Id\":\"11111111111111111_ubuntu_thunderbird-gnome-support_for_linux_1:115.18.0+build1-0ubuntu0.22.04.1_CVE-2024-43097\",\"IsOnboarded\":true,\"LastSeenTimestamp\":\"2025-10-06 
22:41:42\",\"OSArchitecture\":\"x64\",\"OSPlatform\":\"Linux\",\"OSVersion\":\"ubuntu_linux_22.04\",\"RbacGroupId\":0,\"RbacGroupName\":\"Unassigned\",\"RecommendationReference\":\"va-_-ubuntu-_-thunderbird-gnome-support_for_linux\",\"RecommendedSecurityUpdate\":\"CVE-2024-43097_oval:com.ubuntu.jammy:def:76631000000\",\"RecommendedSecurityUpdateId\":\"USN-7663-1\",\"RecommendedSecurityUpdateUrl\":\"https://ubuntu.com/security/notices/USN-7663-1\",\"SecurityUpdateAvailable\":true,\"SoftwareName\":\"thunderbird-gnome-support_for_linux\",\"SoftwareVendor\":\"ubuntu\",\"SoftwareVersion\":\"1:115.18.0+build1-0ubuntu0.22.04.1\",\"VulnerabilitySeverityLevel\":\"High\"}", "type": [ "info" ] }, "group": { - "id": "0" + "id": "0", + "name": "Unassigned" }, "host": { "architecture": "x64", - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "hostname": "c-lab-14", - "id": "fd43e5b3ba69b8ecffb165017d9c8687f24e246a", - "ip": [ - "89.160.20.112" - ], - "name": "c-lab-14", + "hostname": "sample-host-2", + "id": "11111111111111111", + "name": "sample-host-2", "os": { - "name": "Windows10 22H2", - "platform": "Windows10", - "type": "windows", - "version": "22H2" - }, - "risk": { - "calculated_level": "None" + "name": "Linux ubuntu_linux_22.04", + "platform": "Linux", + "type": "linux", + "version": "ubuntu_linux_22.04" } }, - "message": "Summary: An improper input validation vulnerability exists in the Windows DWM Core Library, which could allow an authorized attacker to locally elevate their privileges. Impact: Successful exploitation of this vulnerability could result in unauthorized privilege escalation, potentially compromising system integrity. Remediation: Apply the latest patches and updates provided by the respective vendors. 
[Generated by AI]", + "message": "Ubuntu January 2025 Vulnerabilities", "microsoft_defender_endpoint": { "vulnerability": { - "affected_machine": { - "aad_device_id": "79dc383d-1ba1-4ac9-9dca-792e881a5034", - "agent_version": "10.8760.19045.5011", - "computer_dns_name": "c-lab-14", - "device_value": "Normal", - "exposure_level": "High", - "first_seen": "2024-11-05T11:55:28.589Z", - "fixing_kb_id": "5055518", - "health_status": "Active", - "id": "fd43e5b3ba69b8ecffb165017d9c8687f24e246a-_-CVE-2025-24062-_-microsoft-_-windows_10-_-10.0.19045.5011-_-5055518", - "ip_addresses": [ - { - "ip_address": "1.128.0.0", - "mac_address": "00-50-56-83-B8-89", - "operational_status": "Up", - "type": "Ethernet" - }, - { - "ip_address": "2a02:cf40::", - "mac_address": "00-50-56-83-B8-89", - "operational_status": "Up", - "type": "Ethernet" - }, - { - "ip_address": "81.2.69.192", - "operational_status": "Up", - "type": "SoftwareLoopback" - } - ], - "is_aad_joined": true, - "is_excluded": false, - "is_potential_duplication": false, - "last_external_ip_address": "89.160.20.112", - "last_ip_address": "175.16.199.0", - "last_seen": "2025-04-21T08:24:41.383Z", - "machine_id": "fd43e5b3ba69b8ecffb165017d9c8687f24e246a", - "managed_by": "Intune", - "managed_by_status": "Unknown", - "onboarding_status": "Onboarded", - "os_architecture": "64-bit", - "os_build": 19045, - "os_platform": "Windows10", - "os_processor": "x64", - "product_name": "windows_10", - "product_vendor": "microsoft", - "product_version": "10.0.19045.5011", - "rbac_group_id": "0", - "risk_score": "None", - "severity": "High", - "version": "22H2" - }, - "cve_supportability": "Supported", - "cvss_v3": 7.8, - "cvss_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C", - "description": "Summary: An improper input validation vulnerability exists in the Windows DWM Core Library, which could allow an authorized attacker to locally elevate their privileges. 
Impact: Successful exploitation of this vulnerability could result in unauthorized privilege escalation, potentially compromising system integrity. Remediation: Apply the latest patches and updates provided by the respective vendors. [Generated by AI]", - "epss": 7.3E-4, - "exploit_in_kit": false, - "exploit_types": [ - "PrivilegeEscalation" - ], - "exploit_verified": false, - "exposed_machines": 7, - "first_detected": "2025-04-08T18:00:48.000Z", - "id": "CVE-2025-24062", - "impact": "Successful exploitation of this vulnerability could result in unauthorized privilege escalation, potentially compromising system integrity.", - "name": "CVE-2025-24062", - "public_exploit": false, - "published_on": "2025-04-08T07:00:00.000Z", - "remediation": "Apply the latest patches and updates provided by the respective vendors.", - "severity": "High", - "summary": "An improper input validation vulnerability exists in the Windows DWM Core Library, which could allow an authorized attacker to locally elevate their privileges.", - "tags": [ - "test" - ], - "updated_on": "2025-04-09T20:03:01.577Z" + "cve_batch_title": "Ubuntu January 2025 Vulnerabilities", + "cve_batch_url": "https://security-metadata.canonical.com/oval/com.ubuntu.jammy.usn.oval.xml.bz2", + "cve_id": "CVE-2024-43097", + "cvss_score": 7.8, + "device_id": "11111111111111111", + "device_name": "sample-host-2", + "exploitability_level": "NoExploit", + "first_seen_timestamp": "2025-10-06T10:41:29.000Z", + "id": "11111111111111111_ubuntu_thunderbird-gnome-support_for_linux_1:115.18.0+build1-0ubuntu0.22.04.1_CVE-2024-43097", + "is_onboarded": true, + "last_seen_timestamp": "2025-10-06T22:41:42.000Z", + "os_architecture": "x64", + "os_platform": "Linux", + "os_version": "ubuntu_linux_22.04", + "rbac_group_id": "0", + "rbac_group_name": "Unassigned", + "recommendation_reference": "va-_-ubuntu-_-thunderbird-gnome-support_for_linux", + "recommended_security_update": "CVE-2024-43097_oval:com.ubuntu.jammy:def:76631000000", + 
"recommended_security_update_id": "USN-7663-1", + "security_update_available": true, + "severity_level": "High", + "software_name": "thunderbird-gnome-support_for_linux", + "software_vendor": "ubuntu", + "software_version": "1:115.18.0+build1-0ubuntu0.22.04.1" } }, "observer": { 
@@ -299,270 +162,36 @@ "vendor": "Microsoft" }, "package": { - "name": "windows_10", - "version": "10.0.19045.5011" + "name": "thunderbird-gnome-support_for_linux", + "version": "1:115.18.0+build1-0ubuntu0.22.04.1" }, "related": { "hosts": [ - "79dc383d-1ba1-4ac9-9dca-792e881a5034", - "c-lab-14", - "fd43e5b3ba69b8ecffb165017d9c8687f24e246a" - ], - "ip": [ - "1.128.0.0", - "2a02:cf40::", - "81.2.69.192", - "89.160.20.112", - "175.16.199.0" + "11111111111111111", + "sample-host-2" ] }, "resource": { - "id": "fd43e5b3ba69b8ecffb165017d9c8687f24e246a", - "name": "c-lab-14" + "id": "11111111111111111", + "name": "sample-host-2" }, "tags": [ "preserve_duplicate_custom_fields" ], "vulnerability": { "classification": "CVSS", - "cve": "CVE-2025-24062", - "description": "Summary: An improper input validation vulnerability exists in the Windows DWM Core Library, which could allow an authorized attacker to locally elevate their privileges. Impact: Successful exploitation of this vulnerability could result in unauthorized privilege escalation, potentially compromising system integrity. Remediation: Apply the latest patches and updates provided by the respective vendors. 
[Generated by AI]", + "cve": "CVE-2024-43097", "enumeration": "CVE", - "id": "CVE-2025-24062", - "published_date": "2025-04-08T07:00:00.000Z", - "reference": "https://www.cve.org/CVERecord?id=CVE-2025-24062", - "scanner": { - "vendor": "Microsoft" - }, - "score": { - "base": 7.8, - "version": "3.1" - }, - "severity": "High", - "title": "Vulnerability found in windows_10 10.0.19045.5011 - CVE-2025-24062" - } - }, - { - "ecs": { - "version": "8.17.0" - }, - "event": { - "category": [ - "vulnerability" - ], - "id": "CVE-2025-47828", - "kind": "event", - "original": "{\"affectedMachine\":null,\"id\":\"CVE-2025-47828\",\"name\":\"CVE-2025-47828\",\"description\":\"Summary: The Lumi H5P-Nodejs-library versions prior to 2025-04-05 are vulnerable to cross-site scripting (XSS) due to the omission of a sanitizeHtml call for plain text strings. This flaw allows remote attackers to execute arbitrary scripts in a victims browser by leveraging specially crafted URLs. Impact: Exploitation of this vulnerability could lead to unauthorized access to sensitive information, such as cookie-based authentication credentials, and compromise the security context of the hosting website. AdditionalInformation: Ensure awareness of the affected versions and the nature of the vulnerability for proper risk assessment. Remediation: Upgrade to @Lumieducation/H5p-Server @Lumieducation/H5p-Server version later than 2024-04-05. 
[Generated by AI]\",\"severity\":\"Medium\",\"cvssV3\":6.4,\"cvssVector\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C\",\"exposedMachines\":0,\"publishedOn\":\"2025-05-11T00:00:00Z\",\"updatedOn\":\"2025-05-12T20:50:07Z\",\"firstDetected\":null,\"patchFirstAvailable\":null,\"publicExploit\":false,\"exploitVerified\":false,\"exploitInKit\":false,\"exploitTypes\":[],\"exploitUris\":[],\"cveSupportability\":\"NotSupported\",\"tags\":[],\"epss\":0.00029}", - "type": [ - "info" - ] - }, - "message": "Summary: The Lumi H5P-Nodejs-library versions prior to 2025-04-05 are vulnerable to cross-site scripting (XSS) due to the omission of a sanitizeHtml call for plain text strings. This flaw allows remote attackers to execute arbitrary scripts in a victims browser by leveraging specially crafted URLs. Impact: Exploitation of this vulnerability could lead to unauthorized access to sensitive information, such as cookie-based authentication credentials, and compromise the security context of the hosting website. AdditionalInformation: Ensure awareness of the affected versions and the nature of the vulnerability for proper risk assessment. Remediation: Upgrade to @Lumieducation/H5p-Server @Lumieducation/H5p-Server version later than 2024-04-05. [Generated by AI]", - "microsoft_defender_endpoint": { - "vulnerability": { - "cve_supportability": "NotSupported", - "cvss_v3": 6.4, - "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C", - "description": "Summary: The Lumi H5P-Nodejs-library versions prior to 2025-04-05 are vulnerable to cross-site scripting (XSS) due to the omission of a sanitizeHtml call for plain text strings. This flaw allows remote attackers to execute arbitrary scripts in a victims browser by leveraging specially crafted URLs. 
Impact: Exploitation of this vulnerability could lead to unauthorized access to sensitive information, such as cookie-based authentication credentials, and compromise the security context of the hosting website. AdditionalInformation: Ensure awareness of the affected versions and the nature of the vulnerability for proper risk assessment. Remediation: Upgrade to @Lumieducation/H5p-Server @Lumieducation/H5p-Server version later than 2024-04-05. [Generated by AI]", - "epss": 2.9E-4, - "exploit_in_kit": false, - "exploit_verified": false, - "exposed_machines": 0, - "id": "CVE-2025-47828", - "impact": "Exploitation of this vulnerability could lead to unauthorized access to sensitive information, such as cookie-based authentication credentials, and compromise the security context of the hosting website.", - "name": "CVE-2025-47828", - "public_exploit": false, - "published_on": "2025-05-11T00:00:00.000Z", - "remediation": "Upgrade to @Lumieducation/H5p-Server @Lumieducation/H5p-Server version later than 2024-04-05.", - "severity": "Medium", - "summary": "The Lumi H5P-Nodejs-library versions prior to 2025-04-05 are vulnerable to cross-site scripting (XSS) due to the omission of a sanitizeHtml call for plain text strings. This flaw allows remote attackers to execute arbitrary scripts in a victims browser by leveraging specially crafted URLs.", - "updated_on": "2025-05-12T20:50:07.000Z" - } - }, - "observer": { - "product": "Microsoft Defender for Endpoint", - "vendor": "Microsoft" - }, - "package": { - "fixed_version": "2024-04-05" - }, - "tags": [ - "preserve_duplicate_custom_fields" - ], - "vulnerability": { - "classification": "CVSS", - "cve": "CVE-2025-47828", - "description": "Summary: The Lumi H5P-Nodejs-library versions prior to 2025-04-05 are vulnerable to cross-site scripting (XSS) due to the omission of a sanitizeHtml call for plain text strings. 
This flaw allows remote attackers to execute arbitrary scripts in a victims browser by leveraging specially crafted URLs. Impact: Exploitation of this vulnerability could lead to unauthorized access to sensitive information, such as cookie-based authentication credentials, and compromise the security context of the hosting website. AdditionalInformation: Ensure awareness of the affected versions and the nature of the vulnerability for proper risk assessment. Remediation: Upgrade to @Lumieducation/H5p-Server @Lumieducation/H5p-Server version later than 2024-04-05. [Generated by AI]", - "enumeration": "CVE", - "id": "CVE-2025-47828", - "published_date": "2025-05-11T00:00:00.000Z", - "reference": "https://www.cve.org/CVERecord?id=CVE-2025-47828", - "scanner": { - "vendor": "Microsoft" - }, - "score": { - "base": 6.4, - "version": "3.1" - }, - "severity": "Medium", - "title": "Vulnerability found - CVE-2025-47828" - } - }, - { - "ecs": { - "version": "8.17.0" - }, - "event": { - "category": [ - "vulnerability" - ], - "id": "0e23b8b23f6dc0e9d84846f877b45d19c04a522d-_-TVM-2020-0002-_-vmware-_-tools-_-12.0.6.0-_-", - "kind": "event", - "original": 
"{\"affectedMachine\":{\"aadDeviceId\":\"d78dc223-8dc8-4210-9700-019b3b03505b\",\"agentVersion\":\"10.8792.19045.5737\",\"computerDnsName\":\"c-lab-08\",\"cveId\":\"TVM-2020-0002\",\"deviceValue\":\"Normal\",\"exclusionReason\":null,\"exposureLevel\":\"Low\",\"firstSeen\":\"2024-11-05T11:54:59.5717001Z\",\"fixingKbId\":null,\"healthStatus\":\"Active\",\"id\":\"0e23b8b23f6dc0e9d84846f877b45d19c04a522d-_-TVM-2020-0002-_-vmware-_-tools-_-12.0.6.0-_-\",\"ipAddresses\":[{\"ipAddress\":\"216.160.83.56\",\"macAddress\":\"00505683B880\",\"operationalStatus\":\"Up\",\"type\":\"Ethernet\"}],\"isAadJoined\":true,\"isExcluded\":false,\"isPotentialDuplication\":false,\"lastExternalIpAddress\":\"67.43.156.0\",\"lastIpAddress\":\"89.160.20.128\",\"lastSeen\":\"2025-04-22T05:48:04.7550736Z\",\"machineId\":\"0e23b8b23f6dc0e9d84846f877b45d19c04a522d\",\"machineTags\":[\"test tag 1\"],\"managedBy\":\"Intune\",\"managedByStatus\":\"Unknown\",\"mergedIntoMachineId\":null,\"onboardingStatus\":\"Onboarded\",\"osArchitecture\":\"64-bit\",\"osBuild\":19045,\"osPlatform\":\"Windows10\",\"osProcessor\":\"x64\",\"osVersion\":null,\"productName\":\"tools\",\"productVendor\":\"vmware\",\"productVersion\":\"12.0.6.0\",\"rbacGroupId\":0,\"rbacGroupName\":null,\"riskScore\":\"None\",\"severity\":\"High\",\"version\":\"22H2\",\"vmMetadata\":null},\"cveSupportability\":\"Supported\",\"cvssV3\":7,\"cvssVector\":\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C\",\"description\":\"Summary: VMware Tools and Open Virtual Machine Tools are vulnerable to a local privilege escalation vulnerability. An attacker with local non-administrative access to the Guest OS can exploit this vulnerability to escalate privileges as a root user in the virtual machine. Impact: If exploited, this vulnerability could allow a malicious actor to gain elevated privileges on the system, potentially leading to unauthorized access, data theft, or further compromise of the virtual machine. 
AdditionalInformation: TVM-2020-0002 is associated with this vulnerability. It is recommended to refer to the CVE page for more details, including the impact, CVSS score, and acknowledgments. Remediation: Apply the latest patches and updates provided by the respective vendors. [Generated by AI]\",\"epss\":0.00053,\"exploitInKit\":false,\"exploitTypes\":[\"PrivilegeEscalation\"],\"exploitUris\":[],\"exploitVerified\":false,\"exposedMachines\":12,\"firstDetected\":\"2025-01-01T08:22:58Z\",\"id\":\"TVM-2020-0002\",\"name\":\"TVM-2020-0002\",\"patchFirstAvailable\":null,\"publicExploit\":false,\"publishedOn\":\"2022-08-23T00:00:00Z\",\"severity\":\"High\",\"tags\":[],\"updatedOn\":\"2024-12-10T00:00:00Z\"}", - "type": [ - "info" - ] - }, - "group": { - "id": "0" - }, - "host": { - "architecture": "x64", - "geo": { - "continent_name": "Asia", - "country_iso_code": "BT", - "country_name": "Bhutan", - "location": { - "lat": 27.5, - "lon": 90.5 - } - }, - "hostname": "c-lab-08", - "id": "0e23b8b23f6dc0e9d84846f877b45d19c04a522d", - "ip": [ - "67.43.156.0" - ], - "name": "c-lab-08", - "os": { - "name": "Windows10 22H2", - "platform": "Windows10", - "type": "windows", - "version": "22H2" - }, - "risk": { - "calculated_level": "None" - } - }, - "message": "Summary: VMware Tools and Open Virtual Machine Tools are vulnerable to a local privilege escalation vulnerability. An attacker with local non-administrative access to the Guest OS can exploit this vulnerability to escalate privileges as a root user in the virtual machine. Impact: If exploited, this vulnerability could allow a malicious actor to gain elevated privileges on the system, potentially leading to unauthorized access, data theft, or further compromise of the virtual machine. AdditionalInformation: TVM-2020-0002 is associated with this vulnerability. It is recommended to refer to the CVE page for more details, including the impact, CVSS score, and acknowledgments. 
Remediation: Apply the latest patches and updates provided by the respective vendors. [Generated by AI]", - "microsoft_defender_endpoint": { - "vulnerability": { - "affected_machine": { - "aad_device_id": "d78dc223-8dc8-4210-9700-019b3b03505b", - "agent_version": "10.8792.19045.5737", - "computer_dns_name": "c-lab-08", - "device_value": "Normal", - "exposure_level": "Low", - "first_seen": "2024-11-05T11:54:59.571Z", - "health_status": "Active", - "id": "0e23b8b23f6dc0e9d84846f877b45d19c04a522d-_-TVM-2020-0002-_-vmware-_-tools-_-12.0.6.0-_-", - "ip_addresses": [ - { - "ip_address": "216.160.83.56", - "mac_address": "00-50-56-83-B8-80", - "operational_status": "Up", - "type": "Ethernet" - } - ], - "is_aad_joined": true, - "is_excluded": false, - "is_potential_duplication": false, - "last_external_ip_address": "67.43.156.0", - "last_ip_address": "89.160.20.128", - "last_seen": "2025-04-22T05:48:04.755Z", - "machine_id": "0e23b8b23f6dc0e9d84846f877b45d19c04a522d", - "machine_tags": [ - "test tag 1" - ], - "managed_by": "Intune", - "managed_by_status": "Unknown", - "onboarding_status": "Onboarded", - "os_architecture": "64-bit", - "os_build": 19045, - "os_platform": "Windows10", - "os_processor": "x64", - "product_name": "tools", - "product_vendor": "vmware", - "product_version": "12.0.6.0", - "rbac_group_id": "0", - "risk_score": "None", - "severity": "High", - "version": "22H2" - }, - "cve_supportability": "Supported", - "cvss_v3": 7.0, - "cvss_vector": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C", - "description": "Summary: VMware Tools and Open Virtual Machine Tools are vulnerable to a local privilege escalation vulnerability. An attacker with local non-administrative access to the Guest OS can exploit this vulnerability to escalate privileges as a root user in the virtual machine. 
Impact: If exploited, this vulnerability could allow a malicious actor to gain elevated privileges on the system, potentially leading to unauthorized access, data theft, or further compromise of the virtual machine. AdditionalInformation: TVM-2020-0002 is associated with this vulnerability. It is recommended to refer to the CVE page for more details, including the impact, CVSS score, and acknowledgments. Remediation: Apply the latest patches and updates provided by the respective vendors. [Generated by AI]", - "epss": 5.3E-4, - "exploit_in_kit": false, - "exploit_types": [ - "PrivilegeEscalation" - ], - "exploit_verified": false, - "exposed_machines": 12, - "first_detected": "2025-01-01T08:22:58.000Z", - "id": "TVM-2020-0002", - "impact": "If exploited, this vulnerability could allow a malicious actor to gain elevated privileges on the system, potentially leading to unauthorized access, data theft, or further compromise of the virtual machine.", - "name": "TVM-2020-0002", - "public_exploit": false, - "published_on": "2022-08-23T00:00:00.000Z", - "remediation": "Apply the latest patches and updates provided by the respective vendors.", - "severity": "High", - "summary": "VMware Tools and Open Virtual Machine Tools are vulnerable to a local privilege escalation vulnerability. 
An attacker with local non-administrative access to the Guest OS can exploit this vulnerability to escalate privileges as a root user in the virtual machine.", - "updated_on": "2024-12-10T00:00:00.000Z" - } - }, - "observer": { - "product": "Microsoft Defender for Endpoint", - "vendor": "Microsoft" - }, - "package": { - "name": "tools", - "version": "12.0.6.0" - }, - "related": { - "hosts": [ - "d78dc223-8dc8-4210-9700-019b3b03505b", - "c-lab-08", - "0e23b8b23f6dc0e9d84846f877b45d19c04a522d" - ], - "ip": [ - "216.160.83.56", - "67.43.156.0", - "89.160.20.128" - ] - }, - "resource": { - "id": "0e23b8b23f6dc0e9d84846f877b45d19c04a522d", - "name": "c-lab-08" - }, - "tags": [ - "preserve_duplicate_custom_fields" - ], - "vulnerability": { - "classification": "CVSS", - "description": "Summary: VMware Tools and Open Virtual Machine Tools are vulnerable to a local privilege escalation vulnerability. An attacker with local non-administrative access to the Guest OS can exploit this vulnerability to escalate privileges as a root user in the virtual machine. Impact: If exploited, this vulnerability could allow a malicious actor to gain elevated privileges on the system, potentially leading to unauthorized access, data theft, or further compromise of the virtual machine. AdditionalInformation: TVM-2020-0002 is associated with this vulnerability. It is recommended to refer to the CVE page for more details, including the impact, CVSS score, and acknowledgments. Remediation: Apply the latest patches and updates provided by the respective vendors. 
[Generated by AI]", - "enumeration": "TVM", - "id": "TVM-2020-0002", - "published_date": "2022-08-23T00:00:00.000Z", + "id": "CVE-2024-43097", + "reference": "https://www.cve.org/CVERecord?id=CVE-2024-43097", "scanner": { "vendor": "Microsoft" }, "score": { - "base": 7.0, - "version": "3.0" + "base": 7.8 }, "severity": "High", - "title": "Vulnerability found in tools 12.0.6.0 - TVM-2020-0002" + "title": "Vulnerability found in thunderbird-gnome-support_for_linux 1:115.18.0+build1-0ubuntu0.22.04.1 - CVE-2024-43097" } }, { 
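Review bot: The rewritten `vulnerability.score` object in this hunk keeps only `"base": 7.8` while `"classification": "CVSS"` is retained, so the expected document now asserts a CVSS score with no `version`; the export record feeding these documents (see `"CvssScore":7` in the `event.original` of the next hunk) carries no CVSS version, so consumers such as detection rules or dashboards that key on `vulnerability.score.version` can no longer distinguish a v2 from a v3 base score. The same shape is pinned again in the `@@ -682,52 +259,39 @@` hunk below. If the export API genuinely omits the version, I'd state that in the data stream's field description for `vulnerability.score.base` (outside this diff) rather than letting the field go silently absent; if the pipeline can derive it, restore `"version"` here. The enclosing JSON document starts before this hunk.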
@@ -573,108 +202,56 @@ "category": [ "vulnerability" ], - "id": "0e23b8b23f6dc0e9d84846f877b45d19c04a522d-_-TVM-2020-0002-_-vmware-_-tools-_-12.0.6.0-_-", + "id": "aaasasasasasa_microsoft_windows_10_10.0.19045.6093_CVE-2025-49734", "kind": "event", - "original": "{\"affectedMachine\":{\"aadDeviceId\":\"d78dc223-8dc8-4210-9700-019b3b03505b\",\"agentVersion\":\"10.8792.19045.5737\",\"computerDnsName\":\"c-lab-08\",\"cveId\":\"TVM-2020-0002\",\"deviceValue\":\"Normal\",\"exclusionReason\":null,\"exposureLevel\":\"Low\",\"firstSeen\":\"2024-11-05T11:54:59.5717001Z\",\"fixingKbId\":null,\"healthStatus\":\"Active\",\"id\":\"0e23b8b23f6dc0e9d84846f877b45d19c04a522d-_-TVM-2020-0002-_-vmware-_-tools-_-12.0.6.0-_-\",\"ipAddresses\":[{\"ipAddress\":\"\",\"macAddress\":\"00505683B880\",\"operationalStatus\":\"Up\",\"type\":\"Ethernet\"}],\"isAadJoined\":true,\"isExcluded\":false,\"isPotentialDuplication\":false,\"lastExternalIpAddress\":\"67.43.156.0\",\"lastIpAddress\":\"89.160.20.128\",\"lastSeen\":\"2025-04-22T05:48:04.7550736Z\",\"machineId\":\"0e23b8b23f6dc0e9d84846f877b45d19c04a522d\",\"machineTags\":[\"test tag 1\"],\"managedBy\":\"Intune\",\"managedByStatus\":\"Unknown\",\"mergedIntoMachineId\":null,\"onboardingStatus\":\"Onboarded\",\"osArchitecture\":\"64-bit\",\"osBuild\":19045,\"osPlatform\":\"Windows10\",\"osProcessor\":\"x64\",\"osVersion\":null,\"productName\":\"tools\",\"productVendor\":\"vmware\",\"productVersion\":\"12.0.6.0\",\"rbacGroupId\":0,\"rbacGroupName\":null,\"riskScore\":\"None\",\"severity\":\"High\",\"version\":\"22H2\",\"vmMetadata\":null},\"cveSupportability\":\"Supported\",\"cvssV3\":7,\"cvssVector\":\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C\",\"description\":\"Summary: VMware Tools and Open Virtual Machine Tools are vulnerable to a local privilege escalation vulnerability. 
An attacker with local non-administrative access to the Guest OS can exploit this vulnerability to escalate privileges as a root user in the virtual machine. Impact: If exploited, this vulnerability could allow a malicious actor to gain elevated privileges on the system, potentially leading to unauthorized access, data theft, or further compromise of the virtual machine. AdditionalInformation: TVM-2020-0002 is associated with this vulnerability. It is recommended to refer to the CVE page for more details, including the impact, CVSS score, and acknowledgments. Remediation: Apply the latest patches and updates provided by the respective vendors. [Generated by AI]\",\"epss\":0.00053,\"exploitInKit\":false,\"exploitTypes\":[\"PrivilegeEscalation\"],\"exploitUris\":[],\"exploitVerified\":false,\"exposedMachines\":12,\"firstDetected\":\"2025-01-01T08:22:58Z\",\"id\":\"TVM-2020-0002\",\"name\":\"TVM-2020-0002\",\"patchFirstAvailable\":null,\"publicExploit\":false,\"publishedOn\":\"2022-08-23T00:00:00Z\",\"severity\":\"High\",\"tags\":[],\"updatedOn\":\"2024-12-10T00:00:00Z\"}", + "original": "{\"CveBatchTitle\":\"Microsoft September 2025 Security Updates\",\"CveBatchUrl\":\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2025-49734\",\"CveId\":\"CVE-2025-49734\",\"CvssScore\":7,\"DeviceId\":\"aaasasasasasa\",\"DeviceName\":\"host-3\",\"ExploitabilityLevel\":\"NoExploit\",\"FirstSeenTimestamp\":\"2025-09-09 17:30:58\",\"Id\":\"aaasasasasasa_microsoft_windows_10_10.0.19045.6093_CVE-2025-49734\",\"IsOnboarded\":true,\"LastSeenTimestamp\":\"2025-10-07 00:08:23\",\"OSArchitecture\":\"x64\",\"OSPlatform\":\"Windows10\",\"OSVersion\":\"10.0.19045.6093\",\"RbacGroupId\":0,\"RbacGroupName\":\"Unassigned\",\"RecommendationReference\":\"va-_-microsoft-_-windows_10\",\"RecommendedSecurityUpdate\":\"September 2025 Security 
Updates\",\"RecommendedSecurityUpdateId\":\"5065429\",\"RecommendedSecurityUpdateUrl\":\"https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5065429\",\"SecurityUpdateAvailable\":true,\"SoftwareName\":\"windows_10\",\"SoftwareVendor\":\"microsoft\",\"SoftwareVersion\":\"10.0.19045.6093\",\"VulnerabilitySeverityLevel\":\"High\"}", "type": [ "info" ] }, "group": { - "id": "0" + "id": "0", + "name": "Unassigned" }, "host": { "architecture": "x64", - "geo": { - "continent_name": "Asia", - "country_iso_code": "BT", - "country_name": "Bhutan", - "location": { - "lat": 27.5, - "lon": 90.5 - } - }, - "hostname": "c-lab-08", - "id": "0e23b8b23f6dc0e9d84846f877b45d19c04a522d", - "ip": [ - "67.43.156.0" - ], - "name": "c-lab-08", + "hostname": "host-3", + "id": "aaasasasasasa", + "name": "host-3", "os": { - "name": "Windows10 22H2", + "name": "Windows10 10.0.19045.6093", "platform": "Windows10", "type": "windows", - "version": "22H2" - }, - "risk": { - "calculated_level": "None" + "version": "10.0.19045.6093" } }, - "message": "Summary: VMware Tools and Open Virtual Machine Tools are vulnerable to a local privilege escalation vulnerability. An attacker with local non-administrative access to the Guest OS can exploit this vulnerability to escalate privileges as a root user in the virtual machine. Impact: If exploited, this vulnerability could allow a malicious actor to gain elevated privileges on the system, potentially leading to unauthorized access, data theft, or further compromise of the virtual machine. AdditionalInformation: TVM-2020-0002 is associated with this vulnerability. It is recommended to refer to the CVE page for more details, including the impact, CVSS score, and acknowledgments. Remediation: Apply the latest patches and updates provided by the respective vendors. 
[Generated by AI]", + "message": "Microsoft September 2025 Security Updates", "microsoft_defender_endpoint": { "vulnerability": { - "affected_machine": { - "aad_device_id": "d78dc223-8dc8-4210-9700-019b3b03505b", - "agent_version": "10.8792.19045.5737", - "computer_dns_name": "c-lab-08", - "device_value": "Normal", - "exposure_level": "Low", - "first_seen": "2024-11-05T11:54:59.571Z", - "health_status": "Active", - "id": "0e23b8b23f6dc0e9d84846f877b45d19c04a522d-_-TVM-2020-0002-_-vmware-_-tools-_-12.0.6.0-_-", - "ip_addresses": [ - { - "mac_address": "00-50-56-83-B8-80", - "operational_status": "Up", - "type": "Ethernet" - } - ], - "is_aad_joined": true, - "is_excluded": false, - "is_potential_duplication": false, - "last_external_ip_address": "67.43.156.0", - "last_ip_address": "89.160.20.128", - "last_seen": "2025-04-22T05:48:04.755Z", - "machine_id": "0e23b8b23f6dc0e9d84846f877b45d19c04a522d", - "machine_tags": [ - "test tag 1" - ], - "managed_by": "Intune", - "managed_by_status": "Unknown", - "onboarding_status": "Onboarded", - "os_architecture": "64-bit", - "os_build": 19045, - "os_platform": "Windows10", - "os_processor": "x64", - "product_name": "tools", - "product_vendor": "vmware", - "product_version": "12.0.6.0", - "rbac_group_id": "0", - "risk_score": "None", - "severity": "High", - "version": "22H2" - }, - "cve_supportability": "Supported", - "cvss_v3": 7.0, - "cvss_vector": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C", - "description": "Summary: VMware Tools and Open Virtual Machine Tools are vulnerable to a local privilege escalation vulnerability. An attacker with local non-administrative access to the Guest OS can exploit this vulnerability to escalate privileges as a root user in the virtual machine. Impact: If exploited, this vulnerability could allow a malicious actor to gain elevated privileges on the system, potentially leading to unauthorized access, data theft, or further compromise of the virtual machine. 
AdditionalInformation: TVM-2020-0002 is associated with this vulnerability. It is recommended to refer to the CVE page for more details, including the impact, CVSS score, and acknowledgments. Remediation: Apply the latest patches and updates provided by the respective vendors. [Generated by AI]", - "epss": 5.3E-4, - "exploit_in_kit": false, - "exploit_types": [ - "PrivilegeEscalation" - ], - "exploit_verified": false, - "exposed_machines": 12, - "first_detected": "2025-01-01T08:22:58.000Z", - "id": "TVM-2020-0002", - "impact": "If exploited, this vulnerability could allow a malicious actor to gain elevated privileges on the system, potentially leading to unauthorized access, data theft, or further compromise of the virtual machine.", - "name": "TVM-2020-0002", - "public_exploit": false, - "published_on": "2022-08-23T00:00:00.000Z", - "remediation": "Apply the latest patches and updates provided by the respective vendors.", - "severity": "High", - "summary": "VMware Tools and Open Virtual Machine Tools are vulnerable to a local privilege escalation vulnerability. 
An attacker with local non-administrative access to the Guest OS can exploit this vulnerability to escalate privileges as a root user in the virtual machine.", - "updated_on": "2024-12-10T00:00:00.000Z" + "cve_batch_title": "Microsoft September 2025 Security Updates", + "cve_batch_url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2025-49734", + "cve_id": "CVE-2025-49734", + "cvss_score": 7.0, + "device_id": "aaasasasasasa", + "device_name": "host-3", + "exploitability_level": "NoExploit", + "first_seen_timestamp": "2025-09-09T17:30:58.000Z", + "id": "aaasasasasasa_microsoft_windows_10_10.0.19045.6093_CVE-2025-49734", + "is_onboarded": true, + "last_seen_timestamp": "2025-10-07T00:08:23.000Z", + "os_architecture": "x64", + "os_platform": "Windows10", + "os_version": "10.0.19045.6093", + "rbac_group_id": "0", + "rbac_group_name": "Unassigned", + "recommendation_reference": "va-_-microsoft-_-windows_10", + "recommended_security_update": "September 2025 Security Updates", + "recommended_security_update_id": "5065429", + "security_update_available": true, + "severity_level": "High", + "software_name": "windows_10", + "software_vendor": "microsoft", + "software_version": "10.0.19045.6093" } }, "observer": { 
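Review bot: The expected `"first_seen_timestamp": "2025-09-09T17:30:58.000Z"` and `"last_seen_timestamp": "2025-10-07T00:08:23.000Z"` pin a UTC reading of `FirstSeenTimestamp` `2025-09-09 17:30:58` and `LastSeenTimestamp` `2025-10-07 00:08:23` from `event.original`, which carry no zone or offset. That is only correct if the export API emits UTC wall-clock times; if it reports a tenant-local zone, first/last-seen values drift by hours and this fixture would lock in the wrong contract, which matters for any alert that windows on `last_seen_timestamp`. I'd make the assumption explicit in the date processor that parses these two fields in the ingest pipeline (outside this diff), e.g. a processor `description` reading `Export timestamps carry no offset and are treated as UTC` — confirm against the API documentation before committing to it. The enclosing JSON document starts before and ends after this hunk.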
@@ -682,52 +259,39 @@
 "vendor": "Microsoft"
 },
 "package": {
- "name": "tools",
- "version": "12.0.6.0"
+ "name": "windows_10",
+ "version": "10.0.19045.6093"
 },
 "related": {
 "hosts": [
- "d78dc223-8dc8-4210-9700-019b3b03505b",
- "c-lab-08",
- "0e23b8b23f6dc0e9d84846f877b45d19c04a522d"
- ],
- "ip": [
- "67.43.156.0",
- "89.160.20.128"
+ "aaasasasasasa",
+ "host-3"
 ]
 },
 "resource": {
- "id": "0e23b8b23f6dc0e9d84846f877b45d19c04a522d",
- "name": "c-lab-08"
+ "id": "aaasasasasasa",
+ "name": "host-3"
 },
 "tags": [
 "preserve_duplicate_custom_fields"
 ],
 "vulnerability": {
 "classification": "CVSS",
- "description": "Summary: VMware Tools and Open Virtual Machine Tools are vulnerable to a local privilege escalation vulnerability. An attacker with local non-administrative access to the Guest OS can exploit this vulnerability to escalate privileges as a root user in the virtual machine. Impact: If exploited, this vulnerability could allow a malicious actor to gain elevated privileges on the system, potentially leading to unauthorized access, data theft, or further compromise of the virtual machine. AdditionalInformation: TVM-2020-0002 is associated with this vulnerability. It is recommended to refer to the CVE page for more details, including the impact, CVSS score, and acknowledgments. Remediation: Apply the latest patches and updates provided by the respective vendors. [Generated by AI]",
- "enumeration": "TVM",
- "id": "TVM-2020-0002",
- "published_date": "2022-08-23T00:00:00.000Z",
+ "cve": "CVE-2025-49734",
+ "enumeration": "CVE",
+ "id": "CVE-2025-49734",
+ "reference": "https://www.cve.org/CVERecord?id=CVE-2025-49734",
 "scanner": {
 "vendor": "Microsoft"
 },
 "score": {
- "base": 7.0,
- "version": "3.0"
+ "base": 7.0
 },
 "severity": "High",
- "title": "Vulnerability found in tools 12.0.6.0 - TVM-2020-0002"
+ "title": "Vulnerability found in windows_10 10.0.19045.6093 - CVE-2025-49734"
 }
 },
 {
- "cloud": {
- "instance": {
- "id": "ecdc774f-45b4-4e33-97c8-f777e134131a"
- },
- "provider": "azure",
- "resource_id": "/subscriptions/e1685f98-517c-4ffe-b7d5-d6cb9d563ec2/resourceGroups/R15_Sentinel/providers/Microsoft.HybridCompute/machines/C-Lab-10"
- },
 "ecs": {
 "version": "8.17.0"
 },
@@ -735,115 +299,58 @@ "category": [ "vulnerability" ], - "id": "0e23b8b23f6dc0e9d84846f877b45d19c04a522d-_-TVM-2020-0002-_-vmware-_-tools-_-12.0.6.0-_-", + "id": "bbbbbbbbbbbbbb_vmware_tools_12.0.6.0_CVE-2022-31676", "kind": "event", - "original": "{\"affectedMachine\":{\"aadDeviceId\":\"d78dc223-8dc8-4210-9700-019b3b03505b\",\"agentVersion\":\"10.8792.19045.5737\",\"computerDnsName\":\"c-lab-08\",\"cveId\":\"TVM-2020-0002\",\"deviceValue\":\"Normal\",\"exclusionReason\":null,\"exposureLevel\":\"Low\",\"firstSeen\":\"2024-11-05T11:54:59.5717001Z\",\"fixingKbId\":null,\"healthStatus\":\"Active\",\"id\":\"0e23b8b23f6dc0e9d84846f877b45d19c04a522d-_-TVM-2020-0002-_-vmware-_-tools-_-12.0.6.0-_-\",\"ipAddresses\":[{\"ipAddress\":\"216.160.83.56\",\"macAddress\":\"00505683B880\",\"operationalStatus\":\"Up\",\"type\":\"Ethernet\"}],\"isAadJoined\":true,\"isExcluded\":false,\"isPotentialDuplication\":false,\"lastExternalIpAddress\":\"67.43.156.0\",\"lastIpAddress\":\"89.160.20.128\",\"lastSeen\":\"2025-04-22T05:48:04.7550736Z\",\"machineId\":\"0e23b8b23f6dc0e9d84846f877b45d19c04a522d\",\"machineTags\":[\"test tag 
1\"],\"managedBy\":\"Intune\",\"managedByStatus\":\"Unknown\",\"mergedIntoMachineId\":null,\"onboardingStatus\":\"Onboarded\",\"osArchitecture\":\"64-bit\",\"osBuild\":19045,\"osPlatform\":\"Windows10\",\"osProcessor\":\"x64\",\"osVersion\":null,\"productName\":\"tools\",\"productVendor\":\"vmware\",\"productVersion\":\"12.0.6.0\",\"rbacGroupId\":0,\"rbacGroupName\":null,\"riskScore\":\"None\",\"severity\":\"High\",\"version\":\"22H2\",\"vmMetadata\":{\"cloudProvider\":\"Azure\",\"resourceId\":\"/subscriptions/e1685f98-517c-4ffe-b7d5-d6cb9d563ec2/resourceGroups/R15_Sentinel/providers/Microsoft.HybridCompute/machines/C-Lab-10\",\"subscriptionId\":\"e1685f98-517c-4ffe-b7d5-d6cb9d563ec2\",\"vmId\":\"ecdc774f-45b4-4e33-97c8-f777e134131a\"}},\"cveSupportability\":\"Supported\",\"cvssV3\":7,\"cvssVector\":\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C\",\"description\":\"Summary: VMware Tools and Open Virtual Machine Tools are vulnerable to a local privilege escalation vulnerability. An attacker with local non-administrative access to the Guest OS can exploit this vulnerability to escalate privileges as a root user in the virtual machine. Impact: If exploited, this vulnerability could allow a malicious actor to gain elevated privileges on the system, potentially leading to unauthorized access, data theft, or further compromise of the virtual machine. AdditionalInformation: TVM-2020-0002 is associated with this vulnerability. It is recommended to refer to the CVE page for more details, including the impact, CVSS score, and acknowledgments. Remediation: Apply the latest patches and updates provided by the respective vendors. 
[Generated by AI]\",\"epss\":0.00053,\"exploitInKit\":false,\"exploitTypes\":[\"PrivilegeEscalation\"],\"exploitUris\":[],\"exploitVerified\":false,\"exposedMachines\":12,\"firstDetected\":\"2025-01-01T08:22:58Z\",\"id\":\"TVM-2020-0002\",\"name\":\"TVM-2020-0002\",\"patchFirstAvailable\":null,\"publicExploit\":false,\"publishedOn\":\"2022-08-23T00:00:00Z\",\"severity\":\"High\",\"tags\":[],\"updatedOn\":\"2024-12-10T00:00:00Z\"}", + "original": "{\"CveBatchTitle\":\"Vmware August 2022 Vulnerabilities\",\"CveBatchUrl\":\"https://www.vmware.com/security/advisories/VMSA-2022-0024.1.html\",\"CveId\":\"CVE-2022-31676\",\"CvssScore\":7,\"DeviceId\":\"bbbbbbbbbbbbbb\",\"DeviceName\":\"host-4\",\"DiskPaths\":[\"C:\\\\Program Files\\\\VMware\\\\VMware Tools\\\\VMware VGAuth\\\\VMwareAliasImport.exe\"],\"ExploitabilityLevel\":\"NoExploit\",\"FirstSeenTimestamp\":\"2025-08-02 15:09:51\",\"Id\":\"bbbbbbbbbbbbbb_vmware_tools_12.0.6.0_CVE-2022-31676\",\"IsOnboarded\":true,\"LastSeenTimestamp\":\"2025-10-06 19:49:51\",\"OSArchitecture\":\"x64\",\"OSPlatform\":\"Windows10\",\"OSVersion\":\"10.0.19045.6332\",\"RbacGroupId\":0,\"RbacGroupName\":\"Unassigned\",\"RecommendationReference\":\"va-_-vmware-_-tools\",\"RecommendedSecurityUpdate\":\"VMware Tools update addresses a local privilege escalation vulnerability (CVE-2022-31676)\",\"RegistryPaths\":[],\"SecurityUpdateAvailable\":true,\"SoftwareName\":\"tools\",\"SoftwareVendor\":\"vmware\",\"SoftwareVersion\":\"12.0.6.0\",\"VulnerabilitySeverityLevel\":\"High\"}", "type": [ "info" ] }, "group": { - "id": "0" + "id": "0", + "name": "Unassigned" }, "host": { "architecture": "x64", - "geo": { - "continent_name": "Asia", - "country_iso_code": "BT", - "country_name": "Bhutan", - "location": { - "lat": 27.5, - "lon": 90.5 - } - }, - "hostname": "c-lab-08", - "id": "0e23b8b23f6dc0e9d84846f877b45d19c04a522d", - "ip": [ - "67.43.156.0" - ], - "name": "c-lab-08", + "hostname": "host-4", + "id": "bbbbbbbbbbbbbb", + "name": "host-4", "os": { 
- "name": "Windows10 22H2", + "name": "Windows10 10.0.19045.6332", "platform": "Windows10", "type": "windows", - "version": "22H2" - }, - "risk": { - "calculated_level": "None" + "version": "10.0.19045.6332" } }, - "message": "Summary: VMware Tools and Open Virtual Machine Tools are vulnerable to a local privilege escalation vulnerability. An attacker with local non-administrative access to the Guest OS can exploit this vulnerability to escalate privileges as a root user in the virtual machine. Impact: If exploited, this vulnerability could allow a malicious actor to gain elevated privileges on the system, potentially leading to unauthorized access, data theft, or further compromise of the virtual machine. AdditionalInformation: TVM-2020-0002 is associated with this vulnerability. It is recommended to refer to the CVE page for more details, including the impact, CVSS score, and acknowledgments. Remediation: Apply the latest patches and updates provided by the respective vendors. [Generated by AI]", + "message": "Vmware August 2022 Vulnerabilities", "microsoft_defender_endpoint": { "vulnerability": { - "affected_machine": { - "aad_device_id": "d78dc223-8dc8-4210-9700-019b3b03505b", - "agent_version": "10.8792.19045.5737", - "computer_dns_name": "c-lab-08", - "device_value": "Normal", - "exposure_level": "Low", - "first_seen": "2024-11-05T11:54:59.571Z", - "health_status": "Active", - "id": "0e23b8b23f6dc0e9d84846f877b45d19c04a522d-_-TVM-2020-0002-_-vmware-_-tools-_-12.0.6.0-_-", - "ip_addresses": [ - { - "ip_address": "216.160.83.56", - "mac_address": "00-50-56-83-B8-80", - "operational_status": "Up", - "type": "Ethernet" - } - ], - "is_aad_joined": true, - "is_excluded": false, - "is_potential_duplication": false, - "last_external_ip_address": "67.43.156.0", - "last_ip_address": "89.160.20.128", - "last_seen": "2025-04-22T05:48:04.755Z", - "machine_id": "0e23b8b23f6dc0e9d84846f877b45d19c04a522d", - "machine_tags": [ - "test tag 1" - ], - "managed_by": "Intune", - 
"managed_by_status": "Unknown", - "onboarding_status": "Onboarded", - "os_architecture": "64-bit", - "os_build": 19045, - "os_platform": "Windows10", - "os_processor": "x64", - "product_name": "tools", - "product_vendor": "vmware", - "product_version": "12.0.6.0", - "rbac_group_id": "0", - "risk_score": "None", - "severity": "High", - "version": "22H2", - "vmMetadata": { - "cloud_provider": "Azure", - "resource_id": "/subscriptions/e1685f98-517c-4ffe-b7d5-d6cb9d563ec2/resourceGroups/R15_Sentinel/providers/Microsoft.HybridCompute/machines/C-Lab-10", - "subscription_id": "e1685f98-517c-4ffe-b7d5-d6cb9d563ec2", - "vm_id": "ecdc774f-45b4-4e33-97c8-f777e134131a" - } - }, - "cve_supportability": "Supported", - "cvss_v3": 7.0, - "cvss_vector": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C", - "description": "Summary: VMware Tools and Open Virtual Machine Tools are vulnerable to a local privilege escalation vulnerability. An attacker with local non-administrative access to the Guest OS can exploit this vulnerability to escalate privileges as a root user in the virtual machine. Impact: If exploited, this vulnerability could allow a malicious actor to gain elevated privileges on the system, potentially leading to unauthorized access, data theft, or further compromise of the virtual machine. AdditionalInformation: TVM-2020-0002 is associated with this vulnerability. It is recommended to refer to the CVE page for more details, including the impact, CVSS score, and acknowledgments. Remediation: Apply the latest patches and updates provided by the respective vendors. 
[Generated by AI]", - "epss": 5.3E-4, - "exploit_in_kit": false, - "exploit_types": [ - "PrivilegeEscalation" + "cve_batch_title": "Vmware August 2022 Vulnerabilities", + "cve_batch_url": "https://www.vmware.com/security/advisories/VMSA-2022-0024.1.html", + "cve_id": "CVE-2022-31676", + "cvss_score": 7.0, + "device_id": "bbbbbbbbbbbbbb", + "device_name": "host-4", + "disk_paths": [ + "C:\\Program Files\\VMware\\VMware Tools\\VMware VGAuth\\VMwareAliasImport.exe" ], - "exploit_verified": false, - "exposed_machines": 12, - "first_detected": "2025-01-01T08:22:58.000Z", - "id": "TVM-2020-0002", - "impact": "If exploited, this vulnerability could allow a malicious actor to gain elevated privileges on the system, potentially leading to unauthorized access, data theft, or further compromise of the virtual machine.", - "name": "TVM-2020-0002", - "public_exploit": false, - "published_on": "2022-08-23T00:00:00.000Z", - "remediation": "Apply the latest patches and updates provided by the respective vendors.", - "severity": "High", - "summary": "VMware Tools and Open Virtual Machine Tools are vulnerable to a local privilege escalation vulnerability. 
An attacker with local non-administrative access to the Guest OS can exploit this vulnerability to escalate privileges as a root user in the virtual machine.", - "updated_on": "2024-12-10T00:00:00.000Z" + "exploitability_level": "NoExploit", + "first_seen_timestamp": "2025-08-02T15:09:51.000Z", + "id": "bbbbbbbbbbbbbb_vmware_tools_12.0.6.0_CVE-2022-31676", + "is_onboarded": true, + "last_seen_timestamp": "2025-10-06T19:49:51.000Z", + "os_architecture": "x64", + "os_platform": "Windows10", + "os_version": "10.0.19045.6332", + "rbac_group_id": "0", + "rbac_group_name": "Unassigned", + "recommendation_reference": "va-_-vmware-_-tools", + "recommended_security_update": "VMware Tools update addresses a local privilege escalation vulnerability (CVE-2022-31676)", + "security_update_available": true, + "severity_level": "High", + "software_name": "tools", + "software_vendor": "vmware", + "software_version": "12.0.6.0" } }, "observer": { 
@@ -856,38 +363,31 @@ }, "related": { "hosts": [ - "d78dc223-8dc8-4210-9700-019b3b03505b", - "c-lab-08", - "0e23b8b23f6dc0e9d84846f877b45d19c04a522d" - ], - "ip": [ - "216.160.83.56", - "67.43.156.0", - "89.160.20.128" + "bbbbbbbbbbbbbb", + "host-4" ] }, "resource": { - "id": "0e23b8b23f6dc0e9d84846f877b45d19c04a522d", - "name": "c-lab-08" + "id": "bbbbbbbbbbbbbb", + "name": "host-4" }, "tags": [ "preserve_duplicate_custom_fields" ], "vulnerability": { "classification": "CVSS", - "description": "Summary: VMware Tools and Open Virtual Machine Tools are vulnerable to a local privilege escalation vulnerability. An attacker with local non-administrative access to the Guest OS can exploit this vulnerability to escalate privileges as a root user in the virtual machine. Impact: If exploited, this vulnerability could allow a malicious actor to gain elevated privileges on the system, potentially leading to unauthorized access, data theft, or further compromise of the virtual machine. AdditionalInformation: TVM-2020-0002 is associated with this vulnerability. It is recommended to refer to the CVE page for more details, including the impact, CVSS score, and acknowledgments. Remediation: Apply the latest patches and updates provided by the respective vendors. [Generated by AI]", - "enumeration": "TVM", - "id": "TVM-2020-0002", - "published_date": "2022-08-23T00:00:00.000Z", + "cve": "CVE-2022-31676", + "enumeration": "CVE", + "id": "CVE-2022-31676", + "reference": "https://www.cve.org/CVERecord?id=CVE-2022-31676", "scanner": { "vendor": "Microsoft" }, "score": { - "base": 7.0, - "version": "3.0" + "base": 7.0 }, "severity": "High", - "title": "Vulnerability found in tools 12.0.6.0 - TVM-2020-0002" + "title": "Vulnerability found in tools 12.0.6.0 - CVE-2022-31676" } } ] 
diff --git a/packages/microsoft_defender_endpoint/data_stream/vulnerability/_dev/test/system/test-default-config.yml b/packages/microsoft_defender_endpoint/data_stream/vulnerability/_dev/test/system/test-default-config.yml index d1612acef23..4de34a7f1b6 100644 --- a/packages/microsoft_defender_endpoint/data_stream/vulnerability/_dev/test/system/test-default-config.yml +++ b/packages/microsoft_defender_endpoint/data_stream/vulnerability/_dev/test/system/test-default-config.yml @@ -8,8 +8,9 @@ vars: tenant_id: tenant_id data_stream: vars: - batch_size: 2 + sas_valid_hours: 2h preserve_original_event: true preserve_duplicate_custom_fields: true + enable_request_tracer: true assert: - hit_count: 5 + hit_count: 4 diff --git a/packages/microsoft_defender_endpoint/data_stream/vulnerability/agent/stream/cel.yml.hbs b/packages/microsoft_defender_endpoint/data_stream/vulnerability/agent/stream/cel.yml.hbs index f0036d12a75..6b4649fd7e2 100644 --- a/packages/microsoft_defender_endpoint/data_stream/vulnerability/agent/stream/cel.yml.hbs +++ b/packages/microsoft_defender_endpoint/data_stream/vulnerability/agent/stream/cel.yml.hbs 
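Review bot: `enable_request_tracer: true` is added to the data-stream vars with nothing saying why it is safe here; the tracer writes every request and response of the CEL input to disk, which for this stream would include the token POST body (it carries `client_secret` as a form field) and the bearer `Authorization` header of the export call, presumably without redaction. That is acceptable only because this config runs against the mock service with placeholder credentials, and a config like this tends to get copied as a template for real deployments. A one-line comment above it would make the constraint explicit, e.g. `# Tracer output captures client_secret and bearer tokens; only enable against the mock service.`.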
@@ -14,261 +14,123 @@ resource.ssl: {{ssl}} resource.timeout: {{http_client_timeout}} {{/if}} resource.url: {{url}} -auth.oauth2: - provider: azure - client.id: {{client_id}} - client.secret: {{client_secret}} - scopes: +state: + sas_valid_hours: {{sas_valid_hours}} + token_url: {{login_url}}/{{tenant_id}}/oauth2/v2.0/token + client_id: {{client_id}} + client_secret: {{client_secret}} + token_scopes: {{#each token_scopes as |token_scope|}} - {{token_scope}} {{/each}} -{{#if login_url}} - token_url: {{login_url}}/{{tenant_id}}/oauth2/v2.0/token -{{else if tenant_id}} - azure.tenant_id: {{tenant_id}} -{{/if}} - -state: - config: - product_batch_size: 10000 - machine_batch_size: 10000 - vulnerabilities_batch_size: {{batch_size}} - affected_machines_only: {{affected_machines_only}} - product_skip: 0 - machine_skip: 0 - vulnerability_skip: 0 redact: - fields: ~ + fields: + - client_id + - client_secret + - token.access_token program: |- state.with( - ( - // Get products. - state.?is_all_products_fetched.orValue(false) ? - { - "products": state.products, - "product_skip": 0, - "is_all_products_fetched": state.is_all_products_fetched, - ?"machines": state.?machines, - "machine_skip": state.machine_skip, - ?"is_all_machines_fetched": state.?is_all_machines_fetched, - ?"vulnerabilities": state.?vulnerabilities, - "vulnerability_skip": state.vulnerability_skip, - ?"is_all_vulnerabilities_fetched": state.?is_all_vulnerabilities_fetched, - } - : - request( - "GET", - state.url.trim_right("/") + "/api/vulnerabilities/machinesVulnerabilities?" + { - "$top": [string(state.config.product_batch_size)], - "$skip": [string(int(state.product_skip))], - }.format_query() - ).do_request().as(productResp, (productResp.StatusCode == 200) ? - productResp.Body.decode_json().as(productBody, - { - "events": [{"message": "retry"}], - "want_more": true, - "products": (state.?products.orValue([]) + productBody.value).flatten(), - "product_skip": (size(productBody.value) > 0) ? 
(int(state.product_skip) + int(state.config.product_batch_size)) : 0, - "is_all_products_fetched": size(productBody.value) < int(state.config.product_batch_size), - "machine_skip": state.machine_skip, - "vulnerability_skip": state.vulnerability_skip, - } - ) - : - { - "events": { - "error": { - "code": string(productResp.StatusCode), - "id": string(productResp.Status), - "message": "GET " + state.url.trim_right("/") + "/api/vulnerabilities/machinesVulnerabilities" + ( - (size(productResp.Body) != 0) ? - string(productResp.Body) - : - string(productResp.Status) + " (" + string(productResp.StatusCode) + ")" - ), - }, - }, - "want_more": false, - "products": [], - "product_skip": 0, - "is_all_products_fetched": false, - "machines": [], - "machine_skip": 0, - "is_all_machines_fetched": false, - "vulnerabilities": [], - "vulnerability_skip": 0, - "is_all_vulnerabilities_fetched": false, - } - ) - ).as(res, !res.?is_all_products_fetched.orValue(false) ? - res - : res.?is_all_machines_fetched.orValue(false) ? - { - "products": res.products, - "product_skip": 0, - "is_all_products_fetched": res.is_all_products_fetched, - "machines": res.machines, - "machine_skip": 0, - "is_all_machines_fetched": res.is_all_machines_fetched, - ?"vulnerabilities": res.?vulnerabilities, - "vulnerability_skip": res.vulnerability_skip, - ?"is_all_vulnerabilities_fetched": res.?is_all_vulnerabilities_fetched, - } - : + state.?work_list.orValue([]).size() > 0 ? request( - "GET", - state.url.trim_right("/") + "/api/machines?" + { - "$top": [string(state.config.machine_batch_size)], - "$skip": [string(int(res.machine_skip))], - }.format_query() - ).do_request().as(machineResp, (machineResp.StatusCode == 200) ? - machineResp.Body.decode_json().as(machineBody, - { - "events": [{"message": "retry"}], - "want_more": true, - "machines": (res.?machines.orValue([]) + machineBody.value).flatten(), - "machine_skip": (size(machineBody.value) > 0) ? 
(int(res.machine_skip) + int(state.config.machine_batch_size)) : 0, - "is_all_machines_fetched": size(machineBody.value) < int(state.config.machine_batch_size), - "products": res.products, - "product_skip": 0, - "is_all_products_fetched": res.is_all_products_fetched, - "vulnerability_skip": res.vulnerability_skip, - } - ) + "GET", + state.work_list[0] + ).do_request().as(resp, resp.StatusCode == 200 ? + resp.Body.mime("application/gzip").decode_json_stream().map(v, + {"message": dyn(v.encode_json())} + ).as(events, { + "events": events, + // Keep polling if more work. + "want_more": state.work_list.size() > 1, + "work_list": tail(state.work_list), + }) : + // It is possible that download URLs have expired, so ignore remaining work_list and return error. { "events": { "error": { - "code": string(machineResp.StatusCode), - "id": string(machineResp.Status), - "message": "GET " + state.url.trim_right("/") + "/api/machines" + ( - (size(machineResp.Body) != 0) ? - string(machineResp.Body) + "code": string(resp.StatusCode), + "id": string(resp.Status), + "message": "GET "+ state.work_list[0] + ":" + ( + size(resp.Body) != 0 ? + string(resp.Body) : - string(machineResp.Status) + " (" + string(machineResp.StatusCode) + ")" + string(resp.Status) + ' (' + string(resp.StatusCode) + ')' ), }, }, "want_more": false, - "products": [], - "product_skip": 0, - "is_all_products_fetched": false, - "machines": [], - "machine_skip": 0, - "is_all_machines_fetched": false, - "vulnerabilities": [], - "vulnerability_skip": 0, - "is_all_vulnerabilities_fetched": false, } ) - ).as(res, - // Get products with machines. - !res.?is_all_machines_fetched.orValue(false) ? - res - : res.?is_all_vulnerability_fetched.orValue(false) ? + : + // Periodic poll. No work_list, so get new token and work_list. 
+ post_request(state.token_url.trim_right("/"), "application/x-www-form-urlencoded", { - "products": res.products, - "product_skip": 0, - "is_all_products_fetched": res.is_all_products_fetched, - "machines": res.machines, - "machine_skip": 0, - "is_all_machines_fetched": res.is_all_machines_fetched, - "vulnerabilities": res.vulnerabilities, - "vulnerability_skip": 0, - "is_all_vulnerability_fetched": res.is_all_vulnerability_fetched, - } + "grant_type": ["client_credentials"], + "client_id": [state.client_id], + "client_secret": [state.client_secret], + "scope": state.token_scopes, + }.format_query() + ).do_request().as(auth, auth.StatusCode == 200 ? + auth.Body.decode_json() : + { + "events": { + "error": { + "code": string(auth.StatusCode), + "id": string(auth.Status), + "message": "POST /oauth2/v2.0/token :" +( + size(auth.Body) != 0 ? + string(auth.Body) + : + string(auth.Status) + ' (' + string(auth.StatusCode) + ')' + ), + }, + }, + "want_more": false, + } + ).as(token, !has(token.access_token) ? token : request( "GET", - state.url.trim_right("/") + "/api/vulnerabilities?" + { - "$top": [string(state.config.vulnerabilities_batch_size)], - "$skip": [string(int(res.vulnerability_skip))], + state.url.trim_right("/") + "/api/machines/SoftwareVulnerabilitiesExport?" + { + "sasValidHours": [string(duration(state.sas_valid_hours).getHours())], }.format_query() - ).do_request().as(vulnerabilityResp, (vulnerabilityResp.StatusCode == 200) ? - vulnerabilityResp.Body.decode_json().as(vulnerabilityBody, + ).with({ + "Header":{ + "Authorization": ["Bearer " + string(token.access_token)], + } + }).do_request().as(resp, resp.StatusCode == 200 ? + resp.Body.decode_json().as(exportBody, exportBody.?exportFiles.orValue([]).size() == 0 ? + // Nothing to download. Don't poll again. + { + "events": [], + "want_more": false, + } + : + // Return new work_list to download. 
{ - "events": [{"message": "retry"}], + "events": [{"message":"retry"}], + "work_list": exportBody.exportFiles, "want_more": true, - "vulnerabilities": (res.?vulnerabilities.orValue([]) + vulnerabilityBody.value).flatten(), - "vulnerability_skip": (size(vulnerabilityBody.value) > 0) ? (int(res.vulnerability_skip) + int(state.config.vulnerabilities_batch_size)) : 0, - "is_all_vulnerabilities_fetched": size(vulnerabilityBody.value) < int(state.config.vulnerabilities_batch_size), - "products": res.products, - "product_skip": 0, - "is_all_products_fetched": res.is_all_products_fetched, - "machines": res.machines, - "machine_skip": 0, - "is_all_machines_fetched": res.is_all_machines_fetched, } ) : { "events": { "error": { - "code": string(vulnerabilityResp.StatusCode), - "id": string(vulnerabilityResp.Status), - "message": "GET " + state.url.trim_right("/") + "/api/vulnerabilities" + ( - (size(vulnerabilityResp.Body) != 0) ? - string(vulnerabilityResp.Body) + "code": string(resp.StatusCode), + "id": string(resp.Status), + "message": "GET /api/machines/SoftwareVulnerabilitiesExport :" + ( + size(resp.Body) != 0 ? + string(resp.Body) : - string(vulnerabilityResp.Status) + " (" + string(vulnerabilityResp.StatusCode) + ")" + string(resp.Status) + ' (' + string(resp.StatusCode) + ')' ), }, }, "want_more": false, - "products": [], - "product_skip": 0, - "is_all_products_fetched": false, - "machines": [], - "machine_skip": 0, - "is_all_machines_fetched": false, - "vulnerabilities": [], - "vulnerability_skip": 0, - "is_all_vulnerabilities_fetched": false, - } - ) - ).as(res, - // Collate data. - (!res.?is_all_vulnerabilities_fetched.orValue(false) || size(res.products) == 0) ? - res - : - res.products.map(p, - res.machines.filter(m, m.id == p.machineId)[?0].as(m, m.hasValue() ? 
- m.value().with(p) - : - {} - ) - ).as(mapped_products, - { - "vulnerability_with_machines": res.vulnerabilities.filter(v, v.exposedMachines > 0), - "vulnerability_without_machines": state.config.affected_machines_only ? - [] - : - res.vulnerabilities.filter(v, v.exposedMachines == 0), - "mapped_products": mapped_products, - } - ).as(final_data, - { - "events": ( - final_data.vulnerability_with_machines.map(v, - final_data.mapped_products.map(related_mapped_products, - has(related_mapped_products.cveId) && related_mapped_products.cveId == v.id, - { - "message": v.with({"affectedMachine": related_mapped_products}).encode_json(), - } - ) - ).flatten() + final_data.vulnerability_without_machines.map(v, - { - "message": v.drop("affectedMachine").encode_json(), - } - ) - ).flatten(), - "want_more": false, - "product_skip": 0, - "machine_skip": 0, - "vulnerability_skip": 0, } ) - ) + ) ) tags: {{#if preserve_original_event}} diff --git a/packages/microsoft_defender_endpoint/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml b/packages/microsoft_defender_endpoint/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml index 3aadec01c3e..64bb3bfff7e 100644 --- a/packages/microsoft_defender_endpoint/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml +++ b/packages/microsoft_defender_endpoint/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml 
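Review bot: The download error branch (under the comment `It is possible that download URLs have expired, so ignore remaining work_list and return error`) returns `"want_more": false` but never clears `work_list`, so `state.with()` keeps the stale URLs and the next periodic poll takes the `state.?work_list.orValue([]).size() > 0` path against the same expired URL again instead of requesting a fresh token and export; the removed code reset its cursor keys in every error branch, and this one should too. Add `"work_list": [],` beside `"want_more": false,` in that branch. Separately, that branch's `"message": "GET "+ state.work_list[0] + ":"` puts the full SAS download URL, signature query string included, into `error.message` on an indexed event, and `work_list` is not in `redact.fields`, so the time-limited credential also appears in debug state logs; trimming it to something like `state.work_list[0].parse_url().with({"RawQuery": ""}).format_url()` (if the mito URL helpers are available to this input) and listing `work_list` under `redact.fields` would keep it out of both.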
@@ -65,341 +65,217 @@ processors: tag : set_observer_vendor value: Microsoft - rename: - field: json.affectedMachine.aadDeviceId - tag: rename_affectedMachine_aadDeviceId - target_field: microsoft_defender_endpoint.vulnerability.affected_machine.aad_device_id + field: json.CveBatchTitle + tag: rename_CveBatchTitle + target_field: microsoft_defender_endpoint.vulnerability.cve_batch_title ignore_missing: true + - rename: + field: json.CveBatchUrl + tag: rename_CveBatchUrl + target_field: microsoft_defender_endpoint.vulnerability.cve_batch_url + ignore_missing: true + - rename: + field: json.CveId + tag: rename_CveId + target_field: microsoft_defender_endpoint.vulnerability.cve_id + ignore_missing: true + - set: + field: vulnerability.id + tag: set_vulnerability_id_from_vulnerability_cve_id + copy_from: microsoft_defender_endpoint.vulnerability.cve_id + ignore_empty_value: true + - set: + field: vulnerability.cve + tag: set_vulnerability_cve_from_vulnerability_id + copy_from: vulnerability.id + ignore_empty_value: true + if: ctx.vulnerability?.id != null && ctx.vulnerability.id.toUpperCase().contains('CVE') == true + - set: + field: vulnerability.reference + tag: set_vulnerability_reference_from_vulnerability_id + value: https://www.cve.org/CVERecord?id={{{vulnerability.id}}} + if: ctx.vulnerability?.id != null && ctx.vulnerability.id.toUpperCase().contains('CVE') == true + - script: + description: Dynamically set vulnerability.enumeration values. 
+ tag: script_map_vulnerability_id + lang: painless + if: ctx.vulnerability?.id != null + params: + vulnerability_enumeration: + - CVE + - TVM + source: | + String vulnerability_id = ctx.vulnerability.id.toUpperCase(); + for (String enum: params.vulnerability_enumeration) { + if (vulnerability_id.contains(enum)) { + ctx.vulnerability.put('enumeration', enum); + return; + } + } + - convert: + field: json.CvssScore + tag: convert_CvssScore_to_float + target_field: microsoft_defender_endpoint.vulnerability.cvss_score + type: float + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: vulnerability.score.base + tag: set_vulnerability_score_base_from_vulnerability_cvss_score + copy_from: microsoft_defender_endpoint.vulnerability.cvss_score + ignore_empty_value: true + - set: + field: vulnerability.classification + tag: set_vulnerability_classification_from_vulnerability_cvss_score + value: CVSS + if: ctx.microsoft_defender_endpoint?.vulnerability?.cvss_score != null + ignore_empty_value: true + - set: + field: vulnerability.scanner.vendor + tag: set_vulnerability_scanner_vendor + value: Microsoft + - set: + field: message + tag: set_message_from_cve_batch_title + copy_from: microsoft_defender_endpoint.vulnerability.cve_batch_title + ignore_empty_value: true + - rename: + field: json.DeviceId + tag: rename_DeviceId + target_field: microsoft_defender_endpoint.vulnerability.device_id + ignore_missing: true + - set: + field: host.id + tag: set_host_id_from_microsoft_defender_endpoint_vulnerability_device_id + copy_from: microsoft_defender_endpoint.vulnerability.device_id + ignore_empty_value: true + - set: + field: resource.id + tag: set_resource_id_from_microsoft_defender_endpoint_vulnerability_device_id + copy_from: 
microsoft_defender_endpoint.vulnerability.device_id + ignore_empty_value: true - append: field: related.hosts - tag: append_microsoft_defender_endpoint_vulnerability_affected_machine_aad_device_id_into_related_hosts - value: '{{{microsoft_defender_endpoint.vulnerability.affected_machine.aad_device_id}}}' + tag: append_related_hosts_from_microsoft_defender_endpoint_vulnerability_device_id + value: '{{{microsoft_defender_endpoint.vulnerability.device_id}}}' allow_duplicates: false - if: ctx.microsoft_defender_endpoint?.vulnerability?.affected_machine?.aad_device_id != null + if: ctx.microsoft_defender_endpoint?.vulnerability?.device_id != null - rename: - field: json.affectedMachine.agentVersion - tag: rename_affectedMachine_agentVersion - target_field: microsoft_defender_endpoint.vulnerability.affected_machine.agent_version - ignore_missing: true - - rename: - field: json.affectedMachine.computerDnsName - tag: rename_affectedMachine_computerDnsName - target_field: microsoft_defender_endpoint.vulnerability.affected_machine.computer_dns_name + field: json.DeviceName + tag: rename_DeviceName + target_field: microsoft_defender_endpoint.vulnerability.device_name ignore_missing: true - set: field: host.hostname - tag: set_host_hostname_from_microsoft_defender_endpoint_vulnerability_affected_machine_computer_dns_name - copy_from: microsoft_defender_endpoint.vulnerability.affected_machine.computer_dns_name + tag: set_host_hostname_from_microsoft_defender_endpoint_vulnerability_device_name + copy_from: microsoft_defender_endpoint.vulnerability.device_name ignore_empty_value: true - set: field: host.name - tag: set_host_hostname_from_microsoft_defender_endpoint_vulnerability_affected_machine_computer_dns_name - copy_from: microsoft_defender_endpoint.vulnerability.affected_machine.computer_dns_name + tag: set_host_name_from_microsoft_defender_endpoint_vulnerability_device_name + copy_from: microsoft_defender_endpoint.vulnerability.device_name ignore_empty_value: true - set: 
field: resource.name - tag: set_resource_name_from_microsoft_defender_endpoint_vulnerability_affected_machine_computer_dns_name - copy_from: microsoft_defender_endpoint.vulnerability.affected_machine.computer_dns_name + tag: set_resource_name_from_microsoft_defender_endpoint_vulnerability_device_name + copy_from: microsoft_defender_endpoint.vulnerability.device_name ignore_empty_value: true - append: field: related.hosts - tag: append_microsoft_defender_endpoint_vulnerability_computer_dns_name_into_related_hosts - value: '{{{microsoft_defender_endpoint.vulnerability.affected_machine.computer_dns_name}}}' + tag: append_microsoft_defender_endpoint_vulnerability_device_name_into_related_hosts + value: '{{{microsoft_defender_endpoint.vulnerability.device_name}}}' allow_duplicates: false - if: ctx.microsoft_defender_endpoint?.vulnerability?.affected_machine?.computer_dns_name != null - - rename: - field: json.affectedMachine.deviceValue - tag: rename_affectedMachine_deviceValue - target_field: microsoft_defender_endpoint.vulnerability.affected_machine.device_value - ignore_missing: true + if: ctx.microsoft_defender_endpoint?.vulnerability?.device_name != null - rename: - field: json.affectedMachine.exclusionReason - tag: rename_affectedMachine_exclusionReason - target_field: microsoft_defender_endpoint.vulnerability.affected_machine.exclusion_reason + field: json.DiskPaths + tag: rename_DiskPaths + target_field: microsoft_defender_endpoint.vulnerability.disk_paths ignore_missing: true - rename: - field: json.affectedMachine.exposureLevel - tag: rename_affectedMachine_exposureLevel - target_field: microsoft_defender_endpoint.vulnerability.affected_machine.exposure_level + field: json.ExploitabilityLevel + tag: rename_ExploitabilityLevel + target_field: microsoft_defender_endpoint.vulnerability.exploitability_level ignore_missing: true - date: - field: json.affectedMachine.firstSeen - tag: date_affectedMachine_firstSeen - target_field: 
microsoft_defender_endpoint.vulnerability.affected_machine.first_seen + field: json.FirstSeenTimestamp + tag: date_FirstSeenTimestamp + target_field: microsoft_defender_endpoint.vulnerability.first_seen_timestamp formats: - - strict_date_optional_time_nanos - if: ctx.json?.affectedMachine?.firstSeen != null && ctx.json.affectedMachine.firstSeen != '' + - yyyy-MM-dd HH:mm:ss + - yyyy-MM-dd HH:mm:ss.SSSSSSS + - ISO8601 + if: ctx.json?.FirstSeenTimestamp != null && ctx.json.FirstSeenTimestamp != '' on_failure: - append: field: error.message value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - rename: - field: json.affectedMachine.fixingKbId - tag: rename_affectedMachine_fixingKbId - target_field: microsoft_defender_endpoint.vulnerability.affected_machine.fixing_kb_id - ignore_missing: true - - rename: - field: json.affectedMachine.healthStatus - tag: rename_affectedMachine_healthStatus - target_field: microsoft_defender_endpoint.vulnerability.affected_machine.health_status - ignore_missing: true - - rename: - field: json.affectedMachine.id - tag: rename_affectedMachine_id - target_field: microsoft_defender_endpoint.vulnerability.affected_machine.id + field: json.Id + tag: rename_Id + target_field: microsoft_defender_endpoint.vulnerability.id ignore_missing: true - set: field: event.id - tag: set_event_id_from_microsoft_defender_endpoint_vulnerability_affected_machine_id - copy_from: microsoft_defender_endpoint.vulnerability.affected_machine.id + tag: set_event_id_from_microsoft_defender_endpoint_vulnerability_id + copy_from: microsoft_defender_endpoint.vulnerability.id ignore_empty_value: true - - script: - lang: painless - description: Drops empty string values recursively. 
- tag: painless_remove_empty_from_affected_machine_ips - if: ctx.json?.affectedMachine?.ipAddresses != null - source: |- - boolean drop(Object object) { - if (object == '') { - return true; - } else if (object instanceof Map) { - ((Map) object).values().removeIf(v -> drop(v)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(v -> drop(v)); - return (((List) object).length == 0); - } - return false; - } - drop(ctx.json.affectedMachine.ipAddresses); - - foreach: - field: json.affectedMachine.ipAddresses - if: ctx.json?.affectedMachine?.ipAddresses instanceof List - processor: - convert: - field: _ingest._value.ipAddress - tag: convert_affectedMachine_ipAddresses_ipAddress_to_ip - target_field: _ingest._value.ip_address - type: ip - ignore_missing: true - on_failure: - - append: - field: error.message - value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - - foreach: - field: json.affectedMachine.ipAddresses - if: ctx.json?.affectedMachine?.ipAddresses instanceof List - processor: - append: - field: related.ip - tag: append_affectedMachine_ipAddresses_ip_address_into_related_ip - value: '{{{_ingest._value.ip_address}}}' - allow_duplicates: false - - foreach: - field: json.affectedMachine.ipAddresses - if: ctx.json?.affectedMachine?.ipAddresses instanceof List - processor: - uppercase: - field: _ingest._value.macAddress - tag: uppercase_affectedMachine_ipAddresses_macAddress - target_field: _ingest._value.mac_address - ignore_missing: true - - foreach: - field: json.affectedMachine.ipAddresses - if: ctx.json?.affectedMachine?.ipAddresses instanceof List - processor: - gsub: - field: _ingest._value.mac_address - pattern: '(..)(?!$)' - replacement: '$1-' - tag: gsub_affectedMachine_ipAddresses_mac_address - ignore_missing: true - - foreach: - field: 
json.affectedMachine.ipAddresses - if: ctx.json?.affectedMachine?.ipAddresses instanceof List - processor: - rename: - field: _ingest._value.operationalStatus - tag: rename_affectedMachine_ipAddresses_operationalStatus - target_field: _ingest._value.operational_status - ignore_missing: true - - foreach: - field: json.affectedMachine.ipAddresses - if: ctx.json?.affectedMachine?.ipAddresses instanceof List - processor: - remove: - field: - - _ingest._value.ipAddress - - _ingest._value.macAddress - tag: remove_ipAddresses - ignore_missing: true - - rename: - field: json.affectedMachine.ipAddresses - tag: rename_affectedMachine_ipAddresses - target_field: microsoft_defender_endpoint.vulnerability.affected_machine.ip_addresses - ignore_missing: true - - convert: - field: json.affectedMachine.isAadJoined - tag: convert_affectedMachine_isAadJoined_to_boolean - target_field: microsoft_defender_endpoint.vulnerability.affected_machine.is_aad_joined - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - - convert: - field: json.affectedMachine.isExcluded - tag: convert_affectedMachine_isExcluded_to_boolean - target_field: microsoft_defender_endpoint.vulnerability.affected_machine.is_excluded - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: event.id + tag: set_event_id_from_vulnerability_cve_id + copy_from: microsoft_defender_endpoint.vulnerability.cve_id + ignore_empty_value: true + if: ctx.event?.id == null - convert: - field: json.affectedMachine.isPotentialDuplication - 
tag: convert_affectedMachine_isPotentialDuplication_to_boolean - target_field: microsoft_defender_endpoint.vulnerability.affected_machine.is_potential_duplication + field: json.IsOnboarded + tag: convert_IsOnboarded_to_boolean + target_field: microsoft_defender_endpoint.vulnerability.is_onboarded type: boolean ignore_missing: true on_failure: - append: field: error.message value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - - convert: - field: json.affectedMachine.lastExternalIpAddress - tag: convert_affectedMachine_lastExternalIpAddress_to_ip - target_field: microsoft_defender_endpoint.vulnerability.affected_machine.last_external_ip_address - type: ip - ignore_missing: true - if: ctx.json?.affectedMachine?.lastExternalIpAddress != '' - on_failure: - - append: - field: error.message - value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - - append: - field: host.ip - tag: append_microsoft_defender_endpoint_vulnerability_affected_machine_last_external_ip_address_into_host_ip - value: '{{{microsoft_defender_endpoint.vulnerability.affected_machine.last_external_ip_address}}}' - allow_duplicates: false - if: ctx.microsoft_defender_endpoint?.vulnerability?.affected_machine?.last_external_ip_address != null - - append: - field: related.ip - tag: append_microsoft_defender_endpoint_vulnerability_affected_machine_last_external_ip_address_into_related_ip - value: '{{{microsoft_defender_endpoint.vulnerability.affected_machine.last_external_ip_address}}}' - allow_duplicates: false - if: ctx.microsoft_defender_endpoint?.vulnerability?.affected_machine?.last_external_ip_address != null - - geoip: - field: host.ip - target_field: host.geo - tag: geoip_host_geo - 
ignore_missing: true - - convert: - field: json.affectedMachine.lastIpAddress - tag: convert_affectedMachine_lastIpAddress_to_ip - target_field: microsoft_defender_endpoint.vulnerability.affected_machine.last_ip_address - type: ip - ignore_missing: true - if: ctx.json?.affectedMachine?.lastIpAddress != '' - on_failure: - - append: - field: error.message - value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - - append: - field: related.ip - tag: append_microsoft_defender_endpoint_vulnerability_affected_machine_last_ip_address_into_related_ip - value: '{{{microsoft_defender_endpoint.vulnerability.affected_machine.last_ip_address}}}' - allow_duplicates: false - if: ctx.microsoft_defender_endpoint?.vulnerability?.affected_machine?.last_ip_address != null - date: - field: json.affectedMachine.lastSeen - tag: date_affectedMachine_lastSeen - target_field: microsoft_defender_endpoint.vulnerability.affected_machine.last_seen + field: json.LastSeenTimestamp + tag: date_LastSeenTimestamp + target_field: microsoft_defender_endpoint.vulnerability.last_seen_timestamp formats: - - strict_date_optional_time_nanos - if: ctx.json?.affectedMachine?.lastSeen != null && ctx.json.affectedMachine.lastSeen != '' + - yyyy-MM-dd HH:mm:ss + - yyyy-MM-dd HH:mm:ss.SSSSSSS + - ISO8601 + if: ctx.json?.LastSeenTimestamp != null && ctx.json.LastSeenTimestamp != '' on_failure: - append: field: error.message value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - rename: - field: json.affectedMachine.machineId - tag: rename_affectedMachine_machineId - target_field: microsoft_defender_endpoint.vulnerability.affected_machine.machine_id + field: json.OSArchitecture + tag: rename_OSArchitecture + 
target_field: microsoft_defender_endpoint.vulnerability.os_architecture ignore_missing: true - set: - field: host.id - tag: set_host_id_from_microsoft_defender_endpoint_vulnerability_affected_machine_machine_id - copy_from: microsoft_defender_endpoint.vulnerability.affected_machine.machine_id - ignore_empty_value: true - - set: - field: resource.id - tag: set_resource_id_from_microsoft_defender_endpoint_vulnerability_affected_machine_machine_id - copy_from: microsoft_defender_endpoint.vulnerability.affected_machine.machine_id + field: host.architecture + tag: set_host_architecture_from_vulnerability_os_architecture + copy_from: microsoft_defender_endpoint.vulnerability.os_architecture ignore_empty_value: true - - append: - field: related.hosts - tag: append_related_hosts_from_microsoft_defender_endpoint_vulnerability_affected_machine_machine_id - value: '{{{microsoft_defender_endpoint.vulnerability.affected_machine.machine_id}}}' - allow_duplicates: false - if: ctx.microsoft_defender_endpoint?.vulnerability?.affected_machine?.machine_id != null - - rename: - field: json.affectedMachine.machineTags - tag: rename_affectedMachine_machineTags - target_field: microsoft_defender_endpoint.vulnerability.affected_machine.machine_tags - ignore_missing: true - - rename: - field: json.affectedMachine.managedBy - tag: rename_affectedMachine_managedBy - target_field: microsoft_defender_endpoint.vulnerability.affected_machine.managed_by - ignore_missing: true - - rename: - field: json.affectedMachine.managedByStatus - tag: rename_affectedMachine_managedByStatus - target_field: microsoft_defender_endpoint.vulnerability.affected_machine.managed_by_status - ignore_missing: true - - convert: - field: json.affectedMachine.mergedIntoMachineId - tag: convert_affectedMachine_mergedIntoMachineId_to_string - target_field: microsoft_defender_endpoint.vulnerability.affected_machine.merged_into_machine_id - type: string - ignore_missing: true - - rename: - field: 
json.affectedMachine.onboardingStatus - tag: rename_affectedMachine_onboardingStatus - target_field: microsoft_defender_endpoint.vulnerability.affected_machine.onboarding_status - ignore_missing: true - rename: - field: json.affectedMachine.osArchitecture - tag: rename_affectedMachine_osArchitecture - target_field: microsoft_defender_endpoint.vulnerability.affected_machine.os_architecture - ignore_missing: true - - convert: - field: json.affectedMachine.osBuild - tag: convert_affectedMachine_osBuild_to_long - target_field: microsoft_defender_endpoint.vulnerability.affected_machine.os_build - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - - rename: - field: json.affectedMachine.osPlatform - tag: rename_affectedMachine_osPlatform - target_field: microsoft_defender_endpoint.vulnerability.affected_machine.os_platform + field: json.OSPlatform + tag: rename_OSPlatform + target_field: microsoft_defender_endpoint.vulnerability.os_platform ignore_missing: true - set: field: host.os.platform - tag: set_host_os_platform_from_microsoft_defender_endpoint_vulnerability_affected_machine_os_platform - copy_from: microsoft_defender_endpoint.vulnerability.affected_machine.os_platform + tag: set_host_os_platform_from_microsoft_defender_endpoint_vulnerability_os_platform + copy_from: microsoft_defender_endpoint.vulnerability.os_platform ignore_empty_value: true - script: description: Dynamically set host.os.type values. tag: script_map_host_os_type lang: painless - if: ctx.microsoft_defender_endpoint?.vulnerability?.affected_machine?.os_platform != null + if: ctx.microsoft_defender_endpoint?.vulnerability?.os_platform != null params: os_type: - linux 
@@ -409,7 +285,7 @@ processors: - ios - android source: | - String os_platform = ctx.microsoft_defender_endpoint.vulnerability.affected_machine.os_platform.toLowerCase(); + String os_platform = ctx.microsoft_defender_endpoint.vulnerability.os_platform.toLowerCase(); for (String os: params.os_type) { if (os_platform.contains(os)) { ctx.host.os.put('type', os); 
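Review bot: The guard in front of the rewritten `String os_platform = ctx.microsoft_defender_endpoint.vulnerability.os_platform.toLowerCase();` line only checks `os_platform != null` (the `if:` sits in the previous hunk), while the `set host.os.platform` that creates `host.os` uses `ignore_empty_value`, so an empty-string `OSPlatform` — if the export ever emits one — passes the guard and the unchanged `ctx.host.os.put('type', os)` a few lines down dereferences a missing `host.os`, unless a pipeline-level on_failure catches it. Reading the value that was actually copied closes the gap with a two-line change: `String os_platform = ctx.host.os.platform.toLowerCase();` together with the guard `if: ctx.host?.os?.platform != null`. The script processor's header and the tail of its source lie outside this hunk.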
@@ -419,51 +295,26 @@ processors: if (os_platform.contains('centos') || os_platform.contains('ubuntu')) { ctx.host.os.put('type', 'linux'); } - - rename: - field: json.affectedMachine.osProcessor - tag: rename_affectedMachine_osProcessor - target_field: microsoft_defender_endpoint.vulnerability.affected_machine.os_processor - ignore_missing: true - - set: - field: host.architecture - tag: set_host_architecture_from_vulnerability_affected_machine_os_processor - copy_from: microsoft_defender_endpoint.vulnerability.affected_machine.os_processor - ignore_empty_value: true - convert: - field: json.affectedMachine.osVersion - tag: convert_affectedMachine_osVersion_to_string - target_field: microsoft_defender_endpoint.vulnerability.affected_machine.os_version + field: json.OSVersion + tag: convert_OSVersion_to_string + target_field: microsoft_defender_endpoint.vulnerability.os_version type: string ignore_missing: true - - rename: - field: json.affectedMachine.productName - tag: rename_affectedMachine_productName - target_field: microsoft_defender_endpoint.vulnerability.affected_machine.product_name - ignore_missing: true - set: - field: package.name - tag: set_package_version_from_vulnerability_affected_machine_product_name - copy_from: microsoft_defender_endpoint.vulnerability.affected_machine.product_name + field: host.os.version + tag: set_host_os_version_from_vulnerability_os_version + copy_from: microsoft_defender_endpoint.vulnerability.os_version ignore_empty_value: true - - rename: - field: json.affectedMachine.productVendor - tag: rename_affectedMachine_productVendor - target_field: microsoft_defender_endpoint.vulnerability.affected_machine.product_vendor - ignore_missing: true - - rename: - field: json.affectedMachine.productVersion - tag: rename_affectedMachine_productVersion - target_field: microsoft_defender_endpoint.vulnerability.affected_machine.product_version - ignore_missing: true - set: - field: package.version - tag: 
set_package_version_from_vulnerability_affected_machine_product_version - copy_from: microsoft_defender_endpoint.vulnerability.affected_machine.product_version - ignore_empty_value: true + field: host.os.name + value: '{{{host.os.platform}}} {{{host.os.version}}}' + ignore_failure: true + if: ctx.host?.os?.platform != null && ctx.host?.os?.version != null - convert: - field: json.affectedMachine.rbacGroupId - tag: convert_affectedMachine_rbacgroup_id_to_string - target_field: microsoft_defender_endpoint.vulnerability.affected_machine.rbac_group_id + field: json.RbacGroupId + tag: convert_RbacGroupId_to_string + target_field: microsoft_defender_endpoint.vulnerability.rbac_group_id type: string ignore_missing: true on_failure: 
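Review bot: The new `host.os.name` set processor (`value: '{{{host.os.platform}}} {{{host.os.version}}}'`) is the only processor in this hunk without a `tag:`, and it relies on `ignore_failure: true` where the rest of the file records failures through `on_failure` appends keyed on `_ingest.on_failure_processor_tag`, so a failure here would be both silent and untraceable. Add `tag: set_host_os_name_from_host_os_platform_and_os_version` and, since the `if:` already guarantees both template inputs exist, replace `ignore_failure: true` with the file's standard `on_failure` append to `error.message`. The `convert_OSVersion_to_string` step feeding it is fine without `on_failure`, as a string conversion cannot fail.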
@@ -472,168 +323,48 @@ processors: value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - set: field: group.id - tag: set_group_id_from_vulnerability_affected_machine_rbac_group_id - copy_from: microsoft_defender_endpoint.vulnerability.affected_machine.rbac_group_id + tag: set_group_id_from_vulnerability_rbac_group_id + copy_from: microsoft_defender_endpoint.vulnerability.rbac_group_id ignore_empty_value: true - rename: - field: json.affectedMachine.rbacGroupName - tag: rename_affectedMachine_rbacGroupName - target_field: microsoft_defender_endpoint.vulnerability.affected_machine.rbac_group_name + field: json.RbacGroupName + tag: rename_RbacGroupName + target_field: microsoft_defender_endpoint.vulnerability.rbac_group_name ignore_missing: true - set: field: group.name - tag: set_group_name_from_vulnerability_affected_machine_rbac_group_name - copy_from: microsoft_defender_endpoint.vulnerability.affected_machine.rbac_group_name - ignore_empty_value: true - - rename: - field: json.affectedMachine.riskScore - tag: rename_riskScore - target_field: microsoft_defender_endpoint.vulnerability.affected_machine.risk_score - ignore_missing: true - - set: - field: host.risk.calculated_level - tag: set_host_risk_calculated_level_from_vulnerability_affected_machine_risk_score - copy_from: microsoft_defender_endpoint.vulnerability.affected_machine.risk_score + tag: set_group_name_from_vulnerability_rbac_group_name + copy_from: microsoft_defender_endpoint.vulnerability.rbac_group_name ignore_empty_value: true - rename: - field: json.affectedMachine.severity - tag: rename_affectedMachine_severity - target_field: microsoft_defender_endpoint.vulnerability.affected_machine.severity + field: json.RecommendationReference + tag: rename_RecommendationReference + target_field: 
microsoft_defender_endpoint.vulnerability.recommendation_reference ignore_missing: true - rename: - field: json.affectedMachine.version - tag: rename_affectedMachine_version - target_field: microsoft_defender_endpoint.vulnerability.affected_machine.version - ignore_missing: true - - set: - field: host.os.version - tag: set_host_os_version_from_vulnerability_affected_machine_version - copy_from: microsoft_defender_endpoint.vulnerability.affected_machine.version - ignore_empty_value: true - - set: - field: host.os.name - value: '{{{host.os.platform}}} {{{host.os.version}}}' - ignore_failure: true - if: ctx.host?.os?.platform != null && ctx.host?.os?.version != null - - rename: - field: json.affectedMachine.vmMetadata.cloudProvider - tag: rename_affectedMachine_vmMetadata_cloudProvider - target_field: microsoft_defender_endpoint.vulnerability.affected_machine.vmMetadata.cloud_provider - ignore_missing: true - - set: - field: cloud.provider - tag: set_cloud_provider_from_vulnerability_affected_machine_vmMetadata_cloud_provider - copy_from: microsoft_defender_endpoint.vulnerability.affected_machine.vmMetadata.cloud_provider - ignore_empty_value: true - - lowercase: - field: cloud.provider - tag: lowercase_cloud_provider - ignore_missing: true - - rename: - field: json.affectedMachine.vmMetadata.resourceId - tag: rename_affectedMachine_vmMetadata_resourceId - target_field: microsoft_defender_endpoint.vulnerability.affected_machine.vmMetadata.resource_id - ignore_missing: true - - set: - field: cloud.resource_id - tag: set_cloud_provider_from_vulnerability_affected_machine_vmMetadata_resource_id - copy_from: microsoft_defender_endpoint.vulnerability.affected_machine.vmMetadata.resource_id - ignore_empty_value: true - - rename: - field: json.affectedMachine.vmMetadata.subscriptionId - tag: rename_affectedMachine_vmMetadata_subscriptionId - target_field: microsoft_defender_endpoint.vulnerability.affected_machine.vmMetadata.subscription_id - ignore_missing: true - - rename: 
- field: json.affectedMachine.vmMetadata.vmId - tag: rename_affectedMachine_vmMetadata_vmId - target_field: microsoft_defender_endpoint.vulnerability.affected_machine.vmMetadata.vm_id - ignore_missing: true - - set: - field: cloud.instance.id - tag: set_cloud_provider_from_vulnerability_affected_machine_vmMetadata_vm_id - copy_from: microsoft_defender_endpoint.vulnerability.affected_machine.vmMetadata.vm_id - ignore_empty_value: true - - rename: - field: json.cveSupportability - tag: rename_cveSupportability - target_field: microsoft_defender_endpoint.vulnerability.cve_supportability + field: json.RecommendedSecurityUpdate + tag: rename_RecommendedSecurityUpdate + target_field: microsoft_defender_endpoint.vulnerability.recommended_security_update ignore_missing: true - convert: - field: json.cvssV3 - tag: convert_cvssV3_to_double - target_field: microsoft_defender_endpoint.vulnerability.cvss_v3 - type: double + field: json.RecommendedSecurityUpdateId + tag: convert_RecommendedSecurityUpdateId_to_string + target_field: microsoft_defender_endpoint.vulnerability.recommended_security_update_id + type: string ignore_missing: true on_failure: - append: field: error.message value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - - set: - field: vulnerability.score.base - tag: set_vulnerability_score_base_from_vulnerability_cvss_v3 - copy_from: microsoft_defender_endpoint.vulnerability.cvss_v3 - ignore_empty_value: true - - set: - field: vulnerability.classification - tag: set_vulnerability_classification_from_vulnerability_cvss_v3 - value: CVSS - if: ctx.microsoft_defender_endpoint?.vulnerability?.cvss_v3 != null - ignore_empty_value: true - - set: - field: vulnerability.scanner.vendor - tag: set_vulnerability_scanner_vendor - value: Microsoft - - rename: - field: json.cvssVector - tag: rename_cvssVector - target_field: 
microsoft_defender_endpoint.vulnerability.cvss_vector - ignore_missing: true - - grok: - field: microsoft_defender_endpoint.vulnerability.cvss_vector - tag: grok_to_extract_vulnerability_score_version - patterns: - - '^CVSS:%{DATA:vulnerability.score.version}/' - if: ctx.microsoft_defender_endpoint?.vulnerability?.cvss_vector instanceof String - ignore_failure: true - rename: - field: json.description - tag: rename_description - target_field: microsoft_defender_endpoint.vulnerability.description + field: json.RegistryPaths + tag: rename_RegistryPaths + target_field: microsoft_defender_endpoint.vulnerability.registry_paths ignore_missing: true - - set: - field: vulnerability.description - tag: set_vulnerability_description_from_vulnerability_description - copy_from: microsoft_defender_endpoint.vulnerability.description - ignore_empty_value: true - - set: - field: message - tag: set_message_from_vulnerability_description - copy_from: microsoft_defender_endpoint.vulnerability.description - ignore_empty_value: true - - grok: - field: message - tag: grok_message_to_extract_vulnerability_summary_impact_remediation_and_fixed_version - patterns: - # remediation version is present - - 'Summary: %{DATA:microsoft_defender_endpoint.vulnerability.summary} Impact: %{DATA:microsoft_defender_endpoint.vulnerability.impact}(?: AdditionalInformation:%{GREEDYDATA})? Remediation: (?%{DATA}(?\d+(?:[.-]\d+)+)%{GREEDYDATA}\.)(?=(?:[^\.]*\[|$))' - # remediation version is not present - - 'Summary: %{DATA:microsoft_defender_endpoint.vulnerability.summary} Impact: %{DATA:microsoft_defender_endpoint.vulnerability.impact}(?: AdditionalInformation:%{GREEDYDATA})? 
Remediation: (?%{DATA}%{GREEDYDATA}\.)(?=(?:[^\.]*\[|$))' - ignore_failure: true - convert: - field: json.epss - tag: convert_epss_to_double - target_field: microsoft_defender_endpoint.vulnerability.epss - type: double - ignore_missing: true - on_failure: - - append: - field: error.message - value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - - convert: - field: json.exploitInKit - tag: convert_exploitInKit_to_boolean - target_field: microsoft_defender_endpoint.vulnerability.exploit_in_kit + field: json.SecurityUpdateAvailable + tag: convert_SecurityUpdateAvailable_to_boolean + target_field: microsoft_defender_endpoint.vulnerability.security_update_available type: boolean ignore_missing: true on_failure: 
@@ -641,90 +372,30 @@ processors: field: error.message value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - rename: - field: json.exploitTypes - tag: rename_exploitTypes - target_field: microsoft_defender_endpoint.vulnerability.exploit_types + field: json.SoftwareName + tag: rename_SoftwareName + target_field: microsoft_defender_endpoint.vulnerability.software_name ignore_missing: true + - set: + field: package.name + tag: set_package_name_from_vulnerability_software_name + copy_from: microsoft_defender_endpoint.vulnerability.software_name + ignore_empty_value: true - rename: - field: json.exploitUris - tag: rename_exploitUris - target_field: microsoft_defender_endpoint.vulnerability.exploit_uris - ignore_missing: true - - convert: - field: json.exploitVerified - tag: convert_exploitVerified_to_boolean - target_field: microsoft_defender_endpoint.vulnerability.exploit_verified - type: boolean + field: json.SoftwareVendor + tag: rename_SoftwareVendor + target_field: microsoft_defender_endpoint.vulnerability.software_vendor ignore_missing: true - on_failure: - - append: - field: error.message - value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - - convert: - field: json.exposedMachines - tag: convert_exposedMachines_to_long - target_field: microsoft_defender_endpoint.vulnerability.exposed_machines - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - - date: - field: json.firstDetected - tag: date_firstDetected - 
target_field: microsoft_defender_endpoint.vulnerability.first_detected - formats: - - ISO8601 - if: ctx.json?.firstDetected != null && ctx.json.firstDetected != '' - on_failure: - - append: - field: error.message - value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - rename: - field: json.id - tag: rename_id - target_field: microsoft_defender_endpoint.vulnerability.id + field: json.SoftwareVersion + tag: rename_SoftwareVersion + target_field: microsoft_defender_endpoint.vulnerability.software_version ignore_missing: true - set: - field: vulnerability.id - tag: set_vulnerability_id_from_vulnerability_id - copy_from: microsoft_defender_endpoint.vulnerability.id - ignore_empty_value: true - - set: - field: vulnerability.cve - tag: set_vulnerability_cve_from_vulnerability_id - copy_from: microsoft_defender_endpoint.vulnerability.id - ignore_empty_value: true - if: ctx.vulnerability?.id != null && ctx.vulnerability.id.toUpperCase().contains('CVE') == true - - set: - field: event.id - tag: set_event_id_from_vulnerability_id - copy_from: microsoft_defender_endpoint.vulnerability.id + field: package.version + tag: set_package_version_from_vulnerability_software_version + copy_from: microsoft_defender_endpoint.vulnerability.software_version ignore_empty_value: true - if: ctx.event?.id == null - - set: - field: vulnerability.reference - tag: set_vulnerability_reference_from_vulnerability_id - value: https://www.cve.org/CVERecord?id={{{vulnerability.id}}} - if: ctx.vulnerability?.id != null && ctx.vulnerability.id.toUpperCase().contains('CVE') == true - - script: - description: Dynamically set vulnerability.enumeration values. 
- tag: script_map_vulnerability_id - lang: painless - if: ctx.vulnerability?.id != null - params: - vulnerability_enumeration: - - CVE - - TVM - source: | - String vulnerability_id = ctx.microsoft_defender_endpoint.vulnerability.id.toUpperCase(); - for (String enum: params.vulnerability_enumeration) { - if (vulnerability_id.contains(enum)) { - ctx.vulnerability.put('enumeration', enum); - return; - } - } - set: field: vulnerability.title tag: set_vulnerability_title_from_package_name_package_version_vulnerability_id 
@@ -741,90 +412,30 @@ processors: value: 'Vulnerability found - {{{vulnerability.id}}}' if: ctx.vulnerability?.id != null && ctx.vulnerability?.title == null - rename: - field: json.name - tag: rename_name - target_field: microsoft_defender_endpoint.vulnerability.name - ignore_missing: true - - date: - field: json.patchFirstAvailable - tag: date_patchFirstAvailable - target_field: microsoft_defender_endpoint.vulnerability.patch_first_available - formats: - - ISO8601 - if: ctx.json?.patchFirstAvailable != null && ctx.json.patchFirstAvailable != '' - on_failure: - - append: - field: error.message - value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - - convert: - field: json.publicExploit - tag: convert_publicExploit_to_boolean - target_field: microsoft_defender_endpoint.vulnerability.public_exploit - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - - date: - field: json.publishedOn - tag: date_publishedOn - target_field: microsoft_defender_endpoint.vulnerability.published_on - formats: - - ISO8601 - if: ctx.json?.publishedOn != null && ctx.json.publishedOn != '' - on_failure: - - append: - field: error.message - value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - - set: - field: vulnerability.published_date - tag: set_vulnerability_published_date_from_vulnerability_published_on - copy_from: microsoft_defender_endpoint.vulnerability.published_on - ignore_empty_value: true - - rename: - field: json.severity - tag: 
rename_severity - target_field: microsoft_defender_endpoint.vulnerability.severity + field: json.VulnerabilitySeverityLevel + tag: rename_VulnerabilitySeverityLevel + target_field: microsoft_defender_endpoint.vulnerability.severity_level ignore_missing: true - set: field: vulnerability.severity - tag: set_vulnerability_severity_from_vulnerability_severity - copy_from: microsoft_defender_endpoint.vulnerability.severity + tag: set_vulnerability_severity_from_vulnerability_severity_level + copy_from: microsoft_defender_endpoint.vulnerability.severity_level ignore_empty_value: true - - rename: - field: json.tags - tag: rename_tags - target_field: microsoft_defender_endpoint.vulnerability.tags - ignore_missing: true - - date: - field: json.updatedOn - tag: date_updatedOn - target_field: microsoft_defender_endpoint.vulnerability.updated_on - formats: - - ISO8601 - if: ctx.json?.updatedOn != null && ctx.json.updatedOn != '' - on_failure: - - append: - field: error.message - value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - remove: field: - - microsoft_defender_endpoint.vulnerability.affected_machine.computer_dns_name - - microsoft_defender_endpoint.vulnerability.affected_machine.last_external_ip_address - - microsoft_defender_endpoint.vulnerability.affected_machine.machine_id - - microsoft_defender_endpoint.vulnerability.affected_machine.os_platform - - microsoft_defender_endpoint.vulnerability.affected_machine.os_processor - - microsoft_defender_endpoint.vulnerability.affected_machine.product_name - - microsoft_defender_endpoint.vulnerability.affected_machine.product_version - - microsoft_defender_endpoint.vulnerability.affected_machine.rbac_group_id - - microsoft_defender_endpoint.vulnerability.affected_machine.rbac_group_name - - microsoft_defender_endpoint.vulnerability.affected_machine.risk_score - - 
microsoft_defender_endpoint.vulnerability.affected_machine.version - - microsoft_defender_endpoint.vulnerability.cvss_v3 - - microsoft_defender_endpoint.vulnerability.description + - microsoft_defender_endpoint.vulnerability.cve_batch_title + - microsoft_defender_endpoint.vulnerability.device_id + - microsoft_defender_endpoint.vulnerability.device_name - microsoft_defender_endpoint.vulnerability.id - - microsoft_defender_endpoint.vulnerability.severity + - microsoft_defender_endpoint.vulnerability.cve_id + - microsoft_defender_endpoint.vulnerability.os_architecture + - microsoft_defender_endpoint.vulnerability.os_platform + - microsoft_defender_endpoint.vulnerability.os_version + - microsoft_defender_endpoint.vulnerability.rbac_group_id + - microsoft_defender_endpoint.vulnerability.rbac_group_name + - microsoft_defender_endpoint.vulnerability.software_name + - microsoft_defender_endpoint.vulnerability.software_version + - microsoft_defender_endpoint.vulnerability.severity_level tag: remove_custom_duplicate_fields ignore_missing: true if: ctx.tags == null || !ctx.tags.contains('preserve_duplicate_custom_fields') diff --git a/packages/microsoft_defender_endpoint/data_stream/vulnerability/fields/cloud.yml b/packages/microsoft_defender_endpoint/data_stream/vulnerability/fields/cloud.yml deleted file mode 100644 index 226724e3c54..00000000000 --- a/packages/microsoft_defender_endpoint/data_stream/vulnerability/fields/cloud.yml +++ /dev/null @@ -1,7 +0,0 @@ -- name: cloud - type: group - fields: - # Not an ECS field. Taken from OTEL cloud attributes. https://opentelemetry.io/docs/specs/semconv/registry/attributes/cloud/ - - name: resource_id - type: keyword - description: Cloud provider-specific native identifier of the monitored cloud resource. diff --git a/packages/microsoft_defender_endpoint/data_stream/vulnerability/fields/fields.yml b/packages/microsoft_defender_endpoint/data_stream/vulnerability/fields/fields.yml index 11e403c2470..69ae0079fd4 100644 
--- a/packages/microsoft_defender_endpoint/data_stream/vulnerability/fields/fields.yml +++ b/packages/microsoft_defender_endpoint/data_stream/vulnerability/fields/fields.yml 
@@ -4,181 +4,77 @@ - name: vulnerability type: group fields: - - name: affected_machine - type: group - fields: - - name: aad_device_id - type: keyword - description: Microsoft Entra Device ID (when machine is Microsoft Entra joined). - - name: agent_version - type: keyword - - name: computer_dns_name - type: keyword - description: Machine fully qualified name. - - name: device_value - type: keyword - description: 'The value of the device. Possible values are: Normal, Low, and High.' - - name: exclusion_reason - type: keyword - - name: exposure_level - type: keyword - description: 'Exposure level as evaluated by Microsoft Defender for Endpoint. Possible values are: None, Low, Medium, and High.' - - name: first_seen - type: date - description: First date and time where the machine was observed by Microsoft Defender for Endpoint. - - name: fixing_kb_id - type: keyword - - name: health_status - type: keyword - description: 'machine health status. Possible values are: Active, Inactive, ImpairedCommunication, NoSensorData, NoSensorDataImpairedCommunication, and Unknown.' - - name: id - type: keyword - - name: ip_addresses - type: group - fields: - - name: ip_address - type: ip - - name: mac_address - type: keyword - - name: operational_status - type: keyword - - name: type - type: keyword - - name: is_aad_joined - type: boolean - - name: is_excluded - type: boolean - - name: is_potential_duplication - type: boolean - - name: last_external_ip_address - type: ip - description: Last IP through which the machine accessed the internet. - - name: last_ip_address - type: ip - description: Last IP on local NIC on the machine. - - name: last_seen - type: date - description: 'Time and date of the last received full device report. A device typically sends a full report every 24 hours. NOTE: This property doesn''t correspond to the last seen value in the UI. It pertains to the last device update.' - - name: machine_id - type: keyword - description: Machine identity. 
- - name: machine_tags - type: keyword - description: Set of machine tags. - - name: managed_by - type: keyword - - name: managed_by_status - type: keyword - - name: merged_into_machine_id - type: keyword - - name: onboarding_status - type: keyword - description: 'Status of machine onboarding. Possible values are: onboarded, CanBeOnboarded, Unsupported, and InsufficientInfo.' - - name: os_architecture - type: keyword - description: 'Operating system architecture. Possible values are: 32-bit, 64-bit. Use this property instead of osProcessor.' - - name: os_build - type: long - description: Operating system build number. - - name: os_platform - type: keyword - description: Operating system platform. - - name: os_processor - type: keyword - description: Operating system processor. Use osArchitecture property instead. - - name: os_version - type: keyword - - name: product_name - type: keyword - - name: product_vendor - type: keyword - - name: product_version - type: keyword - - name: rbac_group_id - type: keyword - description: Machine group ID. - - name: rbac_group_name - type: keyword - description: Machine group Name. - - name: risk_score - type: keyword - description: 'Risk score as evaluated by Microsoft Defender for Endpoint. Possible values are: None, Informational, Low, Medium, and High.' - - name: severity - type: keyword - - name: version - type: keyword - description: Operating system version. - - name: vmMetadata - type: group - fields: - - name: cloud_provider - type: keyword - - name: resource_id - type: keyword - - name: subscription_id - type: keyword - - name: vm_id - type: keyword - - name: cve_supportability - type: keyword - description: 'Possible values are: Supported, Not Supported, or SupportedInPremium.' - - name: cvss_v3 - type: double - description: CVSS v3 score. - - name: cvss_vector - type: keyword - description: A compressed textual representation that reflects the values used to derive the score. 
- - name: description - type: keyword - description: Vulnerability description. - - name: epss - type: double - description: Represents the probability that a vulnerability will be exploited. This probability is expressed as a number between 0 and 1 (0%-100%) according to the EPSS model. - - name: exploit_in_kit - type: boolean - description: Exploit is part of an exploit kit. - - name: exploit_types + - name: cve_batch_title type: keyword - description: 'Exploit affect. Possible values are: Local privilege escalation, Denial of service, or Local.' - - name: exploit_uris + - name: cve_batch_url type: keyword - description: Exploit source URLs. - - name: exploit_verified - type: boolean - description: Exploit is verified to work. - - name: exposed_machines - type: long - description: Number of exposed devices. - - name: first_detected - type: date - - name: id + - name: cve_id + type: keyword + description: Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system. + - name: cvss_score + type: float + description: The CVSS score of the CVE. + - name: device_id type: keyword - description: Vulnerability ID. - - name: impact + description: Unique identifier for the device in the service. + - name: device_name type: keyword - description: Impact of vulnerability. - - name: name + description: Fully qualified domain name (FQDN) of the device. + - name: disk_paths type: keyword - description: Vulnerability title. - - name: patch_first_available + description: Disk evidence that the product is installed on the device. + - name: exploitability_level + type: keyword + description: The exploitability level of this vulnerability (NoExploit, ExploitIsPublic, ExploitIsVerified, ExploitIsInKit) + - name: first_seen_timestamp type: date - - name: public_exploit + description: First time this product CVE was seen on the device. + - name: id + type: keyword + description: Unique identifier for the record. 
+ - name: is_onboarded type: boolean - description: Public exploit exists. - - name: published_on + - name: last_seen_timestamp type: date - description: Date when vulnerability was published. - - name: remediation + description: Last time the software was reported on the device. + - name: os_architecture type: keyword - description: Remediation fix for vulnerability to mitigate the problem. - - name: summary + description: Architecture of the operating system running on the device. + - name: os_platform type: keyword - description: Summary of vulnerability. - - name: severity + description: Platform of the operating system running on the device. + - name: os_version type: keyword - description: 'Vulnerability Severity. Possible values are: Low, Medium, High, or Critical.' - - name: tags + description: Version of the operating system running on the device. + - name: rbac_group_id type: keyword - - name: updated_on - type: date - description: Date when vulnerability was updated. + - name: rbac_group_name + type: keyword + description: The role-based access control (RBAC) group. + - name: recommendation_reference + type: keyword + description: A reference to the recommendation ID related to this software. + - name: recommended_security_update + type: keyword + description: Name or description of the security update provided by the software vendor to address the vulnerability. + - name: recommended_security_update_id + type: keyword + description: Identifier of the applicable security updates or identifier for the corresponding guidance or knowledge base (KB) articles. + - name: registry_paths + type: keyword + description: Registry evidence that the product is installed in the device. + - name: security_update_available + type: boolean + description: Indicates whether a security update is available for the software. + - name: severity_level + type: keyword + description: Severity level assigned to the security vulnerability based on the CVSS score. 
+ - name: software_name
+ type: keyword
+ description: Name of the software product.
+ - name: software_vendor
+ type: keyword
+ description: Name of the software vendor.
+ - name: software_version
+ type: keyword
+ description: Version number of the software product.
diff --git a/packages/microsoft_defender_endpoint/data_stream/vulnerability/manifest.yml b/packages/microsoft_defender_endpoint/data_stream/vulnerability/manifest.yml
index 56395d5f281..90363e786db 100644
--- a/packages/microsoft_defender_endpoint/data_stream/vulnerability/manifest.yml
+++ b/packages/microsoft_defender_endpoint/data_stream/vulnerability/manifest.yml
@@ -16,21 +16,14 @@ streams:
 required: true
 show_user: true
 default: 4h
- - name: batch_size
- type: integer
- title: Batch Size
- description: Specifies how many records to return in a single request of the Microsoft Defender Endpoint Vulnerability API.
+ - name: sas_valid_hours
+ type: text
+ title: SAS Valid Hours
+ description: The number of hours that the Shared Access Signature (SAS) download URLs are valid for. Maximum is 6 hours. Supported unit for this parameter is 'h'.
 multi: false
 required: true
 show_user: false
- default: 8000
- - name: affected_machines_only
- type: bool
- title: Collect vulnerabilities from affected machines only
- description: Collect only vulnerabilities that have at least one affected machine. Vulnerabilities without any affected machines will not be ingested.
- show_user: true
- required: false
- default: true
+ default: 1h
 - name: enable_request_tracer
 type: bool
 title: Enable request tracing
diff --git a/packages/microsoft_defender_endpoint/data_stream/vulnerability/sample_event.json b/packages/microsoft_defender_endpoint/data_stream/vulnerability/sample_event.json
index 6c208bb2fb3..c06419eded4 100644
--- a/packages/microsoft_defender_endpoint/data_stream/vulnerability/sample_event.json
+++ b/packages/microsoft_defender_endpoint/data_stream/vulnerability/sample_event.json
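Review bot: The new field list defines `cve_batch_url` (the vendor OVAL feed) but has no entry for `recommended_security_update_url`, even though the raw export record shown in the sample event carries `RecommendedSecurityUpdateUrl` (the RHSA errata link) and the mapped output in that sample does not contain it, so the one URL an analyst actually needs for remediation is dropped while the less useful feed URL is kept. I would add `- name: recommended_security_update_url`, `type: keyword`, `description: URL of the vendor security update or advisory that addresses the vulnerability.` next to `recommended_security_update_id`; the rename that populates it lives in the ingest pipeline, which is outside this hunk, and presumably needs a matching line. Separately, `cve_batch_title`, `cve_batch_url`, `is_onboarded` and `rbac_group_id` are the only new fields without a `description`; a one-line description for each (for `is_onboarded` something like `Whether the device is onboarded to Microsoft Defender for Endpoint.`) keeps the generated docs complete.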
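Review bot: `sas_valid_hours` is a free-form `text` option whose description states a maximum of 6 hours and a required `h` unit, but nothing in this manifest enforces either, so a value such as `8h` or a bare `2` is passed straight to whatever converts it to the API's hour count (outside this hunk), and the failure mode for an out-of-range value is not documented. The security-relevant point is that a SAS download URL is a bearer credential: anyone who obtains one can pull the full device/software vulnerability export until it expires, so the validity should stay at the minimum the collection interval needs rather than be treated as a convenience knob. I would extend the description to `The number of hours that the Shared Access Signature (SAS) download URLs are valid for, e.g. '2h' (maximum 6h). Keep this as short as the collection interval allows: a SAS URL grants unauthenticated download of the export until it expires, and if request tracing (next option) captures responses, these URLs are written to the trace files on disk.` The trace-file claim is my reading of the adjacent `enable_request_tracer` option and should be confirmed against what the tracer records.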
@@ -1,24 +1,24 @@ { - "@timestamp": "2025-08-05T14:25:21.991Z", + "@timestamp": "2025-10-09T18:02:10.412Z", "agent": { - "ephemeral_id": "ac97f2cc-6015-4238-afeb-24d81bb1f4eb", - "id": "df992497-f3e8-40fa-8b14-a86461292d03", - "name": "elastic-agent-26886", + "ephemeral_id": "2524101f-667e-439c-bec3-6dd357b7a215", + "id": "3b58c8e2-7598-48d3-999b-b24ad7c6946f", + "name": "elastic-agent-73278", "type": "filebeat", - "version": "8.19.0" + "version": "8.19.3" }, "data_stream": { "dataset": "microsoft_defender_endpoint.vulnerability", - "namespace": "61041", + "namespace": "80291", "type": "logs" }, "ecs": { "version": "8.17.0" }, "elastic_agent": { - "id": "df992497-f3e8-40fa-8b14-a86461292d03", + "id": "3b58c8e2-7598-48d3-999b-b24ad7c6946f", "snapshot": false, - "version": "8.19.0" + "version": "8.19.3" }, "event": { "agent_id_status": "verified", 
@@ -26,103 +26,60 @@ "vulnerability" ], "dataset": "microsoft_defender_endpoint.vulnerability", - "id": "94819846155826828d1603b913c67fe336d81295-_-CVE-2025-3074-_-microsoft-_-edge_chromium-based-_-134.0.3124.72-_-", - "ingested": "2025-08-05T14:25:23Z", + "id": "1212121212121212121212_red_hat_kernel_0:5.14.0-427.42.1.el9_4_CVE-2022-49226", + "ingested": "2025-10-09T18:02:11Z", "kind": "event", - "original": "{\"affectedMachine\":{\"aadDeviceId\":null,\"agentVersion\":\"30.124092.2.0\",\"computerDnsName\":\"bdp3449-ub20-2-4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01\",\"cveId\":\"CVE-2025-3074\",\"deviceValue\":\"Normal\",\"exclusionReason\":null,\"exposureLevel\":\"Low\",\"firstSeen\":\"2025-01-08T13:05:05.3483549Z\",\"fixingKbId\":null,\"healthStatus\":\"Inactive\",\"id\":\"94819846155826828d1603b913c67fe336d81295-_-CVE-2025-3074-_-microsoft-_-edge_chromium-based-_-134.0.3124.72-_-\",\"ipAddresses\":[{\"ipAddress\":\"216.160.83.56\",\"macAddress\":\"000C2910F1DA\",\"operationalStatus\":\"Up\",\"type\":\"Other\"}],\"isAadJoined\":false,\"isExcluded\":false,\"isPotentialDuplication\":false,\"lastExternalIpAddress\":\"1.128.0.0\",\"lastIpAddress\":\"175.16.199.0\",\"lastSeen\":\"2025-01-08T13:15:03.694371Z\",\"machineId\":\"94819846155826828d1603b913c67fe336d81295\",\"machineTags\":[\"test tag\"],\"managedBy\":\"MicrosoftDefenderForEndpoint\",\"managedByStatus\":\"Success\",\"mergedIntoMachineId\":null,\"onboardingStatus\":\"Onboarded\",\"osArchitecture\":\"64-bit\",\"osBuild\":6,\"osPlatform\":\"Ubuntu\",\"osProcessor\":\"x64\",\"osVersion\":null,\"productName\":\"edge_chromium-based\",\"productVendor\":\"microsoft\",\"productVersion\":\"134.0.3124.72\",\"rbacGroupId\":0,\"rbacGroupName\":null,\"riskScore\":\"None\",\"severity\":\"Medium\",\"version\":\"20.4\",\"vmMetadata\":null},\"cveSupportability\":\"Supported\",\"cvssV3\":6.5,\"cvssVector\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C\",\"description\":\"Summary: An inappropriate implementation in the 
Downloads feature of Google Chrome versions prior to 135.0.7049.52 could allow a remote attacker to perform UI spoofing via a crafted HTML page. This vulnerability, classified with a low severity by Chromium, may also enable bypassing security restrictions when a victim visits a specially crafted website. Impact: Exploitation of this vulnerability could lead to UI spoofing or bypassing security restrictions, potentially compromising user trust and security. AdditionalInformation: This vulnerability is associated with Google Chrome and has implications for Microsoft Edge (Chromium-based) due to shared code ingestion. Refer to Google Chrome Releases for further details. Remediation: Apply the latest patches and updates provided by the respective vendors. [Generated by AI]\",\"epss\":0.00111,\"exploitInKit\":false,\"exploitTypes\":[],\"exploitUris\":[],\"exploitVerified\":false,\"exposedMachines\":2,\"firstDetected\":\"2025-04-01T19:52:39Z\",\"id\":\"CVE-2025-3074\",\"name\":\"CVE-2025-3074\",\"patchFirstAvailable\":null,\"publicExploit\":false,\"publishedOn\":\"2025-04-01T00:00:00Z\",\"severity\":\"Medium\",\"tags\":[\"test\"],\"updatedOn\":\"2025-04-08T00:00:00Z\"}", + "original": "{\"CveBatchTitle\":\"Red_hat February 2025 Vulnerabilities\",\"CveBatchUrl\":\"https://security.access.redhat.com/data/oval/v2/RHEL9/rhel-9.8-eus.oval.xml.bz2\",\"CveId\":\"CVE-2022-49226\",\"CvssScore\":5.5,\"DeviceId\":\"1212121212121212121212\",\"DeviceName\":\"sample-host-1\",\"ExploitabilityLevel\":\"NoExploit\",\"FirstSeenTimestamp\":\"2025-10-06 10:43:58\",\"Id\":\"1212121212121212121212_red_hat_kernel_0:5.14.0-427.42.1.el9_4_CVE-2022-49226\",\"IsOnboarded\":true,\"LastSeenTimestamp\":\"2025-10-06 
22:45:00\",\"OSArchitecture\":\"x64\",\"OSPlatform\":\"Linux\",\"OSVersion\":\"enterprise_linux_9.4\",\"RbacGroupId\":0,\"RbacGroupName\":\"Unassigned\",\"RecommendationReference\":\"va-_-red_hat-_-kernel\",\"RecommendedSecurityUpdate\":\"CVE-2022-49226_oval:com.redhat.rhsa:def:20249315\",\"RecommendedSecurityUpdateId\":\"RHSA-2024:9315\",\"RecommendedSecurityUpdateUrl\":\"https://access.redhat.com/errata/RHSA-2024:9315\",\"RegistryPaths\":[],\"SecurityUpdateAvailable\":true,\"SoftwareName\":\"kernel\",\"SoftwareVendor\":\"red_hat\",\"SoftwareVersion\":\"0:5.14.0-427.42.1.el9_4\",\"VulnerabilitySeverityLevel\":\"Medium\"}", "type": [ "info" ] }, "group": { - "id": "0" + "id": "0", + "name": "Unassigned" }, "host": { "architecture": "x64", - "hostname": "bdp3449-ub20-2-4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01", - "id": "94819846155826828d1603b913c67fe336d81295", - "ip": [ - "1.128.0.0" - ], - "name": "bdp3449-ub20-2-4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01", + "hostname": "sample-host-1", + "id": "1212121212121212121212", + "name": "sample-host-1", "os": { - "name": "Ubuntu 20.4", - "platform": "Ubuntu", + "name": "Linux enterprise_linux_9.4", + "platform": "Linux", "type": "linux", - "version": "20.4" - }, - "risk": { - "calculated_level": "None" + "version": "enterprise_linux_9.4" } }, "input": { "type": "cel" }, - "message": "Summary: An inappropriate implementation in the Downloads feature of Google Chrome versions prior to 135.0.7049.52 could allow a remote attacker to perform UI spoofing via a crafted HTML page. This vulnerability, classified with a low severity by Chromium, may also enable bypassing security restrictions when a victim visits a specially crafted website. Impact: Exploitation of this vulnerability could lead to UI spoofing or bypassing security restrictions, potentially compromising user trust and security. 
AdditionalInformation: This vulnerability is associated with Google Chrome and has implications for Microsoft Edge (Chromium-based) due to shared code ingestion. Refer to Google Chrome Releases for further details. Remediation: Apply the latest patches and updates provided by the respective vendors. [Generated by AI]", + "message": "Red_hat February 2025 Vulnerabilities", "microsoft_defender_endpoint": { "vulnerability": { - "affected_machine": { - "agent_version": "30.124092.2.0", - "computer_dns_name": "bdp3449-ub20-2-4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01", - "device_value": "Normal", - "exposure_level": "Low", - "first_seen": "2025-01-08T13:05:05.348Z", - "health_status": "Inactive", - "id": "94819846155826828d1603b913c67fe336d81295-_-CVE-2025-3074-_-microsoft-_-edge_chromium-based-_-134.0.3124.72-_-", - "ip_addresses": [ - { - "ip_address": "216.160.83.56", - "mac_address": "00-0C-29-10-F1-DA", - "operational_status": "Up", - "type": "Other" - } - ], - "is_aad_joined": false, - "is_excluded": false, - "is_potential_duplication": false, - "last_external_ip_address": "1.128.0.0", - "last_ip_address": "175.16.199.0", - "last_seen": "2025-01-08T13:15:03.694Z", - "machine_id": "94819846155826828d1603b913c67fe336d81295", - "machine_tags": [ - "test tag" - ], - "managed_by": "MicrosoftDefenderForEndpoint", - "managed_by_status": "Success", - "onboarding_status": "Onboarded", - "os_architecture": "64-bit", - "os_build": 6, - "os_platform": "Ubuntu", - "os_processor": "x64", - "product_name": "edge_chromium-based", - "product_vendor": "microsoft", - "product_version": "134.0.3124.72", - "rbac_group_id": "0", - "risk_score": "None", - "severity": "Medium", - "version": "20.4" - }, - "cve_supportability": "Supported", - "cvss_v3": 6.5, - "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C", - "description": "Summary: An inappropriate implementation in the Downloads feature of Google Chrome versions prior to 135.0.7049.52 could allow a remote attacker 
to perform UI spoofing via a crafted HTML page. This vulnerability, classified with a low severity by Chromium, may also enable bypassing security restrictions when a victim visits a specially crafted website. Impact: Exploitation of this vulnerability could lead to UI spoofing or bypassing security restrictions, potentially compromising user trust and security. AdditionalInformation: This vulnerability is associated with Google Chrome and has implications for Microsoft Edge (Chromium-based) due to shared code ingestion. Refer to Google Chrome Releases for further details. Remediation: Apply the latest patches and updates provided by the respective vendors. [Generated by AI]", - "epss": 0.00111, - "exploit_in_kit": false, - "exploit_verified": false, - "exposed_machines": 2, - "first_detected": "2025-04-01T19:52:39.000Z", - "id": "CVE-2025-3074", - "impact": "Exploitation of this vulnerability could lead to UI spoofing or bypassing security restrictions, potentially compromising user trust and security.", - "name": "CVE-2025-3074", - "public_exploit": false, - "published_on": "2025-04-01T00:00:00.000Z", - "remediation": "Apply the latest patches and updates provided by the respective vendors.", - "severity": "Medium", - "summary": "An inappropriate implementation in the Downloads feature of Google Chrome versions prior to 135.0.7049.52 could allow a remote attacker to perform UI spoofing via a crafted HTML page. 
This vulnerability, classified with a low severity by Chromium, may also enable bypassing security restrictions when a victim visits a specially crafted website.", - "tags": [ - "test" - ], - "updated_on": "2025-04-08T00:00:00.000Z" + "cve_batch_title": "Red_hat February 2025 Vulnerabilities", + "cve_batch_url": "https://security.access.redhat.com/data/oval/v2/RHEL9/rhel-9.8-eus.oval.xml.bz2", + "cve_id": "CVE-2022-49226", + "cvss_score": 5.5, + "device_id": "1212121212121212121212", + "device_name": "sample-host-1", + "exploitability_level": "NoExploit", + "first_seen_timestamp": "2025-10-06T10:43:58.000Z", + "id": "1212121212121212121212_red_hat_kernel_0:5.14.0-427.42.1.el9_4_CVE-2022-49226", + "is_onboarded": true, + "last_seen_timestamp": "2025-10-06T22:45:00.000Z", + "os_architecture": "x64", + "os_platform": "Linux", + "os_version": "enterprise_linux_9.4", + "rbac_group_id": "0", + "rbac_group_name": "Unassigned", + "recommendation_reference": "va-_-red_hat-_-kernel", + "recommended_security_update": "CVE-2022-49226_oval:com.redhat.rhsa:def:20249315", + "recommended_security_update_id": "RHSA-2024:9315", + "security_update_available": true, + "severity_level": "Medium", + "software_name": "kernel", + "software_vendor": "red_hat", + "software_version": "0:5.14.0-427.42.1.el9_4" } }, "observer": { @@ -130,23 +87,18 @@ "vendor": "Microsoft" }, "package": { - "name": "edge_chromium-based", - "version": "134.0.3124.72" + "name": "kernel", + "version": "0:5.14.0-427.42.1.el9_4" }, "related": { "hosts": [ - "bdp3449-ub20-2-4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01", - "94819846155826828d1603b913c67fe336d81295" - ], - "ip": [ - "216.160.83.56", - "1.128.0.0", - "175.16.199.0" + "1212121212121212121212", + "sample-host-1" ] }, "resource": { - "id": "94819846155826828d1603b913c67fe336d81295", - "name": "bdp3449-ub20-2-4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01" + "id": "1212121212121212121212", + "name": "sample-host-1" }, "tags": [ "preserve_original_event", 
@@ -156,20 +108,17 @@ ], "vulnerability": { "classification": "CVSS", - "cve": "CVE-2025-3074", - "description": "Summary: An inappropriate implementation in the Downloads feature of Google Chrome versions prior to 135.0.7049.52 could allow a remote attacker to perform UI spoofing via a crafted HTML page. This vulnerability, classified with a low severity by Chromium, may also enable bypassing security restrictions when a victim visits a specially crafted website. Impact: Exploitation of this vulnerability could lead to UI spoofing or bypassing security restrictions, potentially compromising user trust and security. AdditionalInformation: This vulnerability is associated with Google Chrome and has implications for Microsoft Edge (Chromium-based) due to shared code ingestion. Refer to Google Chrome Releases for further details. Remediation: Apply the latest patches and updates provided by the respective vendors. [Generated by AI]", + "cve": "CVE-2022-49226", "enumeration": "CVE", - "id": "CVE-2025-3074", - "published_date": "2025-04-01T00:00:00.000Z", - "reference": "https://www.cve.org/CVERecord?id=CVE-2025-3074", + "id": "CVE-2022-49226", + "reference": "https://www.cve.org/CVERecord?id=CVE-2022-49226", "scanner": { "vendor": "Microsoft" }, "score": { - "base": 6.5, - "version": "3.1" + "base": 5.5 }, "severity": "Medium", - "title": "Vulnerability found in edge_chromium-based 134.0.3124.72 - CVE-2025-3074" + "title": "Vulnerability found in kernel 0:5.14.0-427.42.1.el9_4 - CVE-2022-49226" } } diff --git a/packages/microsoft_defender_endpoint/docs/README.md b/packages/microsoft_defender_endpoint/docs/README.md index 9b11f405881..bb937069625 100644 --- a/packages/microsoft_defender_endpoint/docs/README.md +++ b/packages/microsoft_defender_endpoint/docs/README.md 
@@ -584,26 +584,26 @@ An example event for `vulnerability` looks as following: ```json { - "@timestamp": "2025-08-05T14:25:21.991Z", + "@timestamp": "2025-10-09T18:02:10.412Z", "agent": { - "ephemeral_id": "ac97f2cc-6015-4238-afeb-24d81bb1f4eb", - "id": "df992497-f3e8-40fa-8b14-a86461292d03", - "name": "elastic-agent-26886", + "ephemeral_id": "2524101f-667e-439c-bec3-6dd357b7a215", + "id": "3b58c8e2-7598-48d3-999b-b24ad7c6946f", + "name": "elastic-agent-73278", "type": "filebeat", - "version": "8.19.0" + "version": "8.19.3" }, "data_stream": { "dataset": "microsoft_defender_endpoint.vulnerability", - "namespace": "61041", + "namespace": "80291", "type": "logs" }, "ecs": { "version": "8.17.0" }, "elastic_agent": { - "id": "df992497-f3e8-40fa-8b14-a86461292d03", + "id": "3b58c8e2-7598-48d3-999b-b24ad7c6946f", "snapshot": false, - "version": "8.19.0" + "version": "8.19.3" }, "event": { "agent_id_status": "verified", 
@@ -611,103 +611,60 @@ An example event for `vulnerability` looks as following: "vulnerability" ], "dataset": "microsoft_defender_endpoint.vulnerability", - "id": "94819846155826828d1603b913c67fe336d81295-_-CVE-2025-3074-_-microsoft-_-edge_chromium-based-_-134.0.3124.72-_-", - "ingested": "2025-08-05T14:25:23Z", + "id": "1212121212121212121212_red_hat_kernel_0:5.14.0-427.42.1.el9_4_CVE-2022-49226", + "ingested": "2025-10-09T18:02:11Z", "kind": "event", - "original": "{\"affectedMachine\":{\"aadDeviceId\":null,\"agentVersion\":\"30.124092.2.0\",\"computerDnsName\":\"bdp3449-ub20-2-4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01\",\"cveId\":\"CVE-2025-3074\",\"deviceValue\":\"Normal\",\"exclusionReason\":null,\"exposureLevel\":\"Low\",\"firstSeen\":\"2025-01-08T13:05:05.3483549Z\",\"fixingKbId\":null,\"healthStatus\":\"Inactive\",\"id\":\"94819846155826828d1603b913c67fe336d81295-_-CVE-2025-3074-_-microsoft-_-edge_chromium-based-_-134.0.3124.72-_-\",\"ipAddresses\":[{\"ipAddress\":\"216.160.83.56\",\"macAddress\":\"000C2910F1DA\",\"operationalStatus\":\"Up\",\"type\":\"Other\"}],\"isAadJoined\":false,\"isExcluded\":false,\"isPotentialDuplication\":false,\"lastExternalIpAddress\":\"1.128.0.0\",\"lastIpAddress\":\"175.16.199.0\",\"lastSeen\":\"2025-01-08T13:15:03.694371Z\",\"machineId\":\"94819846155826828d1603b913c67fe336d81295\",\"machineTags\":[\"test 
tag\"],\"managedBy\":\"MicrosoftDefenderForEndpoint\",\"managedByStatus\":\"Success\",\"mergedIntoMachineId\":null,\"onboardingStatus\":\"Onboarded\",\"osArchitecture\":\"64-bit\",\"osBuild\":6,\"osPlatform\":\"Ubuntu\",\"osProcessor\":\"x64\",\"osVersion\":null,\"productName\":\"edge_chromium-based\",\"productVendor\":\"microsoft\",\"productVersion\":\"134.0.3124.72\",\"rbacGroupId\":0,\"rbacGroupName\":null,\"riskScore\":\"None\",\"severity\":\"Medium\",\"version\":\"20.4\",\"vmMetadata\":null},\"cveSupportability\":\"Supported\",\"cvssV3\":6.5,\"cvssVector\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C\",\"description\":\"Summary: An inappropriate implementation in the Downloads feature of Google Chrome versions prior to 135.0.7049.52 could allow a remote attacker to perform UI spoofing via a crafted HTML page. This vulnerability, classified with a low severity by Chromium, may also enable bypassing security restrictions when a victim visits a specially crafted website. Impact: Exploitation of this vulnerability could lead to UI spoofing or bypassing security restrictions, potentially compromising user trust and security. AdditionalInformation: This vulnerability is associated with Google Chrome and has implications for Microsoft Edge (Chromium-based) due to shared code ingestion. Refer to Google Chrome Releases for further details. Remediation: Apply the latest patches and updates provided by the respective vendors. 
[Generated by AI]\",\"epss\":0.00111,\"exploitInKit\":false,\"exploitTypes\":[],\"exploitUris\":[],\"exploitVerified\":false,\"exposedMachines\":2,\"firstDetected\":\"2025-04-01T19:52:39Z\",\"id\":\"CVE-2025-3074\",\"name\":\"CVE-2025-3074\",\"patchFirstAvailable\":null,\"publicExploit\":false,\"publishedOn\":\"2025-04-01T00:00:00Z\",\"severity\":\"Medium\",\"tags\":[\"test\"],\"updatedOn\":\"2025-04-08T00:00:00Z\"}", + "original": "{\"CveBatchTitle\":\"Red_hat February 2025 Vulnerabilities\",\"CveBatchUrl\":\"https://security.access.redhat.com/data/oval/v2/RHEL9/rhel-9.8-eus.oval.xml.bz2\",\"CveId\":\"CVE-2022-49226\",\"CvssScore\":5.5,\"DeviceId\":\"1212121212121212121212\",\"DeviceName\":\"sample-host-1\",\"ExploitabilityLevel\":\"NoExploit\",\"FirstSeenTimestamp\":\"2025-10-06 10:43:58\",\"Id\":\"1212121212121212121212_red_hat_kernel_0:5.14.0-427.42.1.el9_4_CVE-2022-49226\",\"IsOnboarded\":true,\"LastSeenTimestamp\":\"2025-10-06 22:45:00\",\"OSArchitecture\":\"x64\",\"OSPlatform\":\"Linux\",\"OSVersion\":\"enterprise_linux_9.4\",\"RbacGroupId\":0,\"RbacGroupName\":\"Unassigned\",\"RecommendationReference\":\"va-_-red_hat-_-kernel\",\"RecommendedSecurityUpdate\":\"CVE-2022-49226_oval:com.redhat.rhsa:def:20249315\",\"RecommendedSecurityUpdateId\":\"RHSA-2024:9315\",\"RecommendedSecurityUpdateUrl\":\"https://access.redhat.com/errata/RHSA-2024:9315\",\"RegistryPaths\":[],\"SecurityUpdateAvailable\":true,\"SoftwareName\":\"kernel\",\"SoftwareVendor\":\"red_hat\",\"SoftwareVersion\":\"0:5.14.0-427.42.1.el9_4\",\"VulnerabilitySeverityLevel\":\"Medium\"}", "type": [ "info" ] }, "group": { - "id": "0" + "id": "0", + "name": "Unassigned" }, "host": { "architecture": "x64", - "hostname": "bdp3449-ub20-2-4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01", - "id": "94819846155826828d1603b913c67fe336d81295", - "ip": [ - "1.128.0.0" - ], - "name": "bdp3449-ub20-2-4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01", + "hostname": "sample-host-1", + "id": "1212121212121212121212", + "name": 
"sample-host-1", "os": { - "name": "Ubuntu 20.4", - "platform": "Ubuntu", + "name": "Linux enterprise_linux_9.4", + "platform": "Linux", "type": "linux", - "version": "20.4" - }, - "risk": { - "calculated_level": "None" + "version": "enterprise_linux_9.4" } }, "input": { "type": "cel" }, - "message": "Summary: An inappropriate implementation in the Downloads feature of Google Chrome versions prior to 135.0.7049.52 could allow a remote attacker to perform UI spoofing via a crafted HTML page. This vulnerability, classified with a low severity by Chromium, may also enable bypassing security restrictions when a victim visits a specially crafted website. Impact: Exploitation of this vulnerability could lead to UI spoofing or bypassing security restrictions, potentially compromising user trust and security. AdditionalInformation: This vulnerability is associated with Google Chrome and has implications for Microsoft Edge (Chromium-based) due to shared code ingestion. Refer to Google Chrome Releases for further details. Remediation: Apply the latest patches and updates provided by the respective vendors. 
[Generated by AI]", + "message": "Red_hat February 2025 Vulnerabilities", "microsoft_defender_endpoint": { "vulnerability": { - "affected_machine": { - "agent_version": "30.124092.2.0", - "computer_dns_name": "bdp3449-ub20-2-4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01", - "device_value": "Normal", - "exposure_level": "Low", - "first_seen": "2025-01-08T13:05:05.348Z", - "health_status": "Inactive", - "id": "94819846155826828d1603b913c67fe336d81295-_-CVE-2025-3074-_-microsoft-_-edge_chromium-based-_-134.0.3124.72-_-", - "ip_addresses": [ - { - "ip_address": "216.160.83.56", - "mac_address": "00-0C-29-10-F1-DA", - "operational_status": "Up", - "type": "Other" - } - ], - "is_aad_joined": false, - "is_excluded": false, - "is_potential_duplication": false, - "last_external_ip_address": "1.128.0.0", - "last_ip_address": "175.16.199.0", - "last_seen": "2025-01-08T13:15:03.694Z", - "machine_id": "94819846155826828d1603b913c67fe336d81295", - "machine_tags": [ - "test tag" - ], - "managed_by": "MicrosoftDefenderForEndpoint", - "managed_by_status": "Success", - "onboarding_status": "Onboarded", - "os_architecture": "64-bit", - "os_build": 6, - "os_platform": "Ubuntu", - "os_processor": "x64", - "product_name": "edge_chromium-based", - "product_vendor": "microsoft", - "product_version": "134.0.3124.72", - "rbac_group_id": "0", - "risk_score": "None", - "severity": "Medium", - "version": "20.4" - }, - "cve_supportability": "Supported", - "cvss_v3": 6.5, - "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C", - "description": "Summary: An inappropriate implementation in the Downloads feature of Google Chrome versions prior to 135.0.7049.52 could allow a remote attacker to perform UI spoofing via a crafted HTML page. This vulnerability, classified with a low severity by Chromium, may also enable bypassing security restrictions when a victim visits a specially crafted website. 
Impact: Exploitation of this vulnerability could lead to UI spoofing or bypassing security restrictions, potentially compromising user trust and security. AdditionalInformation: This vulnerability is associated with Google Chrome and has implications for Microsoft Edge (Chromium-based) due to shared code ingestion. Refer to Google Chrome Releases for further details. Remediation: Apply the latest patches and updates provided by the respective vendors. [Generated by AI]", - "epss": 0.00111, - "exploit_in_kit": false, - "exploit_verified": false, - "exposed_machines": 2, - "first_detected": "2025-04-01T19:52:39.000Z", - "id": "CVE-2025-3074", - "impact": "Exploitation of this vulnerability could lead to UI spoofing or bypassing security restrictions, potentially compromising user trust and security.", - "name": "CVE-2025-3074", - "public_exploit": false, - "published_on": "2025-04-01T00:00:00.000Z", - "remediation": "Apply the latest patches and updates provided by the respective vendors.", - "severity": "Medium", - "summary": "An inappropriate implementation in the Downloads feature of Google Chrome versions prior to 135.0.7049.52 could allow a remote attacker to perform UI spoofing via a crafted HTML page. 
This vulnerability, classified with a low severity by Chromium, may also enable bypassing security restrictions when a victim visits a specially crafted website.", - "tags": [ - "test" - ], - "updated_on": "2025-04-08T00:00:00.000Z" + "cve_batch_title": "Red_hat February 2025 Vulnerabilities", + "cve_batch_url": "https://security.access.redhat.com/data/oval/v2/RHEL9/rhel-9.8-eus.oval.xml.bz2", + "cve_id": "CVE-2022-49226", + "cvss_score": 5.5, + "device_id": "1212121212121212121212", + "device_name": "sample-host-1", + "exploitability_level": "NoExploit", + "first_seen_timestamp": "2025-10-06T10:43:58.000Z", + "id": "1212121212121212121212_red_hat_kernel_0:5.14.0-427.42.1.el9_4_CVE-2022-49226", + "is_onboarded": true, + "last_seen_timestamp": "2025-10-06T22:45:00.000Z", + "os_architecture": "x64", + "os_platform": "Linux", + "os_version": "enterprise_linux_9.4", + "rbac_group_id": "0", + "rbac_group_name": "Unassigned", + "recommendation_reference": "va-_-red_hat-_-kernel", + "recommended_security_update": "CVE-2022-49226_oval:com.redhat.rhsa:def:20249315", + "recommended_security_update_id": "RHSA-2024:9315", + "security_update_available": true, + "severity_level": "Medium", + "software_name": "kernel", + "software_vendor": "red_hat", + "software_version": "0:5.14.0-427.42.1.el9_4" } }, "observer": { 
@@ -715,23 +672,18 @@ An example event for `vulnerability` looks as following:
"vendor": "Microsoft"
},
"package": {
- "name": "edge_chromium-based",
- "version": "134.0.3124.72"
+ "name": "kernel",
+ "version": "0:5.14.0-427.42.1.el9_4"
},
"related": {
"hosts": [
- "bdp3449-ub20-2-4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01",
- "94819846155826828d1603b913c67fe336d81295"
- ],
- "ip": [
- "216.160.83.56",
- "1.128.0.0",
- "175.16.199.0"
+ "1212121212121212121212",
+ "sample-host-1"
]
},
"resource": {
- "id": "94819846155826828d1603b913c67fe336d81295",
- "name": "bdp3449-ub20-2-4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01"
+ "id": "1212121212121212121212",
+ "name": "sample-host-1"
},
"tags": [
"preserve_original_event",
@@ -741,21 +693,18 @@ An example event for `vulnerability` looks as following:
],
"vulnerability": {
"classification": "CVSS",
- "cve": "CVE-2025-3074",
- "description": "Summary: An inappropriate implementation in the Downloads feature of Google Chrome versions prior to 135.0.7049.52 could allow a remote attacker to perform UI spoofing via a crafted HTML page. This vulnerability, classified with a low severity by Chromium, may also enable bypassing security restrictions when a victim visits a specially crafted website. Impact: Exploitation of this vulnerability could lead to UI spoofing or bypassing security restrictions, potentially compromising user trust and security. AdditionalInformation: This vulnerability is associated with Google Chrome and has implications for Microsoft Edge (Chromium-based) due to shared code ingestion. Refer to Google Chrome Releases for further details. Remediation: Apply the latest patches and updates provided by the respective vendors. [Generated by AI]",
+ "cve": "CVE-2022-49226",
"enumeration": "CVE",
- "id": "CVE-2025-3074",
- "published_date": "2025-04-01T00:00:00.000Z",
- "reference": "https://www.cve.org/CVERecord?id=CVE-2025-3074",
+ "id": "CVE-2022-49226",
+ "reference": "https://www.cve.org/CVERecord?id=CVE-2022-49226",
"scanner": {
"vendor": "Microsoft"
},
"score": {
- "base": 6.5,
- "version": "3.1"
+ "base": 5.5
},
"severity": "Medium",
- "title": "Vulnerability found in edge_chromium-based 134.0.3124.72 - CVE-2025-3074"
+ "title": "Vulnerability found in kernel 0:5.14.0-427.42.1.el9_4 - CVE-2022-49226"
}
}
```
@@ -765,7 +714,6 @@ An example event for `vulnerability` looks as following:
| Field | Description | Type |
|---|---|---|
| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
-| cloud.resource_id | Cloud provider-specific native identifier of the monitored cloud resource. | keyword |
| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword |
| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword |
| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword |
@@ -775,71 +723,32 @@ An example event for `vulnerability` looks as following:
| log.file.device_id | Device Id of the log file this event came from. | keyword |
| log.file.inode | Inode number of the log file. | keyword |
| log.offset | Log offset. | long |
-| microsoft_defender_endpoint.vulnerability.affected_machine.aad_device_id | Microsoft Entra Device ID (when machine is Microsoft Entra joined). | keyword |
-| microsoft_defender_endpoint.vulnerability.affected_machine.agent_version | | keyword |
-| microsoft_defender_endpoint.vulnerability.affected_machine.computer_dns_name | Machine fully qualified name. | keyword |
-| microsoft_defender_endpoint.vulnerability.affected_machine.device_value | The value of the device. Possible values are: Normal, Low, and High. | keyword |
-| microsoft_defender_endpoint.vulnerability.affected_machine.exclusion_reason | | keyword |
-| microsoft_defender_endpoint.vulnerability.affected_machine.exposure_level | Exposure level as evaluated by Microsoft Defender for Endpoint. Possible values are: None, Low, Medium, and High. | keyword |
-| microsoft_defender_endpoint.vulnerability.affected_machine.first_seen | First date and time where the machine was observed by Microsoft Defender for Endpoint. | date |
-| microsoft_defender_endpoint.vulnerability.affected_machine.fixing_kb_id | | keyword |
-| microsoft_defender_endpoint.vulnerability.affected_machine.health_status | machine health status. Possible values are: Active, Inactive, ImpairedCommunication, NoSensorData, NoSensorDataImpairedCommunication, and Unknown. 
| keyword |
-| microsoft_defender_endpoint.vulnerability.affected_machine.id | | keyword |
-| microsoft_defender_endpoint.vulnerability.affected_machine.ip_addresses.ip_address | | ip |
-| microsoft_defender_endpoint.vulnerability.affected_machine.ip_addresses.mac_address | | keyword |
-| microsoft_defender_endpoint.vulnerability.affected_machine.ip_addresses.operational_status | | keyword |
-| microsoft_defender_endpoint.vulnerability.affected_machine.ip_addresses.type | | keyword |
-| microsoft_defender_endpoint.vulnerability.affected_machine.is_aad_joined | | boolean |
-| microsoft_defender_endpoint.vulnerability.affected_machine.is_excluded | | boolean |
-| microsoft_defender_endpoint.vulnerability.affected_machine.is_potential_duplication | | boolean |
-| microsoft_defender_endpoint.vulnerability.affected_machine.last_external_ip_address | Last IP through which the machine accessed the internet. | ip |
-| microsoft_defender_endpoint.vulnerability.affected_machine.last_ip_address | Last IP on local NIC on the machine. | ip |
-| microsoft_defender_endpoint.vulnerability.affected_machine.last_seen | Time and date of the last received full device report. A device typically sends a full report every 24 hours. NOTE: This property doesn't correspond to the last seen value in the UI. It pertains to the last device update. | date |
-| microsoft_defender_endpoint.vulnerability.affected_machine.machine_id | Machine identity. | keyword |
-| microsoft_defender_endpoint.vulnerability.affected_machine.machine_tags | Set of machine tags. | keyword |
-| microsoft_defender_endpoint.vulnerability.affected_machine.managed_by | | keyword |
-| microsoft_defender_endpoint.vulnerability.affected_machine.managed_by_status | | keyword |
-| microsoft_defender_endpoint.vulnerability.affected_machine.merged_into_machine_id | | keyword |
-| microsoft_defender_endpoint.vulnerability.affected_machine.onboarding_status | Status of machine onboarding. 
Possible values are: onboarded, CanBeOnboarded, Unsupported, and InsufficientInfo. | keyword |
-| microsoft_defender_endpoint.vulnerability.affected_machine.os_architecture | Operating system architecture. Possible values are: 32-bit, 64-bit. Use this property instead of osProcessor. | keyword |
-| microsoft_defender_endpoint.vulnerability.affected_machine.os_build | Operating system build number. | long |
-| microsoft_defender_endpoint.vulnerability.affected_machine.os_platform | Operating system platform. | keyword |
-| microsoft_defender_endpoint.vulnerability.affected_machine.os_processor | Operating system processor. Use osArchitecture property instead. | keyword |
-| microsoft_defender_endpoint.vulnerability.affected_machine.os_version | | keyword |
-| microsoft_defender_endpoint.vulnerability.affected_machine.product_name | | keyword |
-| microsoft_defender_endpoint.vulnerability.affected_machine.product_vendor | | keyword |
-| microsoft_defender_endpoint.vulnerability.affected_machine.product_version | | keyword |
-| microsoft_defender_endpoint.vulnerability.affected_machine.rbac_group_id | Machine group ID. | keyword |
-| microsoft_defender_endpoint.vulnerability.affected_machine.rbac_group_name | Machine group Name. | keyword |
-| microsoft_defender_endpoint.vulnerability.affected_machine.risk_score | Risk score as evaluated by Microsoft Defender for Endpoint. Possible values are: None, Informational, Low, Medium, and High. | keyword |
-| microsoft_defender_endpoint.vulnerability.affected_machine.severity | | keyword |
-| microsoft_defender_endpoint.vulnerability.affected_machine.version | Operating system version. 
| keyword |
-| microsoft_defender_endpoint.vulnerability.affected_machine.vmMetadata.cloud_provider | | keyword |
-| microsoft_defender_endpoint.vulnerability.affected_machine.vmMetadata.resource_id | | keyword |
-| microsoft_defender_endpoint.vulnerability.affected_machine.vmMetadata.subscription_id | | keyword |
-| microsoft_defender_endpoint.vulnerability.affected_machine.vmMetadata.vm_id | | keyword |
-| microsoft_defender_endpoint.vulnerability.cve_supportability | Possible values are: Supported, Not Supported, or SupportedInPremium. | keyword |
-| microsoft_defender_endpoint.vulnerability.cvss_v3 | CVSS v3 score. | double |
-| microsoft_defender_endpoint.vulnerability.cvss_vector | A compressed textual representation that reflects the values used to derive the score. | keyword |
-| microsoft_defender_endpoint.vulnerability.description | Vulnerability description. | keyword |
-| microsoft_defender_endpoint.vulnerability.epss | Represents the probability that a vulnerability will be exploited. This probability is expressed as a number between 0 and 1 (0%-100%) according to the EPSS model. | double |
-| microsoft_defender_endpoint.vulnerability.exploit_in_kit | Exploit is part of an exploit kit. | boolean |
-| microsoft_defender_endpoint.vulnerability.exploit_types | Exploit affect. Possible values are: Local privilege escalation, Denial of service, or Local. | keyword |
-| microsoft_defender_endpoint.vulnerability.exploit_uris | Exploit source URLs. | keyword |
-| microsoft_defender_endpoint.vulnerability.exploit_verified | Exploit is verified to work. | boolean |
-| microsoft_defender_endpoint.vulnerability.exposed_machines | Number of exposed devices. | long |
-| microsoft_defender_endpoint.vulnerability.first_detected | | date |
-| microsoft_defender_endpoint.vulnerability.id | Vulnerability ID. | keyword |
-| microsoft_defender_endpoint.vulnerability.impact | Impact of vulnerability. 
| keyword |
-| microsoft_defender_endpoint.vulnerability.name | Vulnerability title. | keyword |
-| microsoft_defender_endpoint.vulnerability.patch_first_available | | date |
-| microsoft_defender_endpoint.vulnerability.public_exploit | Public exploit exists. | boolean |
-| microsoft_defender_endpoint.vulnerability.published_on | Date when vulnerability was published. | date |
-| microsoft_defender_endpoint.vulnerability.remediation | Remediation fix for vulnerability to mitigate the problem. | keyword |
-| microsoft_defender_endpoint.vulnerability.severity | Vulnerability Severity. Possible values are: Low, Medium, High, or Critical. | keyword |
-| microsoft_defender_endpoint.vulnerability.summary | Summary of vulnerability. | keyword |
-| microsoft_defender_endpoint.vulnerability.tags | | keyword |
-| microsoft_defender_endpoint.vulnerability.updated_on | Date when vulnerability was updated. | date |
+| microsoft_defender_endpoint.vulnerability.cve_batch_title | | keyword |
+| microsoft_defender_endpoint.vulnerability.cve_batch_url | | keyword |
+| microsoft_defender_endpoint.vulnerability.cve_id | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system. | keyword |
+| microsoft_defender_endpoint.vulnerability.cvss_score | The CVSS score of the CVE. | float |
+| microsoft_defender_endpoint.vulnerability.device_id | Unique identifier for the device in the service. | keyword |
+| microsoft_defender_endpoint.vulnerability.device_name | Fully qualified domain name (FQDN) of the device. | keyword |
+| microsoft_defender_endpoint.vulnerability.disk_paths | Disk evidence that the product is installed on the device. 
| keyword |
+| microsoft_defender_endpoint.vulnerability.exploitability_level | The exploitability level of this vulnerability (NoExploit, ExploitIsPublic, ExploitIsVerified, ExploitIsInKit) | keyword |
+| microsoft_defender_endpoint.vulnerability.first_seen_timestamp | First time this product CVE was seen on the device. | date |
+| microsoft_defender_endpoint.vulnerability.id | Unique identifier for the record. | keyword |
+| microsoft_defender_endpoint.vulnerability.is_onboarded | | boolean |
+| microsoft_defender_endpoint.vulnerability.last_seen_timestamp | Last time the software was reported on the device. | date |
+| microsoft_defender_endpoint.vulnerability.os_architecture | Architecture of the operating system running on the device. | keyword |
+| microsoft_defender_endpoint.vulnerability.os_platform | Platform of the operating system running on the device. | keyword |
+| microsoft_defender_endpoint.vulnerability.os_version | Version of the operating system running on the device. | keyword |
+| microsoft_defender_endpoint.vulnerability.rbac_group_id | | keyword |
+| microsoft_defender_endpoint.vulnerability.rbac_group_name | The role-based access control (RBAC) group. | keyword |
+| microsoft_defender_endpoint.vulnerability.recommendation_reference | A reference to the recommendation ID related to this software. | keyword |
+| microsoft_defender_endpoint.vulnerability.recommended_security_update | Name or description of the security update provided by the software vendor to address the vulnerability. | keyword |
+| microsoft_defender_endpoint.vulnerability.recommended_security_update_id | Identifier of the applicable security updates or identifier for the corresponding guidance or knowledge base (KB) articles. | keyword |
+| microsoft_defender_endpoint.vulnerability.registry_paths | Registry evidence that the product is installed in the device. 
| keyword |
+| microsoft_defender_endpoint.vulnerability.security_update_available | Indicates whether a security update is available for the software. | boolean |
+| microsoft_defender_endpoint.vulnerability.severity_level | Severity level assigned to the security vulnerability based on the CVSS score. | keyword |
+| microsoft_defender_endpoint.vulnerability.software_name | Name of the software product. | keyword |
+| microsoft_defender_endpoint.vulnerability.software_vendor | Name of the software vendor. | keyword |
+| microsoft_defender_endpoint.vulnerability.software_version | Version number of the software product. | keyword |
| observer.vendor | Vendor name of the observer. | constant_keyword |
| package.fixed_version | | keyword |
| package.name | Package name | keyword |
diff --git a/packages/microsoft_defender_endpoint/elasticsearch/transform/latest_cdr_vuln/fields/cloud.yml b/packages/microsoft_defender_endpoint/elasticsearch/transform/latest_cdr_vuln/fields/cloud.yml deleted file mode 100644
index 226724e3c54..00000000000
--- a/packages/microsoft_defender_endpoint/elasticsearch/transform/latest_cdr_vuln/fields/cloud.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-- name: cloud
-  type: group
- fields:
- # Not an ECS field. Taken from OTEL cloud attributes. https://opentelemetry.io/docs/specs/semconv/registry/attributes/cloud/
- - name: resource_id
- type: keyword
- description: Cloud provider-specific native identifier of the monitored cloud resource.
diff --git a/packages/microsoft_defender_endpoint/elasticsearch/transform/latest_cdr_vuln/fields/fields.yml b/packages/microsoft_defender_endpoint/elasticsearch/transform/latest_cdr_vuln/fields/fields.yml
index 11e403c2470..69ae0079fd4 100644
--- a/packages/microsoft_defender_endpoint/elasticsearch/transform/latest_cdr_vuln/fields/fields.yml
+++ b/packages/microsoft_defender_endpoint/elasticsearch/transform/latest_cdr_vuln/fields/fields.yml 
@@ -4,181 +4,77 @@ - name: vulnerability
type: group
fields:
- - name: affected_machine
- type: group
- fields:
- - name: aad_device_id
- type: keyword
- description: Microsoft Entra Device ID (when machine is Microsoft Entra joined).
- - name: agent_version
- type: keyword
- - name: computer_dns_name
- type: keyword
- description: Machine fully qualified name.
- - name: device_value
- type: keyword
- description: 'The value of the device. Possible values are: Normal, Low, and High.'
- - name: exclusion_reason
- type: keyword
- - name: exposure_level
- type: keyword
- description: 'Exposure level as evaluated by Microsoft Defender for Endpoint. Possible values are: None, Low, Medium, and High.'
- - name: first_seen
- type: date
- description: First date and time where the machine was observed by Microsoft Defender for Endpoint.
- - name: fixing_kb_id
- type: keyword
- - name: health_status
- type: keyword
- description: 'machine health status. Possible values are: Active, Inactive, ImpairedCommunication, NoSensorData, NoSensorDataImpairedCommunication, and Unknown.'
- - name: id
- type: keyword
- - name: ip_addresses
- type: group
- fields:
- - name: ip_address
- type: ip
- - name: mac_address
- type: keyword
- - name: operational_status
- type: keyword
- - name: type
- type: keyword
- - name: is_aad_joined
- type: boolean
- - name: is_excluded
- type: boolean
- - name: is_potential_duplication
- type: boolean
- - name: last_external_ip_address
- type: ip
- description: Last IP through which the machine accessed the internet.
- - name: last_ip_address
- type: ip
- description: Last IP on local NIC on the machine.
- - name: last_seen
- type: date
- description: 'Time and date of the last received full device report. A device typically sends a full report every 24 hours. NOTE: This property doesn''t correspond to the last seen value in the UI. It pertains to the last device update.'
- - name: machine_id
- type: keyword
- description: Machine identity. 
- - name: machine_tags
- type: keyword
- description: Set of machine tags.
- - name: managed_by
- type: keyword
- - name: managed_by_status
- type: keyword
- - name: merged_into_machine_id
- type: keyword
- - name: onboarding_status
- type: keyword
- description: 'Status of machine onboarding. Possible values are: onboarded, CanBeOnboarded, Unsupported, and InsufficientInfo.'
- - name: os_architecture
- type: keyword
- description: 'Operating system architecture. Possible values are: 32-bit, 64-bit. Use this property instead of osProcessor.'
- - name: os_build
- type: long
- description: Operating system build number.
- - name: os_platform
- type: keyword
- description: Operating system platform.
- - name: os_processor
- type: keyword
- description: Operating system processor. Use osArchitecture property instead.
- - name: os_version
- type: keyword
- - name: product_name
- type: keyword
- - name: product_vendor
- type: keyword
- - name: product_version
- type: keyword
- - name: rbac_group_id
- type: keyword
- description: Machine group ID.
- - name: rbac_group_name
- type: keyword
- description: Machine group Name.
- - name: risk_score
- type: keyword
- description: 'Risk score as evaluated by Microsoft Defender for Endpoint. Possible values are: None, Informational, Low, Medium, and High.'
- - name: severity
- type: keyword
- - name: version
- type: keyword
- description: Operating system version.
- - name: vmMetadata
- type: group
- fields:
- - name: cloud_provider
- type: keyword
- - name: resource_id
- type: keyword
- - name: subscription_id
- type: keyword
- - name: vm_id
- type: keyword
- - name: cve_supportability
- type: keyword
- description: 'Possible values are: Supported, Not Supported, or SupportedInPremium.'
- - name: cvss_v3
- type: double
- description: CVSS v3 score.
- - name: cvss_vector
- type: keyword
- description: A compressed textual representation that reflects the values used to derive the score. 
- - name: description
- type: keyword
- description: Vulnerability description.
- - name: epss
- type: double
- description: Represents the probability that a vulnerability will be exploited. This probability is expressed as a number between 0 and 1 (0%-100%) according to the EPSS model.
- - name: exploit_in_kit
- type: boolean
- description: Exploit is part of an exploit kit.
- - name: exploit_types
+ - name: cve_batch_title
type: keyword
- description: 'Exploit affect. Possible values are: Local privilege escalation, Denial of service, or Local.'
- - name: exploit_uris
+ - name: cve_batch_url
type: keyword
- description: Exploit source URLs.
- - name: exploit_verified
- type: boolean
- description: Exploit is verified to work.
- - name: exposed_machines
- type: long
- description: Number of exposed devices.
- - name: first_detected
- type: date
- - name: id
+ - name: cve_id
+ type: keyword
+ description: Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system.
+ - name: cvss_score
+ type: float
+ description: The CVSS score of the CVE.
+ - name: device_id
type: keyword
- description: Vulnerability ID.
- - name: impact
+ description: Unique identifier for the device in the service.
+ - name: device_name
type: keyword
- description: Impact of vulnerability.
- - name: name
+ description: Fully qualified domain name (FQDN) of the device.
+ - name: disk_paths
type: keyword
- description: Vulnerability title.
- - name: patch_first_available
+ description: Disk evidence that the product is installed on the device.
+ - name: exploitability_level
+ type: keyword
+ description: The exploitability level of this vulnerability (NoExploit, ExploitIsPublic, ExploitIsVerified, ExploitIsInKit)
+ - name: first_seen_timestamp
type: date
- - name: public_exploit
+ description: First time this product CVE was seen on the device.
+ - name: id
+ type: keyword
+ description: Unique identifier for the record. 
+ - name: is_onboarded
type: boolean
- description: Public exploit exists.
- - name: published_on
+ - name: last_seen_timestamp
type: date
- description: Date when vulnerability was published.
- - name: remediation
+ description: Last time the software was reported on the device.
+ - name: os_architecture
type: keyword
- description: Remediation fix for vulnerability to mitigate the problem.
- - name: summary
+ description: Architecture of the operating system running on the device.
+ - name: os_platform
type: keyword
- description: Summary of vulnerability.
- - name: severity
+ description: Platform of the operating system running on the device.
+ - name: os_version
type: keyword
- description: 'Vulnerability Severity. Possible values are: Low, Medium, High, or Critical.'
- - name: tags
+ description: Version of the operating system running on the device.
+ - name: rbac_group_id
type: keyword
- - name: updated_on
- type: date
- description: Date when vulnerability was updated.
+ - name: rbac_group_name
+ type: keyword
+ description: The role-based access control (RBAC) group.
+ - name: recommendation_reference
+ type: keyword
+ description: A reference to the recommendation ID related to this software.
+ - name: recommended_security_update
+ type: keyword
+ description: Name or description of the security update provided by the software vendor to address the vulnerability.
+ - name: recommended_security_update_id
+ type: keyword
+ description: Identifier of the applicable security updates or identifier for the corresponding guidance or knowledge base (KB) articles.
+ - name: registry_paths
+ type: keyword
+ description: Registry evidence that the product is installed in the device.
+ - name: security_update_available
+ type: boolean
+ description: Indicates whether a security update is available for the software.
+ - name: severity_level
+ type: keyword
+ description: Severity level assigned to the security vulnerability based on the CVSS score. 
+ - name: software_name
+ type: keyword
+ description: Name of the software product.
+ - name: software_vendor
+ type: keyword
+ description: Name of the software vendor.
+ - name: software_version
+ type: keyword
+ description: Version number of the software product.
diff --git a/packages/microsoft_defender_endpoint/elasticsearch/transform/latest_cdr_vuln/transform.yml b/packages/microsoft_defender_endpoint/elasticsearch/transform/latest_cdr_vuln/transform.yml
index ba26d4dea6e..4d54fa3eed3 100644
--- a/packages/microsoft_defender_endpoint/elasticsearch/transform/latest_cdr_vuln/transform.yml
+++ b/packages/microsoft_defender_endpoint/elasticsearch/transform/latest_cdr_vuln/transform.yml
@@ -10,7 +10,7 @@ source:
- exists:
field: resource.id
dest:
- index: "security_solution-microsoft_defender_endpoint.vulnerability_latest-v1"
+ index: "security_solution-microsoft_defender_endpoint.vulnerability_latest-v2"
aliases:
- alias: "security_solution-microsoft_defender_endpoint.vulnerability_latest"
move_on_creation: true
@@ -37,4 +37,4 @@ _meta:
managed: true
# Bump this version to delete, reinstall, and restart the transform during package.
# Version bump is needed if there is any code change in transform.
- fleet_transform_version: 0.1.0
+ fleet_transform_version: 0.2.0
diff --git a/packages/microsoft_defender_endpoint/img/microsoft_defender_endpoint-vulnerability_overview.png b/packages/microsoft_defender_endpoint/img/microsoft_defender_endpoint-vulnerability_overview.png
index e5b735db298..78d286040d5 100644 Binary files a/packages/microsoft_defender_endpoint/img/microsoft_defender_endpoint-vulnerability_overview.png and b/packages/microsoft_defender_endpoint/img/microsoft_defender_endpoint-vulnerability_overview.png differ
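Review bot: Four of the new `vulnerability` fields are added without a `description` — `cve_batch_title`, `cve_batch_url`, `is_onboarded` and `rbac_group_id` — while every other added field in this hunk documents itself, so the generated fields table ends up with empty cells exactly for the fields whose meaning is least obvious. Proposed text, hedged where the hunk does not show the semantics: `description: Title of the vendor CVE batch (advisory data set) the finding was derived from.` for `cve_batch_title`, `description: URL of the vendor CVE batch data source the finding was derived from; the sample event shows an OVAL feed URL.` for `cve_batch_url`, `description: Whether the device is onboarded to Microsoft Defender for Endpoint.` for `is_onboarded`, and `description: Identifier of the device's role-based access control (RBAC) group; pairs with rbac_group_name.` for `rbac_group_id`. Separately, `cvss_score` is documented only as "The CVSS score of the CVE" whereas the removed `cvss_v3` named the version, and the updated sample event no longer carries `vulnerability.score.version`; if the export reports a CVSS v3 base score say so in the description, and if the API does not state the version note that explicitly so consumers do not compare it against v2/v4 scores from other scanners.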
diff --git a/packages/microsoft_defender_endpoint/kibana/dashboard/microsoft_defender_endpoint-afb93ff7-9903-4d91-9028-9fe9c5a434f8.json b/packages/microsoft_defender_endpoint/kibana/dashboard/microsoft_defender_endpoint-afb93ff7-9903-4d91-9028-9fe9c5a434f8.json index c9cfc943192..c874245c2cf 100644 --- a/packages/microsoft_defender_endpoint/kibana/dashboard/microsoft_defender_endpoint-afb93ff7-9903-4d91-9028-9fe9c5a434f8.json +++ b/packages/microsoft_defender_endpoint/kibana/dashboard/microsoft_defender_endpoint-afb93ff7-9903-4d91-9028-9fe9c5a434f8.json @@ -39,14 +39,16 @@ "a5663e6a-f7f7-4e77-ae24-5b54abad99d2": { "explicitInput": { "dataViewId": "logs-*", - "fieldName": "microsoft_defender_endpoint.vulnerability.affected_machine.exposure_level", + "exclude": false, + "existsSelected": false, + "fieldName": "microsoft_defender_endpoint.vulnerability.exploitability_level", "searchTechnique": "prefix", "selectedOptions": [], "sort": { "by": "_count", "direction": "desc" }, - "title": "Exposure Level" + "title": "Exploitability Level" }, "grow": true, "order": 2, @@ -56,14 +58,16 @@ "e7dd70a2-2ddd-4dfb-a2a3-b96bfa5b2d08": { "explicitInput": { "dataViewId": "logs-*", - "fieldName": "host.risk.calculated_level", + "exclude": false, + "existsSelected": false, + "fieldName": "host.name", "searchTechnique": "prefix", "selectedOptions": [], "sort": { "by": "_count", "direction": "desc" }, - "title": "Risk Calculated Level" + "title": "Machine Name" }, "grow": true, "order": 3, 
@@ -140,6 +144,28 @@ "useMargins": true }, "panelsJSON": [ + { + "embeddableConfig": { + "description": "", + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "savedObjectId": "microsoft_defender_endpoint-4f3a6702-9642-4392-9b34-ceb1447e09a7", + "title": "Table of Contents" + }, + "gridData": { + "h": 35, + "i": "72697a0d-690e-496e-9809-389acd1c5cc6", + "w": 10, + "x": 0, + "y": 0 + }, + "panelIndex": "72697a0d-690e-496e-9809-389acd1c5cc6", + "panelRefName": "panel_72697a0d-690e-496e-9809-389acd1c5cc6", + "type": "visualization" + }, { "embeddableConfig": { "attributes": { @@ -147,7 +173,17 @@ "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-layer-bb5c3bc7-2da1-4a15-b588-9e2fcda80836", + "name": "indexpattern-datasource-layer-d448b66c-867d-4229-b46b-098a674230f6", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "06719d2c-30c4-4bef-b7e8-e62519673a6d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "77b10750-e06c-48a7-aa22-dbbca30bfe4b", "type": "index-pattern" } ], 
@@ -155,57 +191,22 @@ "adHocDataViews": {}, "datasourceStates": { "formBased": { - "currentIndexPatternId": "logs-*", "layers": { - "bb5c3bc7-2da1-4a15-b588-9e2fcda80836": { + "d448b66c-867d-4229-b46b-098a674230f6": { "columnOrder": [ - "b970edb6-7fb6-48f0-af44-b057acbebb37", - "d559fa87-35f2-4096-ba63-b938a3975194" + "9521f331-1199-450b-9f3d-dc1024c90024" ], "columns": { - "b970edb6-7fb6-48f0-af44-b057acbebb37": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Affected Host", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderAgg": { - "dataType": "number", - "isBucketed": false, - "label": "Count of vulnerability.id", - "operationType": "count", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "vulnerability.id" - }, - "orderBy": { - "type": "custom" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "secondaryFields": [], - "size": 10 - }, - "scale": "ordinal", - "sourceField": "host.name" - }, - "d559fa87-35f2-4096-ba63-b938a3975194": { + "9521f331-1199-450b-9f3d-dc1024c90024": { "customLabel": true, "dataType": "number", + "filter": { + "language": "kuery", + "query": "" + }, "isBucketed": false, - "label": "Count", - "operationType": "count", + "label": "Total Verified Exploit Vulnerability", + "operationType": "unique_count", "params": { "emptyAsNull": false, "format": { @@ -220,7 +221,6 @@ } }, "incompleteColumns": {}, - "indexPatternId": "logs-*", "sampling": 1 } } 
@@ -232,29 +232,70 @@ "layers": {} } }, - "filters": [], + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "microsoft_defender_endpoint.vulnerability.exploitability_level", + "index": "06719d2c-30c4-4bef-b7e8-e62519673a6d", + "key": "microsoft_defender_endpoint.vulnerability.exploitability_level", + "negate": false, + "params": { + "query": "ExploitIsVerified" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "microsoft_defender_endpoint.vulnerability.exploitability_level": "ExploitIsVerified" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "77b10750-e06c-48a7-aa22-dbbca30bfe4b", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "microsoft_defender_endpoint.vulnerability" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "microsoft_defender_endpoint.vulnerability" + } + } + } + ], "internalReferences": [], "query": { "language": "kuery", "query": "" }, "visualization": { - "columns": [ - { - "columnId": "b970edb6-7fb6-48f0-af44-b057acbebb37", - "width": 357.5 - }, - { - "columnId": "d559fa87-35f2-4096-ba63-b938a3975194" - } - ], - "layerId": "bb5c3bc7-2da1-4a15-b588-9e2fcda80836", - "layerType": "data" + "color": "#6092C0", + "layerId": "d448b66c-867d-4229-b46b-098a674230f6", + "layerType": "data", + "metricAccessor": "9521f331-1199-450b-9f3d-dc1024c90024", + "secondaryTrend": { + "type": "none" + } } }, - "title": "Top 10 Affected Host with Highest Vulnerability", + "title": "Total Verified Exploit Vulnerabilities", "type": "lens", - "visualizationType": "lnsDatatable" + "visualizationType": "lnsMetric" }, "description": "", "enhancements": { 
@@ -262,25 +303,70 @@ "events": [] } }, - "filters": [], - "hidePanelTitles": false, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "microsoft_defender_endpoint.vulnerability.exploitability_level", + "index": "06719d2c-30c4-4bef-b7e8-e62519673a6d", + "key": "microsoft_defender_endpoint.vulnerability.exploitability_level", + "negate": false, + "params": { + "query": "ExploitIsVerified" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "microsoft_defender_endpoint.vulnerability.exploitability_level": "ExploitIsVerified" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "77b10750-e06c-48a7-aa22-dbbca30bfe4b", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "microsoft_defender_endpoint.vulnerability" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "microsoft_defender_endpoint.vulnerability" + } + } + } + ], + "hidePanelTitles": true, "query": { "language": "kuery", "query": "" }, "syncColors": false, "syncCursor": true, - "syncTooltips": false + "syncTooltips": false, + "title": "Total Verified Exploit Vulnerabilities [Logs Microsoft Defender Endpoint] " }, "gridData": { - "h": 17, - "i": "1fc86dc4-4bd3-4484-9622-f6d14a335bed", - "w": 24, - "x": 0, - "y": 50 + "h": 6, + "i": "4ba0a469-16ee-4f04-ae89-a2aa29e299f1", + "w": 8, + "x": 10, + "y": 0 }, - "panelIndex": "1fc86dc4-4bd3-4484-9622-f6d14a335bed", - "title": "Top 10 Affected Host with Highest Vulnerability [Logs Microsoft Defender Endpoint]", + "panelIndex": "4ba0a469-16ee-4f04-ae89-a2aa29e299f1", "type": "lens" }, { 
@@ -290,7 +376,12 @@ "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-layer-93fbd5b8-bcdd-402b-9efb-2a24a2da900f", + "name": "indexpattern-datasource-layer-693c18a1-a856-4f59-a87e-6f58ecb73834", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6e2ba459-1b0d-4d52-bd11-82013ce53178", "type": "index-pattern" } ], @@ -298,49 +389,20 @@ "adHocDataViews": {}, "datasourceStates": { "formBased": { - "currentIndexPatternId": "logs-*", "layers": { - "93fbd5b8-bcdd-402b-9efb-2a24a2da900f": { + "693c18a1-a856-4f59-a87e-6f58ecb73834": { "columnOrder": [ - "1ed5fdf0-b270-4d55-9f27-f2f5dd92b828", - "26f9a0ca-049e-4084-86bb-b709d7ec37bf" + "f70ba21e-c3f3-4541-9690-3d5bddf9a19d", + "689d4347-c58d-469b-8703-104286c8497a" ], "columns": { - "1ed5fdf0-b270-4d55-9f27-f2f5dd92b828": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Affected software product", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderBy": { - "columnId": "26f9a0ca-049e-4084-86bb-b709d7ec37bf", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "secondaryFields": [], - "size": 10 - }, - "scale": "ordinal", - "sourceField": "package.name" - }, - "26f9a0ca-049e-4084-86bb-b709d7ec37bf": { - "customLabel": true, + "689d4347-c58d-469b-8703-104286c8497a": { "dataType": "number", "isBucketed": false, - "label": "Count", - "operationType": "count", + "label": "Unique count of event.id", + "operationType": "unique_count", "params": { - "emptyAsNull": false, + "emptyAsNull": true, "format": { "id": "number", "params": { 
@@ -348,12 +410,25 @@ } } }, - "scale": "ratio", - "sourceField": "vulnerability.id" + "sourceField": "event.id" + }, + "f70ba21e-c3f3-4541-9690-3d5bddf9a19d": { + "customLabel": true, + "dataType": "date", + "isBucketed": true, + "label": "Vulnerability Last Seen On Time", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "ignoreTimeRange": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "microsoft_defender_endpoint.vulnerability.last_seen_timestamp" } }, "incompleteColumns": {}, - "indexPatternId": "logs-*", "sampling": 1 } } 
@@ -365,28 +440,103 @@ "layers": {} } }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "columns": [ - { - "columnId": "1ed5fdf0-b270-4d55-9f27-f2f5dd92b828" - }, - { - "columnId": "26f9a0ca-049e-4084-86bb-b709d7ec37bf" + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "6e2ba459-1b0d-4d52-bd11-82013ce53178", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "microsoft_defender_endpoint.vulnerability" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "microsoft_defender_endpoint.vulnerability" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "Linear", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "689d4347-c58d-469b-8703-104286c8497a" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rules": [ + { + "type": "other" + } + ], + "touched": false + } + ] + }, + "layerId": "693c18a1-a856-4f59-a87e-6f58ecb73834", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "xAccessor": "f70ba21e-c3f3-4541-9690-3d5bddf9a19d" } ], - "layerId": "93fbd5b8-bcdd-402b-9efb-2a24a2da900f", - "layerType": "data" + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": false, + "showSingleSeries": false + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": 
true + }, + "valueLabels": "hide" } }, - "title": "Top 10 Affected software product", + "title": "Vulnerabilities time line over First Seen", "type": "lens", - "visualizationType": "lnsDatatable" + "visualizationType": "lnsXY" }, "description": "", "enhancements": { @@ -394,7 +544,30 @@ "events": [] } }, - "filters": [], + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "6e2ba459-1b0d-4d52-bd11-82013ce53178", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "microsoft_defender_endpoint.vulnerability" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "microsoft_defender_endpoint.vulnerability" + } + } + } + ], "hidePanelTitles": false, "query": { "language": "kuery", 
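Review bot: The lens attribute title `"Vulnerabilities time line over First Seen"` contradicts the layer it names: the x-axis column added in the preceding hunk (@@ -348,12 +410,25 @@) buckets `microsoft_defender_endpoint.vulnerability.last_seen_timestamp` and is labelled "Vulnerability Last Seen On Time", and the panel title set in the following hunk reads "Vulnerability over Last Seen Time". Suggest `"title": "Vulnerabilities over Last Seen Time",` so the saved-object title, the column label and the panel title agree; a separate first-seen timeline panel is added further down in this file. The enclosing lens attributes object starts outside this hunk.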
@@ -402,65 +575,19 @@ }, "syncColors": false, "syncCursor": true, - "syncTooltips": false + "syncTooltips": false, + "title": "Vulnerability over Last Seen Time [Logs Microsoft Defender Endpoint]" }, "gridData": { - "h": 17, - "i": "6d64f578-66e2-49f3-ae06-911dae110ee7", - "w": 24, - "x": 24, - "y": 50 + "h": 18, + "i": "d50a1111-11a2-4540-b788-dd116022b873", + "w": 30, + "x": 18, + "y": 0 }, - "panelIndex": "6d64f578-66e2-49f3-ae06-911dae110ee7", - "title": "Top 10 Affected Software Product [Logs Microsoft Defender Endpoint]", + "panelIndex": "d50a1111-11a2-4540-b788-dd116022b873", "type": "lens" }, - { - "embeddableConfig": { - "description": "", - "enhancements": { - "dynamicActions": { - "events": [] - } - }, - "grid": { - "columns": { - "@timestamp": { - "width": 208 - }, - "host.id": { - "width": 299 - }, - "host.ip": { - "width": 140 - }, - "host.name": { - "width": 120 - }, - "host.risk.calculated_level": { - "width": 121 - }, - "microsoft_defender_endpoint.vulnerability.affected_machine.last_seen": { - "width": 246 - }, - "microsoft_defender_endpoint.vulnerability.updated_on": { - "width": 222 - } - } - } - }, - "gridData": { - "h": 22, - "i": "c457e5a3-7fc2-407c-b4a6-73cbca5c0406", - "w": 48, - "x": 0, - "y": 67 - }, - "panelIndex": "c457e5a3-7fc2-407c-b4a6-73cbca5c0406", - "panelRefName": "panel_c457e5a3-7fc2-407c-b4a6-73cbca5c0406", - "title": "Affected Machines Essential Details [Logs Microsoft Defender Endpoint]", - "type": "search" - }, { "embeddableConfig": { "attributes": { @@ -468,7 +595,17 @@ "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-layer-4f129361-0c18-4ba1-9994-a1e4e565c1e5", + "name": "indexpattern-datasource-layer-59044096-edd2-4c17-9b59-05fcfc384e6b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "9b2cbfaa-e531-48a9-84e2-f1567978697f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c853bfd8-b76a-4ef3-8e6d-a3ba8fdfed62", "type": "index-pattern" } ], 
@@ -476,19 +613,21 @@ "adHocDataViews": {}, "datasourceStates": { "formBased": { - "currentIndexPatternId": "logs-*", "layers": { - "4f129361-0c18-4ba1-9994-a1e4e565c1e5": { + "59044096-edd2-4c17-9b59-05fcfc384e6b": { "columnOrder": [ - "882ebbcb-876b-44c8-a9cd-a9eca6ed2465", - "1470f546-f38d-4cc4-90b3-7a4c9ce856e7" + "ebbe371e-c41c-404a-b40e-b28610cdcab8" ], "columns": { - "1470f546-f38d-4cc4-90b3-7a4c9ce856e7": { + "ebbe371e-c41c-404a-b40e-b28610cdcab8": { "customLabel": true, "dataType": "number", + "filter": { + "language": "kuery", + "query": "" + }, "isBucketed": false, - "label": "Unique Count of Machine ID", + "label": "Total Public Exploit Vulnerability", "operationType": "unique_count", "params": { "emptyAsNull": false, 
@@ -500,148 +639,85 @@ } }, "scale": "ratio", - "sourceField": "host.id" - }, - "882ebbcb-876b-44c8-a9cd-a9eca6ed2465": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Risk Calculated Level", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderBy": { - "columnId": "1470f546-f38d-4cc4-90b3-7a4c9ce856e7", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "secondaryFields": [], - "size": 5 - }, - "scale": "ordinal", - "sourceField": "host.risk.calculated_level" + "sourceField": "vulnerability.id" } }, "incompleteColumns": {}, - "indexPatternId": "logs-*", "sampling": 1 } } }, "indexpattern": { - "currentIndexPatternId": "logs-*", "layers": {} }, "textBased": { - "indexPatternRefs": [ - { - "id": "logs-*", - "timeField": "@timestamp", - "title": "logs-*" - } - ], "layers": {} } }, - "filters": [], + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "microsoft_defender_endpoint.vulnerability.exploitability_level", + "index": "9b2cbfaa-e531-48a9-84e2-f1567978697f", + "key": "microsoft_defender_endpoint.vulnerability.exploitability_level", + "negate": false, + "params": { + "query": "ExploitIsPublic" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "microsoft_defender_endpoint.vulnerability.exploitability_level": "ExploitIsPublic" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "c853bfd8-b76a-4ef3-8e6d-a3ba8fdfed62", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "microsoft_defender_endpoint.vulnerability" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "microsoft_defender_endpoint.vulnerability" + } + } + } 
+ ], "internalReferences": [], "query": { "language": "kuery", "query": "" }, "visualization": { - "layers": [ - { - "categoryDisplay": "default", - "colorMapping": { - "assignments": [ - { - "color": { - "colorIndex": 9, - "paletteId": "eui_amsterdam_color_blind", - "type": "categorical" - }, - "rule": { - "type": "matchExactly", - "values": [ - "Critical" - ] - }, - "touched": true - }, - { - "color": { - "colorIndex": 7, - "paletteId": "eui_amsterdam_color_blind", - "type": "categorical" - }, - "rule": { - "type": "matchExactly", - "values": [ - "High" - ] - }, - "touched": true - }, - { - "color": { - "colorIndex": 1, - "paletteId": "eui_amsterdam_color_blind", - "type": "categorical" - }, - "rule": { - "type": "matchExactly", - "values": [ - "Medium" - ] - }, - "touched": true - } - ], - "colorMode": { - "type": "categorical" - }, - "paletteId": "eui_amsterdam_color_blind", - "specialAssignments": [ - { - "color": { - "type": "loop" - }, - "rule": { - "type": "other" - }, - "touched": false - } - ] - }, - "layerId": "4f129361-0c18-4ba1-9994-a1e4e565c1e5", - "layerType": "data", - "legendDisplay": "show", - "metrics": [ - "1470f546-f38d-4cc4-90b3-7a4c9ce856e7" - ], - "nestedLegend": false, - "numberDisplay": "percent", - "primaryGroups": [ - "882ebbcb-876b-44c8-a9cd-a9eca6ed2465" - ], - "truncateLegend": false - } - ], - "shape": "pie" + "color": "#6092C0", + "layerId": "59044096-edd2-4c17-9b59-05fcfc384e6b", + "layerType": "data", + "metricAccessor": "ebbe371e-c41c-404a-b40e-b28610cdcab8", + "secondaryTrend": { + "type": "none" + } } }, - "title": "Vulnerabilities by Severity", + "title": "Total Public Exploit Vulnerabilities", "type": "lens", - "visualizationType": "lnsPie" + "visualizationType": "lnsMetric" }, "description": "", "enhancements": { 
@@ -649,34 +725,84 @@ "events": [] } }, - "filters": [], + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "microsoft_defender_endpoint.vulnerability.exploitability_level", + "index": "9b2cbfaa-e531-48a9-84e2-f1567978697f", + "key": "microsoft_defender_endpoint.vulnerability.exploitability_level", + "negate": false, + "params": { + "query": "ExploitIsPublic" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "microsoft_defender_endpoint.vulnerability.exploitability_level": "ExploitIsPublic" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "c853bfd8-b76a-4ef3-8e6d-a3ba8fdfed62", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "microsoft_defender_endpoint.vulnerability" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "microsoft_defender_endpoint.vulnerability" + } + } + } + ], + "hidePanelTitles": true, "query": { "language": "kuery", "query": "" }, "syncColors": false, "syncCursor": true, - "syncTooltips": false + "syncTooltips": false, + "title": "Total Public Exploit Vulnerabilities [Logs Microsoft Defender Endpoint]" }, "gridData": { - "h": 15, - "i": "cbade69a-97e6-4a08-8e43-4e0824a89840", - "w": 16, - "x": 32, - "y": 35 + "h": 6, + "i": "274078cb-5fb3-43cd-a025-1eb787e93a5e", + "w": 8, + "x": 10, + "y": 6 }, - "panelIndex": "cbade69a-97e6-4a08-8e43-4e0824a89840", - "title": "Affected Machines by Risk Calculated Level [Logs Microsoft Defender Endpoint]", + "panelIndex": "274078cb-5fb3-43cd-a025-1eb787e93a5e", "type": "lens" }, { "embeddableConfig": { "attributes": { - "description": "", "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-layer-95d5d85e-ec68-4d5f-a5e8-f69441a959c0", + "name": "indexpattern-datasource-layer-7f9d3821-7e68-4bb8-a189-190e04533a7d", + "type": "index-pattern" + }, + { 
+ "id": "logs-*", + "name": "fa90cf42-4b92-4502-8d7a-2cdb8ded2b9c", "type": "index-pattern" } ], @@ -684,48 +810,20 @@ "adHocDataViews": {}, "datasourceStates": { "formBased": { - "currentIndexPatternId": "logs-*", "layers": { - "95d5d85e-ec68-4d5f-a5e8-f69441a959c0": { + "7f9d3821-7e68-4bb8-a189-190e04533a7d": { "columnOrder": [ - "8b2f13ef-1b5c-42c2-8bae-79f02213e95b", - "9f2f59ce-ffd5-42ca-a6b3-def879393810" + "f2dc92c3-ebd9-4846-98ce-bda90b9c7505" ], "columns": { - "8b2f13ef-1b5c-42c2-8bae-79f02213e95b": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "CVE Supportability ", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderBy": { - "columnId": "9f2f59ce-ffd5-42ca-a6b3-def879393810", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "microsoft_defender_endpoint.vulnerability.cve_supportability" - }, - "9f2f59ce-ffd5-42ca-a6b3-def879393810": { + "f2dc92c3-ebd9-4846-98ce-bda90b9c7505": { "customLabel": true, "dataType": "number", "isBucketed": false, - "label": "Unique Count of Vulnerability ID", + "label": "Total Affected Softwares", "operationType": "unique_count", "params": { - "emptyAsNull": false, + "emptyAsNull": true, "format": { "id": "number", "params": { 
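Review bot: The metric column label `"Total Affected Softwares"` uses a non-standard plural and disagrees with the panel title set in the next hunk (@@ -733,105 +831,112 @@), "Total Affected Products [Logs Microsoft Defender Endpoint]"; suggest `"label": "Total Affected Products",`. In that same next hunk the lens attribute `"title": ""` is left empty, while the sibling metric panels in this diff (Total Verified Exploit Vulnerabilities, Total Public Exploit Vulnerabilities) carry a descriptive attribute title, so `"title": "Total Affected Products",` keeps the panels consistent and gives the saved object a name if it is ever rendered outside this dashboard. The enclosing panel object starts outside this hunk.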
@@ -733,105 +831,112 @@ } } }, - "scale": "ratio", - "sourceField": "vulnerability.id" + "sourceField": "package.name" } }, + "ignoreGlobalFilters": false, "incompleteColumns": {}, - "indexPatternId": "logs-*", "sampling": 1 } } }, "indexpattern": { - "currentIndexPatternId": "logs-*", "layers": {} }, "textBased": { - "indexPatternRefs": [ - { - "id": "logs-*", - "timeField": "@timestamp", - "title": "logs-*" - } - ], "layers": {} } }, - "filters": [], + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "fa90cf42-4b92-4502-8d7a-2cdb8ded2b9c", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "microsoft_defender_endpoint.vulnerability" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "microsoft_defender_endpoint.vulnerability" + } + } + } + ], "internalReferences": [], "query": { "language": "kuery", "query": "" }, "visualization": { - "layers": [ - { - "categoryDisplay": "default", - "colorMapping": { - "assignments": [], - "colorMode": { - "type": "categorical" - }, - "paletteId": "eui_amsterdam_color_blind", - "specialAssignments": [ - { - "color": { - "type": "loop" - }, - "rule": { - "type": "other" - }, - "touched": false - } - ] - }, - "layerId": "95d5d85e-ec68-4d5f-a5e8-f69441a959c0", - "layerType": "data", - "legendDisplay": "show", - "legendSize": "large", - "metrics": [ - "9f2f59ce-ffd5-42ca-a6b3-def879393810" - ], - "nestedLegend": false, - "numberDisplay": "percent", - "primaryGroups": [ - "8b2f13ef-1b5c-42c2-8bae-79f02213e95b" - ], - "truncateLegend": false - } - ], - "shape": "pie" + "color": "#6092C0", + "layerId": "7f9d3821-7e68-4bb8-a189-190e04533a7d", + "layerType": "data", + "metricAccessor": "f2dc92c3-ebd9-4846-98ce-bda90b9c7505", + "secondaryTrend": { + "type": "none" + } } }, - "title": "Vulnerabilities by CVE Supportability ", + "title": "", "type": "lens", - 
"visualizationType": "lnsPie" + "visualizationType": "lnsMetric" }, - "description": "", "enhancements": { "dynamicActions": { "events": [] } }, - "filters": [], + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "fa90cf42-4b92-4502-8d7a-2cdb8ded2b9c", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "microsoft_defender_endpoint.vulnerability" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "microsoft_defender_endpoint.vulnerability" + } + } + } + ], + "hidePanelTitles": true, "query": { "language": "kuery", "query": "" }, "syncColors": false, "syncCursor": true, - "syncTooltips": false + "syncTooltips": false, + "title": "Total Affected Products [Logs Microsoft Defender Endpoint]" }, "gridData": { - "h": 15, - "i": "3f1d140f-1e01-4d38-a8ca-2ef62ca71315", - "w": 16, - "x": 0, - "y": 35 + "h": 6, + "i": "2bb8f3a4-3123-413d-aacc-2e7c2721b468", + "w": 8, + "x": 10, + "y": 12 }, - "panelIndex": "3f1d140f-1e01-4d38-a8ca-2ef62ca71315", - "title": "Vulnerability by CVE Supportability [Logs Microsoft Defender Endpoint] ", + "panelIndex": "2bb8f3a4-3123-413d-aacc-2e7c2721b468", "type": "lens" }, { @@ -841,7 +946,12 @@ "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-layer-4f129361-0c18-4ba1-9994-a1e4e565c1e5", + "name": "indexpattern-datasource-layer-c2ecbde4-fc03-46a3-a001-d384d24c2c0b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ce9d0fcb-8642-4dd0-b2a9-3ed89cbdd88e", "type": "index-pattern" } ], 
@@ -849,19 +959,18 @@ "adHocDataViews": {}, "datasourceStates": { "formBased": { - "currentIndexPatternId": "logs-*", "layers": { - "4f129361-0c18-4ba1-9994-a1e4e565c1e5": { + "c2ecbde4-fc03-46a3-a001-d384d24c2c0b": { "columnOrder": [ - "882ebbcb-876b-44c8-a9cd-a9eca6ed2465", - "1470f546-f38d-4cc4-90b3-7a4c9ce856e7" + "4ab972e9-380a-426c-98e1-7acd0b9125d1", + "08b3cac5-98c3-4192-ad0f-0ca04e9e4b20" ], "columns": { - "1470f546-f38d-4cc4-90b3-7a4c9ce856e7": { + "08b3cac5-98c3-4192-ad0f-0ca04e9e4b20": { "customLabel": true, "dataType": "number", "isBucketed": false, - "label": "Unique Count of Vulnerability ID", + "label": "Count", "operationType": "unique_count", "params": { "emptyAsNull": false, 
@@ -875,109 +984,87 @@ "scale": "ratio", "sourceField": "vulnerability.id" }, - "882ebbcb-876b-44c8-a9cd-a9eca6ed2465": { + "4ab972e9-380a-426c-98e1-7acd0b9125d1": { "customLabel": true, - "dataType": "string", + "dataType": "date", "isBucketed": true, - "label": "Severity ", - "operationType": "terms", + "label": "Vulnerabillity First Seen", + "operationType": "date_histogram", "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderBy": { - "columnId": "1470f546-f38d-4cc4-90b3-7a4c9ce856e7", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 5 + "dropPartials": false, + "ignoreTimeRange": true, + "includeEmptyRows": false, + "interval": "5m" }, - "scale": "ordinal", - "sourceField": "vulnerability.severity" + "scale": "interval", + "sourceField": "microsoft_defender_endpoint.vulnerability.first_seen_timestamp" } }, "incompleteColumns": {}, - "indexPatternId": "logs-*", "sampling": 1 } } }, "indexpattern": { - "currentIndexPatternId": "logs-*", "layers": {} }, "textBased": { - "indexPatternRefs": [ - { - "id": "logs-*", - "timeField": "@timestamp", - "title": "logs-*" - } - ], "layers": {} } }, - "filters": [], + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "ce9d0fcb-8642-4dd0-b2a9-3ed89cbdd88e", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "microsoft_defender_endpoint.vulnerability" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "microsoft_defender_endpoint.vulnerability" + } + } + } + ], "internalReferences": [], "query": { "language": "kuery", "query": "" }, "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "Linear", + "gridlinesVisibilitySettings": { + "x": 
true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, "layers": [ { - "categoryDisplay": "default", + "accessors": [ + "08b3cac5-98c3-4192-ad0f-0ca04e9e4b20" + ], "colorMapping": { - "assignments": [ - { - "color": { - "colorIndex": 9, - "paletteId": "eui_amsterdam_color_blind", - "type": "categorical" - }, - "rule": { - "type": "matchExactly", - "values": [ - "Critical" - ] - }, - "touched": true - }, - { - "color": { - "colorIndex": 7, - "paletteId": "eui_amsterdam_color_blind", - "type": "categorical" - }, - "rule": { - "type": "matchExactly", - "values": [ - "High" - ] - }, - "touched": true - }, - { - "color": { - "colorIndex": 1, - "paletteId": "eui_amsterdam_color_blind", - "type": "categorical" - }, - "rule": { - "type": "matchExactly", - "values": [ - "Medium" - ] - }, - "touched": true - } - ], + "assignments": [], "colorMode": { "type": "categorical" }, 
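Review bot: The new date-histogram column label `"Vulnerabillity First Seen"` contains a typo that will be shown as the chart's x-axis title; suggest `"label": "Vulnerability First Seen",`. The same column sets `"ignoreTimeRange": true` together with a fixed `"interval": "5m"`, whereas the other time-series panel in this diff (Vulnerability over Last Seen Time, hunk @@ -348,12 +410,25 @@) uses `"ignoreTimeRange": false` and `"interval": "auto"`; if that difference is not deliberate, fixed five-minute buckets over the whole data range can grow to a very large bucket count on a long-lived data stream, so `"interval": "auto"` is the safer choice. The enclosing column mapping continues past this hunk.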
@@ -987,33 +1074,44 @@ "color": { "type": "loop" }, - "rule": { - "type": "other" - }, + "rules": [ + { + "type": "other" + } + ], "touched": false } ] }, - "layerId": "4f129361-0c18-4ba1-9994-a1e4e565c1e5", + "layerId": "c2ecbde4-fc03-46a3-a001-d384d24c2c0b", "layerType": "data", - "legendDisplay": "show", - "metrics": [ - "1470f546-f38d-4cc4-90b3-7a4c9ce856e7" - ], - "nestedLegend": false, - "numberDisplay": "percent", - "primaryGroups": [ - "882ebbcb-876b-44c8-a9cd-a9eca6ed2465" - ], - "truncateLegend": false + "position": "top", + "seriesType": "line", + "showGridlines": false, + "xAccessor": "4ab972e9-380a-426c-98e1-7acd0b9125d1" } ], - "shape": "pie" + "legend": { + "isInside": false, + "isVisible": true, + "legendSize": "auto", + "legendStats": [], + "position": "right", + "shouldTruncate": false, + "showSingleSeries": false + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" } }, - "title": "Vulnerabilities by Severity", + "title": "Vulnerabilities over Time", "type": "lens", - "visualizationType": "lnsPie" + "visualizationType": "lnsXY" }, "description": "", "enhancements": { 
@@ -1021,47 +1119,49 @@ "events": [] } }, - "filters": [], + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "ce9d0fcb-8642-4dd0-b2a9-3ed89cbdd88e", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "microsoft_defender_endpoint.vulnerability" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "microsoft_defender_endpoint.vulnerability" + } + } + } + ], "query": { "language": "kuery", "query": "" }, "syncColors": false, "syncCursor": true, - "syncTooltips": false + "syncTooltips": false, + "title": "Vulnerability over First Seen [Logs Microsoft Defender Endpoint]" }, "gridData": { "h": 17, - "i": "50be5d33-6110-4584-8163-29335c338697", - "w": 16, - "x": 32, + "i": "cd4342af-24cb-4c1c-b72f-3e0f9de7f394", + "w": 22, + "x": 10, "y": 18 }, - "panelIndex": "50be5d33-6110-4584-8163-29335c338697", - "title": "Vulnerability by Severity [Logs Microsoft Defender Endpoint] ", + "panelIndex": "cd4342af-24cb-4c1c-b72f-3e0f9de7f394", "type": "lens" }, - { - "embeddableConfig": { - "description": "", - "enhancements": { - "dynamicActions": { - "events": [] - } - } - }, - "gridData": { - "h": 35, - "i": "72697a0d-690e-496e-9809-389acd1c5cc6", - "w": 10, - "x": 0, - "y": 0 - }, - "panelIndex": "72697a0d-690e-496e-9809-389acd1c5cc6", - "panelRefName": "panel_72697a0d-690e-496e-9809-389acd1c5cc6", - "title": "Table of Contents", - "type": "visualization" - }, { "embeddableConfig": { "attributes": { @@ -1069,12 +1169,12 @@ "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-layer-d448b66c-867d-4229-b46b-098a674230f6", + "name": "indexpattern-datasource-layer-4f129361-0c18-4ba1-9994-a1e4e565c1e5", "type": "index-pattern" }, { "id": "logs-*", - "name": "cdc40fd4-75a6-4f65-aff2-ab1b69826140", + "name": "356a43be-cf4a-4118-b5ae-07b99665b7ee", "type": "index-pattern" } ], 
@@ -1083,20 +1183,17 @@ "datasourceStates": { "formBased": { "layers": { - "d448b66c-867d-4229-b46b-098a674230f6": { + "4f129361-0c18-4ba1-9994-a1e4e565c1e5": { "columnOrder": [ - "9521f331-1199-450b-9f3d-dc1024c90024" + "882ebbcb-876b-44c8-a9cd-a9eca6ed2465", + "1470f546-f38d-4cc4-90b3-7a4c9ce856e7" ], "columns": { - "9521f331-1199-450b-9f3d-dc1024c90024": { + "1470f546-f38d-4cc4-90b3-7a4c9ce856e7": { "customLabel": true, "dataType": "number", - "filter": { - "language": "kuery", - "query": "" - }, "isBucketed": false, - "label": "Total Verified Exploit Vulnerability", + "label": "Unique Count of Vulnerability ID", "operationType": "unique_count", "params": { "emptyAsNull": false, @@ -1109,6 +1206,32 @@ }, "scale": "ratio", "sourceField": "vulnerability.id" + }, + "882ebbcb-876b-44c8-a9cd-a9eca6ed2465": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Severity ", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "1470f546-f38d-4cc4-90b3-7a4c9ce856e7", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "vulnerability.severity" } }, "incompleteColumns": {}, 
@@ -1131,18 +1254,18 @@ "meta": { "alias": null, "disabled": false, - "field": "microsoft_defender_endpoint.vulnerability.exploit_verified", - "index": "cdc40fd4-75a6-4f65-aff2-ab1b69826140", - "key": "microsoft_defender_endpoint.vulnerability.exploit_verified", + "field": "data_stream.dataset", + "index": "356a43be-cf4a-4118-b5ae-07b99665b7ee", + "key": "data_stream.dataset", "negate": false, "params": { - "query": true + "query": "microsoft_defender_endpoint.vulnerability" }, "type": "phrase" }, "query": { "match_phrase": { - "microsoft_defender_endpoint.vulnerability.exploit_verified": true + "data_stream.dataset": "microsoft_defender_endpoint.vulnerability" } } } 
@@ -1153,64 +1276,140 @@ "query": "" }, "visualization": { - "color": "#6092C0", - "layerId": "d448b66c-867d-4229-b46b-098a674230f6", - "layerType": "data", - "metricAccessor": "9521f331-1199-450b-9f3d-dc1024c90024" - } - }, - "title": "Total Verified Exploit Vulnerabilities", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "description": "", - "enhancements": { - "dynamicActions": { - "events": [] - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "microsoft_defender_endpoint.vulnerability.exploit_verified", - "index": "logs-*", - "key": "microsoft_defender_endpoint.vulnerability.exploit_verified", - "negate": false, - "params": { - "query": true - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "microsoft_defender_endpoint.vulnerability.exploit_verified": true - } - } - } - ], - "hidePanelTitles": true, + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [ + { + "color": { + "colorIndex": 9, + "paletteId": "eui_amsterdam_color_blind", + "type": "categorical" + }, + "rules": [ + { + "type": "raw", + "value": "Critical" + } + ], + "touched": true + }, + { + "color": { + "colorIndex": 7, + "paletteId": "eui_amsterdam_color_blind", + "type": "categorical" + }, + "rules": [ + { + "type": "raw", + "value": "High" + } + ], + "touched": true + }, + { + "color": { + "colorIndex": 1, + "paletteId": "eui_amsterdam_color_blind", + "type": "categorical" + }, + "rules": [ + { + "type": "raw", + "value": "Medium" + } + ], + "touched": true + } + ], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rules": [ + { + "type": "other" + } + ], + "touched": false + } + ] + }, + "layerId": "4f129361-0c18-4ba1-9994-a1e4e565c1e5", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "1470f546-f38d-4cc4-90b3-7a4c9ce856e7" + ], + 
"nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "882ebbcb-876b-44c8-a9cd-a9eca6ed2465" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "Vulnerabilities by Severity", + "type": "lens", + "visualizationType": "lnsPie" + }, + "description": "", + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "356a43be-cf4a-4118-b5ae-07b99665b7ee", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "microsoft_defender_endpoint.vulnerability" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "microsoft_defender_endpoint.vulnerability" + } + } + } + ], "query": { "language": "kuery", "query": "" }, "syncColors": false, "syncCursor": true, - "syncTooltips": false + "syncTooltips": false, + "title": "Vulnerability by Severity [Logs Microsoft Defender Endpoint] " }, "gridData": { - "h": 6, - "i": "4ba0a469-16ee-4f04-ae89-a2aa29e299f1", - "w": 8, - "x": 10, - "y": 0 + "h": 17, + "i": "50be5d33-6110-4584-8163-29335c338697", + "w": 16, + "x": 32, + "y": 18 }, - "panelIndex": "4ba0a469-16ee-4f04-ae89-a2aa29e299f1", - "title": "Total Verified Exploit Vulnerabilities [Logs Microsoft Defender Endpoint] ", + "panelIndex": "50be5d33-6110-4584-8163-29335c338697", "type": "lens" }, { @@ -1220,12 +1419,12 @@ "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-layer-59044096-edd2-4c17-9b59-05fcfc384e6b", + "name": "indexpattern-datasource-layer-95d5d85e-ec68-4d5f-a5e8-f69441a959c0", "type": "index-pattern" }, { "id": "logs-*", - "name": "6a1c3042-4087-44c0-a950-624946feea03", + "name": "90ca1d8b-cc56-45e9-846e-cd550f63eb55", "type": "index-pattern" } ], 
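Review bot: The panel title `"Vulnerability by Severity [Logs Microsoft Defender Endpoint] "` carries a trailing space, as does the terms column label `"Severity "` in hunk @@ -1109,6 +1206,32 @@; both are carried over verbatim from the old panel definition that this diff removes and re-adds. Trailing whitespace is invisible in the UI but makes the committed saved object differ from any later re-export and shows up as noise in future diffs. Suggest `"title": "Vulnerability by Severity [Logs Microsoft Defender Endpoint]",` and `"label": "Severity",`.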
@@ -1234,20 +1433,43 @@ "datasourceStates": { "formBased": { "layers": { - "59044096-edd2-4c17-9b59-05fcfc384e6b": { + "95d5d85e-ec68-4d5f-a5e8-f69441a959c0": { "columnOrder": [ - "ebbe371e-c41c-404a-b40e-b28610cdcab8" + "8b2f13ef-1b5c-42c2-8bae-79f02213e95b", + "9f2f59ce-ffd5-42ca-a6b3-def879393810" ], "columns": { - "ebbe371e-c41c-404a-b40e-b28610cdcab8": { + "8b2f13ef-1b5c-42c2-8bae-79f02213e95b": { "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "" + "dataType": "string", + "isBucketed": true, + "label": "Exploitability Level", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "9f2f59ce-ffd5-42ca-a6b3-def879393810", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 }, + "scale": "ordinal", + "sourceField": "microsoft_defender_endpoint.vulnerability.exploitability_level" + }, + "9f2f59ce-ffd5-42ca-a6b3-def879393810": { + "customLabel": true, + "dataType": "number", "isBucketed": false, - "label": "Total Public Exploit Vulnerability", + "label": "Unique Count of Vulnerability ID", "operationType": "unique_count", "params": { "emptyAsNull": false, @@ -1282,18 +1504,18 @@ "meta": { "alias": null, "disabled": false, - "field": "microsoft_defender_endpoint.vulnerability.public_exploit", - "index": "6a1c3042-4087-44c0-a950-624946feea03", - "key": "microsoft_defender_endpoint.vulnerability.public_exploit", + "field": "data_stream.dataset", + "index": "90ca1d8b-cc56-45e9-846e-cd550f63eb55", + "key": "data_stream.dataset", "negate": false, "params": { - "query": true + "query": "microsoft_defender_endpoint.vulnerability" }, "type": "phrase" }, "query": { "match_phrase": { - "microsoft_defender_endpoint.vulnerability.public_exploit": true + "data_stream.dataset": "microsoft_defender_endpoint.vulnerability" } } } 
@@ -1304,15 +1526,50 @@
 "query": ""
 },
 "visualization": {
- "color": "#6092C0",
- "layerId": "59044096-edd2-4c17-9b59-05fcfc384e6b",
- "layerType": "data",
- "metricAccessor": "ebbe371e-c41c-404a-b40e-b28610cdcab8"
+ "layers": [
+ {
+ "categoryDisplay": "default",
+ "colorMapping": {
+ "assignments": [],
+ "colorMode": {
+ "type": "categorical"
+ },
+ "paletteId": "eui_amsterdam_color_blind",
+ "specialAssignments": [
+ {
+ "color": {
+ "type": "loop"
+ },
+ "rules": [
+ {
+ "type": "other"
+ }
+ ],
+ "touched": false
+ }
+ ]
+ },
+ "layerId": "95d5d85e-ec68-4d5f-a5e8-f69441a959c0",
+ "layerType": "data",
+ "legendDisplay": "show",
+ "legendSize": "large",
+ "metrics": [
+ "9f2f59ce-ffd5-42ca-a6b3-def879393810"
+ ],
+ "nestedLegend": false,
+ "numberDisplay": "percent",
+ "primaryGroups": [
+ "8b2f13ef-1b5c-42c2-8bae-79f02213e95b"
+ ],
+ "truncateLegend": false
+ }
+ ],
+ "shape": "pie"
 }
 },
- "title": "Total Public Exploit Vulnerabilities",
+ "title": "Vulnerabilities by CVE Supportability ",
 "type": "lens",
- "visualizationType": "lnsMetric"
+ "visualizationType": "lnsPie"
 },
 "description": "",
 "enhancements": {
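Review bot: The lens title `"title": "Vulnerabilities by CVE Supportability ",` does not describe what this layer shows: its primary group `8b2f13ef-1b5c-42c2-8bae-79f02213e95b` is the terms column on `microsoft_defender_endpoint.vulnerability.exploitability_level` (labelled "Exploitability Level" in the `@@ -1234` hunk), and the panel-level title in the following hunk reads "Vulnerability by Exploitability Level". Use `"title": "Vulnerabilities by Exploitability Level",`, which also drops the trailing space, so the inner and outer titles agree. The enclosing panel object starts and ends outside this hunk.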
@@ -1328,49 +1585,54 @@ "meta": { "alias": null, "disabled": false, - "field": "microsoft_defender_endpoint.vulnerability.public_exploit", - "index": "logs-*", - "key": "microsoft_defender_endpoint.vulnerability.public_exploit", + "field": "data_stream.dataset", + "index": "90ca1d8b-cc56-45e9-846e-cd550f63eb55", + "key": "data_stream.dataset", "negate": false, "params": { - "query": true + "query": "microsoft_defender_endpoint.vulnerability" }, "type": "phrase" }, "query": { "match_phrase": { - "microsoft_defender_endpoint.vulnerability.public_exploit": true + "data_stream.dataset": "microsoft_defender_endpoint.vulnerability" } } } ], - "hidePanelTitles": true, "query": { "language": "kuery", "query": "" }, "syncColors": false, "syncCursor": true, - "syncTooltips": false + "syncTooltips": false, + "title": "Vulnerability by Exploitability Level [Logs Microsoft Defender Endpoint] " }, "gridData": { - "h": 6, - "i": "274078cb-5fb3-43cd-a025-1eb787e93a5e", - "w": 8, - "x": 10, - "y": 6 + "h": 15, + "i": "3f1d140f-1e01-4d38-a8ca-2ef62ca71315", + "w": 16, + "x": 0, + "y": 35 }, - "panelIndex": "274078cb-5fb3-43cd-a025-1eb787e93a5e", - "title": "Total Public Exploit Vulnerabilities [Logs Microsoft Defender Endpoint]", + "panelIndex": "3f1d140f-1e01-4d38-a8ca-2ef62ca71315", "type": "lens" }, { "embeddableConfig": { "attributes": { + "description": "", "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-layer-7f9d3821-7e68-4bb8-a189-190e04533a7d", + "name": "indexpattern-datasource-layer-f83347b5-978e-4753-a26a-d40d0a549867", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "37746151-5590-448a-8479-591b0f3e4ad2", "type": "index-pattern" } ], 
@@ -1379,19 +1641,47 @@ "datasourceStates": { "formBased": { "layers": { - "7f9d3821-7e68-4bb8-a189-190e04533a7d": { + "f83347b5-978e-4753-a26a-d40d0a549867": { "columnOrder": [ - "f2dc92c3-ebd9-4846-98ce-bda90b9c7505" + "64974bb9-da5e-4df7-b627-40f953c6e2b4", + "bf620d80-f648-405b-94ac-3d6834fdb1a4" ], "columns": { - "f2dc92c3-ebd9-4846-98ce-bda90b9c7505": { + "64974bb9-da5e-4df7-b627-40f953c6e2b4": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "OS Platform", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "bf620d80-f648-405b-94ac-3d6834fdb1a4", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 5 + }, + "scale": "ordinal", + "sourceField": "host.os.platform" + }, + "bf620d80-f648-405b-94ac-3d6834fdb1a4": { "customLabel": true, "dataType": "number", "isBucketed": false, - "label": "Total Affected Products", - "operationType": "count", + "label": "Unique Count of Machine ID", + "operationType": "unique_count", "params": { - "emptyAsNull": true, + "emptyAsNull": false, "format": { "id": "number", "params": { @@ -1400,10 +1690,9 @@ } }, "scale": "ratio", - "sourceField": "microsoft_defender_endpoint.vulnerability.affected_machine.id" + "sourceField": "host.id" } }, - "ignoreGlobalFilters": false, "incompleteColumns": {}, "sampling": 1 } 
@@ -1416,155 +1705,39 @@ "layers": {} } }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "color": "#6092C0", - "layerId": "7f9d3821-7e68-4bb8-a189-190e04533a7d", - "layerType": "data", - "metricAccessor": "f2dc92c3-ebd9-4846-98ce-bda90b9c7505" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": { - "dynamicActions": { - "events": [] - } - }, - "filters": [], - "hidePanelTitles": true, - "query": { - "language": "kuery", - "query": "" - }, - "syncColors": false, - "syncCursor": true, - "syncTooltips": false - }, - "gridData": { - "h": 6, - "i": "2bb8f3a4-3123-413d-aacc-2e7c2721b468", - "w": 8, - "x": 10, - "y": 12 - }, - "panelIndex": "2bb8f3a4-3123-413d-aacc-2e7c2721b468", - "title": "Total Affected Products [Logs Microsoft Defender Endpoint]", - "type": "lens" - }, - { - "embeddableConfig": { - "attributes": { - "description": "", - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-693c18a1-a856-4f59-a87e-6f58ecb73834", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "currentIndexPatternId": "logs-*", - "layers": { - "693c18a1-a856-4f59-a87e-6f58ecb73834": { - "columnOrder": [ - "f70ba21e-c3f3-4541-9690-3d5bddf9a19d", - "689d4347-c58d-469b-8703-104286c8497a" - ], - "columns": { - "689d4347-c58d-469b-8703-104286c8497a": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Count", - "operationType": "count", - "params": { - "emptyAsNull": false, - "format": { - "id": "number", - "params": { - "decimals": 0 - } - } - }, - "scale": "ratio", - "sourceField": "___records___" - }, - "f70ba21e-c3f3-4541-9690-3d5bddf9a19d": { - "customLabel": true, - "dataType": "date", - "isBucketed": true, - "label": "Vulnerability Updated On Time", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - 
"ignoreTimeRange": true, - "includeEmptyRows": true, - "interval": "30d" - }, - "scale": "interval", - "sourceField": "microsoft_defender_endpoint.vulnerability.updated_on" - } - }, - "incompleteColumns": {}, - "indexPatternId": "logs-*", - "sampling": 1 + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "37746151-5590-448a-8479-591b0f3e4ad2", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "microsoft_defender_endpoint.vulnerability" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "microsoft_defender_endpoint.vulnerability" } } - }, - "indexpattern": { - "currentIndexPatternId": "logs-*", - "layers": {} - }, - "textBased": { - "indexPatternRefs": [ - { - "id": "logs-*", - "timeField": "@timestamp", - "title": "logs-*" - } - ], - "layers": {} } - }, - "filters": [], + ], "internalReferences": [], "query": { "language": "kuery", "query": "" }, "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "fittingFunction": "Linear", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, "layers": [ { - "accessors": [ - "689d4347-c58d-469b-8703-104286c8497a" - ], + "categoryDisplay": "default", "colorMapping": { "assignments": [], "colorMode": { 
@@ -1576,39 +1749,35 @@ "color": { "type": "loop" }, - "rule": { - "type": "other" - }, + "rules": [ + { + "type": "other" + } + ], "touched": false } ] }, - "layerId": "693c18a1-a856-4f59-a87e-6f58ecb73834", + "layerId": "f83347b5-978e-4753-a26a-d40d0a549867", "layerType": "data", - "position": "top", - "seriesType": "line", - "showGridlines": false, - "xAccessor": "f70ba21e-c3f3-4541-9690-3d5bddf9a19d" + "legendDisplay": "show", + "metrics": [ + "bf620d80-f648-405b-94ac-3d6834fdb1a4" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "64974bb9-da5e-4df7-b627-40f953c6e2b4" + ], + "truncateLegend": false } ], - "legend": { - "isVisible": true, - "position": "right", - "shouldTruncate": false, - "showSingleSeries": false - }, - "preferredSeriesType": "line", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide" + "shape": "pie" } }, - "title": "Vulnerabilities time line over First Seen", + "title": "OS Distribution of Affected Machines", "type": "lens", - "visualizationType": "lnsXY" + "visualizationType": "lnsPie" }, "description": "", "enhancements": { 
@@ -1616,25 +1785,47 @@ "events": [] } }, - "filters": [], - "hidePanelTitles": false, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "37746151-5590-448a-8479-591b0f3e4ad2", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "microsoft_defender_endpoint.vulnerability" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "microsoft_defender_endpoint.vulnerability" + } + } + } + ], "query": { "language": "kuery", "query": "" }, "syncColors": false, "syncCursor": true, - "syncTooltips": false + "syncTooltips": false, + "title": "Affected Machines by OS [Logs Microsoft Defender Endpoint]" }, "gridData": { - "h": 18, - "i": "d50a1111-11a2-4540-b788-dd116022b873", - "w": 30, - "x": 18, - "y": 0 + "h": 15, + "i": "be800cbb-a57d-440a-84e3-4233103d3bbb", + "w": 16, + "x": 16, + "y": 35 }, - "panelIndex": "d50a1111-11a2-4540-b788-dd116022b873", - "title": "Vulnerability over Time [Logs Microsoft Defender Endpoint]", + "panelIndex": "be800cbb-a57d-440a-84e3-4233103d3bbb", "type": "lens" }, { @@ -1644,7 +1835,12 @@ "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-layer-f83347b5-978e-4753-a26a-d40d0a549867", + "name": "indexpattern-datasource-layer-4f129361-0c18-4ba1-9994-a1e4e565c1e5", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ff5f8bfa-a72c-4af1-9151-dc02f0bb0e77", "type": "index-pattern" } ], 
@@ -1652,19 +1848,36 @@ "adHocDataViews": {}, "datasourceStates": { "formBased": { - "currentIndexPatternId": "logs-*", "layers": { - "f83347b5-978e-4753-a26a-d40d0a549867": { + "4f129361-0c18-4ba1-9994-a1e4e565c1e5": { "columnOrder": [ - "64974bb9-da5e-4df7-b627-40f953c6e2b4", - "bf620d80-f648-405b-94ac-3d6834fdb1a4" + "882ebbcb-876b-44c8-a9cd-a9eca6ed2465", + "1470f546-f38d-4cc4-90b3-7a4c9ce856e7" ], "columns": { - "64974bb9-da5e-4df7-b627-40f953c6e2b4": { + "1470f546-f38d-4cc4-90b3-7a4c9ce856e7": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Unique Count of Machine ID", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "host.id" + }, + "882ebbcb-876b-44c8-a9cd-a9eca6ed2465": { "customLabel": true, "dataType": "string", "isBucketed": true, - "label": "OS Platform", + "label": "Exploitability Level", "operationType": "terms", "params": { "exclude": [], @@ -1673,7 +1886,7 @@ "includeIsRegex": false, "missingBucket": false, "orderBy": { - "columnId": "bf620d80-f648-405b-94ac-3d6834fdb1a4", + "columnId": "1470f546-f38d-4cc4-90b3-7a4c9ce856e7", "type": "column" }, "orderDirection": "desc", 
@@ -1685,60 +1898,99 @@ "size": 5 }, "scale": "ordinal", - "sourceField": "host.os.platform" - }, - "bf620d80-f648-405b-94ac-3d6834fdb1a4": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Unique Count of Machine ID", - "operationType": "unique_count", - "params": { - "emptyAsNull": false, - "format": { - "id": "number", - "params": { - "decimals": 0 - } - } - }, - "scale": "ratio", - "sourceField": "host.id" + "sourceField": "microsoft_defender_endpoint.vulnerability.exploitability_level" } }, "incompleteColumns": {}, - "indexPatternId": "logs-*", "sampling": 1 } } }, "indexpattern": { - "currentIndexPatternId": "logs-*", "layers": {} }, "textBased": { - "indexPatternRefs": [ - { - "id": "logs-*", - "timeField": "@timestamp", - "title": "logs-*" - } - ], "layers": {} } }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "layers": [ - { + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "ff5f8bfa-a72c-4af1-9151-dc02f0bb0e77", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "microsoft_defender_endpoint.vulnerability" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "microsoft_defender_endpoint.vulnerability" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { "categoryDisplay": "default", "colorMapping": { - "assignments": [], + "assignments": [ + { + "color": { + "colorIndex": 9, + "paletteId": "eui_amsterdam_color_blind", + "type": "categorical" + }, + "rules": [ + { + "type": "raw", + "value": "Critical" + } + ], + "touched": true + }, + { + "color": { + "colorIndex": 7, + "paletteId": "eui_amsterdam_color_blind", + "type": "categorical" + }, + "rules": [ + { + "type": "raw", + "value": "High" + } + ], + 
"touched": true + }, + { + "color": { + "colorIndex": 1, + "paletteId": "eui_amsterdam_color_blind", + "type": "categorical" + }, + "rules": [ + { + "type": "raw", + "value": "Medium" + } + ], + "touched": true + } + ], "colorMode": { "type": "categorical" }, @@ -1748,23 +2000,25 @@ "color": { "type": "loop" }, - "rule": { - "type": "other" - }, + "rules": [ + { + "type": "other" + } + ], "touched": false } ] }, - "layerId": "f83347b5-978e-4753-a26a-d40d0a549867", + "layerId": "4f129361-0c18-4ba1-9994-a1e4e565c1e5", "layerType": "data", "legendDisplay": "show", "metrics": [ - "bf620d80-f648-405b-94ac-3d6834fdb1a4" + "1470f546-f38d-4cc4-90b3-7a4c9ce856e7" ], "nestedLegend": false, "numberDisplay": "percent", "primaryGroups": [ - "64974bb9-da5e-4df7-b627-40f953c6e2b4" + "882ebbcb-876b-44c8-a9cd-a9eca6ed2465" ], "truncateLegend": false } @@ -1772,7 +2026,7 @@ "shape": "pie" } }, - "title": "OS Distribution of Affected Machines", + "title": "Vulnerabilities by Severity", "type": "lens", "visualizationType": "lnsPie" }, 
@@ -1782,24 +2036,47 @@ "events": [] } }, - "filters": [], + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "ff5f8bfa-a72c-4af1-9151-dc02f0bb0e77", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "microsoft_defender_endpoint.vulnerability" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "microsoft_defender_endpoint.vulnerability" + } + } + } + ], "query": { "language": "kuery", "query": "" }, "syncColors": false, "syncCursor": true, - "syncTooltips": false + "syncTooltips": false, + "title": "Affected Machines by Exploitability Level [Logs Microsoft Defender Endpoint]" }, "gridData": { "h": 15, - "i": "be800cbb-a57d-440a-84e3-4233103d3bbb", + "i": "cbade69a-97e6-4a08-8e43-4e0824a89840", "w": 16, - "x": 16, + "x": 32, "y": 35 }, - "panelIndex": "be800cbb-a57d-440a-84e3-4233103d3bbb", - "title": "Affected Machines by OS [Logs Microsoft Defender Endpoint]", + "panelIndex": "cbade69a-97e6-4a08-8e43-4e0824a89840", "type": "lens" }, { @@ -1809,7 +2086,12 @@ "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-layer-c2ecbde4-fc03-46a3-a001-d384d24c2c0b", + "name": "indexpattern-datasource-layer-bb5c3bc7-2da1-4a15-b588-9e2fcda80836", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "0cdf4e81-af87-46bd-bc42-8fd93fbf526e", "type": "index-pattern" } ], 
@@ -1817,22 +2099,57 @@ "adHocDataViews": {}, "datasourceStates": { "formBased": { - "currentIndexPatternId": "logs-*", "layers": { - "c2ecbde4-fc03-46a3-a001-d384d24c2c0b": { + "bb5c3bc7-2da1-4a15-b588-9e2fcda80836": { "columnOrder": [ - "4ab972e9-380a-426c-98e1-7acd0b9125d1", - "08b3cac5-98c3-4192-ad0f-0ca04e9e4b20" + "b970edb6-7fb6-48f0-af44-b057acbebb37", + "d559fa87-35f2-4096-ba63-b938a3975194" ], "columns": { - "08b3cac5-98c3-4192-ad0f-0ca04e9e4b20": { + "b970edb6-7fb6-48f0-af44-b057acbebb37": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Affected Machine", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderAgg": { + "dataType": "number", + "isBucketed": false, + "label": "Unique count of vulnerability.id", + "operationType": "unique_count", + "params": { + "emptyAsNull": true + }, + "sourceField": "vulnerability.id" + }, + "orderBy": { + "type": "custom" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "host.name" + }, + "d559fa87-35f2-4096-ba63-b938a3975194": { "customLabel": true, "dataType": "number", "isBucketed": false, - "label": "Count", + "label": "Unique Vulnerabilities", "operationType": "unique_count", "params": { - "emptyAsNull": false, + "emptyAsNull": true, "format": { "id": "number", "params": { 
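Review bot: The new "Affected Machine" terms column buckets on `host.name`, while every other machine-level column in this change keys on `host.id` (the "Unique Count of Machine ID" columns in the `@@ -1379` and `@@ -1652` hunks), so two machines that share a hostname would collapse into one row with their vulnerabilities counted together. If the display name is wanted in the table, carrying the id alongside it via `"secondaryFields": ["host.id"]` (currently `[]`) or bucketing on `host.id` avoids that. The `orderAgg` and the `d559fa87-35f2-4096-ba63-b938a3975194` metric also set `"emptyAsNull": true`, unlike the `false` used by the unique_count columns elsewhere in this change; presumably deliberate for a datatable, but worth confirming. The panel definition continues past the end of this hunk.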
@@ -1840,121 +2157,67 @@ } } }, - "scale": "ratio", "sourceField": "vulnerability.id" - }, - "4ab972e9-380a-426c-98e1-7acd0b9125d1": { - "customLabel": true, - "dataType": "date", - "isBucketed": true, - "label": "Vulnerabillity First Seen", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "ignoreTimeRange": true, - "includeEmptyRows": false, - "interval": "5m" - }, - "scale": "interval", - "sourceField": "microsoft_defender_endpoint.vulnerability.first_detected" } }, "incompleteColumns": {}, - "indexPatternId": "logs-*", "sampling": 1 } } }, "indexpattern": { - "currentIndexPatternId": "logs-*", "layers": {} }, "textBased": { - "indexPatternRefs": [ - { - "id": "logs-*", - "timeField": "@timestamp", - "title": "logs-*" - } - ], "layers": {} } }, - "filters": [], + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "0cdf4e81-af87-46bd-bc42-8fd93fbf526e", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "microsoft_defender_endpoint.vulnerability" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "microsoft_defender_endpoint.vulnerability" + } + } + } + ], "internalReferences": [], "query": { "language": "kuery", - "query": "event.dataset : \"microsoft_defender_endpoint.vulnerability\"" + "query": "" }, "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "fittingFunction": "Linear", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ + "columns": [ { - "accessors": [ - "08b3cac5-98c3-4192-ad0f-0ca04e9e4b20" - ], - "colorMapping": { - "assignments": [], - "colorMode": { - "type": "categorical" - }, - "paletteId": "eui_amsterdam_color_blind", - "specialAssignments": [ - { - "color": { - "type": "loop" - }, 
- "rule": { - "type": "other" - }, - "touched": false - } - ] - }, - "layerId": "c2ecbde4-fc03-46a3-a001-d384d24c2c0b", - "layerType": "data", - "position": "top", - "seriesType": "line", - "showGridlines": false, - "xAccessor": "4ab972e9-380a-426c-98e1-7acd0b9125d1" + "columnId": "b970edb6-7fb6-48f0-af44-b057acbebb37", + "width": 357.5 + }, + { + "columnId": "d559fa87-35f2-4096-ba63-b938a3975194" } ], - "legend": { - "isInside": false, - "isVisible": true, - "legendSize": "auto", - "legendStats": [], - "position": "right", - "shouldTruncate": false, - "showSingleSeries": false - }, - "preferredSeriesType": "line", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide" + "layerId": "bb5c3bc7-2da1-4a15-b588-9e2fcda80836", + "layerType": "data" } }, - "title": "Vulnerabilities over Time", + "title": "Top 10 Affected Host with Highest Vulnerability", "type": "lens", - "visualizationType": "lnsXY" + "visualizationType": "lnsDatatable" }, "description": "", "enhancements": { 
@@ -1962,41 +2225,260 @@ "events": [] } }, - "filters": [], - "query": { - "language": "kuery", - "query": "event.dataset : \"microsoft_defender_endpoint.vulnerability\"" - }, - "syncColors": false, - "syncCursor": true, - "syncTooltips": false - }, - "gridData": { - "h": 17, - "i": "cd4342af-24cb-4c1c-b72f-3e0f9de7f394", - "w": 22, - "x": 10, - "y": 18 + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "0cdf4e81-af87-46bd-bc42-8fd93fbf526e", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "microsoft_defender_endpoint.vulnerability" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "microsoft_defender_endpoint.vulnerability" + } + } + } + ], + "hidePanelTitles": false, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "title": "Top 10 Affected Machines with Highest Vulnerability [Logs Microsoft Defender Endpoint]" }, - "panelIndex": "cd4342af-24cb-4c1c-b72f-3e0f9de7f394", - "title": "Vulnerability over First Seen [Logs Microsoft Defender Endpoint]", + "gridData": { + "h": 17, + "i": "1fc86dc4-4bd3-4484-9622-f6d14a335bed", + "w": 24, + "x": 0, + "y": 50 + }, + "panelIndex": "1fc86dc4-4bd3-4484-9622-f6d14a335bed", "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-93fbd5b8-bcdd-402b-9efb-2a24a2da900f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d3ea51ee-f017-4224-a9de-8f1d6023adef", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "93fbd5b8-bcdd-402b-9efb-2a24a2da900f": { + "columnOrder": [ + "1ed5fdf0-b270-4d55-9f27-f2f5dd92b828", + "26f9a0ca-049e-4084-86bb-b709d7ec37bf" + ], + "columns": { + 
"1ed5fdf0-b270-4d55-9f27-f2f5dd92b828": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Affected software", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "26f9a0ca-049e-4084-86bb-b709d7ec37bf", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 20 + }, + "scale": "ordinal", + "sourceField": "package.name" + }, + "26f9a0ca-049e-4084-86bb-b709d7ec37bf": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Unique Vulnerabilities", + "operationType": "unique_count", + "params": { + "emptyAsNull": true, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "sourceField": "vulnerability.id" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "d3ea51ee-f017-4224-a9de-8f1d6023adef", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "microsoft_defender_endpoint.vulnerability" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "microsoft_defender_endpoint.vulnerability" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "1ed5fdf0-b270-4d55-9f27-f2f5dd92b828" + }, + { + "columnId": "26f9a0ca-049e-4084-86bb-b709d7ec37bf" + } + ], + "layerId": "93fbd5b8-bcdd-402b-9efb-2a24a2da900f", + "layerType": "data" + } + }, + "title": "Top 10 Affected software product", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "description": "", + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + 
"$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "d3ea51ee-f017-4224-a9de-8f1d6023adef", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "microsoft_defender_endpoint.vulnerability" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "microsoft_defender_endpoint.vulnerability" + } + } + } + ], + "hidePanelTitles": false, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "title": "Top 10 Affected Softwares [Logs Microsoft Defender Endpoint]" + }, + "gridData": { + "h": 17, + "i": "6d64f578-66e2-49f3-ae06-911dae110ee7", + "w": 24, + "x": 24, + "y": 50 + }, + "panelIndex": "6d64f578-66e2-49f3-ae06-911dae110ee7", + "type": "lens" + }, + { + "embeddableConfig": { + "description": "", + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "savedObjectId": "microsoft_defender_endpoint-89e2c263-f9c2-4f34-85d2-86b1d1b9106b", + "title": "Affected Machines Essential Details [Logs Microsoft Defender Endpoint]" + }, + "gridData": { + "h": 15, + "i": "8df48253-4d96-48af-ae94-14409cf798d6", + "w": 48, + "x": 0, + "y": 67 + }, + "panelIndex": "8df48253-4d96-48af-ae94-14409cf798d6", + "panelRefName": "panel_8df48253-4d96-48af-ae94-14409cf798d6", + "type": "search" } ], "refreshInterval": { "pause": true, "value": 60000 }, - "timeFrom": "now-4h", + "timeFrom": "now-7d/d", "timeRestore": true, "timeTo": "now", "title": "[Logs Microsoft Defender Endpoint] Vulnerability Overview", "version": 3 }, "coreMigrationVersion": "8.8.0", - "created_at": "2025-05-08T09:47:41.958Z", + "created_at": "2025-10-09T16:45:17.448Z", "id": "microsoft_defender_endpoint-afb93ff7-9903-4d91-9028-9fe9c5a434f8", - "managed": false, "references": [ { "id": "logs-*", 
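Review bot: The "Affected software" terms column sets `"size": 20`, but both titles for that panel say Top 10 (`"title": "Top 10 Affected software product"` and `"title": "Top 10 Affected Softwares [Logs Microsoft Defender Endpoint]"`), so the table can show twenty rows; either change it to `"size": 10` or retitle the panel. While touching those strings, "Softwares" is not standard English and the lowercase label differs from the Title Case used by the other panels; `"title": "Top 10 Affected Software [Logs Microsoft Defender Endpoint]"` and `"label": "Affected Software"` would match. The saved-search panel keeps `"savedObjectId": "microsoft_defender_endpoint-89e2c263-f9c2-4f34-85d2-86b1d1b9106b"` inline next to `"panelRefName"`; presumably a `references` entry of the same name exists, but it is not in this hunk, so confirm the search resolves on import. The hunk begins inside the previous panel's `enhancements` block.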
@@ -2004,9 +2486,14 @@
 "type": "index-pattern"
 },
 {
- "id": "microsoft_defender_endpoint-4e5cb35c-7a18-4f29-bb69-7e30ab9bbdec",
- "name": "c457e5a3-7fc2-407c-b4a6-73cbca5c0406:panel_c457e5a3-7fc2-407c-b4a6-73cbca5c0406",
- "type": "search"
+ "id": "microsoft_defender_endpoint-security-solution-default",
+ "name": "tag-ref-microsoft_defender_endpoint-security-solution-default",
+ "type": "tag"
+ },
+ {
+ "id": "microsoft_defender_endpoint-security-solution-default",
+ "name": "tag-ref-security-solution-default",
+ "type": "tag"
 },
 {
 "id": "microsoft_defender_endpoint-4f3a6702-9642-4392-9b34-ceb1447e09a7",
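Review bot: This hunk removes the only `search` reference visible in the file (`c457e5a3-7fc2-407c-b4a6-73cbca5c0406:panel_c457e5a3-7fc2-407c-b4a6-73cbca5c0406`), while the saved-search panel added in the previous hunk declares `"panelRefName": "panel_8df48253-4d96-48af-ae94-14409cf798d6"`; that panel needs a `references` entry named `8df48253-4d96-48af-ae94-14409cf798d6:panel_8df48253-4d96-48af-ae94-14409cf798d6` with `"type": "search"`, and none appears in these hunks, so confirm it exists further down or the panel will not resolve on import. The same `references` array continues in the next hunk with the identical visualization entry (`72697a0d-690e-496e-9809-389acd1c5cc6:panel_72697a0d-690e-496e-9809-389acd1c5cc6`) repeated many times, which looks like an export artifact and should be reduced to one entry per panel that uses it. The `references` array starts before this hunk.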
@@ -2014,68 +2501,228 @@ "type": "visualization" }, { - "id": "microsoft_defender_endpoint-security-solution-default", - "name": "tag-ref-microsoft_defender_endpoint-security-solution-default", - "type": "tag" + "id": "microsoft_defender_endpoint-4f3a6702-9642-4392-9b34-ceb1447e09a7", + "name": "72697a0d-690e-496e-9809-389acd1c5cc6:panel_72697a0d-690e-496e-9809-389acd1c5cc6", + "type": "visualization" }, { - "id": "microsoft_defender_endpoint-security-solution-default", - "name": "tag-ref-security-solution-default", - "type": "tag" + "id": "microsoft_defender_endpoint-4f3a6702-9642-4392-9b34-ceb1447e09a7", + "name": "72697a0d-690e-496e-9809-389acd1c5cc6:panel_72697a0d-690e-496e-9809-389acd1c5cc6", + "type": "visualization" + }, + { + "id": "microsoft_defender_endpoint-4f3a6702-9642-4392-9b34-ceb1447e09a7", + "name": "72697a0d-690e-496e-9809-389acd1c5cc6:panel_72697a0d-690e-496e-9809-389acd1c5cc6", + "type": "visualization" + }, + { + "id": "microsoft_defender_endpoint-4f3a6702-9642-4392-9b34-ceb1447e09a7", + "name": "72697a0d-690e-496e-9809-389acd1c5cc6:panel_72697a0d-690e-496e-9809-389acd1c5cc6", + "type": "visualization" + }, + { + "id": "microsoft_defender_endpoint-4f3a6702-9642-4392-9b34-ceb1447e09a7", + "name": "72697a0d-690e-496e-9809-389acd1c5cc6:panel_72697a0d-690e-496e-9809-389acd1c5cc6", + "type": "visualization" + }, + { + "id": "microsoft_defender_endpoint-4f3a6702-9642-4392-9b34-ceb1447e09a7", + "name": "72697a0d-690e-496e-9809-389acd1c5cc6:panel_72697a0d-690e-496e-9809-389acd1c5cc6", + "type": "visualization" + }, + { + "id": "microsoft_defender_endpoint-4f3a6702-9642-4392-9b34-ceb1447e09a7", + "name": "72697a0d-690e-496e-9809-389acd1c5cc6:panel_72697a0d-690e-496e-9809-389acd1c5cc6", + "type": "visualization" + }, + { + "id": "microsoft_defender_endpoint-4f3a6702-9642-4392-9b34-ceb1447e09a7", + "name": "72697a0d-690e-496e-9809-389acd1c5cc6:panel_72697a0d-690e-496e-9809-389acd1c5cc6", + "type": "visualization" + }, + { + "id": 
"microsoft_defender_endpoint-4f3a6702-9642-4392-9b34-ceb1447e09a7", + "name": "72697a0d-690e-496e-9809-389acd1c5cc6:panel_72697a0d-690e-496e-9809-389acd1c5cc6", + "type": "visualization" + }, + { + "id": "microsoft_defender_endpoint-4f3a6702-9642-4392-9b34-ceb1447e09a7", + "name": "72697a0d-690e-496e-9809-389acd1c5cc6:panel_72697a0d-690e-496e-9809-389acd1c5cc6", + "type": "visualization" + }, + { + "id": "microsoft_defender_endpoint-4f3a6702-9642-4392-9b34-ceb1447e09a7", + "name": "72697a0d-690e-496e-9809-389acd1c5cc6:panel_72697a0d-690e-496e-9809-389acd1c5cc6", + "type": "visualization" + }, + { + "id": "microsoft_defender_endpoint-4f3a6702-9642-4392-9b34-ceb1447e09a7", + "name": "72697a0d-690e-496e-9809-389acd1c5cc6:panel_72697a0d-690e-496e-9809-389acd1c5cc6", + "type": "visualization" + }, + { + "id": "microsoft_defender_endpoint-4f3a6702-9642-4392-9b34-ceb1447e09a7", + "name": "72697a0d-690e-496e-9809-389acd1c5cc6:panel_72697a0d-690e-496e-9809-389acd1c5cc6", + "type": "visualization" + }, + { + "id": "microsoft_defender_endpoint-4f3a6702-9642-4392-9b34-ceb1447e09a7", + "name": "72697a0d-690e-496e-9809-389acd1c5cc6:panel_72697a0d-690e-496e-9809-389acd1c5cc6", + "type": "visualization" + }, + { + "id": "microsoft_defender_endpoint-4f3a6702-9642-4392-9b34-ceb1447e09a7", + "name": "72697a0d-690e-496e-9809-389acd1c5cc6:panel_72697a0d-690e-496e-9809-389acd1c5cc6", + "type": "visualization" + }, + { + "id": "microsoft_defender_endpoint-4f3a6702-9642-4392-9b34-ceb1447e09a7", + "name": "72697a0d-690e-496e-9809-389acd1c5cc6:panel_72697a0d-690e-496e-9809-389acd1c5cc6", + "type": "visualization" + }, + { + "id": "microsoft_defender_endpoint-4f3a6702-9642-4392-9b34-ceb1447e09a7", + "name": "72697a0d-690e-496e-9809-389acd1c5cc6:panel_72697a0d-690e-496e-9809-389acd1c5cc6", + "type": "visualization" + }, + { + "id": "microsoft_defender_endpoint-4f3a6702-9642-4392-9b34-ceb1447e09a7", + "name": "72697a0d-690e-496e-9809-389acd1c5cc6:panel_72697a0d-690e-496e-9809-389acd1c5cc6", + 
"type": "visualization" + }, + { + "id": "microsoft_defender_endpoint-4f3a6702-9642-4392-9b34-ceb1447e09a7", + "name": "72697a0d-690e-496e-9809-389acd1c5cc6:panel_72697a0d-690e-496e-9809-389acd1c5cc6", + "type": "visualization" + }, + { + "id": "microsoft_defender_endpoint-4f3a6702-9642-4392-9b34-ceb1447e09a7", + "name": "72697a0d-690e-496e-9809-389acd1c5cc6:panel_72697a0d-690e-496e-9809-389acd1c5cc6", + "type": "visualization" + }, + { + "id": "microsoft_defender_endpoint-4f3a6702-9642-4392-9b34-ceb1447e09a7", + "name": "72697a0d-690e-496e-9809-389acd1c5cc6:panel_72697a0d-690e-496e-9809-389acd1c5cc6", + "type": "visualization" + }, + { + "id": "microsoft_defender_endpoint-4f3a6702-9642-4392-9b34-ceb1447e09a7", + "name": "72697a0d-690e-496e-9809-389acd1c5cc6:panel_72697a0d-690e-496e-9809-389acd1c5cc6", + "type": "visualization" + }, + { + "id": "microsoft_defender_endpoint-4f3a6702-9642-4392-9b34-ceb1447e09a7", + "name": "72697a0d-690e-496e-9809-389acd1c5cc6:panel_72697a0d-690e-496e-9809-389acd1c5cc6", + "type": "visualization" + }, + { + "id": "microsoft_defender_endpoint-4f3a6702-9642-4392-9b34-ceb1447e09a7", + "name": "72697a0d-690e-496e-9809-389acd1c5cc6:panel_72697a0d-690e-496e-9809-389acd1c5cc6", + "type": "visualization" + }, + { + "id": "microsoft_defender_endpoint-4f3a6702-9642-4392-9b34-ceb1447e09a7", + "name": "72697a0d-690e-496e-9809-389acd1c5cc6:panel_72697a0d-690e-496e-9809-389acd1c5cc6", + "type": "visualization" + }, + { + "id": "microsoft_defender_endpoint-4f3a6702-9642-4392-9b34-ceb1447e09a7", + "name": "72697a0d-690e-496e-9809-389acd1c5cc6:panel_72697a0d-690e-496e-9809-389acd1c5cc6", + "type": "visualization" + }, + { + "id": "microsoft_defender_endpoint-4f3a6702-9642-4392-9b34-ceb1447e09a7", + "name": "72697a0d-690e-496e-9809-389acd1c5cc6:panel_72697a0d-690e-496e-9809-389acd1c5cc6", + "type": "visualization" + }, + { + "id": "microsoft_defender_endpoint-4f3a6702-9642-4392-9b34-ceb1447e09a7", + "name": 
"72697a0d-690e-496e-9809-389acd1c5cc6:panel_72697a0d-690e-496e-9809-389acd1c5cc6", + "type": "visualization" + }, + { + "id": "microsoft_defender_endpoint-4f3a6702-9642-4392-9b34-ceb1447e09a7", + "name": "72697a0d-690e-496e-9809-389acd1c5cc6:panel_72697a0d-690e-496e-9809-389acd1c5cc6", + "type": "visualization" }, { "id": "logs-*", - "name": "1fc86dc4-4bd3-4484-9622-f6d14a335bed:indexpattern-datasource-layer-bb5c3bc7-2da1-4a15-b588-9e2fcda80836", + "name": "4ba0a469-16ee-4f04-ae89-a2aa29e299f1:indexpattern-datasource-layer-d448b66c-867d-4229-b46b-098a674230f6", "type": "index-pattern" }, { "id": "logs-*", - "name": "6d64f578-66e2-49f3-ae06-911dae110ee7:indexpattern-datasource-layer-93fbd5b8-bcdd-402b-9efb-2a24a2da900f", + "name": "4ba0a469-16ee-4f04-ae89-a2aa29e299f1:06719d2c-30c4-4bef-b7e8-e62519673a6d", "type": "index-pattern" }, { "id": "logs-*", - "name": "cbade69a-97e6-4a08-8e43-4e0824a89840:indexpattern-datasource-layer-4f129361-0c18-4ba1-9994-a1e4e565c1e5", + "name": "4ba0a469-16ee-4f04-ae89-a2aa29e299f1:77b10750-e06c-48a7-aa22-dbbca30bfe4b", "type": "index-pattern" }, { "id": "logs-*", - "name": "3f1d140f-1e01-4d38-a8ca-2ef62ca71315:indexpattern-datasource-layer-95d5d85e-ec68-4d5f-a5e8-f69441a959c0", + "name": "d50a1111-11a2-4540-b788-dd116022b873:indexpattern-datasource-layer-693c18a1-a856-4f59-a87e-6f58ecb73834", "type": "index-pattern" }, { "id": "logs-*", - "name": "50be5d33-6110-4584-8163-29335c338697:indexpattern-datasource-layer-4f129361-0c18-4ba1-9994-a1e4e565c1e5", + "name": "d50a1111-11a2-4540-b788-dd116022b873:6e2ba459-1b0d-4d52-bd11-82013ce53178", "type": "index-pattern" }, { "id": "logs-*", - "name": "4ba0a469-16ee-4f04-ae89-a2aa29e299f1:indexpattern-datasource-layer-d448b66c-867d-4229-b46b-098a674230f6", + "name": "274078cb-5fb3-43cd-a025-1eb787e93a5e:indexpattern-datasource-layer-59044096-edd2-4c17-9b59-05fcfc384e6b", "type": "index-pattern" }, { "id": "logs-*", - "name": 
"4ba0a469-16ee-4f04-ae89-a2aa29e299f1:cdc40fd4-75a6-4f65-aff2-ab1b69826140", + "name": "274078cb-5fb3-43cd-a025-1eb787e93a5e:9b2cbfaa-e531-48a9-84e2-f1567978697f", "type": "index-pattern" }, { "id": "logs-*", - "name": "274078cb-5fb3-43cd-a025-1eb787e93a5e:indexpattern-datasource-layer-59044096-edd2-4c17-9b59-05fcfc384e6b", + "name": "274078cb-5fb3-43cd-a025-1eb787e93a5e:c853bfd8-b76a-4ef3-8e6d-a3ba8fdfed62", "type": "index-pattern" }, { "id": "logs-*", - "name": "274078cb-5fb3-43cd-a025-1eb787e93a5e:6a1c3042-4087-44c0-a950-624946feea03", + "name": "2bb8f3a4-3123-413d-aacc-2e7c2721b468:indexpattern-datasource-layer-7f9d3821-7e68-4bb8-a189-190e04533a7d", "type": "index-pattern" }, { "id": "logs-*", - "name": "2bb8f3a4-3123-413d-aacc-2e7c2721b468:indexpattern-datasource-layer-7f9d3821-7e68-4bb8-a189-190e04533a7d", + "name": "2bb8f3a4-3123-413d-aacc-2e7c2721b468:fa90cf42-4b92-4502-8d7a-2cdb8ded2b9c", "type": "index-pattern" }, { "id": "logs-*", - "name": "d50a1111-11a2-4540-b788-dd116022b873:indexpattern-datasource-layer-693c18a1-a856-4f59-a87e-6f58ecb73834", + "name": "cd4342af-24cb-4c1c-b72f-3e0f9de7f394:indexpattern-datasource-layer-c2ecbde4-fc03-46a3-a001-d384d24c2c0b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "cd4342af-24cb-4c1c-b72f-3e0f9de7f394:ce9d0fcb-8642-4dd0-b2a9-3ed89cbdd88e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "50be5d33-6110-4584-8163-29335c338697:indexpattern-datasource-layer-4f129361-0c18-4ba1-9994-a1e4e565c1e5", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "50be5d33-6110-4584-8163-29335c338697:356a43be-cf4a-4118-b5ae-07b99665b7ee", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3f1d140f-1e01-4d38-a8ca-2ef62ca71315:indexpattern-datasource-layer-95d5d85e-ec68-4d5f-a5e8-f69441a959c0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3f1d140f-1e01-4d38-a8ca-2ef62ca71315:90ca1d8b-cc56-45e9-846e-cd550f63eb55", "type": "index-pattern" }, { 
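Review bot: The references array in this hunk repeats one entry — id `microsoft_defender_endpoint-4f3a6702-9642-4392-9b34-ceb1447e09a7`, name `72697a0d-690e-496e-9809-389acd1c5cc6:panel_72697a0d-690e-496e-9809-389acd1c5cc6`, type `visualization` — dozens of times, and the following hunk (`@@ -2085,9 +2732,124 @@`) does the same for the search reference `microsoft_defender_endpoint-89e2c263-f9c2-4f34-85d2-86b1d1b9106b` under the name `8df48253-4d96-48af-ae94-14409cf798d6:panel_8df48253-4d96-48af-ae94-14409cf798d6`. A panel resolves its reference through `panelRefName`, so copies carrying an identical name are never looked up separately; they appear to be an artifact of re-exporting the dashboard rather than an intended change. Keeping a single entry per name and type would shrink the saved object and make future diffs of this file reviewable. The enclosing `references` array starts before this hunk and continues past it.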
@@ -2085,9 +2732,124 @@ }, { "id": "logs-*", - "name": "cd4342af-24cb-4c1c-b72f-3e0f9de7f394:indexpattern-datasource-layer-c2ecbde4-fc03-46a3-a001-d384d24c2c0b", + "name": "be800cbb-a57d-440a-84e3-4233103d3bbb:37746151-5590-448a-8479-591b0f3e4ad2", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "cbade69a-97e6-4a08-8e43-4e0824a89840:indexpattern-datasource-layer-4f129361-0c18-4ba1-9994-a1e4e565c1e5", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "cbade69a-97e6-4a08-8e43-4e0824a89840:ff5f8bfa-a72c-4af1-9151-dc02f0bb0e77", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "1fc86dc4-4bd3-4484-9622-f6d14a335bed:indexpattern-datasource-layer-bb5c3bc7-2da1-4a15-b588-9e2fcda80836", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "1fc86dc4-4bd3-4484-9622-f6d14a335bed:0cdf4e81-af87-46bd-bc42-8fd93fbf526e", "type": "index-pattern" }, + { + "id": "logs-*", + "name": "6d64f578-66e2-49f3-ae06-911dae110ee7:indexpattern-datasource-layer-93fbd5b8-bcdd-402b-9efb-2a24a2da900f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6d64f578-66e2-49f3-ae06-911dae110ee7:d3ea51ee-f017-4224-a9de-8f1d6023adef", + "type": "index-pattern" + }, + { + "id": "microsoft_defender_endpoint-89e2c263-f9c2-4f34-85d2-86b1d1b9106b", + "name": "8df48253-4d96-48af-ae94-14409cf798d6:panel_8df48253-4d96-48af-ae94-14409cf798d6", + "type": "search" + }, + { + "id": "microsoft_defender_endpoint-89e2c263-f9c2-4f34-85d2-86b1d1b9106b", + "name": "8df48253-4d96-48af-ae94-14409cf798d6:panel_8df48253-4d96-48af-ae94-14409cf798d6", + "type": "search" + }, + { + "id": "microsoft_defender_endpoint-89e2c263-f9c2-4f34-85d2-86b1d1b9106b", + "name": "8df48253-4d96-48af-ae94-14409cf798d6:panel_8df48253-4d96-48af-ae94-14409cf798d6", + "type": "search" + }, + { + "id": "microsoft_defender_endpoint-89e2c263-f9c2-4f34-85d2-86b1d1b9106b", + "name": "8df48253-4d96-48af-ae94-14409cf798d6:panel_8df48253-4d96-48af-ae94-14409cf798d6", + "type": "search" + }, + { + 
"id": "microsoft_defender_endpoint-89e2c263-f9c2-4f34-85d2-86b1d1b9106b", + "name": "8df48253-4d96-48af-ae94-14409cf798d6:panel_8df48253-4d96-48af-ae94-14409cf798d6", + "type": "search" + }, + { + "id": "microsoft_defender_endpoint-89e2c263-f9c2-4f34-85d2-86b1d1b9106b", + "name": "8df48253-4d96-48af-ae94-14409cf798d6:panel_8df48253-4d96-48af-ae94-14409cf798d6", + "type": "search" + }, + { + "id": "microsoft_defender_endpoint-89e2c263-f9c2-4f34-85d2-86b1d1b9106b", + "name": "8df48253-4d96-48af-ae94-14409cf798d6:panel_8df48253-4d96-48af-ae94-14409cf798d6", + "type": "search" + }, + { + "id": "microsoft_defender_endpoint-89e2c263-f9c2-4f34-85d2-86b1d1b9106b", + "name": "8df48253-4d96-48af-ae94-14409cf798d6:panel_8df48253-4d96-48af-ae94-14409cf798d6", + "type": "search" + }, + { + "id": "microsoft_defender_endpoint-89e2c263-f9c2-4f34-85d2-86b1d1b9106b", + "name": "8df48253-4d96-48af-ae94-14409cf798d6:panel_8df48253-4d96-48af-ae94-14409cf798d6", + "type": "search" + }, + { + "id": "microsoft_defender_endpoint-89e2c263-f9c2-4f34-85d2-86b1d1b9106b", + "name": "8df48253-4d96-48af-ae94-14409cf798d6:panel_8df48253-4d96-48af-ae94-14409cf798d6", + "type": "search" + }, + { + "id": "microsoft_defender_endpoint-89e2c263-f9c2-4f34-85d2-86b1d1b9106b", + "name": "8df48253-4d96-48af-ae94-14409cf798d6:panel_8df48253-4d96-48af-ae94-14409cf798d6", + "type": "search" + }, + { + "id": "microsoft_defender_endpoint-89e2c263-f9c2-4f34-85d2-86b1d1b9106b", + "name": "8df48253-4d96-48af-ae94-14409cf798d6:panel_8df48253-4d96-48af-ae94-14409cf798d6", + "type": "search" + }, + { + "id": "microsoft_defender_endpoint-89e2c263-f9c2-4f34-85d2-86b1d1b9106b", + "name": "8df48253-4d96-48af-ae94-14409cf798d6:panel_8df48253-4d96-48af-ae94-14409cf798d6", + "type": "search" + }, + { + "id": "microsoft_defender_endpoint-89e2c263-f9c2-4f34-85d2-86b1d1b9106b", + "name": "8df48253-4d96-48af-ae94-14409cf798d6:panel_8df48253-4d96-48af-ae94-14409cf798d6", + "type": "search" + }, + { + "id": 
"microsoft_defender_endpoint-89e2c263-f9c2-4f34-85d2-86b1d1b9106b", + "name": "8df48253-4d96-48af-ae94-14409cf798d6:panel_8df48253-4d96-48af-ae94-14409cf798d6", + "type": "search" + }, + { + "id": "microsoft_defender_endpoint-89e2c263-f9c2-4f34-85d2-86b1d1b9106b", + "name": "8df48253-4d96-48af-ae94-14409cf798d6:panel_8df48253-4d96-48af-ae94-14409cf798d6", + "type": "search" + }, + { + "id": "microsoft_defender_endpoint-89e2c263-f9c2-4f34-85d2-86b1d1b9106b", + "name": "8df48253-4d96-48af-ae94-14409cf798d6:panel_8df48253-4d96-48af-ae94-14409cf798d6", + "type": "search" + }, { "id": "logs-*", "name": "controlGroup_496b8374-9f81-43cb-9cbd-cc5859043d5e:optionsListDataView", @@ -2115,6 +2877,6 @@ } ], "type": "dashboard", - "typeMigrationVersion": "10.2.0", + "typeMigrationVersion": "10.3.0", "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0" } \ No newline at end of file diff --git a/packages/microsoft_defender_endpoint/kibana/search/microsoft_defender_endpoint-4e5cb35c-7a18-4f29-bb69-7e30ab9bbdec.json b/packages/microsoft_defender_endpoint/kibana/search/microsoft_defender_endpoint-89e2c263-f9c2-4f34-85d2-86b1d1b9106b.json similarity index 54% rename from packages/microsoft_defender_endpoint/kibana/search/microsoft_defender_endpoint-4e5cb35c-7a18-4f29-bb69-7e30ab9bbdec.json rename to packages/microsoft_defender_endpoint/kibana/search/microsoft_defender_endpoint-89e2c263-f9c2-4f34-85d2-86b1d1b9106b.json index af4db767133..1ba7b40f11c 100644 --- a/packages/microsoft_defender_endpoint/kibana/search/microsoft_defender_endpoint-4e5cb35c-7a18-4f29-bb69-7e30ab9bbdec.json +++ b/packages/microsoft_defender_endpoint/kibana/search/microsoft_defender_endpoint-89e2c263-f9c2-4f34-85d2-86b1d1b9106b.json 
@@ -1,18 +1,20 @@
 {
 "attributes": {
 "columns": [
- "microsoft_defender_endpoint.vulnerability.affected_machine.last_seen",
 "host.id",
- "host.ip",
 "host.name",
+ "microsoft_defender_endpoint.vulnerability.last_seen_timestamp",
 "vulnerability.id",
- "host.os.name",
- "host.risk.calculated_level",
- "microsoft_defender_endpoint.vulnerability.affected_machine.health_status",
- "microsoft_defender_endpoint.vulnerability.affected_machine.is_potential_duplication"
+ "vulnerability.severity",
+ "microsoft_defender_endpoint.vulnerability.exploitability_level",
+ "package.name",
+ "package.version",
+ "message"
 ],
 "description": "",
- "grid": {},
+ "grid": {
+ "columns": {}
+ },
 "hideChart": false,
 "isTextBasedQuery": false,
 "kibanaSavedObjectMeta": {
@@ -25,16 +27,38 @@
 "meta": {
 "alias": null,
 "disabled": false,
- "field": "microsoft_defender_endpoint.vulnerability.affected_machine.id",
+ "field": "data_stream.dataset",
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "key": "microsoft_defender_endpoint.vulnerability.affected_machine.id",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "microsoft_defender_endpoint.vulnerability"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "microsoft_defender_endpoint.vulnerability"
+ }
+ }
+ },
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "host.id",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
+ "key": "host.id",
 "negate": false,
 "type": "exists",
 "value": "exists"
 },
 "query": {
 "exists": {
- "field": "microsoft_defender_endpoint.vulnerability.affected_machine.id"
+ "field": "host.id"
 }
 }
 }
@@ -56,9 +80,8 @@
 "title": "Affected Machines Essential Details [Logs Microsoft Defender Endpoint]"
 },
 "coreMigrationVersion": "8.8.0",
- "created_at": "2025-05-08T08:59:15.497Z",
- "id": "microsoft_defender_endpoint-4e5cb35c-7a18-4f29-bb69-7e30ab9bbdec",
- "managed": true,
+ "created_at": "2025-10-09T16:15:52.727Z",
+ "id": "microsoft_defender_endpoint-89e2c263-f9c2-4f34-85d2-86b1d1b9106b",
 "references": [
 {
 "id": "logs-*",
@@ -70,6 +93,11 @@
 "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
 "type": "index-pattern"
 },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
+ "type": "index-pattern"
+ },
 {
 "id": "microsoft_defender_endpoint-security-solution-default",
 "name": "tag-ref-microsoft_defender_endpoint-security-solution-default",
diff --git a/packages/microsoft_defender_endpoint/kibana/tag/microsoft_defender_endpoint-security-solution-default.json b/packages/microsoft_defender_endpoint/kibana/tag/microsoft_defender_endpoint-security-solution-default.json
index c13a852858a..254c4982833 100644
--- a/packages/microsoft_defender_endpoint/kibana/tag/microsoft_defender_endpoint-security-solution-default.json
+++ b/packages/microsoft_defender_endpoint/kibana/tag/microsoft_defender_endpoint-security-solution-default.json
@@ -1,13 +1,12 @@
 {
 "attributes": {
- "color": "#F583B7",
+ "color": "#FFA500",
 "description": "Tag defined in package-spec",
 "name": "Security Solution"
 },
 "coreMigrationVersion": "8.8.0",
- "created_at": "2025-05-07T11:01:44.111Z",
+ "created_at": "2025-10-09T16:13:16.269Z",
 "id": "microsoft_defender_endpoint-security-solution-default",
- "managed": true,
 "references": [],
 "type": "tag",
 "typeMigrationVersion": "8.0.0"
diff --git a/packages/microsoft_defender_endpoint/kibana/visualization/microsoft_defender_endpoint-4f3a6702-9642-4392-9b34-ceb1447e09a7.json b/packages/microsoft_defender_endpoint/kibana/visualization/microsoft_defender_endpoint-4f3a6702-9642-4392-9b34-ceb1447e09a7.json
index 55d41e978ea..0a86d3dd2c8 100644
--- a/packages/microsoft_defender_endpoint/kibana/visualization/microsoft_defender_endpoint-4f3a6702-9642-4392-9b34-ceb1447e09a7.json
+++ b/packages/microsoft_defender_endpoint/kibana/visualization/microsoft_defender_endpoint-4f3a6702-9642-4392-9b34-ceb1447e09a7.json
@@ -17,7 +17,7 @@
 "aggs": [],
 "params": {
 "fontSize": 12,
- "markdown": "**Navigation**\n\n**Microsoft Defender for Endpoint**\n\n- [Overview](#/dashboard/microsoft_defender_endpoint-65402c30-ca6a-11ea-9d4d-9737a63aaa55)\n- [Machine Overview](#/dashboard/microsoft_defender_endpoint-c89734ca-ab7f-419d-b665-50076cceee60)\n- [Machine Action Overview](#/dashboard/microsoft_defender_endpoint-6a043fee-1e3d-454b-96d1-159e6efce215)\n- **Vulnerability Overview**\n\n**Overview**\n\nThis dashboard is designed to provide a comprehensive view of vulnerability data and affected machine ingested from Microsoft Defender Endpoint.\n\nIt highlights total public and verified exploit counts, trends over time, and the top affected hosts and software. Visuals include severity breakdowns, CVE supportability, OS distribution, and essential vulnerability details for deeper analysis.\n\n[Integration Page](/app/integrations/detail/microsoft_defender_endpoint/overview)",
+ "markdown": "**Navigation**\n\n**Microsoft Defender for Endpoint**\n\n- [Overview](#/dashboard/microsoft_defender_endpoint-65402c30-ca6a-11ea-9d4d-9737a63aaa55)\n- [Machine Overview](#/dashboard/microsoft_defender_endpoint-c89734ca-ab7f-419d-b665-50076cceee60)\n- [Machine Action Overview](#/dashboard/microsoft_defender_endpoint-6a043fee-1e3d-454b-96d1-159e6efce215)\n- **Vulnerability Overview**\n\n**Overview**\n\nThis dashboard is designed to provide a comprehensive view of vulnerability data and affected machine ingested from Microsoft Defender Endpoint.\n\nIt highlights total public and verified exploit counts, trends over time, and the top affected hosts and software. Visuals include severity breakdowns, exploitability level, OS distribution, and essential vulnerability details for deeper analysis.\n\n[Integration Page](/app/integrations/detail/microsoft_defender_endpoint/overview)",
 "openLinksInNewTab": false
 },
 "title": "Table of Contents",
@@ -25,9 +25,8 @@
 }
 },
 "coreMigrationVersion": "8.8.0",
- "created_at": "2025-05-08T08:59:15.497Z",
+ "created_at": "2025-10-09T16:15:52.727Z",
 "id": "microsoft_defender_endpoint-4f3a6702-9642-4392-9b34-ceb1447e09a7",
- "managed": true,
 "references": [],
 "type": "visualization",
 "typeMigrationVersion": "8.5.0"
diff --git a/packages/microsoft_defender_endpoint/manifest.yml b/packages/microsoft_defender_endpoint/manifest.yml
index e72d5f276c0..bd1f6370b80 100644
--- a/packages/microsoft_defender_endpoint/manifest.yml
+++ b/packages/microsoft_defender_endpoint/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.4.0"
 name: microsoft_defender_endpoint
 title: Microsoft Defender for Endpoint
-version: "3.1.2"
+version: "4.0.0"
 description: Collect logs from Microsoft Defender for Endpoint with Elastic Agent.
 categories:
 - security
@@ -12,7 +12,7 @@ categories:
 type: integration
 conditions:
 kibana:
- version: "^8.19.2 || ^9.1.2"
+ version: "^8.19.3 || ^9.1.2"
 policy_templates:
 - name: microsoft_defender_endpoint
 title: Microsoft Defender for Endpoint