diff --git a/packages/qualys_vmdr/_dev/deploy/docker/files/config.yml b/packages/qualys_vmdr/_dev/deploy/docker/files/config.yml index d7163a96412..8c86f8fc71f 100644 --- a/packages/qualys_vmdr/_dev/deploy/docker/files/config.yml +++ b/packages/qualys_vmdr/_dev/deploy/docker/files/config.yml @@ -1,6 +1,6 @@ rules: # Initial Request - - path: /api/3.0/fo/asset/host/vm/detection/ + - path: /api/5.0/fo/asset/host/vm/detection/ methods: ['GET'] query_params: action: list @@ -22,7 +22,7 @@ rules: # Response only has host.id = [1,2] because of truncation limit body: |- - + 2023-07-03T06:51:41Z @@ -50,6 +50,7 @@ rules: Confirmed 3 0 + CVE-2023-48161,CVE-2024-21208,CVE-2024-21210,CVE-2024-21217,CVE-2024-21235 Active 2021-02-05T04:50:45Z 2024-03-08T20:15:41Z + Cloud Agent,Internal Scanner + Cloud Agent + lateral-movement, privilege-escalation + Exploitation of Remote Services, Exploitation for Privilege Escalation + TA0008, TA0004 + T1210, T1068 + FIXED 35 @@ -81,11 +89,19 @@ rules: Confirmed 5 0 + CVE-2023-48161,CVE-2024-21208,CVE-2024-21210,CVE-2024-21217,CVE-2024-21235 Active 2021-02-05T04:50:45Z 2024-03-08T20:15:41Z + Cloud Agent,Internal Scanner + Cloud Agent + lateral-movement, privilege-escalation + Exploitation of Remote Services, Exploitation for Privilege Escalation + TA0008, TA0004 + T1210, T1068 + FIXED 95 @@ -132,6 +148,7 @@ rules: Confirmed 3 0 + CVE-2023-48161,CVE-2024-21208,CVE-2024-21210,CVE-2024-21217,CVE-2024-21235 Active 2021-02-05T04:50:45Z 2024-03-08T20:15:41Z + Cloud Agent,Internal Scanner + Cloud Agent + lateral-movement, privilege-escalation + Exploitation of Remote Services, Exploitation for Privilege Escalation + TA0008, TA0004 + T1210, T1068 + FIXED 35 
@@ -163,6 +187,7 @@ rules: Confirmed 5 0 + CVE-2023-48161,CVE-2024-21208,CVE-2024-21210,CVE-2024-21217,CVE-2024-21235 Active 2021-02-05T04:50:45Z 2024-03-08T20:15:41Z + Cloud Agent,Internal Scanner + Cloud Agent + lateral-movement, privilege-escalation + Exploitation of Remote Services, Exploitation for Privilege Escalation + TA0008, TA0004 + T1210, T1068 + FIXED 95 @@ -198,12 +230,12 @@ rules: 1980 1000 record limit exceeded. Use URL to get next batch of results. - + # Pagination request 1 - - path: /api/3.0/fo/asset/host/vm/detection/ + - path: /api/5.0/fo/asset/host/vm/detection/ methods: ['GET'] query_params: action: list @@ -225,7 +257,7 @@ rules: x-ratelimit-remaining: ["299"] body: |- - + 2023-07-03T06:51:41Z @@ -253,11 +285,19 @@ rules: Confirmed 3 0 + CVE-2023-48161,CVE-2024-21208,CVE-2024-21210,CVE-2024-21217,CVE-2024-21235 Active 2021-02-05T04:50:45Z 2024-03-08T20:15:41Z + Cloud Agent,Internal Scanner + Cloud Agent + lateral-movement, privilege-escalation + Exploitation of Remote Services, Exploitation for Privilege Escalation + TA0008, TA0004 + T1210, T1068 + FIXED 35 @@ -280,6 +320,7 @@ rules: Confirmed 5 0 + CVE-2023-48161,CVE-2024-21208,CVE-2024-21210,CVE-2024-21217,CVE-2024-21235 Active 2021-02-05T04:50:45Z 2024-03-08T20:15:41Z + Cloud Agent,Internal Scanner + Cloud Agent + lateral-movement, privilege-escalation + Exploitation of Remote Services, Exploitation for Privilege Escalation + TA0008, TA0004 + T1210, T1068 + FIXED 95 @@ -315,12 +363,12 @@ rules: 1980 2 record limit exceeded. Use URL to get next batch of results. - + # Pagination request 2. Should returns 0 events. - - path: /api/3.0/fo/asset/host/vm/detection/ + - path: /api/5.0/fo/asset/host/vm/detection/ methods: ['GET'] query_params: action: list diff --git a/packages/qualys_vmdr/changelog.yml b/packages/qualys_vmdr/changelog.yml index 4df7d95eb85..94fe78313a8 100644 --- a/packages/qualys_vmdr/changelog.yml +++ b/packages/qualys_vmdr/changelog.yml 
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "6.14.0"
+  changes:
+    - description: Add support for Host Detection API v5.0.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/16436
 - version: "6.13.0"
   changes:
     - description: Add cloudsecurity_cdr sub category label
diff --git a/packages/qualys_vmdr/data_stream/asset_host_detection/_dev/test/pipeline/test-asset-host-detection.log b/packages/qualys_vmdr/data_stream/asset_host_detection/_dev/test/pipeline/test-asset-host-detection.log
index 3474b69a163..9076a5324dd 100644
--- a/packages/qualys_vmdr/data_stream/asset_host_detection/_dev/test/pipeline/test-asset-host-detection.log
+++ b/packages/qualys_vmdr/data_stream/asset_host_detection/_dev/test/pipeline/test-asset-host-detection.log
@@ -5,3 +5,4 @@ {"DETECTION_LIST":{"FIRST_FOUND_DATETIME":"2019-11-06T09:41:57Z","IS_DISABLED":"0","IS_IGNORED":"0","LAST_FOUND_DATETIME":"2019-11-11T23:29:53Z","LAST_PROCESSED_DATETIME":"2019-11-12T15:00:26Z","LAST_TEST_DATETIME":"2019-11-11T23:29:53Z","LAST_UPDATE_DATETIME":"2019-11-12T15:00:26Z","QID":"256716","RESULTS":"Package\tInstalled Version\tRequired Version\nkernel-devel\t3.10.0-1062.1.1.el7.x86_64\t3.10.0-1062.1.2.el7\nkernel\t3.10.0-1062.1.1.el7.x86_64\t3.10.0-1062.1.2.el7","SEVERITY":"4","SSL":"0","STATUS":"Active","TIMES_FOUND":"10","TYPE":"Confirmed","UNIQUE_VULN_ID":"2029338482"},"DNS":"user-staging.example.net","DNS_DATA":{"DOMAIN":"example.net","FQDN":"user-staging.example.net","HOSTNAME":"user-staging"},"ID":"117163093","IP":"81.2.69.192","KNOWLEDGE_BASE":{"CATEGORY":"CentOS","CODE_MODIFIED_DATETIME":"2019-11-04T10:48:40Z","CONSEQUENCE":"This vulnerability could be exploited to gain complete access to sensitive information. Malicious users could also use this vulnerability to change all the contents or configuration on the system. Additionally this vulnerability can also be used to cause a complete denial of service and could render the resource completely unavailable.","CORRELATION":{"EXPLOITS":{"EXPLT_SRC":[{"EXPLT_LIST":{"EXPLT":[{"DESC":"A buffer overflow flaw was found, in versions from 2.6.34 to 5.2.x, in the way Linux kernel's vhost functionality that translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. 
A privileged guest user able to pass descriptors with invalid length to the host when migration is underway, could use this flaw to increase their privileges on the host.","LINK":"https://www.openwall.com/lists/oss-security/2019/09/17/1","REF":"CVE-2019-14835"}]},"SRC_NAME":"nist-nvd2"},{"EXPLT_LIST":{"EXPLT":[{"DESC":"A buffer overflow flaw was found, in versions from 2.6.34 to 5.2.x, in the way Linux kernel's vhost functionality that translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. A privileged guest user able to pass descriptors with invalid length to the host when migration is underway, could use this flaw to increase their privileges on the host.","LINK":"https://www.openwall.com/lists/oss-security/2019/09/17/1","REF":"CVE-2019-14835"}]},"SRC_NAME":"nvd"}]}},"CVE_LIST":["CVE-2019-14835"],"CVSS":{"BASE":"7.2","TEMPORAL":"5.6","VECTOR_STRING":"CVSS:2.0/AV:L/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C"},"CVSS_V3":{"BASE":"7.8","CVSS3_VERSION":"3.1","TEMPORAL":"7.0","VECTOR_STRING":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C"},"DIAGNOSIS":"CentOS has released security update for kernel to fix the vulnerabilities.

Affected Products:

centos 7","DISCOVERY":{"ADDITIONAL_INFO":"Patch Available, Exploit Available","AUTH_TYPE_LIST":{"AUTH_TYPE":["Unix"]},"REMOTE":"0"},"LAST_SERVICE_MODIFICATION_DATETIME":"2024-03-01T00:00:02Z","PATCHABLE":"1","PATCH_PUBLISHED_DATE":"2024-02-24T00:00:00Z","PCI_FLAG":"1","PUBLISHED_DATETIME":"2019-11-04T10:48:40Z","QID":"256716","SEVERITY_LEVEL":"4","SOFTWARE_LIST":{"SOFTWARE":[{"PRODUCT":"kernel","VENDOR":"centos"}]},"SOLUTION":"To resolve this issue, upgrade to the latest packages which contain a patch. Refer to CentOS advisory centos 7 for updates and patch information.\n

Patch:
\nFollowing are links for downloading patches to fix the vulnerabilities:\n

CESA-2019:2829:centos 7","THREAT_INTELLIGENCE":{"THREAT_INTEL":[{"#text":"Exploit_Public","id":"2"},{"#text":"High_Lateral_Movement","id":"4"},{"#text":"Easy_Exploit","id":"5"},{"#text":"High_Data_Loss","id":"6"},{"#text":"Denial_of_Service","id":"7"}]},"TITLE":"CentOS Security Update for kernel (CESA-2019:2829)","VENDOR_REFERENCE_LIST":{"VENDOR_REFERENCE":[{"ID":"CESA-2019:2829 centos 7","URL":"https://lists.centos.org/pipermail/centos-announce/2019-October/023457.html"}]},"VULN_TYPE":"Vulnerability"},"LAST_PC_SCANNED_DATE":"2019-11-11T22:25:02Z","LAST_SCAN_DATETIME":"2019-11-12T15:00:26Z","LAST_VM_AUTH_SCANNED_DATE":"2019-11-11T23:29:53Z","LAST_VM_SCANNED_DATE":"2019-11-11T23:29:53Z","NETWORK_ID":"0","OS":"CentOS Linux 7.4.1708","QG_HOSTID":"19260abb-8547-467e-928d-73c13f13ea3c","TRACKING_METHOD":"AGENT"} {"interval_id":"9d69b1dc-abcd-4946-1234-577abcdef843","interval_start":"2025-06-10T14:29:00Z","DETECTION_LIST":{"FIRST_FOUND_DATETIME":"2019-11-06T09:41:57Z","IS_DISABLED":"0","IS_IGNORED":"0","LAST_FOUND_DATETIME":"2019-11-11T23:29:53Z","LAST_PROCESSED_DATETIME":"2019-11-12T15:00:26Z","LAST_TEST_DATETIME":"2019-11-11T23:29:53Z","LAST_UPDATE_DATETIME":"2019-11-12T15:00:26Z","QID":"212346","RESULTS":"Package\tInstalled Version\tRequired Version\nkernel-devel\t3.10.0-1062.1.1.el7.x86_64\t3.10.0-1062.1.2.el7\nkernel\t3.10.0-1062.1.1.el7.x86_64\t3.10.0-1062.1.2.el7","SEVERITY":"4","SSL":"0","STATUS":"Active","TIMES_FOUND":"10","TYPE":"Confirmed","UNIQUE_VULN_ID":"2012345682"},"DNS":"user-staging.example.net","DNS_DATA":{"DOMAIN":"example.net","FQDN":"user-staging.example.net","HOSTNAME":"user-staging"},"ID":"111234563","IP":"175.16.199.1","KNOWLEDGE_BASE":{"CATEGORY":"CentOS","CODE_MODIFIED_DATETIME":"2019-11-04T10:48:40Z","CONSEQUENCE":"This vulnerability could be exploited to gain complete access to sensitive information. Malicious users could also use this vulnerability to change all the contents or configuration on the system. 
Additionally this vulnerability can also be used to cause a complete denial of service and could render the resource completely unavailable.","CORRELATION":{"EXPLOITS":{"EXPLT_SRC":[{"EXPLT_LIST":{"EXPLT":[{"DESC":"A buffer overflow flaw was found, in versions from 2.6.34 to 5.2.x, in the way Linux kernel's vhost functionality that translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. A privileged guest user able to pass descriptors with invalid length to the host when migration is underway, could use this flaw to increase their privileges on the host.","LINK":"https://www.openwall.com/lists/oss-security/2019/09/17/1","REF":"CVE-2019-14835"}]},"SRC_NAME":"nist-nvd2"},{"EXPLT_LIST":{"EXPLT":[{"DESC":"A buffer overflow flaw was found, in versions from 2.6.34 to 5.2.x, in the way Linux kernel's vhost functionality that translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. A privileged guest user able to pass descriptors with invalid length to the host when migration is underway, could use this flaw to increase their privileges on the host.","LINK":"https://www.openwall.com/lists/oss-security/2019/09/17/1","REF":"CVE-2019-14835"}]},"SRC_NAME":"nvd"}]}},"CVE_LIST":["CVE-2019-14835"],"CVSS":{"BASE":"7.2","TEMPORAL":"5.6","VECTOR_STRING":"CVSS:2.0/AV:L/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C"},"DIAGNOSIS":"CentOS has released security update for kernel to fix the vulnerabilities.

Affected Products:

centos 7","DISCOVERY":{"ADDITIONAL_INFO":"Patch Available, Exploit Available","AUTH_TYPE_LIST":{"AUTH_TYPE":["Unix"]},"REMOTE":"0"},"LAST_SERVICE_MODIFICATION_DATETIME":"2024-05-01T00:00:02Z","PATCHABLE":"1","PCI_FLAG":"1","PUBLISHED_DATETIME":"2019-11-04T10:48:40Z","QID":"212346","SEVERITY_LEVEL":"4","SOFTWARE_LIST":{"SOFTWARE":[{"PRODUCT":"kernel","VENDOR":"centos"}]},"SOLUTION":"To resolve this issue, upgrade to the latest packages which contain a patch. Refer to CentOS advisory centos 7 for updates and patch information.\n

Patch:
\nFollowing are links for downloading patches to fix the vulnerabilities:\n

CESA-2019:2829:centos 7","THREAT_INTELLIGENCE":{"THREAT_INTEL":[{"#text":"Exploit_Public","id":"2"},{"#text":"High_Lateral_Movement","id":"4"},{"#text":"Easy_Exploit","id":"5"},{"#text":"High_Data_Loss","id":"6"},{"#text":"Denial_of_Service","id":"7"}]},"TITLE":"CentOS Security Update for kernel (CESA-2019:2829)","VENDOR_REFERENCE_LIST":{"VENDOR_REFERENCE":[{"ID":"CESA-2019:2829 centos 7","URL":"https://lists.centos.org/pipermail/centos-announce/2019-October/023457.html"}]},"VULN_TYPE":"Vulnerability"},"LAST_PC_SCANNED_DATE":"2019-11-11T22:25:02Z","LAST_SCAN_DATETIME":"2019-11-12T15:00:26Z","LAST_VM_AUTH_SCANNED_DATE":"2019-11-11T23:29:53Z","LAST_VM_SCANNED_DATE":"2019-11-11T23:29:53Z","NETWORK_ID":"0","OS":"CentOS Linux 7.4.1708","QG_HOSTID":"19260abb-1234-5678-9012-73cabcdefa3c","TRACKING_METHOD":"AGENT"} {"DETECTION_LIST":{"FIRST_FOUND_DATETIME":"2025-07-22T19:57:38Z","IS_DISABLED":"0","IS_IGNORED":"0","LAST_FOUND_DATETIME":"2025-07-24T09:57:38Z","LAST_PROCESSED_DATETIME":"2025-07-24T09:57:38Z","LAST_TEST_DATETIME":"2025-07-24T09:57:38Z","LAST_UPDATE_DATETIME":"2025-07-24T09:57:38Z","QDS":{"#text":"35","severity":"LOW"},"QDS_FACTORS":{"QDS_FACTOR":[{"#text":"No_Patch,High_Data_Loss,High_Lateral_Movement","name":"RTI"},{"#text":"7.3","name":"CVSS"},{"#text":"v2","name":"CVSS_version"},{"#text":"3.0","name":"QID_severity"}]},"QID":"12345","RESULTS":"HKLM\\System\\CurrentControlSet\\Services\\LanManWorkstation\\Parameters requiresecuritysignature = 0","SEVERITY":"3","SSL":"0","STATUS":"Active","TIMES_FOUND":"4","TYPE":"Confirmed","UNIQUE_VULN_ID":"10123456787"},"DNS":"es-pabcde02","DNS_DATA":{"DOMAIN":"","FQDN":"","HOSTNAME":"es-pabcde02"},"ID":"1123456787","IP":"1.128.0.1","KNOWLEDGE_BASE":{"CATEGORY":"Windows","CODE_MODIFIED_DATETIME":"2023-04-26T06:24:46Z","CONSEQUENCE":"Unauthorized users sniffing the network could catch many challenge/response exchanges and replay the whole thing to grab particular session keys, and then authenticate on the Domain 
Controller.","CVE_LIST":[],"CVSS":{"BASE":{"#text":"7.3","source":"service"},"TEMPORAL":"5.9","VECTOR_STRING":"CVSS:2.0/AV:A/AC:M/Au:N/C:C/I:C/A:N/E:U/RL:W/RC:C"},"DIAGNOSIS":"This host does not seem to be using SMB (Server Message Block) signing. SMB signing is a security mechanism in the SMB protocol and is also known as security signatures. SMB signing is designed to help improve the security of the SMB protocol.\n

\nSMB signing adds security to a network using NetBIOS, avoiding man-in-the-middle attacks.\n

\nWhen SMB signing is enabled on both the client and server SMB sessions are authenticated between the machines on a packet by packet basis.

\n\nQID Detection Logic:
\nThis checks from the registry value of RequireSecuritySignature and EnableSecuritySignature from HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LanmanWorkStation\\Parameters for client and HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LanmanServer\\Parameters for servers to check if SMB signing is required or enabled or disabled.

\n\nNote: On 5/28/2020 the QID was updated to check for client SMB signing behavior via the registry key HKEY_LOCAL_MACHINE\\SystemCurrent\\ControlSetServices\\LanmanWorkStation\\Parameters. The complete detection logic is explained above.

","DISCOVERY":{"AUTH_TYPE_LIST":{"AUTH_TYPE":["Windows"]},"REMOTE":"1"},"LAST_SERVICE_MODIFICATION_DATETIME":"2024-10-25T05:00:01Z","PATCHABLE":"0","PCI_FLAG":"1","PUBLISHED_DATETIME":"1999-01-01T08:00:00Z","QID":"12345","SEVERITY_LEVEL":"3","SOFTWARE_LIST":{"SOFTWARE":[{"PRODUCT":"smb","VENDOR":"multi-vendor"}]},"SOLUTION":"Without SMB signing, a device could intercept SMB network packets from an originating computer, alter their contents, and broadcast them to the destination computer. Since, digitally signing the packets enables the recipient of the packets to confirm their point of origination and their authenticity, it is recommended that SMB signing is enabled and required.\n

\nPlease refer to Microsoft's article 887429 and The Basics of SMB Signing (covering both SMB1 and SMB2) for information on enabling SMB signing. \n

\nFor Windows Server 2008 R2, Windows Server 2012, please refer to Microsoft's article Require SMB Security Signatures for information on enabling SMB signing. For group policies please refer to Microsoft's article Modify Security Policies in Default Domain Controllers Policy\n

\nFor UNIX systems

\n\nTo require samba clients running "smbclient" to use packet signing, add the following to the "[global]" section of the Samba configuration file:

\n\nclient signing = mandatory\n

","THREAT_INTELLIGENCE":{"THREAT_INTEL":[{"#text":"High_Lateral_Movement","id":"4"},{"#text":"High_Data_Loss","id":"6"},{"#text":"No_Patch","id":"8"}]},"TITLE":"SMB Signing Disabled or SMB Signing Not Required","VULN_TYPE":"Vulnerability"},"LAST_SCAN_DATETIME":"2025-07-24T09:57:38Z","LAST_VM_AUTH_SCANNED_DATE":"2025-07-24T09:57:38Z","LAST_VM_SCANNED_DATE":"2025-07-24T09:57:38Z","LAST_VM_SCANNED_DURATION":"175","NETBIOS":"ES-pabcde02","NETWORK_ID":"0","OS":"Windows 11 Pro 64 bit Edition Version 22H2","QG_HOSTID":"69abcde8-1234-4134-5678-19abcdeffa0a","TRACKING_METHOD":"AGENT","interval_id":"f10d9ca1-1234-4e4f-9546-f4ab94dc901d","interval_start":"2025-07-24T13:19:37.031904353Z"} +{"DETECTION_LIST":{"CVE":"CVE-2023-48161,CVE-2024-21208,CVE-2024-21210,CVE-2024-21217,CVE-2024-21235","FIRST_FOUND_DATETIME":"2025-11-22T19:57:38Z","IS_DISABLED":"0","IS_IGNORED":"0","LAST_FOUND_DATETIME":"2025-11-24T09:57:38Z","LAST_PROCESSED_DATETIME":"2025-11-24T09:57:38Z","LAST_TEST_DATETIME":"2025-11-24T09:57:38Z","LAST_UPDATE_DATETIME":"2025-11-24T09:57:38Z","LATEST_VULNERABILITY_DETECTION_SOURCE":"Cloud Agent","MITRE_TACTIC_NAME":"lateral-movement, privilege-escalation","MITRE_TECHNIQUE_NAME":"Exploitation of Remote Services, Exploitation for Privilege Escalation","MITRE_TACTIC_ID":"TA0008, TA0004","MITRE_TECHNIQUE_ID":"T1210, T1068","QDS":{"#text":"35","severity":"LOW"},"QDS_FACTORS":{"QDS_FACTOR":[{"#text":"No_Patch,High_Data_Loss,High_Lateral_Movement","name":"RTI"},{"#text":"7.3","name":"CVSS"},{"#text":"v2","name":"CVSS_version"},{"#text":"3.0","name":"QID_severity"}]},"QID":"33335","RESULTS":"HKLM\\System\\CurrentControlSet\\Services\\LanManWorkstation\\Parameters requiresecuritysignature = 0","SEVERITY":"3","SSL":"0","STATUS":"Active","TIMES_FOUND":"4","TYPE":"Confirmed","UNIQUE_VULN_ID":"10333356787","VULNERABILITY_DETECTION_SOURCES":"Cloud Agent,Internal 
Scanner"},"DNS":"es-abcde03","DNS_DATA":{"DOMAIN":"","FQDN":"","HOSTNAME":"es-abcde03"},"ID":"1333356787","IP":"1.128.0.1","KNOWLEDGE_BASE":{"CATEGORY":"Windows","CODE_MODIFIED_DATETIME":"2023-04-26T06:24:46Z","CONSEQUENCE":"Unauthorized users sniffing the network could catch many challenge/response exchanges and replay the whole thing to grab particular session keys, and then authenticate on the Domain Controller.","CVE_LIST":[],"CVSS":{"BASE":{"#text":"7.3","source":"service"},"TEMPORAL":"5.9","VECTOR_STRING":"CVSS:2.0/AV:A/AC:M/Au:N/C:C/I:C/A:N/E:U/RL:W/RC:C"},"DIAGNOSIS":"This host does not seem to be using SMB (Server Message Block) signing. SMB signing is a security mechanism in the SMB protocol and is also known as security signatures. SMB signing is designed to help improve the security of the SMB protocol.\n

\nSMB signing adds security to a network using NetBIOS, avoiding man-in-the-middle attacks.\n

\nWhen SMB signing is enabled on both the client and server SMB sessions are authenticated between the machines on a packet by packet basis.

\n\nQID Detection Logic:
\nThis checks from the registry value of RequireSecuritySignature and EnableSecuritySignature from HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LanmanWorkStation\\Parameters for client and HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LanmanServer\\Parameters for servers to check if SMB signing is required or enabled or disabled.

\n\nNote: On 5/28/2020 the QID was updated to check for client SMB signing behavior via the registry key HKEY_LOCAL_MACHINE\\SystemCurrent\\ControlSetServices\\LanmanWorkStation\\Parameters. The complete detection logic is explained above.

","DISCOVERY":{"AUTH_TYPE_LIST":{"AUTH_TYPE":["Windows"]},"REMOTE":"1"},"LAST_SERVICE_MODIFICATION_DATETIME":"2024-10-25T05:00:01Z","PATCHABLE":"0","PCI_FLAG":"1","PUBLISHED_DATETIME":"1999-01-01T08:00:00Z","QID":"33335","SEVERITY_LEVEL":"3","SOFTWARE_LIST":{"SOFTWARE":[{"PRODUCT":"smb","VENDOR":"multi-vendor"}]},"SOLUTION":"Without SMB signing, a device could intercept SMB network packets from an originating computer, alter their contents, and broadcast them to the destination computer. Since, digitally signing the packets enables the recipient of the packets to confirm their point of origination and their authenticity, it is recommended that SMB signing is enabled and required.\n

\nPlease refer to Microsoft's article 887429 and The Basics of SMB Signing (covering both SMB1 and SMB2) for information on enabling SMB signing. \n

\nFor Windows Server 2008 R2, Windows Server 2012, please refer to Microsoft's article Require SMB Security Signatures for information on enabling SMB signing. For group policies please refer to Microsoft's article Modify Security Policies in Default Domain Controllers Policy\n

\nFor UNIX systems

\n\nTo require samba clients running "smbclient" to use packet signing, add the following to the "[global]" section of the Samba configuration file:

\n\nclient signing = mandatory\n

","THREAT_INTELLIGENCE":{"THREAT_INTEL":[{"#text":"High_Lateral_Movement","id":"4"},{"#text":"High_Data_Loss","id":"6"},{"#text":"No_Patch","id":"8"}]},"TITLE":"SMB Signing Disabled or SMB Signing Not Required","VULN_TYPE":"Vulnerability"},"LAST_SCAN_DATETIME":"2025-11-24T09:57:38Z","LAST_VM_AUTH_SCANNED_DATE":"2025-11-24T09:57:38Z","LAST_VM_SCANNED_DATE":"2025-11-24T09:57:38Z","LAST_VM_SCANNED_DURATION":"175","NETBIOS":"ES-abcde03","NETWORK_ID":"0","OS":"Windows 11 Pro 64 bit Edition Version 22H2","QG_HOSTID":"69abcde8-3333-4134-5678-19abcdeffa0a","TRACKING_METHOD":"AGENT","interval_id":"f10d9ab1-3333-4e4f-9546-f4ab94dc901d","interval_start":"2025-11-24T13:19:37.031904353Z"} diff --git a/packages/qualys_vmdr/data_stream/asset_host_detection/_dev/test/pipeline/test-asset-host-detection.log-expected.json b/packages/qualys_vmdr/data_stream/asset_host_detection/_dev/test/pipeline/test-asset-host-detection.log-expected.json index f902ed1c7f4..7ea71664bf7 100644 --- a/packages/qualys_vmdr/data_stream/asset_host_detection/_dev/test/pipeline/test-asset-host-detection.log-expected.json +++ b/packages/qualys_vmdr/data_stream/asset_host_detection/_dev/test/pipeline/test-asset-host-detection.log-expected.json 
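Review bot: The added v5.0 sample record exercises `CVE`, `LATEST_VULNERABILITY_DETECTION_SOURCE`, `VULNERABILITY_DETECTION_SOURCES` and the `MITRE_*` fields, but not the element whose value is `FIXED` that the docker mock response in `_dev/deploy/docker/files/config.yml` adds to every detection in this same commit, so the pipeline's handling of that element has no expected output. Adding it to this record, or adding a second record that carries it, would keep the pipeline test aligned with the system-test fixture. The record also pairs a populated `DETECTION_LIST.CVE` with an empty `KNOWLEDGE_BASE.CVE_LIST`; a sample where both are non-empty would show how the two CVE sources are reconciled in the output.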
@@ -2656,6 +2656,229 @@ "severity": "High", "title": "SMB Signing Disabled or SMB Signing Not Required" } + }, + { + "cloud": { + "instance": { + "name": "es-abcde03" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "id": "10333356787", + "kind": "alert", + "original": "{\"DETECTION_LIST\":{\"CVE\":\"CVE-2023-48161,CVE-2024-21208,CVE-2024-21210,CVE-2024-21217,CVE-2024-21235\",\"FIRST_FOUND_DATETIME\":\"2025-11-22T19:57:38Z\",\"IS_DISABLED\":\"0\",\"IS_IGNORED\":\"0\",\"LAST_FOUND_DATETIME\":\"2025-11-24T09:57:38Z\",\"LAST_PROCESSED_DATETIME\":\"2025-11-24T09:57:38Z\",\"LAST_TEST_DATETIME\":\"2025-11-24T09:57:38Z\",\"LAST_UPDATE_DATETIME\":\"2025-11-24T09:57:38Z\",\"LATEST_VULNERABILITY_DETECTION_SOURCE\":\"Cloud Agent\",\"MITRE_TACTIC_NAME\":\"lateral-movement, privilege-escalation\",\"MITRE_TECHNIQUE_NAME\":\"Exploitation of Remote Services, Exploitation for Privilege Escalation\",\"MITRE_TACTIC_ID\":\"TA0008, TA0004\",\"MITRE_TECHNIQUE_ID\":\"T1210, T1068\",\"QDS\":{\"#text\":\"35\",\"severity\":\"LOW\"},\"QDS_FACTORS\":{\"QDS_FACTOR\":[{\"#text\":\"No_Patch,High_Data_Loss,High_Lateral_Movement\",\"name\":\"RTI\"},{\"#text\":\"7.3\",\"name\":\"CVSS\"},{\"#text\":\"v2\",\"name\":\"CVSS_version\"},{\"#text\":\"3.0\",\"name\":\"QID_severity\"}]},\"QID\":\"33335\",\"RESULTS\":\"HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\LanManWorkstation\\\\Parameters requiresecuritysignature = 0\",\"SEVERITY\":\"3\",\"SSL\":\"0\",\"STATUS\":\"Active\",\"TIMES_FOUND\":\"4\",\"TYPE\":\"Confirmed\",\"UNIQUE_VULN_ID\":\"10333356787\",\"VULNERABILITY_DETECTION_SOURCES\":\"Cloud Agent,Internal Scanner\"},\"DNS\":\"es-abcde03\",\"DNS_DATA\":{\"DOMAIN\":\"\",\"FQDN\":\"\",\"HOSTNAME\":\"es-abcde03\"},\"ID\":\"1333356787\",\"IP\":\"1.128.0.1\",\"KNOWLEDGE_BASE\":{\"CATEGORY\":\"Windows\",\"CODE_MODIFIED_DATETIME\":\"2023-04-26T06:24:46Z\",\"CONSEQUENCE\":\"Unauthorized users sniffing the network could catch many challenge/response 
exchanges and replay the whole thing to grab particular session keys, and then authenticate on the Domain Controller.\",\"CVE_LIST\":[],\"CVSS\":{\"BASE\":{\"#text\":\"7.3\",\"source\":\"service\"},\"TEMPORAL\":\"5.9\",\"VECTOR_STRING\":\"CVSS:2.0/AV:A/AC:M/Au:N/C:C/I:C/A:N/E:U/RL:W/RC:C\"},\"DIAGNOSIS\":\"This host does not seem to be using SMB (Server Message Block) signing. SMB signing is a security mechanism in the SMB protocol and is also known as security signatures. SMB signing is designed to help improve the security of the SMB protocol.\\n

\\nSMB signing adds security to a network using NetBIOS, avoiding man-in-the-middle attacks.\\n

\\nWhen SMB signing is enabled on both the client and server SMB sessions are authenticated between the machines on a packet by packet basis.

\\n\\nQID Detection Logic:
\\nThis checks from the registry value of RequireSecuritySignature and EnableSecuritySignature from HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\LanmanWorkStation\\\\Parameters for client and HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\LanmanServer\\\\Parameters for servers to check if SMB signing is required or enabled or disabled.

\\n\\nNote: On 5/28/2020 the QID was updated to check for client SMB signing behavior via the registry key HKEY_LOCAL_MACHINE\\\\SystemCurrent\\\\ControlSetServices\\\\LanmanWorkStation\\\\Parameters. The complete detection logic is explained above.

\",\"DISCOVERY\":{\"AUTH_TYPE_LIST\":{\"AUTH_TYPE\":[\"Windows\"]},\"REMOTE\":\"1\"},\"LAST_SERVICE_MODIFICATION_DATETIME\":\"2024-10-25T05:00:01Z\",\"PATCHABLE\":\"0\",\"PCI_FLAG\":\"1\",\"PUBLISHED_DATETIME\":\"1999-01-01T08:00:00Z\",\"QID\":\"33335\",\"SEVERITY_LEVEL\":\"3\",\"SOFTWARE_LIST\":{\"SOFTWARE\":[{\"PRODUCT\":\"smb\",\"VENDOR\":\"multi-vendor\"}]},\"SOLUTION\":\"Without SMB signing, a device could intercept SMB network packets from an originating computer, alter their contents, and broadcast them to the destination computer. Since, digitally signing the packets enables the recipient of the packets to confirm their point of origination and their authenticity, it is recommended that SMB signing is enabled and required.\\n

\\nPlease refer to Microsoft's article 887429 and The Basics of SMB Signing (covering both SMB1 and SMB2) for information on enabling SMB signing. \\n

\\nFor Windows Server 2008 R2, Windows Server 2012, please refer to Microsoft's article Require SMB Security Signatures for information on enabling SMB signing. For group policies please refer to Microsoft's article Modify Security Policies in Default Domain Controllers Policy\\n

\\nFor UNIX systems

\\n\\nTo require samba clients running "smbclient" to use packet signing, add the following to the "[global]" section of the Samba configuration file:

\\n\\nclient signing = mandatory\\n

\",\"THREAT_INTELLIGENCE\":{\"THREAT_INTEL\":[{\"#text\":\"High_Lateral_Movement\",\"id\":\"4\"},{\"#text\":\"High_Data_Loss\",\"id\":\"6\"},{\"#text\":\"No_Patch\",\"id\":\"8\"}]},\"TITLE\":\"SMB Signing Disabled or SMB Signing Not Required\",\"VULN_TYPE\":\"Vulnerability\"},\"LAST_SCAN_DATETIME\":\"2025-11-24T09:57:38Z\",\"LAST_VM_AUTH_SCANNED_DATE\":\"2025-11-24T09:57:38Z\",\"LAST_VM_SCANNED_DATE\":\"2025-11-24T09:57:38Z\",\"LAST_VM_SCANNED_DURATION\":\"175\",\"NETBIOS\":\"ES-abcde03\",\"NETWORK_ID\":\"0\",\"OS\":\"Windows 11 Pro 64 bit Edition Version 22H2\",\"QG_HOSTID\":\"69abcde8-3333-4134-5678-19abcdeffa0a\",\"TRACKING_METHOD\":\"AGENT\",\"interval_id\":\"f10d9ab1-3333-4e4f-9546-f4ab94dc901d\",\"interval_start\":\"2025-11-24T13:19:37.031904353Z\"}", + "type": [ + "info" + ] + }, + "host": { + "domain": "ES-abcde03", + "hostname": "es-abcde03", + "id": "1333356787", + "ip": [ + "1.128.0.1" + ], + "name": "es-abcde03", + "os": { + "full": "Windows 11 Pro 64 bit Edition Version 22H2", + "platform": "windows", + "type": "windows" + } + }, + "observer": { + "vendor": "Qualys VMDR" + }, + "qualys_vmdr": { + "asset_host_detection": { + "dns": "es-abcde03", + "dns_data": { + "hostname": "es-abcde03" + }, + "id": "1333356787", + "interval_id": "f10d9ab1-3333-4e4f-9546-f4ab94dc901d", + "interval_start": "2025-11-24T13:19:37.031Z", + "ip": "1.128.0.1", + "knowledge_base": { + "category": "Windows", + "consequence": { + "value": "Unauthorized users sniffing the network could catch many challenge/response exchanges and replay the whole thing to grab particular session keys, and then authenticate on the Domain Controller." + }, + "cvss": { + "base_obj": { + "#text": "7.3", + "source": "service" + }, + "temporal": "5.9", + "vector_string": "CVSS:2.0/AV:A/AC:M/Au:N/C:C/I:C/A:N/E:U/RL:W/RC:C" + }, + "diagnosis": { + "value": "This host does not seem to be using SMB (Server Message Block) signing. 
SMB signing is a security mechanism in the SMB protocol and is also known as security signatures. SMB signing is designed to help improve the security of the SMB protocol.\n

\nSMB signing adds security to a network using NetBIOS, avoiding man-in-the-middle attacks.\n

\nWhen SMB signing is enabled on both the client and server SMB sessions are authenticated between the machines on a packet by packet basis.

\n\nQID Detection Logic:
\nThis checks from the registry value of RequireSecuritySignature and EnableSecuritySignature from HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LanmanWorkStation\\Parameters for client and HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LanmanServer\\Parameters for servers to check if SMB signing is required or enabled or disabled.

\n\nNote: On 5/28/2020 the QID was updated to check for client SMB signing behavior via the registry key HKEY_LOCAL_MACHINE\\SystemCurrent\\ControlSetServices\\LanmanWorkStation\\Parameters. The complete detection logic is explained above.

" + }, + "discovery": { + "auth_type_list": { + "value": [ + "Windows" + ] + }, + "remote": 1 + }, + "last": { + "service_modification_datetime": "2024-10-25T05:00:01.000Z" + }, + "patchable": false, + "pci_flag": true, + "published_datetime": "1999-01-01T08:00:00.000Z", + "qid": "33335", + "severity_level": "Serious", + "software_list": [ + { + "product": "smb", + "vendor": "multi-vendor" + } + ], + "solution": { + "value": "Without SMB signing, a device could intercept SMB network packets from an originating computer, alter their contents, and broadcast them to the destination computer. Since, digitally signing the packets enables the recipient of the packets to confirm their point of origination and their authenticity, it is recommended that SMB signing is enabled and required.\n

\nPlease refer to Microsoft's article 887429 and The Basics of SMB Signing (covering both SMB1 and SMB2) for information on enabling SMB signing. \n

\nFor Windows Server 2008 R2, Windows Server 2012, please refer to Microsoft's article Require SMB Security Signatures for information on enabling SMB signing. For group policies please refer to Microsoft's article Modify Security Policies in Default Domain Controllers Policy\n

\nFor UNIX systems

\n\nTo require samba clients running "smbclient" to use packet signing, add the following to the "[global]" section of the Samba configuration file:

\n\nclient signing = mandatory\n

" + }, + "threat_intelligence": { + "intel": [ + { + "id": "4", + "text": "High_Lateral_Movement" + }, + { + "id": "6", + "text": "High_Data_Loss" + }, + { + "id": "8", + "text": "No_Patch" + } + ] + }, + "title": "SMB Signing Disabled or SMB Signing Not Required", + "vuln_type": "Vulnerability" + }, + "last_scan_datetime": "2025-11-24T09:57:38.000Z", + "last_vm_auth_scanned_date": "2025-11-24T09:57:38.000Z", + "last_vm_scanned_date": "2025-11-24T09:57:38.000Z", + "last_vm_scanned_duration": 175, + "netbios": "ES-abcde03", + "network_id": "0", + "os": "Windows 11 Pro 64 bit Edition Version 22H2", + "qg_hostid": "69abcde8-3333-4134-5678-19abcdeffa0a", + "tracking_method": "AGENT", + "vulnerability": { + "cve": [ + "CVE-2023-48161", + "CVE-2024-21208", + "CVE-2024-21210", + "CVE-2024-21217", + "CVE-2024-21235" + ], + "first_found_datetime": "2025-11-22T19:57:38.000Z", + "is_disabled": false, + "is_ignored": false, + "last_found_datetime": "2025-11-24T09:57:38.000Z", + "last_processed_datetime": "2025-11-24T09:57:38.000Z", + "last_test_datetime": "2025-11-24T09:57:38.000Z", + "last_update_datetime": "2025-11-24T09:57:38.000Z", + "latest_vulnerability_detection_source": "Cloud Agent", + "mitre_tactic_id": [ + "TA0008", + "TA0004" + ], + "mitre_tactic_name": [ + "lateral-movement", + "privilege-escalation" + ], + "mitre_technique_id": [ + "T1210", + "T1068" + ], + "mitre_technique_name": [ + "Exploitation of Remote Services", + "Exploitation for Privilege Escalation" + ], + "qds": { + "score": 35, + "severity": "LOW" + }, + "qds_factors": [ + { + "name": "RTI", + "text": "No_Patch,High_Data_Loss,High_Lateral_Movement" + }, + { + "name": "CVSS", + "text": "7.3" + }, + { + "name": "CVSS_version", + "text": "v2" + }, + { + "name": "QID_severity", + "text": "3.0" + } + ], + "qid": 33335, + "results": "HKLM\\System\\CurrentControlSet\\Services\\LanManWorkstation\\Parameters requiresecuritysignature = 0", + "severity": 3, + "ssl": "0", + "status": "Active", + "times_found": 
4, + "type": "Confirmed", + "unique_vuln_id": "10333356787", + "vulnerability_detection_sources": [ + "Cloud Agent", + "Internal Scanner" + ] + } + } + }, + "related": { + "hosts": [ + "es-abcde03", + "1333356787", + "ES-abcde03", + "69abcde8-3333-4134-5678-19abcdeffa0a" + ], + "ip": [ + "1.128.0.1" + ] + }, + "resource": { + "id": "1333356787", + "name": "es-abcde03" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "provider_cloud_data" + ], + "vulnerability": { + "category": [ + "Windows" + ], + "classification": "CVSS", + "description": "This host does not seem to be using SMB (Server Message Block) signing. SMB signing is a security mechanism in the SMB protocol and is also known as security signatures. SMB signing is designed to help improve the security of the SMB protocol.\n

\nSMB signing adds security to a network using NetBIOS, avoiding man-in-the-middle attacks.\n

\nWhen SMB signing is enabled on both the client and server SMB sessions are authenticated between the machines on a packet by packet basis.

\n\nQID Detection Logic:
\nThis checks from the registry value of RequireSecuritySignature and EnableSecuritySignature from HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LanmanWorkStation\\Parameters for client and HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LanmanServer\\Parameters for servers to check if SMB signing is required or enabled or disabled.

\n\nNote: On 5/28/2020 the QID was updated to check for client SMB signing behavior via the registry key HKEY_LOCAL_MACHINE\\SystemCurrent\\ControlSetServices\\LanmanWorkStation\\Parameters. The complete detection logic is explained above.

", + "enumeration": "CVE", + "scanner": { + "vendor": "Qualys" + }, + "score": { + "base": 7.3, + "version": "2.0" + }, + "severity": "High", + "title": "SMB Signing Disabled or SMB Signing Not Required" + } } ] } diff --git a/packages/qualys_vmdr/data_stream/asset_host_detection/agent/stream/input.yml.hbs b/packages/qualys_vmdr/data_stream/asset_host_detection/agent/stream/input.yml.hbs index 07c8aacbc0e..5bd7d810dce 100644 --- a/packages/qualys_vmdr/data_stream/asset_host_detection/agent/stream/input.yml.hbs +++ b/packages/qualys_vmdr/data_stream/asset_host_detection/agent/stream/input.yml.hbs @@ -42,7 +42,7 @@ program: | state.?want_more.orValue(false) ? state.next_page.link : - state.url.trim_right("/") + "/api/3.0/fo/asset/host/vm/detection/?" + + state.url.trim_right("/") + "/api/5.0/fo/asset/host/vm/detection/?" + state.?params.orValue("").parse_query().with({ "action": ["list"], "show_igs": [state.show_igs? "1" : "0"], @@ -125,7 +125,7 @@ program: | "error": { "code": string(resp.StatusCode), "id": string(resp.Status), - "message": "GET "+state.url.trim_right("/") + "/api/3.0/fo/asset/host/vm/detection/: "+( + "message": "GET "+state.url.trim_right("/") + "/api/5.0/fo/asset/host/vm/detection/: "+( size(resp.Body) != 0 ? string(resp.Body) : @@ -597,6 +597,7 @@ xsd: + @@ -625,6 +626,14 @@ xsd: + + + + + + + + @@ -687,10 +696,18 @@ xsd: + + + + + + + + @@ -730,6 +747,9 @@ xsd: + + + @@ -773,6 +793,27 @@ xsd: + + + + + + + + + + + + + + + + + + + + + diff --git a/packages/qualys_vmdr/data_stream/asset_host_detection/elasticsearch/ingest_pipeline/default.yml b/packages/qualys_vmdr/data_stream/asset_host_detection/elasticsearch/ingest_pipeline/default.yml index 0d7a0941bee..319f210e6b8 100644 --- a/packages/qualys_vmdr/data_stream/asset_host_detection/elasticsearch/ingest_pipeline/default.yml +++ b/packages/qualys_vmdr/data_stream/asset_host_detection/elasticsearch/ingest_pipeline/default.yml 
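Review bot: The endpoint path `/api/5.0/fo/asset/host/vm/detection/` is now spelled out twice in the new code, once in the request URL in the `-42` hunk and once in the error message in the `-125` hunk, so the next version bump again has to be applied in two places and the two can drift. Computing the path once (for example when `state.url` is first trimmed) and reusing that value in the error branch would remove the duplication. Moving from the 3.0 to the 5.0 API also looks like a response-schema change, since the `xsd:` hunks below add lines (their content is not visible here), so it is worth stating in the package changelog that the collector now calls the 5.0 endpoint. The `program` block these hunks belong to starts and ends outside the hunks.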
@@ -851,6 +851,128 @@ processors: - _ingest._value.LAST_ERROR_DATE tag: remove_qualys_vmdr_asset_host_detection_metadata_azure_attribute_fields ignore_missing: true + - rename: + field: json.METADATA.ALICLOUD.ATTRIBUTE + tag: rename_METADATA_ALICLOUD_ATTRIBUTE + target_field: qualys_vmdr.asset_host_detection.metadata.alicloud.attribute + ignore_missing: true + - foreach: + field: qualys_vmdr.asset_host_detection.metadata.alicloud.attribute + if: ctx.qualys_vmdr?.asset_host_detection?.metadata?.alicloud?.attribute instanceof List + tag: foreach_rename_metadata_alicloud_attribute_NAME + processor: + rename: + field: _ingest._value.NAME + tag: rename_qualys_vmdr_asset_host_detection_metadata_alicloud_attribute_NAME_1 + target_field: _ingest._value.name + ignore_missing: true + - rename: + field: qualys_vmdr.asset_host_detection.metadata.alicloud.attribute.NAME + tag: rename_qualys_vmdr_asset_host_detection_metadata_alicloud_attribute_NAME_2 + target_field: qualys_vmdr.asset_host_detection.metadata.alicloud.attribute.name + ignore_missing: true + - foreach: + field: qualys_vmdr.asset_host_detection.metadata.alicloud.attribute + if: ctx.qualys_vmdr?.asset_host_detection?.metadata?.alicloud?.attribute instanceof List + tag: foreach_rename_metadata_alicloud_attribute_LAST_STATUS + processor: + rename: + field: _ingest._value.LAST_STATUS + tag: rename_qualys_vmdr_asset_host_detection_metadata_alicloud_attribute_LAST_STATUS_1 + target_field: _ingest._value.last.status + ignore_missing: true + - rename: + field: qualys_vmdr.asset_host_detection.metadata.alicloud.attribute.LAST_STATUS + tag: rename_qualys_vmdr_asset_host_detection_metadata_alicloud_attribute_LAST_STATUS_2 + target_field: qualys_vmdr.asset_host_detection.metadata.alicloud.attribute.last.status + ignore_missing: true + - foreach: + field: qualys_vmdr.asset_host_detection.metadata.alicloud.attribute + if: ctx.qualys_vmdr?.asset_host_detection?.metadata?.alicloud?.attribute instanceof List + tag: 
foreach_rename_metadata_alicloud_attribute_VALUE + processor: + rename: + field: _ingest._value.VALUE + tag: rename_qualys_vmdr_asset_host_detection_metadata_alicloud_attribute_VALUE_1 + target_field: _ingest._value.value + ignore_missing: true + - rename: + field: qualys_vmdr.asset_host_detection.metadata.alicloud.attribute.VALUE + tag: rename_qualys_vmdr_asset_host_detection_metadata_alicloud_attribute_VALUE_2 + target_field: qualys_vmdr.asset_host_detection.metadata.alicloud.attribute.value + ignore_missing: true + - foreach: + field: qualys_vmdr.asset_host_detection.metadata.alicloud.attribute + if: ctx.qualys_vmdr?.asset_host_detection?.metadata?.alicloud?.attribute instanceof List + tag: foreach_rename_metadata_alicloud_attribute_LAST_ERROR + processor: + rename: + field: _ingest._value.LAST_ERROR + tag: rename_qualys_vmdr_asset_host_detection_metadata_alicloud_attribute_LAST_ERROR_1 + target_field: _ingest._value.last.error.value + ignore_missing: true + - rename: + field: qualys_vmdr.asset_host_detection.metadata.alicloud.attribute.LAST_ERROR + tag: rename_qualys_vmdr_asset_host_detection_metadata_alicloud_attribute_LAST_ERROR_2 + target_field: qualys_vmdr.asset_host_detection.metadata.alicloud.attribute.last.error.value + ignore_missing: true + - foreach: + field: qualys_vmdr.asset_host_detection.metadata.alicloud.attribute + if: ctx.qualys_vmdr?.asset_host_detection?.metadata?.alicloud?.attribute instanceof List + tag: foreach_date_metadata_alicloud_attribute_LAST_SUCCESS_DATE + processor: + date: + field: _ingest._value.LAST_SUCCESS_DATE + tag: date_qualys_vmdr_asset_host_detection_metadata_alicloud_attribute_LAST_SUCCESS_DATE_1 + target_field: _ingest._value.last.success_date + formats: + - ISO8601 + ignore_failure: true + - date: + field: qualys_vmdr.asset_host_detection.metadata.alicloud.attribute.LAST_SUCCESS_DATE + tag: date_qualys_vmdr_asset_host_detection_metadata_alicloud_attribute_LAST_SUCCESS_DATE_2 + if: 
(!(ctx.qualys_vmdr?.asset_host_detection?.metadata?.alicloud?.attribute instanceof List)) && ctx.qualys_vmdr?.asset_host_detection?.metadata?.alicloud?.attribute?.LAST_SUCCESS_DATE != null && ctx.qualys_vmdr.asset_host_detection.metadata.alicloud.attribute.LAST_SUCCESS_DATE != '' + target_field: qualys_vmdr.asset_host_detection.metadata.alicloud.attribute.last.success_date + formats: + - ISO8601 + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: qualys_vmdr.asset_host_detection.metadata.alicloud.attribute + if: ctx.qualys_vmdr?.asset_host_detection?.metadata?.alicloud?.attribute instanceof List + tag: foreach_date_metadata_alicloud_attribute_LAST_ERROR_DATE + processor: + date: + field: _ingest._value.LAST_ERROR_DATE + tag: date_qualys_vmdr_asset_host_detection_metadata_alicloud_attribute_LAST_ERROR_DATE_1 + target_field: _ingest._value.last.error.date + formats: + - ISO8601 + ignore_failure: true + - date: + field: qualys_vmdr.asset_host_detection.metadata.alicloud.attribute.LAST_ERROR_DATE + tag: date_qualys_vmdr_asset_host_detection_metadata_alicloud_attribute_LAST_ERROR_DATE_2 + if: (!(ctx.qualys_vmdr?.asset_host_detection?.metadata?.alicloud?.attribute instanceof List)) && ctx.qualys_vmdr?.asset_host_detection?.metadata?.alicloud?.attribute?.LAST_ERROR_DATE != null && ctx.qualys_vmdr.asset_host_detection.metadata.alicloud.attribute.LAST_ERROR_DATE != '' + target_field: qualys_vmdr.asset_host_detection.metadata.alicloud.attribute.last.error.date + formats: + - ISO8601 + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: 
qualys_vmdr.asset_host_detection.metadata.alicloud.attribute + if: ctx.qualys_vmdr?.asset_host_detection?.metadata?.alicloud?.attribute instanceof List + tag: foreach_remove_metadata_alicloud_attribute_fields + processor: + remove: + field: + - _ingest._value.LAST_SUCCESS_DATE + - _ingest._value.LAST_ERROR_DATE + tag: remove_qualys_vmdr_asset_host_detection_metadata_alicloud_attribute_fields + ignore_missing: true - rename: field: json.CLOUD_PROVIDER_TAGS.CLOUD_TAG tag: rename_CLOUD_PROVIDER_TAGS_CLOUD_TAG 
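Review bot: In the list branch the two `date` processors nested in `foreach` (tags ending `LAST_SUCCESS_DATE_1` and `LAST_ERROR_DATE_1`) use `ignore_failure: true`, and the closing `foreach`/`remove` then drops `LAST_SUCCESS_DATE` and `LAST_ERROR_DATE` from every element, so an unparseable date in a list-valued `attribute` vanishes without any record, whereas the single-object branch appends to `error.message` for the same failure. Replacing `ignore_failure: true` on the inner date processors with the same `on_failure` append block used by the `_2` processors would make both branches report consistently. This block copies the existing azure block (its trailing `remove` is the context at the top of the hunk), so if the change is made it presumably belongs in every provider block. The dozen near-identical processors per provider are also a lot of YAML; a single `foreach` with a `script` processor that renames the keys of each element would be shorter, though that is a larger refactor than this PR needs.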
@@ -1164,6 +1286,70 @@ processors: tag: rename_qualys_vmdr_asset_host_detection_vulnerability_ASSET_CVE_1 target_field: qualys_vmdr.asset_host_detection.vulnerability.asset_cve ignore_missing: true + - split: + field: qualys_vmdr.asset_host_detection.vulnerability.CVE + separator: ',\s?' + target_field: qualys_vmdr.asset_host_detection.vulnerability.cve + if: ctx.qualys_vmdr?.asset_host_detection?.vulnerability?.CVE != null + tag: split_qualys_vmdr_asset_host_detection_vulnerability_CVE + ignore_missing: true + - rename: + if: ctx.qualys_vmdr?.asset_host_detection?.vulnerability?.LATEST_VULNERABILITY_DETECTION_SOURCE != null + field: qualys_vmdr.asset_host_detection.vulnerability.LATEST_VULNERABILITY_DETECTION_SOURCE + tag: rename_qualys_vmdr_asset_host_detection_vulnerability_LATEST_VULNERABILITY_DETECTION_SOURCE + target_field: qualys_vmdr.asset_host_detection.vulnerability.latest_vulnerability_detection_source + ignore_missing: true + - split: + field: qualys_vmdr.asset_host_detection.vulnerability.MITRE_TACTIC_NAME + separator: ',\s?' + target_field: qualys_vmdr.asset_host_detection.vulnerability.mitre_tactic_name + if: ctx.qualys_vmdr?.asset_host_detection?.vulnerability?.MITRE_TACTIC_NAME != null + tag: split_qualys_vmdr_asset_host_detection_vulnerability_MITRE_TACTIC_NAME + ignore_missing: true + - split: + field: qualys_vmdr.asset_host_detection.vulnerability.MITRE_TECHNIQUE_NAME + separator: ',\s?' + target_field: qualys_vmdr.asset_host_detection.vulnerability.mitre_technique_name + if: ctx.qualys_vmdr?.asset_host_detection?.vulnerability?.MITRE_TECHNIQUE_NAME != null + tag: split_qualys_vmdr_asset_host_detection_vulnerability_MITRE_TECHNIQUE_NAME + ignore_missing: true + - split: + field: qualys_vmdr.asset_host_detection.vulnerability.MITRE_TACTIC_ID + separator: ',\s?' 
+ target_field: qualys_vmdr.asset_host_detection.vulnerability.mitre_tactic_id + if: ctx.qualys_vmdr?.asset_host_detection?.vulnerability?.MITRE_TACTIC_ID != null + tag: split_qualys_vmdr_asset_host_detection_vulnerability_MITRE_TACTIC_ID + ignore_missing: true + - split: + field: qualys_vmdr.asset_host_detection.vulnerability.MITRE_TECHNIQUE_ID + separator: ',\s?' + target_field: qualys_vmdr.asset_host_detection.vulnerability.mitre_technique_id + if: ctx.qualys_vmdr?.asset_host_detection?.vulnerability?.MITRE_TECHNIQUE_ID != null + tag: split_qualys_vmdr_asset_host_detection_vulnerability_MITRE_TECHNIQUE_ID + ignore_missing: true + - rename: + if: ctx.qualys_vmdr?.asset_host_detection?.vulnerability?.TRURISK_ELIMINATION_STATUS != null + field: qualys_vmdr.asset_host_detection.vulnerability.TRURISK_ELIMINATION_STATUS + tag: rename_qualys_vmdr_asset_host_detection_vulnerability_TRURISK_ELIMINATION_STATUS + target_field: qualys_vmdr.asset_host_detection.vulnerability.trurisk_elimination_status + ignore_missing: true + - split: + field: qualys_vmdr.asset_host_detection.vulnerability.VULNERABILITY_DETECTION_SOURCES + separator: ',\s?' 
+ target_field: qualys_vmdr.asset_host_detection.vulnerability.vulnerability_detection_sources + if: ctx.qualys_vmdr?.asset_host_detection?.vulnerability?.VULNERABILITY_DETECTION_SOURCES != null + tag: split_qualys_vmdr_asset_host_detection_vulnerability_VULNERABILITY_DETECTION_SOURCES + ignore_missing: true + - remove: + field: + - qualys_vmdr.asset_host_detection.vulnerability.CVE + - qualys_vmdr.asset_host_detection.vulnerability.MITRE_TACTIC_NAME + - qualys_vmdr.asset_host_detection.vulnerability.MITRE_TECHNIQUE_NAME + - qualys_vmdr.asset_host_detection.vulnerability.MITRE_TACTIC_ID + - qualys_vmdr.asset_host_detection.vulnerability.MITRE_TECHNIQUE_ID + - qualys_vmdr.asset_host_detection.vulnerability.VULNERABILITY_DETECTION_SOURCES + tag: remove_unmapped_capitalised_fields_from_vulnerability + ignore_missing: true - rename: if: ctx.qualys_vmdr?.asset_host_detection?.vulnerability?.QID != null field: qualys_vmdr.asset_host_detection.vulnerability.QID @@ -1634,6 +1820,8 @@ processors: - qualys_vmdr.asset_host_detection.metadata.google.attribute.LAST_SUCCESS_DATE - qualys_vmdr.asset_host_detection.metadata.azure.attribute.LAST_ERROR_DATE - qualys_vmdr.asset_host_detection.metadata.azure.attribute.LAST_SUCCESS_DATE + - qualys_vmdr.asset_host_detection.metadata.alicloud.attribute.LAST_ERROR_DATE + - qualys_vmdr.asset_host_detection.metadata.alicloud.attribute.LAST_SUCCESS_DATE ignore_missing: true - remove: field: diff --git a/packages/qualys_vmdr/data_stream/asset_host_detection/fields/fields.yml b/packages/qualys_vmdr/data_stream/asset_host_detection/fields/fields.yml index e7e5a701b1b..8621c972fcb 100644 --- a/packages/qualys_vmdr/data_stream/asset_host_detection/fields/fields.yml +++ b/packages/qualys_vmdr/data_stream/asset_host_detection/fields/fields.yml @@ -77,6 +77,8 @@ type: keyword - name: asset_cve type: keyword + - name: cve + type: keyword - name: first_found_datetime type: date - name: first_reopened_datetime 
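Review bot: The new `split` processors leave the CVE and MITRE data only under the vendor namespace; nothing in this hunk copies the parsed `cve` array into ECS `vulnerability.id` or the `mitre_tactic_*`/`mitre_technique_*` arrays into `threat.tactic.id`, `threat.tactic.name`, `threat.technique.id` and `threat.technique.name`, so detection rules and dashboards keyed on ECS fields will not see them (the expected-output JSON at the top of this chunk shows `enumeration: CVE` without a `vulnerability.id`, if that fixture is representative). `separator: ',\s?'` tolerates a single optional space after the comma, which matches the sample `TA0008, TA0004`; `',\s*'` would also absorb runs of whitespace without changing that case. The `if: ... != null` guard on each `split` overlaps with `ignore_missing: true`; one of the two is enough. `split` also requires a string, so if the XML-to-JSON step ever yields a list for `CVE` the processor will fail — a short comment on the first `split` stating the expected comma-separated string form would help the next maintainer.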
@@ -101,6 +103,16 @@ type: date - name: last_update_datetime type: date + - name: latest_vulnerability_detection_source + type: keyword + - name: mitre_tactic_id + type: keyword + - name: mitre_tactic_name + type: keyword + - name: mitre_technique_id + type: keyword + - name: mitre_technique_name + type: keyword - name: port type: long - name: protocol @@ -137,8 +149,12 @@ type: long - name: type type: keyword + - name: trurisk_elimination_status + type: keyword - name: unique_vuln_id type: keyword + - name: vulnerability_detection_sources + type: keyword - name: metadata type: group fields: @@ -214,6 +230,30 @@ type: keyword - name: value type: keyword + - name: alicloud + type: group + fields: + - name: attribute + type: group + fields: + - name: last + type: group + fields: + - name: error + type: group + fields: + - name: value + type: keyword + - name: date + type: date + - name: status + type: keyword + - name: success_date + type: date + - name: name + type: keyword + - name: value + type: keyword - name: netbios type: keyword - name: network_id diff --git a/packages/qualys_vmdr/data_stream/asset_host_detection/manifest.yml b/packages/qualys_vmdr/data_stream/asset_host_detection/manifest.yml index 8dbd61b9fb2..17533af1846 100644 --- a/packages/qualys_vmdr/data_stream/asset_host_detection/manifest.yml +++ b/packages/qualys_vmdr/data_stream/asset_host_detection/manifest.yml 
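Review bot: `trurisk_elimination_status` is inserted after `type` in the `-137` hunk, but the rest of this vulnerability group appears to be kept alphabetical (`asset_cve` < `cve` < `first_found_datetime`, `last_update_datetime` < `latest_vulnerability_detection_source` < `mitre_*` < `port`), and `trurisk` sorts before `type`; moving the two lines above `- name: type` keeps the ordering consistent. None of the new keyword fields carry a `description`, which matches the neighbouring entries and so is not a regression, but `mitre_tactic_id` and `mitre_technique_id` would benefit from one noting that they are lists split from a comma-separated string.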
@@ -131,9 +131,4 @@ streams: required: false show_user: false description: >- - The request tracer logs requests and responses to the agent's local file-system for debugging configurations. - Enabling this request tracing compromises security and should only be used for debugging. Disabling the request - tracer will delete any stored traces. - See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable) - for details. - + The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. Disabling the request tracer will delete any stored traces. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable) for details. diff --git a/packages/qualys_vmdr/data_stream/asset_host_detection/sample_event.json b/packages/qualys_vmdr/data_stream/asset_host_detection/sample_event.json index d3c54e7e550..f055bced64d 100644 --- a/packages/qualys_vmdr/data_stream/asset_host_detection/sample_event.json +++ b/packages/qualys_vmdr/data_stream/asset_host_detection/sample_event.json @@ -1,11 +1,11 @@ { - "@timestamp": "2025-08-04T13:51:29.904Z", + "@timestamp": "2025-12-09T13:06:00.619Z", "agent": { - "ephemeral_id": "11651637-e03b-4df7-8cd3-a50a22012cea", - "id": "667fa893-55d2-4a31-9a26-0663cd9debd8", - "name": "elastic-agent-40026", + "ephemeral_id": "5eb4618e-1fb2-4db3-a80a-a1c9d60ddf79", + "id": "c25772f1-99b1-43d4-9ac3-8941538fa406", + "name": "elastic-agent-11567", "type": "filebeat", - "version": "8.19.0" + "version": "8.19.4" }, "cloud": { "instance": { 
@@ -14,16 +14,16 @@
 },
 "data_stream": {
 "dataset": "qualys_vmdr.asset_host_detection",
- "namespace": "27666",
+ "namespace": "88746",
 "type": "logs"
 },
 "ecs": {
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "667fa893-55d2-4a31-9a26-0663cd9debd8",
+ "id": "c25772f1-99b1-43d4-9ac3-8941538fa406",
 "snapshot": false,
- "version": "8.19.0"
+ "version": "8.19.4"
 },
 "event": {
 "agent_id_status": "verified",
@@ -32,9 +32,9 @@ ], "dataset": "qualys_vmdr.asset_host_detection", "id": "11111111", - "ingested": "2025-08-04T13:51:32Z", + "ingested": "2025-12-09T13:06:03Z", "kind": "alert", - "original": "{\"DETECTION_LIST\":{\"AFFECT_RUNNING_KERNEL\":\"0\",\"FIRST_FOUND_DATETIME\":\"2021-02-05T04:50:45Z\",\"IS_DISABLED\":\"0\",\"IS_IGNORED\":\"0\",\"LAST_FIXED_DATETIME\":\"2022-12-14T06:52:57Z\",\"LAST_FOUND_DATETIME\":\"2024-03-08T20:15:41Z\",\"LAST_PROCESSED_DATETIME\":\"2024-03-08T20:15:41Z\",\"LAST_TEST_DATETIME\":\"2024-03-08T20:15:41Z\",\"LAST_UPDATE_DATETIME\":\"2024-03-08T20:15:41Z\",\"QDS\":{\"#text\":\"35\",\"severity\":\"LOW\"},\"QDS_FACTORS\":{\"QDS_FACTOR\":[{\"#text\":\"7.7\",\"name\":\"CVSS\"},{\"#text\":\"v3.x\",\"name\":\"CVSS_version\"},{\"#text\":\"0.00232\",\"name\":\"epss\"},{\"#text\":\"AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H\",\"name\":\"CVSS_vector\"}]},\"QID\":\"101\",\"RESULTS\":\"Package\\tInstalled Version\\tRequired Version\\nlinux-cloud-tools-4.4.0\\t1074-aws_4.4.0-1074.84\\t1092\\nlinux-aws-tools-4.4.0\\t1074_4.4.0-1074.84\\t1092\\nlinux-aws-headers-4.4.0\\t1074_4.15.0-1126.135\\t1092\\nlinux-tools-4.4.0\\t1074-aws_4.4.0-1074.84\\t1092\\nlinux-aws-cloud-tools-4.4.0\\t1074_4.4.0-1074.84\\t1092\",\"SEVERITY\":\"3\",\"SSL\":\"0\",\"STATUS\":\"Active\",\"TIMES_FOUND\":\"5393\",\"TYPE\":\"Confirmed\",\"UNIQUE_VULN_ID\":\"11111111\"},\"DNS\":\"adfssrvr.adfs.local\",\"DNS_DATA\":{\"DOMAIN\":\"adfs.local\",\"FQDN\":\"adfssrvr.adfs.local\",\"HOSTNAME\":\"adfssrvr\"},\"ID\":\"1\",\"IP\":\"10.50.2.111\",\"KNOWLEDGE_BASE\":{\"CATEGORY\":\"CGI\",\"CONSEQUENCE\":\"Depending on the vulnerability being exploited, an unauthenticated remote attacker could conduct cross-site scripting, clickjacking or MIME-type sniffing attacks.\",\"CVE_LIST\":[\"CVE-2022-31629\",\"CVE-2022-31628\"],\"CVSS\":{\"BASE\":{\"#text\":\"7.7\",\"source\":\"service\"},\"TEMPORAL\":\"4.0\",\"VECTOR_STRING\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H\"},\"DIAGNOSIS\":\"This QID reports the 
absence of the following\",\"DISCOVERY\":{\"REMOTE\":\"1\"},\"LAST_SERVICE_MODIFICATION_DATETIME\":\"2023-06-29T12:20:46Z\",\"PATCHABLE\":\"0\",\"PCI_FLAG\":\"1\",\"PUBLISHED_DATETIME\":\"2017-06-05T21:34:49Z\",\"QID\":\"101\",\"SEVERITY_LEVEL\":\"2\",\"SOFTWARE_LIST\":{\"SOFTWARE\":[{\"PRODUCT\":\"None\",\"VENDOR\":\"multi-vendor\"}]},\"SOLUTION\":\"\\u003cB\\u003eNote:\\u003c/B\\u003e To better debug the results of this QID\",\"THREAT_INTELLIGENCE\":{\"THREAT_INTEL\":[{\"id\":\"8\"}]},\"TITLE\":\"HTTP Security Header Not Detected\",\"VULN_TYPE\":\"Vulnerability\"},\"LAST_PC_SCANNED_DATE\":\"2023-06-28T09:58:12Z\",\"LAST_SCAN_DATETIME\":\"2023-07-03T06:25:17Z\",\"LAST_VM_SCANNED_DATE\":\"2023-07-03T06:23:47Z\",\"LAST_VM_SCANNED_DURATION\":\"1113\",\"NETBIOS\":\"ADFSSRVR\",\"OS\":\"Windows 2016/2019/10\",\"TRACKING_METHOD\":\"IP\",\"interval_id\":\"b4048068-ffa5-4c3b-a706-2f44ceef2088\",\"interval_start\":\"2025-08-04T13:51:29.897392437Z\"}", + "original": "{\"DETECTION_LIST\":{\"AFFECT_RUNNING_KERNEL\":\"0\",\"CVE\":\"CVE-2023-48161,CVE-2024-21208,CVE-2024-21210,CVE-2024-21217,CVE-2024-21235\",\"FIRST_FOUND_DATETIME\":\"2021-02-05T04:50:45Z\",\"IS_DISABLED\":\"0\",\"IS_IGNORED\":\"0\",\"LAST_FIXED_DATETIME\":\"2022-12-14T06:52:57Z\",\"LAST_FOUND_DATETIME\":\"2024-03-08T20:15:41Z\",\"LAST_PROCESSED_DATETIME\":\"2024-03-08T20:15:41Z\",\"LAST_TEST_DATETIME\":\"2024-03-08T20:15:41Z\",\"LAST_UPDATE_DATETIME\":\"2024-03-08T20:15:41Z\",\"LATEST_VULNERABILITY_DETECTION_SOURCE\":\"Cloud Agent\",\"MITRE_TACTIC_ID\":\"TA0008, TA0004\",\"MITRE_TACTIC_NAME\":\"lateral-movement, privilege-escalation\",\"MITRE_TECHNIQUE_ID\":\"T1210, T1068\",\"MITRE_TECHNIQUE_NAME\":\"Exploitation of Remote Services, Exploitation for Privilege 
Escalation\",\"QDS\":{\"#text\":\"35\",\"severity\":\"LOW\"},\"QDS_FACTORS\":{\"QDS_FACTOR\":[{\"#text\":\"7.7\",\"name\":\"CVSS\"},{\"#text\":\"v3.x\",\"name\":\"CVSS_version\"},{\"#text\":\"0.00232\",\"name\":\"epss\"},{\"#text\":\"AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H\",\"name\":\"CVSS_vector\"}]},\"QID\":\"101\",\"RESULTS\":\"Package\\tInstalled Version\\tRequired Version\\nlinux-cloud-tools-4.4.0\\t1074-aws_4.4.0-1074.84\\t1092\\nlinux-aws-tools-4.4.0\\t1074_4.4.0-1074.84\\t1092\\nlinux-aws-headers-4.4.0\\t1074_4.15.0-1126.135\\t1092\\nlinux-tools-4.4.0\\t1074-aws_4.4.0-1074.84\\t1092\\nlinux-aws-cloud-tools-4.4.0\\t1074_4.4.0-1074.84\\t1092\",\"SEVERITY\":\"3\",\"SSL\":\"0\",\"STATUS\":\"Active\",\"TIMES_FOUND\":\"5393\",\"TRURISK_ELIMINATION_STATUS\":\"FIXED\",\"TYPE\":\"Confirmed\",\"UNIQUE_VULN_ID\":\"11111111\",\"VULNERABILITY_DETECTION_SOURCES\":\"Cloud Agent,Internal Scanner\"},\"DNS\":\"adfssrvr.adfs.local\",\"DNS_DATA\":{\"DOMAIN\":\"adfs.local\",\"FQDN\":\"adfssrvr.adfs.local\",\"HOSTNAME\":\"adfssrvr\"},\"ID\":\"1\",\"IP\":\"10.50.2.111\",\"KNOWLEDGE_BASE\":{\"CATEGORY\":\"CGI\",\"CONSEQUENCE\":\"Depending on the vulnerability being exploited, an unauthenticated remote attacker could conduct cross-site scripting, clickjacking or MIME-type sniffing attacks.\",\"CVE_LIST\":[\"CVE-2022-31629\",\"CVE-2022-31628\"],\"CVSS\":{\"BASE\":{\"#text\":\"7.7\",\"source\":\"service\"},\"TEMPORAL\":\"4.0\",\"VECTOR_STRING\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H\"},\"DIAGNOSIS\":\"This QID reports the absence of the following\",\"DISCOVERY\":{\"REMOTE\":\"1\"},\"LAST_SERVICE_MODIFICATION_DATETIME\":\"2023-06-29T12:20:46Z\",\"PATCHABLE\":\"0\",\"PCI_FLAG\":\"1\",\"PUBLISHED_DATETIME\":\"2017-06-05T21:34:49Z\",\"QID\":\"101\",\"SEVERITY_LEVEL\":\"2\",\"SOFTWARE_LIST\":{\"SOFTWARE\":[{\"PRODUCT\":\"None\",\"VENDOR\":\"multi-vendor\"}]},\"SOLUTION\":\"\\u003cB\\u003eNote:\\u003c/B\\u003e To better debug the results of this 
QID\",\"THREAT_INTELLIGENCE\":{\"THREAT_INTEL\":[{\"id\":\"8\"}]},\"TITLE\":\"HTTP Security Header Not Detected\",\"VULN_TYPE\":\"Vulnerability\"},\"LAST_PC_SCANNED_DATE\":\"2023-06-28T09:58:12Z\",\"LAST_SCAN_DATETIME\":\"2023-07-03T06:25:17Z\",\"LAST_VM_SCANNED_DATE\":\"2023-07-03T06:23:47Z\",\"LAST_VM_SCANNED_DURATION\":\"1113\",\"NETBIOS\":\"ADFSSRVR\",\"OS\":\"Windows 2016/2019/10\",\"TRACKING_METHOD\":\"IP\",\"interval_id\":\"040d4ccd-718d-43bb-8f0e-92a685dcd3e0\",\"interval_start\":\"2025-12-09T13:06:00.615439086Z\"}", "type": [ "info" ] @@ -91,8 +91,8 @@ "hostname": "adfssrvr" }, "id": "1", - "interval_id": "b4048068-ffa5-4c3b-a706-2f44ceef2088", - "interval_start": "2025-08-04T13:51:29.897Z", + "interval_id": "040d4ccd-718d-43bb-8f0e-92a685dcd3e0", + "interval_start": "2025-12-09T13:06:00.615Z", "ip": "10.50.2.111", "knowledge_base": { "category": "CGI", @@ -180,6 +180,13 @@ "tracking_method": "IP", "vulnerability": { "affect_running_kernel": "0", + "cve": [ + "CVE-2023-48161", + "CVE-2024-21208", + "CVE-2024-21210", + "CVE-2024-21217", + "CVE-2024-21235" + ], "first_found_datetime": "2021-02-05T04:50:45.000Z", "is_disabled": false, "is_ignored": false, @@ -188,6 +195,23 @@ "last_processed_datetime": "2024-03-08T20:15:41.000Z", "last_test_datetime": "2024-03-08T20:15:41.000Z", "last_update_datetime": "2024-03-08T20:15:41.000Z", + "latest_vulnerability_detection_source": "Cloud Agent", + "mitre_tactic_id": [ + "TA0008", + "TA0004" + ], + "mitre_tactic_name": [ + "lateral-movement", + "privilege-escalation" + ], + "mitre_technique_id": [ + "T1210", + "T1068" + ], + "mitre_technique_name": [ + "Exploitation of Remote Services", + "Exploitation for Privilege Escalation" + ], "qds": { "score": 35, "severity": "LOW" 
@@ -216,8 +240,13 @@ "ssl": "0", "status": "Active", "times_found": 5393, + "trurisk_elimination_status": "FIXED", "type": "Confirmed", - "unique_vuln_id": "11111111" + "unique_vuln_id": "11111111", + "vulnerability_detection_sources": [ + "Cloud Agent", + "Internal Scanner" + ] } } }, diff --git a/packages/qualys_vmdr/data_stream/knowledge_base/manifest.yml b/packages/qualys_vmdr/data_stream/knowledge_base/manifest.yml index 5985c6a864c..5d0a8a968a8 100644 --- a/packages/qualys_vmdr/data_stream/knowledge_base/manifest.yml +++ b/packages/qualys_vmdr/data_stream/knowledge_base/manifest.yml @@ -90,8 +90,4 @@ streams: required: false show_user: false description: >- - The request tracer logs requests and responses to the agent's local file-system for debugging configurations. - Enabling this request tracing compromises security and should only be used for debugging. Disabling the request - tracer will delete any stored traces. - See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable) - for details. + The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. Disabling the request tracer will delete any stored traces. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable) for details. diff --git a/packages/qualys_vmdr/data_stream/user_activity/manifest.yml b/packages/qualys_vmdr/data_stream/user_activity/manifest.yml index 442969b6f52..3818101dc3f 100644 --- a/packages/qualys_vmdr/data_stream/user_activity/manifest.yml +++ b/packages/qualys_vmdr/data_stream/user_activity/manifest.yml 
@@ -90,8 +90,4 @@ streams: required: false show_user: false description: >- - The request tracer logs requests and responses to the agent's local file-system for debugging configurations. - Enabling this request tracing compromises security and should only be used for debugging. Disabling the request - tracer will delete any stored traces. - See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable) - for details. + The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. Disabling the request tracer will delete any stored traces. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable) for details. diff --git a/packages/qualys_vmdr/docs/README.md b/packages/qualys_vmdr/docs/README.md index 1e0b100ac68..c6680e51a3b 100644 --- a/packages/qualys_vmdr/docs/README.md +++ b/packages/qualys_vmdr/docs/README.md @@ -107,13 +107,13 @@ An example event for `asset_host_detection` looks as following: ```json { - "@timestamp": "2025-08-04T13:51:29.904Z", + "@timestamp": "2025-12-09T13:06:00.619Z", "agent": { - "ephemeral_id": "11651637-e03b-4df7-8cd3-a50a22012cea", - "id": "667fa893-55d2-4a31-9a26-0663cd9debd8", - "name": "elastic-agent-40026", + "ephemeral_id": "5eb4618e-1fb2-4db3-a80a-a1c9d60ddf79", + "id": "c25772f1-99b1-43d4-9ac3-8941538fa406", + "name": "elastic-agent-11567", "type": "filebeat", - "version": "8.19.0" + "version": "8.19.4" }, "cloud": { "instance": { 
@@ -122,16 +122,16 @@ An example event for `asset_host_detection` looks as following:
 },
 "data_stream": {
 "dataset": "qualys_vmdr.asset_host_detection",
- "namespace": "27666",
+ "namespace": "88746",
 "type": "logs"
 },
 "ecs": {
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "667fa893-55d2-4a31-9a26-0663cd9debd8",
+ "id": "c25772f1-99b1-43d4-9ac3-8941538fa406",
 "snapshot": false,
- "version": "8.19.0"
+ "version": "8.19.4"
 },
 "event": {
 "agent_id_status": "verified",
@@ -140,9 +140,9 @@ An example event for `asset_host_detection` looks as following: ], "dataset": "qualys_vmdr.asset_host_detection", "id": "11111111", - "ingested": "2025-08-04T13:51:32Z", + "ingested": "2025-12-09T13:06:03Z", "kind": "alert", - "original": "{\"DETECTION_LIST\":{\"AFFECT_RUNNING_KERNEL\":\"0\",\"FIRST_FOUND_DATETIME\":\"2021-02-05T04:50:45Z\",\"IS_DISABLED\":\"0\",\"IS_IGNORED\":\"0\",\"LAST_FIXED_DATETIME\":\"2022-12-14T06:52:57Z\",\"LAST_FOUND_DATETIME\":\"2024-03-08T20:15:41Z\",\"LAST_PROCESSED_DATETIME\":\"2024-03-08T20:15:41Z\",\"LAST_TEST_DATETIME\":\"2024-03-08T20:15:41Z\",\"LAST_UPDATE_DATETIME\":\"2024-03-08T20:15:41Z\",\"QDS\":{\"#text\":\"35\",\"severity\":\"LOW\"},\"QDS_FACTORS\":{\"QDS_FACTOR\":[{\"#text\":\"7.7\",\"name\":\"CVSS\"},{\"#text\":\"v3.x\",\"name\":\"CVSS_version\"},{\"#text\":\"0.00232\",\"name\":\"epss\"},{\"#text\":\"AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H\",\"name\":\"CVSS_vector\"}]},\"QID\":\"101\",\"RESULTS\":\"Package\\tInstalled Version\\tRequired Version\\nlinux-cloud-tools-4.4.0\\t1074-aws_4.4.0-1074.84\\t1092\\nlinux-aws-tools-4.4.0\\t1074_4.4.0-1074.84\\t1092\\nlinux-aws-headers-4.4.0\\t1074_4.15.0-1126.135\\t1092\\nlinux-tools-4.4.0\\t1074-aws_4.4.0-1074.84\\t1092\\nlinux-aws-cloud-tools-4.4.0\\t1074_4.4.0-1074.84\\t1092\",\"SEVERITY\":\"3\",\"SSL\":\"0\",\"STATUS\":\"Active\",\"TIMES_FOUND\":\"5393\",\"TYPE\":\"Confirmed\",\"UNIQUE_VULN_ID\":\"11111111\"},\"DNS\":\"adfssrvr.adfs.local\",\"DNS_DATA\":{\"DOMAIN\":\"adfs.local\",\"FQDN\":\"adfssrvr.adfs.local\",\"HOSTNAME\":\"adfssrvr\"},\"ID\":\"1\",\"IP\":\"10.50.2.111\",\"KNOWLEDGE_BASE\":{\"CATEGORY\":\"CGI\",\"CONSEQUENCE\":\"Depending on the vulnerability being exploited, an unauthenticated remote attacker could conduct cross-site scripting, clickjacking or MIME-type sniffing 
attacks.\",\"CVE_LIST\":[\"CVE-2022-31629\",\"CVE-2022-31628\"],\"CVSS\":{\"BASE\":{\"#text\":\"7.7\",\"source\":\"service\"},\"TEMPORAL\":\"4.0\",\"VECTOR_STRING\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H\"},\"DIAGNOSIS\":\"This QID reports the absence of the following\",\"DISCOVERY\":{\"REMOTE\":\"1\"},\"LAST_SERVICE_MODIFICATION_DATETIME\":\"2023-06-29T12:20:46Z\",\"PATCHABLE\":\"0\",\"PCI_FLAG\":\"1\",\"PUBLISHED_DATETIME\":\"2017-06-05T21:34:49Z\",\"QID\":\"101\",\"SEVERITY_LEVEL\":\"2\",\"SOFTWARE_LIST\":{\"SOFTWARE\":[{\"PRODUCT\":\"None\",\"VENDOR\":\"multi-vendor\"}]},\"SOLUTION\":\"\\u003cB\\u003eNote:\\u003c/B\\u003e To better debug the results of this QID\",\"THREAT_INTELLIGENCE\":{\"THREAT_INTEL\":[{\"id\":\"8\"}]},\"TITLE\":\"HTTP Security Header Not Detected\",\"VULN_TYPE\":\"Vulnerability\"},\"LAST_PC_SCANNED_DATE\":\"2023-06-28T09:58:12Z\",\"LAST_SCAN_DATETIME\":\"2023-07-03T06:25:17Z\",\"LAST_VM_SCANNED_DATE\":\"2023-07-03T06:23:47Z\",\"LAST_VM_SCANNED_DURATION\":\"1113\",\"NETBIOS\":\"ADFSSRVR\",\"OS\":\"Windows 2016/2019/10\",\"TRACKING_METHOD\":\"IP\",\"interval_id\":\"b4048068-ffa5-4c3b-a706-2f44ceef2088\",\"interval_start\":\"2025-08-04T13:51:29.897392437Z\"}", + "original": "{\"DETECTION_LIST\":{\"AFFECT_RUNNING_KERNEL\":\"0\",\"CVE\":\"CVE-2023-48161,CVE-2024-21208,CVE-2024-21210,CVE-2024-21217,CVE-2024-21235\",\"FIRST_FOUND_DATETIME\":\"2021-02-05T04:50:45Z\",\"IS_DISABLED\":\"0\",\"IS_IGNORED\":\"0\",\"LAST_FIXED_DATETIME\":\"2022-12-14T06:52:57Z\",\"LAST_FOUND_DATETIME\":\"2024-03-08T20:15:41Z\",\"LAST_PROCESSED_DATETIME\":\"2024-03-08T20:15:41Z\",\"LAST_TEST_DATETIME\":\"2024-03-08T20:15:41Z\",\"LAST_UPDATE_DATETIME\":\"2024-03-08T20:15:41Z\",\"LATEST_VULNERABILITY_DETECTION_SOURCE\":\"Cloud Agent\",\"MITRE_TACTIC_ID\":\"TA0008, TA0004\",\"MITRE_TACTIC_NAME\":\"lateral-movement, privilege-escalation\",\"MITRE_TECHNIQUE_ID\":\"T1210, T1068\",\"MITRE_TECHNIQUE_NAME\":\"Exploitation of Remote Services, Exploitation for Privilege 
Escalation\",\"QDS\":{\"#text\":\"35\",\"severity\":\"LOW\"},\"QDS_FACTORS\":{\"QDS_FACTOR\":[{\"#text\":\"7.7\",\"name\":\"CVSS\"},{\"#text\":\"v3.x\",\"name\":\"CVSS_version\"},{\"#text\":\"0.00232\",\"name\":\"epss\"},{\"#text\":\"AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H\",\"name\":\"CVSS_vector\"}]},\"QID\":\"101\",\"RESULTS\":\"Package\\tInstalled Version\\tRequired Version\\nlinux-cloud-tools-4.4.0\\t1074-aws_4.4.0-1074.84\\t1092\\nlinux-aws-tools-4.4.0\\t1074_4.4.0-1074.84\\t1092\\nlinux-aws-headers-4.4.0\\t1074_4.15.0-1126.135\\t1092\\nlinux-tools-4.4.0\\t1074-aws_4.4.0-1074.84\\t1092\\nlinux-aws-cloud-tools-4.4.0\\t1074_4.4.0-1074.84\\t1092\",\"SEVERITY\":\"3\",\"SSL\":\"0\",\"STATUS\":\"Active\",\"TIMES_FOUND\":\"5393\",\"TRURISK_ELIMINATION_STATUS\":\"FIXED\",\"TYPE\":\"Confirmed\",\"UNIQUE_VULN_ID\":\"11111111\",\"VULNERABILITY_DETECTION_SOURCES\":\"Cloud Agent,Internal Scanner\"},\"DNS\":\"adfssrvr.adfs.local\",\"DNS_DATA\":{\"DOMAIN\":\"adfs.local\",\"FQDN\":\"adfssrvr.adfs.local\",\"HOSTNAME\":\"adfssrvr\"},\"ID\":\"1\",\"IP\":\"10.50.2.111\",\"KNOWLEDGE_BASE\":{\"CATEGORY\":\"CGI\",\"CONSEQUENCE\":\"Depending on the vulnerability being exploited, an unauthenticated remote attacker could conduct cross-site scripting, clickjacking or MIME-type sniffing attacks.\",\"CVE_LIST\":[\"CVE-2022-31629\",\"CVE-2022-31628\"],\"CVSS\":{\"BASE\":{\"#text\":\"7.7\",\"source\":\"service\"},\"TEMPORAL\":\"4.0\",\"VECTOR_STRING\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H\"},\"DIAGNOSIS\":\"This QID reports the absence of the following\",\"DISCOVERY\":{\"REMOTE\":\"1\"},\"LAST_SERVICE_MODIFICATION_DATETIME\":\"2023-06-29T12:20:46Z\",\"PATCHABLE\":\"0\",\"PCI_FLAG\":\"1\",\"PUBLISHED_DATETIME\":\"2017-06-05T21:34:49Z\",\"QID\":\"101\",\"SEVERITY_LEVEL\":\"2\",\"SOFTWARE_LIST\":{\"SOFTWARE\":[{\"PRODUCT\":\"None\",\"VENDOR\":\"multi-vendor\"}]},\"SOLUTION\":\"\\u003cB\\u003eNote:\\u003c/B\\u003e To better debug the results of this 
QID\",\"THREAT_INTELLIGENCE\":{\"THREAT_INTEL\":[{\"id\":\"8\"}]},\"TITLE\":\"HTTP Security Header Not Detected\",\"VULN_TYPE\":\"Vulnerability\"},\"LAST_PC_SCANNED_DATE\":\"2023-06-28T09:58:12Z\",\"LAST_SCAN_DATETIME\":\"2023-07-03T06:25:17Z\",\"LAST_VM_SCANNED_DATE\":\"2023-07-03T06:23:47Z\",\"LAST_VM_SCANNED_DURATION\":\"1113\",\"NETBIOS\":\"ADFSSRVR\",\"OS\":\"Windows 2016/2019/10\",\"TRACKING_METHOD\":\"IP\",\"interval_id\":\"040d4ccd-718d-43bb-8f0e-92a685dcd3e0\",\"interval_start\":\"2025-12-09T13:06:00.615439086Z\"}", "type": [ "info" ] @@ -199,8 +199,8 @@ An example event for `asset_host_detection` looks as following: "hostname": "adfssrvr" }, "id": "1", - "interval_id": "b4048068-ffa5-4c3b-a706-2f44ceef2088", - "interval_start": "2025-08-04T13:51:29.897Z", + "interval_id": "040d4ccd-718d-43bb-8f0e-92a685dcd3e0", + "interval_start": "2025-12-09T13:06:00.615Z", "ip": "10.50.2.111", "knowledge_base": { "category": "CGI", @@ -288,6 +288,13 @@ An example event for `asset_host_detection` looks as following: "tracking_method": "IP", "vulnerability": { "affect_running_kernel": "0", + "cve": [ + "CVE-2023-48161", + "CVE-2024-21208", + "CVE-2024-21210", + "CVE-2024-21217", + "CVE-2024-21235" + ], "first_found_datetime": "2021-02-05T04:50:45.000Z", "is_disabled": false, "is_ignored": false, @@ -296,6 +303,23 @@ An example event for `asset_host_detection` looks as following: "last_processed_datetime": "2024-03-08T20:15:41.000Z", "last_test_datetime": "2024-03-08T20:15:41.000Z", "last_update_datetime": "2024-03-08T20:15:41.000Z", + "latest_vulnerability_detection_source": "Cloud Agent", + "mitre_tactic_id": [ + "TA0008", + "TA0004" + ], + "mitre_tactic_name": [ + "lateral-movement", + "privilege-escalation" + ], + "mitre_technique_id": [ + "T1210", + "T1068" + ], + "mitre_technique_name": [ + "Exploitation of Remote Services", + "Exploitation for Privilege Escalation" + ], "qds": { "score": 35, "severity": "LOW" 
@@ -324,8 +348,13 @@ An example event for `asset_host_detection` looks as following: "ssl": "0", "status": "Active", "times_found": 5393, + "trurisk_elimination_status": "FIXED", "type": "Confirmed", - "unique_vuln_id": "11111111" + "unique_vuln_id": "11111111", + "vulnerability_detection_sources": [ + "Cloud Agent", + "Internal Scanner" + ] } } }, @@ -521,6 +550,12 @@ An example event for `asset_host_detection` looks as following: | qualys_vmdr.asset_host_detection.last_vm_auth_scanned_duration | | long | | qualys_vmdr.asset_host_detection.last_vm_scanned_date | | date | | qualys_vmdr.asset_host_detection.last_vm_scanned_duration | | long | +| qualys_vmdr.asset_host_detection.metadata.alicloud.attribute.last.error.date | | date | +| qualys_vmdr.asset_host_detection.metadata.alicloud.attribute.last.error.value | | keyword | +| qualys_vmdr.asset_host_detection.metadata.alicloud.attribute.last.status | | keyword | +| qualys_vmdr.asset_host_detection.metadata.alicloud.attribute.last.success_date | | date | +| qualys_vmdr.asset_host_detection.metadata.alicloud.attribute.name | | keyword | +| qualys_vmdr.asset_host_detection.metadata.alicloud.attribute.value | | keyword | | qualys_vmdr.asset_host_detection.metadata.azure.attribute.last.error.date | | date | | qualys_vmdr.asset_host_detection.metadata.azure.attribute.last.error.value | | keyword | | qualys_vmdr.asset_host_detection.metadata.azure.attribute.last.status | | keyword | 
@@ -557,6 +592,7 @@ An example event for `asset_host_detection` looks as following: | qualys_vmdr.asset_host_detection.vulnerability.affect_running_kernel | | keyword | | qualys_vmdr.asset_host_detection.vulnerability.affect_running_service | | keyword | | qualys_vmdr.asset_host_detection.vulnerability.asset_cve | | keyword | +| qualys_vmdr.asset_host_detection.vulnerability.cve | | keyword | | qualys_vmdr.asset_host_detection.vulnerability.first_found_datetime | | date | | qualys_vmdr.asset_host_detection.vulnerability.first_reopened_datetime | | date | | qualys_vmdr.asset_host_detection.vulnerability.fqdn | | keyword | @@ -569,6 +605,11 @@ An example event for `asset_host_detection` looks as following: | qualys_vmdr.asset_host_detection.vulnerability.last_reopened_datetime | | date | | qualys_vmdr.asset_host_detection.vulnerability.last_test_datetime | | date | | qualys_vmdr.asset_host_detection.vulnerability.last_update_datetime | | date | +| qualys_vmdr.asset_host_detection.vulnerability.latest_vulnerability_detection_source | | keyword | +| qualys_vmdr.asset_host_detection.vulnerability.mitre_tactic_id | | keyword | +| qualys_vmdr.asset_host_detection.vulnerability.mitre_tactic_name | | keyword | +| qualys_vmdr.asset_host_detection.vulnerability.mitre_technique_id | | keyword | +| qualys_vmdr.asset_host_detection.vulnerability.mitre_technique_name | | keyword | | qualys_vmdr.asset_host_detection.vulnerability.port | | long | | qualys_vmdr.asset_host_detection.vulnerability.protocol | | keyword | | qualys_vmdr.asset_host_detection.vulnerability.qds.score | | integer | 
@@ -583,8 +624,10 @@ An example event for `asset_host_detection` looks as following: | qualys_vmdr.asset_host_detection.vulnerability.status | | keyword | | qualys_vmdr.asset_host_detection.vulnerability.times_found | | long | | qualys_vmdr.asset_host_detection.vulnerability.times_reopened | | long | +| qualys_vmdr.asset_host_detection.vulnerability.trurisk_elimination_status | | keyword | | qualys_vmdr.asset_host_detection.vulnerability.type | | keyword | | qualys_vmdr.asset_host_detection.vulnerability.unique_vuln_id | | keyword | +| qualys_vmdr.asset_host_detection.vulnerability.vulnerability_detection_sources | | keyword | | resource.id | | keyword | | resource.name | | keyword | | vulnerability.package.fixed_version | | keyword | diff --git a/packages/qualys_vmdr/elasticsearch/transform/latest_cdr_vulnerabilities/fields/fields.yml b/packages/qualys_vmdr/elasticsearch/transform/latest_cdr_vulnerabilities/fields/fields.yml index e7e5a701b1b..8621c972fcb 100644 --- a/packages/qualys_vmdr/elasticsearch/transform/latest_cdr_vulnerabilities/fields/fields.yml +++ b/packages/qualys_vmdr/elasticsearch/transform/latest_cdr_vulnerabilities/fields/fields.yml @@ -77,6 +77,8 @@ type: keyword - name: asset_cve type: keyword + - name: cve + type: keyword - name: first_found_datetime type: date - name: first_reopened_datetime @@ -101,6 +103,16 @@ type: date - name: last_update_datetime type: date + - name: latest_vulnerability_detection_source + type: keyword + - name: mitre_tactic_id + type: keyword + - name: mitre_tactic_name + type: keyword + - name: mitre_technique_id + type: keyword + - name: mitre_technique_name + type: keyword - name: port type: long - name: protocol @@ -137,8 +149,12 @@ type: long - name: type type: keyword + - name: trurisk_elimination_status + type: keyword - name: unique_vuln_id type: keyword + - name: vulnerability_detection_sources + type: keyword - name: metadata type: group fields: 
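Review bot: The new `mitre_tactic_id`, `mitre_tactic_name`, `mitre_technique_id` and `mitre_technique_name` entries in the `@@ -101,6 +103,16 @@` hunk are declared only as integration-specific `qualys_vmdr.*` keywords, while ECS (8.11.0 per the README example event) already defines `threat.tactic.id`, `threat.tactic.name`, `threat.technique.id` and `threat.technique.name` for exactly this kind of data. Populating those ECS fields alongside the custom ones (presumably in the ingest pipeline, which is outside this diff) would let existing ATT&CK-keyed detection rules and dashboards correlate on the tactic/technique without knowing the Qualys field names; the same consideration applies to the new `cve` keyword, which looks like a candidate for ECS `vulnerability.id`. I would at least record the intent on the group with a comment such as `# MITRE ATT&CK tactic/technique as delivered by Qualys; see also ECS threat.tactic.* / threat.technique.*`. The enclosing `fields:` list this hunk sits in starts and ends outside the hunk.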
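Review bot: In the `@@ -137,8 +149,12 @@` hunk `trurisk_elimination_status` is inserted after `- name: type`, which breaks the alphabetical order the neighbouring entries (`times_reopened`, `type`, `unique_vuln_id`, `vulnerability_detection_sources`) follow and differs from the README field table in this same diff, which lists it before `type`. Moving the two lines `- name: trurisk_elimination_status` / `type: keyword` above `- name: type` keeps the mapping sorted and consistent with the documentation. The enclosing fields list starts and ends outside the hunk.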
@@ -214,6 +230,30 @@ type: keyword - name: value type: keyword + - name: alicloud + type: group + fields: + - name: attribute + type: group + fields: + - name: last + type: group + fields: + - name: error + type: group + fields: + - name: value + type: keyword + - name: date + type: date + - name: status + type: keyword + - name: success_date + type: date + - name: name + type: keyword + - name: value + type: keyword - name: netbios type: keyword - name: network_id diff --git a/packages/qualys_vmdr/manifest.yml b/packages/qualys_vmdr/manifest.yml index 5ed3176e175..6ab525b5f17 100644 --- a/packages/qualys_vmdr/manifest.yml +++ b/packages/qualys_vmdr/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.4.0" name: qualys_vmdr title: Qualys VMDR -version: "6.13.0" +version: "6.14.0" description: Collect data from Qualys VMDR platform with Elastic Agent. type: integration categories: