Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Vulnerabilities template wrong type for package size #27979

Closed
1 task done
sebasfalcone opened this issue Jan 31, 2025 · 2 comments · Fixed by wazuh/wazuh-indexer#662, #27988, wazuh/wazuh-indexer#663 or wazuh/wazuh-indexer-plugins#259
Closed
1 task done

Vulnerabilities template wrong type for package size #27979

sebasfalcone opened this issue Jan 31, 2025 · 2 comments · Fixed by wazuh/wazuh-indexer#662, #27988, wazuh/wazuh-indexer#663 or wazuh/wazuh-indexer-plugins#259
Assignees
@QU3B1M
Labels
level/task type/bug Something isn't working

Comments

@sebasfalcone
Copy link
Member

sebasfalcone commented Jan 31, 2025
edited by QU3B1M
Loading

Description

While investigating:

It was found that there is an issue with the type used to express the package size for vulnerability events:

wazuh/src/wazuh_modules/vulnerability_scanner/indexer/template/index-template.json

Line 141 in 29263a6

"type": "long"

The type used is long (int 64), when in reality it should be an unsigned long (unit 64)

DoD

  • Template updated
@sebasfalcone sebasfalcone added level/task type/bug Something isn't working labels Jan 31, 2025
@sebasfalcone sebasfalcone mentioned this issue Jan 31, 2025
Closed
5 tasks
@wazuhci wazuhci moved this to Backlog in XDR+SIEM/Release 4.12.0 Feb 3, 2025
@QU3B1M
Copy link
Member

QU3B1M commented Feb 3, 2025
edited
Loading

The field package.size comes from the default ECS fields, we need to override it in order to modify its type, something like this should do the trick:

- name: package
  title: Package
  group: 2
  short: Fields to describe the package relevant to an event.
  description: >
    The package fields describe information about a package that is
    relevant to an event.
  type: group
  fields:
    - name: size
      type: <type>
      level: custom
      description: >
        Size of the package.

The value uint (or unsigned INT) is not compatible with the ECS mappings fields, but the unsigned_long is, so im using that type instead. More info about supported types can be found in the ECS reference

@wazuhci wazuhci moved this from Backlog to In progress in XDR+SIEM/Release 4.12.0 Feb 3, 2025
This was referenced Feb 3, 2025
Merged
Merged
@QU3B1M
Copy link
Member

QU3B1M commented Feb 3, 2025
edited
Loading

PRs with changes applied for 4.12.0:

PRs with changes applied for 5.0.0:

This was linked to pull requests Feb 3, 2025
Update Vulnerability Scanner package.size ECS field to unsigned_long for 4.12.0 wazuh/wazuh-indexer#662
Merged
Update Vulnerability Scanner package.size ECS field to unsigned_long #27988
Merged
@QU3B1M QU3B1M mentioned this issue Feb 3, 2025
Merged
3 tasks
@QU3B1M QU3B1M linked a pull request Feb 3, 2025 that will close this issue
[ECS Generator] Update index templates wazuh/wazuh-indexer-plugins#259
Merged
@wazuhci wazuhci moved this from In progress to Pending review in XDR+SIEM/Release 4.12.0 Feb 3, 2025
@AlexRuiz7 AlexRuiz7 moved this from Pending review to In review in XDR+SIEM/Release 4.12.0 Feb 3, 2025
@AlexRuiz7 AlexRuiz7 moved this from In review to On hold in XDR+SIEM/Release 4.12.0 Feb 3, 2025
@wazuhci wazuhci moved this from On hold to Pending review in XDR+SIEM/Release 4.12.0 Feb 3, 2025
@wazuhci wazuhci moved this from Pending review to Done in XDR+SIEM/Release 4.12.0 Feb 3, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@QU3B1M QU3B1M

Labels
level/task type/bug Something isn't working
Projects
XDR+SIEM/Release 4.12.0
Status: Done
Milestone
No milestone
2 participants
@sebasfalcone @QU3B1M