From 3bd76e021777e706bf8246ac2ee2d17a85945ee7 Mon Sep 17 00:00:00 2001 From: pemontto Date: Thu, 11 Apr 2019 08:27:28 +1000 Subject: [PATCH 01/73] Clean config and separate qualys data --- configs/frameworks_example.ini | 24 ++----------------- configs/test.ini | 24 ++----------------- .../elk6/pipeline/2000_qualys_web_scans.conf | 3 +-- 3 files changed, 5 insertions(+), 46 deletions(-) diff --git a/configs/frameworks_example.ini b/configs/frameworks_example.ini index 77d283c..20410cb 100755 --- a/configs/frameworks_example.ini +++ b/configs/frameworks_example.ini @@ -26,7 +26,7 @@ enabled = true hostname = qualysapi.qg2.apps.qualys.com username = exampleuser password = examplepass -write_path=/opt/VulnWhisperer/data/qualys/ +write_path=/opt/VulnWhisperer/data/qualys_web/ db_path=/opt/VulnWhisperer/data/database verbose=true @@ -42,16 +42,10 @@ enabled = true hostname = qualysapi.qg2.apps.qualys.com username = exampleuser password = examplepass -write_path=/opt/VulnWhisperer/data/qualys/ +write_path=/opt/VulnWhisperer/data/qualys_vuln/ db_path=/opt/VulnWhisperer/data/database verbose=true -# Set the maximum number of retries each connection should attempt. -#Note, this applies only to failed connections and timeouts, never to requests where the server returns a response. -max_retries = 10 -# Template ID will need to be retrieved for each document. Please follow the reference guide above for instructions on how to get your template ID. -template_id = 126024 - [detectify] #Reference https://developer.detectify.com/ enabled = false 
@@ -74,20 +68,6 @@ write_path=/opt/VulnWhisperer/data/openvas/ db_path=/opt/VulnWhisperer/data/database verbose=true -#[proxy] -; This section is optional. Leave it out if you're not using a proxy. -; You can use environmental variables as well: http://www.python-requests.org/en/latest/user/advanced/#proxies - -; proxy_protocol set to https, if not specified. -#proxy_url = proxy.mycorp.com - -; proxy_port will override any port specified in proxy_url -#proxy_port = 8080 - -; proxy authentication -#proxy_username = proxyuser -#proxy_password = proxypass - [jira] enabled = false hostname = jira-host diff --git a/configs/test.ini b/configs/test.ini index 468ba4a..b8ce72f 100755 --- a/configs/test.ini +++ b/configs/test.ini @@ -26,7 +26,7 @@ enabled = false hostname = qualys_web username = exampleuser password = examplepass -write_path=/tmp/VulnWhisperer/data/qualys/ +write_path=/tmp/VulnWhisperer/data/qualys_web/ db_path=/tmp/VulnWhisperer/data/database verbose=true @@ -42,16 +42,10 @@ enabled = true hostname = qualys_vuln username = exampleuser password = examplepass -write_path=/tmp/VulnWhisperer/data/qualys/ +write_path=/tmp/VulnWhisperer/data/qualys_vuln/ db_path=/tmp/VulnWhisperer/data/database verbose=true -# Set the maximum number of retries each connection should attempt. -#Note, this applies only to failed connections and timeouts, never to requests where the server returns a response. -max_retries = 10 -# Template ID will need to be retrieved for each document. Please follow the reference guide above for instructions on how to get your template ID. -template_id = 126024 - [detectify] #Reference https://developer.detectify.com/ enabled = false 
@@ -74,20 +68,6 @@ write_path=/tmp/VulnWhisperer/data/openvas/ db_path=/tmp/VulnWhisperer/data/database verbose=true -#[proxy] -; This section is optional. Leave it out if you're not using a proxy. -; You can use environmental variables as well: http://www.python-requests.org/en/latest/user/advanced/#proxies - -; proxy_protocol set to https, if not specified. -#proxy_url = proxy.mycorp.com - -; proxy_port will override any port specified in proxy_url -#proxy_port = 8080 - -; proxy authentication -#proxy_username = proxyuser -#proxy_password = proxypass - [jira] enabled = false hostname = jira-host diff --git a/resources/elk6/pipeline/2000_qualys_web_scans.conf b/resources/elk6/pipeline/2000_qualys_web_scans.conf index 66b0993..fbf83ee 100644 --- a/resources/elk6/pipeline/2000_qualys_web_scans.conf +++ b/resources/elk6/pipeline/2000_qualys_web_scans.conf @@ -6,7 +6,7 @@ input { file { - path => "/opt/vulnwhisperer/data/qualys/*.json" + path => [ "/opt/vulnwhisperer/data/qualys/*.json" , "/opt/vulnwhisperer/data/qualys_web/*.json", "/opt/vulnwhisperer/data/qualys_vuln/*.json"] type => json codec => json start_position => "beginning" @@ -14,7 +14,6 @@ input { mode => "read" start_position => "beginning" file_completed_action => "delete" - } } From db0d7a0491624eda125c2b393138b9a679a4da66 Mon Sep 17 00:00:00 2001 From: pemontto Date: Thu, 11 Apr 2019 10:36:41 +1000 Subject: [PATCH 02/73] Fix nessus logstash field cvss3_vector --- .../logstash/1000_nessus_process_file.conf | 2 +- resources/elk6/pipeline/1000_nessus_process_file.conf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/resources/elk5-old_compatibility/logstash/1000_nessus_process_file.conf b/resources/elk5-old_compatibility/logstash/1000_nessus_process_file.conf index 60e1920..d8d4f92 100644 --- a/resources/elk5-old_compatibility/logstash/1000_nessus_process_file.conf +++ b/resources/elk5-old_compatibility/logstash/1000_nessus_process_file.conf 
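Review bot: The new path list in 2000_qualys_web_scans.conf reads `/opt/vulnwhisperer/data/qualys_web/*.json`, while the `write_path` values this same commit adds to configs/frameworks_example.ini are `/opt/VulnWhisperer/data/qualys_web/`; on a case-sensitive filesystem those are different directories and Logstash will never pick the files up. Make one spelling canonical across the ini files and the pipeline paths (the elk5 copy changed in patch 03 has the same lowercase form). Routing `qualys_vuln/*.json` through the web-scans pipeline also means both data sets receive the filters that follow this hunk; if the vuln output has a different schema it would be cleaner as its own input block with a distinguishing tag.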
@@ -27,7 +27,7 @@ filter { csv { # columns => ["plugin_id", "cve", "cvss", "risk", "asset", "protocol", "port", "plugin_name", "synopsis", "description", "solution", "see_also", "plugin_output"] - columns => ["plugin_id", "cve", "cvss", "risk", "asset", "protocol", "port", "plugin_name", "synopsis", "description", "solution", "see_also", "plugin_output", "asset_uuid", "vulnerability_state", "ip", "fqdn", "netbios", "operating_system", "mac_address", "plugin_family", "cvss_base", "cvss_temporal", "cvss_temporal_vector", "cvss_vector", "cvss3_base", "cvss3_temporal", "cvss3_temporal_vector", "cvss_vector", "system_type", "host_start", "host_end"] + columns => ["plugin_id", "cve", "cvss", "risk", "asset", "protocol", "port", "plugin_name", "synopsis", "description", "solution", "see_also", "plugin_output", "asset_uuid", "vulnerability_state", "ip", "fqdn", "netbios", "operating_system", "mac_address", "plugin_family", "cvss_base", "cvss_temporal", "cvss_temporal_vector", "cvss_vector", "cvss3_base", "cvss3_temporal", "cvss3_temporal_vector", "cvss3_vector", "system_type", "host_start", "host_end"] separator => "," source => "message" } diff --git a/resources/elk6/pipeline/1000_nessus_process_file.conf b/resources/elk6/pipeline/1000_nessus_process_file.conf index dcb74a2..0c64047 100644 --- a/resources/elk6/pipeline/1000_nessus_process_file.conf +++ b/resources/elk6/pipeline/1000_nessus_process_file.conf 
@@ -29,7 +29,7 @@ filter { csv { # columns => ["plugin_id", "cve", "cvss", "risk", "asset", "protocol", "port", "plugin_name", "synopsis", "description", "solution", "see_also", "plugin_output"] - columns => ["plugin_id", "cve", "cvss", "risk", "asset", "protocol", "port", "plugin_name", "synopsis", "description", "solution", "see_also", "plugin_output", "asset_uuid", "vulnerability_state", "ip", "fqdn", "netbios", "operating_system", "mac_address", "plugin_family", "cvss_base", "cvss_temporal", "cvss_temporal_vector", "cvss_vector", "cvss3_base", "cvss3_temporal", "cvss3_temporal_vector", "cvss_vector", "system_type", "host_start", "host_end"] + columns => ["plugin_id", "cve", "cvss", "risk", "asset", "protocol", "port", "plugin_name", "synopsis", "description", "solution", "see_also", "plugin_output", "asset_uuid", "vulnerability_state", "ip", "fqdn", "netbios", "operating_system", "mac_address", "plugin_family", "cvss_base", "cvss_temporal", "cvss_temporal_vector", "cvss_vector", "cvss3_base", "cvss3_temporal", "cvss3_temporal_vector", "cvss3_vector", "system_type", "host_start", "host_end"] separator => "," source => "message" } From 7240fd9028431be21295571350c727eb63f5e239 Mon Sep 17 00:00:00 2001 From: pemontto Date: Thu, 11 Apr 2019 10:41:13 +1000 Subject: [PATCH 03/73] Add qualys paths to elk5 logstash config --- .../elk5-old_compatibility/logstash/2000_qualys_web_scans.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/resources/elk5-old_compatibility/logstash/2000_qualys_web_scans.conf b/resources/elk5-old_compatibility/logstash/2000_qualys_web_scans.conf index b330260..504de84 100644 --- a/resources/elk5-old_compatibility/logstash/2000_qualys_web_scans.conf +++ b/resources/elk5-old_compatibility/logstash/2000_qualys_web_scans.conf 
@@ -6,7 +6,7 @@ input { file { - path => "/opt/vulnwhisperer/qualys/*.json" + path => [ "/opt/vulnwhisperer/data/qualys/*.json" , "/opt/vulnwhisperer/data/qualys_web/*.json", "/opt/vulnwhisperer/data/qualys_vuln/*.json" ] type => json codec => json start_position => "beginning" From 76d54abdc6941d3e71fd9d2909dc2aa184c39d9f Mon Sep 17 00:00:00 2001 From: pemontto Date: Thu, 11 Apr 2019 20:09:21 +1000 Subject: [PATCH 04/73] Nessus JSON output with normalisation --- vulnwhisp/frameworks/nessus.py | 90 +++++++++++++++++++++++++++++++--- vulnwhisp/vulnwhisp.py | 20 +++----- 2 files changed, 91 insertions(+), 19 deletions(-) diff --git a/vulnwhisp/frameworks/nessus.py b/vulnwhisp/frameworks/nessus.py index 23c67d6..127e658 100755 --- a/vulnwhisp/frameworks/nessus.py +++ b/vulnwhisp/frameworks/nessus.py @@ -23,8 +23,24 @@ class NessusAPI(object): EXPORT_FILE_DOWNLOAD = EXPORT + '/{file_id}/download' EXPORT_STATUS = EXPORT + '/{file_id}/status' EXPORT_HISTORY = EXPORT + '?history_id={history_id}' + # All column mappings should be lowercase + COLUMN_MAPPING = { + 'cvss base score': 'cvss', + 'cvss temporal score': 'cvss_temporal', + 'cvss temporal vector': 'cvss_temporal_vector', + 'cvss3 base score': 'cvss3', + 'cvss3 temporal score': 'cvss3_temporal', + 'cvss3 temporal vector': 'cvss3_temporal_vector', + 'fqdn': 'dns', + 'host': 'asset', + 'name': 'plugin_name', + 'os': 'operating_system', + 'system type': 'category', + 'vulnerability state': 'state' + } + SEVERITY_MAPPING = {'none': 0, 'low': 1, 'medium': 2, 'high': 3, 'critical': 4} - def __init__(self, hostname=None, port=None, username=None, password=None, verbose=True): + def __init__(self, hostname=None, port=None, username=None, password=None, verbose=True, profile=None): self.logger = logging.getLogger('NessusAPI') if verbose: self.logger.setLevel(logging.DEBUG) 
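Review bot: COLUMN_MAPPING renames `cvss base score` to `cvss`, but only the tenable branch of map_fields drops the original `CVSS` column; if a plain Nessus export carries both headers the frame ends up with two `cvss` columns and the later `dataframe['cvss']` accesses return a DataFrame instead of a Series. I can't tell from this hunk whether Nessus exports both, so it is worth checking and, if so, applying the drop for every profile. A short comment above the dict would also help the next maintainer, e.g. `# keys are Nessus/Tenable CSV export headers, lowercased; values are the normalised column names used by the Logstash configs`.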
@@ -35,6 +51,7 @@ class NessusAPI(object): self.password = password self.base = 'https://{hostname}:{port}'.format(hostname=hostname, port=port) self.verbose = verbose + self.profile = profile self.session = requests.Session() self.session.verify = False @@ -67,7 +84,7 @@ class NessusAPI(object): def request(self, url, data=None, headers=None, method='POST', download=False, json_output=False): timeout = 0 success = False - + method = method.lower() url = self.base + url self.logger.debug('Requesting to url {}'.format(url)) @@ -114,7 +131,7 @@ class NessusAPI(object): data = self.request(self.SCAN_ID.format(scan_id=scan_id), method='GET', json_output=True) return data['history'] - def download_scan(self, scan_id=None, history=None, export_format="", profile=""): + def download_scan(self, scan_id=None, history=None, export_format=''): running = True counter = 0 @@ -137,13 +154,13 @@ class NessusAPI(object): report_status = self.request(self.EXPORT_STATUS.format(scan_id=scan_id, file_id=file_id), method='GET', json_output=True) running = report_status['status'] != 'ready' - sys.stdout.write(".") + sys.stdout.write('.') sys.stdout.flush() # FIXME: why? can this be removed in favour of a counter? if counter % 60 == 0: - self.logger.info("Completed: {}".format(counter)) - self.logger.info("Done: {}".format(counter)) - if profile == 'tenable': + self.logger.info('Completed: {}'.format(counter)) + self.logger.info('Done: {}'.format(counter)) + if self.profile == 'tenable': content = self.request(self.EXPORT_FILE_DOWNLOAD.format(scan_id=scan_id, file_id=file_id), method='GET', download=True) else: content = self.request(self.EXPORT_TOKEN_DOWNLOAD.format(token_id=token_id), method='GET', download=True) 
@@ -169,3 +186,62 @@ class NessusAPI(object): 'Pacific Standard Time': 'US/Pacific', 'None': 'US/Central'} return time_map.get(tz, None) + + def normalise(self, dataframe): + self.logger.debug('Normalising data') + self.map_fields(dataframe) + self.transform_values(dataframe) + return dataframe + + def map_fields(self, dataframe): + self.logger.debug('Mapping fields') + + # Any specific mappings here + if self.profile == 'tenable': + # Prefer CVSS Base Score over CVSS for tenable + self.logger.debug('Dropping redundant tenable fields') + dataframe.drop('CVSS', axis=1, inplace=True) + dataframe.drop('IP Address', axis=1, inplace=True) + + # Map fields from COLUMN_MAPPING + fields = [x.lower() for x in dataframe.columns] + for field, replacement in self.COLUMN_MAPPING.iteritems(): + if field in fields: + self.logger.debug('Renaming "{}" to "{}"'.format(field, replacement)) + fields[fields.index(field)] = replacement + + fields = [x.replace(' ', '_') for x in fields] + dataframe.columns = fields + + return dataframe + + def transform_values(self, dataframe): + self.logger.debug('Transforming values') + + # upper/lowercase fields + self.logger.debug('Changing case of fields') + dataframe['cve'] = dataframe['cve'].str.upper() + dataframe['protocol'] = dataframe['protocol'].str.lower() + + # Map risk to a SEVERITY MAPPING value + self.logger.debug('Mapping risk to severity number') + dataframe['risk_number'] = dataframe['risk'].str.lower() + dataframe['risk_number'].replace(self.SEVERITY_MAPPING, inplace=True) + + if self.profile == 'tenable': + self.logger.debug('Combinging CVSS vectors for tenable') + # Combine CVSS vectors + dataframe['cvss_vector'] = ( + dataframe[['cvss_vector', 'cvss_temporal_vector']] + .apply(lambda x: '{}/{}'.format(x[0], x[1]), axis=1) + .str.rstrip('/nan') + ) + dataframe['cvss3_vector'] = ( + dataframe[['cvss3_vector', 'cvss3_temporal_vector']] + .apply(lambda x: '{}/{}'.format(x[0], x[1]), axis=1) + .str.rstrip('/nan') + ) + + 
dataframe.fillna('', inplace=True) + + return dataframe \ No newline at end of file diff --git a/vulnwhisp/vulnwhisp.py b/vulnwhisp/vulnwhisp.py index 782af0e..befe9d6 100755 --- a/vulnwhisp/vulnwhisp.py +++ b/vulnwhisp/vulnwhisp.py @@ -129,11 +129,6 @@ class vulnWhispererBase(object): self.delete_table() self.create_table() - def cleanser(self, _data): - repls = (('\n', r'\n'), ('\r', r'\r')) - data = reduce(lambda a, kv: a.replace(*kv), repls, _data) - return data - def path_check(self, _data): if self.write_path: if '/' or '\\' in _data[-1]: @@ -288,7 +283,9 @@ class vulnWhispererNessus(vulnWhispererBase): NessusAPI(hostname=self.hostname, port=self.nessus_port, username=self.username, - password=self.password) + password=self.password, + profile=self.CONFIG_SECTION + ) self.nessus_connect = True self.logger.info('Connected to nessus on {host}:{port}'.format(host=self.hostname, port=str(self.nessus_port))) 
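Review bot: In transform_values, `dataframe['cve'].str.upper()` and `dataframe['protocol'].str.lower()` raise AttributeError when the column is entirely NaN, because pandas gives such a column a float dtype and refuses the `.str` accessor, so a scan with no CVE findings fails normalisation outright; `dataframe['cve'] = dataframe['cve'].fillna('').astype(str).str.upper()` avoids that. `.str.rstrip('/nan')` strips any trailing run of the characters `/`, `n` and `a`, not the suffix `/nan`, and only works today because CVSS vector components are upper-case; `.str.replace(r'/nan$', '')` states the intent and survives a format change (the same idiom is repeated in qualys_vuln.py's transform_values in patch 06). `dataframe['risk_number'].replace(self.SEVERITY_MAPPING, inplace=True)` is an in-place call on a column selection, which pandas does not guarantee writes through to the frame; `dataframe['risk_number'] = dataframe['risk'].str.lower().replace(self.SEVERITY_MAPPING)` is the safe form.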
@@ -435,21 +432,20 @@ class vulnWhispererNessus(vulnWhispererBase): try: file_req = \ self.nessus.download_scan(scan_id=scan_id, history=history_id, - export_format='csv', profile=self.CONFIG_SECTION) + export_format='csv') except Exception as e: self.logger.error('Could not download {} scan {}: {}'.format(self.CONFIG_SECTION, scan_id, str(e))) self.exit_code += 1 continue - clean_csv = \ - pd.read_csv(io.StringIO(file_req.decode('utf-8'))) + clean_csv = pd.read_csv(io.StringIO(file_req.decode('utf-8'))) if len(clean_csv) > 2: self.logger.info('Processing {}/{} for scan: {}'.format(scan_count, len(scan_list), scan_name.encode('utf8'))) - columns_to_cleanse = ['CVSS','CVE','Description','Synopsis','Solution','See Also','Plugin Output'] - for col in columns_to_cleanse: - clean_csv[col] = clean_csv[col].astype(str).apply(self.cleanser) + # Map and transform fields + clean_csv = self.nessus.normalise(clean_csv) + clean_csv.to_json(relative_path_name.replace('csv', 'json'), orient='records', lines=True) clean_csv.to_csv(relative_path_name, index=False) record_meta = ( scan_name, From d6980d82291acdd5511d330b2fec093ddd6f17cb Mon Sep 17 00:00:00 2001 From: pemontto Date: Thu, 11 Apr 2019 20:11:08 +1000 Subject: [PATCH 05/73] Add normalisation, mapping and transform stubs --- vulnwhisp/frameworks/openvas.py | 14 ++++++++++++++ vulnwhisp/frameworks/qualys_web.py | 14 ++++++++++++++ vulnwhisp/vulnwhisp.py | 14 +++++++------- 3 files changed, 35 insertions(+), 7 deletions(-) diff --git a/vulnwhisp/frameworks/openvas.py b/vulnwhisp/frameworks/openvas.py index a5f8b70..5461629 100644 --- a/vulnwhisp/frameworks/openvas.py +++ b/vulnwhisp/frameworks/openvas.py 
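Review bot: The CSV written by `clean_csv.to_csv(relative_path_name, index=False)` no longer passes through `cleanser`, which this commit deletes in the `@@ -129` hunk above, so literal newlines inside fields such as Description and Plugin Output are now emitted raw; the Logstash file input splits events on newlines, so multi-line findings will be broken into fragments, and the ruby filter that turns `\n` back into newlines has no escaped sequences left to undo. Either keep the escaping on the CSV path or retire the CSV output once JSON is the supported format. Separately, `relative_path_name.replace('csv', 'json')` rewrites every occurrence of `csv` in the path rather than the extension, so a scan name or directory containing that substring yields a wrong filename; `os.path.splitext(relative_path_name)[0] + '.json'` is the safe form.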
@@ -190,3 +190,17 @@ class OpenVAS_API(object): self.processed_reports += 1 merged_df = pd.merge(report_df, self.openvas_reports, on='report_ids').reset_index().drop('index', axis=1) return merged_df + + def normalise(self, dataframe): + self.logger.debug('Normalising data') + self.map_fields(dataframe) + self.transform_values(dataframe) + return dataframe + + def map_fields(self, dataframe): + self.logger.debug('Mapping fields') + return dataframe + + def transform_values(self, dataframe): + self.logger.debug('Transforming values') + return dataframe \ No newline at end of file diff --git a/vulnwhisp/frameworks/qualys_web.py b/vulnwhisp/frameworks/qualys_web.py index 4e50c5f..45c9da3 100644 --- a/vulnwhisp/frameworks/qualys_web.py +++ b/vulnwhisp/frameworks/qualys_web.py @@ -463,3 +463,17 @@ class qualysScanReport: merged_data.sort_index(axis=1, inplace=True) return merged_data + + def normalise(self, dataframe): + self.logger.debug('Normalising data') + self.map_fields(dataframe) + self.transform_values(dataframe) + return dataframe + + def map_fields(self, dataframe): + self.logger.debug('Mapping fields') + return dataframe + + def transform_values(self, dataframe): + self.logger.debug('Transforming values') + return dataframe \ No newline at end of file diff --git a/vulnwhisp/vulnwhisp.py b/vulnwhisp/vulnwhisp.py index befe9d6..7d0c95d 100755 --- a/vulnwhisp/vulnwhisp.py +++ b/vulnwhisp/vulnwhisp.py @@ -610,6 +610,9 @@ class vulnWhispererQualys(vulnWhispererBase): vuln_ready['scan_name'] = scan_name vuln_ready['scan_reference'] = scan_reference + # Map and transform fields + vuln_ready = self.qualys_scan.normalise(vuln_ready) + # TODO remove the line below once normalising complete vuln_ready.rename(columns=self.COLUMN_MAPPING, inplace=True) record_meta = ( 
@@ -627,9 +630,7 @@ class vulnWhispererQualys(vulnWhispererBase): self.record_insert(record_meta) if output_format == 'json': - with open(relative_path_name, 'w') as f: - f.write(vuln_ready.to_json(orient='records', lines=True)) - f.write('\n') + vuln_ready.to_json(relative_path_name, orient='records', lines=True) elif output_format == 'csv': vuln_ready.to_csv(relative_path_name, index=False, header=True) # add when timestamp occured @@ -779,10 +780,9 @@ class vulnWhispererOpenVAS(vulnWhispererBase): vuln_ready.rename(columns=self.COLUMN_MAPPING, inplace=True) vuln_ready.port = vuln_ready.port.fillna(0).astype(int) vuln_ready.fillna('', inplace=True) - if output_format == 'json': - with open(relative_path_name, 'w') as f: - f.write(vuln_ready.to_json(orient='records', lines=True)) - f.write('\n') + # Map and transform fields + vuln_ready = self.openvas_api.normalise(vuln_ready) + vuln_ready.to_json(relative_path_name, orient='records', lines=True) self.logger.info('Report written to {}'.format(report_name)) return report From 5671b70bdd5c95b58fcafa6da092a569aeb780df Mon Sep 17 00:00:00 2001 From: pemontto Date: Thu, 11 Apr 2019 20:13:17 +1000 Subject: [PATCH 06/73] Add normalisation for qualys_vuln --- vulnwhisp/frameworks/qualys_vuln.py | 83 +++++++++++++++++++++++++++++ vulnwhisp/vulnwhisp.py | 19 ++----- 2 files changed, 88 insertions(+), 14 deletions(-) diff --git a/vulnwhisp/frameworks/qualys_vuln.py b/vulnwhisp/frameworks/qualys_vuln.py index 69cddfa..dace770 100644 --- a/vulnwhisp/frameworks/qualys_vuln.py +++ b/vulnwhisp/frameworks/qualys_vuln.py @@ -11,6 +11,7 @@ import pandas as pd import qualysapi + class qualysWhisperAPI(object): SCANS = 'api/2.0/fo/scan' @@ -78,6 +79,15 @@ class qualysUtils: class qualysVulnScan: + COLUMN_MAPPING = { + 'cve_id': 'cve', + 'cvss_base': 'cvss', + 'cvss3_base': 'cvss3', + 'ip_status': 'state', + 'os': 'operating_system', + 'qid': 'plugin_id' + } + def __init__( self, config=None, 
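Review bot: In the OpenVAS hunk the `if output_format == 'json':` guard is removed, so `vuln_ready.to_json(...)` now runs for every value of `output_format` and the parameter is silently ignored; keep the condition around the to_json call or document that OpenVAS output is JSON only. Both hunks here also drop the explicit `f.write('\n')` that followed to_json; whether `to_json(lines=True)` terminates the last record with a newline depends on the pandas version, and a file without a final newline can keep the Logstash file input from emitting the last event until more data arrives, so this is worth confirming against the pinned pandas. The same replacement is made on the Nessus path in patch 04 and the qualys_vuln path in patch 06.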
@@ -122,3 +132,76 @@ class qualysVulnScan: return scan_report return scan_report + + def normalise(self, dataframe): + self.logger.debug('Normalising data') + self.map_fields(dataframe) + self.transform_values(dataframe) + return dataframe + + def map_fields(self, dataframe): + self.logger.info('Mapping fields') + + # Map fields from COLUMN_MAPPING + fields = [x.lower() for x in dataframe.columns] + for field, replacement in self.COLUMN_MAPPING.iteritems(): + if field in fields: + self.logger.info('Renaming "{}" to "{}"'.format(field, replacement)) + fields[fields.index(field)] = replacement + + fields = [x.replace(' ', '_') for x in fields] + dataframe.columns = fields + + return dataframe + + def transform_values(self, dataframe): + self.logger.info('Transforming values') + + # upper/lowercase fields + self.logger.info('Changing case of fields') + dataframe['cve'] = dataframe['cve'].str.upper() + dataframe['protocol'] = dataframe['protocol'].str.lower() + + # Contruct the CVSS vector + dataframe['cvss_vector'] = '' + dataframe.loc[dataframe["cvss"].notnull(), "cvss_vector"] = ( + dataframe.loc[dataframe["cvss"].notnull(), "cvss"] + .str.split() + .apply(lambda x: x[1]) + .str.replace("(", "") + .str.replace(")", "") + ) + dataframe.loc[dataframe["cvss"].notnull(), "cvss"] = ( + dataframe.loc[dataframe["cvss"].notnull(), "cvss"] + .str.split() + .apply(lambda x: x[0]) + ) + dataframe['cvss_temporal_vector'] = '' + dataframe.loc[dataframe["cvss_temporal"].notnull(), "cvss_temporal_vector"] = ( + dataframe.loc[dataframe["cvss_temporal"].notnull(), "cvss_temporal"] + .str.split() + .apply(lambda x: x[1]) + .str.replace("(", "") + .str.replace(")", "") + ) + dataframe.loc[dataframe["cvss_temporal"].notnull(), "cvss_temporal"] = ( + dataframe.loc[dataframe["cvss_temporal"].notnull(), "cvss_temporal"] + .str.split() + .apply(lambda x: x[0]) + .fillna('') + ) + + # Combine base and temporal + dataframe["cvss_vector"] = ( + dataframe[["cvss_vector", 
"cvss_temporal_vector"]] + .apply(lambda x: "{}/{}".format(x[0], x[1]), axis=1) + .str.rstrip("/nan") + .fillna("") + ) + + # Convert Qualys severity to standardised risk number + dataframe['risk_number'] = dataframe['severity'].astype(int)-1 + + dataframe.fillna('', inplace=True) + + return dataframe \ No newline at end of file diff --git a/vulnwhisp/vulnwhisp.py b/vulnwhisp/vulnwhisp.py index 7d0c95d..e7614a1 100755 --- a/vulnwhisp/vulnwhisp.py +++ b/vulnwhisp/vulnwhisp.py @@ -633,7 +633,7 @@ class vulnWhispererQualys(vulnWhispererBase): vuln_ready.to_json(relative_path_name, orient='records', lines=True) elif output_format == 'csv': - vuln_ready.to_csv(relative_path_name, index=False, header=True) # add when timestamp occured + vuln_ready.to_csv(relative_path_name, index=False, header=True) # add when timestamp occured self.logger.info('Report written to {}'.format(report_name)) @@ -815,13 +815,6 @@ class vulnWhispererOpenVAS(vulnWhispererBase): class vulnWhispererQualysVuln(vulnWhispererBase): CONFIG_SECTION = 'qualys_vuln' - COLUMN_MAPPING = {'cvss_base': 'cvss', - 'cvss3_base': 'cvss3', - 'cve_id': 'cve', - 'os': 'operating_system', - 'qid': 'plugin_id', - 'severity': 'risk', - 'title': 'plugin_name'} def __init__( self, @@ -850,12 +843,11 @@ class vulnWhispererQualysVuln(vulnWhispererBase): scan_reference=None, output_format='json', cleanup=True): - launched_date if 'Z' in launched_date: launched_date = self.qualys_scan.utils.iso_to_epoch(launched_date) report_name = 'qualys_vuln_' + report_id.replace('/','_') \ + '_{last_updated}'.format(last_updated=launched_date) \ - + '.json' + + '.{extension}'.format(extension=output_format) relative_path_name = self.path_check(report_name) 
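Review bot: The CVSS parsing in transform_values assumes every non-null `cvss` and `cvss_temporal` value has the form `score (vector)`: `.str.split().apply(lambda x: x[1])` raises IndexError on a value with no space, and `.str.split()` raises AttributeError if the column arrived as numeric, either of which aborts the whole report in the caller's except block. A guard such as `.apply(lambda x: x[1] if len(x) > 1 else '')` keeps one malformed row from failing the scan. The per-field rename and transform logging uses `logger.info` where nessus.py's equivalent methods use `logger.debug`; aligning them keeps normal log output readable. Whether `severity` is always populated I can't tell from here, but `astype(int)` raises on NaN, so `risk_number` should be computed after a `fillna` or with a default.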
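Review bot: Removing the class-level COLUMN_MAPPING drops two renames that the new `qualysVulnScan.COLUMN_MAPPING` in this patch does not carry over, `'severity': 'risk'` and `'title': 'plugin_name'`, so reports now contain `severity` and `title` columns where the Logstash and Kibana side previously received `risk` and `plugin_name`. Unless the downstream configs are updated in a later patch, add `'severity': 'risk'` and `'title': 'plugin_name'` to qualysVulnScan.COLUMN_MAPPING and have transform_values derive `risk_number` from the renamed column, since `dataframe['severity']` would no longer exist after the rename.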
@@ -883,7 +875,8 @@ class vulnWhispererQualysVuln(vulnWhispererBase): vuln_ready = self.qualys_scan.process_data(scan_id=report_id) vuln_ready['scan_name'] = scan_name vuln_ready['scan_reference'] = report_id - vuln_ready.rename(columns=self.COLUMN_MAPPING, inplace=True) + # Map and transform fields + vuln_ready = self.qualys_scan.normalise(vuln_ready) except Exception as e: self.logger.error('Could not process {}: {}'.format(report_id, str(e))) self.exit_code += 1 @@ -904,9 +897,7 @@ class vulnWhispererQualysVuln(vulnWhispererBase): self.record_insert(record_meta) if output_format == 'json': - with open(relative_path_name, 'w') as f: - f.write(vuln_ready.to_json(orient='records', lines=True)) - f.write('\n') + vuln_ready.to_json(relative_path_name, orient='records', lines=True) self.logger.info('Report written to {}'.format(report_name)) return self.exit_code From 0710b38de3a956da4f6630f745484860829913db Mon Sep 17 00:00:00 2001 From: pemontto Date: Thu, 11 Apr 2019 20:27:54 +1000 Subject: [PATCH 07/73] Update nessus logstash configs --- .../docker/1000_nessus_process_file.conf | 71 ++++++++++++------- .../logstash/1000_nessus_process_file.conf | 71 ++++++++++++------- .../pipeline/1000_nessus_process_file.conf | 69 +++++++++++------- 3 files changed, 131 insertions(+), 80 deletions(-) diff --git a/resources/elk5-old_compatibility/docker/1000_nessus_process_file.conf b/resources/elk5-old_compatibility/docker/1000_nessus_process_file.conf index f28a530..fdf022b 100644 --- a/resources/elk5-old_compatibility/docker/1000_nessus_process_file.conf +++ b/resources/elk5-old_compatibility/docker/1000_nessus_process_file.conf 
@@ -7,52 +7,69 @@ input { file { - path => "/opt/VulnWhisperer/data/nessus/**/*" + path => "/opt/VulnWhisperer/data/nessus/**/*.csv" start_position => "beginning" tags => "nessus" type => "nessus" } + file { + path => "/opt/VulnWhisperer/data/nessus/**/*.json" + start_position => "beginning" + tags => "nessus" + type => "nessus" + codec => json + } file { path => "/opt/VulnWhisperer/data/tenable/*.csv" start_position => "beginning" tags => "tenable" type => "tenable" } + file { + path => "/opt/VulnWhisperer/data/tenable/*.json" + start_position => "beginning" + tags => "nessus" + type => "nessus" + codec => json + } } filter { if "nessus" in [tags] or "tenable" in [tags] { - # Drop the header column - if [message] =~ "^Plugin ID" { drop {} } - csv { - # columns => ["plugin_id", "cve", "cvss", "risk", "asset", "protocol", "port", "plugin_name", "synopsis", "description", "solution", "see_also", "plugin_output"] - columns => ["plugin_id", "cve", "cvss", "risk", "asset", "protocol", "port", "plugin_name", "synopsis", "description", "solution", "see_also", "plugin_output", "asset_uuid", "vulnerability_state", "ip", "fqdn", "netbios", "operating_system", "mac_address", "plugin_family", "cvss_base", "cvss_temporal", "cvss_temporal_vector", "cvss_vector", "cvss3_base", "cvss3_temporal", "cvss3_temporal_vector", "cvss_vector", "system_type", "host_start", "host_end"] - separator => "," - source => "message" - } + if [path] =~ /\.csv$/ {} + # Drop the header column + if [message] =~ "^(Plugin ID|plugin_id,)" { drop {} } - ruby { - code => "if event.get('description') - event.set('description', event.get('description').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr)) - end - if event.get('synopsis') - event.set('synopsis', event.get('synopsis').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr)) - end - if event.get('solution') - event.set('solution', event.get('solution').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr)) - end - if event.get('see_also') - 
event.set('see_also', event.get('see_also').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr)) - end - if event.get('plugin_output') - event.set('plugin_output', event.get('plugin_output').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr)) - end" - } + csv { + # columns => ["plugin_id", "cve", "cvss", "risk", "asset", "protocol", "port", "plugin_name", "synopsis", "description", "solution", "see_also", "plugin_output"] + columns => ["plugin_id", "cve", "cvss", "risk", "asset", "protocol", "port", "plugin_name", "synopsis", "description", "solution", "see_also", "plugin_output", "asset_uuid", "vulnerability_state", "ip", "fqdn", "netbios", "operating_system", "mac_address", "plugin_family", "cvss_base", "cvss_temporal", "cvss_temporal_vector", "cvss_vector", "cvss3_base", "cvss3_temporal", "cvss3_temporal_vector", "cvss3_vector", "system_type", "host_start", "host_end"] + separator => "," + source => "message" + } + + ruby { + code => "if event.get('description') + event.set('description', event.get('description').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr)) + end + if event.get('synopsis') + event.set('synopsis', event.get('synopsis').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr)) + end + if event.get('solution') + event.set('solution', event.get('solution').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr)) + end + if event.get('see_also') + event.set('see_also', event.get('see_also').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr)) + end + if event.get('plugin_output') + event.set('plugin_output', event.get('plugin_output').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr)) + end" + } + } #If using filebeats as your source, you will need to replace the "path" field to "source" grok { - match => { "path" => "(?[a-zA-Z0-9_.\-]+)_%{INT:scan_id}_%{INT:history_id}_%{INT:last_updated}.csv$" } + match => { "path" => "(?[a-zA-Z0-9_.\-]+)_%{INT:scan_id}_%{INT:history_id}_%{INT:last_updated}.(csv|json)$" } tag_on_failure => [] } 
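Review bot: `if [path] =~ /\.csv$/ {}` is an empty conditional, so the header drop, csv and ruby filters beneath it run for every event, JSON ones included, and the extra `}` added after the ruby block closes the `"nessus" in [tags]` conditional early, leaving the grok outside it and the file one closing brace off; the intended line is almost certainly `if [path] =~ /\.csv$/ {` with no `}`. The same slip is in the elk5 logstash copy and the elk6 pipeline in this patch. The new tenable JSON input in this file is tagged and typed `nessus` while its CSV sibling is `tenable`, and the elk6 copy tags it `tenable`, so one of the two is wrong.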
diff --git a/resources/elk5-old_compatibility/logstash/1000_nessus_process_file.conf b/resources/elk5-old_compatibility/logstash/1000_nessus_process_file.conf index d8d4f92..ffda45a 100644 --- a/resources/elk5-old_compatibility/logstash/1000_nessus_process_file.conf +++ b/resources/elk5-old_compatibility/logstash/1000_nessus_process_file.conf 
@@ -7,52 +7,69 @@ input { file { - path => "/opt/vulnwhisperer/nessus/**/*" + path => "/opt/VulnWhisperer/data/nessus/**/*.csv" start_position => "beginning" tags => "nessus" type => "nessus" } file { - path => "/opt/vulnwhisperer/tenable/*.csv" + path => "/opt/VulnWhisperer/data/nessus/**/*.json" + start_position => "beginning" + tags => "nessus" + type => "nessus" + codec => json + } + file { + path => "/opt/VulnWhisperer/data/tenable/*.csv" start_position => "beginning" tags => "tenable" type => "tenable" } + file { + path => "/opt/VulnWhisperer/data/tenable/*.json" + start_position => "beginning" + tags => "nessus" + type => "nessus" + codec => json + } } filter { if "nessus" in [tags] or "tenable" in [tags] { - # Drop the header column - if [message] =~ "^Plugin ID" { drop {} } - csv { - # columns => ["plugin_id", "cve", "cvss", "risk", "asset", "protocol", "port", "plugin_name", "synopsis", "description", "solution", "see_also", "plugin_output"] - columns => ["plugin_id", "cve", "cvss", "risk", "asset", "protocol", "port", "plugin_name", "synopsis", "description", "solution", "see_also", "plugin_output", "asset_uuid", "vulnerability_state", "ip", "fqdn", "netbios", "operating_system", "mac_address", "plugin_family", "cvss_base", "cvss_temporal", "cvss_temporal_vector", "cvss_vector", "cvss3_base", "cvss3_temporal", "cvss3_temporal_vector", "cvss3_vector", "system_type", "host_start", "host_end"] - separator => "," - source => "message" - } + if [path] =~ /\.csv$/ {} + # Drop the header column + if [message] =~ "^(Plugin ID|plugin_id,)" { drop {} } - ruby { - code => "if event.get('description') - event.set('description', event.get('description').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr)) - end - if event.get('synopsis') - event.set('synopsis', event.get('synopsis').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr)) - end - if event.get('solution') - event.set('solution', event.get('solution').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 
13.chr)) - end - if event.get('see_also') - event.set('see_also', event.get('see_also').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr)) - end - if event.get('plugin_output') - event.set('plugin_output', event.get('plugin_output').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr)) - end" + csv { + # columns => ["plugin_id", "cve", "cvss", "risk", "asset", "protocol", "port", "plugin_name", "synopsis", "description", "solution", "see_also", "plugin_output"] + columns => ["plugin_id", "cve", "cvss", "risk", "asset", "protocol", "port", "plugin_name", "synopsis", "description", "solution", "see_also", "plugin_output", "asset_uuid", "vulnerability_state", "ip", "fqdn", "netbios", "operating_system", "mac_address", "plugin_family", "cvss_base", "cvss_temporal", "cvss_temporal_vector", "cvss_vector", "cvss3_base", "cvss3_temporal", "cvss3_temporal_vector", "cvss3_vector", "system_type", "host_start", "host_end"] + separator => "," + source => "message" + } + + ruby { + code => "if event.get('description') + event.set('description', event.get('description').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr)) + end + if event.get('synopsis') + event.set('synopsis', event.get('synopsis').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr)) + end + if event.get('solution') + event.set('solution', event.get('solution').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr)) + end + if event.get('see_also') + event.set('see_also', event.get('see_also').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr)) + end + if event.get('plugin_output') + event.set('plugin_output', event.get('plugin_output').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr)) + end" + } } #If using filebeats as your source, you will need to replace the "path" field to "source" grok { - match => { "path" => "(?[a-zA-Z0-9_.\-]+)_%{INT:scan_id}_%{INT:history_id}_%{INT:last_updated}.csv$" } + match => { "path" => 
"(?[a-zA-Z0-9_.\-]+)_%{INT:scan_id}_%{INT:history_id}_%{INT:last_updated}.(csv|json)$" } tag_on_failure => [] } diff --git a/resources/elk6/pipeline/1000_nessus_process_file.conf b/resources/elk6/pipeline/1000_nessus_process_file.conf index 0c64047..8f02757 100644 --- a/resources/elk6/pipeline/1000_nessus_process_file.conf +++ b/resources/elk6/pipeline/1000_nessus_process_file.conf @@ -7,12 +7,19 @@ input { file { - path => "/opt/vulnwhisperer/data/nessus/**/*" + path => "/opt/vulnwhisperer/data/nessus/**/*.csv" mode => "read" start_position => "beginning" file_completed_action => "delete" tags => "nessus" } + file { + path => "/opt/VulnWhisperer/data/nessus/**/*.json" + start_position => "beginning" + file_completed_action => "delete" + tags => "nessus" + codec => json + } file { path => "/opt/vulnwhisperer/data/tenable/*.csv" mode => "read" 
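Review bot: The new JSON input reads `/opt/VulnWhisperer/data/nessus/**/*.json` while the CSV input just above it reads `/opt/vulnwhisperer/data/nessus/**/*.csv`; on a case-sensitive filesystem only one of those directories exists, so pick one spelling (the ini examples use `VulnWhisperer`). The JSON block also sets `file_completed_action => "delete"` without the `mode => "read"` the CSV block has; that option only applies in read mode, so the JSON files would be tailed and never deleted. Add `mode => "read"` to both new JSON inputs in this file, the tenable one being in the next hunk.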
@@ -20,41 +27,51 @@ input { file_completed_action => "delete" tags => "tenable" } + file { + path => "/opt/VulnWhisperer/data/tenable/*.json" + start_position => "beginning" + file_completed_action => "delete" + tags => "tenable" + codec => json + } } filter { if "nessus" in [tags] or "tenable" in [tags] { - # Drop the header column - if [message] =~ "^Plugin ID" { drop {} } - csv { - # columns => ["plugin_id", "cve", "cvss", "risk", "asset", "protocol", "port", "plugin_name", "synopsis", "description", "solution", "see_also", "plugin_output"] - columns => ["plugin_id", "cve", "cvss", "risk", "asset", "protocol", "port", "plugin_name", "synopsis", "description", "solution", "see_also", "plugin_output", "asset_uuid", "vulnerability_state", "ip", "fqdn", "netbios", "operating_system", "mac_address", "plugin_family", "cvss_base", "cvss_temporal", "cvss_temporal_vector", "cvss_vector", "cvss3_base", "cvss3_temporal", "cvss3_temporal_vector", "cvss3_vector", "system_type", "host_start", "host_end"] - separator => "," - source => "message" - } + if [path] =~ /\.csv$/ {} + # Drop the header column + if [message] =~ "^(Plugin ID|plugin_id,)" { drop {} } - ruby { - code => "if event.get('description') - event.set('description', event.get('description').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr)) - end - if event.get('synopsis') - event.set('synopsis', event.get('synopsis').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr)) - end - if event.get('solution') - event.set('solution', event.get('solution').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr)) - end - if event.get('see_also') - event.set('see_also', event.get('see_also').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr)) - end - if event.get('plugin_output') - event.set('plugin_output', event.get('plugin_output').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr)) - end" + csv { + # columns => ["plugin_id", "cve", "cvss", "risk", "asset", "protocol", "port", "plugin_name", "synopsis", 
"description", "solution", "see_also", "plugin_output"] + columns => ["plugin_id", "cve", "cvss", "risk", "asset", "protocol", "port", "plugin_name", "synopsis", "description", "solution", "see_also", "plugin_output", "asset_uuid", "vulnerability_state", "ip", "fqdn", "netbios", "operating_system", "mac_address", "plugin_family", "cvss_base", "cvss_temporal", "cvss_temporal_vector", "cvss_vector", "cvss3_base", "cvss3_temporal", "cvss3_temporal_vector", "cvss3_vector", "system_type", "host_start", "host_end"] + separator => "," + source => "message" + } + + ruby { + code => "if event.get('description') + event.set('description', event.get('description').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr)) + end + if event.get('synopsis') + event.set('synopsis', event.get('synopsis').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr)) + end + if event.get('solution') + event.set('solution', event.get('solution').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr)) + end + if event.get('see_also') + event.set('see_also', event.get('see_also').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr)) + end + if event.get('plugin_output') + event.set('plugin_output', event.get('plugin_output').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr)) + end" + } } #If using filebeats as your source, you will need to replace the "path" field to "source" grok { - match => { "path" => "(?[a-zA-Z0-9_.\-]+)_%{INT:scan_id}_%{INT:history_id}_%{INT:last_updated}.csv$" } + match => { "path" => "(?[a-zA-Z0-9_.\-]+)_%{INT:scan_id}_%{INT:history_id}_%{INT:last_updated}.(csv|json)$" } tag_on_failure => [] } From 8f9932e56bd359881f62c658b8d003fe83b18bea Mon Sep 17 00:00:00 2001 From: pemontto Date: Thu, 11 Apr 2019 21:17:24 +1000 Subject: [PATCH 08/73] minor updates --- vulnwhisp/frameworks/nessus.py | 3 +++ vulnwhisp/frameworks/qualys_vuln.py | 7 +++++-- 2 files changed, 8 insertions(+), 2 deletions(-) 
diff --git a/vulnwhisp/frameworks/nessus.py b/vulnwhisp/frameworks/nessus.py index 127e658..9899de6 100755 --- a/vulnwhisp/frameworks/nessus.py +++ b/vulnwhisp/frameworks/nessus.py @@ -223,6 +223,9 @@ class NessusAPI(object): dataframe['cve'] = dataframe['cve'].str.upper() dataframe['protocol'] = dataframe['protocol'].str.lower() + # Copy asset to IP + dataframe['ip'] = dataframe['asset'] + # Map risk to a SEVERITY MAPPING value self.logger.debug('Mapping risk to severity number') dataframe['risk_number'] = dataframe['risk'].str.lower() diff --git a/vulnwhisp/frameworks/qualys_vuln.py b/vulnwhisp/frameworks/qualys_vuln.py index dace770..3eac54f 100644 --- a/vulnwhisp/frameworks/qualys_vuln.py +++ b/vulnwhisp/frameworks/qualys_vuln.py @@ -85,7 +85,8 @@ class qualysVulnScan: 'cvss3_base': 'cvss3', 'ip_status': 'state', 'os': 'operating_system', - 'qid': 'plugin_id' + 'qid': 'plugin_id', + 'title': 'plugin_name' } def __init__( @@ -198,7 +199,9 @@ class qualysVulnScan: .str.rstrip("/nan") .fillna("") ) - + + dataframe.drop('cvss_temporal_vector', axis=1, inplace=True) + # Convert Qualys severity to standardised risk number dataframe['risk_number'] = dataframe['severity'].astype(int)-1 From 2547873bd28c9086a805683822ca572188839053 Mon Sep 17 00:00:00 2001 From: pemontto Date: Thu, 11 Apr 2019 21:57:18 +1000 Subject: [PATCH 09/73] Add scan name to output --- vulnwhisp/vulnwhisp.py | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/vulnwhisp/vulnwhisp.py b/vulnwhisp/vulnwhisp.py index e7614a1..7a49f29 100755 --- a/vulnwhisp/vulnwhisp.py +++ b/vulnwhisp/vulnwhisp.py @@ -445,6 +445,9 @@ class vulnWhispererNessus(vulnWhispererBase): # Map and transform fields clean_csv = self.nessus.normalise(clean_csv) + clean_csv['scan_name'] = scan_name.encode('utf8') + clean_csv['scan_id'] = scan_id + clean_csv.to_json(relative_path_name.replace('csv', 'json'), orient='records', lines=True) clean_csv.to_csv(relative_path_name, index=False) record_meta = ( 
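Review bot: `dataframe.drop('cvss_temporal_vector', axis=1, inplace=True)` raises KeyError when a report lacks that column, which aborts processing of the whole scan instead of just skipping the field; `dataframe.drop('cvss_temporal_vector', axis=1, inplace=True, errors='ignore')` keeps the intent without the failure mode. A one-line comment on why this column is dropped while the other Qualys fields are renamed would also help the next reader. The enclosing method continues outside the hunk.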
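Review bot: `relative_path_name.replace('csv', 'json')` substitutes every occurrence of `csv` in the path, including any inside the folder or scan name that `file_name` is built from, not only the extension; `os.path.splitext(relative_path_name)[0] + '.json'` limits the change to the suffix. `scan_name.encode('utf8')` also assumes `scan_name` is already a unicode object — on a Python 2 byte string holding non-ASCII bytes it raises UnicodeDecodeError — so that assumption deserves a comment where the value is set. The enclosing method continues outside the hunk.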
@@ -608,8 +611,8 @@ class vulnWhispererQualys(vulnWhispererBase): vuln_ready = self.qualys_scan.process_data(path=self.write_path, file_id=str(generated_report_id)) - vuln_ready['scan_name'] = scan_name - vuln_ready['scan_reference'] = scan_reference + vuln_ready['scan_name'] = scan_name.encode('utf8') + vuln_ready['scan_id'] = scan_reference # Map and transform fields vuln_ready = self.qualys_scan.normalise(vuln_ready) # TODO remove the line below once normalising complete @@ -775,8 +778,8 @@ class vulnWhispererOpenVAS(vulnWhispererBase): else: vuln_ready = self.openvas_api.process_report(report_id=report_id) - vuln_ready['scan_name'] = scan_name - vuln_ready['scan_reference'] = report_id + vuln_ready['scan_name'] = scan_name.encode('utf8') + vuln_ready['scan_id'] = report_id vuln_ready.rename(columns=self.COLUMN_MAPPING, inplace=True) vuln_ready.port = vuln_ready.port.fillna(0).astype(int) vuln_ready.fillna('', inplace=True) @@ -873,7 +876,7 @@ class vulnWhispererQualysVuln(vulnWhispererBase): try: self.logger.info('Processing report ID: {}'.format(report_id)) vuln_ready = self.qualys_scan.process_data(scan_id=report_id) - vuln_ready['scan_name'] = scan_name + vuln_ready['scan_name'] = scan_name.encode('utf8') vuln_ready['scan_reference'] = report_id # Map and transform fields vuln_ready = self.qualys_scan.normalise(vuln_ready) From 778a07535fac0bf362e84cf0ac466100c94e9016 Mon Sep 17 00:00:00 2001 From: pemontto Date: Thu, 11 Apr 2019 22:17:02 +1000 Subject: [PATCH 10/73] Fix scan_id field for all sources --- vulnwhisp/vulnwhisp.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/vulnwhisp/vulnwhisp.py b/vulnwhisp/vulnwhisp.py index 7a49f29..c84e3a4 100755 --- a/vulnwhisp/vulnwhisp.py +++ b/vulnwhisp/vulnwhisp.py 
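Review bot: The `scan_name`/`scan_id` stanza is now copied into the Nessus, Qualys, OpenVAS and Qualys VM paths (this hunk and the two that follow), and the copies already drift: the last hunk still writes `scan_reference` where the others write `scan_id`, which the next commit in the series has to correct. A small helper on `vulnWhispererBase`, e.g. `def _set_common_fields(self, df, scan_name, scan_id)`, called from each subclass would keep the field names and the encoding step in one place. Each enclosing method continues outside its hunk.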
@@ -446,7 +446,7 @@ class vulnWhispererNessus(vulnWhispererBase): clean_csv = self.nessus.normalise(clean_csv) clean_csv['scan_name'] = scan_name.encode('utf8') - clean_csv['scan_id'] = scan_id + clean_csv['scan_id'] = uuid clean_csv.to_json(relative_path_name.replace('csv', 'json'), orient='records', lines=True) clean_csv.to_csv(relative_path_name, index=False) @@ -612,7 +612,7 @@ class vulnWhispererQualys(vulnWhispererBase): vuln_ready = self.qualys_scan.process_data(path=self.write_path, file_id=str(generated_report_id)) vuln_ready['scan_name'] = scan_name.encode('utf8') - vuln_ready['scan_id'] = scan_reference + vuln_ready['scan_id'] = report_id # Map and transform fields vuln_ready = self.qualys_scan.normalise(vuln_ready) # TODO remove the line below once normalising complete @@ -877,7 +877,7 @@ class vulnWhispererQualysVuln(vulnWhispererBase): self.logger.info('Processing report ID: {}'.format(report_id)) vuln_ready = self.qualys_scan.process_data(scan_id=report_id) vuln_ready['scan_name'] = scan_name.encode('utf8') - vuln_ready['scan_reference'] = report_id + vuln_ready['scan_id'] = report_id # Map and transform fields vuln_ready = self.qualys_scan.normalise(vuln_ready) except Exception as e: From 496fd23121d46f2458fb87d826114485d4b26240 Mon Sep 17 00:00:00 2001 From: pemontto Date: Thu, 11 Apr 2019 22:22:58 +1000 Subject: [PATCH 11/73] Remove nessus csv completely --- .../docker/1000_nessus_process_file.conf | 42 ------------------ .../logstash/1000_nessus_process_file.conf | 42 ------------------ .../pipeline/1000_nessus_process_file.conf | 44 ------------------- vulnwhisp/vulnwhisp.py | 6 +-- 4 files changed, 3 insertions(+), 131 deletions(-) diff --git a/resources/elk5-old_compatibility/docker/1000_nessus_process_file.conf b/resources/elk5-old_compatibility/docker/1000_nessus_process_file.conf index fdf022b..13e6f6c 100644 --- a/resources/elk5-old_compatibility/docker/1000_nessus_process_file.conf 
+++ b/resources/elk5-old_compatibility/docker/1000_nessus_process_file.conf @@ -6,12 +6,6 @@ input { - file { - path => "/opt/VulnWhisperer/data/nessus/**/*.csv" - start_position => "beginning" - tags => "nessus" - type => "nessus" - } file { path => "/opt/VulnWhisperer/data/nessus/**/*.json" start_position => "beginning" @@ -19,12 +13,6 @@ input { type => "nessus" codec => json } - file { - path => "/opt/VulnWhisperer/data/tenable/*.csv" - start_position => "beginning" - tags => "tenable" - type => "tenable" - } file { path => "/opt/VulnWhisperer/data/tenable/*.json" start_position => "beginning" 
@@ -37,36 +25,6 @@ input { filter { if "nessus" in [tags] or "tenable" in [tags] { - if [path] =~ /\.csv$/ {} - # Drop the header column - if [message] =~ "^(Plugin ID|plugin_id,)" { drop {} } - - csv { - # columns => ["plugin_id", "cve", "cvss", "risk", "asset", "protocol", "port", "plugin_name", "synopsis", "description", "solution", "see_also", "plugin_output"] - columns => ["plugin_id", "cve", "cvss", "risk", "asset", "protocol", "port", "plugin_name", "synopsis", "description", "solution", "see_also", "plugin_output", "asset_uuid", "vulnerability_state", "ip", "fqdn", "netbios", "operating_system", "mac_address", "plugin_family", "cvss_base", "cvss_temporal", "cvss_temporal_vector", "cvss_vector", "cvss3_base", "cvss3_temporal", "cvss3_temporal_vector", "cvss3_vector", "system_type", "host_start", "host_end"] - separator => "," - source => "message" - } - - ruby { - code => "if event.get('description') - event.set('description', event.get('description').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr)) - end - if event.get('synopsis') - event.set('synopsis', event.get('synopsis').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr)) - end - if event.get('solution') - event.set('solution', event.get('solution').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr)) - end - if event.get('see_also') - event.set('see_also', event.get('see_also').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr)) - end - if event.get('plugin_output') - event.set('plugin_output', event.get('plugin_output').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr)) - end" - } - } - #If using filebeats as your source, you will need to replace the "path" field to "source" grok { match => { "path" => "(?[a-zA-Z0-9_.\-]+)_%{INT:scan_id}_%{INT:history_id}_%{INT:last_updated}.(csv|json)$" } diff --git a/resources/elk5-old_compatibility/logstash/1000_nessus_process_file.conf b/resources/elk5-old_compatibility/logstash/1000_nessus_process_file.conf index ffda45a..b1c4b1a 100644 
--- a/resources/elk5-old_compatibility/logstash/1000_nessus_process_file.conf +++ b/resources/elk5-old_compatibility/logstash/1000_nessus_process_file.conf @@ -6,12 +6,6 @@ input { - file { - path => "/opt/VulnWhisperer/data/nessus/**/*.csv" - start_position => "beginning" - tags => "nessus" - type => "nessus" - } file { path => "/opt/VulnWhisperer/data/nessus/**/*.json" start_position => "beginning" @@ -19,12 +13,6 @@ input { type => "nessus" codec => json } - file { - path => "/opt/VulnWhisperer/data/tenable/*.csv" - start_position => "beginning" - tags => "tenable" - type => "tenable" - } file { path => "/opt/VulnWhisperer/data/tenable/*.json" start_position => "beginning" 
@@ -37,36 +25,6 @@ input { filter { if "nessus" in [tags] or "tenable" in [tags] { - if [path] =~ /\.csv$/ {} - # Drop the header column - if [message] =~ "^(Plugin ID|plugin_id,)" { drop {} } - - csv { - # columns => ["plugin_id", "cve", "cvss", "risk", "asset", "protocol", "port", "plugin_name", "synopsis", "description", "solution", "see_also", "plugin_output"] - columns => ["plugin_id", "cve", "cvss", "risk", "asset", "protocol", "port", "plugin_name", "synopsis", "description", "solution", "see_also", "plugin_output", "asset_uuid", "vulnerability_state", "ip", "fqdn", "netbios", "operating_system", "mac_address", "plugin_family", "cvss_base", "cvss_temporal", "cvss_temporal_vector", "cvss_vector", "cvss3_base", "cvss3_temporal", "cvss3_temporal_vector", "cvss3_vector", "system_type", "host_start", "host_end"] - separator => "," - source => "message" - } - - ruby { - code => "if event.get('description') - event.set('description', event.get('description').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr)) - end - if event.get('synopsis') - event.set('synopsis', event.get('synopsis').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr)) - end - if event.get('solution') - event.set('solution', event.get('solution').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr)) - end - if event.get('see_also') - event.set('see_also', event.get('see_also').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr)) - end - if event.get('plugin_output') - event.set('plugin_output', event.get('plugin_output').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr)) - end" - } - } - #If using filebeats as your source, you will need to replace the "path" field to "source" grok { match => { "path" => "(?[a-zA-Z0-9_.\-]+)_%{INT:scan_id}_%{INT:history_id}_%{INT:last_updated}.(csv|json)$" } diff --git a/resources/elk6/pipeline/1000_nessus_process_file.conf b/resources/elk6/pipeline/1000_nessus_process_file.conf index 8f02757..041bf4a 100644 
--- a/resources/elk6/pipeline/1000_nessus_process_file.conf +++ b/resources/elk6/pipeline/1000_nessus_process_file.conf @@ -6,13 +6,6 @@ input { - file { - path => "/opt/vulnwhisperer/data/nessus/**/*.csv" - mode => "read" - start_position => "beginning" - file_completed_action => "delete" - tags => "nessus" - } file { path => "/opt/VulnWhisperer/data/nessus/**/*.json" start_position => "beginning" @@ -20,13 +13,6 @@ input { tags => "nessus" codec => json } - file { - path => "/opt/vulnwhisperer/data/tenable/*.csv" - mode => "read" - start_position => "beginning" - file_completed_action => "delete" - tags => "tenable" - } file { path => "/opt/VulnWhisperer/data/tenable/*.json" start_position => "beginning" 
@@ -39,36 +25,6 @@ input { filter { if "nessus" in [tags] or "tenable" in [tags] { - if [path] =~ /\.csv$/ {} - # Drop the header column - if [message] =~ "^(Plugin ID|plugin_id,)" { drop {} } - - csv { - # columns => ["plugin_id", "cve", "cvss", "risk", "asset", "protocol", "port", "plugin_name", "synopsis", "description", "solution", "see_also", "plugin_output"] - columns => ["plugin_id", "cve", "cvss", "risk", "asset", "protocol", "port", "plugin_name", "synopsis", "description", "solution", "see_also", "plugin_output", "asset_uuid", "vulnerability_state", "ip", "fqdn", "netbios", "operating_system", "mac_address", "plugin_family", "cvss_base", "cvss_temporal", "cvss_temporal_vector", "cvss_vector", "cvss3_base", "cvss3_temporal", "cvss3_temporal_vector", "cvss3_vector", "system_type", "host_start", "host_end"] - separator => "," - source => "message" - } - - ruby { - code => "if event.get('description') - event.set('description', event.get('description').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr)) - end - if event.get('synopsis') - event.set('synopsis', event.get('synopsis').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr)) - end - if event.get('solution') - event.set('solution', event.get('solution').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr)) - end - if event.get('see_also') - event.set('see_also', event.get('see_also').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr)) - end - if event.get('plugin_output') - event.set('plugin_output', event.get('plugin_output').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr)) - end" - } - } - #If using filebeats as your source, you will need to replace the "path" field to "source" grok { match => { "path" => "(?[a-zA-Z0-9_.\-]+)_%{INT:scan_id}_%{INT:history_id}_%{INT:last_updated}.(csv|json)$" } diff --git a/vulnwhisp/vulnwhisp.py b/vulnwhisp/vulnwhisp.py index c84e3a4..bf85f42 100755 --- a/vulnwhisp/vulnwhisp.py +++ b/vulnwhisp/vulnwhisp.py 
@@ -406,7 +406,7 @@ class vulnWhispererNessus(vulnWhispererBase): folder_name = next(f['name'] for f in folders if f['id'] == folder_id) if status in ['completed', 'imported']: file_name = '%s_%s_%s_%s.%s' % (scan_name, scan_id, - history_id, norm_time, 'csv') + history_id, norm_time, 'json') repls = (('\\', '_'), ('/', '_'), (' ', '_')) file_name = reduce(lambda a, kv: a.replace(*kv), repls, file_name) relative_path_name = self.path_check(folder_name + '/' + file_name) @@ -448,8 +448,8 @@ class vulnWhispererNessus(vulnWhispererBase): clean_csv['scan_name'] = scan_name.encode('utf8') clean_csv['scan_id'] = uuid - clean_csv.to_json(relative_path_name.replace('csv', 'json'), orient='records', lines=True) - clean_csv.to_csv(relative_path_name, index=False) + clean_csv.to_json(relative_path_name, orient='records', lines=True) + record_meta = ( scan_name, scan_id, From ad184689f8507e5abb9e3711300598d68afa75d2 Mon Sep 17 00:00:00 2001 From: pemontto Date: Thu, 11 Apr 2019 23:18:42 +1000 Subject: [PATCH 12/73] map more qualys_vuln fields --- vulnwhisp/frameworks/qualys_vuln.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/vulnwhisp/frameworks/qualys_vuln.py b/vulnwhisp/frameworks/qualys_vuln.py index 3eac54f..7f477e5 100644 --- a/vulnwhisp/frameworks/qualys_vuln.py +++ b/vulnwhisp/frameworks/qualys_vuln.py @@ -86,6 +86,8 @@ class qualysVulnScan: 'ip_status': 'state', 'os': 'operating_system', 'qid': 'plugin_id', + 'results': 'plugin_output', + 'threat': 'description', 'title': 'plugin_name' } From bd1430ebbf105ed4faf2d77ce28a3d053a03eeaa Mon Sep 17 00:00:00 2001 From: pemontto Date: Fri, 12 Apr 2019 00:40:26 +1000 Subject: [PATCH 13/73] test updates --- .travis.yml | 10 +++++----- vulnwhisp/test/mock.py | 2 +- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.travis.yml b/.travis.yml index c412177..b0244f5 100644 --- a/.travis.yml +++ b/.travis.yml 
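Review bot: With the extension switched to `.json`, scans previously exported as `.csv` no longer satisfy the `os.path.isfile(relative_path_name)` check further down this method, so any deduplication that relied on the file existing is bypassed once for those scans (the uuid-based filtering via `self.uuids` is unaffected); a comment noting that a one-off re-export is expected after upgrading would save a support question. The variable is also still called `clean_csv` although it is now only written with `to_json`, so a rename such as `clean_findings` would match what the code does. The enclosing method continues outside both hunks.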
@@ -22,21 +22,21 @@ script: - python setup.py install # Test successful scan download and parsing - rm -rf /tmp/VulnWhisperer - - vuln_whisperer -c configs/test.ini --mock --mock_dir ${TEST_PATH} + - vuln_whisperer -F -c configs/test.ini --mock --mock_dir ${TEST_PATH} # Test one failed scan - rm -rf /tmp/VulnWhisperer - rm -f ${TEST_PATH}/nessus/GET_scans_exports_164_download - - vuln_whisperer -c configs/test.ini --mock --mock_dir ${TEST_PATH}; [[ $? -eq 1 ]] + - vuln_whisperer -F -c configs/test.ini --mock --mock_dir ${TEST_PATH}; [[ $? -eq 1 ]] # Test two failed scans - rm -rf /tmp/VulnWhisperer - rm -f ${TEST_PATH}/qualys_vuln/scan_1553941061.87241 - - vuln_whisperer -c configs/test.ini --mock --mock_dir ${TEST_PATH}; [[ $? -eq 2 ]] + - vuln_whisperer -F -c configs/test.ini --mock --mock_dir ${TEST_PATH}; [[ $? -eq 2 ]] # Test only nessus - rm -rf /tmp/VulnWhisperer - - vuln_whisperer -c configs/test.ini -s nessus --mock --mock_dir ${TEST_PATH}; [[ $? -eq 1 ]] + - vuln_whisperer -F -c configs/test.ini -s nessus --mock --mock_dir ${TEST_PATH}; [[ $? -eq 1 ]] # Test only qualy_vuln - rm -rf /tmp/VulnWhisperer - - vuln_whisperer -c configs/test.ini -s qualys_vuln --mock --mock_dir ${TEST_PATH}; [[ $? -eq 1 ]] + - vuln_whisperer -F -c configs/test.ini -s qualys_vuln --mock --mock_dir ${TEST_PATH}; [[ $? -eq 1 ]] notifications: on_success: change on_failure: change # `always` will be the setting once code changes slow down diff --git a/vulnwhisp/test/mock.py b/vulnwhisp/test/mock.py index 5d48729..8af8cbc 100644 --- a/vulnwhisp/test/mock.py +++ b/vulnwhisp/test/mock.py @@ -16,7 +16,7 @@ class mockAPI(object): self.logger.setLevel(logging.DEBUG) self.logger.info('mockAPI initialised, API requests will be mocked') - self.logger.debug('Test path resolved as {}'.format(self.mock_dir)) + self.logger.info('Test path resolved as {}'.format(self.mock_dir)) def get_directories(self, path): dir, subdirs, files = next(os.walk(path)) 
From 5b45da69a8f9b42c4dec78ef7c973de287b8a98f Mon Sep 17 00:00:00 2001 From: pemontto Date: Fri, 12 Apr 2019 01:49:15 +1000 Subject: [PATCH 14/73] Add @timestamps to findings, map more fields --- vulnwhisp/frameworks/nessus.py | 1 + vulnwhisp/frameworks/qualys_vuln.py | 1 + vulnwhisp/vulnwhisp.py | 65 ++++++++++++++++++++--------- 3 files changed, 47 insertions(+), 20 deletions(-) diff --git a/vulnwhisp/frameworks/nessus.py b/vulnwhisp/frameworks/nessus.py index 9899de6..d1aab69 100755 --- a/vulnwhisp/frameworks/nessus.py +++ b/vulnwhisp/frameworks/nessus.py @@ -35,6 +35,7 @@ class NessusAPI(object): 'host': 'asset', 'name': 'plugin_name', 'os': 'operating_system', + 'see also': 'exploitability', 'system type': 'category', 'vulnerability state': 'state' } diff --git a/vulnwhisp/frameworks/qualys_vuln.py b/vulnwhisp/frameworks/qualys_vuln.py index 7f477e5..38e12a8 100644 --- a/vulnwhisp/frameworks/qualys_vuln.py +++ b/vulnwhisp/frameworks/qualys_vuln.py @@ -83,6 +83,7 @@ class qualysVulnScan: 'cve_id': 'cve', 'cvss_base': 'cvss', 'cvss3_base': 'cvss3', + 'impact': 'synopsis', 'ip_status': 'state', 'os': 'operating_system', 'qid': 'plugin_id', diff --git a/vulnwhisp/vulnwhisp.py b/vulnwhisp/vulnwhisp.py index bf85f42..c6d9eed 100755 --- a/vulnwhisp/vulnwhisp.py +++ b/vulnwhisp/vulnwhisp.py 
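Review bot: Mapping the Nessus `see also` column to `exploitability` looks like a mislabel: `see also` carries reference links in Nessus exports and the pipeline's own column list in this series names that field `see_also`, whereas `exploitability` reads as an exploit-availability attribute. If the rename is deliberate, a comment on the mapping line saying which downstream field consumes it would stop the next reader from "fixing" it; otherwise `'see also': 'see_also'` is the expected entry. The `COLUMN_MAPPING` dictionary starts outside the hunk.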
@@ -326,13 +326,13 @@ class vulnWhispererNessus(vulnWhispererBase): record['uuid'] = h.get('uuid', '') record['status'] = h.get('status', '') record['history_id'] = h.get('history_id', '') - record['last_modification_date'] = \ - h.get('last_modification_date', '') - record['norm_time'] = \ - self.nessus.get_utc_from_local(int(record['last_modification_date' - ]), - local_tz=self.nessus.tz_conv(record['timezone' - ])) + record["last_modification_date"] = h.get( + "last_modification_date", "" + ) + record["norm_time"] = self.nessus.get_utc_from_local( + int(record["last_modification_date"]), + local_tz=self.nessus.tz_conv(record["timezone"]), + ) scan_records.append(record.copy()) except Exception as e: # Generates error each time nonetype is encountered. @@ -350,14 +350,20 @@ class vulnWhispererNessus(vulnWhispererBase): scans = scan_data['scans'] if scan_data['scans'] else [] all_scans = self.scan_count(scans) if self.uuids: - scan_list = [scan for scan in all_scans if scan['uuid'] - not in self.uuids and scan['status'] in ['completed', 'imported']] + scan_list = [ + scan + for scan in all_scans + if scan["uuid"] not in self.uuids + and scan["status"] in ["completed", "imported"] + ] else: scan_list = all_scans - self.logger.info('Identified {new} scans to be processed'.format(new=len(scan_list))) + self.logger.info( + "Identified {new} scans to be processed".format(new=len(scan_list)) + ) if not scan_list: - self.logger.warn('No new scans to process. Exiting...') + self.logger.warn("No new scans to process. Exiting...") return self.exit_code # Create scan subfolders 
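Review bot: The reformatted lines switch to double-quoted strings and formatter-style wrapping while the rest of this module, including the lines added in the next hunk (`clean_csv['scan_name']`), keeps single quotes, so one file now mixes two styles; either run the formatter over the whole file in its own commit or keep the local style in these hunks. `self.logger.warn(...)` is also a deprecated alias in Python 3 and should be `self.logger.warning(...)`. Both enclosing methods start and end outside the hunks.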
@@ -445,9 +451,13 @@ class vulnWhispererNessus(vulnWhispererBase): # Map and transform fields clean_csv = self.nessus.normalise(clean_csv) + # Set common fields clean_csv['scan_name'] = scan_name.encode('utf8') clean_csv['scan_id'] = uuid + # Add @timestamp and convert to milliseconds + clean_csv['@timestamp'] = int(norm_time) * 1000 + clean_csv.to_json(relative_path_name, orient='records', lines=True) record_meta = ( @@ -610,14 +620,17 @@ class vulnWhispererQualys(vulnWhispererBase): self.logger.info('New Report ID: {}'.format(generated_report_id)) vuln_ready = self.qualys_scan.process_data(path=self.write_path, file_id=str(generated_report_id)) - - vuln_ready['scan_name'] = scan_name.encode('utf8') - vuln_ready['scan_id'] = report_id # Map and transform fields vuln_ready = self.qualys_scan.normalise(vuln_ready) # TODO remove the line below once normalising complete vuln_ready.rename(columns=self.COLUMN_MAPPING, inplace=True) + # Set common fields + vuln_ready['scan_name'] = scan_name.encode('utf8') + vuln_ready['scan_id'] = report_id + # Add @timestamp and convert to milliseconds + vuln_ready['@timestamp'] = int(launched_date) * 1000 + record_meta = ( scan_name, scan_reference, 
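Review bot: `int(launched_date) * 1000` raises ValueError if `launched_date` is anything other than a plain integer string; the Qualys scan references in this series' `.travis.yml` are float-formatted epochs, so it is worth confirming that `launched_date` is integral, and `int(float(launched_date)) * 1000` accepts both forms. A comment stating that `launched_date` is an epoch in seconds and that `@timestamp` is written in milliseconds would document the assumption the `* 1000` relies on. The same expression is repeated in the OpenVAS and Qualys VM hunks that follow; each enclosing method continues outside its hunk.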
@@ -778,13 +791,19 @@ class vulnWhispererOpenVAS(vulnWhispererBase): else: vuln_ready = self.openvas_api.process_report(report_id=report_id) - vuln_ready['scan_name'] = scan_name.encode('utf8') - vuln_ready['scan_id'] = report_id + # Map and transform fields + vuln_ready = self.openvas_api.normalise(vuln_ready) + # TODO move the following to the openvas_api.transform_values vuln_ready.rename(columns=self.COLUMN_MAPPING, inplace=True) vuln_ready.port = vuln_ready.port.fillna(0).astype(int) vuln_ready.fillna('', inplace=True) - # Map and transform fields - vuln_ready = self.openvas_api.normalise(vuln_ready) + + # Set common fields + vuln_ready['scan_name'] = scan_name.encode('utf8') + vuln_ready['scan_id'] = report_id + # Add @timestamp and convert to milliseconds + vuln_ready['@timestamp'] = int(launched_date) * 1000 + vuln_ready.to_json(relative_path_name, orient='records', lines=True) self.logger.info('Report written to {}'.format(report_name)) @@ -876,10 +895,16 @@ class vulnWhispererQualysVuln(vulnWhispererBase): try: self.logger.info('Processing report ID: {}'.format(report_id)) vuln_ready = self.qualys_scan.process_data(scan_id=report_id) - vuln_ready['scan_name'] = scan_name.encode('utf8') - vuln_ready['scan_id'] = report_id # Map and transform fields vuln_ready = self.qualys_scan.normalise(vuln_ready) + + # Set common fields + vuln_ready['scan_name'] = scan_name.encode('utf8') + vuln_ready['scan_id'] = report_id + + # Add @timestamp and convert to milliseconds + vuln_ready['@timestamp'] = int(launched_date) * 1000 + except Exception as e: self.logger.error('Could not process {}: {}'.format(report_id, str(e))) self.exit_code += 1 From edbae986b36ac93e9123419a4264bc840c8ba372 Mon Sep 17 00:00:00 2001 From: pemontto Date: Fri, 12 Apr 2019 11:39:49 +1000 Subject: [PATCH 15/73] Remove deps from docker image --- Dockerfile | 3 --- 1 file changed, 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index 64d75a8..606e6a1 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -13,14 +13,11 @@ COPY requirements.txt requirements.txt COPY setup.py setup.py COPY vulnwhisp/ vulnwhisp/ COPY bin/ bin/ -COPY deps/ deps/ COPY configs/frameworks_example.ini frameworks_example.ini RUN python setup.py clean --all RUN pip install -r requirements.txt -WORKDIR /opt/VulnWhisperer/deps/qualysapi -RUN python setup.py install WORKDIR /opt/VulnWhisperer RUN python setup.py install From 952c934b9cdb7a012788951dc0f66dd5b6951367 Mon Sep 17 00:00:00 2001 From: pemontto Date: Fri, 12 Apr 2019 11:40:01 +1000 Subject: [PATCH 16/73] Fix more unicode issues --- vulnwhisp/vulnwhisp.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/vulnwhisp/vulnwhisp.py b/vulnwhisp/vulnwhisp.py index c6d9eed..42c27cd 100755 --- a/vulnwhisp/vulnwhisp.py +++ b/vulnwhisp/vulnwhisp.py @@ -415,7 +415,7 @@ class vulnWhispererNessus(vulnWhispererBase): history_id, norm_time, 'json') repls = (('\\', '_'), ('/', '_'), (' ', '_')) file_name = reduce(lambda a, kv: a.replace(*kv), repls, file_name) - relative_path_name = self.path_check(folder_name + '/' + file_name) + relative_path_name = self.path_check(folder_name + '/' + file_name).encode('utf8') if os.path.isfile(relative_path_name): if self.develop: @@ -590,7 +590,7 @@ class vulnWhispererQualys(vulnWhispererBase): + '_{last_updated}'.format(last_updated=launched_date) \ + '.{extension}'.format(extension=output_format) - relative_path_name = self.path_check(report_name) + relative_path_name = self.path_check(report_name).encode('utf8') if os.path.isfile(relative_path_name): #TODO Possibly make this optional to sync directories 
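Review bot: `self.path_check(...).encode('utf8')` assumes `path_check` returns a unicode object; under Python 2 a byte `str` with non-ASCII bytes is implicitly decoded as ASCII first and raises UnicodeDecodeError, and under Python 3 the result becomes `bytes`, which the `to_json` call later in the method may not accept as a path. Normalising the type once inside `path_check`, with a comment on what it returns, would keep a single type flowing through `os.path.isfile` and `to_json` instead of encoding at four call sites. The same change appears in the OpenVAS and Qualys VM hunks below; the enclosing methods continue outside the hunks.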
@@ -756,7 +756,7 @@ class vulnWhispererOpenVAS(vulnWhispererBase): report_name = 'openvas_scan_{scan_name}_{last_updated}.{extension}'.format(scan_name=scan_name, last_updated=launched_date, extension=output_format) - relative_path_name = self.path_check(report_name) + relative_path_name = self.path_check(report_name).encode('utf8') scan_reference = report_id if os.path.isfile(relative_path_name): @@ -871,7 +871,7 @@ class vulnWhispererQualysVuln(vulnWhispererBase): + '_{last_updated}'.format(last_updated=launched_date) \ + '.{extension}'.format(extension=output_format) - relative_path_name = self.path_check(report_name) + relative_path_name = self.path_check(report_name).encode('utf8') if os.path.isfile(relative_path_name): #TODO Possibly make this optional to sync directories From 367930c5c8752ad2add6c638207df0acbbd64745 Mon Sep 17 00:00:00 2001 From: pemontto Date: Fri, 12 Apr 2019 11:44:04 +1000 Subject: [PATCH 17/73] Add extra test case --- .travis.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.travis.yml b/.travis.yml index b0244f5..be03ccc 100644 --- a/.travis.yml +++ b/.travis.yml @@ -23,6 +23,8 @@ script: # Test successful scan download and parsing - rm -rf /tmp/VulnWhisperer - vuln_whisperer -F -c configs/test.ini --mock --mock_dir ${TEST_PATH} + # Run a second time with no scans to import + - vuln_whisperer -F -c configs/test.ini --mock --mock_dir ${TEST_PATH} # Test one failed scan - rm -rf /tmp/VulnWhisperer - rm -f ${TEST_PATH}/nessus/GET_scans_exports_164_download From 71c090d0f3a24edaa92917de36789f640dd23283 Mon Sep 17 00:00:00 2001 From: pemontto Date: Fri, 12 Apr 2019 17:51:15 +1000 Subject: [PATCH 18/73] reduce docker layers and support test data --- Dockerfile | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/Dockerfile b/Dockerfile index 606e6a1..a2806ee 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -2,10 +2,10 @@ FROM centos:latest MAINTAINER Justin Henderson justin@hasecuritysolutions.com -RUN yum update -y -RUN yum install -y python python-devel git gcc -RUN curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py -RUN python get-pip.py +RUN yum update -y && \ + yum install -y python python-devel git gcc && \ + curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py && \ + python get-pip.py WORKDIR /opt/VulnWhisperer @@ -15,12 +15,13 @@ COPY vulnwhisp/ vulnwhisp/ COPY bin/ bin/ COPY configs/frameworks_example.ini frameworks_example.ini -RUN python setup.py clean --all -RUN pip install -r requirements.txt +RUN python setup.py clean --all && \ + pip install -r requirements.txt WORKDIR /opt/VulnWhisperer -RUN python setup.py install +RUN python setup.py install && \ + ln -s /opt/VulnWhisperer /tmp/VulnWhisperer CMD vuln_whisperer -c /opt/VulnWhisperer/frameworks_example.ini From 603050e7b3ce54697109c3b328b8e1e2af2c976f Mon Sep 17 00:00:00 2001 From: pemontto Date: Fri, 12 Apr 2019 17:54:17 +1000 Subject: [PATCH 19/73] cherry pick #0227636 --- docker-compose-test.yml | 94 +++++++++++++++++++ docker-compose.v6.yml | 10 +- .../logstash/2000_qualys_web_scans.conf | 2 +- .../logstash/3000_openvas.conf | 2 +- .../logstash/4000_jira.conf | 2 +- .../pipeline/1000_nessus_process_file.conf | 5 + .../elk6/pipeline/2000_qualys_web_scans.conf | 7 +- resources/elk6/pipeline/3000_openvas.conf | 7 +- resources/elk6/pipeline/4000_jira.conf | 2 +- resources/elk6/vulnwhisperer.ini | 26 ++--- 10 files changed, 133 insertions(+), 24 deletions(-) create mode 100644 docker-compose-test.yml diff --git a/docker-compose-test.yml b/docker-compose-test.yml new file mode 100644 index 0000000..89e3ee4 --- /dev/null +++ b/docker-compose-test.yml 
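Review bot: The chained `RUN` still fetches `get-pip.py` over the network at build time without pinning or verifying it, leaves the script in the image, and builds on the unpinned `centos:latest`, so the image is neither reproducible nor free of unverified content. Appending `&& rm -f get-pip.py && yum clean all` to the first `RUN` removes the script and the update cache from the layer, which also serves this commit's goal of smaller layers, and pinning the base tag plus checking the script's digest against an expected value (`<expected-sha256>` as a placeholder) makes the build verifiable. The `ln -s /opt/VulnWhisperer /tmp/VulnWhisperer` in the second hunk deserves a comment saying it exists so `configs/test.ini` paths resolve inside the image.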
@@ -0,0 +1,94 @@ +version: '2' +services: + elasticsearch: + image: docker.elastic.co/elasticsearch/elasticsearch:6.6.0 + container_name: elasticsearch + environment: + - cluster.name=vulnwhisperer + - bootstrap.memory_lock=true + - "ES_JAVA_OPTS=-Xms1g -Xmx1g" + - xpack.security.enabled=false + - cluster.routing.allocation.disk.threshold_enabled=false + ulimits: + memlock: + soft: -1 + hard: -1 + nofile: + soft: 65536 + hard: 65536 + mem_limit: 8g + volumes: + - ./docker_data/esdata1:/usr/share/elasticsearch/data + ports: + - 9200:9200 + #restart: always + networks: + esnet: + aliases: + - elasticsearch.local + + kibana: + image: docker.elastic.co/kibana/kibana:6.6.0 + container_name: kibana + environment: + SERVER_NAME: kibana + ELASTICSEARCH_URL: http://elasticsearch:9200 + ports: + - 5601:5601 + depends_on: + - elasticsearch + # volumes: + # - ./kibana-data: + networks: + esnet: + aliases: + - kibana.local + + kibana-config: + image: alpine + container_name: kibana-config + volumes: + - ./resources/elk6/init_kibana.sh:/opt/init_kibana.sh + - ./resources/elk6/kibana_APIonly.json:/opt/kibana_APIonly.json + - ./docker_data/kibana_optimize:/usr/share/kibana/optimize + command: sh -c "apk add --no-cache curl bash && chmod +x /opt/init_kibana.sh && chmod +r /opt/kibana_APIonly.json && cd /opt/ && /bin/bash /opt/init_kibana.sh" # /opt/kibana_APIonly.json" + networks: + esnet: + aliases: + - kibana-config.local + + logstash: + image: docker.elastic.co/logstash/logstash:6.6.0 + container_name: logstash + volumes: + - ./resources/elk6/pipeline/:/usr/share/logstash/pipeline + - ./docker_data/data/:/opt/VulnWhisperer/data + - ./resources/elk6/logstash.yml:/usr/share/logstash/config/logstash.yml + environment: + - xpack.monitoring.enabled=false + depends_on: + - elasticsearch + networks: + esnet: + aliases: + - logstash.local + vulnwhisperer: + image: vulnwhisperer-1.8 + container_name: vulnwhisperer + entrypoint: [ + "vuln_whisperer", + "-c", + 
"/opt/VulnWhisperer/vulnwhisperer.ini", + "--mock", + "--mock_dir", + "/tests/data" + ] + volumes: + # - /opt/VulnWhisperer/data/:/opt/VulnWhisperer/data + - ./docker_data/data/:/opt/VulnWhisperer/data + - ./configs/test.ini:/opt/VulnWhisperer/vulnwhisperer.ini + - ./tests/data/:/tests/data + network_mode: host + +networks: + esnet: diff --git a/docker-compose.v6.yml b/docker-compose.v6.yml index b5a833e..f53aa0c 100644 --- a/docker-compose.v6.yml +++ b/docker-compose.v6.yml @@ -56,7 +56,7 @@ services: container_name: logstash volumes: - ./resources/elk6/pipeline/:/usr/share/logstash/pipeline - - ./data/:/opt/vulnwhisperer/data + - ./data/:/opt/VulnWhisperer/data #- ./resources/elk6/logstash.yml:/usr/share/logstash/config/logstash.yml environment: - xpack.monitoring.enabled=false @@ -72,12 +72,12 @@ services: entrypoint: [ "vuln_whisperer", "-c", - "/opt/vulnwhisperer/vulnwhisperer.ini" + "/opt/VulnWhisperer/vulnwhisperer.ini" ] volumes: - - /opt/vulnwhisperer/data/:/opt/vulnwhisperer/data - - ./data/:/opt/vulnwhisperer/data - - ./resources/elk6/vulnwhisperer.ini:/opt/vulnwhisperer/vulnwhisperer.ini + - /opt/VulnWhisperer/data/:/opt/VulnWhisperer/data + - ./data/:/opt/VulnWhisperer/data + - ./resources/elk6/vulnwhisperer.ini:/opt/VulnWhisperer/vulnwhisperer.ini network_mode: host volumes: esdata1: diff --git a/resources/elk5-old_compatibility/logstash/2000_qualys_web_scans.conf b/resources/elk5-old_compatibility/logstash/2000_qualys_web_scans.conf index 504de84..fe98ef8 100644 --- a/resources/elk5-old_compatibility/logstash/2000_qualys_web_scans.conf +++ b/resources/elk5-old_compatibility/logstash/2000_qualys_web_scans.conf 
@@ -6,7 +6,7 @@ input { file { - path => [ "/opt/vulnwhisperer/data/qualys/*.json" , "/opt/vulnwhisperer/data/qualys_web/*.json", "/opt/vulnwhisperer/data/qualys_vuln/*.json" ] + path => [ "/opt/VulnWhisperer/data/qualys/*.json" , "/opt/VulnWhisperer/data/qualys_web/*.json", "/opt/VulnWhisperer/data/qualys_vuln/*.json" ] type => json codec => json start_position => "beginning" diff --git a/resources/elk5-old_compatibility/logstash/3000_openvas.conf b/resources/elk5-old_compatibility/logstash/3000_openvas.conf index f560731..32e889c 100644 --- a/resources/elk5-old_compatibility/logstash/3000_openvas.conf +++ b/resources/elk5-old_compatibility/logstash/3000_openvas.conf @@ -6,7 +6,7 @@ input { file { - path => "/opt/vulnwhisperer/openvas/*.json" + path => "/opt/VulnWhisperer/openvas/*.json" type => json codec => json start_position => "beginning" diff --git a/resources/elk5-old_compatibility/logstash/4000_jira.conf b/resources/elk5-old_compatibility/logstash/4000_jira.conf index e4106c7..03a0b04 100644 --- a/resources/elk5-old_compatibility/logstash/4000_jira.conf +++ b/resources/elk5-old_compatibility/logstash/4000_jira.conf @@ -2,7 +2,7 @@ input { file { - path => "/opt/vulnwhisperer/jira/*.json" + path => "/opt/VulnWhisperer/jira/*.json" type => json codec => json start_position => "beginning" diff --git a/resources/elk6/pipeline/1000_nessus_process_file.conf b/resources/elk6/pipeline/1000_nessus_process_file.conf index 041bf4a..3bcc83d 100644 --- a/resources/elk6/pipeline/1000_nessus_process_file.conf +++ b/resources/elk6/pipeline/1000_nessus_process_file.conf 
@@ -26,11 +26,13 @@ filter { if "nessus" in [tags] or "tenable" in [tags] { #If using filebeats as your source, you will need to replace the "path" field to "source" + # Remove when scan name is included in event (current method is error prone) grok { match => { "path" => "(?[a-zA-Z0-9_.\-]+)_%{INT:scan_id}_%{INT:history_id}_%{INT:last_updated}.(csv|json)$" } tag_on_failure => [] } + # TODO remove when @timestamp is included in event date { match => [ "last_updated", "UNIX" ] target => "@timestamp" @@ -142,6 +144,9 @@ filter { output { if "nessus" in [tags] or "tenable" in [tags]{ + stdout { + codec => dots + } elasticsearch { hosts => [ "elasticsearch:9200" ] index => "logstash-vulnwhisperer-%{+YYYY.MM}" diff --git a/resources/elk6/pipeline/2000_qualys_web_scans.conf b/resources/elk6/pipeline/2000_qualys_web_scans.conf index fbf83ee..7c207c7 100644 --- a/resources/elk6/pipeline/2000_qualys_web_scans.conf +++ b/resources/elk6/pipeline/2000_qualys_web_scans.conf @@ -6,7 +6,7 @@ input { file { - path => [ "/opt/vulnwhisperer/data/qualys/*.json" , "/opt/vulnwhisperer/data/qualys_web/*.json", "/opt/vulnwhisperer/data/qualys_vuln/*.json"] + path => [ "/opt/VulnWhisperer/data/qualys/*.json" , "/opt/VulnWhisperer/data/qualys_web/*.json", "/opt/VulnWhisperer/data/qualys_vuln/*.json"] type => json codec => json start_position => "beginning" @@ -98,6 +98,8 @@ filter { target => "last_time_tested" } } + + # TODO remove when @timestamp is included in event date { match => [ "last_updated", "UNIX" ] target => "@timestamp" @@ -147,6 +149,9 @@ filter { } output { if "qualys" in [tags] { + stdout { + codec => dots + } elasticsearch { hosts => [ "elasticsearch:9200" ] index => "logstash-vulnwhisperer-%{+YYYY.MM}" diff --git a/resources/elk6/pipeline/3000_openvas.conf b/resources/elk6/pipeline/3000_openvas.conf index 5fcc56c..4a96ca3 100644 --- a/resources/elk6/pipeline/3000_openvas.conf +++ b/resources/elk6/pipeline/3000_openvas.conf 
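Review bot: The new `stdout { codec => dots }` output in the nessus pipeline (and the same addition in `2000_qualys_web_scans.conf` here and `3000_openvas.conf` on the next line) writes one character per event to the Logstash process output in every deployment that ships these files, not just the test compose. If it is meant as a progress indicator during testing, a comment saying so would stop it being mistaken for a required output, e.g. `# debug progress indicator: one dot per event on stdout; remove in production`. The `# Remove when scan name is included in event (current method is error prone)` comment would be more useful if it said what is error prone about the path-based grok, since `tag_on_failure => []` on the following line makes a miss silent.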
@@ -6,7 +6,7 @@ input { file { - path => "/opt/vulnwhisperer/data/openvas/*.json" + path => "/opt/VulnWhisperer/data/openvas/*.json" type => json codec => json start_position => "beginning" @@ -92,6 +92,8 @@ filter { target => "last_time_tested" } } + + # TODO remove when @timestamp is included in event date { match => [ "last_updated", "UNIX" ] target => "@timestamp" @@ -141,6 +143,9 @@ filter { } output { if "openvas" in [tags] { + stdout { + codec => dots + } elasticsearch { hosts => [ "elasticsearch:9200" ] index => "logstash-vulnwhisperer-%{+YYYY.MM}" diff --git a/resources/elk6/pipeline/4000_jira.conf b/resources/elk6/pipeline/4000_jira.conf index 83030cc..47d978c 100644 --- a/resources/elk6/pipeline/4000_jira.conf +++ b/resources/elk6/pipeline/4000_jira.conf @@ -2,7 +2,7 @@ input { file { - path => "/opt/vulnwhisperer/data/jira/*.json" + path => "/opt/VulnWhisperer/data/jira/*.json" type => json codec => json start_position => "beginning" diff --git a/resources/elk6/vulnwhisperer.ini b/resources/elk6/vulnwhisperer.ini index 2b92761..2e8c687 100644 --- a/resources/elk6/vulnwhisperer.ini +++ b/resources/elk6/vulnwhisperer.ini @@ -4,8 +4,8 @@ hostname=localhost port=8834 username=nessus_username password=nessus_password -write_path=/opt/vulnwhisperer/data/nessus/ -db_path=/opt/vulnwhisperer/database +write_path=/opt/VulnWhisperer/data/nessus/ +db_path=/opt/VulnWhisperer/database trash=false verbose=true @@ -15,7 +15,7 @@ hostname=cloud.tenable.com port=443 username=tenable.io_username password=tenable.io_password -write_path=/opt/vulnwhisperer/data/tenable/ +write_path=/opt/VulnWhisperer/data/tenable/ db_path=/opt/VulnWhisperer/data/database trash=false verbose=true 
@@ -26,8 +26,8 @@ enabled = true hostname = qualysapi.qg2.apps.qualys.com username = exampleuser password = examplepass -write_path=/opt/vulnwhisperer/data/qualys/ -db_path=/opt/vulnwhisperer/data/database +write_path=/opt/VulnWhisperer/data/qualys/ +db_path=/opt/VulnWhisperer/data/database verbose=true # Set the maximum number of retries each connection should attempt. @@ -42,8 +42,8 @@ enabled = true hostname = qualysapi.qg2.apps.qualys.com username = exampleuser password = examplepass -write_path=/opt/vulnwhisperer/data/qualys/ -db_path=/opt/vulnwhisperer/data/database +write_path=/opt/VulnWhisperer/data/qualys/ +db_path=/opt/VulnWhisperer/data/database verbose=true # Set the maximum number of retries each connection should attempt. @@ -60,8 +60,8 @@ hostname = api.detectify.com username = exampleuser #password variable used as secretKey password = examplepass -write_path =/opt/vulnwhisperer/data/detectify/ -db_path = /opt/vulnwhisperer/data/database +write_path =/opt/VulnWhisperer/data/detectify/ +db_path = /opt/VulnWhisperer/data/database verbose = true [openvas] @@ -70,8 +70,8 @@ hostname = localhost port = 4000 username = exampleuser password = examplepass -write_path=/opt/vulnwhisperer/data/openvas/ -db_path=/opt/vulnwhisperer/data/database +write_path=/opt/VulnWhisperer/data/openvas/ +db_path=/opt/VulnWhisperer/data/database verbose=true #[proxy] @@ -92,8 +92,8 @@ verbose=true hostname = jira-host username = username password = password -write_path = /opt/vulnwhisperer/data/jira/ -db_path = /opt/vulnwhisperer/data/database +write_path = /opt/VulnWhisperer/data/jira/ +db_path = /opt/VulnWhisperer/data/database verbose = true dns_resolv = False From 275b89c94d4c4bb2cd44e3ef16942d46011c3e45 Mon Sep 17 00:00:00 2001 
From: pemontto Date: Mon, 15 Apr 2019 13:32:31 +1000 Subject: [PATCH 20/73] Create cvss score from base and temporal --- vulnwhisp/frameworks/nessus.py | 54 ++++++++++----------- vulnwhisp/frameworks/openvas.py | 16 +++--- vulnwhisp/frameworks/qualys_vuln.py | 75 +++++++++++++++-------------- vulnwhisp/frameworks/qualys_web.py | 16 +++--- 4 files changed, 81 insertions(+), 80 deletions(-) diff --git a/vulnwhisp/frameworks/nessus.py b/vulnwhisp/frameworks/nessus.py index d1aab69..a616659 100755 --- a/vulnwhisp/frameworks/nessus.py +++ b/vulnwhisp/frameworks/nessus.py @@ -25,10 +25,10 @@ class NessusAPI(object): EXPORT_HISTORY = EXPORT + '?history_id={history_id}' # All column mappings should be lowercase COLUMN_MAPPING = { - 'cvss base score': 'cvss', + 'cvss base score': 'cvss_base', 'cvss temporal score': 'cvss_temporal', 'cvss temporal vector': 'cvss_temporal_vector', - 'cvss3 base score': 'cvss3', + 'cvss3 base score': 'cvss3_base', 'cvss3 temporal score': 'cvss3_temporal', 'cvss3 temporal vector': 'cvss3_temporal_vector', 'fqdn': 'dns', 
@@ -188,64 +188,64 @@ class NessusAPI(object): 'None': 'US/Central'} return time_map.get(tz, None) - def normalise(self, dataframe): + def normalise(self, df): self.logger.debug('Normalising data') - self.map_fields(dataframe) - self.transform_values(dataframe) - return dataframe + df = self.map_fields(df) + df = self.transform_values(df) + return df - def map_fields(self, dataframe): + def map_fields(self, df): self.logger.debug('Mapping fields') - # Any specific mappings here if self.profile == 'tenable': # Prefer CVSS Base Score over CVSS for tenable self.logger.debug('Dropping redundant tenable fields') - dataframe.drop('CVSS', axis=1, inplace=True) - dataframe.drop('IP Address', axis=1, inplace=True) + df.drop('CVSS', axis=1, inplace=True) + df.drop('IP Address', axis=1, inplace=True) # Map fields from COLUMN_MAPPING - fields = [x.lower() for x in dataframe.columns] + fields = [x.lower() for x in df.columns] for field, replacement in self.COLUMN_MAPPING.iteritems(): if field in fields: self.logger.debug('Renaming "{}" to "{}"'.format(field, replacement)) fields[fields.index(field)] = replacement fields = [x.replace(' ', '_') for x in fields] - dataframe.columns = fields - - return dataframe + df.columns = fields + return df - def transform_values(self, dataframe): + def transform_values(self, df): self.logger.debug('Transforming values') # upper/lowercase fields self.logger.debug('Changing case of fields') - dataframe['cve'] = dataframe['cve'].str.upper() - dataframe['protocol'] = dataframe['protocol'].str.lower() + df['cve'] = df['cve'].str.upper() + df['protocol'] = df['protocol'].str.lower() # Copy asset to IP - dataframe['ip'] = dataframe['asset'] + df['ip'] = df['asset'] # Map risk to a SEVERITY MAPPING value self.logger.debug('Mapping risk to severity number') - dataframe['risk_number'] = dataframe['risk'].str.lower() - dataframe['risk_number'].replace(self.SEVERITY_MAPPING, inplace=True) + df['risk_number'] = df['risk'].str.lower() + 
df['risk_number'].replace(self.SEVERITY_MAPPING, inplace=True) if self.profile == 'tenable': self.logger.debug('Combinging CVSS vectors for tenable') # Combine CVSS vectors - dataframe['cvss_vector'] = ( - dataframe[['cvss_vector', 'cvss_temporal_vector']] + df['cvss_vector'] = ( + df[['cvss_vector', 'cvss_temporal_vector']] .apply(lambda x: '{}/{}'.format(x[0], x[1]), axis=1) .str.rstrip('/nan') ) - dataframe['cvss3_vector'] = ( - dataframe[['cvss3_vector', 'cvss3_temporal_vector']] + df['cvss3_vector'] = ( + df[['cvss3_vector', 'cvss3_temporal_vector']] .apply(lambda x: '{}/{}'.format(x[0], x[1]), axis=1) .str.rstrip('/nan') ) + # CVSS score = cvss_temporal if cvss_temporal else cvss_base + df['cvss'] = df['cvss_base'] + df.loc[df['cvss_temporal'].notnull(), 'cvss'] = df['cvss_temporal'] - dataframe.fillna('', inplace=True) - - return dataframe \ No newline at end of file + df.fillna('', inplace=True) + return df \ No newline at end of file diff --git a/vulnwhisp/frameworks/openvas.py b/vulnwhisp/frameworks/openvas.py index 5461629..6c63c4c 100644 --- a/vulnwhisp/frameworks/openvas.py +++ b/vulnwhisp/frameworks/openvas.py @@ -191,16 +191,16 @@ class OpenVAS_API(object): merged_df = pd.merge(report_df, self.openvas_reports, on='report_ids').reset_index().drop('index', axis=1) return merged_df - def normalise(self, dataframe): + def normalise(self, df): self.logger.debug('Normalising data') - self.map_fields(dataframe) - self.transform_values(dataframe) - return dataframe + df = self.map_fields(df) + df = self.transform_values(df) + return df - def map_fields(self, dataframe): + def map_fields(self, df): self.logger.debug('Mapping fields') - return dataframe + return df - def transform_values(self, dataframe): + def transform_values(self, df): self.logger.debug('Transforming values') - return dataframe \ No newline at end of file + return df \ No newline at end of file 
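Review bot: `.str.rstrip('/nan')` strips any trailing run of the characters `/`, `n` and `a` rather than the suffix `/nan`, so it is correct only because CVSS vectors are upper-case, and it is also the unstated reason the combined string becomes `''` when both parts are missing (`nan/nan` is stripped entirely). Building the vector from the non-null parts says what is meant and does not depend on the character set: `.apply(lambda x: '/'.join(v for v in x if pd.notnull(v)), axis=1)` in place of the format-plus-rstrip pair (assuming pandas is imported as `pd`, as in openvas.py). The same idiom is used for `cvss3_vector` in this hunk and twice in the qualys_vuln.py hunk of this patch. transform_values starts inside the hunk but the class continues outside it.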
diff --git a/vulnwhisp/frameworks/qualys_vuln.py b/vulnwhisp/frameworks/qualys_vuln.py index 38e12a8..70f55e9 100644 --- a/vulnwhisp/frameworks/qualys_vuln.py +++ b/vulnwhisp/frameworks/qualys_vuln.py @@ -29,7 +29,7 @@ class qualysWhisperAPI(object): def scan_xml_parser(self, xml): all_records = [] - root = ET.XML(xml.encode("utf-8")) + root = ET.XML(xml.encode('utf-8')) for child in root.find('.//SCAN_LIST'): all_records.append({ 'name': child.find('TITLE').text, @@ -81,8 +81,6 @@ class qualysVulnScan: COLUMN_MAPPING = { 'cve_id': 'cve', - 'cvss_base': 'cvss', - 'cvss3_base': 'cvss3', 'impact': 'synopsis', 'ip_status': 'state', 'os': 'operating_system', 
@@ -137,77 +135,80 @@ class qualysVulnScan: return scan_report - def normalise(self, dataframe): + def normalise(self, df): self.logger.debug('Normalising data') - self.map_fields(dataframe) - self.transform_values(dataframe) - return dataframe + df = self.map_fields(df) + df = self.transform_values(df) + return df - def map_fields(self, dataframe): + def map_fields(self, df): self.logger.info('Mapping fields') # Map fields from COLUMN_MAPPING - fields = [x.lower() for x in dataframe.columns] + fields = [x.lower() for x in df.columns] for field, replacement in self.COLUMN_MAPPING.iteritems(): if field in fields: self.logger.info('Renaming "{}" to "{}"'.format(field, replacement)) fields[fields.index(field)] = replacement fields = [x.replace(' ', '_') for x in fields] - dataframe.columns = fields + df.columns = fields - return dataframe + return df - def transform_values(self, dataframe): + def transform_values(self, df): self.logger.info('Transforming values') # upper/lowercase fields self.logger.info('Changing case of fields') - dataframe['cve'] = dataframe['cve'].str.upper() - dataframe['protocol'] = dataframe['protocol'].str.lower() + df['cve'] = df['cve'].str.upper() + df['protocol'] = df['protocol'].str.lower() # Contruct the CVSS vector - dataframe['cvss_vector'] = '' - dataframe.loc[dataframe["cvss"].notnull(), "cvss_vector"] = ( - dataframe.loc[dataframe["cvss"].notnull(), "cvss"] + df['cvss_vector'] = '' + df.loc[df['cvss_base'].notnull(), 'cvss_vector'] = ( + df.loc[df['cvss_base'].notnull(), 'cvss_base'] .str.split() .apply(lambda x: x[1]) - .str.replace("(", "") - .str.replace(")", "") + .str.replace('(', '') + .str.replace(')', '') ) - dataframe.loc[dataframe["cvss"].notnull(), "cvss"] = ( - dataframe.loc[dataframe["cvss"].notnull(), "cvss"] + df.loc[df['cvss_base'].notnull(), 'cvss_base'] = ( + df.loc[df['cvss_base'].notnull(), 'cvss_base'] .str.split() .apply(lambda x: x[0]) ) - dataframe['cvss_temporal_vector'] = '' - 
dataframe.loc[dataframe["cvss_temporal"].notnull(), "cvss_temporal_vector"] = ( - dataframe.loc[dataframe["cvss_temporal"].notnull(), "cvss_temporal"] + df['cvss_temporal_vector'] = '' + df.loc[df['cvss_temporal'].notnull(), 'cvss_temporal_vector'] = ( + df.loc[df['cvss_temporal'].notnull(), 'cvss_temporal'] .str.split() .apply(lambda x: x[1]) - .str.replace("(", "") - .str.replace(")", "") + .str.replace('(', '') + .str.replace(')', '') ) - dataframe.loc[dataframe["cvss_temporal"].notnull(), "cvss_temporal"] = ( - dataframe.loc[dataframe["cvss_temporal"].notnull(), "cvss_temporal"] + df.loc[df['cvss_temporal'].notnull(), 'cvss_temporal'] = ( + df.loc[df['cvss_temporal'].notnull(), 'cvss_temporal'] .str.split() .apply(lambda x: x[0]) .fillna('') ) # Combine base and temporal - dataframe["cvss_vector"] = ( - dataframe[["cvss_vector", "cvss_temporal_vector"]] - .apply(lambda x: "{}/{}".format(x[0], x[1]), axis=1) - .str.rstrip("/nan") - .fillna("") + df['cvss_vector'] = ( + df[['cvss_vector', 'cvss_temporal_vector']] + .apply(lambda x: '{}/{}'.format(x[0], x[1]), axis=1) + .str.rstrip('/nan') + .fillna('') ) - dataframe.drop('cvss_temporal_vector', axis=1, inplace=True) + df.drop('cvss_temporal_vector', axis=1, inplace=True) # Convert Qualys severity to standardised risk number - dataframe['risk_number'] = dataframe['severity'].astype(int)-1 + df['risk_number'] = df['severity'].astype(int)-1 - dataframe.fillna('', inplace=True) + df['cvss'] = df['cvss_base'] + df.loc[df['cvss_temporal'].notnull(), 'cvss'] = df['cvss_temporal'] - return dataframe \ No newline at end of file + df.fillna('', inplace=True) + + return df \ No newline at end of file diff --git a/vulnwhisp/frameworks/qualys_web.py b/vulnwhisp/frameworks/qualys_web.py index 45c9da3..b288449 100644 --- a/vulnwhisp/frameworks/qualys_web.py +++ b/vulnwhisp/frameworks/qualys_web.py 
@@ -464,16 +464,16 @@ class qualysScanReport: return merged_data - def normalise(self, dataframe): + def normalise(self, df): self.logger.debug('Normalising data') - self.map_fields(dataframe) - self.transform_values(dataframe) - return dataframe + df = self.map_fields(df) + df = self.transform_values(df) + return df - def map_fields(self, dataframe): + def map_fields(self, df): self.logger.debug('Mapping fields') - return dataframe + return df - def transform_values(self, dataframe): + def transform_values(self, df): self.logger.debug('Transforming values') - return dataframe \ No newline at end of file + return df \ No newline at end of file From 29a91cbfb24f55a0393017d626d224bf18cbabab Mon Sep 17 00:00:00 2001 From: pemontto Date: Mon, 15 Apr 2019 17:05:21 +1000 Subject: [PATCH 21/73] Simplify pandas operations, update transforms --- .gitignore | 1 + .travis.yml | 1 + docker-compose-test.yml | 6 ++--- vulnwhisp/frameworks/nessus.py | 22 +++++++++--------- vulnwhisp/frameworks/qualys_vuln.py | 35 ++++++++++++----------------- vulnwhisp/vulnwhisp.py | 16 ++++++------- 6 files changed, 38 insertions(+), 43 deletions(-) diff --git a/.gitignore b/.gitignore index 9fc0cb6..4ca7c68 100644 --- a/.gitignore +++ b/.gitignore @@ -1,5 +1,6 @@ # Vulnwhisperer stuff data/ +docker_data/ logs/ elk6/vulnwhisperer.ini resources/elk6/vulnwhisperer.ini diff --git a/.travis.yml b/.travis.yml index be03ccc..08edaa4 100644 --- a/.travis.yml +++ b/.travis.yml @@ -24,6 +24,7 @@ script: - rm -rf /tmp/VulnWhisperer - vuln_whisperer -F -c configs/test.ini --mock --mock_dir ${TEST_PATH} # Run a second time with no scans to import + - rm -rf /tmp/VulnWhisperer/data/database - vuln_whisperer -F -c configs/test.ini --mock --mock_dir ${TEST_PATH} # Test one failed scan - rm -rf /tmp/VulnWhisperer diff --git a/docker-compose-test.yml b/docker-compose-test.yml index 89e3ee4..4d0db8c 100644 --- a/docker-compose-test.yml +++ b/docker-compose-test.yml 
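Review bot: The comment `# Run a second time with no scans to import` no longer describes the step below it: deleting `/tmp/VulnWhisperer/data/database` before the second run discards the record of what was imported, so the run re-imports everything rather than exercising the nothing-new path. If the intent is to test re-import over existing output files, the comment should say so, e.g. `# Run a second time with the database removed: scans are re-imported over existing files`; if the original no-new-scans case is still wanted it needs its own step without the `rm`.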
@@ -19,6 +19,7 @@ services: mem_limit: 8g volumes: - ./docker_data/esdata1:/usr/share/elasticsearch/data + - ./docker_data/es_snapshots:/snapshots ports: - 9200:9200 #restart: always @@ -37,8 +38,8 @@ services: - 5601:5601 depends_on: - elasticsearch - # volumes: - # - ./kibana-data: + volumes: + - ./docker_data/kibana_optimize:/usr/share/kibana/optimize networks: esnet: aliases: @@ -50,7 +51,6 @@ services: volumes: - ./resources/elk6/init_kibana.sh:/opt/init_kibana.sh - ./resources/elk6/kibana_APIonly.json:/opt/kibana_APIonly.json - - ./docker_data/kibana_optimize:/usr/share/kibana/optimize command: sh -c "apk add --no-cache curl bash && chmod +x /opt/init_kibana.sh && chmod +r /opt/kibana_APIonly.json && cd /opt/ && /bin/bash /opt/init_kibana.sh" # /opt/kibana_APIonly.json" networks: esnet: diff --git a/vulnwhisp/frameworks/nessus.py b/vulnwhisp/frameworks/nessus.py index a616659..11e4258 100755 --- a/vulnwhisp/frameworks/nessus.py +++ b/vulnwhisp/frameworks/nessus.py @@ -203,15 +203,11 @@ class NessusAPI(object): df.drop('CVSS', axis=1, inplace=True) df.drop('IP Address', axis=1, inplace=True) - # Map fields from COLUMN_MAPPING - fields = [x.lower() for x in df.columns] - for field, replacement in self.COLUMN_MAPPING.iteritems(): - if field in fields: - self.logger.debug('Renaming "{}" to "{}"'.format(field, replacement)) - fields[fields.index(field)] = replacement + # Lowercase and map fields from COLUMN_MAPPING + df.columns = [x.lower() for x in df.columns] + df.rename(columns=self.COLUMN_MAPPING, inplace=True) + df.columns = [x.replace(' ', '_') for x in df.columns] - fields = [x.replace(' ', '_') for x in fields] - df.columns = fields return df def transform_values(self, df): 
@@ -227,8 +223,7 @@ class NessusAPI(object): # Map risk to a SEVERITY MAPPING value self.logger.debug('Mapping risk to severity number') - df['risk_number'] = df['risk'].str.lower() - df['risk_number'].replace(self.SEVERITY_MAPPING, inplace=True) + df['risk_number'] = df['risk'].str.lower().map(self.SEVERITY_MAPPING) if self.profile == 'tenable': self.logger.debug('Combinging CVSS vectors for tenable') @@ -243,9 +238,14 @@ class NessusAPI(object): .apply(lambda x: '{}/{}'.format(x[0], x[1]), axis=1) .str.rstrip('/nan') ) - # CVSS score = cvss_temporal if cvss_temporal else cvss_base + + df.drop(['cvss_temporal_vector', 'cvss3_temporal_vector'], axis=1, inplace=True) + + # CVSS score = cvss3_temporal or cvss3_base or cvss_temporal or cvss_base df['cvss'] = df['cvss_base'] df.loc[df['cvss_temporal'].notnull(), 'cvss'] = df['cvss_temporal'] + df['cvss3'] = df['cvss3_base'] + df.loc[df['cvss3_temporal'].notnull(), 'cvss3'] = df['cvss3_temporal'] df.fillna('', inplace=True) return df \ No newline at end of file diff --git a/vulnwhisp/frameworks/qualys_vuln.py b/vulnwhisp/frameworks/qualys_vuln.py index 70f55e9..4cf21de 100644 --- a/vulnwhisp/frameworks/qualys_vuln.py +++ b/vulnwhisp/frameworks/qualys_vuln.py @@ -144,15 +144,10 @@ class qualysVulnScan: def map_fields(self, df): self.logger.info('Mapping fields') - # Map fields from COLUMN_MAPPING - fields = [x.lower() for x in df.columns] - for field, replacement in self.COLUMN_MAPPING.iteritems(): - if field in fields: - self.logger.info('Renaming "{}" to "{}"'.format(field, replacement)) - fields[fields.index(field)] = replacement - - fields = [x.replace(' ', '_') for x in fields] - df.columns = fields + # Lowercase and map fields from COLUMN_MAPPING + df.columns = [x.lower() for x in df.columns] + df.rename(columns=self.COLUMN_MAPPING, inplace=True) + df.columns = [x.replace(' ', '_') for x in df.columns] return df 
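Review bot: Switching from `.replace(self.SEVERITY_MAPPING, inplace=True)` to `.map(self.SEVERITY_MAPPING)` changes what an unmapped `risk` value becomes: `replace` left the lower-cased string in `risk_number`, `map` yields NaN, which the trailing `fillna('')` turns into an empty string. That is arguably better for a numeric field, but it is a silent behaviour change and unknown severities now vanish without a log line; `unmapped = df.loc[df['risk_number'].isnull(), 'risk'].unique()` followed by a `self.logger.warning(...)` when it is non-empty would keep them visible. The new `cvss3` lines index `cvss3_base` and `cvss3_temporal` unconditionally, so an export lacking the CVSS3 columns would raise KeyError rather than produce empty values, though which columns Nessus always emits is not visible in this diff. The method starts outside the hunk.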
@@ -165,32 +160,28 @@ class qualysVulnScan: df['protocol'] = df['protocol'].str.lower() # Contruct the CVSS vector - df['cvss_vector'] = '' - df.loc[df['cvss_base'].notnull(), 'cvss_vector'] = ( + df['cvss_vector'] = ( df.loc[df['cvss_base'].notnull(), 'cvss_base'] .str.split() .apply(lambda x: x[1]) - .str.replace('(', '') - .str.replace(')', '') + .str.strip('()') ) - df.loc[df['cvss_base'].notnull(), 'cvss_base'] = ( + df['cvss_base'] = ( df.loc[df['cvss_base'].notnull(), 'cvss_base'] .str.split() .apply(lambda x: x[0]) ) - df['cvss_temporal_vector'] = '' - df.loc[df['cvss_temporal'].notnull(), 'cvss_temporal_vector'] = ( + + df['cvss_temporal_vector'] = ( df.loc[df['cvss_temporal'].notnull(), 'cvss_temporal'] .str.split() .apply(lambda x: x[1]) - .str.replace('(', '') - .str.replace(')', '') + .str.strip('()') ) - df.loc[df['cvss_temporal'].notnull(), 'cvss_temporal'] = ( + df['cvss_temporal'] = ( df.loc[df['cvss_temporal'].notnull(), 'cvss_temporal'] .str.split() .apply(lambda x: x[0]) - .fillna('') ) # Combine base and temporal @@ -198,7 +189,6 @@ class qualysVulnScan: df[['cvss_vector', 'cvss_temporal_vector']] .apply(lambda x: '{}/{}'.format(x[0], x[1]), axis=1) .str.rstrip('/nan') - .fillna('') ) df.drop('cvss_temporal_vector', axis=1, inplace=True) @@ -206,8 +196,11 @@ class qualysVulnScan: # Convert Qualys severity to standardised risk number df['risk_number'] = df['severity'].astype(int)-1 + # CVSS score = cvss3_temporal or cvss3_base or cvss_temporal or cvss_base df['cvss'] = df['cvss_base'] df.loc[df['cvss_temporal'].notnull(), 'cvss'] = df['cvss_temporal'] + df['cvss3'] = df['cvss3_base'] + df.loc[df['cvss3_temporal'].notnull(), 'cvss3'] = df['cvss3_temporal'] df.fillna('', inplace=True) diff --git a/vulnwhisp/vulnwhisp.py b/vulnwhisp/vulnwhisp.py index 42c27cd..289eaf8 100755 --- a/vulnwhisp/vulnwhisp.py +++ b/vulnwhisp/vulnwhisp.py 
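Review bot: `df['cvss3'] = df['cvss3_base']` copies the raw Qualys field, whereas `cvss_base` a few lines above is split into a numeric score and a parenthesised vector; if `cvss3_base` arrives in the same `score (vector)` form, `cvss3` carries the whole string and a numeric mapping in the index template will reject it. Either apply the same split to the CVSS3 columns or add a comment stating that Qualys emits them as a bare score. The rewritten assignments such as `df['cvss_vector'] = (df.loc[df['cvss_base'].notnull(), 'cvss_base'] ...)` rely on index alignment to leave NaN for the filtered-out rows and on the final `fillna('')` to blank them; a one-line comment saying so would save the next reader from wondering whether those rows are dropped. The method starts outside the hunk.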
@@ -84,7 +84,7 @@ class vulnWhispererBase(object): self.cur = self.conn.cursor() self.logger.info('Connected to database at {loc}'.format(loc=self.database)) except Exception as e: - self.logger.error('Could not connect to database at {loc}\nReason: {e} - Please ensure the path exist'.format( + self.logger.error('Could not connect to database at {loc}\nReason: {e} - Please ensure the path exists'.format( e=e, loc=self.database)) else: @@ -189,7 +189,7 @@ class vulnWhispererBase(object): scan=self.write_path.encode('utf8'))) else: os.path.exists(self.write_path) - self.logger.info('Directory already exist for {scan} - Skipping creation'.format( + self.logger.info('Directory already exists for {scan} - Skipping creation'.format( scan=self.write_path.encode('utf8'))) def get_latest_results(self, source, scan_name): @@ -376,7 +376,7 @@ class vulnWhispererNessus(vulnWhispererBase): os.makedirs(self.path_check(f['name'])) else: os.path.exists(self.path_check(f['name'])) - self.logger.info('Directory already exist for {scan} - Skipping creation'.format( + self.logger.info('Directory already exists for {scan} - Skipping creation'.format( scan=self.path_check(f['name']).encode('utf8'))) # try download and save scans into each folder the belong to @@ -419,7 +419,7 @@ class vulnWhispererNessus(vulnWhispererBase): if os.path.isfile(relative_path_name): if self.develop: - csv_in = pd.read_csv(relative_path_name) + csv_in = pd.read_json(relative_path_name, lines=True) record_meta = ( scan_name, scan_id, @@ -433,7 +433,7 @@ class vulnWhispererNessus(vulnWhispererBase): 0, ) self.record_insert(record_meta) - self.logger.info('File (unknown) already exist! Updating database'.format(filename=relative_path_name)) + self.logger.info('File (unknown) already exists! Updating database'.format(filename=relative_path_name)) else: try: file_req = \ 
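Review bot: The rewritten log line `self.logger.info('File (unknown) already exists! Updating database'.format(filename=relative_path_name))` has no `{filename}` placeholder, so the `.format(...)` is a no-op and the path is never logged; the literal `(unknown)` reads like a placeholder that was lost. `self.logger.info('File {filename} already exists! Updating database'.format(filename=relative_path_name))` restores it. The identical line is rewritten in the three hunks on the next line (`@@ -608`, `@@ -775`, `@@ -889`). The `@@ -419` hunk switches `csv_in` from `pd.read_csv` to `pd.read_json(..., lines=True)` while keeping the name `csv_in`; renaming it would stop the next reader assuming the file is still CSV.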
@@ -608,7 +608,7 @@ class vulnWhispererQualys(vulnWhispererBase): 0, ) self.record_insert(record_meta) - self.logger.info('File (unknown) already exist! Updating database'.format(filename=relative_path_name)) + self.logger.info('File (unknown) already exists! Updating database'.format(filename=relative_path_name)) else: self.logger.info('Generating report for {}'.format(report_id)) @@ -775,7 +775,7 @@ class vulnWhispererOpenVAS(vulnWhispererBase): 0, ) self.record_insert(record_meta) - self.logger.info('File (unknown) already exist! Updating database'.format(filename=relative_path_name)) + self.logger.info('File (unknown) already exists! Updating database'.format(filename=relative_path_name)) record_meta = ( scan_name, @@ -889,7 +889,7 @@ class vulnWhispererQualysVuln(vulnWhispererBase): 0, ) self.record_insert(record_meta) - self.logger.info('File (unknown) already exist! Updating database'.format(filename=relative_path_name)) + self.logger.info('File (unknown) already exists! Updating database'.format(filename=relative_path_name)) else: try: From 96e7211e7794c746a6473451526890a411e9c4bf Mon Sep 17 00:00:00 2001 From: pemontto Date: Mon, 15 Apr 2019 17:16:29 +1000 Subject: [PATCH 22/73] Add mode back to logstash conf --- resources/elk6/pipeline/1000_nessus_process_file.conf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/resources/elk6/pipeline/1000_nessus_process_file.conf b/resources/elk6/pipeline/1000_nessus_process_file.conf index 3bcc83d..122f1f0 100644 --- a/resources/elk6/pipeline/1000_nessus_process_file.conf +++ b/resources/elk6/pipeline/1000_nessus_process_file.conf @@ -8,6 +8,7 @@ input { file { path => "/opt/VulnWhisperer/data/nessus/**/*.json" + mode => "read" start_position => "beginning" file_completed_action => "delete" tags => "nessus" @@ -15,6 +16,7 @@ input { } file { path => "/opt/VulnWhisperer/data/tenable/*.json" + mode => "read" start_position => "beginning" file_completed_action => "delete" tags => "tenable" 
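Review bot: With `mode => "read"` the existing `file_completed_action => "delete"` now takes effect (the file input only honours it in read mode), so every scan JSON under the nessus and tenable paths is removed once Logstash has consumed it. That is a deliberate choice, but nothing in the config says so; a comment above each file block would help, e.g. `# read mode: each file is ingested once and then deleted (file_completed_action)`. Both hunks of this file apply.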
From 00f9b7659b53898788ad08fde88f813f460618eb Mon Sep 17 00:00:00 2001 From: pemontto Date: Mon, 15 Apr 2019 18:17:43 +1000 Subject: [PATCH 23/73] Docker install ES index template --- docker-compose-test.yml | 1 + resources/elk6/init_kibana.sh | 12 +++++++++++- 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/docker-compose-test.yml b/docker-compose-test.yml index 4d0db8c..cb6a9bb 100644 --- a/docker-compose-test.yml +++ b/docker-compose-test.yml @@ -51,6 +51,7 @@ services: volumes: - ./resources/elk6/init_kibana.sh:/opt/init_kibana.sh - ./resources/elk6/kibana_APIonly.json:/opt/kibana_APIonly.json + - ./resources/elk6/logstash-vulnwhisperer-template.json:/opt/index-template.json command: sh -c "apk add --no-cache curl bash && chmod +x /opt/init_kibana.sh && chmod +r /opt/kibana_APIonly.json && cd /opt/ && /bin/bash /opt/init_kibana.sh" # /opt/kibana_APIonly.json" networks: esnet: diff --git a/resources/elk6/init_kibana.sh b/resources/elk6/init_kibana.sh index ca23d74..797fa93 100755 --- a/resources/elk6/init_kibana.sh +++ b/resources/elk6/init_kibana.sh 
@@ -2,13 +2,23 @@ #kibana_url="localhost:5601" kibana_url="kibana.local:5601" +elasticsearch_url="elasticsearch.local:9200" add_saved_objects="curl -u elastic:changeme -k -XPOST 'http://"$kibana_url"/api/saved_objects/_bulk_create' -H 'Content-Type: application/json' -H \"kbn-xsrf: true\" -d @" #Create all saved objects - including index pattern saved_objects_file="kibana_APIonly.json" #if [ `curl -I localhost:5601/status | head -n1 |cut -d$' ' -f2` -eq '200' ]; then echo "Loading VulnWhisperer Saved Objects"; eval $(echo $add_saved_objects$saved_objects_file); else echo "waiting for kibana"; fi - + +until curl -s "$elasticsearch_url/_cluster/health?pretty" | grep '"status"' | grep -q green; do + curl -s "$elasticsearch_url/_cluster/health?pretty" + echo "Waiting for Elasticsearch" + sleep 5 +done + +echo "Loading VulnWhisperer index template" +curl -XPUT "http://$elasticsearch_url/_template/vulnwhisperer" -H 'Content-Type: application/json' -d '@/opt/index-template.json' + until [ "`curl -I "$kibana_url"/status | head -n1 |cut -d$' ' -f2`" == "200" ]; do curl -I "$kibana_url"/status echo "Waiting for Kibana" From 74ebf4349234fbb3c95011d3562648a7064d2dc5 Mon Sep 17 00:00:00 2001 From: pemontto Date: Mon, 15 Apr 2019 20:09:50 +1000 Subject: [PATCH 24/73] Add snapshots and latest build --- docker-compose-test.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/docker-compose-test.yml b/docker-compose-test.yml index cb6a9bb..3739c1d 100644 --- a/docker-compose-test.yml +++ b/docker-compose-test.yml @@ -9,6 +9,7 @@ services: - "ES_JAVA_OPTS=-Xms1g -Xmx1g" - xpack.security.enabled=false - cluster.routing.allocation.disk.threshold_enabled=false + - path.repo=/snapshots ulimits: memlock: soft: -1 
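Review bot: The template load `curl -XPUT "http://$elasticsearch_url/_template/vulnwhisperer" -H 'Content-Type: application/json' -d '@/opt/index-template.json'` has no failure handling, so a rejected template (malformed JSON, mapping conflict, file not mounted) only prints the error body and the script goes on to load the Kibana saved objects as if the mapping were in place. Use `curl -sSf -XPUT ... || { echo "Failed to load index template"; exit 1; }` so the init container exits non-zero and the problem is visible. The new `until ... grep -q green` loop also has no upper bound; a retry counter with a final `exit 1` would stop a mis-set `elasticsearch_url` from spinning forever. The Kibana readiness loop that follows continues past the end of this hunk.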
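Review bot: `- path.repo=/snapshots` registers `/snapshots` as an allowed repository location, but nothing in this hunk mounts it; unless a volume for that path is declared elsewhere in the service (outside this view), any snapshot repository created there lives in the container's writable layer and disappears with it. If persistence is the intent, add a bind or named volume for `/snapshots` next to this setting, with a comment such as `# snapshot repository path; must be backed by a volume` so the dependency is explicit.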
@@ -73,11 +74,14 @@ services: esnet: aliases: - logstash.local + vulnwhisperer: - image: vulnwhisperer-1.8 + # image: vulnwhisperer-1.8 + image: vulnwhisperer-pemontto container_name: vulnwhisperer entrypoint: [ "vuln_whisperer", + "-F", "-c", "/opt/VulnWhisperer/vulnwhisperer.ini", "--mock", From 97d2a2606c77df5688273edec207954c7b0330a2 Mon Sep 17 00:00:00 2001 From: pemontto Date: Mon, 15 Apr 2019 20:10:49 +1000 Subject: [PATCH 25/73] Cleanup logstash configs --- resources/elk6/init_kibana.sh | 2 +- .../pipeline/1000_nessus_process_file.conf | 106 ++++---------- .../elk6/pipeline/2000_qualys_web_scans.conf | 134 +++++++----------- resources/elk6/pipeline/3000_openvas.conf | 64 +++++---- vulnwhisp/vulnwhisp.py | 20 +-- 5 files changed, 138 insertions(+), 188 deletions(-) diff --git a/resources/elk6/init_kibana.sh b/resources/elk6/init_kibana.sh index 797fa93..9d2cbc3 100755 --- a/resources/elk6/init_kibana.sh +++ b/resources/elk6/init_kibana.sh @@ -10,7 +10,7 @@ saved_objects_file="kibana_APIonly.json" #if [ `curl -I localhost:5601/status | head -n1 |cut -d$' ' -f2` -eq '200' ]; then echo "Loading VulnWhisperer Saved Objects"; eval $(echo $add_saved_objects$saved_objects_file); else echo "waiting for kibana"; fi -until curl -s "$elasticsearch_url/_cluster/health?pretty" | grep '"status"' | grep -q green; do +until curl -s "$elasticsearch_url/_cluster/health?pretty" | grep '"status"' | grep -qE "green|yellow"; do curl -s "$elasticsearch_url/_cluster/health?pretty" echo "Waiting for Elasticsearch" sleep 5 diff --git a/resources/elk6/pipeline/1000_nessus_process_file.conf b/resources/elk6/pipeline/1000_nessus_process_file.conf index 122f1f0..1462ee3 100644 --- a/resources/elk6/pipeline/1000_nessus_process_file.conf +++ b/resources/elk6/pipeline/1000_nessus_process_file.conf 
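Review bot: `image: vulnwhisperer-pemontto` replaces the release tag with what looks like a personal build name, leaving `# image: vulnwhisperer-1.8` commented out; in the shared test compose file this makes `docker-compose up` fail for anyone who has not built that image locally. Restore a versioned tag or add a `build:` context so the image is reproducible, and drop the commented-out line. The new `"-F"` entrypoint argument is not explained anywhere in the diff; a trailing `# -F: <what it enables>` comment would save the next reader a trip to the CLI help.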
@@ -27,95 +27,49 @@ input { filter { if "nessus" in [tags] or "tenable" in [tags] { + date { + match => [ "_timestamp", "UNIX" ] + target => "@timestamp" + remove_field => ["timestamp"] + } + #If using filebeats as your source, you will need to replace the "path" field to "source" # Remove when scan name is included in event (current method is error prone) grok { - match => { "path" => "(?[a-zA-Z0-9_.\-]+)_%{INT:scan_id}_%{INT:history_id}_%{INT:last_updated}.(csv|json)$" } + match => { "path" => "([a-zA-Z0-9_.\-]+)_%{INT}_%{INT:history_id}_%{INT}.json$" } tag_on_failure => [] } - # TODO remove when @timestamp is included in event - date { - match => [ "last_updated", "UNIX" ] - target => "@timestamp" - remove_field => ["last_updated"] - } - - if [risk] == "None" { - mutate { add_field => { "risk_number" => 0 }} - } - if [risk] == "Low" { - mutate { add_field => { "risk_number" => 1 }} - } - if [risk] == "Medium" { - mutate { add_field => { "risk_number" => 2 }} - } - if [risk] == "High" { - mutate { add_field => { "risk_number" => 3 }} - } - if [risk] == "Critical" { - mutate { add_field => { "risk_number" => 4 }} - } - - if ![cve] or [cve] == "nan" { - mutate { remove_field => [ "cve" ] } - } - if ![cvss] or [cvss] == "nan" { - mutate { remove_field => [ "cvss" ] } - } - if ![cvss_base] or [cvss_base] == "nan" { - mutate { remove_field => [ "cvss_base" ] } - } - if ![cvss_temporal] or [cvss_temporal] == "nan" { - mutate { remove_field => [ "cvss_temporal" ] } - } - if ![cvss_temporal_vector] or [cvss_temporal_vector] == "nan" { - mutate { remove_field => [ "cvss_temporal_vector" ] } - } - if ![cvss_vector] or [cvss_vector] == "nan" { - mutate { remove_field => [ "cvss_vector" ] } - } - if ![cvss3_base] or [cvss3_base] == "nan" { - mutate { remove_field => [ "cvss3_base" ] } - } - if ![cvss3_temporal] or [cvss3_temporal] == "nan" { - mutate { remove_field => [ "cvss3_temporal" ] } - } - if ![cvss3_temporal_vector] or [cvss3_temporal_vector] == "nan" { - mutate { 
remove_field => [ "cvss3_temporal_vector" ] } - } - if ![description] or [description] == "nan" { - mutate { remove_field => [ "description" ] } - } - if ![mac_address] or [mac_address] == "nan" { - mutate { remove_field => [ "mac_address" ] } - } - if ![netbios] or [netbios] == "nan" { - mutate { remove_field => [ "netbios" ] } - } - if ![operating_system] or [operating_system] == "nan" { - mutate { remove_field => [ "operating_system" ] } - } - if ![plugin_output] or [plugin_output] == "nan" { - mutate { remove_field => [ "plugin_output" ] } - } - if ![see_also] or [see_also] == "nan" { - mutate { remove_field => [ "see_also" ] } - } - if ![synopsis] or [synopsis] == "nan" { - mutate { remove_field => [ "synopsis" ] } - } - if ![system_type] or [system_type] == "nan" { - mutate { remove_field => [ "system_type" ] } + translate { + field => "[risk]" + destination => "[risk_number]" + dictionary => { + "None" => 0 + "Low" => 1 + "Medium" => 2 + "High" => 3 + "Critical" => 4 + } } mutate { - remove_field => [ "message" ] add_field => { "risk_score" => "%{cvss}" } } + mutate { - convert => { "risk_score" => "float" } + convert => { "cvss_base" => "float"} + convert => { "cvss_temporal" => "float"} + convert => { "cvss" => "float"} + convert => { "cvss3_base" => "float"} + convert => { "cvss3_temporal" => "float"} + convert => { "cvss3" => "float"} + convert => { "id" => "integer"} + convert => { "plugin_id" => "integer"} + convert => { "risk_number" => "integer"} + convert => { "risk_score" => "float"} + convert => { "total_times_detected" => "integer"} } + if [risk_score] == 0 { mutate { add_field => { "risk_score_name" => "info" } diff --git a/resources/elk6/pipeline/2000_qualys_web_scans.conf b/resources/elk6/pipeline/2000_qualys_web_scans.conf index 7c207c7..0ee2522 100644 --- a/resources/elk6/pipeline/2000_qualys_web_scans.conf +++ b/resources/elk6/pipeline/2000_qualys_web_scans.conf 
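Review bot: The new `date` block at the top of the filter matches on `_timestamp` but removes `timestamp` (`remove_field => ["timestamp"]`), so the raw epoch value stays on every event next to `@timestamp`; it should be `remove_field => ["_timestamp"]`. The same mismatch is in this commit's 2000_qualys_web_scans.conf and 3000_openvas.conf hunks (PATCH 26 in this series corrects all three). This hunk also drops the per-field `"nan"` cleanup, which appears to rely on the producer's `fillna('')` now emitting empty strings for missing values; what `convert => { "cvss" => "float" }` produces for an empty string is worth confirming before the old guards are considered redundant. The enclosing `filter {` block continues outside the hunk.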
@@ -19,101 +19,53 @@ input { filter { if "qualys" in [tags] { + date { + match => [ "_timestamp", "UNIX" ] + target => "@timestamp" + remove_field => ["timestamp"] + } + grok { - match => { "path" => [ "(?qualys_vuln)_scan_%{DATA}_%{INT:last_updated}.json$", "(?qualys_web)_%{INT:app_id}_%{INT:last_updated}.json$" ] } + match => { "path" => [ "(?qualys_vuln)_scan_%{DATA}_%{INT}.json$", "(?qualys_web)_%{INT:app_id}_%{INT}.json$" ] } tag_on_failure => [] } - - mutate { - replace => [ "message", "%{message}" ] - #gsub => [ - # "message", "\|\|\|", " ", - # "message", "\t\t", " ", - # "message", " ", " ", - # "message", " ", " ", - # "message", " ", " ", - # "message", "nan", " ", - # "message",'\n','' - #] + + translate { + field => "[risk_number]" + destination => "[risk]" + dictionary => { + "0" => "Info" + "1" => "Low" + "2" => "Medium" + "3" => "High" + "4" => "Critical" + } } if "qualys_web" in [tags] { - mutate { - add_field => { "asset" => "%{web_application_name}" } - add_field => { "risk_score" => "%{cvss}" } - } - } else if "qualys_vuln" in [tags] { mutate { - add_field => { "asset" => "%{ip}" } - add_field => { "risk_score" => "%{cvss}" } + add_field => { "asset" => "%{web_application_name}" } } } - if [risk] == "1" { - mutate { add_field => { "risk_number" => 0 }} - mutate { replace => { "risk" => "info" }} - } - if [risk] == "2" { - mutate { add_field => { "risk_number" => 1 }} - mutate { replace => { "risk" => "low" }} - } - if [risk] == "3" { - mutate { add_field => { "risk_number" => 2 }} - mutate { replace => { "risk" => "medium" }} - } - if [risk] == "4" { - mutate { add_field => { "risk_number" => 3 }} - mutate { replace => { "risk" => "high" }} - } - if [risk] == "5" { - mutate { add_field => { "risk_number" => 4 }} - mutate { replace => { "risk" => "critical" }} - } - mutate { - remove_field => "message" + add_field => { "risk_score" => "%{cvss}" } } - if [first_time_detected] { - date { - match => [ "first_time_detected", "dd MMM yyyy HH:mma 
'GMT'ZZ", "dd MMM yyyy HH:mma 'GMT'" ] - target => "first_time_detected" - } - } - if [first_time_tested] { - date { - match => [ "first_time_tested", "dd MMM yyyy HH:mma 'GMT'ZZ", "dd MMM yyyy HH:mma 'GMT'" ] - target => "first_time_tested" - } - } - if [last_time_detected] { - date { - match => [ "last_time_detected", "dd MMM yyyy HH:mma 'GMT'ZZ", "dd MMM yyyy HH:mma 'GMT'" ] - target => "last_time_detected" - } - } - if [last_time_tested] { - date { - match => [ "last_time_tested", "dd MMM yyyy HH:mma 'GMT'ZZ", "dd MMM yyyy HH:mma 'GMT'" ] - target => "last_time_tested" - } - } - - # TODO remove when @timestamp is included in event - date { - match => [ "last_updated", "UNIX" ] - target => "@timestamp" - remove_field => "last_updated" - } mutate { - convert => { "plugin_id" => "integer"} + convert => { "cvss_base" => "float"} + convert => { "cvss_temporal" => "float"} + convert => { "cvss" => "float"} + convert => { "cvss3_base" => "float"} + convert => { "cvss3_temporal" => "float"} + convert => { "cvss3" => "float"} convert => { "id" => "integer"} + convert => { "plugin_id" => "integer"} convert => { "risk_number" => "integer"} convert => { "risk_score" => "float"} convert => { "total_times_detected" => "integer"} - convert => { "cvss_temporal" => "float"} - convert => { "cvss" => "float"} } + if [risk_score] == 0 { mutate { add_field => { "risk_score_name" => "info" } 
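Review bot: The `translate` block here maps `risk_number` 0 to `"Info"` (the 3000_openvas.conf hunk of this commit does the same), while the Nessus pipeline in this commit maps `"None" => 0`, so identical risk numbers end up with different `risk` labels depending on the source and any visualisation keyed on `risk` splits into separate buckets. Settle on one vocabulary for `risk` across the three pipelines (later patches in this series move the mapping into Python with lowercase `none`/`low`/…) and document it once, e.g. `# risk labels must match those emitted by the other pipelines`. The enclosing `if "qualys" in [tags]` block starts before and ends after this hunk.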
@@ -140,11 +92,35 @@ filter { } } - if [asset] =~ "\.yourdomain\.(com|net)$" { - mutate { - add_tag => [ "critical_asset" ] + if [first_time_detected] { + date { + match => [ "first_time_detected", "dd MMM yyyy HH:mma 'GMT'ZZ", "dd MMM yyyy HH:mma 'GMT'" ] + target => "first_time_detected" } } + if [first_time_tested] { + date { + match => [ "first_time_tested", "dd MMM yyyy HH:mma 'GMT'ZZ", "dd MMM yyyy HH:mma 'GMT'" ] + target => "first_time_tested" + } + } + if [last_time_detected] { + date { + match => [ "last_time_detected", "dd MMM yyyy HH:mma 'GMT'ZZ", "dd MMM yyyy HH:mma 'GMT'" ] + target => "last_time_detected" + } + } + if [last_time_tested] { + date { + match => [ "last_time_tested", "dd MMM yyyy HH:mma 'GMT'ZZ", "dd MMM yyyy HH:mma 'GMT'" ] + target => "last_time_tested" + } + } + # if [asset] =~ "\.yourdomain\.(com|net)$" { + # mutate { + # add_tag => [ "critical_asset" ] + # } + # } } } output { diff --git a/resources/elk6/pipeline/3000_openvas.conf b/resources/elk6/pipeline/3000_openvas.conf index 4a96ca3..cb1a00c 100644 --- a/resources/elk6/pipeline/3000_openvas.conf +++ b/resources/elk6/pipeline/3000_openvas.conf @@ -20,27 +20,27 @@ input { filter { if "openvas_scan" in [tags] { - mutate { - replace => [ "message", "%{message}" ] - gsub => [ - "message", "\|\|\|", " ", - "message", "\t\t", " ", - "message", " ", " ", - "message", " ", " ", - "message", " ", " ", - "message", "nan", " ", - "message",'\n','' - ] + date { + match => [ "_timestamp", "UNIX" ] + target => "@timestamp" + remove_field => ["timestamp"] } - grok { - match => { "path" => "openvas_scan_%{DATA:scan_id}_%{INT:last_updated}.json$" } + match => { "path" => "openvas_scan_%{DATA}_%{INT}.json$" } tag_on_failure => [] } - mutate { - add_field => { "risk_score" => "%{cvss}" } + translate { + field => "[risk_number]" + destination => "[risk]" + dictionary => { + "0" => "Info" + "1" => "Low" + "2" => "Medium" + "3" => "High" + "4" => "Critical" + } } if [risk] == "1" { 
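Review bot: The new `translate` writes `[risk]` from `[risk_number]`, but the trailing context `if [risk] == "1" {` (continuing outside the hunk) shows the old branches that still expect `risk` to arrive as a numeric string; `translate` defaults to `override => false`, so when the event already carries `risk` the dictionary is never applied and those legacy branches keep doing the mapping. Either add `override => true` to the translate or remove the old `if [risk] == "..."` blocks so there is a single source of truth for the label. A comment on the translate stating which form of `risk` the OpenVAS events carry on arrival would make the intent checkable.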
@@ -93,21 +93,24 @@ filter { } } - # TODO remove when @timestamp is included in event - date { - match => [ "last_updated", "UNIX" ] - target => "@timestamp" - remove_field => "last_updated" - } mutate { - convert => { "plugin_id" => "integer"} + add_field => { "risk_score" => "%{cvss}" } + } + + mutate { + convert => { "cvss_base" => "float"} + convert => { "cvss_temporal" => "float"} + convert => { "cvss" => "float"} + convert => { "cvss3_base" => "float"} + convert => { "cvss3_temporal" => "float"} + convert => { "cvss3" => "float"} convert => { "id" => "integer"} + convert => { "plugin_id" => "integer"} convert => { "risk_number" => "integer"} convert => { "risk_score" => "float"} convert => { "total_times_detected" => "integer"} - convert => { "cvss_temporal" => "float"} - convert => { "cvss" => "float"} } + if [risk_score] == 0 { mutate { add_field => { "risk_score_name" => "info" } @@ -139,6 +142,19 @@ filter { add_tag => [ "critical_asset" ] } } + mutate { + convert => { "plugin_id" => "integer"} + convert => { "id" => "integer"} + convert => { "risk_number" => "integer"} + convert => { "risk_score" => "float"} + convert => { "total_times_detected" => "integer"} + convert => { "cvss" => "float"} + convert => { "cvss_base" => "float"} + convert => { "cvss_temporal" => "float"} + convert => { "cvss3" => "float"} + convert => { "cvss3_base" => "float"} + convert => { "cvss3_temporal" => "float"} + } } } output { diff --git a/vulnwhisp/vulnwhisp.py b/vulnwhisp/vulnwhisp.py index 289eaf8..cd73320 100755 --- a/vulnwhisp/vulnwhisp.py +++ b/vulnwhisp/vulnwhisp.py 
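Review bot: The `mutate { convert => ... }` block added at the end of the filter (the `@@ -139` hunk) repeats, field for field, the conversions the `@@ -93` hunk already applies a few lines earlier; the second block is redundant and should be removed so type coercion lives in one place. If the intent was to re-coerce after the `critical_asset` tagging, a comment explaining why would be needed, but nothing in between changes those fields. Both hunks sit inside the `filter {` block that starts outside this view.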
@@ -455,8 +455,9 @@ class vulnWhispererNessus(vulnWhispererBase): clean_csv['scan_name'] = scan_name.encode('utf8') clean_csv['scan_id'] = uuid - # Add @timestamp and convert to milliseconds - clean_csv['@timestamp'] = int(norm_time) * 1000 + # Add timestamp and convert to milliseconds + clean_csv['_timestamp'] = norm_time + clean_csv['scan_source'] = self.CONFIG_SECTION clean_csv.to_json(relative_path_name, orient='records', lines=True) @@ -628,8 +629,9 @@ class vulnWhispererQualys(vulnWhispererBase): # Set common fields vuln_ready['scan_name'] = scan_name.encode('utf8') vuln_ready['scan_id'] = report_id - # Add @timestamp and convert to milliseconds - vuln_ready['@timestamp'] = int(launched_date) * 1000 + # Add timestamp and convert to milliseconds + vuln_ready['_timestamp'] = launched_date + vuln_ready['scan_source'] = self.CONFIG_SECTION record_meta = ( scan_name, @@ -801,8 +803,9 @@ class vulnWhispererOpenVAS(vulnWhispererBase): # Set common fields vuln_ready['scan_name'] = scan_name.encode('utf8') vuln_ready['scan_id'] = report_id - # Add @timestamp and convert to milliseconds - vuln_ready['@timestamp'] = int(launched_date) * 1000 + # Add _timestamp and convert to milliseconds + vuln_ready['_timestamp'] = launched_date + vuln_ready['scan_source'] = self.CONFIG_SECTION vuln_ready.to_json(relative_path_name, orient='records', lines=True) self.logger.info('Report written to {}'.format(report_name)) @@ -902,8 +905,9 @@ class vulnWhispererQualysVuln(vulnWhispererBase): vuln_ready['scan_name'] = scan_name.encode('utf8') vuln_ready['scan_id'] = report_id - # Add @timestamp and convert to milliseconds - vuln_ready['@timestamp'] = int(launched_date) * 1000 + # Add timestamp and convert to milliseconds + vuln_ready['_timestamp'] = launched_date + vuln_ready['scan_source'] = self.CONFIG_SECTION except Exception as e: self.logger.error('Could not process {}: {}'.format(report_id, str(e))) From dd66414fe7258bb666d0fa43d52d666cdc905b32 Mon Sep 17 00:00:00 2001 
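Review bot: The retained comment `# Add timestamp and convert to milliseconds` no longer describes the line under it: the `int(...) * 1000` is gone and `_timestamp` is now stored as-is in seconds (the pipelines parse it with `UNIX`). Change it to `# Add _timestamp as epoch seconds (parsed by the Logstash date filter as UNIX)` here and in the `@@ -628`, `@@ -801` and `@@ -902` hunks of this commit — the `@@ -801` one already names `_timestamp` but still claims milliseconds. With the `int()` cast removed, `norm_time`/`launched_date` are written in whatever type the source returned; if either is a string it is worth pinning the type here so the JSON field is consistently numeric across sources.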
From: pemontto Date: Mon, 15 Apr 2019 20:12:28 +1000 Subject: [PATCH 26/73] remove _timestamp correctly --- resources/elk6/pipeline/1000_nessus_process_file.conf | 2 +- resources/elk6/pipeline/2000_qualys_web_scans.conf | 2 +- resources/elk6/pipeline/3000_openvas.conf | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/resources/elk6/pipeline/1000_nessus_process_file.conf b/resources/elk6/pipeline/1000_nessus_process_file.conf index 1462ee3..2be2e03 100644 --- a/resources/elk6/pipeline/1000_nessus_process_file.conf +++ b/resources/elk6/pipeline/1000_nessus_process_file.conf @@ -30,7 +30,7 @@ filter { date { match => [ "_timestamp", "UNIX" ] target => "@timestamp" - remove_field => ["timestamp"] + remove_field => ["_timestamp"] } #If using filebeats as your source, you will need to replace the "path" field to "source" diff --git a/resources/elk6/pipeline/2000_qualys_web_scans.conf b/resources/elk6/pipeline/2000_qualys_web_scans.conf index 0ee2522..329257f 100644 --- a/resources/elk6/pipeline/2000_qualys_web_scans.conf +++ b/resources/elk6/pipeline/2000_qualys_web_scans.conf @@ -22,7 +22,7 @@ filter { date { match => [ "_timestamp", "UNIX" ] target => "@timestamp" - remove_field => ["timestamp"] + remove_field => ["_timestamp"] } grok { diff --git a/resources/elk6/pipeline/3000_openvas.conf b/resources/elk6/pipeline/3000_openvas.conf index cb1a00c..0bf12c1 100644 --- a/resources/elk6/pipeline/3000_openvas.conf +++ b/resources/elk6/pipeline/3000_openvas.conf @@ -23,7 +23,7 @@ filter { date { match => [ "_timestamp", "UNIX" ] target => "@timestamp" - remove_field => ["timestamp"] + remove_field => ["_timestamp"] } grok { From ee327874e5d722406f10fa51f67b2a7b2b21b2c3 Mon Sep 17 00:00:00 2001 
From: pemontto Date: Mon, 15 Apr 2019 21:12:07 +1000 Subject: [PATCH 27/73] Move to a common normalisation function --- .../pipeline/1000_nessus_process_file.conf | 41 ++++------- .../elk6/pipeline/2000_qualys_web_scans.conf | 41 ++++------- resources/elk6/pipeline/3000_openvas.conf | 30 ++++---- vulnwhisp/frameworks/nessus.py | 23 +----- vulnwhisp/frameworks/qualys_vuln.py | 18 +---- vulnwhisp/vulnwhisp.py | 72 ++++++++++++++++--- 6 files changed, 102 insertions(+), 123 deletions(-) diff --git a/resources/elk6/pipeline/1000_nessus_process_file.conf b/resources/elk6/pipeline/1000_nessus_process_file.conf index 2be2e03..335dd20 100644 --- a/resources/elk6/pipeline/1000_nessus_process_file.conf +++ b/resources/elk6/pipeline/1000_nessus_process_file.conf 
@@ -40,59 +40,42 @@ filter { tag_on_failure => [] } - translate { - field => "[risk]" - destination => "[risk_number]" - dictionary => { - "None" => 0 - "Low" => 1 - "Medium" => 2 - "High" => 3 - "Critical" => 4 - } - } - - mutate { - add_field => { "risk_score" => "%{cvss}" } - } - mutate { + convert => { "cvss" => "float"} convert => { "cvss_base" => "float"} convert => { "cvss_temporal" => "float"} - convert => { "cvss" => "float"} + convert => { "cvss3" => "float"} convert => { "cvss3_base" => "float"} convert => { "cvss3_temporal" => "float"} - convert => { "cvss3" => "float"} convert => { "id" => "integer"} convert => { "plugin_id" => "integer"} convert => { "risk_number" => "integer"} - convert => { "risk_score" => "float"} convert => { "total_times_detected" => "integer"} } - if [risk_score] == 0 { + if [cvss] == 0 { mutate { - add_field => { "risk_score_name" => "info" } + add_field => { "cvss_severity" => "info" } } } - if [risk_score] > 0 and [risk_score] < 3 { + if [cvss] > 0 and [cvss] < 3 { mutate { - add_field => { "risk_score_name" => "low" } + add_field => { "cvss_severity" => "low" } } } - if [risk_score] >= 3 and [risk_score] < 6 { + if [cvss] >= 3 and [cvss] < 6 { mutate { - add_field => { "risk_score_name" => "medium" } + add_field => { "cvss_severity" => "medium" } } } - if [risk_score] >=6 and [risk_score] < 9 { + if [cvss] >=6 and [cvss] < 9 { mutate { - add_field => { "risk_score_name" => "high" } + add_field => { "cvss_severity" => "high" } } } - if [risk_score] >= 9 { + if [cvss] >= 9 { mutate { - add_field => { "risk_score_name" => "critical" } + add_field => { "cvss_severity" => "critical" } } } } diff --git a/resources/elk6/pipeline/2000_qualys_web_scans.conf b/resources/elk6/pipeline/2000_qualys_web_scans.conf index 329257f..6a4e11f 100644 --- a/resources/elk6/pipeline/2000_qualys_web_scans.conf +++ b/resources/elk6/pipeline/2000_qualys_web_scans.conf 
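Review bot: The renamed `add_field => { "cvss_severity" => ... }` blocks now collide with the `cvss_severity` column that the same commit's `common_normalise` writes into the JSON: `mutate add_field` on a field that already exists converts it to an array and appends, so events would carry `["low", "low"]` (or two different labels, given the Python mapping). The same duplication is in this commit's 2000_qualys_web_scans.conf and 3000_openvas.conf hunks; PATCH 29 in this series removes the Logstash side, which is the right resolution. Until then a comment `# cvss_severity is also set by vulnwhisperer; this block is transitional` would flag the overlap.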
@@ -30,18 +30,6 @@ filter { tag_on_failure => [] } - translate { - field => "[risk_number]" - destination => "[risk]" - dictionary => { - "0" => "Info" - "1" => "Low" - "2" => "Medium" - "3" => "High" - "4" => "Critical" - } - } - if "qualys_web" in [tags] { mutate { add_field => { "asset" => "%{web_application_name}" } @@ -49,46 +37,41 @@ filter { } mutate { - add_field => { "risk_score" => "%{cvss}" } - } - - mutate { + convert => { "cvss" => "float"} convert => { "cvss_base" => "float"} convert => { "cvss_temporal" => "float"} - convert => { "cvss" => "float"} + convert => { "cvss3" => "float"} convert => { "cvss3_base" => "float"} convert => { "cvss3_temporal" => "float"} - convert => { "cvss3" => "float"} convert => { "id" => "integer"} convert => { "plugin_id" => "integer"} convert => { "risk_number" => "integer"} - convert => { "risk_score" => "float"} convert => { "total_times_detected" => "integer"} } - if [risk_score] == 0 { + if [cvss] == 0 { mutate { - add_field => { "risk_score_name" => "info" } + add_field => { "cvss_severity" => "info" } } } - if [risk_score] > 0 and [risk_score] < 3 { + if [cvss] > 0 and [cvss] < 3 { mutate { - add_field => { "risk_score_name" => "low" } + add_field => { "cvss_severity" => "low" } } } - if [risk_score] >= 3 and [risk_score] < 6 { + if [cvss] >= 3 and [cvss] < 6 { mutate { - add_field => { "risk_score_name" => "medium" } + add_field => { "cvss_severity" => "medium" } } } - if [risk_score] >=6 and [risk_score] < 9 { + if [cvss] >=6 and [cvss] < 9 { mutate { - add_field => { "risk_score_name" => "high" } + add_field => { "cvss_severity" => "high" } } } - if [risk_score] >= 9 { + if [cvss] >= 9 { mutate { - add_field => { "risk_score_name" => "critical" } + add_field => { "cvss_severity" => "critical" } } } diff --git a/resources/elk6/pipeline/3000_openvas.conf b/resources/elk6/pipeline/3000_openvas.conf index 0bf12c1..97b91ea 100644 --- a/resources/elk6/pipeline/3000_openvas.conf 
+++ b/resources/elk6/pipeline/3000_openvas.conf @@ -94,48 +94,44 @@ filter { } mutate { - add_field => { "risk_score" => "%{cvss}" } - } - - mutate { + convert => { "cvss" => "float"} convert => { "cvss_base" => "float"} convert => { "cvss_temporal" => "float"} - convert => { "cvss" => "float"} + convert => { "cvss3" => "float"} convert => { "cvss3_base" => "float"} convert => { "cvss3_temporal" => "float"} - convert => { "cvss3" => "float"} convert => { "id" => "integer"} convert => { "plugin_id" => "integer"} convert => { "risk_number" => "integer"} - convert => { "risk_score" => "float"} convert => { "total_times_detected" => "integer"} } - if [risk_score] == 0 { + if [cvss] == 0 { mutate { - add_field => { "risk_score_name" => "info" } + add_field => { "cvss_severity" => "info" } } } - if [risk_score] > 0 and [risk_score] < 3 { + if [cvss] > 0 and [cvss] < 3 { mutate { - add_field => { "risk_score_name" => "low" } + add_field => { "cvss_severity" => "low" } } } - if [risk_score] >= 3 and [risk_score] < 6 { + if [cvss] >= 3 and [cvss] < 6 { mutate { - add_field => { "risk_score_name" => "medium" } + add_field => { "cvss_severity" => "medium" } } } - if [risk_score] >=6 and [risk_score] < 9 { + if [cvss] >=6 and [cvss] < 9 { mutate { - add_field => { "risk_score_name" => "high" } + add_field => { "cvss_severity" => "high" } } } - if [risk_score] >= 9 { + if [cvss] >= 9 { mutate { - add_field => { "risk_score_name" => "critical" } + add_field => { "cvss_severity" => "critical" } } } + # Add your critical assets by subnet or by hostname. Comment this field out if you don't want to tag any, but the asset panel will break. if [asset] =~ "^10\.0\.100\." { mutate { diff --git a/vulnwhisp/frameworks/nessus.py b/vulnwhisp/frameworks/nessus.py index 11e4258..1d6de7f 100755 --- a/vulnwhisp/frameworks/nessus.py +++ b/vulnwhisp/frameworks/nessus.py 
@@ -217,6 +217,7 @@ class NessusAPI(object): self.logger.debug('Changing case of fields') df['cve'] = df['cve'].str.upper() df['protocol'] = df['protocol'].str.lower() + df['risk'] = df['risk'].str.lower() # Copy asset to IP df['ip'] = df['asset'] @@ -225,27 +226,5 @@ class NessusAPI(object): self.logger.debug('Mapping risk to severity number') df['risk_number'] = df['risk'].str.lower().map(self.SEVERITY_MAPPING) - if self.profile == 'tenable': - self.logger.debug('Combinging CVSS vectors for tenable') - # Combine CVSS vectors - df['cvss_vector'] = ( - df[['cvss_vector', 'cvss_temporal_vector']] - .apply(lambda x: '{}/{}'.format(x[0], x[1]), axis=1) - .str.rstrip('/nan') - ) - df['cvss3_vector'] = ( - df[['cvss3_vector', 'cvss3_temporal_vector']] - .apply(lambda x: '{}/{}'.format(x[0], x[1]), axis=1) - .str.rstrip('/nan') - ) - - df.drop(['cvss_temporal_vector', 'cvss3_temporal_vector'], axis=1, inplace=True) - - # CVSS score = cvss3_temporal or cvss3_base or cvss_temporal or cvss_base - df['cvss'] = df['cvss_base'] - df.loc[df['cvss_temporal'].notnull(), 'cvss'] = df['cvss_temporal'] - df['cvss3'] = df['cvss3_base'] - df.loc[df['cvss3_temporal'].notnull(), 'cvss3'] = df['cvss3_temporal'] - df.fillna('', inplace=True) return df \ No newline at end of file diff --git a/vulnwhisp/frameworks/qualys_vuln.py b/vulnwhisp/frameworks/qualys_vuln.py index 4cf21de..118d8f2 100644 --- a/vulnwhisp/frameworks/qualys_vuln.py +++ b/vulnwhisp/frameworks/qualys_vuln.py @@ -90,6 +90,8 @@ class qualysVulnScan: 'title': 'plugin_name' } + SEVERITY_MAPPING = {0: 'none', 1: 'low', 2: 'medium', 3: 'high',4: 'critical'} + def __init__( self, config=None, 
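Review bot: With the new `df['risk'] = df['risk'].str.lower()`, the `.str.lower()` in the following hunk's `df['risk_number'] = df['risk'].str.lower().map(self.SEVERITY_MAPPING)` is redundant and can become `df['risk_number'] = df['risk'].map(self.SEVERITY_MAPPING)`. A short comment such as `# lowercase Nessus risk labels (None/Low/...) to match the other sources` would record why the case change is made here. The enclosing `normalise` method starts outside the hunk.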
@@ -184,23 +186,9 @@ class qualysVulnScan: .apply(lambda x: x[0]) ) - # Combine base and temporal - df['cvss_vector'] = ( - df[['cvss_vector', 'cvss_temporal_vector']] - .apply(lambda x: '{}/{}'.format(x[0], x[1]), axis=1) - .str.rstrip('/nan') - ) - - df.drop('cvss_temporal_vector', axis=1, inplace=True) - # Convert Qualys severity to standardised risk number df['risk_number'] = df['severity'].astype(int)-1 - - # CVSS score = cvss3_temporal or cvss3_base or cvss_temporal or cvss_base - df['cvss'] = df['cvss_base'] - df.loc[df['cvss_temporal'].notnull(), 'cvss'] = df['cvss_temporal'] - df['cvss3'] = df['cvss3_base'] - df.loc[df['cvss3_temporal'].notnull(), 'cvss3'] = df['cvss3_temporal'] + df['risk'] = df['risk_number'].map(self.SEVERITY_MAPPING) df.fillna('', inplace=True) diff --git a/vulnwhisp/vulnwhisp.py b/vulnwhisp/vulnwhisp.py index cd73320..954e8ba 100755 --- a/vulnwhisp/vulnwhisp.py +++ b/vulnwhisp/vulnwhisp.py 
@@ -242,6 +242,52 @@ class vulnWhispererBase(object): scan_names = [] return results + def common_normalise(self, df): + """Map and transform common data values""" + self.logger.info('Start common mapping') + if 'cvss_base' in df: + self.logger.info('Normalising CVSS') + # CVSS = cvss_temporal or cvss_base + df['cvss'] = df['cvss_base'] + df.loc[df['cvss_temporal'].notnull(), 'cvss'] = df['cvss_temporal'] + # Map CVSS to severity name + df.loc[df['cvss'] == 0, 'cvss_severity'] = 'info' + df.loc[(df['cvss'] > 0) & (df['cvss'] < 3), 'cvss_severity'] = 'info' + df.loc[(df['cvss'] >= 3) & (df['cvss'] < 6), 'cvss_severity'] = 'medium' + df.loc[(df['cvss'] >= 6) & (df['cvss'] < 9), 'cvss_severity'] = 'high' + df.loc[df['cvss'] > 9, 'cvss_severity'] = 'critical' + + if 'cvss3_base' in df: + self.logger.info('Normalising CVSS3') + # CVSS3 = cvss3_temporal or cvss3_base + df['cvss3'] = df['cvss3_base'] + df.loc[df['cvss3_temporal'].notnull(), 'cvss3'] = df['cvss3_temporal'] + # Map CVSS to severity name + df.loc[df['cvss3'] == 0, 'cvss3_severity'] = 'info' + df.loc[(df['cvss3'] > 0) & (df['cvss3'] < 3), 'cvss3_severity'] = 'info' + df.loc[(df['cvss3'] >= 3) & (df['cvss3'] < 6), 'cvss3_severity'] = 'medium' + df.loc[(df['cvss3'] >= 6) & (df['cvss3'] < 9), 'cvss3_severity'] = 'high' + df.loc[df['cvss3'] > 9, 'cvss3_severity'] = 'critical' + + # Combine CVSS and CVSS3 vectors + if 'cvss_vector' in df and 'cvss_temporal_vector' in df: + self.logger.info('Normalising CVSS Vector') + df['cvss_vector'] = ( + df[['cvss_vector', 'cvss_temporal_vector']] + .apply(lambda x: '{}/{}'.format(x[0], x[1]), axis=1) + .str.rstrip('/nan') + ) + df.drop('cvss_temporal_vector', axis=1, inplace=True) + if 'cvss3_vector' in df and 'cvss3_temporal_vector' in df: + self.logger.info('Normalising CVSS Vector') + df['cvss3_vector'] = ( + df[['cvss3_vector', 'cvss3_temporal_vector']] + .apply(lambda x: '{}/{}'.format(x[0], x[1]), axis=1) + .str.rstrip('/nan') + ) + df.drop('cvss3_temporal_vector', 
axis=1, inplace=True) + return df + class vulnWhispererNessus(vulnWhispererBase): @@ -444,22 +490,23 @@ class vulnWhispererNessus(vulnWhispererBase): self.exit_code += 1 continue - clean_csv = pd.read_csv(io.StringIO(file_req.decode('utf-8'))) - if len(clean_csv) > 2: + vuln_ready = pd.read_csv(io.StringIO(file_req.decode('utf-8'))) + if len(vuln_ready) > 2: self.logger.info('Processing {}/{} for scan: {}'.format(scan_count, len(scan_list), scan_name.encode('utf8'))) # Map and transform fields - clean_csv = self.nessus.normalise(clean_csv) + vuln_ready = self.nessus.normalise(vuln_ready) + vuln_ready = self.common_normalise(vuln_ready) # Set common fields - clean_csv['scan_name'] = scan_name.encode('utf8') - clean_csv['scan_id'] = uuid + vuln_ready['scan_name'] = scan_name.encode('utf8') + vuln_ready['scan_id'] = uuid # Add timestamp and convert to milliseconds - clean_csv['_timestamp'] = norm_time - clean_csv['scan_source'] = self.CONFIG_SECTION + vuln_ready['_timestamp'] = norm_time + vuln_ready['scan_source'] = self.CONFIG_SECTION - clean_csv.to_json(relative_path_name, orient='records', lines=True) + vuln_ready.to_json(relative_path_name, orient='records', lines=True) record_meta = ( scan_name, @@ -467,14 +514,14 @@ class vulnWhispererNessus(vulnWhispererBase): norm_time, file_name, time.time(), - clean_csv.shape[0], + vuln_ready.shape[0], self.CONFIG_SECTION, uuid, 1, 0, ) self.record_insert(record_meta) - self.logger.info('(unknown) records written to {path} '.format(filename=clean_csv.shape[0], + self.logger.info('(unknown) records written to {path} '.format(filename=vuln_ready.shape[0], path=file_name.encode('utf8'))) else: record_meta = ( @@ -483,7 +530,7 @@ class vulnWhispererNessus(vulnWhispererBase): norm_time, file_name, time.time(), - clean_csv.shape[0], + vuln_ready.shape[0], self.CONFIG_SECTION, uuid, 1, 
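Review bot: The CVSS-to-severity mapping in `common_normalise` disagrees with the Logstash ranges it replaces: the `(cvss > 0) & (cvss < 3)` bucket is labelled `'info'` instead of `'low'`, and the last bucket uses `> 9`, so a score of exactly 9.0 matches neither `< 9` nor `> 9` and gets no `cvss_severity`; the cvss3 block repeats both errors. The `notnull()` guards also look ineffective at this call site, because `nessus.normalise` and `qualysVulnScan.normalise` run `df.fillna('', inplace=True)` before `common_normalise` is called (see the nessus.py and qualys_vuln.py hunks), so an absent temporal score arrives as `''`, which is not null, and overwrites `cvss`/`cvss3` with an empty string. The `if 'cvss_base' in df` guard does not cover the unguarded `df['cvss_temporal']` access either, which raises KeyError for a source that has the base column but not the temporal one. The rewrite below treats empty strings as missing and coerces to numeric before bucketing; the cvss3 block needs the same corrections.
```python
        if 'cvss_base' in df:
            self.logger.info('Normalising CVSS')
            # CVSS = cvss_temporal or cvss_base; '' (left by an upstream fillna('')) counts as missing
            df['cvss'] = df['cvss_base']
            if 'cvss_temporal' in df:
                has_temporal = df['cvss_temporal'].notnull() & (df['cvss_temporal'] != '')
                df.loc[has_temporal, 'cvss'] = df['cvss_temporal']
            # Map CVSS to severity name; bucket edges match the former logstash cvss_severity ranges
            cvss = pd.to_numeric(df['cvss'], errors='coerce')
            df.loc[cvss == 0, 'cvss_severity'] = 'info'
            df.loc[(cvss > 0) & (cvss < 3), 'cvss_severity'] = 'low'
            df.loc[(cvss >= 3) & (cvss < 6), 'cvss_severity'] = 'medium'
            df.loc[(cvss >= 6) & (cvss < 9), 'cvss_severity'] = 'high'
            df.loc[cvss >= 9, 'cvss_severity'] = 'critical'
        # … unchanged: cvss3 block (apply the same corrections) and vector combination …
```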
@@ -623,6 +670,7 @@ class vulnWhispererQualys(vulnWhispererBase): vuln_ready = self.qualys_scan.process_data(path=self.write_path, file_id=str(generated_report_id)) # Map and transform fields vuln_ready = self.qualys_scan.normalise(vuln_ready) + vuln_ready = self.common_normalise(vuln_ready) # TODO remove the line below once normalising complete vuln_ready.rename(columns=self.COLUMN_MAPPING, inplace=True) @@ -795,6 +843,7 @@ class vulnWhispererOpenVAS(vulnWhispererBase): vuln_ready = self.openvas_api.process_report(report_id=report_id) # Map and transform fields vuln_ready = self.openvas_api.normalise(vuln_ready) + vuln_ready = self.common_normalise(vuln_ready) # TODO move the following to the openvas_api.transform_values vuln_ready.rename(columns=self.COLUMN_MAPPING, inplace=True) vuln_ready.port = vuln_ready.port.fillna(0).astype(int) @@ -900,6 +949,7 @@ class vulnWhispererQualysVuln(vulnWhispererBase): vuln_ready = self.qualys_scan.process_data(scan_id=report_id) # Map and transform fields vuln_ready = self.qualys_scan.normalise(vuln_ready) + vuln_ready = self.common_normalise(vuln_ready) # Set common fields vuln_ready['scan_name'] = scan_name.encode('utf8') From 982d51a465f3cdcc783c539c0cf6a54e9ed6d2f3 Mon Sep 17 00:00:00 2001 From: pemontto Date: Mon, 15 Apr 2019 21:59:01 +1000 Subject: [PATCH 28/73] typo --- vulnwhisp/vulnwhisp.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/vulnwhisp/vulnwhisp.py b/vulnwhisp/vulnwhisp.py index 954e8ba..55f452a 100755 --- a/vulnwhisp/vulnwhisp.py +++ b/vulnwhisp/vulnwhisp.py @@ -242,6 +242,7 @@ class vulnWhispererBase(object): scan_names = [] return results + def common_normalise(self, df): """Map and transform common data values""" self.logger.info('Start common mapping') 
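Review bot: In the `vulnWhispererQualys` hunk `common_normalise` runs before `vuln_ready.rename(columns=self.COLUMN_MAPPING, inplace=True)`, while `common_normalise` keys its work on the presence of `cvss_base`/`cvss3_base`; if that rename is what produces those column names for Qualys web data (the mapping itself is outside this view), the normalisation is silently skipped for that source. Moving the call after the rename, or logging which of the guarded branches actually ran, would make the behaviour observable; the same ordering question applies to the `vulnWhispererOpenVAS` hunk. The enclosing methods start and end outside these hunks.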
@@ -279,7 +280,7 @@ class vulnWhispererBase(object): ) df.drop('cvss_temporal_vector', axis=1, inplace=True) if 'cvss3_vector' in df and 'cvss3_temporal_vector' in df: - self.logger.info('Normalising CVSS Vector') + self.logger.info('Normalising CVSS3 Vector') df['cvss3_vector'] = ( df[['cvss3_vector', 'cvss3_temporal_vector']] .apply(lambda x: '{}/{}'.format(x[0], x[1]), axis=1) From ca5500add41d8cd8215400ee644d1d5c392b2abd Mon Sep 17 00:00:00 2001 From: pemontto Date: Mon, 15 Apr 2019 22:02:33 +1000 Subject: [PATCH 29/73] cvss mapping moved to vulnwhisperer --- .../pipeline/1000_nessus_process_file.conf | 26 ------------- .../elk6/pipeline/2000_qualys_web_scans.conf | 26 ------------- resources/elk6/pipeline/3000_openvas.conf | 39 ------------------- 3 files changed, 91 deletions(-) diff --git a/resources/elk6/pipeline/1000_nessus_process_file.conf b/resources/elk6/pipeline/1000_nessus_process_file.conf index 335dd20..f22ade4 100644 --- a/resources/elk6/pipeline/1000_nessus_process_file.conf +++ b/resources/elk6/pipeline/1000_nessus_process_file.conf @@ -52,32 +52,6 @@ filter { convert => { "risk_number" => "integer"} convert => { "total_times_detected" => "integer"} } - - if [cvss] == 0 { - mutate { - add_field => { "cvss_severity" => "info" } - } - } - if [cvss] > 0 and [cvss] < 3 { - mutate { - add_field => { "cvss_severity" => "low" } - } - } - if [cvss] >= 3 and [cvss] < 6 { - mutate { - add_field => { "cvss_severity" => "medium" } - } - } - if [cvss] >=6 and [cvss] < 9 { - mutate { - add_field => { "cvss_severity" => "high" } - } - } - if [cvss] >= 9 { - mutate { - add_field => { "cvss_severity" => "critical" } - } - } } } diff --git a/resources/elk6/pipeline/2000_qualys_web_scans.conf b/resources/elk6/pipeline/2000_qualys_web_scans.conf index 6a4e11f..02fe101 100644 --- a/resources/elk6/pipeline/2000_qualys_web_scans.conf +++ b/resources/elk6/pipeline/2000_qualys_web_scans.conf 
@@ -49,32 +49,6 @@ filter { convert => { "total_times_detected" => "integer"} } - if [cvss] == 0 { - mutate { - add_field => { "cvss_severity" => "info" } - } - } - if [cvss] > 0 and [cvss] < 3 { - mutate { - add_field => { "cvss_severity" => "low" } - } - } - if [cvss] >= 3 and [cvss] < 6 { - mutate { - add_field => { "cvss_severity" => "medium" } - } - } - if [cvss] >=6 and [cvss] < 9 { - mutate { - add_field => { "cvss_severity" => "high" } - } - } - if [cvss] >= 9 { - mutate { - add_field => { "cvss_severity" => "critical" } - } - } - if [first_time_detected] { date { match => [ "first_time_detected", "dd MMM yyyy HH:mma 'GMT'ZZ", "dd MMM yyyy HH:mma 'GMT'" ] diff --git a/resources/elk6/pipeline/3000_openvas.conf b/resources/elk6/pipeline/3000_openvas.conf index 97b91ea..5a3b7d3 100644 --- a/resources/elk6/pipeline/3000_openvas.conf +++ b/resources/elk6/pipeline/3000_openvas.conf 
@@ -106,51 +106,12 @@ filter { convert => { "total_times_detected" => "integer"} } - if [cvss] == 0 { - mutate { - add_field => { "cvss_severity" => "info" } - } - } - if [cvss] > 0 and [cvss] < 3 { - mutate { - add_field => { "cvss_severity" => "low" } - } - } - if [cvss] >= 3 and [cvss] < 6 { - mutate { - add_field => { "cvss_severity" => "medium" } - } - } - if [cvss] >=6 and [cvss] < 9 { - mutate { - add_field => { "cvss_severity" => "high" } - } - } - if [cvss] >= 9 { - mutate { - add_field => { "cvss_severity" => "critical" } - } - } - # Add your critical assets by subnet or by hostname. Comment this field out if you don't want to tag any, but the asset panel will break. if [asset] =~ "^10\.0\.100\." { mutate { add_tag => [ "critical_asset" ] } } - mutate { - convert => { "plugin_id" => "integer"} - convert => { "id" => "integer"} - convert => { "risk_number" => "integer"} - convert => { "risk_score" => "float"} - convert => { "total_times_detected" => "integer"} - convert => { "cvss" => "float"} - convert => { "cvss_base" => "float"} - convert => { "cvss_temporal" => "float"} - convert => { "cvss3" => "float"} - convert => { "cvss3_base" => "float"} - convert => { "cvss3_temporal" => "float"} - } } } output { From 5dd20a74e9c27b3cf10ee8e704d1db40dff3f05b Mon Sep 17 00:00:00 2001 From: pemontto Date: Mon, 15 Apr 2019 23:04:08 +1000 Subject: [PATCH 30/73] Fix cvss score issues --- vulnwhisp/vulnwhisp.py | 45 +++++++++++++++++++++++++++--------------- 1 file changed, 29 insertions(+), 16 deletions(-) diff --git a/vulnwhisp/vulnwhisp.py b/vulnwhisp/vulnwhisp.py index 55f452a..b4677c3 100755 --- a/vulnwhisp/vulnwhisp.py +++ b/vulnwhisp/vulnwhisp.py 
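Review bot: Besides the cvss_severity block named in the commit message, this hunk also deletes the second `mutate { convert => ... }` block that cast `cvss`, `cvss_base`, `cvss_temporal`, `cvss3*`, `risk_score` and `plugin_id` to numeric types. The context line above it shows an earlier convert block that covers at least `total_times_detected`; unless that block also converts the cvss fields, the float mappings in the index template now depend entirely on the JSON vulnwhisperer writes. Worth confirming the first block covers them, or stating in the commit that the conversion moved to Python as well. The filter block continues above the hunk.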
@@ -246,29 +246,18 @@ class vulnWhispererBase(object):
 def common_normalise(self, df):
 """Map and transform common data values"""
 self.logger.info('Start common mapping')
+
 if 'cvss_base' in df:
- self.logger.info('Normalising CVSS')
+ self.logger.info('Normalising CVSS base')
 # CVSS = cvss_temporal or cvss_base
 df['cvss'] = df['cvss_base']
- df.loc[df['cvss_temporal'].notnull(), 'cvss'] = df['cvss_temporal']
- # Map CVSS to severity name
- df.loc[df['cvss'] == 0, 'cvss_severity'] = 'info'
- df.loc[(df['cvss'] > 0) & (df['cvss'] < 3), 'cvss_severity'] = 'info'
- df.loc[(df['cvss'] >= 3) & (df['cvss'] < 6), 'cvss_severity'] = 'medium'
- df.loc[(df['cvss'] >= 6) & (df['cvss'] < 9), 'cvss_severity'] = 'high'
- df.loc[df['cvss'] > 9, 'cvss_severity'] = 'critical'
+ df.loc[df['cvss_temporal'] != '', 'cvss'] = df['cvss_temporal']
 if 'cvss3_base' in df:
- self.logger.info('Normalising CVSS3')
+ self.logger.info('Normalising CVSS3 base')
 # CVSS3 = cvss3_temporal or cvss3_base
 df['cvss3'] = df['cvss3_base']
- df.loc[df['cvss3_temporal'].notnull(), 'cvss3'] = df['cvss3_temporal']
- # Map CVSS to severity name
- df.loc[df['cvss3'] == 0, 'cvss3_severity'] = 'info'
- df.loc[(df['cvss3'] > 0) & (df['cvss3'] < 3), 'cvss3_severity'] = 'info'
- df.loc[(df['cvss3'] >= 3) & (df['cvss3'] < 6), 'cvss3_severity'] = 'medium'
- df.loc[(df['cvss3'] >= 6) & (df['cvss3'] < 9), 'cvss3_severity'] = 'high'
- df.loc[df['cvss3'] > 9, 'cvss3_severity'] = 'critical'
+ df.loc[df['cvss3_temporal'] != '', 'cvss3'] = df['cvss3_temporal']
 # Combine CVSS and CVSS3 vectors
 if 'cvss_vector' in df and 'cvss_temporal_vector' in df:
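Review bot: Inside `if 'cvss_base' in df:` the new overwrite line reads `df['cvss_temporal']` without checking that the column exists, so a frame that carries a base score but no temporal column raises KeyError instead of keeping the base score; the cvss3 branch has the same shape with `cvss3_temporal`. Guard the overwrite with `if 'cvss_temporal' in df:` (and `if 'cvss3_temporal' in df:`) so the base-score fallback survives. Note also that `!= ''` only does what the replaced `.notnull()` did if missing temporal scores are empty strings by this point; a NaN compares `!= ''` as True and would overwrite the base score with NaN — presumably the source normalisers fill NaN with '' first, worth confirming. common_normalise continues past the end of the hunk.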
@@ -287,6 +276,30 @@ class vulnWhispererBase(object):
 .str.rstrip('/nan')
 )
 df.drop('cvss3_temporal_vector', axis=1, inplace=True)
+
+ if 'cvss' in df:
+ self.logger.info('Normalising CVSS severity')
+ # Map CVSS to severity name
+ df.loc[df['cvss'] == '', 'cvss'] = None
+ df['cvss'] = df['cvss'].astype('float')
+ df.loc[df['cvss'] == 0, 'cvss_severity'] = 'info'
+ df.loc[(df['cvss'] > 0) & (df['cvss'] < 3), 'cvss_severity'] = 'low'
+ df.loc[(df['cvss'] >= 3) & (df['cvss'] < 6), 'cvss_severity'] = 'medium'
+ df.loc[(df['cvss'] >= 6) & (df['cvss'] < 9), 'cvss_severity'] = 'high'
+ df.loc[(df['cvss'] > 9) & (df['cvss'].notnull()), 'cvss_severity'] = 'critical'
+
+ if 'cvss3' in df:
+ self.logger.info('Normalising CVSS3 severity')
+ # Map CVSS to severity name
+ df.loc[df['cvss3'] =='', 'cvss3'] = None
+ df['cvss3'] = df['cvss3'].astype('float')
+ df.loc[df['cvss3'] == 0, 'cvss3_severity'] = 'info'
+ df.loc[(df['cvss3'] > 0) & (df['cvss3'] < 3), 'cvss3_severity'] = 'low'
+ df.loc[(df['cvss3'] >= 3) & (df['cvss3'] < 6), 'cvss3_severity'] = 'medium'
+ df.loc[(df['cvss3'] >= 6) & (df['cvss3'] < 9), 'cvss3_severity'] = 'high'
+ df.loc[(df['cvss3'] > 9) & (df['cvss3'].notnull()), 'cvss3_severity'] = 'critical'
+
+ df.fillna('', inplace=True)
 return df
From eea417a0d9727f1797a7bcc781f18a17a5b2a042 Mon Sep 17 00:00:00 2001
From: pemontto
Date: Wed, 17 Apr 2019 16:31:23 +1000
Subject: [PATCH 31/73] fix cvss info severity
---
 vulnwhisp/vulnwhisp.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/vulnwhisp/vulnwhisp.py b/vulnwhisp/vulnwhisp.py
index b4677c3..e6bc285 100755
--- a/vulnwhisp/vulnwhisp.py
+++ b/vulnwhisp/vulnwhisp.py
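Review bot: The critical bucket uses `df['cvss'] > 9` while the high bucket stops at `< 9`, so a score of exactly 9.0 falls through every condition and gets no severity at all; the Logstash rules this replaces used `>= 9`, and 9.0 is the lower bound of the critical range. Change the cvss line to `df.loc[(df['cvss'] >= 9) & (df['cvss'].notnull()), 'cvss_severity'] = 'critical'` and the cvss3 line likewise. The `notnull()` term is redundant once the comparison is `>= 9`, since NaN compares False anyway, but it is harmless. The function's start is outside the hunk.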
@@ -282,7 +282,7 @@ class vulnWhispererBase(object):
 # Map CVSS to severity name
 df.loc[df['cvss'] == '', 'cvss'] = None
 df['cvss'] = df['cvss'].astype('float')
- df.loc[df['cvss'] == 0, 'cvss_severity'] = 'info'
+ df.loc[df['cvss'].isnull(), 'cvss_severity'] = 'info'
 df.loc[(df['cvss'] > 0) & (df['cvss'] < 3), 'cvss_severity'] = 'low'
 df.loc[(df['cvss'] >= 3) & (df['cvss'] < 6), 'cvss_severity'] = 'medium'
 df.loc[(df['cvss'] >= 6) & (df['cvss'] < 9), 'cvss_severity'] = 'high'
@@ -291,9 +291,9 @@ class vulnWhispererBase(object):
 if 'cvss3' in df:
 self.logger.info('Normalising CVSS3 severity')
 # Map CVSS to severity name
- df.loc[df['cvss3'] =='', 'cvss3'] = None
+ df.loc[df['cvss3'] == '', 'cvss3'] = None
 df['cvss3'] = df['cvss3'].astype('float')
- df.loc[df['cvss3'] == 0, 'cvss3_severity'] = 'info'
+ df.loc[df['cvss3'].isnull(), 'cvss3_severity'] = 'info'
 df.loc[(df['cvss3'] > 0) & (df['cvss3'] < 3), 'cvss3_severity'] = 'low'
 df.loc[(df['cvss3'] >= 3) & (df['cvss3'] < 6), 'cvss3_severity'] = 'medium'
 df.loc[(df['cvss3'] >= 6) & (df['cvss3'] < 9), 'cvss3_severity'] = 'high'
From 9c7600b2645d52ab4ee8039a72d03b54d43501ad Mon Sep 17 00:00:00 2001
From: pemontto
Date: Wed, 17 Apr 2019 16:31:37 +1000
Subject: [PATCH 32/73] Updates for normalised fields and json output
---
 .../elk6/logstash-vulnwhisperer-template.json | 54 +++++--------------
 tests/test-docker.sh | 20 +++----
 2 files changed, 22 insertions(+), 52 deletions(-)
diff --git a/resources/elk6/logstash-vulnwhisperer-template.json b/resources/elk6/logstash-vulnwhisperer-template.json
index 946597f..4ef1ead 100755
--- a/resources/elk6/logstash-vulnwhisperer-template.json
+++ b/resources/elk6/logstash-vulnwhisperer-template.json
@@ -1,5 +1,6 @@
 {
 "index_patterns": "logstash-vulnwhisperer-*",
+ "version": 2019041701,
 "mappings": {
 "doc": {
 "properties": {
@@ -22,9 +23,6 @@
 "asset_uuid": {
 "type": "keyword"
 },
- "assign_ip": {
- "type": "ip"
- },
 "category": {
 "type": "keyword"
 },
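Review bot: Replacing `df['cvss'] == 0` with `df['cvss'].isnull()` drops the 'info' label for findings whose score is genuinely 0.0: after `astype('float')` a zero is not null and does not satisfy `> 0`, so `cvss_severity` is left unset for it. The second hunk does the same for cvss3. Keep both cases: `df.loc[df['cvss'].isnull() | (df['cvss'] == 0), 'cvss_severity'] = 'info'`, and likewise `df.loc[df['cvss3'].isnull() | (df['cvss3'] == 0), 'cvss3_severity'] = 'info'`. common_normalise starts and ends outside these hunks.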
@@ -34,7 +32,7 @@ "cvss_base": { "type": "float" }, - "cvss_temporal_vector": { + "cvss_severity": { "type": "keyword" }, "cvss_temporal": { @@ -49,7 +47,7 @@ "cvss3_base": { "type": "float" }, - "cvss3_temporal_vector": { + "cvss3_severity": { "type": "keyword" }, "cvss3_temporal": { @@ -117,24 +115,14 @@ "host_start": { "type": "date" }, - "impact": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "norms": false, - "type": "text" - }, - "ip_status": { - "type": "keyword" - }, "ip": { "type": "ip" }, - "last_updated": { - "type": "date" + "mac_address": { + "type": "keyword" + }, + "netbios": { + "type": "keyword" }, "operating_system": { "type": "keyword" @@ -170,18 +158,9 @@ "protocol": { "type": "keyword" }, - "results": { - "type": "text" - }, "risk_number": { "type": "integer" }, - "risk_score_name": { - "type": "keyword" - }, - "risk_score": { - "type": "float" - }, "risk": { "type": "keyword" }, @@ -191,41 +170,32 @@ "scan_name": { "type": "keyword" }, - "scan_reference": { + "scan_source": { "type": "keyword" }, - "see_also": { + "severity": { "type": "keyword" }, "solution": { "type": "keyword" }, - "source": { + "ssl": { "type": "keyword" }, - "ssl": { + "state": { "type": "keyword" }, "synopsis": { "type": "keyword" }, - "system_type": { - "type": "keyword" - }, "tags": { "type": "keyword" }, - "threat": { - "type": "text" - }, "type": { "type": "keyword" }, "vendor_reference": { "type": "keyword" - }, - "vulnerability_state": { - "type": "keyword" } } } diff --git a/tests/test-docker.sh b/tests/test-docker.sh index 3d15b76..e67ef9b 100755 --- a/tests/test-docker.sh +++ b/tests/test-docker.sh 
@@ -29,13 +29,13 @@ done
 green "✅ Elasticsearch status is green..."
 count=0
-until [[ $(curl -s "$logstash_url/_node/stats" | jq '.events.out') -ge 1236 ]]; do
- yellow "Waiting for Logstash load to finish... $(curl -s "$logstash_url/_node/stats" | jq '.events.out') of 1236 (attempt $count of 60)"
+until [[ $(curl -s "$logstash_url/_node/stats" | jq '.events.out') -ge 1232 ]]; do
+ yellow "Waiting for Logstash load to finish... $(curl -s "$logstash_url/_node/stats" | jq '.events.out') of 1232 (attempt $count of 60)"
 ((count++)) && ((count==60)) && break
 sleep 5
 done
-if [[ count -le 60 && $(curl -s "$logstash_url/_node/stats" | jq '.events.out') -ge 1236 ]]; then
+if [[ count -le 60 && $(curl -s "$logstash_url/_node/stats" | jq '.events.out') -ge 1232 ]]; then
 green "✅ Logstash load finished..."
 else
 red "❌ Logstash load didn't complete... $(curl -s "$logstash_url/_node/stats" | jq '.events.out')"
@@ -49,7 +49,7 @@ until [[ $(curl -s "$elasticsearch_url/logstash-vulnwhisperer-2019.03/_count" |
 sleep 2
 done
 if [[ count -le 50 && $(curl -s "$elasticsearch_url/logstash-vulnwhisperer-2019.03/_count" | jq '.count') -ge 1232 ]]; then
- green "✅ logstash-vulnwhisperer-2019.03 document count >= 1232"
+ green "✅ logstash-vulnwhisperer-2019.03 document count $(curl -s "$elasticsearch_url/logstash-vulnwhisperer-2019.03/_count" | jq '.count') >= 1232"
 else
 red "❌ TIMED OUT waiting for logstash-vulnwhisperer-2019.03 document count: $(curl -s "$elasticsearch_url/logstash-vulnwhisperer-2019.03/_count" | jq) != 1232"
 fi
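Review bot: The expected event count 1232 is now written out in the loop condition, the progress message and the final check of this hunk, and again in the document-count check of the second hunk, and this commit had to edit each copy to move it from 1236. Define it once near the top of the script, `expected_events=1232`, and use `$expected_events` in the conditions and messages so the next fixture change is a one-line edit. The same applies to the attempt limits `60` and `50`, which are repeated between the loop break and the `if` that follows it.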
@@ -63,10 +63,10 @@ fi
 # Test Nessus plugin_name:Backported Security Patch Detection (FTP)
 nessus_doc=$(curl -s "$elasticsearch_url/logstash-vulnwhisperer-2019.03/_search?q=plugin_name:%22Backported%20Security%20Patch%20Detection%20(FTP)%22%20AND%20asset:176.28.50.164%20AND%20tags:nessus" | jq '.hits.hits[]._source')
-if echo $nessus_doc | jq '.risk' | grep -q "None"; then
- green "✅ Passed: Nessus risk == None"
+if echo $nessus_doc | jq '.risk' | grep -q "none"; then
+ green "✅ Passed: Nessus risk == none"
 else
- red "❌ Failed: Nessus risk == None was: $(echo $nessus_doc | jq '.risk') instead"
+ red "❌ Failed: Nessus risk == none was: $(echo $nessus_doc | jq '.risk') instead"
 ((return_code = return_code + 1))
 fi
@@ -99,10 +99,10 @@ else
 fi
 # Test @XXXX
-if echo $qualys_vuln_doc | jq '.cvss' | grep -q '6.8'; then
- green "✅ Passed: Qualys VM cvss == 6.8"
+if echo $qualys_vuln_doc | jq '.cvss' | grep -q '5.6'; then
+ green "✅ Passed: Qualys VM cvss == 5.6"
 else
- red "❌ Failed: Qualys VM cvss == 6.8 was: $(echo $qualys_vuln_doc | jq '.cvss') instead"
+ red "❌ Failed: Qualys VM cvss == 5.6 was: $(echo $qualys_vuln_doc | jq '.cvss') instead"
 ((return_code = return_code + 1))
 fi
From 50f6c43a2fca5e991c1283429850f03d20b4c4b4 Mon Sep 17 00:00:00 2001
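Review bot: `grep -q '5.6'` in the Qualys VM check is an unanchored regex match on jq's output, so `.` matches any character and values such as `15.6`, `5.67` or `5x6` would all make the test pass. Compare the extracted value instead: `if [[ $(echo "$qualys_vuln_doc" | jq -r '.cvss') == "5.6" ]]; then`. The Nessus check in the first hunk has the same shape with `grep -q "none"` and reads more precisely as a `jq -r '.risk'` equality too; quoting `"$nessus_doc"` and `"$qualys_vuln_doc"` in the echo also keeps the JSON document from being word-split before it reaches jq.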
From: pemontto Date: Wed, 17 Apr 2019 19:05:10 +1000 Subject: [PATCH 33/73] Remove ELK5 resources --- .../docker-compose_ELK5_unsupported.yml | 72 --- .../docker/1000_nessus_process_file.conf | 195 -------- .../docker/2000_qualys_web_scans.conf | 153 ------ .../docker/3000_openvas.conf | 146 ------ .../docker/4000_jira.conf | 21 - .../docker/logstash.yml | 5 - .../logstash-vulnwhisperer-template.json | 122 ----- .../filebeat/filebeat.yml | 116 ----- .../1000_vulnWhispererBaseVisuals.json | 450 ------------------ ...hisperer_ReportingMitigationDashboard.json | 43 -- ...alysVisuals (required with Dashboard).json | 170 ------- ...eportingMitigationDashboardQualysRisk.json | 50 -- .../9000_vulnWhisperer_SavedSearch.json | 28 -- .../logstash/0001_input_beats.conf | 14 - .../logstash/1000_nessus_process_file.conf | 195 -------- .../logstash/2000_qualys_web_scans.conf | 153 ------ .../logstash/3000_openvas.conf | 146 ------ .../logstash/4000_jira.conf | 21 - .../logstash/9998_input_broker_rabbitmq.conf | 13 - .../logstash/9998_output_broker_rabbitmq.conf | 16 - 20 files changed, 2129 deletions(-) delete mode 100644 resources/elk5-old_compatibility/docker-compose_ELK5_unsupported.yml delete mode 100644 resources/elk5-old_compatibility/docker/1000_nessus_process_file.conf delete mode 100644 resources/elk5-old_compatibility/docker/2000_qualys_web_scans.conf delete mode 100644 resources/elk5-old_compatibility/docker/3000_openvas.conf delete mode 100755 resources/elk5-old_compatibility/docker/4000_jira.conf delete mode 100644 resources/elk5-old_compatibility/docker/logstash.yml delete mode 100755 resources/elk5-old_compatibility/elasticsearch/logstash-vulnwhisperer-template.json delete mode 100755 resources/elk5-old_compatibility/filebeat/filebeat.yml delete mode 100755 resources/elk5-old_compatibility/kibana/vuln_whisp_kibana/1000_vulnWhispererBaseVisuals.json delete mode 100755 
resources/elk5-old_compatibility/kibana/vuln_whisp_kibana/1001_vulnWhisperer_ReportingMitigationDashboard.json delete mode 100755 resources/elk5-old_compatibility/kibana/vuln_whisp_kibana/2000_vulnWhisperer_QualysVisuals (required with Dashboard).json delete mode 100755 resources/elk5-old_compatibility/kibana/vuln_whisp_kibana/2001_vulnWhisperer_ReportingMitigationDashboardQualysRisk.json delete mode 100755 resources/elk5-old_compatibility/kibana/vuln_whisp_kibana/9000_vulnWhisperer_SavedSearch.json delete mode 100755 resources/elk5-old_compatibility/logstash/0001_input_beats.conf delete mode 100644 resources/elk5-old_compatibility/logstash/1000_nessus_process_file.conf delete mode 100644 resources/elk5-old_compatibility/logstash/2000_qualys_web_scans.conf delete mode 100644 resources/elk5-old_compatibility/logstash/3000_openvas.conf delete mode 100644 resources/elk5-old_compatibility/logstash/4000_jira.conf delete mode 100755 resources/elk5-old_compatibility/logstash/9998_input_broker_rabbitmq.conf delete mode 100755 resources/elk5-old_compatibility/logstash/9998_output_broker_rabbitmq.conf diff --git a/resources/elk5-old_compatibility/docker-compose_ELK5_unsupported.yml b/resources/elk5-old_compatibility/docker-compose_ELK5_unsupported.yml deleted file mode 100644 index 61cdae3..0000000 --- a/resources/elk5-old_compatibility/docker-compose_ELK5_unsupported.yml +++ /dev/null 
@@ -1,72 +0,0 @@ -version: '2' -services: - vulnwhisp-es1: - image: docker.elastic.co/elasticsearch/elasticsearch:5.6.2 - container_name: vulnwhisp-es1 - environment: - - cluster.name=vulnwhisperer - - bootstrap.memory_lock=true - - "ES_JAVA_OPTS=-Xms512m -Xmx512m" - ulimits: - memlock: - soft: -1 - hard: -1 - nofile: - soft: 65536 - hard: 65536 - mem_limit: 8g - volumes: - - esdata1:/usr/share/elasticsearch/data - ports: - - 9200:9200 - environment: - - xpack.security.enabled=false - #restart: always - networks: - esnet: - aliases: - - vulnwhisp-es1.local - vulnwhisp-ks1: - image: docker.elastic.co/kibana/kibana:5.6.2 - environment: - SERVER_NAME: vulnwhisp-ks1 - ELASTICSEARCH_URL: http://vulnwhisp-es1:9200 - ports: - - 5601:5601 - depends_on: - - vulnwhisp-es1 - networks: - esnet: - aliases: - - vulnwhisp-ks1.local - vulnwhisp-ls1: - image: docker.elastic.co/logstash/logstash:5.6.2 - container_name: vulnwhisp-ls1 - volumes: - - ./docker/1000_nessus_process_file.conf:/usr/share/logstash/pipeline/1000_nessus_process_file.conf - - ./docker/2000_qualys_web_scans.conf:/usr/share/logstash/pipeline/2000_qualys_web_scans.conf - - ./docker/3000_openvas.conf:/usr/share/logstash/pipeline/3000_openvas.conf - - ./docker/4000_jira.conf:/usr/share/logstash/pipeline/4000_jira.conf - - ./docker/logstash.yml:/usr/share/logstash/config/logstash.yml - - ./data/:/opt/VulnWhisperer/data - environment: - - xpack.monitoring.enabled=false - depends_on: - - vulnwhisp-es1 - networks: - esnet: - aliases: - - vulnwhisp-ls1.local - vulnwhisp-vulnwhisperer: - image: hasecuritysolutions/vulnwhisperer:latest - container_name: vulnwhisp-vulnwhisperer - volumes: - - ./data/:/opt/VulnWhisperer/data - - ./configs/frameworks_example.ini:/opt/VulnWhisperer/frameworks_example.ini - network_mode: host -volumes: - esdata1: - driver: local - -networks: - esnet: 
diff --git a/resources/elk5-old_compatibility/docker/1000_nessus_process_file.conf b/resources/elk5-old_compatibility/docker/1000_nessus_process_file.conf deleted file mode 100644 index 13e6f6c..0000000 --- a/resources/elk5-old_compatibility/docker/1000_nessus_process_file.conf +++ /dev/null 
@@ -1,195 +0,0 @@ -# Author: Austin Taylor and Justin Henderson -# Email: email@austintaylor.io -# Last Update: 12/20/2017 -# Version 0.3 -# Description: Take in nessus reports from vulnWhisperer and pumps into logstash - - -input { - file { - path => "/opt/VulnWhisperer/data/nessus/**/*.json" - start_position => "beginning" - tags => "nessus" - type => "nessus" - codec => json - } - file { - path => "/opt/VulnWhisperer/data/tenable/*.json" - start_position => "beginning" - tags => "nessus" - type => "nessus" - codec => json - } -} - -filter { - if "nessus" in [tags] or "tenable" in [tags] { - - #If using filebeats as your source, you will need to replace the "path" field to "source" - grok { - match => { "path" => "(?[a-zA-Z0-9_.\-]+)_%{INT:scan_id}_%{INT:history_id}_%{INT:last_updated}.(csv|json)$" } - tag_on_failure => [] - } - - date { - match => [ "last_updated", "UNIX" ] - target => "@timestamp" - remove_field => ["last_updated"] - } - - if [risk] == "None" { - mutate { add_field => { "risk_number" => 0 }} - } - if [risk] == "Low" { - mutate { add_field => { "risk_number" => 1 }} - } - if [risk] == "Medium" { - mutate { add_field => { "risk_number" => 2 }} - } - if [risk] == "High" { - mutate { add_field => { "risk_number" => 3 }} - } - if [risk] == "Critical" { - mutate { add_field => { "risk_number" => 4 }} - } - - if ![cve] or [cve] == "nan" { - mutate { remove_field => [ "cve" ] } - } - if ![cvss] or [cvss] == "nan" { - mutate { remove_field => [ "cvss" ] } - } - if ![cvss_base] or [cvss_base] == "nan" { - mutate { remove_field => [ "cvss_base" ] } - } - if ![cvss_temporal] or [cvss_temporal] == "nan" { - mutate { remove_field => [ "cvss_temporal" ] } - } - if ![cvss_temporal_vector] or [cvss_temporal_vector] == "nan" { - mutate { remove_field => [ "cvss_temporal_vector" ] } - } - if ![cvss_vector] or [cvss_vector] == "nan" { - mutate { remove_field => [ "cvss_vector" ] } - } - if ![cvss3_base] or [cvss3_base] == "nan" { - mutate { remove_field => [ 
"cvss3_base" ] } - } - if ![cvss3_temporal] or [cvss3_temporal] == "nan" { - mutate { remove_field => [ "cvss3_temporal" ] } - } - if ![cvss3_temporal_vector] or [cvss3_temporal_vector] == "nan" { - mutate { remove_field => [ "cvss3_temporal_vector" ] } - } - if ![description] or [description] == "nan" { - mutate { remove_field => [ "description" ] } - } - if ![mac_address] or [mac_address] == "nan" { - mutate { remove_field => [ "mac_address" ] } - } - if ![netbios] or [netbios] == "nan" { - mutate { remove_field => [ "netbios" ] } - } - if ![operating_system] or [operating_system] == "nan" { - mutate { remove_field => [ "operating_system" ] } - } - if ![plugin_output] or [plugin_output] == "nan" { - mutate { remove_field => [ "plugin_output" ] } - } - if ![see_also] or [see_also] == "nan" { - mutate { remove_field => [ "see_also" ] } - } - if ![synopsis] or [synopsis] == "nan" { - mutate { remove_field => [ "synopsis" ] } - } - if ![system_type] or [system_type] == "nan" { - mutate { remove_field => [ "system_type" ] } - } - - mutate { - remove_field => [ "message" ] - add_field => { "risk_score" => "%{cvss}" } - } - mutate { - convert => { "risk_score" => "float" } - } - if [risk_score] == 0 { - mutate { - add_field => { "risk_score_name" => "info" } - } - } - if [risk_score] > 0 and [risk_score] < 3 { - mutate { - add_field => { "risk_score_name" => "low" } - } - } - if [risk_score] >= 3 and [risk_score] < 6 { - mutate { - add_field => { "risk_score_name" => "medium" } - } - } - if [risk_score] >=6 and [risk_score] < 9 { - mutate { - add_field => { "risk_score_name" => "high" } - } - } - if [risk_score] >= 9 { - mutate { - add_field => { "risk_score_name" => "critical" } - } - } - - # Compensating controls - adjust risk_score - # Adobe and Java are not allowed to run in browser unless whitelisted - # Therefore, lower score by dividing by 3 (score is subjective to risk) - - #Modify and uncomment when ready to use - #if [risk_score] != 0 { - # if [plugin_name] =~ 
"Adobe" and [risk_score] > 6 or [plugin_name] =~ "Java" and [risk_score] > 6 { - # ruby { - # code => "event.set('risk_score', event.get('risk_score') / 3)" - # } - # mutate { - # add_field => { "compensating_control" => "Adobe and Flash removed from browsers unless whitelisted site." } - # } - # } - #} - - # Add tags for reporting based on assets or criticality - - if [asset] == "dc01" or [asset] == "dc02" or [asset] == "pki01" or [asset] == "192.168.0.54" or [asset] =~ "^192\.168\.0\." or [asset] =~ "^42.42.42." { - mutate { - add_tag => [ "critical_asset" ] - } - } - #if [asset] =~ "^192\.168\.[45][0-9][0-9]\.1$" or [asset] =~ "^192.168\.[50]\.[0-9]{1,2}\.1$"{ - # mutate { - # add_tag => [ "has_hipaa_data" ] - # } - #} - #if [asset] =~ "^192\.168\.[45][0-9][0-9]\." { - # mutate { - # add_tag => [ "hipaa_asset" ] - # } - #} - if [asset] =~ "^hr" { - mutate { - add_tag => [ "pci_asset" ] - } - } - #if [asset] =~ "^10\.0\.50\." { - # mutate { - # add_tag => [ "web_servers" ] - # } - #} - } -} - -output { - if "nessus" in [tags] or "tenable" in [tags] or [type] in [ "nessus", "tenable" ] { - # stdout { codec => rubydebug } - elasticsearch { - hosts => [ "vulnwhisp-es1.local:9200" ] - index => "logstash-vulnwhisperer-%{+YYYY.MM}" - } - } -} diff --git a/resources/elk5-old_compatibility/docker/2000_qualys_web_scans.conf b/resources/elk5-old_compatibility/docker/2000_qualys_web_scans.conf deleted file mode 100644 index 9d47a1c..0000000 --- a/resources/elk5-old_compatibility/docker/2000_qualys_web_scans.conf +++ /dev/null 
@@ -1,153 +0,0 @@ -# Author: Austin Taylor and Justin Henderson -# Email: austin@hasecuritysolutions.com -# Last Update: 12/30/2017 -# Version 0.3 -# Description: Take in qualys web scan reports from vulnWhisperer and pumps into logstash - -input { - file { - path => "/opt/VulnWhisperer/data/qualys/*.json" - type => json - codec => json - start_position => "beginning" - tags => [ "qualys" ] - } -} - -filter { - if "qualys" in [tags] { - grok { - match => { "path" => [ "(?qualys_vuln)_scan_%{DATA}_%{INT:last_updated}.json$", "(?qualys_web)_%{INT:app_id}_%{INT:last_updated}.json$" ] } - tag_on_failure => [] - } - - mutate { - replace => [ "message", "%{message}" ] - #gsub => [ - # "message", "\|\|\|", " ", - # "message", "\t\t", " ", - # "message", " ", " ", - # "message", " ", " ", - # "message", " ", " ", - # "message", "nan", " ", - # "message",'\n','' - #] - } - - if "qualys_web" in [tags] { - mutate { - add_field => { "asset" => "%{web_application_name}" } - add_field => { "risk_score" => "%{cvss}" } - } - } else if "qualys_vuln" in [tags] { - mutate { - add_field => { "asset" => "%{ip}" } - add_field => { "risk_score" => "%{cvss}" } - } - } - - if [risk] == "1" { - mutate { add_field => { "risk_number" => 0 }} - mutate { replace => { "risk" => "info" }} - } - if [risk] == "2" { - mutate { add_field => { "risk_number" => 1 }} - mutate { replace => { "risk" => "low" }} - } - if [risk] == "3" { - mutate { add_field => { "risk_number" => 2 }} - mutate { replace => { "risk" => "medium" }} - } - if [risk] == "4" { - mutate { add_field => { "risk_number" => 3 }} - mutate { replace => { "risk" => "high" }} - } - if [risk] == "5" { - mutate { add_field => { "risk_number" => 4 }} - mutate { replace => { "risk" => "critical" }} - } - - mutate { - remove_field => "message" - } - - if [first_time_detected] { - date { - match => [ "first_time_detected", "dd MMM yyyy HH:mma 'GMT'ZZ", "dd MMM yyyy HH:mma 'GMT'" ] - target => "first_time_detected" - } - } - if 
[first_time_tested] { - date { - match => [ "first_time_tested", "dd MMM yyyy HH:mma 'GMT'ZZ", "dd MMM yyyy HH:mma 'GMT'" ] - target => "first_time_tested" - } - } - if [last_time_detected] { - date { - match => [ "last_time_detected", "dd MMM yyyy HH:mma 'GMT'ZZ", "dd MMM yyyy HH:mma 'GMT'" ] - target => "last_time_detected" - } - } - if [last_time_tested] { - date { - match => [ "last_time_tested", "dd MMM yyyy HH:mma 'GMT'ZZ", "dd MMM yyyy HH:mma 'GMT'" ] - target => "last_time_tested" - } - } - date { - match => [ "last_updated", "UNIX" ] - target => "@timestamp" - remove_field => "last_updated" - } - mutate { - convert => { "plugin_id" => "integer"} - convert => { "id" => "integer"} - convert => { "risk_number" => "integer"} - convert => { "risk_score" => "float"} - convert => { "total_times_detected" => "integer"} - convert => { "cvss_temporal" => "float"} - convert => { "cvss" => "float"} - } - if [risk_score] == 0 { - mutate { - add_field => { "risk_score_name" => "info" } - } - } - if [risk_score] > 0 and [risk_score] < 3 { - mutate { - add_field => { "risk_score_name" => "low" } - } - } - if [risk_score] >= 3 and [risk_score] < 6 { - mutate { - add_field => { "risk_score_name" => "medium" } - } - } - if [risk_score] >=6 and [risk_score] < 9 { - mutate { - add_field => { "risk_score_name" => "high" } - } - } - if [risk_score] >= 9 { - mutate { - add_field => { "risk_score_name" => "critical" } - } - } - - if [asset] =~ "\.yourdomain\.(com|net)$" { - mutate { - add_tag => [ "critical_asset" ] - } - } - } -} -output { - if "qualys" in [tags] { - stdout { codec => rubydebug } - elasticsearch { - hosts => [ "vulnwhisp-es1.local:9200" ] - index => "logstash-vulnwhisperer-%{+YYYY.MM}" - } - } -} diff --git a/resources/elk5-old_compatibility/docker/3000_openvas.conf b/resources/elk5-old_compatibility/docker/3000_openvas.conf deleted file mode 100644 index 1b8c4b3..0000000 --- a/resources/elk5-old_compatibility/docker/3000_openvas.conf +++ /dev/null 
@@ -1,146 +0,0 @@ -# Author: Austin Taylor and Justin Henderson -# Email: austin@hasecuritysolutions.com -# Last Update: 03/04/2018 -# Version 0.3 -# Description: Take in qualys web scan reports from vulnWhisperer and pumps into logstash - -input { - file { - path => "/opt/VulnWhisperer/data/openvas/*.json" - type => json - codec => json - start_position => "beginning" - tags => [ "openvas_scan", "openvas" ] - } -} - -filter { - if "openvas_scan" in [tags] { - mutate { - replace => [ "message", "%{message}" ] - gsub => [ - "message", "\|\|\|", " ", - "message", "\t\t", " ", - "message", " ", " ", - "message", " ", " ", - "message", " ", " ", - "message", "nan", " ", - "message",'\n','' - ] - } - - - grok { - match => { "path" => "openvas_scan_%{DATA:scan_id}_%{INT:last_updated}.json$" } - tag_on_failure => [] - } - - mutate { - add_field => { "risk_score" => "%{cvss}" } - } - - if [risk] == "1" { - mutate { add_field => { "risk_number" => 0 }} - mutate { replace => { "risk" => "info" }} - } - if [risk] == "2" { - mutate { add_field => { "risk_number" => 1 }} - mutate { replace => { "risk" => "low" }} - } - if [risk] == "3" { - mutate { add_field => { "risk_number" => 2 }} - mutate { replace => { "risk" => "medium" }} - } - if [risk] == "4" { - mutate { add_field => { "risk_number" => 3 }} - mutate { replace => { "risk" => "high" }} - } - if [risk] == "5" { - mutate { add_field => { "risk_number" => 4 }} - mutate { replace => { "risk" => "critical" }} - } - - mutate { - remove_field => "message" - } - - if [first_time_detected] { - date { - match => [ "first_time_detected", "dd MMM yyyy HH:mma 'GMT'ZZ", "dd MMM yyyy HH:mma 'GMT'" ] - target => "first_time_detected" - } - } - if [first_time_tested] { - date { - match => [ "first_time_tested", "dd MMM yyyy HH:mma 'GMT'ZZ", "dd MMM yyyy HH:mma 'GMT'" ] - target => "first_time_tested" - } - } - if [last_time_detected] { - date { - match => [ "last_time_detected", "dd MMM yyyy HH:mma 'GMT'ZZ", "dd MMM yyyy HH:mma 'GMT'" 
] - target => "last_time_detected" - } - } - if [last_time_tested] { - date { - match => [ "last_time_tested", "dd MMM yyyy HH:mma 'GMT'ZZ", "dd MMM yyyy HH:mma 'GMT'" ] - target => "last_time_tested" - } - } - date { - match => [ "last_updated", "UNIX" ] - target => "@timestamp" - remove_field => "last_updated" - } - mutate { - convert => { "plugin_id" => "integer"} - convert => { "id" => "integer"} - convert => { "risk_number" => "integer"} - convert => { "risk_score" => "float"} - convert => { "total_times_detected" => "integer"} - convert => { "cvss_temporal" => "float"} - convert => { "cvss" => "float"} - } - if [risk_score] == 0 { - mutate { - add_field => { "risk_score_name" => "info" } - } - } - if [risk_score] > 0 and [risk_score] < 3 { - mutate { - add_field => { "risk_score_name" => "low" } - } - } - if [risk_score] >= 3 and [risk_score] < 6 { - mutate { - add_field => { "risk_score_name" => "medium" } - } - } - if [risk_score] >=6 and [risk_score] < 9 { - mutate { - add_field => { "risk_score_name" => "high" } - } - } - if [risk_score] >= 9 { - mutate { - add_field => { "risk_score_name" => "critical" } - } - } - # Add your critical assets by subnet or by hostname. Comment this field out if you don't want to tag any, but the asset panel will break. - if [asset] =~ "^10\.0\.100\." { - mutate { - add_tag => [ "critical_asset" ] - } - } - } -} -output { - if "openvas" in [tags] { - stdout { codec => rubydebug } - elasticsearch { - hosts => [ "vulnwhisp-es1.local:9200" ] - index => "logstash-vulnwhisperer-%{+YYYY.MM}" - } - } -} diff --git a/resources/elk5-old_compatibility/docker/4000_jira.conf b/resources/elk5-old_compatibility/docker/4000_jira.conf deleted file mode 100755 index a9f4966..0000000 --- a/resources/elk5-old_compatibility/docker/4000_jira.conf +++ /dev/null 
@@ -1,21 +0,0 @@
-# Description: Take in jira tickets from vulnWhisperer and pumps into logstash
-
-input {
- file {
- path => "/opt/Vulnwhisperer/jira/*.json"
- type => json
- codec => json
- start_position => "beginning"
- tags => [ "jira" ]
- }
-}
-
-output {
- if "jira" in [tags] {
- stdout { codec => rubydebug }
- elasticsearch {
- hosts => [ "vulnwhisp-es1.local:9200" ]
- index => "logstash-vulnwhisperer-%{+YYYY.MM}"
- }
- }
-}
diff --git a/resources/elk5-old_compatibility/docker/logstash.yml b/resources/elk5-old_compatibility/docker/logstash.yml
deleted file mode 100644
index 977cac8..0000000
--- a/resources/elk5-old_compatibility/docker/logstash.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-path.config: /usr/share/logstash/pipeline/
-xpack.monitoring.elasticsearch.password: changeme
-xpack.monitoring.elasticsearch.url: vulnwhisp-es1.local:9200
-xpack.monitoring.elasticsearch.username: elastic
-xpack.monitoring.enabled: false
diff --git a/resources/elk5-old_compatibility/elasticsearch/logstash-vulnwhisperer-template.json b/resources/elk5-old_compatibility/elasticsearch/logstash-vulnwhisperer-template.json
deleted file mode 100755
index b9d1a15..0000000
--- a/resources/elk5-old_compatibility/elasticsearch/logstash-vulnwhisperer-template.json
+++ /dev/null
@@ -1,122 +0,0 @@
-{
- "order": 0,
- "template": "logstash-vulnwhisperer-*",
- "settings": {
- "index": {
- "routing": {
- "allocation": {
- "total_shards_per_node": "2"
- }
- },
- "mapping": {
- "total_fields": {
- "limit": "3000"
- }
- },
- "refresh_interval": "5s",
- "number_of_shards": "1",
- "number_of_replicas": "0"
- }
- },
- "mappings": {
- "_default_": {
- "_all": {
- "enabled": false
- },
- "dynamic_templates": [
- {
- "message_field": {
- "path_match": "message",
- "match_mapping_type": "string",
- "mapping": {
- "type": "text",
- "norms": false
- }
- }
- },
- {
- "string_fields": {
- "match": "*",
- "match_mapping_type": "string",
- "mapping": {
- "type": "text",
- "norms": false,
- "fields": {
- "keyword": {
- "type": "keyword",
- "ignore_above": 256
- }
- }
- }
- }
- }
- ],
- "properties": {
- "plugin_id": {
- "type": "float"
- },
- "last_updated": {
- "type": "date"
- },
- "geoip": {
- "dynamic": true,
- "type": "object",
- "properties": {
- "ip": {
- "type": "ip"
- },
- "latitude": {
- "type": "float"
- },
- "location": {
- "type": "geo_point"
- },
- "longitude": {
- "type": "float"
- }
- }
- },
- "risk_score": {
- "type": "float"
- },
- "source": {
- "type": "keyword"
- },
- "synopsis": {
- "type": "keyword"
- },
- "see_also": {
- "type": "keyword"
- },
- "@timestamp": {
- "type": "date"
- },
- "cve": {
- "type": "keyword"
- },
- "solution": {
- "type": "keyword"
- },
- "port": {
- "type": "integer"
- },
- "host": {
- "type": "text"
- },
- "@version": {
- "type": "keyword"
- },
- "risk": {
- "type": "keyword"
- },
- "assign_ip": {
- "type": "ip"
- },
- "cvss": {
- "type": "float"
- }
- }
- }
- },
- "aliases": {}
-}
diff --git a/resources/elk5-old_compatibility/filebeat/filebeat.yml b/resources/elk5-old_compatibility/filebeat/filebeat.yml
deleted file mode 100755
index f4bb456..0000000
--- a/resources/elk5-old_compatibility/filebeat/filebeat.yml
+++ /dev/null
@@ -1,116 +0,0 @@ -###################### Filebeat Configuration Example ######################### - -# This file is an example configuration file highlighting only the most common -# options. The filebeat.full.yml file from the same directory contains all the -# supported options with more comments. You can use it as a reference. -# -# You can find the full configuration reference here: -# https://www.elastic.co/guide/en/beats/filebeat/index.html - -#=========================== Filebeat prospectors ============================= - -filebeat.prospectors: - -# Each - is a prospector. Most options can be set at the prospector level, so -# you can use different prospectors for various configurations. -# Below are the prospector specific configurations. - -- input_type: log - # Paths that should be crawled and fetched. Glob based paths. - paths: - # Linux Example - #- /var/log/*.log - - #Windows Example - - c:\nessus\My Scans\* - - # Exclude lines. A list of regular expressions to match. It drops the lines that are - # matching any regular expression from the list. - #exclude_lines: ["^DBG"] - - # Include lines. A list of regular expressions to match. It exports the lines that are - # matching any regular expression from the list. - #include_lines: ["^ERR", "^WARN"] - - # Exclude files. A list of regular expressions to match. Filebeat drops the files that - # are matching any regular expression from the list. By default, no files are dropped. - #exclude_files: [".gz$"] - - # Optional additional fields. These field can be freely picked - # to add additional information to the crawled log files for filtering - #fields: - # level: debug - # review: 1 - - ### Multiline options - - # Mutiline can be used for log messages spanning multiple lines. This is common - # for Java Stack Traces or C-Line Continuation - - # The regexp Pattern that has to be matched. 
The example pattern matches all lines starting with [ - #multiline.pattern: ^\[ - - # Defines if the pattern set under pattern should be negated or not. Default is false. - #multiline.negate: false - - # Match can be set to "after" or "before". It is used to define if lines should be append to a pattern - # that was (not) matched before or after or as long as a pattern is not matched based on negate. - # Note: After is the equivalent to previous and before is the equivalent to to next in Logstash - #multiline.match: after - - -#================================ General ===================================== - -# The name of the shipper that publishes the network data. It can be used to group -# all the transactions sent by a single shipper in the web interface. -#name: - -# The tags of the shipper are included in their own field with each -# transaction published. -#tags: ["service-X", "web-tier"] - -# Optional fields that you can specify to add additional information to the -# output. -#fields: -# env: staging - -#================================ Outputs ===================================== - -# Configure what outputs to use when sending the data collected by the beat. -# Multiple outputs may be used. - -#-------------------------- Elasticsearch output ------------------------------ -#output.elasticsearch: - # Array of hosts to connect to. -# hosts: ["logstash01:9200"] - - # Optional protocol and basic auth credentials. - #protocol: "https" - #username: "elastic" - #password: "changeme" - -#----------------------------- Logstash output -------------------------------- -output.logstash: - # The Logstash hosts - hosts: ["logstashserver1:5044", "logstashserver2:5044", "logstashserver3:5044"] - - # Optional SSL. By default is off. 
- # List of root certificates for HTTPS server verifications
- #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
-
- # Certificate for SSL client authentication
- #ssl.certificate: "/etc/pki/client/cert.pem"
-
- # Client Certificate Key
- #ssl.key: "/etc/pki/client/cert.key"
-
-#================================ Logging =====================================
-
-# Sets log level. The default log level is info.
-# Available log levels are: critical, error, warning, info, debug
-#logging.level: debug
-
-# At debug level, you can selectively enable logging only for some components.
-# To enable all selectors use ["*"]. Examples of other selectors are "beat",
-# "publish", "service".
-#logging.selectors: ["*"]
diff --git a/resources/elk5-old_compatibility/kibana/vuln_whisp_kibana/1000_vulnWhispererBaseVisuals.json b/resources/elk5-old_compatibility/kibana/vuln_whisp_kibana/1000_vulnWhispererBaseVisuals.json
deleted file mode 100755
index 83fadf2..0000000
--- a/resources/elk5-old_compatibility/kibana/vuln_whisp_kibana/1000_vulnWhispererBaseVisuals.json
+++ /dev/null
@@ -1,450 +0,0 @@ -[ - { - "_id": "80158c90-57c1-11e7-b484-a970fc9d150a", - "_type": "visualization", - "_source": { - "title": "VulnWhisperer - HIPAA TL", - "visState": "{\"type\":\"timelion\",\"title\":\"VulnWhisperer - HIPAA TL\",\"params\":{\"expression\":\".es(index=logstash-vulnwhisperer-*,q='risk_score:>9 AND tags:pci_asset').label(\\\"PCI Assets\\\"),.es(index=logstash-vulnwhisperer-*,q='risk_score:>9 AND tags:has_hipaa_data').label(\\\"Has HIPAA Data\\\"),.es(index=logstash-vulnwhisperer-*,q='risk_score:>9 AND tags:hipaa_asset').label(\\\"HIPAA Assets\\\")\",\"interval\":\"auto\"}}", - "uiStateJSON": "{}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - } - } - }, - { - "_id": "479deab0-8a39-11e7-a58a-9bfcb3761a3d", - "_type": "visualization", - "_source": { - "title": "VulnWhisperer - TL - TaggedAssetsPluginNames", - "visState": "{\"title\":\"VulnWhisperer - TL - TaggedAssetsPluginNames\",\"type\":\"timelion\",\"params\":{\"expression\":\".es(index='logstash-vulnwhisperer-*', q='tags:critical_asset OR tags:hipaa_asset OR tags:pci_asset', split=\\\"plugin_name.keyword:10\\\").bars(width=4).label(regex=\\\".*:(.+)>.*\\\",label=\\\"$1\\\")\",\"interval\":\"auto\"},\"aggs\":[],\"listeners\":{}}", - "uiStateJSON": "{}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" - } - } - }, - { - "_id": "84f5c370-8a38-11e7-a58a-9bfcb3761a3d", - "_type": "visualization", - "_source": { - "title": "VulnWhisperer - TL - CriticalAssetsPluginNames", - "visState": "{\"title\":\"VulnWhisperer - TL - CriticalAssetsPluginNames\",\"type\":\"timelion\",\"params\":{\"expression\":\".es(index='logstash-vulnwhisperer-*', q='tags:critical_asset', split=\\\"plugin_name.keyword:10\\\").bars(width=4).label(regex=\\\".*:(.+)>.*\\\",label=\\\"$1\\\")\",\"interval\":\"auto\"},\"aggs\":[],\"listeners\":{}}", - 
"uiStateJSON": "{}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" - } - } - }, - { - "_id": "307cdae0-8a38-11e7-a58a-9bfcb3761a3d", - "_type": "visualization", - "_source": { - "title": "VulnWhisperer - TL - PluginNames", - "visState": "{\"title\":\"VulnWhisperer - TL - PluginNames\",\"type\":\"timelion\",\"params\":{\"expression\":\".es(index='logstash-vulnwhisperer-*', split=\\\"plugin_name.keyword:25\\\").bars(width=4).label(regex=\\\".*:(.+)>.*\\\",label=\\\"$1\\\")\",\"interval\":\"auto\"},\"aggs\":[],\"listeners\":{}}", - "uiStateJSON": "{}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" - } - } - }, - { - "_id": "5093c620-44e9-11e7-8014-ede06a7e69f8", - "_type": "visualization", - "_source": { - "title": "VulnWhisperer - Mitigation Readme", - "visState": "{\"title\":\"VulnWhisperer - Mitigation Readme\",\"type\":\"markdown\",\"params\":{\"markdown\":\"** Legend **\\n\\n* [Common Vulnerability Scoring System (CVSS)](https://nvd.nist.gov/vuln-metrics/cvss) is the NIST vulnerability scoring system\\n* Risk Number is residual risk score calculated from CVSS, which is adjusted to be specific to the netowrk owner, which accounts for services not in use such as Java and Flash\\n* Vulnerabilities by Tag are systems tagged with HIPAA and PCI identification.\\n\\n\\n** Workflow **\\n* Select 10.0 under Risk Number to identify Critical Vulnerabilities. 
\\n* For more information about a CVE, scroll down and click the CVE link.\\n* To filter by tags, use one of the following filters:\\n** tags:has_hipaa_data, tags:pci_asset, tags:hipaa_asset, tags:critical_asset**\"},\"aggs\":[],\"listeners\":{}}", - "uiStateJSON": "{}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" - } - } - }, - { - "_id": "7e7fbc90-3df2-11e7-a44e-c79ca8efb780", - "_type": "visualization", - "_source": { - "title": "VulnWhisperer-PluginID", - "visState": "{\"title\":\"VulnWhisperer-PluginID\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"plugin_id\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logstash-vulnwhisperer-*\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}},\"filter\":[]}" - } - } - }, - { - "_id": "5a3c0340-3eb3-11e7-a192-93f36fbd9d05", - "_type": "visualization", - "_source": { - "title": "VulnWhisperer-CVSSHeatmap", - "visState": "{\"title\":\"VulnWhisperer-CVSSHeatmap\",\"type\":\"heatmap\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"enableHover\":false,\"legendPosition\":\"right\",\"times\":[],\"colorsNumber\":4,\"colorSchema\":\"Yellow to 
Red\",\"setColorRange\":false,\"colorsRange\":[],\"invertColors\":false,\"percentageMode\":false,\"valueAxes\":[{\"show\":false,\"id\":\"ValueAxis-1\",\"type\":\"value\",\"scale\":{\"type\":\"linear\",\"defaultYExtents\":false},\"labels\":{\"show\":false,\"rotate\":0,\"color\":\"#555\"}}]},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"host.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"cvss.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"_term\"}}],\"listeners\":{}}", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 3500\":\"rgb(255,255,204)\",\"3500 - 7000\":\"rgb(254,217,118)\",\"7000 - 10500\":\"rgb(253,141,60)\",\"10500 - 14000\":\"rgb(227,27,28)\"}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logstash-vulnwhisperer-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" - } - } - }, - { - "_id": "1de9e550-3df1-11e7-a44e-c79ca8efb780", - "_type": "visualization", - "_source": { - "title": "VulnWhisperer-Description", - "visState": "{\"title\":\"VulnWhisperer-Description\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"description.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Description\"}}],\"listeners\":{}}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - 
"version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logstash-vulnwhisperer-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" - } - } - }, - { - "_id": "13c7d4e0-3df3-11e7-a44e-c79ca8efb780", - "_type": "visualization", - "_source": { - "title": "VulnWhisperer-Solution", - "visState": "{\"title\":\"VulnWhisperer-Solution\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"solution.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Solution\"}}],\"listeners\":{}}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logstash-vulnwhisperer-*\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}},\"filter\":[]}" - } - } - }, - { - "_id": "297df800-3f7e-11e7-bd24-6903e3283192", - "_type": "visualization", - "_source": { - "title": "VulnWhisperer - Plugin Name", - "visState": "{\"title\":\"VulnWhisperer - Plugin Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"plugin_name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Plugin Name\"}}],\"listeners\":{}}", - "uiStateJSON": 
"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logstash-vulnwhisperer-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" - } - } - }, - { - "_id": "de1a5f40-3f85-11e7-97f9-3777d794626d", - "_type": "visualization", - "_source": { - "title": "VulnWhisperer - ScanName", - "visState": "{\"title\":\"VulnWhisperer - ScanName\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"scan_name.keyword\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Scan Name\"}}],\"listeners\":{}}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logstash-vulnwhisperer-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" - } - } - }, - { - "_id": "ecbb99c0-3f84-11e7-97f9-3777d794626d", - "_type": "visualization", - "_source": { - "title": "VulnWhisperer - Total", - "visState": "{\"title\":\"VulnWhisperer - Total\",\"type\":\"metric\",\"params\":{\"handleNoResults\":true,\"fontSize\":60},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Total\"}}],\"listeners\":{}}", - "uiStateJSON": "{}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logstash-vulnwhisperer-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" - } - } - }, - { 
- "_id": "471a3580-3f6b-11e7-88e7-df1abe6547fb", - "_type": "visualization", - "_source": { - "title": "VulnWhisperer - Vulnerabilities by Tag", - "visState": "{\"title\":\"VulnWhisperer - Vulnerabilities by Tag\",\"type\":\"table\",\"params\":{\"perPage\":3,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"filters\",\"schema\":\"bucket\",\"params\":{\"filters\":[{\"input\":{\"query\":{\"query_string\":{\"query\":\"tags:has_hipaa_data\",\"analyze_wildcard\":true}}},\"label\":\"Systems with HIPAA data\"},{\"input\":{\"query\":{\"query_string\":{\"query\":\"tags:pci_asset\",\"analyze_wildcard\":true}}},\"label\":\"PCI Systems\"},{\"input\":{\"query\":{\"query_string\":{\"query\":\"tags:hipaa_asset\",\"analyze_wildcard\":true}}},\"label\":\"HIPAA Systems\"}]}}],\"listeners\":{}}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logstash-vulnwhisperer-*\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}},\"filter\":[]}" - } - } - }, - { - "_id": "35b6d320-3f7f-11e7-bd24-6903e3283192", - "_type": "visualization", - "_source": { - "title": "VulnWhisperer - Residual Risk", - "visState": "{\"title\":\"VulnWhisperer - Residual 
Risk\",\"type\":\"table\",\"params\":{\"perPage\":15,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":0,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"risk_score\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Risk Number\"}}],\"listeners\":{}}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":0,\"direction\":\"desc\"}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logstash-vulnwhisperer-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" - } - } - }, - { - "_id": "a9225930-3df2-11e7-a44e-c79ca8efb780", - "_type": "visualization", - "_source": { - "title": "VulnWhisperer-Risk", - "visState": "{\"title\":\"VulnWhisperer-Risk\",\"type\":\"table\",\"params\":{\"perPage\":4,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"risk\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Risk Severity\"}}],\"listeners\":{}}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logstash-vulnwhisperer-*\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}},\"filter\":[]}" - } - } - }, - { - "_id": "2f979030-44b9-11e7-a818-f5f80dfc3590", - "_type": "visualization", - "_source": { - "title": "VulnWhisperer - ScanBarChart", - 
"visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Scan Name\",\"field\":\"plugin_name.keyword\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"times\":[]},\"title\":\"VulnWhisperer - ScanBarChart\",\"type\":\"histogram\"}", - "uiStateJSON": "{}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logstash-vulnwhisperer-*\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}},\"filter\":[]}" - } - } - }, - { - "_id": "a6508640-897a-11e7-bbc0-33592ce0be1e", - "_type": "visualization", - "_source": { - "title": "VulnWhisperer - Critical Assets Aggregated", - "visState": "{\"title\":\"VulnWhisperer - Critical Assets Aggregated\",\"type\":\"heatmap\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"enableHover\":true,\"legendPosition\":\"right\",\"times\":[],\"colorsNumber\":4,\"colorSchema\":\"Green to Red\",\"setColorRange\":true,\"colorsRange\":[{\"from\":0,\"to\":3},{\"from\":3,\"to\":7},{\"from\":7,\"to\":9},{\"from\":9,\"to\":11}],\"invertColors\":false,\"percentageMode\":false,\"valueAxes\":[{\"show\":false,\"id\":\"ValueAxis-1\",\"type\":\"value\",\"scale\":{\"type\":\"linear\",\"defaultYExtents\":false},\"labels\":{\"show\":true,\"rotate\":0,\"color\":\"white\"}}]},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"risk_score\",\"customLabel\":\"Residual Risk 
Score\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"Date\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"host\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Critical Asset IP\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"split\",\"params\":{\"field\":\"plugin_name.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"row\":true}}],\"listeners\":{}}", - "uiStateJSON": "{\"vis\":{\"colors\":{\"0 - 3\":\"#7EB26D\",\"3 - 7\":\"#EAB839\",\"7 - 9\":\"#EF843C\",\"8 - 10\":\"#BF1B00\",\"9 - 11\":\"#BF1B00\"},\"defaultColors\":{\"0 - 3\":\"rgb(0,104,55)\",\"3 - 7\":\"rgb(135,203,103)\",\"7 - 9\":\"rgb(255,255,190)\",\"9 - 11\":\"rgb(249,142,82)\"},\"legendOpen\":false}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logstash-vulnwhisperer-*\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}},\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":\"Critical Asset\",\"disabled\":false,\"index\":\"logstash-vulnwhisperer-*\",\"key\":\"tags\",\"negate\":false,\"type\":\"phrase\",\"value\":\"critical_asset\"},\"query\":{\"match\":{\"tags\":{\"query\":\"critical_asset\",\"type\":\"phrase\"}}}}]}" - } - } - }, - { - "_id": "099a3820-3f68-11e7-a6bd-e764d950e506", - "_type": "visualization", - "_source": { - "title": "Timelion VulnWhisperer Example", - "visState": "{\"type\":\"timelion\",\"title\":\"Timelion VulnWhisperer Example\",\"params\":{\"expression\":\".es(index=logstash-vulnwhisperer-*,q=risk:high).label(\\\"Current High Risk\\\"),.es(index=logstash-vulnwhisperer-*,q=risk:high,offset=-1y).label(\\\"Last 1 Year High Risk\\\"),.es(index=logstash-vulnwhisperer-*,q=risk:medium).label(\\\"Current Medium 
Risk\\\"),.es(index=logstash-vulnwhisperer-*,q=risk:medium,offset=-1y).label(\\\"Last 1 Year Medium Risk\\\")\",\"interval\":\"auto\"}}", - "uiStateJSON": "{}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - } - } - }, - { - "_id": "67d432e0-44ec-11e7-a05f-d9719b331a27", - "_type": "visualization", - "_source": { - "title": "VulnWhisperer - TL-Critical Risk", - "visState": "{\"title\":\"VulnWhisperer - TL-Critical Risk\",\"type\":\"timelion\",\"params\":{\"expression\":\".es(index='logstash-vulnwhisperer-*',q='(risk_score:>=9 AND risk_score:<=10)').label(\\\"Original\\\"),.es(index='logstash-vulnwhisperer-*',q='(risk_score:>=9 AND risk_score:<=10)',offset=-1w).label(\\\"One week offset\\\"),.es(index='logstash-vulnwhisperer-*',q='(risk_score:>=9 AND risk_score:<=10)').subtract(.es(index='logstash-vulnwhisperer-*',q='(risk_score:>=9 AND risk_score:<=10)',offset=-1w)).label(\\\"Difference\\\").lines(steps=3,fill=2,width=1)\",\"interval\":\"auto\"},\"aggs\":[],\"listeners\":{}}", - "uiStateJSON": "{}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" - } - } - }, - { - "_id": "a91b9fe0-44ec-11e7-a05f-d9719b331a27", - "_type": "visualization", - "_source": { - "title": "VulnWhisperer - TL-Medium Risk", - "visState": "{\"title\":\"VulnWhisperer - TL-Medium Risk\",\"type\":\"timelion\",\"params\":{\"expression\":\".es(index='logstash-vulnwhisperer-*',q='(risk_score:>=4 AND risk_score:<7)').label(\\\"Original\\\"),.es(index='logstash-vulnwhisperer-*',q='(risk_score:>=4 AND risk_score:<7)',offset=-1w).label(\\\"One week offset\\\"),.es(index='logstash-vulnwhisperer-*',q='(risk_score:>=4 AND risk_score:<7)').subtract(.es(index='logstash-vulnwhisperer-*',q='(risk_score:>=4 AND 
risk_score:<7)',offset=-1w)).label(\\\"Difference\\\").lines(steps=3,fill=2,width=1)\",\"interval\":\"auto\"},\"aggs\":[],\"listeners\":{}}", - "uiStateJSON": "{}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" - } - } - }, - { - "_id": "8d9592d0-44ec-11e7-a05f-d9719b331a27", - "_type": "visualization", - "_source": { - "title": "VulnWhisperer - TL-High Risk", - "visState": "{\"title\":\"VulnWhisperer - TL-High Risk\",\"type\":\"timelion\",\"params\":{\"expression\":\".es(index='logstash-vulnwhisperer-*',q='(risk_score:>=7 AND risk_score:<9)').label(\\\"Original\\\"),.es(index='logstash-vulnwhisperer-*',q='(risk_score:>=7 AND risk_score:<9)',offset=-1w).label(\\\"One week offset\\\"),.es(index='logstash-vulnwhisperer-*',q='(risk_score:>=7 AND risk_score:<9)').subtract(.es(index='logstash-vulnwhisperer-*',q='(risk_score:>=7 AND risk_score:<9)',offset=-1w)).label(\\\"Difference\\\").lines(steps=3,fill=2,width=1)\",\"interval\":\"auto\"},\"aggs\":[],\"listeners\":{}}", - "uiStateJSON": "{}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" - } - } - }, - { - "_id": "a2d66660-44ec-11e7-a05f-d9719b331a27", - "_type": "visualization", - "_source": { - "title": "VulnWhisperer - TL-Low Risk", - "visState": "{\"title\":\"VulnWhisperer - TL-Low Risk\",\"type\":\"timelion\",\"params\":{\"expression\":\".es(index='logstash-vulnwhisperer-*',q='(risk_score:>0 AND risk_score:<4)').label(\\\"Original\\\"),.es(index='logstash-vulnwhisperer-*',q='(risk_score:>0 AND risk_score:<4)',offset=-1w).label(\\\"One week offset\\\"),.es(index='logstash-vulnwhisperer-*',q='(risk_score:>0 AND risk_score:<4)').subtract(.es(index='logstash-vulnwhisperer-*',q='(risk_score:>0 AND 
risk_score:<4)',offset=-1w)).label(\\\"Difference\\\").lines(steps=3,fill=2,width=1)\",\"interval\":\"auto\"},\"aggs\":[],\"listeners\":{}}", - "uiStateJSON": "{}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" - } - } - }, - { - "_id": "fb6eb020-49ab-11e7-8f8c-57ad64ec48a6", - "_type": "visualization", - "_source": { - "title": "VulnWhisperer - Critical Risk Score for Tagged Assets", - "visState": "{\"title\":\"VulnWhisperer - Critical Risk Score for Tagged Assets\",\"type\":\"timelion\",\"params\":{\"expression\":\".es(index=logstash-vulnwhisperer-*,q='risk_score:>9 AND tags:hipaa_asset').label(\\\"HIPAA Assets\\\"),.es(index=logstash-vulnwhisperer-*,q='risk_score:>9 AND tags:pci_asset').label(\\\"PCI Systems\\\"),.es(index=logstash-vulnwhisperer-*,q='risk_score:>9 AND tags:has_hipaa_data').label(\\\"Has HIPAA Data\\\")\",\"interval\":\"auto\"},\"aggs\":[],\"listeners\":{}}", - "uiStateJSON": "{}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" - } - } - }, - { - "_id": "b2f2adb0-897f-11e7-a2d2-c57bca21b3aa", - "_type": "visualization", - "_source": { - "title": "VulnWhisperer - Risk: Total", - "visState": "{\"title\":\"VulnWhisperer - Risk: Total\",\"type\":\"goal\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to 
Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"gaugeColorMode\":\"Background\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":false},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":true,\"width\":2},\"style\":{\"bgColor\":true,\"bgFill\":\"white\",\"fontSize\":\"34\",\"labelColor\":false,\"subText\":\"Risk\"},\"type\":\"simple\",\"useRanges\":false,\"verticalSplit\":false},\"type\":\"gauge\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Total\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"schema\":\"group\",\"params\":{\"filters\":[{\"input\":{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}}},\"label\":\"Critical\"}]}}],\"listeners\":{}}", - "uiStateJSON": "{\"vis\":{\"colors\":{\"0 - 10000\":\"#64B0C8\"},\"defaultColors\":{\"0 - 10000\":\"rgb(0,104,55)\"},\"legendOpen\":false}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logstash-vulnwhisperer-*\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}},\"filter\":[]}" - } - } - }, - { - "_id": "465c5820-8977-11e7-857e-e1d56b17746d", - "_type": "visualization", - "_source": { - "title": "VulnWhisperer - Critical Assets", - "visState": "{\"title\":\"VulnWhisperer - Critical Assets\",\"type\":\"heatmap\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"enableHover\":true,\"legendPosition\":\"right\",\"times\":[],\"colorsNumber\":4,\"colorSchema\":\"Green to 
Red\",\"setColorRange\":true,\"colorsRange\":[{\"from\":0,\"to\":3},{\"from\":3,\"to\":7},{\"from\":7,\"to\":9},{\"from\":9,\"to\":11}],\"invertColors\":false,\"percentageMode\":false,\"valueAxes\":[{\"show\":false,\"id\":\"ValueAxis-1\",\"type\":\"value\",\"scale\":{\"type\":\"linear\",\"defaultYExtents\":false},\"labels\":{\"show\":false,\"rotate\":0,\"color\":\"white\"}}],\"type\":\"heatmap\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"risk_score\",\"customLabel\":\"Residual Risk Score\"}},{\"id\":\"2\",\"enabled\":false,\"type\":\"terms\",\"schema\":\"split\",\"params\":{\"field\":\"risk_score\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"row\":true}},{\"id\":\"3\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"Date\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"asset.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Critical Asset\"}}],\"listeners\":{}}", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 3\":\"rgb(0,104,55)\",\"3 - 7\":\"rgb(135,203,103)\",\"7 - 9\":\"rgb(255,255,190)\",\"9 - 11\":\"rgb(249,142,82)\"},\"colors\":{\"8 - 10\":\"#BF1B00\",\"9 - 11\":\"#BF1B00\",\"7 - 9\":\"#EF843C\",\"3 - 7\":\"#EAB839\",\"0 - 3\":\"#7EB26D\"},\"legendOpen\":false}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logstash-vulnwhisperer-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[{\"meta\":{\"index\":\"logstash-vulnwhisperer-*\",\"negate\":false,\"disabled\":false,\"alias\":\"Critical 
Asset\",\"type\":\"phrase\",\"key\":\"tags\",\"value\":\"critical_asset\"},\"query\":{\"match\":{\"tags\":{\"query\":\"critical_asset\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}]}" - } - } - }, - { - "_id": "852816e0-3eb1-11e7-90cb-918f9cb01e3d", - "_type": "visualization", - "_source": { - "title": "VulnWhisperer-CVSS", - "visState": "{\"title\":\"VulnWhisperer-CVSS\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\",\"type\":\"table\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"cvss.keyword\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"CVSS Score\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"asset.keyword\",\"customLabel\":\"# of Assets\"}}],\"listeners\":{}}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":0,\"direction\":\"desc\"}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logstash-vulnwhisperer-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" - } - } - }, - { - "_id": "d048c220-80b3-11e7-8790-73b60225f736", - "_type": "visualization", - "_source": { - "title": "VulnWhisperer - Risk: High", - "visState": "{\"title\":\"VulnWhisperer - Risk: High\",\"type\":\"goal\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"useRanges\":false,\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"Background\",\"colorsRange\":[{\"from\":0,\"to\":1000}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":true,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"bgFill\":\"white\",\"bgColor\":true,\"labelColor\":false,\"subText\":\"\",\"fontSize\":\"34\"},\"extendRange\":true}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"High Risk\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"schema\":\"group\",\"params\":{\"filters\":[{\"input\":{\"query\":{\"query_string\":{\"query\":\"risk_score_name:high\"}}},\"label\":\"\"}]}}],\"listeners\":{}}", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 1000\":\"rgb(0,104,55)\"},\"legendOpen\":true,\"colors\":{\"0 - 10000\":\"#EF843C\",\"0 - 1000\":\"#E0752D\"}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logstash-vulnwhisperer-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" - } - } - }, - { - "_id": "db55bce0-80b3-11e7-8790-73b60225f736", - "_type": "visualization", - "_source": { - "title": "VulnWhisperer - Risk: Critical", - "visState": "{\"title\":\"VulnWhisperer - Risk: Critical\",\"type\":\"goal\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to 
Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"gaugeColorMode\":\"Background\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":false},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":true,\"width\":2},\"style\":{\"bgColor\":true,\"bgFill\":\"white\",\"fontSize\":\"34\",\"labelColor\":false,\"subText\":\"Risk\"},\"type\":\"simple\",\"useRanges\":false,\"verticalSplit\":false},\"type\":\"gauge\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Critical Risk\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"schema\":\"group\",\"params\":{\"filters\":[{\"input\":{\"query\":{\"query_string\":{\"query\":\"risk_score_name:critical\"}}},\"label\":\"Critical\"}]}}],\"listeners\":{}}", - "uiStateJSON": "{\"vis\":{\"colors\":{\"0 - 10000\":\"#BF1B00\"},\"defaultColors\":{\"0 - 10000\":\"rgb(0,104,55)\"},\"legendOpen\":false}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logstash-vulnwhisperer-*\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}},\"filter\":[]}" - } - } - }, - { - "_id": "56f0f5f0-3ebe-11e7-a192-93f36fbd9d05", - "_type": "visualization", - "_source": { - "title": "VulnWhisperer-RiskOverTime", - "visState": "{\"title\":\"VulnWhisperer-RiskOverTime\",\"type\":\"line\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"@timestamp per 12 
hours\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"},\"valueAxis\":\"ValueAxis-1\"},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"orderBucketsBySum\":false,\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"type\":\"line\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"filters\",\"schema\":\"group\",\"params\":{\"filters\":[{\"input\":{\"query\":{\"query_string\":{\"query\":\"risk_score_name:info\"}}},\"label\":\"Info\"},{\"input\":{\"query\":{\"query_string\":{\"query\":\"risk_score_name:low\"}}},\"label\":\"Low\"},{\"input\":{\"query\":{\"query_string\":{\"query\":\"risk_score_name:medium\"}}},\"label\":\"Medium\"},{\"input\":{\"query\":{\"query_string\":{\"query\":\"risk_score_name:high\"}}},\"label\":\"High\"},{\"input\":{\"query\":{\"query_string\":{\"query\":\"risk_score_name:critical\"}}},\"label\":\"Critical\"}]}}],\"listeners\":{}}", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Critical\":\"#962D82\",\"High\":\"#BF1B00\",\"Low\":\"#629E51\",\"Medium\":\"#EAB839\",\"Info\":\"#65C5DB\"}}}", - 
"description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logstash-vulnwhisperer-*\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}},\"filter\":[]}" - } - } - }, - { - "_id": "c1361da0-80b3-11e7-8790-73b60225f736", - "_type": "visualization", - "_source": { - "title": "VulnWhisperer - Risk: Medium", - "visState": "{\"title\":\"VulnWhisperer - Risk: Medium\",\"type\":\"goal\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"Background\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":true,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"bgFill\":\"white\",\"bgColor\":true,\"labelColor\":false,\"subText\":\"\",\"fontSize\":\"34\"},\"extendRange\":false},\"isDisplayWarning\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Medium Risk\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"schema\":\"group\",\"params\":{\"filters\":[{\"input\":{\"query\":{\"query_string\":{\"query\":\"risk_score_name:medium\"}}},\"label\":\"Medium Risk\"}]}}],\"listeners\":{}}", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 10000\":\"rgb(0,104,55)\"},\"legendOpen\":true,\"colors\":{\"0 - 10000\":\"#EAB839\"}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logstash-vulnwhisperer-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" - } - } - }, - { - "_id": "e46ff7f0-897d-11e7-934b-67cec0a7da65", - "_type": "visualization", - "_source": { - "title": 
"VulnWhisperer - Risk: Low", - "visState": "{\"title\":\"VulnWhisperer - Risk: Low\",\"type\":\"goal\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"Background\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":true,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"bgFill\":\"white\",\"bgColor\":true,\"labelColor\":false,\"subText\":\"\",\"fontSize\":\"34\"},\"extendRange\":false}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Low Risk\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"schema\":\"group\",\"params\":{\"filters\":[{\"input\":{\"query\":{\"query_string\":{\"query\":\"risk_score_name:low\"}}},\"label\":\"Low Risk\"}]}}],\"listeners\":{}}", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 10000\":\"rgb(0,104,55)\"},\"legendOpen\":true,\"colors\":{\"0 - 10000\":\"#629E51\"}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logstash-vulnwhisperer-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" - } - } - }, - { - "_id": "995e2280-3df3-11e7-a44e-c79ca8efb780", - "_type": "visualization", - "_source": { - "title": "VulnWhisperer-Asset", - "visState": 
"{\"title\":\"VulnWhisperer-Asset\",\"type\":\"table\",\"params\":{\"perPage\":15,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\",\"type\":\"table\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"asset.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Asset\"}}],\"listeners\":{}}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logstash-vulnwhisperer-*\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}},\"filter\":[]}" - } - } - } -] diff --git a/resources/elk5-old_compatibility/kibana/vuln_whisp_kibana/1001_vulnWhisperer_ReportingMitigationDashboard.json b/resources/elk5-old_compatibility/kibana/vuln_whisp_kibana/1001_vulnWhisperer_ReportingMitigationDashboard.json deleted file mode 100755 index 7b51eac..0000000 --- a/resources/elk5-old_compatibility/kibana/vuln_whisp_kibana/1001_vulnWhisperer_ReportingMitigationDashboard.json +++ /dev/null 
@@ -1,43 +0,0 @@ -[ - { - "_id": "72051530-448e-11e7-a818-f5f80dfc3590", - "_type": "dashboard", - "_source": { - "title": "VulnWhisperer - Reporting", - "hits": 0, - "description": "", - "panelsJSON": "[{\"col\":1,\"id\":\"2f979030-44b9-11e7-a818-f5f80dfc3590\",\"panelIndex\":5,\"row\":12,\"size_x\":6,\"size_y\":4,\"type\":\"visualization\"},{\"col\":1,\"id\":\"8d9592d0-44ec-11e7-a05f-d9719b331a27\",\"panelIndex\":12,\"row\":8,\"size_x\":6,\"size_y\":4,\"type\":\"visualization\"},{\"col\":7,\"id\":\"67d432e0-44ec-11e7-a05f-d9719b331a27\",\"panelIndex\":14,\"row\":4,\"size_x\":6,\"size_y\":4,\"type\":\"visualization\"},{\"col\":10,\"id\":\"297df800-3f7e-11e7-bd24-6903e3283192\",\"panelIndex\":15,\"row\":8,\"size_x\":3,\"size_y\":4,\"type\":\"visualization\"},{\"col\":7,\"id\":\"471a3580-3f6b-11e7-88e7-df1abe6547fb\",\"panelIndex\":20,\"row\":8,\"size_x\":3,\"size_y\":4,\"type\":\"visualization\"},{\"col\":11,\"id\":\"995e2280-3df3-11e7-a44e-c79ca8efb780\",\"panelIndex\":22,\"row\":1,\"size_x\":2,\"size_y\":3,\"type\":\"visualization\"},{\"col\":9,\"id\":\"b2f2adb0-897f-11e7-a2d2-c57bca21b3aa\",\"panelIndex\":23,\"row\":1,\"size_x\":2,\"size_y\":3,\"type\":\"visualization\"},{\"col\":7,\"id\":\"db55bce0-80b3-11e7-8790-73b60225f736\",\"panelIndex\":25,\"row\":1,\"size_x\":2,\"size_y\":3,\"type\":\"visualization\"},{\"col\":5,\"id\":\"d048c220-80b3-11e7-8790-73b60225f736\",\"panelIndex\":26,\"row\":1,\"size_x\":2,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"e46ff7f0-897d-11e7-934b-67cec0a7da65\",\"panelIndex\":27,\"row\":1,\"size_x\":2,\"size_y\":3,\"type\":\"visualization\"},{\"col\":3,\"id\":\"c1361da0-80b3-11e7-8790-73b60225f736\",\"panelIndex\":28,\"row\":1,\"size_x\":2,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"479deab0-8a39-11e7-a58a-9bfcb3761a3d\",\"panelIndex\":29,\"row\":4,\"size_x\":6,\"size_y\":4,\"type\":\"visualization\"}]", - "optionsJSON": "{\"darkTheme\":false}", - "uiStateJSON": 
"{\"P-15\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-20\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-21\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"P-22\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-23\":{\"vis\":{\"defaultColors\":{\"0 - 10000\":\"rgb(0,104,55)\"}}},\"P-24\":{\"vis\":{\"defaultColors\":{\"0 - 10000\":\"rgb(0,104,55)\"}}},\"P-25\":{\"vis\":{\"defaultColors\":{\"0 - 10000\":\"rgb(0,104,55)\"}}},\"P-26\":{\"vis\":{\"defaultColors\":{\"0 - 1000\":\"rgb(0,104,55)\"},\"legendOpen\":false}},\"P-27\":{\"vis\":{\"defaultColors\":{\"0 - 10000\":\"rgb(0,104,55)\"},\"legendOpen\":false}},\"P-28\":{\"vis\":{\"defaultColors\":{\"0 - 10000\":\"rgb(0,104,55)\"},\"legendOpen\":false}},\"P-5\":{\"vis\":{\"legendOpen\":false}}}", - "version": 1, - "timeRestore": true, - "timeTo": "now", - "timeFrom": "now-1y", - "refreshInterval": { - "display": "Off", - "pause": false, - "value": 0 - }, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"query\":{\"match_all\":{}}}],\"highlightAll\":true,\"version\":true}" - } - } - }, - { - "_id": "AWCUqesWib22Ai8JwW3u", - "_type": "dashboard", - "_source": { - "title": "VulnWhisperer - Risk Mitigation", - "hits": 0, - "description": "", - "panelsJSON": 
"[{\"col\":11,\"id\":\"995e2280-3df3-11e7-a44e-c79ca8efb780\",\"panelIndex\":20,\"row\":8,\"size_x\":2,\"size_y\":6,\"type\":\"visualization\"},{\"col\":1,\"id\":\"852816e0-3eb1-11e7-90cb-918f9cb01e3d\",\"panelIndex\":21,\"row\":10,\"size_x\":3,\"size_y\":5,\"type\":\"visualization\"},{\"col\":4,\"id\":\"297df800-3f7e-11e7-bd24-6903e3283192\",\"panelIndex\":27,\"row\":8,\"size_x\":3,\"size_y\":5,\"type\":\"visualization\"},{\"col\":9,\"id\":\"35b6d320-3f7f-11e7-bd24-6903e3283192\",\"panelIndex\":28,\"row\":8,\"size_x\":2,\"size_y\":6,\"type\":\"visualization\"},{\"col\":11,\"id\":\"471a3580-3f6b-11e7-88e7-df1abe6547fb\",\"panelIndex\":30,\"row\":1,\"size_x\":2,\"size_y\":3,\"type\":\"visualization\"},{\"col\":7,\"id\":\"de1a5f40-3f85-11e7-97f9-3777d794626d\",\"panelIndex\":31,\"row\":8,\"size_x\":2,\"size_y\":5,\"type\":\"visualization\"},{\"col\":10,\"id\":\"5093c620-44e9-11e7-8014-ede06a7e69f8\",\"panelIndex\":37,\"row\":4,\"size_x\":3,\"size_y\":4,\"type\":\"visualization\"},{\"col\":1,\"columns\":[\"host\",\"risk\",\"risk_score\",\"cve\",\"plugin_name\",\"solution\",\"plugin_output\"],\"id\":\"54648700-3f74-11e7-852e-69207a3d0726\",\"panelIndex\":38,\"row\":15,\"size_x\":12,\"size_y\":6,\"sort\":[\"@timestamp\",\"desc\"],\"type\":\"search\"},{\"col\":1,\"id\":\"fb6eb020-49ab-11e7-8f8c-57ad64ec48a6\",\"panelIndex\":39,\"row\":8,\"size_x\":3,\"size_y\":2,\"type\":\"visualization\"},{\"col\":5,\"id\":\"465c5820-8977-11e7-857e-e1d56b17746d\",\"panelIndex\":40,\"row\":4,\"size_x\":5,\"size_y\":4,\"type\":\"visualization\"},{\"col\":1,\"id\":\"56f0f5f0-3ebe-11e7-a192-93f36fbd9d05\",\"panelIndex\":46,\"row\":4,\"size_x\":4,\"size_y\":4,\"type\":\"visualization\"},{\"col\":1,\"id\":\"e46ff7f0-897d-11e7-934b-67cec0a7da65\",\"panelIndex\":47,\"row\":1,\"size_x\":2,\"size_y\":3,\"type\":\"visualization\"},{\"col\":3,\"id\":\"c1361da0-80b3-11e7-8790-73b60225f736\",\"panelIndex\":48,\"row\":1,\"size_x\":2,\"size_y\":3,\"type\":\"visualization\"},{\"col\":5,\"id\":\"d048c220-
80b3-11e7-8790-73b60225f736\",\"panelIndex\":49,\"row\":1,\"size_x\":2,\"size_y\":3,\"type\":\"visualization\"},{\"col\":7,\"id\":\"db55bce0-80b3-11e7-8790-73b60225f736\",\"panelIndex\":50,\"row\":1,\"size_x\":2,\"size_y\":3,\"type\":\"visualization\"},{\"col\":9,\"id\":\"b2f2adb0-897f-11e7-a2d2-c57bca21b3aa\",\"panelIndex\":51,\"row\":1,\"size_x\":2,\"size_y\":3,\"type\":\"visualization\"}]", - "optionsJSON": "{\"darkTheme\":false}", - "uiStateJSON": "{\"P-11\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-2\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-20\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-21\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":0,\"direction\":\"desc\"}}}},\"P-27\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-28\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":0,\"direction\":\"desc\"}}}},\"P-3\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":0,\"direction\":\"asc\"}}}},\"P-30\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-31\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-40\":{\"vis\":{\"defaultColors\":{\"0 - 3\":\"rgb(0,104,55)\",\"3 - 7\":\"rgb(135,203,103)\",\"7 - 9\":\"rgb(255,255,190)\",\"9 - 11\":\"rgb(249,142,82)\"}}},\"P-41\":{\"vis\":{\"defaultColors\":{\"0 - 10000\":\"rgb(0,104,55)\"}}},\"P-42\":{\"vis\":{\"defaultColors\":{\"0 - 10000\":\"rgb(0,104,55)\"}}},\"P-43\":{\"vis\":{\"defaultColors\":{\"0 - 1000\":\"rgb(0,104,55)\"}}},\"P-44\":{\"vis\":{\"defaultColors\":{\"0 - 10000\":\"rgb(0,104,55)\"}}},\"P-45\":{\"vis\":{\"defaultColors\":{\"0 - 10000\":\"rgb(0,104,55)\"}}},\"P-46\":{\"vis\":{\"legendOpen\":true}},\"P-47\":{\"vis\":{\"defaultColors\":{\"0 - 10000\":\"rgb(0,104,55)\"},\"legendOpen\":false}},\"P-48\":{\"vis\":{\"defaultColors\":{\"0 - 
10000\":\"rgb(0,104,55)\"},\"legendOpen\":false}},\"P-49\":{\"vis\":{\"defaultColors\":{\"0 - 1000\":\"rgb(0,104,55)\"},\"legendOpen\":false}},\"P-5\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-50\":{\"vis\":{\"defaultColors\":{\"0 - 10000\":\"rgb(0,104,55)\"}}},\"P-51\":{\"vis\":{\"defaultColors\":{\"0 - 10000\":\"rgb(0,104,55)\"}}},\"P-6\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-8\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}}", - "version": 1, - "timeRestore": false, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"query\":{\"match_all\":{}}}],\"highlightAll\":true,\"version\":true}" - } - } - } -] \ No newline at end of file diff --git a/resources/elk5-old_compatibility/kibana/vuln_whisp_kibana/2000_vulnWhisperer_QualysVisuals (required with Dashboard).json b/resources/elk5-old_compatibility/kibana/vuln_whisp_kibana/2000_vulnWhisperer_QualysVisuals (required with Dashboard).json deleted file mode 100755 index b55fe40..0000000 --- a/resources/elk5-old_compatibility/kibana/vuln_whisp_kibana/2000_vulnWhisperer_QualysVisuals (required with Dashboard).json +++ /dev/null 
@@ -1,170 +0,0 @@ -[ - { - "_id": "AWCUo-jRib22Ai8JwW1N", - "_type": "visualization", - "_source": { - "title": "VulnWhisperer - Risk: High Qualys Scoring", - "visState": "{\"title\":\"VulnWhisperer - Risk: High Qualys Scoring\",\"type\":\"goal\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"Background\",\"colorsRange\":[{\"from\":0,\"to\":1000}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":true,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"bgFill\":\"white\",\"bgColor\":true,\"labelColor\":false,\"subText\":\"\",\"fontSize\":\"34\"},\"extendRange\":true}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"High Risk\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"schema\":\"group\",\"params\":{\"filters\":[{\"input\":{\"query\":{\"query_string\":{\"query\":\"risk:high\"}}},\"label\":\"\"}]}}],\"listeners\":{}}", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 1000\":\"rgb(0,104,55)\"},\"legendOpen\":true,\"colors\":{\"0 - 10000\":\"#EF843C\",\"0 - 1000\":\"#E0752D\"}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logstash-vulnwhisperer-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" - } - } - }, - { - "_id": "AWCUozGBib22Ai8JwW1B", - "_type": "visualization", - "_source": { - "title": "VulnWhisperer - Risk: Medium Qualys Scoring", - "visState": "{\"title\":\"VulnWhisperer - Risk: Medium Qualys 
Scoring\",\"type\":\"goal\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"Background\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":true,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"bgFill\":\"white\",\"bgColor\":true,\"labelColor\":false,\"subText\":\"\",\"fontSize\":\"34\"},\"extendRange\":false}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Medium Risk\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"schema\":\"group\",\"params\":{\"filters\":[{\"input\":{\"query\":{\"query_string\":{\"query\":\"risk:medium\"}}},\"label\":\"Medium Risk\"}]}}],\"listeners\":{}}", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 10000\":\"rgb(0,104,55)\"},\"legendOpen\":true,\"colors\":{\"0 - 10000\":\"#EAB839\"}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logstash-vulnwhisperer-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" - } - } - }, - { - "_id": "AWCUpE3Kib22Ai8JwW1c", - "_type": "visualization", - "_source": { - "title": "VulnWhisperer - Risk: Critical Qualys Scoring", - "visState": "{\"title\":\"VulnWhisperer - Risk: Critical Qualys Scoring\",\"type\":\"goal\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to 
Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"gaugeColorMode\":\"Background\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":false},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":true,\"width\":2},\"style\":{\"bgColor\":true,\"bgFill\":\"white\",\"fontSize\":\"34\",\"labelColor\":false,\"subText\":\"Risk\"},\"type\":\"simple\",\"useRanges\":false,\"verticalSplit\":false},\"type\":\"gauge\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Critical Risk\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"schema\":\"group\",\"params\":{\"filters\":[{\"input\":{\"query\":{\"query_string\":{\"query\":\"risk:critical\"}}},\"label\":\"Critical\"}]}}],\"listeners\":{}}", - "uiStateJSON": "{\"vis\":{\"colors\":{\"0 - 10000\":\"#BF1B00\"},\"defaultColors\":{\"0 - 10000\":\"rgb(0,104,55)\"},\"legendOpen\":false}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logstash-vulnwhisperer-*\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}},\"filter\":[]}" - } - } - }, - { - "_id": "AWCUyeHGib22Ai8JwX62", - "_type": "visualization", - "_source": { - "title": "VulnWhisperer-RiskOverTime Qualys Scoring", - "visState": "{\"title\":\"VulnWhisperer-RiskOverTime Qualys Scoring\",\"type\":\"line\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"@timestamp per 12 
hours\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"},\"valueAxis\":\"ValueAxis-1\"},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"orderBucketsBySum\":false,\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"type\":\"line\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"filters\",\"schema\":\"group\",\"params\":{\"filters\":[{\"input\":{\"query\":{\"query_string\":{\"query\":\"risk:info\"}}},\"label\":\"Info\"},{\"input\":{\"query\":{\"query_string\":{\"query\":\"risk:low\"}}},\"label\":\"Low\"},{\"input\":{\"query\":{\"query_string\":{\"query\":\"risk:medium\"}}},\"label\":\"Medium\"},{\"input\":{\"query\":{\"query_string\":{\"query\":\"risk:high\"}}},\"label\":\"High\"},{\"input\":{\"query\":{\"query_string\":{\"query\":\"risk:critical\"}}},\"label\":\"Critical\"}]}}],\"listeners\":{}}", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Critical\":\"#962D82\",\"High\":\"#BF1B00\",\"Low\":\"#629E51\",\"Medium\":\"#EAB839\",\"Info\":\"#65C5DB\"}}}", - "description": "", - "version": 1, - 
"kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logstash-vulnwhisperer-*\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}},\"filter\":[]}" - } - } - }, - { - "_id": "AWCUos-Fib22Ai8JwW0y", - "_type": "visualization", - "_source": { - "title": "VulnWhisperer - Risk: Low Qualys Scoring", - "visState": "{\"title\":\"VulnWhisperer - Risk: Low Qualys Scoring\",\"type\":\"goal\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"Background\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":true,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"bgFill\":\"white\",\"bgColor\":true,\"labelColor\":false,\"subText\":\"\",\"fontSize\":\"34\"},\"extendRange\":false}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Low Risk\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"schema\":\"group\",\"params\":{\"filters\":[{\"input\":{\"query\":{\"query_string\":{\"query\":\"risk:low\"}}},\"label\":\"Low Risk\"}]}}],\"listeners\":{}}", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 10000\":\"rgb(0,104,55)\"},\"legendOpen\":true,\"colors\":{\"0 - 10000\":\"#629E51\"}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logstash-vulnwhisperer-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" - } - } - }, - { - "_id": "AWCg9Wsfib22Ai8Jww3v", - "_type": "visualization", - "_source": { - "title": "VulnWhisperer - Qualys: Category Description", - "visState": "{\"title\":\"VulnWhisperer - Qualys: 
Category Description\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"type\":\"table\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"category_description.keyword\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Category Description\"}}],\"listeners\":{}}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logstash-vulnwhisperer-*\",\"query\":{\"match_all\":{}},\"filter\":[]}" - } - } - }, - { - "_id": "AWCg88f1ib22Ai8Jww3C", - "_type": "visualization", - "_source": { - "title": "VulnWhisperer - QualysOS", - "visState": "{\"title\":\"VulnWhisperer - QualysOS\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"type\":\"table\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"operating_system.keyword\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logstash-vulnwhisperer-*\",\"query\":{\"match_all\":{}},\"filter\":[]}" - } - } - }, - { - "_id": "AWCg9JUAib22Ai8Jww3Y", - "_type": "visualization", - "_source": { - "title": "VulnWhisperer - QualysOwner", - "visState": "{\"title\":\"VulnWhisperer - 
QualysOwner\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"type\":\"table\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"owner.keyword\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logstash-vulnwhisperer-*\",\"query\":{\"match_all\":{}},\"filter\":[]}" - } - } - }, - { - "_id": "AWCg9tE6ib22Ai8Jww4R", - "_type": "visualization", - "_source": { - "title": "VulnWhisperer - Qualys: Impact", - "visState": "{\"title\":\"VulnWhisperer - Qualys: Impact\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"type\":\"table\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"impact.keyword\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Impact\"}}],\"listeners\":{}}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logstash-vulnwhisperer-*\",\"query\":{\"match_all\":{}},\"filter\":[]}" - } - } - }, - { - "_id": "AWCg9igvib22Ai8Jww36", - "_type": "visualization", - "_source": { - "title": "VulnWhisperer - Qualys: Level", - "visState": "{\"title\":\"VulnWhisperer - Qualys: 
Level\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"type\":\"table\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"level.keyword\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Level\"}}],\"listeners\":{}}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logstash-vulnwhisperer-*\",\"query\":{\"match_all\":{}},\"filter\":[]}" - } - } - }, - { - "_id": "AWCUsp_3ib22Ai8JwW7R", - "_type": "visualization", - "_source": { - "title": "VulnWhisperer - TL-Critical Risk Qualys Scoring", - "visState": "{\"title\":\"VulnWhisperer - TL-Critical Risk Qualys Scoring\",\"type\":\"timelion\",\"params\":{\"expression\":\".es(index='logstash-vulnwhisperer-*',q='(risk:critical)').label(\\\"Original\\\"),.es(index='logstash-vulnwhisperer-*',q='(risk:critical)',offset=-1w).label(\\\"One week offset\\\"),.es(index='logstash-vulnwhisperer-*',q='(risk:critical)').subtract(.es(index='logstash-vulnwhisperer-*',q='(risk:critical)',offset=-1w)).label(\\\"Difference\\\").lines(steps=3,fill=2,width=1)\",\"interval\":\"auto\",\"type\":\"timelion\"},\"aggs\":[],\"listeners\":{}}", - "uiStateJSON": "{}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" - } - } - }, - { - "_id": "AWCUtHETib22Ai8JwW79", - "_type": "visualization", - "_source": { - "title": "VulnWhisperer - TL-High Risk Qualys Scoring", - "visState": "{\"title\":\"VulnWhisperer - TL-High Risk Qualys 
Scoring\",\"type\":\"timelion\",\"params\":{\"expression\":\".es(index='logstash-vulnwhisperer-*',q='(risk:high)').label(\\\"Original\\\"),.es(index='logstash-vulnwhisperer-*',q='(risk:high)',offset=-1w).label(\\\"One week offset\\\"),.es(index='logstash-vulnwhisperer-*',q='(risk:high)').subtract(.es(index='logstash-vulnwhisperer-*',q='(risk:high)',offset=-1w)).label(\\\"Difference\\\").lines(steps=3,fill=2,width=1)\",\"interval\":\"auto\",\"type\":\"timelion\"},\"aggs\":[],\"listeners\":{}}", - "uiStateJSON": "{}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" - } - } - } -] \ No newline at end of file diff --git a/resources/elk5-old_compatibility/kibana/vuln_whisp_kibana/2001_vulnWhisperer_ReportingMitigationDashboardQualysRisk.json b/resources/elk5-old_compatibility/kibana/vuln_whisp_kibana/2001_vulnWhisperer_ReportingMitigationDashboardQualysRisk.json deleted file mode 100755 index 06bbc0b..0000000 --- a/resources/elk5-old_compatibility/kibana/vuln_whisp_kibana/2001_vulnWhisperer_ReportingMitigationDashboardQualysRisk.json +++ /dev/null 
@@ -1,50 +0,0 @@ -[ - { - "_id": "AWCUrIBqib22Ai8JwW43", - "_type": "dashboard", - "_source": { - "title": "VulnWhisperer - Reporting Qualys Scoring", - "hits": 0, - "description": "", - "panelsJSON": "[{\"col\":1,\"id\":\"2f979030-44b9-11e7-a818-f5f80dfc3590\",\"panelIndex\":5,\"row\":11,\"size_x\":6,\"size_y\":4,\"type\":\"visualization\"},{\"col\":10,\"id\":\"297df800-3f7e-11e7-bd24-6903e3283192\",\"panelIndex\":15,\"row\":7,\"size_x\":3,\"size_y\":4,\"type\":\"visualization\"},{\"col\":7,\"id\":\"471a3580-3f6b-11e7-88e7-df1abe6547fb\",\"panelIndex\":20,\"row\":7,\"size_x\":3,\"size_y\":4,\"type\":\"visualization\"},{\"col\":11,\"id\":\"995e2280-3df3-11e7-a44e-c79ca8efb780\",\"panelIndex\":22,\"row\":1,\"size_x\":2,\"size_y\":3,\"type\":\"visualization\"},{\"col\":9,\"id\":\"b2f2adb0-897f-11e7-a2d2-c57bca21b3aa\",\"panelIndex\":23,\"row\":1,\"size_x\":2,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"479deab0-8a39-11e7-a58a-9bfcb3761a3d\",\"panelIndex\":29,\"row\":4,\"size_x\":6,\"size_y\":4,\"type\":\"visualization\"},{\"size_x\":6,\"size_y\":3,\"panelIndex\":30,\"type\":\"visualization\",\"id\":\"AWCUtHETib22Ai8JwW79\",\"col\":1,\"row\":8},{\"size_x\":6,\"size_y\":3,\"panelIndex\":31,\"type\":\"visualization\",\"id\":\"AWCUsp_3ib22Ai8JwW7R\",\"col\":7,\"row\":4},{\"size_x\":2,\"size_y\":3,\"panelIndex\":33,\"type\":\"visualization\",\"id\":\"AWCUozGBib22Ai8JwW1B\",\"col\":3,\"row\":1},{\"size_x\":2,\"size_y\":3,\"panelIndex\":34,\"type\":\"visualization\",\"id\":\"AWCUo-jRib22Ai8JwW1N\",\"col\":5,\"row\":1},{\"size_x\":2,\"size_y\":3,\"panelIndex\":35,\"type\":\"visualization\",\"id\":\"AWCUpE3Kib22Ai8JwW1c\",\"col\":7,\"row\":1},{\"size_x\":2,\"size_y\":3,\"panelIndex\":36,\"type\":\"visualization\",\"id\":\"AWCUos-Fib22Ai8JwW0y\",\"col\":1,\"row\":1}]", - "optionsJSON": "{\"darkTheme\":false}", - "uiStateJSON": 
"{\"P-15\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-20\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-21\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"P-22\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-23\":{\"vis\":{\"defaultColors\":{\"0 - 10000\":\"rgb(0,104,55)\"}}},\"P-24\":{\"vis\":{\"defaultColors\":{\"0 - 10000\":\"rgb(0,104,55)\"}}},\"P-5\":{\"vis\":{\"legendOpen\":false}},\"P-33\":{\"vis\":{\"defaultColors\":{\"0 - 10000\":\"rgb(0,104,55)\"},\"legendOpen\":false}},\"P-34\":{\"vis\":{\"defaultColors\":{\"0 - 1000\":\"rgb(0,104,55)\"},\"legendOpen\":false}},\"P-35\":{\"vis\":{\"defaultColors\":{\"0 - 10000\":\"rgb(0,104,55)\"}}},\"P-27\":{\"vis\":{\"defaultColors\":{\"0 - 10000\":\"rgb(0,104,55)\"}}},\"P-28\":{\"vis\":{\"defaultColors\":{\"0 - 10000\":\"rgb(0,104,55)\"}}},\"P-26\":{\"vis\":{\"defaultColors\":{\"0 - 1000\":\"rgb(0,104,55)\"}}},\"P-25\":{\"vis\":{\"defaultColors\":{\"0 - 10000\":\"rgb(0,104,55)\"}}},\"P-32\":{\"vis\":{\"defaultColors\":{\"0 - 10000\":\"rgb(0,104,55)\"}}},\"P-36\":{\"vis\":{\"defaultColors\":{\"0 - 10000\":\"rgb(0,104,55)\"},\"legendOpen\":false}}}", - "version": 1, - "timeRestore": true, - "timeTo": "now", - "timeFrom": "now-30d", - "refreshInterval": { - "display": "Off", - "pause": false, - "value": 0 - }, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"-vulnerability_category:\\\"INFORMATION_GATHERED\\\"\"}}}],\"highlightAll\":true,\"version\":true}" - } - } - }, - { - "_id": "5dba30c0-3df3-11e7-a44e-c79ca8efb780", - "_type": "dashboard", - "_source": { - "title": "VulnWhisperer - Risk Mitigation Qualys Web Scoring", - "hits": 0, - "description": "", - "panelsJSON": 
"[{\"col\":11,\"id\":\"995e2280-3df3-11e7-a44e-c79ca8efb780\",\"panelIndex\":20,\"row\":8,\"size_x\":2,\"size_y\":7,\"type\":\"visualization\"},{\"col\":1,\"id\":\"852816e0-3eb1-11e7-90cb-918f9cb01e3d\",\"panelIndex\":21,\"row\":10,\"size_x\":3,\"size_y\":5,\"type\":\"visualization\"},{\"col\":4,\"id\":\"297df800-3f7e-11e7-bd24-6903e3283192\",\"panelIndex\":27,\"row\":8,\"size_x\":3,\"size_y\":4,\"type\":\"visualization\"},{\"col\":9,\"id\":\"35b6d320-3f7f-11e7-bd24-6903e3283192\",\"panelIndex\":28,\"row\":8,\"size_x\":2,\"size_y\":7,\"type\":\"visualization\"},{\"col\":11,\"id\":\"471a3580-3f6b-11e7-88e7-df1abe6547fb\",\"panelIndex\":30,\"row\":1,\"size_x\":2,\"size_y\":3,\"type\":\"visualization\"},{\"col\":7,\"id\":\"de1a5f40-3f85-11e7-97f9-3777d794626d\",\"panelIndex\":31,\"row\":8,\"size_x\":2,\"size_y\":4,\"type\":\"visualization\"},{\"col\":10,\"id\":\"5093c620-44e9-11e7-8014-ede06a7e69f8\",\"panelIndex\":37,\"row\":4,\"size_x\":3,\"size_y\":4,\"type\":\"visualization\"},{\"col\":1,\"columns\":[\"host\",\"risk\",\"risk_score\",\"cve\",\"plugin_name\",\"solution\",\"plugin_output\"],\"id\":\"54648700-3f74-11e7-852e-69207a3d0726\",\"panelIndex\":38,\"row\":15,\"size_x\":12,\"size_y\":6,\"sort\":[\"@timestamp\",\"desc\"],\"type\":\"search\"},{\"col\":1,\"id\":\"fb6eb020-49ab-11e7-8f8c-57ad64ec48a6\",\"panelIndex\":39,\"row\":8,\"size_x\":3,\"size_y\":2,\"type\":\"visualization\"},{\"col\":5,\"id\":\"465c5820-8977-11e7-857e-e1d56b17746d\",\"panelIndex\":40,\"row\":4,\"size_x\":5,\"size_y\":4,\"type\":\"visualization\"},{\"col\":9,\"id\":\"b2f2adb0-897f-11e7-a2d2-c57bca21b3aa\",\"panelIndex\":45,\"row\":1,\"size_x\":2,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"AWCUos-Fib22Ai8JwW0y\",\"panelIndex\":47,\"row\":1,\"size_x\":2,\"size_y\":3,\"type\":\"visualization\"},{\"col\":3,\"id\":\"AWCUozGBib22Ai8JwW1B\",\"panelIndex\":48,\"row\":1,\"size_x\":2,\"size_y\":3,\"type\":\"visualization\"},{\"col\":5,\"id\":\"AWCUo-jRib22Ai8JwW1N\",\"panelIndex\":49,
\"row\":1,\"size_x\":2,\"size_y\":3,\"type\":\"visualization\"},{\"col\":7,\"id\":\"AWCUpE3Kib22Ai8JwW1c\",\"panelIndex\":50,\"row\":1,\"size_x\":2,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"AWCUyeHGib22Ai8JwX62\",\"panelIndex\":51,\"row\":4,\"size_x\":4,\"size_y\":4,\"type\":\"visualization\"},{\"col\":4,\"id\":\"AWCg88f1ib22Ai8Jww3C\",\"panelIndex\":52,\"row\":12,\"size_x\":3,\"size_y\":3,\"type\":\"visualization\"},{\"col\":7,\"id\":\"AWCg9JUAib22Ai8Jww3Y\",\"panelIndex\":53,\"row\":12,\"size_x\":2,\"size_y\":3,\"type\":\"visualization\"}]", - "optionsJSON": "{\"darkTheme\":false}", - "uiStateJSON": "{\"P-11\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-2\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-20\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-21\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":0,\"direction\":\"desc\"}}}},\"P-27\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-28\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":0,\"direction\":\"desc\"}}}},\"P-3\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":0,\"direction\":\"asc\"}}}},\"P-30\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-31\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-40\":{\"vis\":{\"defaultColors\":{\"0 - 3\":\"rgb(0,104,55)\",\"3 - 7\":\"rgb(135,203,103)\",\"7 - 9\":\"rgb(255,255,190)\",\"9 - 11\":\"rgb(249,142,82)\"}}},\"P-41\":{\"vis\":{\"defaultColors\":{\"0 - 10000\":\"rgb(0,104,55)\"}}},\"P-42\":{\"vis\":{\"defaultColors\":{\"0 - 10000\":\"rgb(0,104,55)\"}}},\"P-43\":{\"vis\":{\"defaultColors\":{\"0 - 1000\":\"rgb(0,104,55)\"}}},\"P-44\":{\"vis\":{\"defaultColors\":{\"0 - 10000\":\"rgb(0,104,55)\"}}},\"P-45\":{\"vis\":{\"defaultColors\":{\"0 - 10000\":\"rgb(0,104,55)\"}}},\"P-47\":{\"vis\":{\"defaultColors\":{\"0 - 
10000\":\"rgb(0,104,55)\"},\"legendOpen\":false}},\"P-48\":{\"vis\":{\"defaultColors\":{\"0 - 10000\":\"rgb(0,104,55)\"},\"legendOpen\":false}},\"P-49\":{\"vis\":{\"defaultColors\":{\"0 - 1000\":\"rgb(0,104,55)\"},\"legendOpen\":false}},\"P-5\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-50\":{\"vis\":{\"defaultColors\":{\"0 - 10000\":\"rgb(0,104,55)\"}}},\"P-6\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-8\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-52\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-53\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}}", - "version": 1, - "timeRestore": true, - "timeTo": "now", - "timeFrom": "now-30d", - "refreshInterval": { - "display": "Off", - "pause": false, - "value": 0 - }, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"-vulnerability_category:\\\"INFORMATION_GATHERED\\\"\"}}}],\"highlightAll\":true,\"version\":true}" - } - } - } -] \ No newline at end of file diff --git a/resources/elk5-old_compatibility/kibana/vuln_whisp_kibana/9000_vulnWhisperer_SavedSearch.json b/resources/elk5-old_compatibility/kibana/vuln_whisp_kibana/9000_vulnWhisperer_SavedSearch.json deleted file mode 100755 index 038f46d..0000000 --- a/resources/elk5-old_compatibility/kibana/vuln_whisp_kibana/9000_vulnWhisperer_SavedSearch.json +++ /dev/null 
@@ -1,28 +0,0 @@
-[
- {
- "_id": "54648700-3f74-11e7-852e-69207a3d0726",
- "_type": "search",
- "_source": {
- "title": "VulnWhisperer - Saved Search",
- "description": "",
- "hits": 0,
- "columns": [
- "host",
- "risk",
- "risk_score",
- "cve",
- "plugin_name",
- "solution",
- "plugin_output"
- ],
- "sort": [
- "@timestamp",
- "desc"
- ],
- "version": 1,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"index\":\"logstash-vulnwhisperer-*\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}},\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647}}"
- }
- }
- }
-]
\ No newline at end of file
diff --git a/resources/elk5-old_compatibility/logstash/0001_input_beats.conf b/resources/elk5-old_compatibility/logstash/0001_input_beats.conf
deleted file mode 100755
index ff31b3b..0000000
--- a/resources/elk5-old_compatibility/logstash/0001_input_beats.conf
+++ /dev/null
@@ -1,14 +0,0 @@
-input {
- beats {
- port => 5044
- tags => "beats"
- }
-}
-
-filter {
- if [beat][hostname] == "filebeathost" {
- mutate {
- add_tag => ["nessus"]
- }
- }
-}
diff --git a/resources/elk5-old_compatibility/logstash/1000_nessus_process_file.conf b/resources/elk5-old_compatibility/logstash/1000_nessus_process_file.conf
deleted file mode 100644
index b1c4b1a..0000000
--- a/resources/elk5-old_compatibility/logstash/1000_nessus_process_file.conf
+++ /dev/null
@@ -1,195 +0,0 @@ -# Author: Austin Taylor and Justin Henderson -# Email: email@austintaylor.io -# Last Update: 12/20/2017 -# Version 0.3 -# Description: Take in nessus reports from vulnWhisperer and pumps into logstash - - -input { - file { - path => "/opt/VulnWhisperer/data/nessus/**/*.json" - start_position => "beginning" - tags => "nessus" - type => "nessus" - codec => json - } - file { - path => "/opt/VulnWhisperer/data/tenable/*.json" - start_position => "beginning" - tags => "nessus" - type => "nessus" - codec => json - } -} - -filter { - if "nessus" in [tags] or "tenable" in [tags] { - - #If using filebeats as your source, you will need to replace the "path" field to "source" - grok { - match => { "path" => "(?[a-zA-Z0-9_.\-]+)_%{INT:scan_id}_%{INT:history_id}_%{INT:last_updated}.(csv|json)$" } - tag_on_failure => [] - } - - date { - match => [ "last_updated", "UNIX" ] - target => "@timestamp" - remove_field => ["last_updated"] - } - - if [risk] == "None" { - mutate { add_field => { "risk_number" => 0 }} - } - if [risk] == "Low" { - mutate { add_field => { "risk_number" => 1 }} - } - if [risk] == "Medium" { - mutate { add_field => { "risk_number" => 2 }} - } - if [risk] == "High" { - mutate { add_field => { "risk_number" => 3 }} - } - if [risk] == "Critical" { - mutate { add_field => { "risk_number" => 4 }} - } - - if ![cve] or [cve] == "nan" { - mutate { remove_field => [ "cve" ] } - } - if ![cvss] or [cvss] == "nan" { - mutate { remove_field => [ "cvss" ] } - } - if ![cvss_base] or [cvss_base] == "nan" { - mutate { remove_field => [ "cvss_base" ] } - } - if ![cvss_temporal] or [cvss_temporal] == "nan" { - mutate { remove_field => [ "cvss_temporal" ] } - } - if ![cvss_temporal_vector] or [cvss_temporal_vector] == "nan" { - mutate { remove_field => [ "cvss_temporal_vector" ] } - } - if ![cvss_vector] or [cvss_vector] == "nan" { - mutate { remove_field => [ "cvss_vector" ] } - } - if ![cvss3_base] or [cvss3_base] == "nan" { - mutate { remove_field => [ 
"cvss3_base" ] } - } - if ![cvss3_temporal] or [cvss3_temporal] == "nan" { - mutate { remove_field => [ "cvss3_temporal" ] } - } - if ![cvss3_temporal_vector] or [cvss3_temporal_vector] == "nan" { - mutate { remove_field => [ "cvss3_temporal_vector" ] } - } - if ![description] or [description] == "nan" { - mutate { remove_field => [ "description" ] } - } - if ![mac_address] or [mac_address] == "nan" { - mutate { remove_field => [ "mac_address" ] } - } - if ![netbios] or [netbios] == "nan" { - mutate { remove_field => [ "netbios" ] } - } - if ![operating_system] or [operating_system] == "nan" { - mutate { remove_field => [ "operating_system" ] } - } - if ![plugin_output] or [plugin_output] == "nan" { - mutate { remove_field => [ "plugin_output" ] } - } - if ![see_also] or [see_also] == "nan" { - mutate { remove_field => [ "see_also" ] } - } - if ![synopsis] or [synopsis] == "nan" { - mutate { remove_field => [ "synopsis" ] } - } - if ![system_type] or [system_type] == "nan" { - mutate { remove_field => [ "system_type" ] } - } - - mutate { - remove_field => [ "message" ] - add_field => { "risk_score" => "%{cvss}" } - } - mutate { - convert => { "risk_score" => "float" } - } - if [risk_score] == 0 { - mutate { - add_field => { "risk_score_name" => "info" } - } - } - if [risk_score] > 0 and [risk_score] < 3 { - mutate { - add_field => { "risk_score_name" => "low" } - } - } - if [risk_score] >= 3 and [risk_score] < 6 { - mutate { - add_field => { "risk_score_name" => "medium" } - } - } - if [risk_score] >=6 and [risk_score] < 9 { - mutate { - add_field => { "risk_score_name" => "high" } - } - } - if [risk_score] >= 9 { - mutate { - add_field => { "risk_score_name" => "critical" } - } - } - - # Compensating controls - adjust risk_score - # Adobe and Java are not allowed to run in browser unless whitelisted - # Therefore, lower score by dividing by 3 (score is subjective to risk) - - #Modify and uncomment when ready to use - #if [risk_score] != 0 { - # if [plugin_name] =~ 
"Adobe" and [risk_score] > 6 or [plugin_name] =~ "Java" and [risk_score] > 6 { - # ruby { - # code => "event.set('risk_score', event.get('risk_score') / 3)" - # } - # mutate { - # add_field => { "compensating_control" => "Adobe and Flash removed from browsers unless whitelisted site." } - # } - # } - #} - - # Add tags for reporting based on assets or criticality - - if [asset] == "dc01" or [asset] == "dc02" or [asset] == "pki01" or [asset] == "192.168.0.54" or [asset] =~ "^192\.168\.0\." or [asset] =~ "^42.42.42." { - mutate { - add_tag => [ "critical_asset" ] - } - } - #if [asset] =~ "^192\.168\.[45][0-9][0-9]\.1$" or [asset] =~ "^192.168\.[50]\.[0-9]{1,2}\.1$"{ - # mutate { - # add_tag => [ "has_hipaa_data" ] - # } - #} - #if [asset] =~ "^192\.168\.[45][0-9][0-9]\." { - # mutate { - # add_tag => [ "hipaa_asset" ] - # } - #} - if [asset] =~ "^hr" { - mutate { - add_tag => [ "pci_asset" ] - } - } - #if [asset] =~ "^10\.0\.50\." { - # mutate { - # add_tag => [ "web_servers" ] - # } - #} - } -} - -output { - if "nessus" in [tags] or "tenable" in [tags] or [type] in [ "nessus", "tenable" ] { - # stdout { codec => rubydebug } - elasticsearch { - hosts => [ "localhost:9200" ] - index => "logstash-vulnwhisperer-%{+YYYY.MM}" - } - } -} diff --git a/resources/elk5-old_compatibility/logstash/2000_qualys_web_scans.conf b/resources/elk5-old_compatibility/logstash/2000_qualys_web_scans.conf deleted file mode 100644 index fe98ef8..0000000 --- a/resources/elk5-old_compatibility/logstash/2000_qualys_web_scans.conf +++ /dev/null 
@@ -1,153 +0,0 @@ -# Author: Austin Taylor and Justin Henderson -# Email: austin@hasecuritysolutions.com -# Last Update: 12/30/2017 -# Version 0.3 -# Description: Take in qualys web scan reports from vulnWhisperer and pumps into logstash - -input { - file { - path => [ "/opt/VulnWhisperer/data/qualys/*.json" , "/opt/VulnWhisperer/data/qualys_web/*.json", "/opt/VulnWhisperer/data/qualys_vuln/*.json" ] - type => json - codec => json - start_position => "beginning" - tags => [ "qualys" ] - } -} - -filter { - if "qualys" in [tags] { - grok { - match => { "path" => [ "(?qualys_vuln)_scan_%{DATA}_%{INT:last_updated}.json$", "(?qualys_web)_%{INT:app_id}_%{INT:last_updated}.json$" ] } - tag_on_failure => [] - } - - mutate { - replace => [ "message", "%{message}" ] - #gsub => [ - # "message", "\|\|\|", " ", - # "message", "\t\t", " ", - # "message", " ", " ", - # "message", " ", " ", - # "message", " ", " ", - # "message", "nan", " ", - # "message",'\n','' - #] - } - - if "qualys_web" in [tags] { - mutate { - add_field => { "asset" => "%{web_application_name}" } - add_field => { "risk_score" => "%{cvss}" } - } - } else if "qualys_vuln" in [tags] { - mutate { - add_field => { "asset" => "%{ip}" } - add_field => { "risk_score" => "%{cvss}" } - } - } - - if [risk] == "1" { - mutate { add_field => { "risk_number" => 0 }} - mutate { replace => { "risk" => "info" }} - } - if [risk] == "2" { - mutate { add_field => { "risk_number" => 1 }} - mutate { replace => { "risk" => "low" }} - } - if [risk] == "3" { - mutate { add_field => { "risk_number" => 2 }} - mutate { replace => { "risk" => "medium" }} - } - if [risk] == "4" { - mutate { add_field => { "risk_number" => 3 }} - mutate { replace => { "risk" => "high" }} - } - if [risk] == "5" { - mutate { add_field => { "risk_number" => 4 }} - mutate { replace => { "risk" => "critical" }} - } - - mutate { - remove_field => "message" - } - - if [first_time_detected] { - date { - match => [ "first_time_detected", "dd MMM yyyy HH:mma 
'GMT'ZZ", "dd MMM yyyy HH:mma 'GMT'" ] - target => "first_time_detected" - } - } - if [first_time_tested] { - date { - match => [ "first_time_tested", "dd MMM yyyy HH:mma 'GMT'ZZ", "dd MMM yyyy HH:mma 'GMT'" ] - target => "first_time_tested" - } - } - if [last_time_detected] { - date { - match => [ "last_time_detected", "dd MMM yyyy HH:mma 'GMT'ZZ", "dd MMM yyyy HH:mma 'GMT'" ] - target => "last_time_detected" - } - } - if [last_time_tested] { - date { - match => [ "last_time_tested", "dd MMM yyyy HH:mma 'GMT'ZZ", "dd MMM yyyy HH:mma 'GMT'" ] - target => "last_time_tested" - } - } - date { - match => [ "last_updated", "UNIX" ] - target => "@timestamp" - remove_field => "last_updated" - } - mutate { - convert => { "plugin_id" => "integer"} - convert => { "id" => "integer"} - convert => { "risk_number" => "integer"} - convert => { "risk_score" => "float"} - convert => { "total_times_detected" => "integer"} - convert => { "cvss_temporal" => "float"} - convert => { "cvss" => "float"} - } - if [risk_score] == 0 { - mutate { - add_field => { "risk_score_name" => "info" } - } - } - if [risk_score] > 0 and [risk_score] < 3 { - mutate { - add_field => { "risk_score_name" => "low" } - } - } - if [risk_score] >= 3 and [risk_score] < 6 { - mutate { - add_field => { "risk_score_name" => "medium" } - } - } - if [risk_score] >=6 and [risk_score] < 9 { - mutate { - add_field => { "risk_score_name" => "high" } - } - } - if [risk_score] >= 9 { - mutate { - add_field => { "risk_score_name" => "critical" } - } - } - - if [asset] =~ "\.yourdomain\.(com|net)$" { - mutate { - add_tag => [ "critical_asset" ] - } - } - } -} -output { - if "qualys" in [tags] { - stdout { codec => rubydebug } - elasticsearch { - hosts => [ "localhost:9200" ] - index => "logstash-vulnwhisperer-%{+YYYY.MM}" - } - } -} diff --git a/resources/elk5-old_compatibility/logstash/3000_openvas.conf b/resources/elk5-old_compatibility/logstash/3000_openvas.conf deleted file mode 100644 index 32e889c..0000000 
--- a/resources/elk5-old_compatibility/logstash/3000_openvas.conf
+++ /dev/null
@@ -1,146 +0,0 @@ -# Author: Austin Taylor and Justin Henderson -# Email: austin@hasecuritysolutions.com -# Last Update: 03/04/2018 -# Version 0.3 -# Description: Take in qualys web scan reports from vulnWhisperer and pumps into logstash - -input { - file { - path => "/opt/VulnWhisperer/openvas/*.json" - type => json - codec => json - start_position => "beginning" - tags => [ "openvas_scan", "openvas" ] - } -} - -filter { - if "openvas_scan" in [tags] { - mutate { - replace => [ "message", "%{message}" ] - gsub => [ - "message", "\|\|\|", " ", - "message", "\t\t", " ", - "message", " ", " ", - "message", " ", " ", - "message", " ", " ", - "message", "nan", " ", - "message",'\n','' - ] - } - - - grok { - match => { "path" => "openvas_scan_%{DATA:scan_id}_%{INT:last_updated}.json$" } - tag_on_failure => [] - } - - mutate { - add_field => { "risk_score" => "%{cvss}" } - } - - if [risk] == "1" { - mutate { add_field => { "risk_number" => 0 }} - mutate { replace => { "risk" => "info" }} - } - if [risk] == "2" { - mutate { add_field => { "risk_number" => 1 }} - mutate { replace => { "risk" => "low" }} - } - if [risk] == "3" { - mutate { add_field => { "risk_number" => 2 }} - mutate { replace => { "risk" => "medium" }} - } - if [risk] == "4" { - mutate { add_field => { "risk_number" => 3 }} - mutate { replace => { "risk" => "high" }} - } - if [risk] == "5" { - mutate { add_field => { "risk_number" => 4 }} - mutate { replace => { "risk" => "critical" }} - } - - mutate { - remove_field => "message" - } - - if [first_time_detected] { - date { - match => [ "first_time_detected", "dd MMM yyyy HH:mma 'GMT'ZZ", "dd MMM yyyy HH:mma 'GMT'" ] - target => "first_time_detected" - } - } - if [first_time_tested] { - date { - match => [ "first_time_tested", "dd MMM yyyy HH:mma 'GMT'ZZ", "dd MMM yyyy HH:mma 'GMT'" ] - target => "first_time_tested" - } - } - if [last_time_detected] { - date { - match => [ "last_time_detected", "dd MMM yyyy HH:mma 'GMT'ZZ", "dd MMM yyyy HH:mma 'GMT'" ] - 
target => "last_time_detected" - } - } - if [last_time_tested] { - date { - match => [ "last_time_tested", "dd MMM yyyy HH:mma 'GMT'ZZ", "dd MMM yyyy HH:mma 'GMT'" ] - target => "last_time_tested" - } - } - date { - match => [ "last_updated", "UNIX" ] - target => "@timestamp" - remove_field => "last_updated" - } - mutate { - convert => { "plugin_id" => "integer"} - convert => { "id" => "integer"} - convert => { "risk_number" => "integer"} - convert => { "risk_score" => "float"} - convert => { "total_times_detected" => "integer"} - convert => { "cvss_temporal" => "float"} - convert => { "cvss" => "float"} - } - if [risk_score] == 0 { - mutate { - add_field => { "risk_score_name" => "info" } - } - } - if [risk_score] > 0 and [risk_score] < 3 { - mutate { - add_field => { "risk_score_name" => "low" } - } - } - if [risk_score] >= 3 and [risk_score] < 6 { - mutate { - add_field => { "risk_score_name" => "medium" } - } - } - if [risk_score] >=6 and [risk_score] < 9 { - mutate { - add_field => { "risk_score_name" => "high" } - } - } - if [risk_score] >= 9 { - mutate { - add_field => { "risk_score_name" => "critical" } - } - } - # Add your critical assets by subnet or by hostname. Comment this field out if you don't want to tag any, but the asset panel will break. - if [asset] =~ "^10\.0\.100\." { - mutate { - add_tag => [ "critical_asset" ] - } - } - } -} -output { - if "openvas" in [tags] { - stdout { codec => rubydebug } - elasticsearch { - hosts => [ "localhost:9200" ] - index => "logstash-vulnwhisperer-%{+YYYY.MM}" - } - } -} diff --git a/resources/elk5-old_compatibility/logstash/4000_jira.conf b/resources/elk5-old_compatibility/logstash/4000_jira.conf deleted file mode 100644 index 03a0b04..0000000 --- a/resources/elk5-old_compatibility/logstash/4000_jira.conf +++ /dev/null 
@@ -1,21 +0,0 @@ -# Description: Take in jira tickets from vulnWhisperer and pumps into logstash - -input { - file { - path => "/opt/VulnWhisperer/jira/*.json" - type => json - codec => json - start_position => "beginning" - tags => [ "jira" ] - } -} - -output { - if "jira" in [tags] { - stdout { codec => rubydebug } - elasticsearch { - hosts => [ "localhost:9200" ] - index => "logstash-vulnwhisperer-%{+YYYY.MM}" - } - } -} diff --git a/resources/elk5-old_compatibility/logstash/9998_input_broker_rabbitmq.conf b/resources/elk5-old_compatibility/logstash/9998_input_broker_rabbitmq.conf deleted file mode 100755 index 60e7d9c..0000000 --- a/resources/elk5-old_compatibility/logstash/9998_input_broker_rabbitmq.conf +++ /dev/null @@ -1,13 +0,0 @@ -input { - rabbitmq { - key => "nessus" - queue => "nessus" - durable => true - exchange => "nessus" - user => "logstash" - password => "yourpassword" - host => "buffer01" - port => 5672 - tags => [ "queue_nessus", "rabbitmq" ] - } -} diff --git a/resources/elk5-old_compatibility/logstash/9998_output_broker_rabbitmq.conf b/resources/elk5-old_compatibility/logstash/9998_output_broker_rabbitmq.conf deleted file mode 100755 index dbf4855..0000000 --- a/resources/elk5-old_compatibility/logstash/9998_output_broker_rabbitmq.conf +++ /dev/null @@ -1,16 +0,0 @@ -output { - if "nessus" in [tags]{ - rabbitmq { - key => "nessus" - exchange => "nessus" - exchange_type => "direct" - user => "logstash" - password => "yourbufferpassword" - host => "buffer01" - port => 5672 - durable => true - persistent => true - } - } - -} From 08334973be3ef55d453986828deb2c2a4be5ed63 Mon Sep 17 00:00:00 2001 
From: pemontto Date: Wed, 17 Apr 2019 19:10:21 +1000 Subject: [PATCH 34/73] bring inline with master --- .gitignore | 1 - Dockerfile | 3 +-- resources/elk6/pipeline/1000_nessus_process_file.conf | 2 -- resources/elk6/pipeline/2000_qualys_web_scans.conf | 2 -- resources/elk6/pipeline/3000_openvas.conf | 3 +-- tests/test-vuln_whisperer.sh | 2 +- 6 files changed, 3 insertions(+), 10 deletions(-) diff --git a/.gitignore b/.gitignore index 4ca7c68..9fc0cb6 100644 --- a/.gitignore +++ b/.gitignore @@ -1,6 +1,5 @@ # Vulnwhisperer stuff data/ -docker_data/ logs/ elk6/vulnwhisperer.ini resources/elk6/vulnwhisperer.ini diff --git a/Dockerfile b/Dockerfile index a2806ee..667cba1 100644 --- a/Dockerfile +++ b/Dockerfile @@ -20,8 +20,7 @@ RUN python setup.py clean --all && \ WORKDIR /opt/VulnWhisperer -RUN python setup.py install && \ - ln -s /opt/VulnWhisperer /tmp/VulnWhisperer +RUN python setup.py install CMD vuln_whisperer -c /opt/VulnWhisperer/frameworks_example.ini diff --git a/resources/elk6/pipeline/1000_nessus_process_file.conf b/resources/elk6/pipeline/1000_nessus_process_file.conf index f22ade4..d300b93 100644 --- a/resources/elk6/pipeline/1000_nessus_process_file.conf +++ b/resources/elk6/pipeline/1000_nessus_process_file.conf @@ -47,8 +47,6 @@ filter { convert => { "cvss3" => "float"} convert => { "cvss3_base" => "float"} convert => { "cvss3_temporal" => "float"} - convert => { "id" => "integer"} - convert => { "plugin_id" => "integer"} convert => { "risk_number" => "integer"} convert => { "total_times_detected" => "integer"} } diff --git a/resources/elk6/pipeline/2000_qualys_web_scans.conf b/resources/elk6/pipeline/2000_qualys_web_scans.conf index 02fe101..145852c 100644 --- a/resources/elk6/pipeline/2000_qualys_web_scans.conf +++ b/resources/elk6/pipeline/2000_qualys_web_scans.conf 
@@ -43,8 +43,6 @@ filter { convert => { "cvss3" => "float"} convert => { "cvss3_base" => "float"} convert => { "cvss3_temporal" => "float"} - convert => { "id" => "integer"} - convert => { "plugin_id" => "integer"} convert => { "risk_number" => "integer"} convert => { "total_times_detected" => "integer"} } diff --git a/resources/elk6/pipeline/3000_openvas.conf b/resources/elk6/pipeline/3000_openvas.conf index 5a3b7d3..7017acd 100644 --- a/resources/elk6/pipeline/3000_openvas.conf +++ b/resources/elk6/pipeline/3000_openvas.conf @@ -31,6 +31,7 @@ filter { tag_on_failure => [] } + # TODO - move this mapping into the vulnwhisperer module translate { field => "[risk_number]" destination => "[risk]" @@ -100,8 +101,6 @@ filter { convert => { "cvss3" => "float"} convert => { "cvss3_base" => "float"} convert => { "cvss3_temporal" => "float"} - convert => { "id" => "integer"} - convert => { "plugin_id" => "integer"} convert => { "risk_number" => "integer"} convert => { "total_times_detected" => "integer"} } diff --git a/tests/test-vuln_whisperer.sh b/tests/test-vuln_whisperer.sh index 7739e8b..05d49f0 100755 --- a/tests/test-vuln_whisperer.sh +++ b/tests/test-vuln_whisperer.sh @@ -79,7 +79,7 @@ else ((return_code = return_code + 1)) fi -yellow "*********************************************" +yellow "\n*********************************************" yellow "* Test only Qualys VM with one failed scan *" yellow "*********************************************" rm -rf /opt/VulnWhisperer/* From e3907940bc078bffdf836c314c4e161f2f8e6e1f Mon Sep 17 00:00:00 2001 From: pemontto Date: Wed, 17 Apr 2019 19:27:04 +1000 Subject: [PATCH 35/73] remove unnecessary conditional --- vulnwhisp/vulnwhisp.py | 77 ++++++++++++++++-------------------------- 1 file changed, 30 insertions(+), 47 deletions(-) diff --git a/vulnwhisp/vulnwhisp.py b/vulnwhisp/vulnwhisp.py index e6bc285..7fd84cc 100755 --- a/vulnwhisp/vulnwhisp.py +++ b/vulnwhisp/vulnwhisp.py 
@@ -411,8 +411,7 @@ class vulnWhispererNessus(vulnWhispererBase): all_scans = self.scan_count(scans) if self.uuids: scan_list = [ - scan - for scan in all_scans + scan for scan in all_scans if scan["uuid"] not in self.uuids and scan["status"] in ["completed", "imported"] ] 
@@ -503,55 +502,39 @@ class vulnWhispererNessus(vulnWhispererBase): self.logger.error('Could not download {} scan {}: {}'.format(self.CONFIG_SECTION, scan_id, str(e))) self.exit_code += 1 continue - + + self.logger.info('Processing {}/{} for scan: {}'.format(scan_count, len(scan_list), scan_name.encode('utf8'))) vuln_ready = pd.read_csv(io.StringIO(file_req.decode('utf-8'))) - if len(vuln_ready) > 2: - self.logger.info('Processing {}/{} for scan: {}'.format(scan_count, len(scan_list), scan_name.encode('utf8'))) - # Map and transform fields - vuln_ready = self.nessus.normalise(vuln_ready) - vuln_ready = self.common_normalise(vuln_ready) + # Map and transform fields + vuln_ready = self.nessus.normalise(vuln_ready) + vuln_ready = self.common_normalise(vuln_ready) - # Set common fields - vuln_ready['scan_name'] = scan_name.encode('utf8') - vuln_ready['scan_id'] = uuid + # Set common fields + vuln_ready['scan_name'] = scan_name.encode('utf8') + vuln_ready['scan_id'] = uuid - # Add timestamp and convert to milliseconds - vuln_ready['_timestamp'] = norm_time - vuln_ready['scan_source'] = self.CONFIG_SECTION + # Add timestamp + vuln_ready['_timestamp'] = norm_time + vuln_ready['scan_source'] = self.CONFIG_SECTION - vuln_ready.to_json(relative_path_name, orient='records', lines=True) + vuln_ready.to_json(relative_path_name, orient='records', lines=True) - record_meta = ( - scan_name, - scan_id, - norm_time, - file_name, - time.time(), - vuln_ready.shape[0], - self.CONFIG_SECTION, - uuid, - 1, - 0, - ) - self.record_insert(record_meta) - self.logger.info('(unknown) records written to {path} '.format(filename=vuln_ready.shape[0], - path=file_name.encode('utf8'))) - else: - record_meta = ( - scan_name, - scan_id, - norm_time, - file_name, - time.time(), - vuln_ready.shape[0], - self.CONFIG_SECTION, - uuid, - 1, - 0, - ) - self.record_insert(record_meta) - self.logger.warn('{} has no host available... 
Updating database and skipping!'.format(file_name)) + record_meta = ( + scan_name, + scan_id, + norm_time, + file_name, + time.time(), + vuln_ready.shape[0], + self.CONFIG_SECTION, + uuid, + 1, + 0, + ) + self.record_insert(record_meta) + self.logger.info('{records} records written to {path} '.format(records=vuln_ready.shape[0], + path=file_name.encode('utf8'))) self.conn.close() self.logger.info('Scan aggregation complete! Connection to database closed.') else: @@ -691,7 +674,7 @@ class vulnWhispererQualys(vulnWhispererBase): # Set common fields vuln_ready['scan_name'] = scan_name.encode('utf8') vuln_ready['scan_id'] = report_id - # Add timestamp and convert to milliseconds + # Add timestamp vuln_ready['_timestamp'] = launched_date vuln_ready['scan_source'] = self.CONFIG_SECTION @@ -969,7 +952,7 @@ class vulnWhispererQualysVuln(vulnWhispererBase): vuln_ready['scan_name'] = scan_name.encode('utf8') vuln_ready['scan_id'] = report_id - # Add timestamp and convert to milliseconds + # Add timestamp vuln_ready['_timestamp'] = launched_date vuln_ready['scan_source'] = self.CONFIG_SECTION From a2e27d816bcac42f458e59249cf37f958cc7709e Mon Sep 17 00:00:00 2001 From: pemontto Date: Thu, 18 Apr 2019 11:33:25 +1000 Subject: [PATCH 36/73] Ensure empty fields are output as nulls --- vulnwhisp/vulnwhisp.py | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/vulnwhisp/vulnwhisp.py b/vulnwhisp/vulnwhisp.py index 7fd84cc..7925d5f 100755 --- a/vulnwhisp/vulnwhisp.py +++ b/vulnwhisp/vulnwhisp.py @@ -9,6 +9,7 @@ from frameworks.qualys_vuln import qualysVulnScan from frameworks.openvas import OpenVAS_API from reporting.jira_api import JiraAPI import pandas as pd +import numpy as np from lxml import objectify import sys import os 
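Review bot: Removing the `len(vuln_ready) > 2` branch also removes the only place an empty or header-only Nessus export was reported; such a scan now flows through `self.nessus.normalise`/`common_normalise`, is written as an empty JSON file, and is recorded with `vuln_ready.shape[0]` of 0 under an info-level message, so operators lose the "no host available" signal the old warn provided. Consider keeping that visibility with a one-line check after `pd.read_csv`, e.g. `if vuln_ready.empty: self.logger.warn('{} has no host available'.format(file_name))`, while still letting the record be inserted so the scan is not re-downloaded. The enclosing method starts and ends outside the hunk, so whether anything upstream already filters empty downloads cannot be seen here.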
@@ -282,7 +283,8 @@ class vulnWhispererBase(object): # Map CVSS to severity name df.loc[df['cvss'] == '', 'cvss'] = None df['cvss'] = df['cvss'].astype('float') - df.loc[df['cvss'].isnull(), 'cvss_severity'] = 'info' + # df.loc[df['cvss'].isnull(), 'cvss_severity'] = 'info' + df.loc[df['cvss'] == 0, 'cvss3_severity'] = 'info' df.loc[(df['cvss'] > 0) & (df['cvss'] < 3), 'cvss_severity'] = 'low' df.loc[(df['cvss'] >= 3) & (df['cvss'] < 6), 'cvss_severity'] = 'medium' df.loc[(df['cvss'] >= 6) & (df['cvss'] < 9), 'cvss_severity'] = 'high' @@ -293,13 +295,16 @@ class vulnWhispererBase(object): # Map CVSS to severity name df.loc[df['cvss3'] == '', 'cvss3'] = None df['cvss3'] = df['cvss3'].astype('float') - df.loc[df['cvss3'].isnull(), 'cvss3_severity'] = 'info' + # df.loc[df['cvss3'].isnull(), 'cvss3_severity'] = 'info' + df.loc[df['cvss3'] == 0, 'cvss3_severity'] = 'info' df.loc[(df['cvss3'] > 0) & (df['cvss3'] < 3), 'cvss3_severity'] = 'low' df.loc[(df['cvss3'] >= 3) & (df['cvss3'] < 6), 'cvss3_severity'] = 'medium' df.loc[(df['cvss3'] >= 6) & (df['cvss3'] < 9), 'cvss3_severity'] = 'high' df.loc[(df['cvss3'] > 9) & (df['cvss3'].notnull()), 'cvss3_severity'] = 'critical' - df.fillna('', inplace=True) + # Ensure empty strings are output as nulls + df.replace({'': np.nan}, inplace=True) + return df From e6c397397b6c428ef007cada4ce1f57e014eb5cd Mon Sep 17 00:00:00 2001 From: pemontto Date: Thu, 18 Apr 2019 11:34:01 +1000 Subject: [PATCH 37/73] Update mappings and transforms --- vulnwhisp/frameworks/nessus.py | 14 +++++++++----- vulnwhisp/frameworks/openvas.py | 1 + vulnwhisp/frameworks/qualys_vuln.py | 11 +++++++---- vulnwhisp/frameworks/qualys_web.py | 1 + 4 files changed, 18 insertions(+), 9 deletions(-) diff --git a/vulnwhisp/frameworks/nessus.py b/vulnwhisp/frameworks/nessus.py index 1d6de7f..2bc306a 100755 --- a/vulnwhisp/frameworks/nessus.py +++ b/vulnwhisp/frameworks/nessus.py 
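Review bot: The new line `df.loc[df['cvss'] == 0, 'cvss3_severity'] = 'info'` in the CVSS (v2) block writes to the wrong column: a zero v2 score leaves `cvss_severity` unset and instead stamps `cvss3_severity`, which the CVSS3 block below then also writes. It should read `df.loc[df['cvss'] == 0, 'cvss_severity'] = 'info'`. With the `isnull()` lines commented out, rows whose score is null now get no severity at all; if that is intended by the "output as nulls" goal, a comment such as `# null score => no severity; empty strings become NaN below` would make the decision explicit. `common_normalise` continues outside the hunk.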
@@ -33,6 +33,7 @@ class NessusAPI(object): 'cvss3 temporal vector': 'cvss3_temporal_vector', 'fqdn': 'dns', 'host': 'asset', + 'ip address': 'ip', 'name': 'plugin_name', 'os': 'operating_system', 'see also': 'exploitability', @@ -200,8 +201,11 @@ class NessusAPI(object): if self.profile == 'tenable': # Prefer CVSS Base Score over CVSS for tenable self.logger.debug('Dropping redundant tenable fields') - df.drop('CVSS', axis=1, inplace=True) - df.drop('IP Address', axis=1, inplace=True) + df.drop('CVSS', axis=1, inplace=True, errors='ignore') + + if self.profile == 'nessus': + # Set IP from Host field + df['ip'] = df['Host'] # Lowercase and map fields from COLUMN_MAPPING df.columns = [x.lower() for x in df.columns] @@ -213,18 +217,18 @@ class NessusAPI(object): def transform_values(self, df): self.logger.debug('Transforming values') + df.fillna('', inplace=True) + # upper/lowercase fields self.logger.debug('Changing case of fields') df['cve'] = df['cve'].str.upper() df['protocol'] = df['protocol'].str.lower() df['risk'] = df['risk'].str.lower() - # Copy asset to IP - df['ip'] = df['asset'] - # Map risk to a SEVERITY MAPPING value self.logger.debug('Mapping risk to severity number') df['risk_number'] = df['risk'].str.lower().map(self.SEVERITY_MAPPING) df.fillna('', inplace=True) + return df \ No newline at end of file diff --git a/vulnwhisp/frameworks/openvas.py b/vulnwhisp/frameworks/openvas.py index 6c63c4c..3b2d958 100644 --- a/vulnwhisp/frameworks/openvas.py +++ b/vulnwhisp/frameworks/openvas.py @@ -203,4 +203,5 @@ class OpenVAS_API(object): def transform_values(self, df): self.logger.debug('Transforming values') + df.fillna('', inplace=True) return df \ No newline at end of file diff --git a/vulnwhisp/frameworks/qualys_vuln.py b/vulnwhisp/frameworks/qualys_vuln.py index 118d8f2..a202aab 100644 --- a/vulnwhisp/frameworks/qualys_vuln.py +++ b/vulnwhisp/frameworks/qualys_vuln.py 
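Review bot: The two sources of `ip` introduced here deserve a comment next to the `if self.profile == 'nessus':` branch, since the tenable profile now gets `ip` from the `IP Address` column through the new `'ip address': 'ip'` mapping while the nessus profile copies `Host`; something like `# ip: tenable exports an 'IP Address' column (mapped below); plain Nessus only exposes Host` would save the next reader a trip through both hunks. Whether `Host` in a Nessus export is always an address rather than a hostname is not visible here; if it can be a name, `ip` will carry non-IP strings, which matters if the field is indexed with an ip type downstream. Switching the `CVSS` drop to `errors='ignore'` also hides a missing column silently, so a debug log when it is absent would help diagnose profile mix-ups.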
@@ -156,32 +156,35 @@ class qualysVulnScan: def transform_values(self, df): self.logger.info('Transforming values') + df.fillna('', inplace=True) + # upper/lowercase fields self.logger.info('Changing case of fields') df['cve'] = df['cve'].str.upper() df['protocol'] = df['protocol'].str.lower() # Contruct the CVSS vector + self.logger.info('Extracting CVSS components') df['cvss_vector'] = ( - df.loc[df['cvss_base'].notnull(), 'cvss_base'] + df.loc[df['cvss_base'].str.contains(' \('), 'cvss_base'] .str.split() .apply(lambda x: x[1]) .str.strip('()') ) df['cvss_base'] = ( - df.loc[df['cvss_base'].notnull(), 'cvss_base'] + df.loc[df['cvss_base'].str.contains(' \('), 'cvss_base'] .str.split() .apply(lambda x: x[0]) ) df['cvss_temporal_vector'] = ( - df.loc[df['cvss_temporal'].notnull(), 'cvss_temporal'] + df.loc[df['cvss_temporal'].str.contains(' \('), 'cvss_temporal'] .str.split() .apply(lambda x: x[1]) .str.strip('()') ) df['cvss_temporal'] = ( - df.loc[df['cvss_temporal'].notnull(), 'cvss_temporal'] + df.loc[df['cvss_temporal'].str.contains(' \('), 'cvss_temporal'] .str.split() .apply(lambda x: x[0]) ) diff --git a/vulnwhisp/frameworks/qualys_web.py b/vulnwhisp/frameworks/qualys_web.py index b288449..98081a6 100644 --- a/vulnwhisp/frameworks/qualys_web.py +++ b/vulnwhisp/frameworks/qualys_web.py @@ -476,4 +476,5 @@ class qualysScanReport: def transform_values(self, df): self.logger.debug('Transforming values') + df.fillna('', inplace=True) return df \ No newline at end of file From 2b6afe31c200d1eb03d802a5cf5266379573a840 Mon Sep 17 00:00:00 2001 From: pemontto Date: Thu, 18 Apr 2019 16:12:54 +1000 Subject: [PATCH 38/73] minor updates --- docker-compose.v6.yml | 2 ++ vulnwhisp/frameworks/nessus.py | 2 +- vulnwhisp/vulnwhisp.py | 2 +- 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/docker-compose.v6.yml b/docker-compose.v6.yml index ab570b7..e693b13 100644 --- a/docker-compose.v6.yml +++ b/docker-compose.v6.yml 
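Review bot: `' \('` is a plain (non-raw) string literal, so `\(` is an invalid escape that Python reports as a DeprecationWarning (a SyntaxWarning on newer interpreters); write it as `r' \('`, or avoid regex altogether with `.str.contains(' (', regex=False)`, on all four occurrences. Note also that rows whose `cvss_base`/`cvss_temporal` value has no parenthesised vector are now excluded from the `.loc` selection, so after the assignment those rows' score columns become NaN instead of keeping the bare score, whereas the previous `.notnull()` selection kept them; if Qualys ever emits a score without a vector, that score is lost. A short comment stating that only the `score (vector)` form is supported, or a fallback that retains the original value for non-matching rows, would make that trade-off explicit.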
@@ -8,6 +8,7 @@ services: - bootstrap.memory_lock=true - "ES_JAVA_OPTS=-Xms1g -Xmx1g" - xpack.security.enabled=false + - path.repo=/snapshots ulimits: memlock: soft: -1 @@ -18,6 +19,7 @@ services: mem_limit: 8g volumes: - esdata1:/usr/share/elasticsearch/data + - ./data/es_snapshots:/snapshots ports: - 9200:9200 #restart: always diff --git a/vulnwhisp/frameworks/nessus.py b/vulnwhisp/frameworks/nessus.py index 2bc306a..7b51501 100755 --- a/vulnwhisp/frameworks/nessus.py +++ b/vulnwhisp/frameworks/nessus.py @@ -227,7 +227,7 @@ class NessusAPI(object): # Map risk to a SEVERITY MAPPING value self.logger.debug('Mapping risk to severity number') - df['risk_number'] = df['risk'].str.lower().map(self.SEVERITY_MAPPING) + df['risk_number'] = df['risk'].map(self.SEVERITY_MAPPING) df.fillna('', inplace=True) diff --git a/vulnwhisp/vulnwhisp.py b/vulnwhisp/vulnwhisp.py index 7925d5f..633945b 100755 --- a/vulnwhisp/vulnwhisp.py +++ b/vulnwhisp/vulnwhisp.py @@ -947,7 +947,7 @@ class vulnWhispererQualysVuln(vulnWhispererBase): else: try: - self.logger.info('Processing report ID: {}'.format(report_id)) + self.logger.info('Processing {}: {}'.format(report_id, scan_name.encode('utf8'))) vuln_ready = self.qualys_scan.process_data(scan_id=report_id) # Map and transform fields vuln_ready = self.qualys_scan.normalise(vuln_ready) From 7c2aa541561286a97d82a9446420ac49def622ae Mon Sep 17 00:00:00 2001 From: pemontto Date: Mon, 22 Apr 2019 10:56:01 +1000 Subject: [PATCH 39/73] refactor cvss normalisation --- vulnwhisp/vulnwhisp.py | 85 ++++++++++++++++-------------------------- 1 file changed, 32 insertions(+), 53 deletions(-) diff --git a/vulnwhisp/vulnwhisp.py b/vulnwhisp/vulnwhisp.py index 633945b..e39bf60 100755 --- a/vulnwhisp/vulnwhisp.py +++ b/vulnwhisp/vulnwhisp.py 
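Review bot: `path.repo=/snapshots` together with the `./data/es_snapshots:/snapshots` bind mount makes that host directory registrable as a filesystem snapshot repository, and with `xpack.security.enabled=false` on the context line above, any client that can reach port 9200 can register a repository there and read, overwrite or delete snapshots. Keep the host directory dedicated to this purpose with restrictive permissions, and add a comment such as `# snapshot repo; writable by anyone who can reach ES while security is disabled` so the exposure is not forgotten if the compose file is reused beyond local testing.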
@@ -246,63 +246,42 @@ class vulnWhispererBase(object): def common_normalise(self, df): """Map and transform common data values""" - self.logger.info('Start common mapping') + self.logger.info('Start common normalisation') - if 'cvss_base' in df: - self.logger.info('Normalising CVSS base') - # CVSS = cvss_temporal or cvss_base - df['cvss'] = df['cvss_base'] - df.loc[df['cvss_temporal'] != '', 'cvss'] = df['cvss_temporal'] + self.logger.info('Normalising CVSS') + for cvss_version in ['cvss', 'cvss3']: + if cvss_version + '_base' in df: + self.logger.info('Normalising {} base'.format(cvss_version)) + # CVSS = cvss_temporal or cvss_base + df[cvss_version] = df[cvss_version + '_base'] + df.loc[df[cvss_version + '_temporal'] != '', cvss_version] = df[cvss_version + '_temporal'] - if 'cvss3_base' in df: - self.logger.info('Normalising CVSS3 base') - # CVSS3 = cvss3_temporal or cvss3_base - df['cvss3'] = df['cvss3_base'] - df.loc[df['cvss3_temporal'] != '', 'cvss3'] = df['cvss3_temporal'] + # Combine CVSS and CVSS3 vectors + if cvss_version + '_vector' in df and cvss_version + '_temporal_vector' in df: + self.logger.info('Normalising {} vector'.format(cvss_version)) + df[cvss_version + '_vector'] = ( + df[[cvss_version + '_vector', cvss_version + '_temporal_vector']] + .apply(lambda x: '{}/{}'.format(x[0], x[1]), axis=1) + .str.rstrip('/nan') + ) + df.drop(cvss_version + '_temporal_vector', axis=1, inplace=True) - # Combine CVSS and CVSS3 vectors - if 'cvss_vector' in df and 'cvss_temporal_vector' in df: - self.logger.info('Normalising CVSS Vector') - df['cvss_vector'] = ( - df[['cvss_vector', 'cvss_temporal_vector']] - .apply(lambda x: '{}/{}'.format(x[0], x[1]), axis=1) - .str.rstrip('/nan') - ) - df.drop('cvss_temporal_vector', axis=1, inplace=True) - if 'cvss3_vector' in df and 'cvss3_temporal_vector' in df: - self.logger.info('Normalising CVSS3 Vector') - df['cvss3_vector'] = ( - df[['cvss3_vector', 'cvss3_temporal_vector']] - .apply(lambda x: '{}/{}'.format(x[0], 
x[1]), axis=1) - .str.rstrip('/nan') - ) - df.drop('cvss3_temporal_vector', axis=1, inplace=True) + if cvss_version in df: + self.logger.info('Normalising {} severity'.format(cvss_version)) + # Map CVSS to severity name + df.loc[df[cvss_version] == '', cvss_version] = None + df[cvss_version] = df[cvss_version].astype('float') + # df.loc[df[cvss_version].isnull(), cvss_version + '_severity'] = 'info' + df.loc[df[cvss_version] == 0, cvss_version + '_severity'] = 'info' + df.loc[(df[cvss_version] > 0) & (df[cvss_version] < 3), cvss_version + '_severity'] = 'low' + df.loc[(df[cvss_version] >= 3) & (df[cvss_version] < 6), cvss_version + '_severity'] = 'medium' + df.loc[(df[cvss_version] >= 6) & (df[cvss_version] < 9), cvss_version + '_severity'] = 'high' + df.loc[(df[cvss_version] > 9) & (df[cvss_version].notnull()), cvss_version + '_severity'] = 'critical' - if 'cvss' in df: - self.logger.info('Normalising CVSS severity') - # Map CVSS to severity name - df.loc[df['cvss'] == '', 'cvss'] = None - df['cvss'] = df['cvss'].astype('float') - # df.loc[df['cvss'].isnull(), 'cvss_severity'] = 'info' - df.loc[df['cvss'] == 0, 'cvss3_severity'] = 'info' - df.loc[(df['cvss'] > 0) & (df['cvss'] < 3), 'cvss_severity'] = 'low' - df.loc[(df['cvss'] >= 3) & (df['cvss'] < 6), 'cvss_severity'] = 'medium' - df.loc[(df['cvss'] >= 6) & (df['cvss'] < 9), 'cvss_severity'] = 'high' - df.loc[(df['cvss'] > 9) & (df['cvss'].notnull()), 'cvss_severity'] = 'critical' - - if 'cvss3' in df: - self.logger.info('Normalising CVSS3 severity') - # Map CVSS to severity name - df.loc[df['cvss3'] == '', 'cvss3'] = None - df['cvss3'] = df['cvss3'].astype('float') - # df.loc[df['cvss3'].isnull(), 'cvss3_severity'] = 'info' - df.loc[df['cvss3'] == 0, 'cvss3_severity'] = 'info' - df.loc[(df['cvss3'] > 0) & (df['cvss3'] < 3), 'cvss3_severity'] = 'low' - df.loc[(df['cvss3'] >= 3) & (df['cvss3'] < 6), 'cvss3_severity'] = 'medium' - df.loc[(df['cvss3'] >= 6) & (df['cvss3'] < 9), 'cvss3_severity'] = 'high' - 
df.loc[(df['cvss3'] > 9) & (df['cvss3'].notnull()), 'cvss3_severity'] = 'critical' - - # Ensure empty strings are output as nulls + # Make rename cvss to cvss2 + # Make cvss with no suffix == cvss3 else cvss2 + # cvss = cvss3 if cvss3 else cvss2 + # cvss_severity = cvss3_severity if cvss3_severity else cvss2_severity df.replace({'': np.nan}, inplace=True) return df From 8d59831855ada5faf0076899f7d31b0e4ebaab3c Mon Sep 17 00:00:00 2001 From: pemontto Date: Mon, 22 Apr 2019 11:18:49 +1000 Subject: [PATCH 40/73] don't use reserved _timestamp --- .../pipeline/1000_nessus_process_file.conf | 4 ++-- .../elk6/pipeline/2000_qualys_web_scans.conf | 4 ++-- resources/elk6/pipeline/3000_openvas.conf | 4 ++-- vulnwhisp/vulnwhisp.py | 18 ++++++------------ 4 files changed, 12 insertions(+), 18 deletions(-) diff --git a/resources/elk6/pipeline/1000_nessus_process_file.conf b/resources/elk6/pipeline/1000_nessus_process_file.conf index d300b93..c0c4f27 100644 --- a/resources/elk6/pipeline/1000_nessus_process_file.conf +++ b/resources/elk6/pipeline/1000_nessus_process_file.conf @@ -28,9 +28,9 @@ filter { if "nessus" in [tags] or "tenable" in [tags] { date { - match => [ "_timestamp", "UNIX" ] + match => [ "scan_time", "UNIX" ] target => "@timestamp" - remove_field => ["_timestamp"] + remove_field => ["scan_time"] } #If using filebeats as your source, you will need to replace the "path" field to "source" diff --git a/resources/elk6/pipeline/2000_qualys_web_scans.conf b/resources/elk6/pipeline/2000_qualys_web_scans.conf index 145852c..aad34f1 100644 --- a/resources/elk6/pipeline/2000_qualys_web_scans.conf +++ b/resources/elk6/pipeline/2000_qualys_web_scans.conf @@ -20,9 +20,9 @@ input { filter { if "qualys" in [tags] { date { - match => [ "_timestamp", "UNIX" ] + match => [ "scan_time", "UNIX" ] target => "@timestamp" - remove_field => ["_timestamp"] + remove_field => ["scan_time"] } grok { 
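Review bot: The rewritten severity mapping still leaves a score of exactly 9.0 without a label: the high band stops at `< 9` and the critical line uses `> 9`, and the loop now applies that gap to both `cvss` and `cvss3`. `df.loc[df[cvss_version] >= 9, cvss_version + '_severity'] = 'critical'` closes it, and the `.notnull()` term becomes unnecessary because NaN compares False. Separately, `.str.rstrip('/nan')` strips any trailing run of the characters `/`, `n` and `a`, not the literal suffix `/nan`; it happens to work while vector strings are uppercase, but `.str.replace(r'/nan$', '', regex=True)` states the intent. The `cvss_version + '_temporal'` lookup also assumes the temporal column is present whenever the base column is, which would raise a KeyError for a framework supplying only a base score if such a case exists.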
diff --git a/resources/elk6/pipeline/3000_openvas.conf b/resources/elk6/pipeline/3000_openvas.conf index 7017acd..47aed47 100644 --- a/resources/elk6/pipeline/3000_openvas.conf +++ b/resources/elk6/pipeline/3000_openvas.conf @@ -21,9 +21,9 @@ input { filter { if "openvas_scan" in [tags] { date { - match => [ "_timestamp", "UNIX" ] + match => [ "scan_time", "UNIX" ] target => "@timestamp" - remove_field => ["_timestamp"] + remove_field => ["scan_time"] } grok { diff --git a/vulnwhisp/vulnwhisp.py b/vulnwhisp/vulnwhisp.py index e39bf60..2291500 100755 --- a/vulnwhisp/vulnwhisp.py +++ b/vulnwhisp/vulnwhisp.py @@ -278,7 +278,7 @@ class vulnWhispererBase(object): df.loc[(df[cvss_version] >= 6) & (df[cvss_version] < 9), cvss_version + '_severity'] = 'high' df.loc[(df[cvss_version] > 9) & (df[cvss_version].notnull()), cvss_version + '_severity'] = 'critical' - # Make rename cvss to cvss2 + # Rename cvss to cvss2 # Make cvss with no suffix == cvss3 else cvss2 # cvss = cvss3 if cvss3 else cvss2 # cvss_severity = cvss3_severity if cvss3_severity else cvss2_severity @@ -497,9 +497,7 @@ class vulnWhispererNessus(vulnWhispererBase): # Set common fields vuln_ready['scan_name'] = scan_name.encode('utf8') vuln_ready['scan_id'] = uuid - - # Add timestamp - vuln_ready['_timestamp'] = norm_time + vuln_ready['scan_time'] = norm_time vuln_ready['scan_source'] = self.CONFIG_SECTION vuln_ready.to_json(relative_path_name, orient='records', lines=True) @@ -658,8 +656,7 @@ class vulnWhispererQualys(vulnWhispererBase): # Set common fields vuln_ready['scan_name'] = scan_name.encode('utf8') vuln_ready['scan_id'] = report_id - # Add timestamp - vuln_ready['_timestamp'] = launched_date + vuln_ready['scan_time'] = launched_date vuln_ready['scan_source'] = self.CONFIG_SECTION record_meta = ( 
@@ -680,7 +677,7 @@ class vulnWhispererQualys(vulnWhispererBase): vuln_ready.to_json(relative_path_name, orient='records', lines=True) elif output_format == 'csv': - vuln_ready.to_csv(relative_path_name, index=False, header=True) # add when timestamp occured + vuln_ready.to_csv(relative_path_name, index=False, header=True) self.logger.info('Report written to {}'.format(report_name)) @@ -833,8 +830,7 @@ class vulnWhispererOpenVAS(vulnWhispererBase): # Set common fields vuln_ready['scan_name'] = scan_name.encode('utf8') vuln_ready['scan_id'] = report_id - # Add _timestamp and convert to milliseconds - vuln_ready['_timestamp'] = launched_date + vuln_ready['scan_time'] = launched_date vuln_ready['scan_source'] = self.CONFIG_SECTION vuln_ready.to_json(relative_path_name, orient='records', lines=True) @@ -935,9 +931,7 @@ class vulnWhispererQualysVuln(vulnWhispererBase): # Set common fields vuln_ready['scan_name'] = scan_name.encode('utf8') vuln_ready['scan_id'] = report_id - - # Add timestamp - vuln_ready['_timestamp'] = launched_date + vuln_ready['scan_time'] = launched_date vuln_ready['scan_source'] = self.CONFIG_SECTION except Exception as e: From 0c3200567e874850bc817ffc1509dca2db976679 Mon Sep 17 00:00:00 2001 From: pemontto Date: Mon, 22 Apr 2019 11:38:41 +1000 Subject: [PATCH 41/73] remove unnecessary groks --- .../pipeline/1000_nessus_process_file.conf | 7 ------- .../elk6/pipeline/2000_qualys_web_scans.conf | 19 +++++++++++-------- resources/elk6/pipeline/3000_openvas.conf | 6 ------ 3 files changed, 11 insertions(+), 21 deletions(-) diff --git a/resources/elk6/pipeline/1000_nessus_process_file.conf b/resources/elk6/pipeline/1000_nessus_process_file.conf index c0c4f27..91c3dd5 100644 --- a/resources/elk6/pipeline/1000_nessus_process_file.conf +++ b/resources/elk6/pipeline/1000_nessus_process_file.conf 
@@ -33,13 +33,6 @@ filter { remove_field => ["scan_time"] } - #If using filebeats as your source, you will need to replace the "path" field to "source" - # Remove when scan name is included in event (current method is error prone) - grok { - match => { "path" => "([a-zA-Z0-9_.\-]+)_%{INT}_%{INT:history_id}_%{INT}.json$" } - tag_on_failure => [] - } - mutate { convert => { "cvss" => "float"} convert => { "cvss_base" => "float"} diff --git a/resources/elk6/pipeline/2000_qualys_web_scans.conf b/resources/elk6/pipeline/2000_qualys_web_scans.conf index aad34f1..652e48a 100644 --- a/resources/elk6/pipeline/2000_qualys_web_scans.conf +++ b/resources/elk6/pipeline/2000_qualys_web_scans.conf @@ -6,11 +6,19 @@ input { file { - path => [ "/opt/VulnWhisperer/data/qualys/*.json" , "/opt/VulnWhisperer/data/qualys_web/*.json", "/opt/VulnWhisperer/data/qualys_vuln/*.json"] - type => json + path => [ "/opt/VulnWhisperer/data/qualys_vuln/*.json" ] codec => json start_position => "beginning" - tags => [ "qualys" ] + tags => [ "qualys_vuln" ] + mode => "read" + start_position => "beginning" + file_completed_action => "delete" + } + file { + path => [ "/opt/VulnWhisperer/data/qualys_web/*.json" ] + codec => json + start_position => "beginning" + tags => [ "qualys_web" ] mode => "read" start_position => "beginning" file_completed_action => "delete" @@ -25,11 +33,6 @@ filter { remove_field => ["scan_time"] } - grok { - match => { "path" => [ "(?qualys_vuln)_scan_%{DATA}_%{INT}.json$", "(?qualys_web)_%{INT:app_id}_%{INT}.json$" ] } - tag_on_failure => [] - } - if "qualys_web" in [tags] { mutate { add_field => { "asset" => "%{web_application_name}" } diff --git a/resources/elk6/pipeline/3000_openvas.conf b/resources/elk6/pipeline/3000_openvas.conf index 47aed47..00ef7cc 100644 --- a/resources/elk6/pipeline/3000_openvas.conf +++ b/resources/elk6/pipeline/3000_openvas.conf 
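Review bot: Each of the two new `file {}` inputs ends up with `start_position => "beginning"` twice, once from the context line kept from the old block and once from the added line; Logstash may reject the duplicate setting or silently keep one, so drop the added copy in both blocks. Removing the `grok` also removes the only place `app_id` was derived from the qualys_web file name, so unless the producer now writes that field into each event, qualys_web documents lose it; a comment on the input block stating which fields the JSON is expected to carry would document that dependency.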
@@ -7,7 +7,6 @@ input { file { path => "/opt/VulnWhisperer/data/openvas/*.json" - type => json codec => json start_position => "beginning" tags => [ "openvas_scan", "openvas" ] @@ -26,11 +25,6 @@ filter { remove_field => ["scan_time"] } - grok { - match => { "path" => "openvas_scan_%{DATA}_%{INT}.json$" } - tag_on_failure => [] - } - # TODO - move this mapping into the vulnwhisperer module translate { field => "[risk_number]" From 85cca87e5845b27722b87265a1dfb84d550fce05 Mon Sep 17 00:00:00 2001 From: pemontto Date: Mon, 22 Apr 2019 11:41:51 +1000 Subject: [PATCH 42/73] move fields from logstash into vulnwhisperer --- vulnwhisp/vulnwhisp.py | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/vulnwhisp/vulnwhisp.py b/vulnwhisp/vulnwhisp.py index 2291500..96847dc 100755 --- a/vulnwhisp/vulnwhisp.py +++ b/vulnwhisp/vulnwhisp.py @@ -410,7 +410,6 @@ class vulnWhispererNessus(vulnWhispererBase): return self.exit_code # Create scan subfolders - for f in folders: if not os.path.exists(self.path_check(f['name'])): if f['name'] == 'Trash' and self.nessus_trash: @@ -422,8 +421,6 @@ class vulnWhispererNessus(vulnWhispererBase): self.logger.info('Directory already exists for {scan} - Skipping creation'.format( scan=self.path_check(f['name']).encode('utf8'))) - # try download and save scans into each folder the belong to - scan_count = 0 # TODO Rewrite this part to go through the scans that have aleady been processed @@ -495,10 +492,11 @@ class vulnWhispererNessus(vulnWhispererBase): vuln_ready = self.common_normalise(vuln_ready) # Set common fields - vuln_ready['scan_name'] = scan_name.encode('utf8') + vuln_ready['history_id'] = history_id vuln_ready['scan_id'] = uuid - vuln_ready['scan_time'] = norm_time + vuln_ready['scan_name'] = scan_name.encode('utf8') vuln_ready['scan_source'] = self.CONFIG_SECTION + vuln_ready['scan_time'] = norm_time vuln_ready.to_json(relative_path_name, orient='records', lines=True) 
@@ -654,10 +652,11 @@ class vulnWhispererQualys(vulnWhispererBase): vuln_ready.rename(columns=self.COLUMN_MAPPING, inplace=True) # Set common fields + vuln_ready['app_id'] = report_id + vuln_ready['scan_id'] = scan_reference vuln_ready['scan_name'] = scan_name.encode('utf8') - vuln_ready['scan_id'] = report_id - vuln_ready['scan_time'] = launched_date vuln_ready['scan_source'] = self.CONFIG_SECTION + vuln_ready['scan_time'] = launched_date record_meta = ( scan_name, From 50f4d76fecd7b5b013e36ffa5c9e3215683d9040 Mon Sep 17 00:00:00 2001 From: pemontto Date: Mon, 22 Apr 2019 12:34:21 +1000 Subject: [PATCH 43/73] move setup.py install to install --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index d98caaa..9eba2c1 100644 --- a/.travis.yml +++ b/.travis.yml @@ -22,13 +22,13 @@ before_install: install: - pip install -r requirements.txt - pip install flake8 # pytest # add another testing frameworks later + - python setup.py install before_script: # stop the build if there are Python syntax errors or undefined names - flake8 . --count --exclude=deps/qualysapi --select=E901,E999,F821,F822,F823 --show-source --statistics # exit-zero treats all errors as warnings. The GitHub editor is 127 chars wide - flake8 . --count --exit-zero --exclude=deps/qualysapi --max-complexity=10 --max-line-length=127 --statistics script: - - python setup.py install - bash tests/test-vuln_whisperer.sh - bash tests/test-docker.sh notifications: From 7999810d28c08e768cbb0a62a791896138fc5b93 Mon Sep 17 00:00:00 2001 From: pemontto Date: Mon, 22 Apr 2019 13:48:25 +1000 Subject: [PATCH 44/73] fix qualys logstash conditionals --- resources/elk6/pipeline/2000_qualys_web_scans.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/resources/elk6/pipeline/2000_qualys_web_scans.conf b/resources/elk6/pipeline/2000_qualys_web_scans.conf index 652e48a..bde33f4 100644 --- a/resources/elk6/pipeline/2000_qualys_web_scans.conf 
+++ b/resources/elk6/pipeline/2000_qualys_web_scans.conf @@ -26,7 +26,7 @@ input { } filter { - if "qualys" in [tags] { + if "qualys_vuln" in [tags] or "qualys_web" in [tags] { date { match => [ "scan_time", "UNIX" ] target => "@timestamp" @@ -82,7 +82,7 @@ filter { } } output { - if "qualys" in [tags] { + if "qualys_vuln" in [tags] or "qualys_web" in [tags] { stdout { codec => dots } From 51fa81cb05432ea6de3dbb9384fcd7cf84e51e81 Mon Sep 17 00:00:00 2001 From: pemontto Date: Tue, 23 Apr 2019 16:59:55 +1000 Subject: [PATCH 45/73] restructure and write openvas to db --- vulnwhisp/vulnwhisp.py | 293 ++++++++++++++++++++++------------------- 1 file changed, 154 insertions(+), 139 deletions(-) diff --git a/vulnwhisp/vulnwhisp.py b/vulnwhisp/vulnwhisp.py index 96847dc..71c38b3 100755 --- a/vulnwhisp/vulnwhisp.py +++ b/vulnwhisp/vulnwhisp.py 
@@ -388,138 +388,142 @@ class vulnWhispererNessus(vulnWhispererBase): def whisper_nessus(self): - if self.nessus_connect: - scan_data = self.nessus.scans - folders = scan_data['folders'] - scans = scan_data['scans'] if scan_data['scans'] else [] - all_scans = self.scan_count(scans) - if self.uuids: - scan_list = [ - scan for scan in all_scans - if scan["uuid"] not in self.uuids - and scan["status"] in ["completed", "imported"] - ] + if not self.nessus_connect: + self.logger.error('Failed to use scanner at {host}:{port}'.format(host=self.hostname, port=self.nessus_port)) + self.exit_code += 1 + return self.exit_code + + scan_data = self.nessus.scans + folders = scan_data['folders'] + scans = scan_data['scans'] if scan_data['scans'] else [] + all_scans = self.scan_count(scans) + if self.uuids: + scan_list = [ + scan for scan in all_scans + if scan["uuid"] not in self.uuids + and scan["status"] in ["completed", "imported"] + ] + else: + scan_list = all_scans + self.logger.info( + "Identified {new} scans to be processed".format(new=len(scan_list)) + ) + + if not scan_list: + self.logger.warn("No new scans to process. 
Exiting...") + return self.exit_code + + # Create scan subfolders + for f in folders: + if not os.path.exists(self.path_check(f['name'])): + if f['name'] == 'Trash' and self.nessus_trash: + os.makedirs(self.path_check(f['name'])) + elif f['name'] != 'Trash': + os.makedirs(self.path_check(f['name'])) else: - scan_list = all_scans - self.logger.info( - "Identified {new} scans to be processed".format(new=len(scan_list)) + os.path.exists(self.path_check(f['name'])) + self.logger.info('Directory already exists for {scan} - Skipping creation'.format( + scan=self.path_check(f['name']).encode('utf8'))) + + scan_count = 0 + + # TODO Rewrite this part to go through the scans that have aleady been processed + + for s in scan_list: + scan_count += 1 + ( + scan_name, + scan_id, + history_id, + norm_time, + status, + uuid, + ) = ( + s['scan_name'], + s['scan_id'], + s['history_id'], + s['norm_time'], + s['status'], + s['uuid'], ) - if not scan_list: - self.logger.warn("No new scans to process. Exiting...") - return self.exit_code + # TODO Create directory sync function which scans the directory for files that exist already and populates the database - # Create scan subfolders - for f in folders: - if not os.path.exists(self.path_check(f['name'])): - if f['name'] == 'Trash' and self.nessus_trash: - os.makedirs(self.path_check(f['name'])) - elif f['name'] != 'Trash': - os.makedirs(self.path_check(f['name'])) - else: - os.path.exists(self.path_check(f['name'])) - self.logger.info('Directory already exists for {scan} - Skipping creation'.format( - scan=self.path_check(f['name']).encode('utf8'))) - - scan_count = 0 - - # TODO Rewrite this part to go through the scans that have aleady been processed - - for s in scan_list: - scan_count += 1 - ( - scan_name, - scan_id, - history_id, - norm_time, - status, - uuid, - ) = ( - s['scan_name'], - s['scan_id'], - s['history_id'], - s['norm_time'], - s['status'], - s['uuid'], - ) - - # TODO Create directory sync function which scans the 
directory for files that exist already and populates the database - - folder_id = s['folder_id'] - if self.CONFIG_SECTION == 'tenable': - folder_name = '' - else: - folder_name = next(f['name'] for f in folders if f['id'] == folder_id) - if status in ['completed', 'imported']: - file_name = '%s_%s_%s_%s.%s' % (scan_name, scan_id, - history_id, norm_time, 'json') - repls = (('\\', '_'), ('/', '_'), (' ', '_')) - file_name = reduce(lambda a, kv: a.replace(*kv), repls, file_name) - relative_path_name = self.path_check(folder_name + '/' + file_name).encode('utf8') - - if os.path.isfile(relative_path_name): - if self.develop: - csv_in = pd.read_json(relative_path_name, lines=True) - record_meta = ( - scan_name, - scan_id, - norm_time, - file_name, - time.time(), - csv_in.shape[0], - self.CONFIG_SECTION, - uuid, - 1, - 0, - ) - self.record_insert(record_meta) - self.logger.info('File (unknown) already exists! Updating database'.format(filename=relative_path_name)) - else: - try: - file_req = \ - self.nessus.download_scan(scan_id=scan_id, history=history_id, - export_format='csv') - except Exception as e: - self.logger.error('Could not download {} scan {}: {}'.format(self.CONFIG_SECTION, scan_id, str(e))) - self.exit_code += 1 - continue - - self.logger.info('Processing {}/{} for scan: {}'.format(scan_count, len(scan_list), scan_name.encode('utf8'))) - vuln_ready = pd.read_csv(io.StringIO(file_req.decode('utf-8'))) - - # Map and transform fields - vuln_ready = self.nessus.normalise(vuln_ready) - vuln_ready = self.common_normalise(vuln_ready) - - # Set common fields - vuln_ready['history_id'] = history_id - vuln_ready['scan_id'] = uuid - vuln_ready['scan_name'] = scan_name.encode('utf8') - vuln_ready['scan_source'] = self.CONFIG_SECTION - vuln_ready['scan_time'] = norm_time - - vuln_ready.to_json(relative_path_name, orient='records', lines=True) + folder_id = s['folder_id'] + if self.CONFIG_SECTION == 'tenable': + folder_name = '' + else: + folder_name = next(f['name'] 
for f in folders if f['id'] == folder_id) + if status in ['completed', 'imported']: + file_name = '%s_%s_%s_%s.%s' % (scan_name, scan_id, + history_id, norm_time, 'json') + repls = (('\\', '_'), ('/', '_'), (' ', '_')) + file_name = reduce(lambda a, kv: a.replace(*kv), repls, file_name) + relative_path_name = self.path_check(folder_name + '/' + file_name).encode('utf8') + if os.path.isfile(relative_path_name): + if self.develop: + csv_in = pd.read_json(relative_path_name, lines=True) record_meta = ( scan_name, scan_id, norm_time, file_name, time.time(), - vuln_ready.shape[0], + csv_in.shape[0], self.CONFIG_SECTION, uuid, 1, 0, ) self.record_insert(record_meta) - self.logger.info('{records} records written to {path} '.format(records=vuln_ready.shape[0], - path=file_name.encode('utf8'))) - self.conn.close() - self.logger.info('Scan aggregation complete! Connection to database closed.') - else: - self.logger.error('Failed to use scanner at {host}:{port}'.format(host=self.hostname, port=self.nessus_port)) - self.exit_code += 1 + self.logger.info('File (unknown) already exists! 
Updating database'.format(filename=relative_path_name)) + else: + try: + file_req = \ + self.nessus.download_scan(scan_id=scan_id, history=history_id, + export_format='csv') + except Exception as e: + self.logger.error('Could not download {} scan {}: {}'.format(self.CONFIG_SECTION, scan_id, str(e))) + self.exit_code += 1 + continue + + self.logger.info('Processing {}/{} for scan: {}'.format(scan_count, len(scan_list), scan_name.encode('utf8'))) + vuln_ready = pd.read_csv(io.StringIO(file_req.decode('utf-8'))) + + # Map and transform fields + vuln_ready = self.nessus.normalise(vuln_ready) + vuln_ready = self.common_normalise(vuln_ready) + + # Set common fields + vuln_ready['history_id'] = history_id + vuln_ready['scan_id'] = uuid + vuln_ready['scan_name'] = scan_name.encode('utf8') + vuln_ready['scan_source'] = self.CONFIG_SECTION + vuln_ready['scan_time'] = norm_time + + vuln_ready.to_json(relative_path_name, orient='records', lines=True) + self.logger.info('{records} records written to {path} '.format(records=vuln_ready.shape[0], + path=relative_path_name)) + + record_meta = ( + scan_name, + scan_id, + norm_time, + file_name, + time.time(), + vuln_ready.shape[0], + self.CONFIG_SECTION, + uuid, + 1, + 0, + ) + self.record_insert(record_meta) + self.logger.info('Scan {} ({}) written to database'.format(scan_name.encode('utf8'), uuid)) + + self.conn.close() + self.logger.info('Scan aggregation complete! Connection to database closed.') + return self.exit_code 
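Review bot: In the restructured whisper_nessus the `else:` branch of the subfolder loop still executes `os.path.exists(self.path_check(f['name']))` as a bare statement whose result is discarded; only the log line is needed there. The message `'File (unknown) already exists! Updating database'.format(filename=relative_path_name)` passes a keyword the template never uses, so the path is never logged — it should read `'File {filename} already exists! Updating database'`. `folder_name` comes from the scanner's folder list and, unlike `file_name`, is not run through the `repls` substitutions before being joined into `relative_path_name`; unless `path_check` normalises it, a folder name containing a separator creates a nested directory under the data path, so applying the same substitutions to it would be safer. `self.logger.warn` is the deprecated alias of `warning`.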
@@ -658,6 +662,15 @@ class vulnWhispererQualys(vulnWhispererBase): vuln_ready['scan_source'] = self.CONFIG_SECTION vuln_ready['scan_time'] = launched_date + if output_format == 'json': + vuln_ready.to_json(relative_path_name, orient='records', lines=True) + + elif output_format == 'csv': + vuln_ready.to_csv(relative_path_name, index=False, header=True) + + self.logger.info('{records} records written to {path} '.format(records=vuln_ready.shape[0], + path=relative_path_name)) + record_meta = ( scan_name, scan_reference, @@ -671,14 +684,7 @@ class vulnWhispererQualys(vulnWhispererBase): 0, ) self.record_insert(record_meta) - - if output_format == 'json': - vuln_ready.to_json(relative_path_name, orient='records', lines=True) - - elif output_format == 'csv': - vuln_ready.to_csv(relative_path_name, index=False, header=True) - - self.logger.info('Report written to {}'.format(report_name)) + self.logger.info('Scan {} ({}) written to database'.format(scan_name.encode('utf8'), report_id)) if cleanup: self.logger.info('Removing report {} from Qualys Database'.format(generated_report_id)) @@ -804,17 +810,6 @@ class vulnWhispererOpenVAS(vulnWhispererBase): self.record_insert(record_meta) self.logger.info('File (unknown) already exists! Updating database'.format(filename=relative_path_name)) - record_meta = ( - scan_name, - scan_reference, - launched_date, - report_name, - time.time(), - file_length, - self.CONFIG_SECTION, - report_id, - 1, - ) else: vuln_ready = self.openvas_api.process_report(report_id=report_id) 
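Review bot: Moving the `to_json`/`to_csv` writes ahead of `record_insert` in vulnWhispererQualys leaves no `else` for an `output_format` that is neither `json` nor `csv`: the "records written to" log and the database insert still run although no file was produced. The same fall-through exists in the vulnWhispererQualysVuln hunk on the next line, which only handles `json`. An explicit `else:` that logs the unsupported format, increments `self.exit_code` and skips the insert would keep the database consistent with what is on disk. The enclosing methods start outside these hunks.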
@@ -833,7 +828,24 @@ class vulnWhispererOpenVAS(vulnWhispererBase): vuln_ready['scan_source'] = self.CONFIG_SECTION vuln_ready.to_json(relative_path_name, orient='records', lines=True) - self.logger.info('Report written to {}'.format(report_name)) + self.logger.info('{records} records written to {path} '.format(records=vuln_ready.shape[0], + path=relative_path_name)) + + record_meta = ( + scan_name, + scan_reference, + launched_date, + report_name, + time.time(), + vuln_ready.shape[0], + self.CONFIG_SECTION, + report_id, + 1, + 0, + ) + self.record_insert(record_meta) + self.logger.info('Scan {} ({}) written to database'.format(scan_name.encode('utf8'), report_id)) + return report @@ -938,6 +950,12 @@ class vulnWhispererQualysVuln(vulnWhispererBase): self.exit_code += 1 return self.exit_code + if output_format == 'json': + vuln_ready.to_json(relative_path_name, orient='records', lines=True) + + self.logger.info('{records} records written to {path} '.format(records=vuln_ready.shape[0], + path=relative_path_name)) + record_meta = ( scan_name, scan_reference, @@ -951,11 +969,8 @@ class vulnWhispererQualysVuln(vulnWhispererBase): 0, ) self.record_insert(record_meta) + self.logger.info('Scan {} ({}) written to database'.format(scan_name.encode('utf8'), report_id)) - if output_format == 'json': - vuln_ready.to_json(relative_path_name, orient='records', lines=True) - - self.logger.info('Report written to {}'.format(report_name)) return self.exit_code From 73ae99f0541f662af9992777db2df2be5e16cc03 Mon Sep 17 00:00:00 2001 From: pemontto Date: Wed, 24 Apr 2019 09:03:14 +1000 Subject: [PATCH 46/73] reorganise imports --- bin/vuln_whisperer | 11 ++++++----- vulnwhisp/frameworks/qualys_web.py | 15 ++++++++------- vulnwhisp/test/mock.py | 3 ++- vulnwhisp/vulnwhisp.py | 29 +++++++++++++++-------------- 4 files changed, 31 insertions(+), 27 deletions(-) diff --git a/bin/vuln_whisperer b/bin/vuln_whisperer index 09ed142..e9def6c 100644 --- a/bin/vuln_whisperer 
+++ b/bin/vuln_whisperer @@ -3,13 +3,14 @@ __author__ = 'Austin Taylor' -from vulnwhisp.vulnwhisp import vulnWhisperer +import argparse +import logging +import os +import sys + from vulnwhisp.base.config import vwConfig from vulnwhisp.test.mock import mockAPI -import os -import argparse -import sys -import logging +from vulnwhisp.vulnwhisp import vulnWhisperer def isFileValid(parser, arg): diff --git a/vulnwhisp/frameworks/qualys_web.py b/vulnwhisp/frameworks/qualys_web.py index 98081a6..b52f0ee 100644 --- a/vulnwhisp/frameworks/qualys_web.py +++ b/vulnwhisp/frameworks/qualys_web.py @@ -2,18 +2,19 @@ # -*- coding: utf-8 -*- __author__ = 'Austin Taylor' -from lxml import objectify -from lxml.builder import E +import csv +import logging +import os +import sys import xml.etree.ElementTree as ET + +import dateutil.parser as dp import pandas as pd import qualysapi import qualysapi.config as qcconf import requests -import sys -import os -import csv -import logging -import dateutil.parser as dp +from lxml import objectify +from lxml.builder import E class qualysWhisperAPI(object): diff --git a/vulnwhisp/test/mock.py b/vulnwhisp/test/mock.py index 8af8cbc..95d3f32 100644 --- a/vulnwhisp/test/mock.py +++ b/vulnwhisp/test/mock.py @@ -1,5 +1,6 @@ -import os import logging +import os + import httpretty diff --git a/vulnwhisp/vulnwhisp.py b/vulnwhisp/vulnwhisp.py index 71c38b3..1c06de2 100755 --- a/vulnwhisp/vulnwhisp.py +++ b/vulnwhisp/vulnwhisp.py 
@@ -2,23 +2,25 @@ # -*- coding: utf-8 -*- __author__ = 'Austin Taylor' -from base.config import vwConfig -from frameworks.nessus import NessusAPI -from frameworks.qualys_web import qualysScanReport -from frameworks.qualys_vuln import qualysVulnScan -from frameworks.openvas import OpenVAS_API -from reporting.jira_api import JiraAPI -import pandas as pd -import numpy as np -from lxml import objectify -import sys -import os import io -import time -import sqlite3 import json import logging +import os import socket +import sqlite3 +import sys +import time + +import numpy as np +import pandas as pd +from lxml import objectify + +from base.config import vwConfig +from frameworks.nessus import NessusAPI +from frameworks.openvas import OpenVAS_API +from frameworks.qualys_vuln import qualysVulnScan +from frameworks.qualys_web import qualysScanReport +from reporting.jira_api import JiraAPI class vulnWhispererBase(object): @@ -846,7 +848,6 @@ class vulnWhispererOpenVAS(vulnWhispererBase): self.record_insert(record_meta) self.logger.info('Scan {} ({}) written to database'.format(scan_name.encode('utf8'), report_id)) - return report def identify_scans_to_process(self): From 24cf2ca623026b65e208e830868b761e4569b006 Mon Sep 17 00:00:00 2001 From: pemontto Date: Wed, 24 Apr 2019 09:06:05 +1000 Subject: [PATCH 47/73] Add OpenVAS mock endpoints --- configs/test.ini | 2 +- vulnwhisp/test/mock.py | 25 ++++++++++++++++++++++++- 2 files changed, 25 insertions(+), 2 deletions(-) diff --git a/configs/test.ini b/configs/test.ini index b5f04b5..1990aaf 100755 --- a/configs/test.ini +++ b/configs/test.ini @@ -59,7 +59,7 @@ db_path = /opt/VulnWhisperer/data/database verbose = true [openvas] -enabled = false +enabled = true hostname = openvas port = 4000 username = exampleuser diff --git a/vulnwhisp/test/mock.py b/vulnwhisp/test/mock.py index 95d3f32..4e668e9 100644 --- a/vulnwhisp/test/mock.py +++ b/vulnwhisp/test/mock.py 
@@ -19,6 +19,13 @@ class mockAPI(object): self.logger.info('mockAPI initialised, API requests will be mocked') self.logger.info('Test path resolved as {}'.format(self.mock_dir)) + self.openvas_requests = { + 'request_1': ('POST', 200, 'omp'), + 'request_2': ('GET', 200, 'omp?cmd=get_reports&token=efbe7076-4ae9-4e57-89cc-bcd6bd93f1f3&max_results=1&ignore_pagination=1&filter=apply_overrides%3D1+min_qod%3D70+autofp%3D0+first%3D1+rows%3D0+levels%3Dhml+sort-reverse%3Dseverity'), + 'request_3': ('GET', 200, 'omp?cmd=get_report_formats&token=efbe7076-4ae9-4e57-89cc-bcd6bd93f1f3'), + 'request_4': ('GET', 200, 'omp?token=efbe7076-4ae9-4e57-89cc-bcd6bd93f1f3&cmd=get_report&report_id=4c6c900c-71f5-42f7-91e2-1b19b7976606&filter=apply_overrides%3D0+min_qod%3D70+autofp%3D0+levels%3Dhml+first%3D1+rows%3D0+sort-reverse%3Dseverity&ignore_pagination=1&report_format_id=c1645568-627a-11e3-a660-406186ea4fc5&submit=Download') + } + def get_directories(self, path): dir, subdirs, files = next(os.walk(path)) return subdirs @@ -67,6 +74,20 @@ class mockAPI(object): httpretty.POST, 'https://{}:443/{}'.format(framework, 'api/2.0/fo/scan/'), body=self.qualys_vuln_callback) + def create_openvas_resource(self, framework): + for filename in self.get_files('{}/{}'.format(self.mock_dir, framework)): + try: + method, status, resource = self.openvas_requests[filename] + self.logger.debug('Adding mocked {} endpoint {} {}'.format(framework, method, resource)) + except: + self.logger.error('Cound not find mocked {} endpoint for file {}/{}/{}'.format(framework, self.mock_dir, framework, filename)) + continue + httpretty.register_uri( + getattr(httpretty, method), 'https://{}:4000/{}'.format(framework, resource), + body=open('{}/{}/{}'.format(self.mock_dir, framework, filename)).read(), + status=status + ) + def mock_endpoints(self): for framework in self.get_directories(self.mock_dir): if framework in ['nessus', 'tenable']: 
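Review bot: The bare `except:` in create_openvas_resource catches everything, including KeyboardInterrupt, when the only expected failure is a missing key; it should be `except KeyError:`. The fixture is read with `open(...).read()` and the handle is never closed, so `with open('{}/{}/{}'.format(self.mock_dir, framework, filename)) as fh: body = fh.read()` before `register_uri` is preferable. The log message also misspells "Could" as "Cound". The `openvas_requests` table embeds fixed tokens and report ids in its URL strings, which is fine for a mock but presumably has to match the ids inside the fixture files; a comment saying so would help the next person who regenerates them.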
@@ -74,4 +95,6 @@ class mockAPI(object): elif framework == 'qualys_vuln': self.qualys_vuln_path = self.mock_dir + '/' + framework self.create_qualys_vuln_resource(framework) - httpretty.enable() \ No newline at end of file + elif framework == 'openvas': + self.create_openvas_resource(framework) + httpretty.enable() From d41011a5edb43ad2a941b44c86e97effb0c68a28 Mon Sep 17 00:00:00 2001 From: pemontto Date: Wed, 24 Apr 2019 09:20:27 +1000 Subject: [PATCH 48/73] refactor qualys cvss extraction --- vulnwhisp/frameworks/qualys_vuln.py | 29 +++++------------------------ 1 file changed, 5 insertions(+), 24 deletions(-) diff --git a/vulnwhisp/frameworks/qualys_vuln.py b/vulnwhisp/frameworks/qualys_vuln.py index a202aab..19ca865 100644 --- a/vulnwhisp/frameworks/qualys_vuln.py +++ b/vulnwhisp/frameworks/qualys_vuln.py @@ -11,7 +11,6 @@ import pandas as pd import qualysapi - class qualysWhisperAPI(object): SCANS = 'api/2.0/fo/scan' 
@@ -165,29 +164,11 @@ class qualysVulnScan: # Contruct the CVSS vector self.logger.info('Extracting CVSS components') - df['cvss_vector'] = ( - df.loc[df['cvss_base'].str.contains(' \('), 'cvss_base'] - .str.split() - .apply(lambda x: x[1]) - .str.strip('()') - ) - df['cvss_base'] = ( - df.loc[df['cvss_base'].str.contains(' \('), 'cvss_base'] - .str.split() - .apply(lambda x: x[0]) - ) + df['cvss_vector'] = df['cvss_base'].str.extract('\((.*)\)', expand=False) + df['cvss_base'] = df['cvss_base'].str.extract('^([^ ]+)', expand=False) + df['cvss_temporal_vector'] = df['cvss_temporal'].str.extract('\((.*)\)', expand=False) + df['cvss_temporal'] = df['cvss_temporal'].str.extract('^([^ ]+)', expand=False) - df['cvss_temporal_vector'] = ( - df.loc[df['cvss_temporal'].str.contains(' \('), 'cvss_temporal'] - .str.split() - .apply(lambda x: x[1]) - .str.strip('()') - ) - df['cvss_temporal'] = ( - df.loc[df['cvss_temporal'].str.contains(' \('), 'cvss_temporal'] - .str.split() - .apply(lambda x: x[0]) - ) # Convert Qualys severity to standardised risk number df['risk_number'] = df['severity'].astype(int)-1 @@ -195,4 +176,4 @@ class qualysVulnScan: df.fillna('', inplace=True) - return df \ No newline at end of file + return df From abf6b9f048b7222c743a0a9b3d0e846fe93f1d5d Mon Sep 17 00:00:00 2001 From: pemontto Date: Wed, 24 Apr 2019 09:25:02 +1000 Subject: [PATCH 49/73] Remove debug output from logstash --- resources/elk6/pipeline/1000_nessus_process_file.conf | 3 --- resources/elk6/pipeline/2000_qualys_web_scans.conf | 3 --- resources/elk6/pipeline/3000_openvas.conf | 3 --- 3 files changed, 9 deletions(-) diff --git a/resources/elk6/pipeline/1000_nessus_process_file.conf b/resources/elk6/pipeline/1000_nessus_process_file.conf index 91c3dd5..e344183 100644 --- a/resources/elk6/pipeline/1000_nessus_process_file.conf +++ b/resources/elk6/pipeline/1000_nessus_process_file.conf 
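Review bot: The four extraction patterns in qualysVulnScan are written as ordinary string literals containing `\(` and `\)`, which only works because Python 2 leaves unknown escapes alone; under Python 3.6+ they raise DeprecationWarning and are slated to become errors. Writing them as raw strings, e.g. `df['cvss_vector'] = df['cvss_base'].str.extract(r'\((.*)\)', expand=False)`, removes the ambiguity; the same applies to the updated `^(\d+(?:\.\d+)?)` patterns in the later "Update cvss extraction regex" hunk. Because `cvss_vector` is extracted from `cvss_base` before `cvss_base` is overwritten (and likewise for the temporal pair), a short comment stating that the order of these assignments matters would help. The enclosing method starts outside the hunk.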
@@ -48,9 +48,6 @@ filter { output { if "nessus" in [tags] or "tenable" in [tags]{ - stdout { - codec => dots - } elasticsearch { hosts => [ "elasticsearch:9200" ] index => "logstash-vulnwhisperer-%{+YYYY.MM}" diff --git a/resources/elk6/pipeline/2000_qualys_web_scans.conf b/resources/elk6/pipeline/2000_qualys_web_scans.conf index bde33f4..d074b8a 100644 --- a/resources/elk6/pipeline/2000_qualys_web_scans.conf +++ b/resources/elk6/pipeline/2000_qualys_web_scans.conf @@ -83,9 +83,6 @@ filter { } output { if "qualys_vuln" in [tags] or "qualys_web" in [tags] { - stdout { - codec => dots - } elasticsearch { hosts => [ "elasticsearch:9200" ] index => "logstash-vulnwhisperer-%{+YYYY.MM}" diff --git a/resources/elk6/pipeline/3000_openvas.conf b/resources/elk6/pipeline/3000_openvas.conf index 00ef7cc..539475c 100644 --- a/resources/elk6/pipeline/3000_openvas.conf +++ b/resources/elk6/pipeline/3000_openvas.conf @@ -109,9 +109,6 @@ filter { } output { if "openvas" in [tags] { - stdout { - codec => dots - } elasticsearch { hosts => [ "elasticsearch:9200" ] index => "logstash-vulnwhisperer-%{+YYYY.MM}" From ac364f149dc157b022c5249810ce80374a6654fe Mon Sep 17 00:00:00 2001 From: pemontto Date: Wed, 24 Apr 2019 09:25:22 +1000 Subject: [PATCH 50/73] Update docker test output --- tests/test-docker.sh | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/tests/test-docker.sh b/tests/test-docker.sh index e67ef9b..e8c84c7 100755 --- a/tests/test-docker.sh +++ b/tests/test-docker.sh @@ -34,6 +34,7 @@ until [[ $(curl -s "$logstash_url/_node/stats" | jq '.events.out') -ge 1232 ]]; ((count++)) && ((count==60)) && break sleep 5 done +green "$(curl -s "$logstash_url/_node/stats" | jq '.events.out') logs processed" if [[ count -le 60 && $(curl -s "$logstash_url/_node/stats" | jq '.events.out') -ge 1232 ]]; then green "✅ Logstash load finished..." 
@@ -43,26 +44,27 @@ fi count=0 -until [[ $(curl -s "$elasticsearch_url/logstash-vulnwhisperer-2019.03/_count" | jq '.count') -ge 1232 ]] ; do - yellow "Waiting for Elasticsearch index to sync... $(curl -s "$elasticsearch_url/logstash-vulnwhisperer-2019.03/_count" | jq '.count') of 1232 logs loaded (attempt $count of 150)" +until [[ $(curl -s "$elasticsearch_url/logstash-vulnwhisperer-*/_count" | jq '.count') -ge 1232 ]] ; do + yellow "Waiting for Elasticsearch index to sync... $(curl -s "$elasticsearch_url/logstash-vulnwhisperer-*/_count" | jq '.count') of 1232 logs loaded (attempt $count of 150)" ((count++)) && ((count==150)) && break sleep 2 done -if [[ count -le 50 && $(curl -s "$elasticsearch_url/logstash-vulnwhisperer-2019.03/_count" | jq '.count') -ge 1232 ]]; then - green "✅ logstash-vulnwhisperer-2019.03 document count $(curl -s "$elasticsearch_url/logstash-vulnwhisperer-2019.03/_count" | jq '.count') >= 1232" +if [[ count -le 50 && $(curl -s "$elasticsearch_url/logstash-vulnwhisperer-*/_count" | jq '.count') -ge 1232 ]]; then + green "✅ logstash-vulnwhisperer-* document count $(curl -s "$elasticsearch_url/logstash-vulnwhisperer-*/_count" | jq '.count') >= 1232" else - red "❌ TIMED OUT waiting for logstash-vulnwhisperer-2019.03 document count: $(curl -s "$elasticsearch_url/logstash-vulnwhisperer-2019.03/_count" | jq) != 1232" + red "❌ TIMED OUT waiting for logstash-vulnwhisperer-* document count: $(curl -s "$elasticsearch_url/logstash-vulnwhisperer-*/_count" | jq) != 1232" fi +green "$(curl -s "$elasticsearch_url/logstash-vulnwhisperer-*/_count" | jq '.count') documents in index" -# if [[ $(curl -s "$elasticsearch_url/logstash-vulnwhisperer-2019.03/_count" | jq '.count') == 1232 ]]; then -# green "✅ Passed: logstash-vulnwhisperer-2019.03 document count == 1232" +# if [[ $(curl -s "$elasticsearch_url/logstash-vulnwhisperer-*/_count" | jq '.count') == 1232 ]]; then +# green "✅ Passed: logstash-vulnwhisperer-* document count == 1232" # else -# red "❌ Failed: 
logstash-vulnwhisperer-2019.03 document count == 1232 was: $(curl -s "$elasticsearch_url/logstash-vulnwhisperer-2019.03/_count") instead" +# red "❌ Failed: logstash-vulnwhisperer-* document count == 1232 was: $(curl -s "$elasticsearch_url/logstash-vulnwhisperer-*/_count") instead" # ((return_code = return_code + 1)) # fi # Test Nessus plugin_name:Backported Security Patch Detection (FTP) -nessus_doc=$(curl -s "$elasticsearch_url/logstash-vulnwhisperer-2019.03/_search?q=plugin_name:%22Backported%20Security%20Patch%20Detection%20(FTP)%22%20AND%20asset:176.28.50.164%20AND%20tags:nessus" | jq '.hits.hits[]._source') +nessus_doc=$(curl -s "$elasticsearch_url/logstash-vulnwhisperer-*/_search?q=plugin_name:%22Backported%20Security%20Patch%20Detection%20(FTP)%22%20AND%20asset:176.28.50.164%20AND%20tags:nessus" | jq '.hits.hits[]._source') if echo $nessus_doc | jq '.risk' | grep -q "none"; then green "✅ Passed: Nessus risk == none" else @@ -71,7 +73,7 @@ else fi # Test Tenable plugin_name:Backported Security Patch Detection (FTP) -tenable_doc=$(curl -s "$elasticsearch_url/logstash-vulnwhisperer-2019.03/_search?q=plugin_name:%22Backported%20Security%20Patch%20Detection%20(FTP)%22%20AND%20asset:176.28.50.164%20AND%20tags:tenable" | jq '.hits.hits[]._source') +tenable_doc=$(curl -s "$elasticsearch_url/logstash-vulnwhisperer-*/_search?q=plugin_name:%22Backported%20Security%20Patch%20Detection%20(FTP)%22%20AND%20asset:176.28.50.164%20AND%20tags:tenable" | jq '.hits.hits[]._source') # Test asset if echo $tenable_doc | jq .asset | grep -q '176.28.50.164'; then green "✅ Passed: Tenable asset == 176.28.50.164" 
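Review bot: The Elasticsearch success check keeps `count -le 50` while the loop above it allows 150 attempts, so a sync that completes between attempts 51 and 150 is reported as a timeout even though the document-count condition passed; the line should read `if [[ count -le 150 && $(curl -s "$elasticsearch_url/logstash-vulnwhisperer-*/_count" | jq '.count') -ge 1232 ]]; then`. Each branch also re-issues the curl, so the number printed can differ from the one tested; capturing it once in a variable would make the output match the decision.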
@@ -89,7 +91,7 @@ else fi # Test Qualys plugin_name:OpenSSL Multiple Remote Security Vulnerabilities -qualys_vuln_doc=$(curl -s "$elasticsearch_url/logstash-vulnwhisperer-2019.03/_search?q=tags:qualys_vuln%20AND%20ip:%22176.28.50.164%22%20AND%20plugin_name:%22OpenSSL%20Multiple%20Remote%20Security%20Vulnerabilities%22%20AND%20port:465" | jq '.hits.hits[]._source') +qualys_vuln_doc=$(curl -s "$elasticsearch_url/logstash-vulnwhisperer-*/_search?q=tags:qualys_vuln%20AND%20ip:%22176.28.50.164%22%20AND%20plugin_name:%22OpenSSL%20Multiple%20Remote%20Security%20Vulnerabilities%22%20AND%20port:465" | jq '.hits.hits[]._source') # Test @timestamp if echo $qualys_vuln_doc | jq '.["@timestamp"]' | grep -q '2019-03-30T10:17:41.000Z'; then green "✅ Passed: Qualys VM @timestamp == 2019-03-30T10:17:41.000Z" From 97ed4c7838ff78e4d2954aadf9185b84d4c0d029 Mon Sep 17 00:00:00 2001 From: pemontto Date: Wed, 24 Apr 2019 09:31:21 +1000 Subject: [PATCH 51/73] Update cvss extraction regex --- vulnwhisp/frameworks/qualys_vuln.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/vulnwhisp/frameworks/qualys_vuln.py b/vulnwhisp/frameworks/qualys_vuln.py index 19ca865..bffd4de 100644 --- a/vulnwhisp/frameworks/qualys_vuln.py +++ b/vulnwhisp/frameworks/qualys_vuln.py @@ -165,9 +165,9 @@ class qualysVulnScan: # Contruct the CVSS vector self.logger.info('Extracting CVSS components') df['cvss_vector'] = df['cvss_base'].str.extract('\((.*)\)', expand=False) - df['cvss_base'] = df['cvss_base'].str.extract('^([^ ]+)', expand=False) + df['cvss_base'] = df['cvss_base'].str.extract('^(\d+(?:\.\d+)?)', expand=False) df['cvss_temporal_vector'] = df['cvss_temporal'].str.extract('\((.*)\)', expand=False) - df['cvss_temporal'] = df['cvss_temporal'].str.extract('^([^ ]+)', expand=False) + df['cvss_temporal'] = df['cvss_temporal'].str.extract('^(\d+(?:\.\d+)?)', expand=False) # Convert Qualys severity to standardised risk number 
From 5539dd4ed8d39805648be31bdb3ce56d88bfbba3 Mon Sep 17 00:00:00 2001 From: pemontto Date: Wed, 24 Apr 2019 11:43:29 +1000 Subject: [PATCH 52/73] Fix docker tests output --- tests/test-docker.sh | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/tests/test-docker.sh b/tests/test-docker.sh index e8c84c7..4976eab 100755 --- a/tests/test-docker.sh +++ b/tests/test-docker.sh @@ -34,12 +34,11 @@ until [[ $(curl -s "$logstash_url/_node/stats" | jq '.events.out') -ge 1232 ]]; ((count++)) && ((count==60)) && break sleep 5 done -green "$(curl -s "$logstash_url/_node/stats" | jq '.events.out') logs processed" if [[ count -le 60 && $(curl -s "$logstash_url/_node/stats" | jq '.events.out') -ge 1232 ]]; then - green "✅ Logstash load finished..." + green "✅ Logstash load finished $(curl -s "$logstash_url/_node/stats" | jq '.events.out') logs processed..." else - red "❌ Logstash load didn't complete... $(curl -s "$logstash_url/_node/stats" | jq '.events.out')" + red "❌ Logstash load didn't complete $(curl -s "$logstash_url/_node/stats" | jq '.events.out') logs processed... $(curl -s "$logstash_url/_node/stats" | jq '.events.out')" fi @@ -54,7 +53,6 @@ if [[ count -le 50 && $(curl -s "$elasticsearch_url/logstash-vulnwhisperer-*/_co else red "❌ TIMED OUT waiting for logstash-vulnwhisperer-* document count: $(curl -s "$elasticsearch_url/logstash-vulnwhisperer-*/_count" | jq) != 1232" fi -green "$(curl -s "$elasticsearch_url/logstash-vulnwhisperer-*/_count" | jq '.count') documents in index" # if [[ $(curl -s "$elasticsearch_url/logstash-vulnwhisperer-*/_count" | jq '.count') == 1232 ]]; then # green "✅ Passed: logstash-vulnwhisperer-* document count == 1232" From afffef306a6fb0b2141b65f88ff4b4868ecc3c2e Mon Sep 17 00:00:00 2001 From: pemontto Date: Thu, 25 Apr 2019 10:59:18 +0100 Subject: [PATCH 53/73] Update submodule to latest commit --- tests/data | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
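Review bot: The new failure message in test-docker.sh prints the Logstash event count twice — once as "N logs processed" and again from the trailing `$(curl -s "$logstash_url/_node/stats" | jq '.events.out')` left over from the old message. Dropping the trailing substitution gives `red "❌ Logstash load didn't complete $(curl -s "$logstash_url/_node/stats" | jq '.events.out') logs processed..."`. Since the `if` test and the message query the endpoint separately, the printed count may not be the one that was compared.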
diff --git a/tests/data b/tests/data index 55dc683..eea0512 160000 --- a/tests/data +++ b/tests/data @@ -1 +1 @@ -Subproject commit 55dc6832f8e39f17c97295aadb7de4d6a1277d73 +Subproject commit eea0512099d1d6f437884d969ab2986e73dae087 From c320fc8c633afeee94fe522d655ba640576e1fe5 Mon Sep 17 00:00:00 2001 From: pemontto Date: Thu, 25 Apr 2019 11:05:06 +0100 Subject: [PATCH 54/73] Specify master branch --- .gitmodules | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitmodules b/.gitmodules index f3817e8..3a4f23c 100644 --- a/.gitmodules +++ b/.gitmodules @@ -1,3 +1,4 @@ [submodule "tests/data"] path = tests/data url = https://github.com/HASecuritySolutions/VulnWhisperer-tests.git + branch = master From 5264aea802f19da07b8252a405cbe4ab1b2a0a8f Mon Sep 17 00:00:00 2001 From: pemontto Date: Thu, 25 Apr 2019 11:31:04 +0100 Subject: [PATCH 55/73] Fix qualys web unicode issues --- vulnwhisp/frameworks/qualys_web.py | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/vulnwhisp/frameworks/qualys_web.py b/vulnwhisp/frameworks/qualys_web.py index b52f0ee..d0b11b2 100644 --- a/vulnwhisp/frameworks/qualys_web.py +++ b/vulnwhisp/frameworks/qualys_web.py @@ -110,7 +110,6 @@ class qualysWhisperAPI(object): _records = [] try: total = int(self.get_was_scan_count(status=status)) - self.logger.error('Already have WAS scan count') self.logger.info('Retrieving information for {} scans'.format(total)) for i in range(0, total): if i % limit == 0: @@ -445,7 +444,7 @@ class qualysScanReport: return merged_df def download_file(self, path='', file_id=None): - report = self.qw.download_report(file_id) + report = self.qw.download_report(file_id).encode('utf-8') filename = path + str(file_id) + '.csv' file_out = open(filename, 'w') for line in report.splitlines(): @@ -478,4 +477,4 @@ class qualysScanReport: def transform_values(self, df): self.logger.debug('Transforming values') df.fillna('', inplace=True) - return df \ No newline at end of file + return df 
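Review bot: `self.qw.download_report(file_id).encode('utf-8')` in download_file only helps if `download_report` returns a unicode object; if it returns a Python 2 byte string, `.encode` first decodes it as ASCII and raises the same UnicodeDecodeError on non-ASCII content that this commit sets out to fix. Guarding with `if isinstance(report, unicode): report = report.encode('utf-8')`, or opening the output with `io.open(filename, 'w', encoding='utf-8')` and writing unicode, would cover both return types. The rest of download_file, including whether `file_out` is closed, lies outside the hunk.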
From 7919d3e56900d4b6a4fc8b0b337f66f3a16bf458 Mon Sep 17 00:00:00 2001 From: pemontto Date: Thu, 25 Apr 2019 14:13:31 +0100 Subject: [PATCH 56/73] Remove counter for nessus download --- tests/data | 2 +- vulnwhisp/frameworks/nessus.py | 9 +-------- 2 files changed, 2 insertions(+), 9 deletions(-) diff --git a/tests/data b/tests/data index eea0512..8d3c7de 160000 --- a/tests/data +++ b/tests/data @@ -1 +1 @@ -Subproject commit eea0512099d1d6f437884d969ab2986e73dae087 +Subproject commit 8d3c7de5261f9ae55fb94066c414c9dc16e20b83 diff --git a/vulnwhisp/frameworks/nessus.py b/vulnwhisp/frameworks/nessus.py index 7b51501..32c50ab 100755 --- a/vulnwhisp/frameworks/nessus.py +++ b/vulnwhisp/frameworks/nessus.py @@ -135,8 +135,6 @@ class NessusAPI(object): def download_scan(self, scan_id=None, history=None, export_format=''): running = True - counter = 0 - data = {'format': export_format} if not history: query = self.EXPORT.format(scan_id=scan_id) @@ -149,19 +147,14 @@ class NessusAPI(object): token_id = req['token'] if 'token' in req else req['temp_token'] except Exception as e: self.logger.error('{}'.format(str(e))) - self.logger.info('Download for file id {}'.format(str(file_id))) + self.logger.info('Downloading file id {}'.format(str(file_id))) while running: time.sleep(2) - counter += 2 report_status = self.request(self.EXPORT_STATUS.format(scan_id=scan_id, file_id=file_id), method='GET', json_output=True) running = report_status['status'] != 'ready' sys.stdout.write('.') sys.stdout.flush() - # FIXME: why? can this be removed in favour of a counter? - if counter % 60 == 0: - self.logger.info('Completed: {}'.format(counter)) - self.logger.info('Done: {}'.format(counter)) if self.profile == 'tenable': content = self.request(self.EXPORT_FILE_DOWNLOAD.format(scan_id=scan_id, file_id=file_id), method='GET', download=True) else: From f922e396def2fd8bfab0cf8febdeb925ee53aaa7 Mon Sep 17 00:00:00 2001 
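Review bot: With `counter` gone, the `while running:` loop in the second hunk polls `EXPORT_STATUS` every two seconds with no upper bound, so an export that never reaches `'ready'` (for instance one the server reports as failed, if the API has such a status) hangs `download_scan` indefinitely; the removed counter at least made the wait visible in the log. Keep a bounded attempt count and fail with a logged error when it is exhausted, e.g. `attempts += 1` and `if attempts > max_attempts: raise Exception('Export {} did not become ready'.format(file_id))`. The `try`/`except` just above logs a failed export request but still falls through to use `file_id`, which is then unbound; that is pre-existing but worth fixing while this loop is being touched. `download_scan` continues past the end of the hunk.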
From: pemontto Date: Thu, 25 Apr 2019 14:14:03 +0100 Subject: [PATCH 57/73] Add mock tests for qualys web --- configs/test.ini | 4 +- vulnwhisp/test/mock.py | 114 +++++++++++++++++++++++++++++------------ 2 files changed, 82 insertions(+), 36 deletions(-) diff --git a/configs/test.ini b/configs/test.ini index 1990aaf..6cd5424 100755 --- a/configs/test.ini +++ b/configs/test.ini @@ -22,7 +22,7 @@ verbose=true [qualys_web] #Reference https://www.qualys.com/docs/qualys-was-api-user-guide.pdf to find your API -enabled = false +enabled = true hostname = qualys_web username = exampleuser password = examplepass @@ -34,7 +34,7 @@ verbose=true #Note, this applies only to failed connections and timeouts, never to requests where the server returns a response. max_retries = 10 # Template ID will need to be retrieved for each document. Please follow the reference guide above for instructions on how to get your template ID. -template_id = 126024 +template_id = 289109 [qualys_vuln] #Reference https://www.qualys.com/docs/qualys-was-api-user-guide.pdf to find your API diff --git a/vulnwhisp/test/mock.py b/vulnwhisp/test/mock.py index 4e668e9..c18e25e 100644 --- a/vulnwhisp/test/mock.py +++ b/vulnwhisp/test/mock.py 
@@ -28,28 +28,11 @@ class mockAPI(object): def get_directories(self, path): dir, subdirs, files = next(os.walk(path)) - return subdirs + return sorted(subdirs) def get_files(self, path): dir, subdirs, files = next(os.walk(path)) - return files - - def qualys_vuln_callback(self, request, uri, response_headers): - self.logger.debug('Simulating response for {} ({})'.format(uri, request.body)) - if 'list' in request.parsed_body['action']: - return [200, - response_headers, - open('{}/{}'.format(self.qualys_vuln_path, 'scans')).read()] - elif 'fetch' in request.parsed_body['action']: - try: - response_body = open('{}/{}'.format( - self.qualys_vuln_path, - request.parsed_body['scan_ref'][0].replace('/', '_')) - ).read() - except: - # Can't find the file, just send an empty response - response_body = '' - return [200, response_headers, response_body] + return sorted(files) def create_nessus_resource(self, framework): for filename in self.get_files('{}/{}'.format(self.mock_dir, framework)): 
@@ -61,32 +44,91 @@ class mockAPI(object): body=open('{}/{}/{}'.format(self.mock_dir, framework, filename)).read() ) + def qualys_vuln_callback(self, request, uri, response_headers): + self.logger.debug('Simulating response for {} ({})'.format(uri, request.body)) + if 'list' in request.parsed_body['action']: + return [200, + response_headers, + open(self.qualys_vuln_path + '/scans').read()] + elif 'fetch' in request.parsed_body['action']: + try: + response_body = open('{}/{}'.format( + self.qualys_vuln_path, + request.parsed_body['scan_ref'][0].replace('/', '_')) + ).read() + except: + # Can't find the file, just send an empty response + response_body = '' + return [200, response_headers, response_body] + def create_qualys_vuln_resource(self, framework): # Create health check endpoint - self.logger.debug('Adding mocked {} endpoint {} {}'.format(framework, 'GET', 'msp/about.php')) + self.logger.debug('Adding mocked {} endpoint GET msp/about.php'.format(framework)) httpretty.register_uri( httpretty.GET, - 'https://{}:443/{}'.format(framework, 'msp/about.php'), + 'https://{}:443/msp/about.php'.format(framework), body='') - + self.logger.debug('Adding mocked {} endpoint {} {}'.format(framework, 'POST', 'api/2.0/fo/scan')) httpretty.register_uri( - httpretty.POST, 'https://{}:443/{}'.format(framework, 'api/2.0/fo/scan/'), + httpretty.POST, 'https://{}:443/api/2.0/fo/scan/'.format(framework), body=self.qualys_vuln_callback) - def create_openvas_resource(self, framework): + def qualys_web_callback(self, request, uri, response_headers): + self.logger.debug('Simulating response for {} ({})'.format(uri, request.body)) + report_id = request.parsed_body.split('')[1].split('<')[0] + response_body = open('{}/create_{}'.format(self.qualys_web_path, report_id)).read() + return [200, response_headers, response_body] + + def create_qualys_web_resource(self, framework): for filename in self.get_files('{}/{}'.format(self.mock_dir, framework)): - try: - method, status, resource = 
self.openvas_requests[filename] + if filename.startswith('POST') or filename.startswith('GET'): + method, resource = filename.split('_', 1) + resource = resource.replace('_', '/') self.logger.debug('Adding mocked {} endpoint {} {}'.format(framework, method, resource)) - except: - self.logger.error('Cound not find mocked {} endpoint for file {}/{}/{}'.format(framework, self.mock_dir, framework, filename)) - continue - httpretty.register_uri( - getattr(httpretty, method), 'https://{}:4000/{}'.format(framework, resource), - body=open('{}/{}/{}'.format(self.mock_dir, framework, filename)).read(), - status=status - ) + httpretty.register_uri( + getattr(httpretty, method), 'https://{}:443/{}'.format(framework, resource), + body=open('{}/{}/{}'.format(self.mock_dir, framework, filename)).read() + ) + + self.logger.debug('Adding mocked {} endpoint {} {}'.format(framework, 'POST', 'qps/rest/3.0/create/was/report')) + httpretty.register_uri( + httpretty.POST, 'https://{}:443/qps/rest/3.0/create/was/report'.format(framework), + body=self.qualys_web_callback) + + def openvas_callback(self, request, uri, response_headers): + self.logger.debug('Simulating response for {} ({})'.format(uri, request.body)) + if request.querystring['cmd'][0] in ['get_reports', 'get_report_formats']: + response_body = open('{}/{}'.format(self.openvas_path, request.querystring['cmd'][0])).read() + + if request.querystring['cmd'][0] == 'get_report': + response_body = open('{}/report_{}'.format(self.openvas_path, request.querystring['report_id'][0])).read() + + return [200, response_headers, response_body] + + def create_openvas_resource(self, framework): + # Create login endpoint + httpretty.register_uri( + httpretty.POST, 'https://{}:4000/omp'.format(framework), + body=open('{}/{}/{}'.format(self.mock_dir, framework, 'login')).read() + ) + + # Create GET requests endpoint + httpretty.register_uri( + httpretty.GET, 'https://{}:4000/omp'.format(framework), + body=self.openvas_callback + ) + # try: + # 
method, status, resource = self.openvas_requests[filename] + # self.logger.debug('Adding mocked {} endpoint {} {}'.format(framework, method, resource)) + # except: + # self.logger.error('Cound not find mocked {} endpoint for file {}/{}/{}'.format(framework, self.mock_dir, framework, filename)) + # continue + # httpretty.register_uri( + # getattr(httpretty, method), 'https://{}:4000/{}'.format(framework, resource), + # body=open('{}/{}/{}'.format(self.mock_dir, framework, filename)).read(), + # status=status + # ) def mock_endpoints(self): for framework in self.get_directories(self.mock_dir): @@ -95,6 +137,10 @@ class mockAPI(object): elif framework == 'qualys_vuln': self.qualys_vuln_path = self.mock_dir + '/' + framework self.create_qualys_vuln_resource(framework) + elif framework == 'qualys_web': + self.qualys_web_path = self.mock_dir + '/' + framework + self.create_qualys_web_resource(framework) elif framework == 'openvas': + self.openvas_path = self.mock_dir + '/' + framework self.create_openvas_resource(framework) httpretty.enable() From e8340e6b67c8f30fed1f8a49b4c6ca93a8ea39f5 Mon Sep 17 00:00:00 2001 From: pemontto Date: Sat, 27 Apr 2019 07:23:37 +0100 Subject: [PATCH 58/73] Support alternate Qualys WAS CSV header --- vulnwhisp/frameworks/qualys_web.py | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/vulnwhisp/frameworks/qualys_web.py b/vulnwhisp/frameworks/qualys_web.py index d0b11b2..34547f8 100644 --- a/vulnwhisp/frameworks/qualys_web.py +++ b/vulnwhisp/frameworks/qualys_web.py 
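Review bot: In the new `openvas_callback`, `response_body` is only assigned inside the two `if` branches, so a request whose `cmd` is none of `get_reports`, `get_report_formats` or `get_report` reaches `return [200, response_headers, response_body]` with the name unbound and raises `UnboundLocalError` instead of a mock response; initialise it with `response_body = ''` before the first `if`, as `qualys_vuln_callback` in the same hunk already does for a missing file. `qualys_web_callback` builds the fixture path `'{}/create_{}'.format(self.qualys_web_path, report_id)` from a value parsed out of the request body, so a crafted id can address files outside the fixture directory; even for a test double, `os.path.basename(report_id)` or a check against the files `get_files` returned keeps it to the intended fixtures. As rendered here the separator in `request.parsed_body.split('')` is empty, which `str.split` rejects with `ValueError`; presumably an XML tag was lost in extraction, but it is worth confirming against the committed file. The hunk begins in the middle of `create_nessus_resource`.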
@@ -297,6 +297,16 @@ class qualysScanReport: WEB_SCAN_VULN_HEADER[WEB_SCAN_VULN_BLOCK.index(qualysReportFields.CATEGORIES[0])] = \ 'Vulnerability Category' + # Add an alternative vulnerability header + WEB_SCAN_VULN_BLOCK_ALT = WEB_SCAN_VULN_BLOCK[:] + WEB_SCAN_VULN_BLOCK_ALT.insert(WEB_SCAN_VULN_BLOCK_ALT.index('First Time Detected'), 'Detection Date') + remove_fields = ['Last Time Tested', 'Times Detected', 'First Time Detected', 'Last Time Detected'] + WEB_SCAN_VULN_BLOCK_ALT = [x for x in WEB_SCAN_VULN_BLOCK_ALT if x not in remove_fields] + + WEB_SCAN_VULN_HEADER_ALT = WEB_SCAN_VULN_BLOCK_ALT[:] + WEB_SCAN_VULN_HEADER_ALT[WEB_SCAN_VULN_BLOCK_ALT.index(qualysReportFields.CATEGORIES[0])] = \ + 'Vulnerability Category' + WEB_SCAN_SENSITIVE_HEADER = list(WEB_SCAN_VULN_HEADER) WEB_SCAN_SENSITIVE_HEADER.insert(WEB_SCAN_SENSITIVE_HEADER.index('Url' ), 'Content') @@ -358,6 +368,17 @@ class qualysScanReport: self.WEB_SCAN_INFO_BLOCK], pop_last=True), columns=self.WEB_SCAN_VULN_HEADER) + if len(dict_tracker['WEB_SCAN_VULN_BLOCK']) == 0: + # Try alternative headers + dict_tracker["WEB_SCAN_VULN_BLOCK"] = pd.DataFrame( + self.utils.grab_section( + report, + self.WEB_SCAN_VULN_BLOCK_ALT, + end=[self.WEB_SCAN_SENSITIVE_BLOCK, self.WEB_SCAN_INFO_BLOCK], + pop_last=True, + ), + columns=self.WEB_SCAN_VULN_HEADER_ALT, + ) dict_tracker['WEB_SCAN_SENSITIVE_BLOCK'] = pd.DataFrame(self.utils.grab_section(report, self.WEB_SCAN_SENSITIVE_BLOCK, end=[ From 92cad06b2b8b9a81f50c71382a637095591581d3 Mon Sep 17 00:00:00 2001 From: pemontto Date: Sat, 27 Apr 2019 07:26:35 +0100 Subject: [PATCH 59/73] Update Qualys WAS mapping and transforms --- vulnwhisp/frameworks/qualys_web.py | 44 ++++++++++++++++++------ vulnwhisp/vulnwhisp.py | 55 ++---------------------------- 2 files changed, 36 insertions(+), 63 deletions(-) diff --git a/vulnwhisp/frameworks/qualys_web.py b/vulnwhisp/frameworks/qualys_web.py index 34547f8..82f93f3 100644 --- a/vulnwhisp/frameworks/qualys_web.py 
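Review bot: The fallback in the second hunk (`if len(dict_tracker['WEB_SCAN_VULN_BLOCK']) == 0:`) switches to `WEB_SCAN_VULN_BLOCK_ALT` silently, and if the alternative header also matches nothing the code carries on with an empty frame without any message, so a changed Qualys export format looks like a scan with no findings; log which variant was used, e.g. `self.logger.info('Using alternative WAS vulnerability header')`, and warn when both variants return no rows. In the first hunk `remove_fields` is assigned in the class body, so it becomes a public class attribute `qualysScanReport.remove_fields`; since it is only scratch for building `WEB_SCAN_VULN_BLOCK_ALT`, either `del remove_fields` afterwards or inline the list into the comprehension. The key style also flips between `dict_tracker['WEB_SCAN_VULN_BLOCK']` and `dict_tracker["WEB_SCAN_VULN_BLOCK"]` within the second hunk. The enclosing method of the second hunk starts and ends outside it.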
+++ b/vulnwhisp/frameworks/qualys_web.py @@ -282,13 +282,24 @@ class qualysUtils: def iso_to_epoch(self, dt): return dp.parse(dt).strftime('%s') - def cleanser(self, _data): - repls = (('\n', '|||'), ('\r', '|||'), (',', ';'), ('\t', '|||')) - if _data: - _data = reduce(lambda a, kv: a.replace(*kv), repls, str(_data)) - return _data - class qualysScanReport: + + COLUMN_MAPPING = { + 'DescriptionCatSev': 'category_description', + 'DescriptionSeverity': 'severity_description', + 'Evidence #1': 'evidence', + 'Payload #1': 'payload', + 'Request Headers #1': 'request_headers', + 'Request Method #1': 'request_method', + 'Request URL #1': 'request_url', + 'Response #1': 'response', + 'URL': 'url', + 'Url': 'uri', + 'QID': 'plugin_id', + } + + SEVERITY_MAPPING = {0: 'none', 1: 'low', 2: 'medium', 3: 'high',4: 'critical'} + # URL Vulnerability Information WEB_SCAN_VULN_BLOCK = list(qualysReportFields.VULN_BLOCK) WEB_SCAN_VULN_BLOCK.insert(WEB_SCAN_VULN_BLOCK.index('QID'), 'Detection ID') @@ -444,9 +455,6 @@ class qualysScanReport: 'Request Headers #1', 'Response #1', 'Evidence #1', 'Description', 'Impact', 'Solution', 'Url', 'Content'] - for col in columns_to_cleanse: - merged_df[col] = merged_df[col].apply(self.utils.cleanser) - merged_df = merged_df.drop(['QID_y', 'QID_x'], axis=1) merged_df = merged_df.rename(columns={'Id': 'QID'}) 
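Review bot: After the second hunk removes the `for col in columns_to_cleanse:` loop, the `columns_to_cleanse` list whose tail is still visible as context (`'Request Headers #1', 'Response #1', ... 'Url', 'Content']`) appears to have no remaining reader, so it should go with the loop unless something outside the hunk uses it. Dropping `cleanser` also means embedded newlines, tabs and commas in fields such as `Response #1` and `Evidence #1` now pass through unchanged; that is fine if the downstream writer quotes them, but the `|||` / `;` replacement was presumably there for a consumer that does not, so a short comment recording why it is safe to remove would help. In the first hunk `SEVERITY_MAPPING` has `3: 'high',4: 'critical'` (missing space after the comma), which PATCH 63 later corrects. The enclosing class body continues outside both hunks.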
@@ -493,9 +501,25 @@ class qualysScanReport: def map_fields(self, df): self.logger.debug('Mapping fields') + + df.rename(columns=self.COLUMN_MAPPING, inplace=True) + + # Lowercase and map fields from COLUMN_MAPPING + df.columns = [x.lower() for x in df.columns] + df.columns = [x.replace(' ', '_') for x in df.columns] + return df - + def transform_values(self, df): self.logger.debug('Transforming values') + df.fillna('', inplace=True) + + self.logger.info('Changing case of fields') + df['cwe'] = df['cwe'].str.upper() + + # Convert Qualys severity to standardised risk number + df['risk_number'] = df['severity'].astype(int)-1 + df['risk'] = df['risk_number'].map(self.SEVERITY_MAPPING) + df.fillna('', inplace=True) return df diff --git a/vulnwhisp/vulnwhisp.py b/vulnwhisp/vulnwhisp.py index 1c06de2..2da3878 100755 --- a/vulnwhisp/vulnwhisp.py +++ b/vulnwhisp/vulnwhisp.py 
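Review bot: In `transform_values`, `df.fillna('', inplace=True)` runs before `df['risk_number'] = df['severity'].astype(int)-1`, so any row whose severity was missing now holds `''` and `astype(int)` raises `ValueError` for the whole frame. Compute the risk before the first `fillna`, or coerce explicitly with `df['risk_number'] = pd.to_numeric(df['severity'], errors='coerce') - 1` followed by `df['risk'] = df['risk_number'].map(self.SEVERITY_MAPPING)`; the trailing `fillna('')` then blanks the unparsable rows instead of aborting. `df['cwe'].str.upper()` likewise assumes a `cwe` column exists; if the alternative header path from PATCH 58 can produce a frame without it, guard with `if 'cwe' in df.columns`. In `map_fields`, the comment `# Lowercase and map fields from COLUMN_MAPPING` sits after the rename it describes; move it above `df.rename(...)`.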
@@ -532,54 +532,6 @@ class vulnWhispererNessus(vulnWhispererBase): class vulnWhispererQualys(vulnWhispererBase): CONFIG_SECTION = 'qualys_web' - COLUMN_MAPPING = {'Access Path': 'access_path', - 'Ajax Request': 'ajax_request', - 'Ajax Request ID': 'ajax_request_id', - 'Authentication': 'authentication', - 'CVSS Base': 'cvss', - 'CVSS Temporal': 'cvss_temporal', - 'CWE': 'cwe', - 'Category': 'category', - 'Content': 'content', - 'DescriptionSeverity': 'severity_description', - 'DescriptionCatSev': 'category_description', - 'Detection ID': 'detection_id', - 'Evidence #1': 'evidence_1', - 'First Time Detected': 'first_time_detected', - 'Form Entry Point': 'form_entry_point', - 'Function': 'function', - 'Groups': 'groups', - 'ID': 'id', - 'Ignore Comments': 'ignore_comments', - 'Ignore Date': 'ignore_date', - 'Ignore Reason': 'ignore_reason', - 'Ignore User': 'ignore_user', - 'Ignored': 'ignored', - 'Impact': 'impact', - 'Last Time Detected': 'last_time_detected', - 'Last Time Tested': 'last_time_tested', - 'Level': 'level', - 'OWASP': 'owasp', - 'Operating System': 'operating_system', - 'Owner': 'owner', - 'Param': 'param', - 'Payload #1': 'payload_1', - 'QID': 'plugin_id', - 'Request Headers #1': 'request_headers_1', - 'Request Method #1': 'request_method_1', - 'Request URL #1': 'request_url_1', - 'Response #1': 'response_1', - 'Scope': 'scope', - 'Severity': 'risk', - 'Severity Level': 'security_level', - 'Solution': 'solution', - 'Times Detected': 'times_detected', - 'Title': 'plugin_name', - 'URL': 'url', - 'Url': 'uri', - 'Vulnerability Category': 'vulnerability_category', - 'WASC': 'wasc', - 'Web Application Name': 'web_application_name'} def __init__( self, config=None, 
@@ -654,8 +606,6 @@ class vulnWhispererQualys(vulnWhispererBase): # Map and transform fields vuln_ready = self.qualys_scan.normalise(vuln_ready) vuln_ready = self.common_normalise(vuln_ready) - # TODO remove the line below once normalising complete - vuln_ready.rename(columns=self.COLUMN_MAPPING, inplace=True) # Set common fields vuln_ready['app_id'] = report_id @@ -690,9 +640,8 @@ class vulnWhispererQualys(vulnWhispererBase): if cleanup: self.logger.info('Removing report {} from Qualys Database'.format(generated_report_id)) - cleaning_up = \ - self.qualys_scan.qw.delete_report(generated_report_id) - os.remove(self.path_check(str(generated_report_id) + '.csv')) + cleaning_up = self.qualys_scan.qw.delete_report(generated_report_id) + # os.remove(self.path_check(str(generated_report_id) + '.csv')) self.logger.info('Deleted report from local disk: {}'.format(self.path_check(str(generated_report_id)))) else: self.logger.error('Could not process report ID: {}'.format(status)) From b49dfbde89bf2f3470ac4a46bcc3f02b5426e0b3 Mon Sep 17 00:00:00 2001 From: pemontto Date: Sat, 27 Apr 2019 17:14:11 +0100 Subject: [PATCH 60/73] Update docker test for new doc count --- tests/test-docker.sh | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/tests/test-docker.sh b/tests/test-docker.sh index 4976eab..ecadba4 100755 --- a/tests/test-docker.sh +++ b/tests/test-docker.sh 
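Review bot: The `@@ -690,9 +640,8 @@` hunk comments out `os.remove(self.path_check(str(generated_report_id) + '.csv'))` but leaves the following `self.logger.info('Deleted report from local disk: ...')` in place, so the log now claims a deletion that did not happen, and the downloaded CSV (which carries request headers, payloads and responses for every finding, per the `COLUMN_MAPPING` in this commit) stays on disk after the Qualys-side report is deleted. If the local copy is meant to be kept, change the message to say so, e.g. `'Kept local report copy: {}'`; otherwise restore the `os.remove` call, which PATCH 61 in this series does. The two deletion-only hunks before it need no change.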
@@ -29,13 +29,13 @@ done green "✅ Elasticsearch status is green..." count=0 -until [[ $(curl -s "$logstash_url/_node/stats" | jq '.events.out') -ge 1232 ]]; do - yellow "Waiting for Logstash load to finish... $(curl -s "$logstash_url/_node/stats" | jq '.events.out') of 1232 (attempt $count of 60)" +until [[ $(curl -s "$logstash_url/_node/stats" | jq '.events.out') -ge 1617 ]]; do + yellow "Waiting for Logstash load to finish... $(curl -s "$logstash_url/_node/stats" | jq '.events.out') of 1617 (attempt $count of 60)" ((count++)) && ((count==60)) && break sleep 5 done -if [[ count -le 60 && $(curl -s "$logstash_url/_node/stats" | jq '.events.out') -ge 1232 ]]; then +if [[ count -le 60 && $(curl -s "$logstash_url/_node/stats" | jq '.events.out') -ge 1617 ]]; then green "✅ Logstash load finished $(curl -s "$logstash_url/_node/stats" | jq '.events.out') logs processed..." else red "❌ Logstash load didn't complete $(curl -s "$logstash_url/_node/stats" | jq '.events.out') logs processed... $(curl -s "$logstash_url/_node/stats" | jq '.events.out')" 
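Review bot: In the first hunk the guard `count -le 60` can never be false, because the `until` loop above it breaks exactly when `count` reaches 60, so the `if` only ever tests the event count; the same applies to `count -le 50` in the second hunk (next line of SOURCE), where the loop runs to 150 and `50` no longer corresponds to anything. Either drop the `count` clause in both `if` statements, since the `-ge 1617` comparison is what decides, or make them `count -lt 60` and `count -lt 150` so a timeout is reported as one. The expected count `1617` now appears in six places across the two hunks; assigning it once (`expected=1617`) would keep the next fixture update to a single edit. The commented-out block after the second hunk still reads `== 1232`.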
@@ -43,15 +43,15 @@ fi count=0 -until [[ $(curl -s "$elasticsearch_url/logstash-vulnwhisperer-*/_count" | jq '.count') -ge 1232 ]] ; do - yellow "Waiting for Elasticsearch index to sync... $(curl -s "$elasticsearch_url/logstash-vulnwhisperer-*/_count" | jq '.count') of 1232 logs loaded (attempt $count of 150)" +until [[ $(curl -s "$elasticsearch_url/logstash-vulnwhisperer-*/_count" | jq '.count') -ge 1617 ]] ; do + yellow "Waiting for Elasticsearch index to sync... $(curl -s "$elasticsearch_url/logstash-vulnwhisperer-*/_count" | jq '.count') of 1617 logs loaded (attempt $count of 150)" ((count++)) && ((count==150)) && break sleep 2 done -if [[ count -le 50 && $(curl -s "$elasticsearch_url/logstash-vulnwhisperer-*/_count" | jq '.count') -ge 1232 ]]; then - green "✅ logstash-vulnwhisperer-* document count $(curl -s "$elasticsearch_url/logstash-vulnwhisperer-*/_count" | jq '.count') >= 1232" +if [[ count -le 50 && $(curl -s "$elasticsearch_url/logstash-vulnwhisperer-*/_count" | jq '.count') -ge 1617 ]]; then + green "✅ logstash-vulnwhisperer-* document count $(curl -s "$elasticsearch_url/logstash-vulnwhisperer-*/_count" | jq '.count') >= 1617" else - red "❌ TIMED OUT waiting for logstash-vulnwhisperer-* document count: $(curl -s "$elasticsearch_url/logstash-vulnwhisperer-*/_count" | jq) != 1232" + red "❌ TIMED OUT waiting for logstash-vulnwhisperer-* document count: $(curl -s "$elasticsearch_url/logstash-vulnwhisperer-*/_count" | jq) != 1617" fi # if [[ $(curl -s "$elasticsearch_url/logstash-vulnwhisperer-*/_count" | jq '.count') == 1232 ]]; then From b31d1b80988b0f843b5ce862392ac983788f0126 Mon Sep 17 00:00:00 2001 From: pemontto Date: Mon, 29 Apr 2019 16:18:07 +0100 Subject: [PATCH 61/73] Support tenable API keys --- configs/frameworks_example.ini | 2 ++ configs/test.ini | 2 ++ vulnwhisp/frameworks/nessus.py | 16 ++++++++++++++-- vulnwhisp/vulnwhisp.py | 27 ++++++++++++++++----------- 4 files changed, 34 insertions(+), 13 deletions(-) 
diff --git a/configs/frameworks_example.ini b/configs/frameworks_example.ini index 20410cb..3529aeb 100755 --- a/configs/frameworks_example.ini +++ b/configs/frameworks_example.ini @@ -13,6 +13,8 @@ verbose=true enabled=true hostname=cloud.tenable.com port=443 +access_key= +secret_key= username=tenable.io_username password=tenable.io_password write_path=/opt/VulnWhisperer/data/tenable/ diff --git a/configs/test.ini b/configs/test.ini index 6cd5424..7bd5625 100755 --- a/configs/test.ini +++ b/configs/test.ini @@ -13,6 +13,8 @@ verbose=true enabled=true hostname=tenable port=443 +access_key= +secret_key= username=tenable.io_username password=tenable.io_password write_path=/opt/VulnWhisperer/data/tenable/ diff --git a/vulnwhisp/frameworks/nessus.py b/vulnwhisp/frameworks/nessus.py index 32c50ab..8c855f9 100755 --- a/vulnwhisp/frameworks/nessus.py +++ b/vulnwhisp/frameworks/nessus.py @@ -42,7 +42,7 @@ class NessusAPI(object): } SEVERITY_MAPPING = {'none': 0, 'low': 1, 'medium': 2, 'high': 3, 'critical': 4} - def __init__(self, hostname=None, port=None, username=None, password=None, verbose=True, profile=None): + def __init__(self, hostname=None, port=None, username=None, password=None, verbose=True, profile=None, access_key=None, secret_key=None): self.logger = logging.getLogger('NessusAPI') if verbose: self.logger.setLevel(logging.DEBUG) @@ -51,6 +51,9 @@ class NessusAPI(object): self.user = username self.password = password + self.api_keys = False + self.access_key = access_key + self.secret_key = secret_key self.base = 'https://{hostname}:{port}'.format(hostname=hostname, port=port) self.verbose = verbose self.profile = profile 
@@ -71,7 +74,13 @@ class NessusAPI(object): 'X-Cookie': None } + if self.profile == 'tenable' and all((self.access_key, self.secret_key)): + self.logger.debug('Using Tenable API keys') + self.api_keys = True + self.session.headers['X-ApiKeys'] = 'accessKey={}; secretKey={}'.format(self.access_key, self.secret_key) + else: self.login() + self.scans = self.get_scans() self.scan_ids = self.get_scan_ids() @@ -97,8 +106,10 @@ class NessusAPI(object): if url == self.base + self.SESSION: break try: - self.login() timeout += 1 + if self.api_keys: + continue + self.login() self.logger.info('Token refreshed') except Exception as e: self.logger.error('Could not refresh token\nReason: {}'.format(str(e))) @@ -144,6 +155,7 @@ class NessusAPI(object): req = self.request(query, data=json.dumps(data), method='POST', json_output=True) try: file_id = req['file'] + if not self.api_keys: token_id = req['token'] if 'token' in req else req['temp_token'] except Exception as e: self.logger.error('{}'.format(str(e))) diff --git a/vulnwhisp/vulnwhisp.py b/vulnwhisp/vulnwhisp.py index 2da3878..d15bc03 100755 --- a/vulnwhisp/vulnwhisp.py +++ b/vulnwhisp/vulnwhisp.py @@ -315,6 +315,8 @@ class vulnWhispererNessus(vulnWhispererBase): self.develop = True self.purge = purge + self.access_key = None + self.secret_key = None if config is not None: try: 
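Review bot: In the `@@ -71,7 +74,13 @@` hunk the new `else:` is followed by the unchanged context line `self.login()` at its old indentation, and in `@@ -144,6 +155,7 @@` the new `if not self.api_keys:` is followed by the unchanged `token_id = ...` likewise not indented, so as committed the module fails to import with `IndentationError`; PATCH 62 ("Fix indents") in this series repairs both, so the two commits would better be squashed. The `X-ApiKeys` header placed on `self.session.headers` accompanies every request the session makes; if `self.request` follows redirects or `self.base` can point at another host, the keys travel with it, which deserves a comment next to the assignment, e.g. `# session-wide header: sent on every request, including any redirect target`. In the `@@ -97,8 +106,10 @@` hunk `timeout += 1` then `if self.api_keys: continue` re-enters the retry loop without a login, which is right for key auth, but `# API-key auth has no session token to refresh` would make the intent clear. The enclosing retry loop starts outside the hunk.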
@@ -324,21 +326,30 @@ class vulnWhispererNessus(vulnWhispererBase): 'trash') try: - self.logger.info('Attempting to connect to nessus...') + self.access_key = self.config.get(self.CONFIG_SECTION,'access_key') + self.secret_key = self.config.get(self.CONFIG_SECTION,'secret_key') + except: + pass + + try: + self.logger.info('Attempting to connect to {}...'.format(self.CONFIG_SECTION)) self.nessus = \ NessusAPI(hostname=self.hostname, port=self.nessus_port, username=self.username, password=self.password, - profile=self.CONFIG_SECTION + profile=self.CONFIG_SECTION, + access_key=self.access_key, + secret_key=self.secret_key ) self.nessus_connect = True - self.logger.info('Connected to nessus on {host}:{port}'.format(host=self.hostname, + self.logger.info('Connected to {} on {host}:{port}'.format(self.CONFIG_SECTION, host=self.hostname, port=str(self.nessus_port))) except Exception as e: self.logger.error('Exception: {}'.format(str(e))) raise Exception( - 'Could not connect to nessus -- Please verify your settings in {config} are correct and try again.\nReason: {e}'.format( + 'Could not connect to {} -- Please verify your settings in {config} are correct and try again.\nReason: {e}'.format( + self.CONFIG_SECTION, config=self.config.config_in, e=e)) except Exception as e: @@ -641,7 +652,7 @@ class vulnWhispererQualys(vulnWhispererBase): if cleanup: self.logger.info('Removing report {} from Qualys Database'.format(generated_report_id)) cleaning_up = self.qualys_scan.qw.delete_report(generated_report_id) - # os.remove(self.path_check(str(generated_report_id) + '.csv')) + os.remove(self.path_check(str(generated_report_id) + '.csv')) self.logger.info('Deleted report from local disk: {}'.format(self.path_check(str(generated_report_id)))) else: self.logger.error('Could not process report ID: {}'.format(status)) 
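Review bot: The new `try: ... self.config.get(self.CONFIG_SECTION,'secret_key') except: pass` swallows every exception, including `KeyboardInterrupt` and any genuine config-parsing error, and silently leaves `access_key`/`secret_key` as `None`; catch the specific exception the config wrapper raises for a missing option (or at least `except Exception`), and log at debug level that key auth is not configured so the fallback to username/password is visible. The `@@ -641,7 +652,7 @@` hunk restores the `os.remove` from PATCH 59 and needs no change.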
@@ -1266,9 +1277,6 @@ class vulnWhisperer(object): if self.profile == 'nessus': vw = vulnWhispererNessus(config=self.config, - username=self.username, - password=self.password, - verbose=self.verbose, profile=self.profile) self.exit_code += vw.whisper_nessus() @@ -1282,9 +1290,6 @@ class vulnWhisperer(object): elif self.profile == 'tenable': vw = vulnWhispererNessus(config=self.config, - username=self.username, - password=self.password, - verbose=self.verbose, profile=self.profile) self.exit_code += vw.whisper_nessus() From 1a0406fdb2b6282da5a19dc0dfa87190811ba38f Mon Sep 17 00:00:00 2001 From: pemontto Date: Mon, 29 Apr 2019 16:20:07 +0100 Subject: [PATCH 62/73] Fix indents --- vulnwhisp/frameworks/nessus.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/vulnwhisp/frameworks/nessus.py b/vulnwhisp/frameworks/nessus.py index 8c855f9..3a56726 100755 --- a/vulnwhisp/frameworks/nessus.py +++ b/vulnwhisp/frameworks/nessus.py @@ -79,7 +79,7 @@ class NessusAPI(object): self.api_keys = True self.session.headers['X-ApiKeys'] = 'accessKey={}; secretKey={}'.format(self.access_key, self.secret_key) else: - self.login() + self.login() self.scans = self.get_scans() self.scan_ids = self.get_scan_ids() @@ -156,7 +156,7 @@ class NessusAPI(object): try: file_id = req['file'] if not self.api_keys: - token_id = req['token'] if 'token' in req else req['temp_token'] + token_id = req['token'] if 'token' in req else req['temp_token'] except Exception as e: self.logger.error('{}'.format(str(e))) self.logger.info('Downloading file id {}'.format(str(file_id))) From 47409ba0b9df68c3b6b3cf633141c0f4e9e30893 Mon Sep 17 00:00:00 2001 From: pemontto Date: Mon, 29 Apr 2019 16:22:02 +0100 Subject: [PATCH 63/73] more Qualys WAS mappings and transforms --- vulnwhisp/frameworks/qualys_web.py | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/vulnwhisp/frameworks/qualys_web.py b/vulnwhisp/frameworks/qualys_web.py index 82f93f3..ab6dc92 100644 
--- a/vulnwhisp/frameworks/qualys_web.py +++ b/vulnwhisp/frameworks/qualys_web.py @@ -286,19 +286,21 @@ class qualysScanReport: COLUMN_MAPPING = { 'DescriptionCatSev': 'category_description', - 'DescriptionSeverity': 'severity_description', + 'DescriptionSeverity': 'synopsis', 'Evidence #1': 'evidence', 'Payload #1': 'payload', + 'QID': 'plugin_id', 'Request Headers #1': 'request_headers', 'Request Method #1': 'request_method', 'Request URL #1': 'request_url', - 'Response #1': 'response', - 'URL': 'url', + 'Response #1': 'plugin_output', + 'Title': 'plugin_name', 'Url': 'uri', - 'QID': 'plugin_id', + 'URL': 'url', + 'Vulnerability Category': 'type', } - SEVERITY_MAPPING = {0: 'none', 1: 'low', 2: 'medium', 3: 'high',4: 'critical'} + SEVERITY_MAPPING = {0: 'none', 1: 'low', 2: 'medium', 3: 'high', 4: 'critical'} # URL Vulnerability Information WEB_SCAN_VULN_BLOCK = list(qualysReportFields.VULN_BLOCK) @@ -521,5 +523,9 @@ class qualysScanReport: df['risk_number'] = df['severity'].astype(int)-1 df['risk'] = df['risk_number'].map(self.SEVERITY_MAPPING) + # Extract dns field from URL + df['dns'] = df['url'].str.extract('https?://([^/]+)', expand=False) + df.loc[df['uri'] != '','dns'] = df.loc[df['uri'] != '','uri'].str.extract('https?://([^/]+)', expand=False) + df.fillna('', inplace=True) return df From eb9695605ba539a00b78cab07892e14d8b44ed51 Mon Sep 17 00:00:00 2001 From: pemontto Date: Mon, 29 Apr 2019 16:55:17 +0100 Subject: [PATCH 64/73] more flexible config support --- vulnwhisp/frameworks/nessus.py | 4 ++-- vulnwhisp/vulnwhisp.py | 8 ++++++-- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/vulnwhisp/frameworks/nessus.py b/vulnwhisp/frameworks/nessus.py index 3a56726..9be8103 100755 --- a/vulnwhisp/frameworks/nessus.py +++ b/vulnwhisp/frameworks/nessus.py 
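Review bot: The `dns` extraction in the second hunk, `df['url'].str.extract('https?://([^/]+)', expand=False)`, captures the whole authority component, so a URL with a port (`https://host:8443/`) or embedded credentials (`https://user:pw@host/`) yields `host:8443` or `user:pw@host` as the `dns` value rather than the hostname, and the `uri` line repeats the same pattern. Keep only the host, e.g. the tighter pattern `'https?://(?:[^@/]+@)?([^/:]+)'`, or `urlparse(u).hostname` via `apply` if the module already imports `urlparse`. The selector `df['uri'] != ''` is evaluated twice on the same line; `mask = df['uri'] != ''` would make the override intent clearer. The enclosing `transform_values` starts outside the hunk.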
@@ -46,8 +46,8 @@ class NessusAPI(object): self.logger = logging.getLogger('NessusAPI') if verbose: self.logger.setLevel(logging.DEBUG) - if username is None or password is None: - raise Exception('ERROR: Missing username or password.') + if not all((username, password)) and not all((access_key, secret_key)): + raise Exception('ERROR: Missing username, password or API keys.') self.user = username self.password = password diff --git a/vulnwhisp/vulnwhisp.py b/vulnwhisp/vulnwhisp.py index d15bc03..1e2b827 100755 --- a/vulnwhisp/vulnwhisp.py +++ b/vulnwhisp/vulnwhisp.py @@ -58,8 +58,12 @@ class vulnWhispererBase(object): except: self.enabled = False self.hostname = self.config.get(self.CONFIG_SECTION, 'hostname') - self.username = self.config.get(self.CONFIG_SECTION, 'username') - self.password = self.config.get(self.CONFIG_SECTION, 'password') + try: + self.username = self.config.get(self.CONFIG_SECTION, 'username') + self.password = self.config.get(self.CONFIG_SECTION, 'password') + except: + self.username = None + self.password = None self.write_path = self.config.get(self.CONFIG_SECTION, 'write_path') self.db_path = self.config.get(self.CONFIG_SECTION, 'db_path') self.verbose = self.config.getbool(self.CONFIG_SECTION, 'verbose') From e752655990fcbcb34c357579610c5a686d0e6dcb Mon Sep 17 00:00:00 2001 From: pemontto Date: Mon, 29 Apr 2019 17:20:52 +0100 Subject: [PATCH 65/73] add nessus API key support --- configs/frameworks_example.ini | 2 ++ configs/test.ini | 2 ++ vulnwhisp/frameworks/nessus.py | 8 ++++---- 3 files changed, 8 insertions(+), 4 deletions(-) diff --git a/configs/frameworks_example.ini b/configs/frameworks_example.ini index 3529aeb..61a8af5 100755 --- a/configs/frameworks_example.ini +++ b/configs/frameworks_example.ini @@ -2,6 +2,8 @@ enabled=true hostname=localhost port=8834 +access_key= +secret_key= username=nessus_username password=nessus_password write_path=/opt/VulnWhisperer/data/nessus/ 
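Review bot: The new `try`/`except:` around `self.config.get(self.CONFIG_SECTION, 'username')` in the vulnwhisp.py hunk is a bare except, so a typo in the section name, a malformed config file or a `KeyboardInterrupt` during start-up all degrade silently into `username = None`, and the failure only surfaces later as the generic `'ERROR: Missing username, password or API keys.'` from the nessus.py hunk. Catch the specific missing-option exception the config wrapper raises (or `except Exception` as a floor) and log at debug level which credential set was found. The nessus.py check `if not all((username, password)) and not all((access_key, secret_key))` is correct as written; a comment `# either a username/password pair or an access/secret key pair is required` on it would save the reader a De Morgan step.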
diff --git a/configs/test.ini b/configs/test.ini index 7bd5625..ed73b36 100755 --- a/configs/test.ini +++ b/configs/test.ini @@ -2,6 +2,8 @@ enabled=true hostname=nessus port=443 +access_key= +secret_key= username=nessus_username password=nessus_password write_path=/opt/VulnWhisperer/data/nessus/ diff --git a/vulnwhisp/frameworks/nessus.py b/vulnwhisp/frameworks/nessus.py index 9be8103..4796c2b 100755 --- a/vulnwhisp/frameworks/nessus.py +++ b/vulnwhisp/frameworks/nessus.py @@ -74,8 +74,8 @@ class NessusAPI(object): 'X-Cookie': None } - if self.profile == 'tenable' and all((self.access_key, self.secret_key)): - self.logger.debug('Using Tenable API keys') + if all((self.access_key, self.secret_key)): + self.logger.debug('Using {} API keys'.format(self.profile)) self.api_keys = True self.session.headers['X-ApiKeys'] = 'accessKey={}; secretKey={}'.format(self.access_key, self.secret_key) else: @@ -155,7 +155,7 @@ class NessusAPI(object): req = self.request(query, data=json.dumps(data), method='POST', json_output=True) try: file_id = req['file'] - if not self.api_keys: + if self.profile == 'nessus': token_id = req['token'] if 'token' in req else req['temp_token'] except Exception as e: self.logger.error('{}'.format(str(e))) @@ -167,7 +167,7 @@ class NessusAPI(object): running = report_status['status'] != 'ready' sys.stdout.write('.') sys.stdout.flush() - if self.profile == 'tenable': + if self.profile == 'tenable' or self.api_keys: content = self.request(self.EXPORT_FILE_DOWNLOAD.format(scan_id=scan_id, file_id=file_id), method='GET', download=True) else: content = self.request(self.EXPORT_TOKEN_DOWNLOAD.format(token_id=token_id), method='GET', download=True) From 762734d6a61c9b8104fe4a16441a2f7064bdd887 Mon Sep 17 00:00:00 2001 
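Review bot: The two predicates introduced across the `@@ -155` and `@@ -167` hunks are not complementary: `token_id` is assigned only when `self.profile == 'nessus'`, but the token download path is taken whenever `not (self.profile == 'tenable' or self.api_keys)`, so any profile other than `nessus`/`tenable` without API keys reaches `self.EXPORT_TOKEN_DOWNLOAD.format(token_id=token_id)` with `token_id` unbound. Derive one flag before the `try`, e.g. `use_token = self.profile == 'nessus' and not self.api_keys`, and use it for both the assignment and the download branch so the two cannot drift. The `@@ -74` hunk drops the `tenable` gating so the `nessus` profile can use API keys too, which is the point of the commit, but the debug line `'Using {} API keys'.format(self.profile)` is the only record of which auth mode is active; consider logging it at info. `download_scan` starts and ends outside these hunks.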
From: pemontto Date: Mon, 29 Apr 2019 22:39:44 +0100 Subject: [PATCH 66/73] cleanups --- vulnwhisp/frameworks/nessus.py | 4 +- vulnwhisp/frameworks/openvas.py | 4 +- vulnwhisp/frameworks/qualys_vuln.py | 2 +- vulnwhisp/frameworks/qualys_web.py | 2 +- vulnwhisp/test/mock.py | 24 +------- vulnwhisp/vulnwhisp.py | 96 ++++++++++++++--------------- 6 files changed, 57 insertions(+), 75 deletions(-) diff --git a/vulnwhisp/frameworks/nessus.py b/vulnwhisp/frameworks/nessus.py index 4796c2b..66b5626 100755 --- a/vulnwhisp/frameworks/nessus.py +++ b/vulnwhisp/frameworks/nessus.py @@ -218,7 +218,7 @@ class NessusAPI(object): df.columns = [x.replace(' ', '_') for x in df.columns] return df - + def transform_values(self, df): self.logger.debug('Transforming values') @@ -236,4 +236,4 @@ class NessusAPI(object): df.fillna('', inplace=True) - return df \ No newline at end of file + return df diff --git a/vulnwhisp/frameworks/openvas.py b/vulnwhisp/frameworks/openvas.py index 3b2d958..14f6393 100644 --- a/vulnwhisp/frameworks/openvas.py +++ b/vulnwhisp/frameworks/openvas.py @@ -200,8 +200,8 @@ class OpenVAS_API(object): def map_fields(self, df): self.logger.debug('Mapping fields') return df - + def transform_values(self, df): self.logger.debug('Transforming values') df.fillna('', inplace=True) - return df \ No newline at end of file + return df diff --git a/vulnwhisp/frameworks/qualys_vuln.py b/vulnwhisp/frameworks/qualys_vuln.py index bffd4de..4592c7a 100644 --- a/vulnwhisp/frameworks/qualys_vuln.py +++ b/vulnwhisp/frameworks/qualys_vuln.py @@ -151,7 +151,7 @@ class qualysVulnScan: df.columns = [x.replace(' ', '_') for x in df.columns] return df - + def transform_values(self, df): self.logger.info('Transforming values') diff --git a/vulnwhisp/frameworks/qualys_web.py b/vulnwhisp/frameworks/qualys_web.py index ab6dc92..270d7b8 100644 --- a/vulnwhisp/frameworks/qualys_web.py +++ b/vulnwhisp/frameworks/qualys_web.py 
@@ -459,7 +459,7 @@ class qualysScanReport: merged_df = merged_df.drop(['QID_y', 'QID_x'], axis=1) merged_df = merged_df.rename(columns={'Id': 'QID'}) - + merged_df = merged_df.assign(**df_dict['SCAN_META'].to_dict(orient='records')[0]) merged_df = pd.merge(merged_df, df_dict['CATEGORY_HEADER'], how='left', left_on=['Category', 'Severity Level'], diff --git a/vulnwhisp/test/mock.py b/vulnwhisp/test/mock.py index c18e25e..3bef89e 100644 --- a/vulnwhisp/test/mock.py +++ b/vulnwhisp/test/mock.py @@ -19,13 +19,6 @@ class mockAPI(object): self.logger.info('mockAPI initialised, API requests will be mocked') self.logger.info('Test path resolved as {}'.format(self.mock_dir)) - self.openvas_requests = { - 'request_1': ('POST', 200, 'omp'), - 'request_2': ('GET', 200, 'omp?cmd=get_reports&token=efbe7076-4ae9-4e57-89cc-bcd6bd93f1f3&max_results=1&ignore_pagination=1&filter=apply_overrides%3D1+min_qod%3D70+autofp%3D0+first%3D1+rows%3D0+levels%3Dhml+sort-reverse%3Dseverity'), - 'request_3': ('GET', 200, 'omp?cmd=get_report_formats&token=efbe7076-4ae9-4e57-89cc-bcd6bd93f1f3'), - 'request_4': ('GET', 200, 'omp?token=efbe7076-4ae9-4e57-89cc-bcd6bd93f1f3&cmd=get_report&report_id=4c6c900c-71f5-42f7-91e2-1b19b7976606&filter=apply_overrides%3D0+min_qod%3D70+autofp%3D0+levels%3Dhml+first%3D1+rows%3D0+sort-reverse%3Dseverity&ignore_pagination=1&report_format_id=c1645568-627a-11e3-a660-406186ea4fc5&submit=Download') - } - def get_directories(self, path): dir, subdirs, files = next(os.walk(path)) return sorted(subdirs) 
@@ -53,13 +46,13 @@ class mockAPI(object): elif 'fetch' in request.parsed_body['action']: try: response_body = open('{}/{}'.format( - self.qualys_vuln_path, + self.qualys_vuln_path, request.parsed_body['scan_ref'][0].replace('/', '_')) ).read() except: # Can't find the file, just send an empty response response_body = '' - return [200, response_headers, response_body] + return [200, response_headers, response_body] def create_qualys_vuln_resource(self, framework): # Create health check endpoint @@ -90,7 +83,7 @@ class mockAPI(object): getattr(httpretty, method), 'https://{}:443/{}'.format(framework, resource), body=open('{}/{}/{}'.format(self.mock_dir, framework, filename)).read() ) - + self.logger.debug('Adding mocked {} endpoint {} {}'.format(framework, 'POST', 'qps/rest/3.0/create/was/report')) httpretty.register_uri( httpretty.POST, 'https://{}:443/qps/rest/3.0/create/was/report'.format(framework), @@ -118,17 +111,6 @@ class mockAPI(object): httpretty.GET, 'https://{}:4000/omp'.format(framework), body=self.openvas_callback ) - # try: - # method, status, resource = self.openvas_requests[filename] - # self.logger.debug('Adding mocked {} endpoint {} {}'.format(framework, method, resource)) - # except: - # self.logger.error('Cound not find mocked {} endpoint for file {}/{}/{}'.format(framework, self.mock_dir, framework, filename)) - # continue - # httpretty.register_uri( - # getattr(httpretty, method), 'https://{}:4000/{}'.format(framework, resource), - # body=open('{}/{}/{}'.format(self.mock_dir, framework, filename)).read(), - # status=status - # ) def mock_endpoints(self): for framework in self.get_directories(self.mock_dir): diff --git a/vulnwhisp/vulnwhisp.py b/vulnwhisp/vulnwhisp.py index 1e2b827..7f22001 100755 --- a/vulnwhisp/vulnwhisp.py +++ b/vulnwhisp/vulnwhisp.py 
@@ -63,7 +63,7 @@ class vulnWhispererBase(object): self.password = self.config.get(self.CONFIG_SECTION, 'password') except: self.username = None - self.password = None + self.password = None self.write_path = self.config.get(self.CONFIG_SECTION, 'write_path') self.db_path = self.config.get(self.CONFIG_SECTION, 'db_path') self.verbose = self.config.getbool(self.CONFIG_SECTION, 'verbose') @@ -146,7 +146,7 @@ class vulnWhispererBase(object): def record_insert(self, record): #for backwards compatibility with older versions without "reported" field - + try: #-1 to get the latest column, 1 to get the column name (old version would be "processed", new "reported") #TODO delete backward compatibility check after some versions @@ -173,7 +173,7 @@ class vulnWhispererBase(object): return True except Exception as e: self.logger.error('Failed while setting scan with file {} as processed'.format(filename)) - + return False def retrieve_uuids(self): @@ -202,7 +202,7 @@ class vulnWhispererBase(object): def get_latest_results(self, source, scan_name): processed = 0 results = [] - + try: self.conn.text_factory = str self.cur.execute('SELECT filename FROM scan_history WHERE source="{}" AND scan_name="{}" ORDER BY last_modified DESC LIMIT 1;'.format(source, scan_name)) @@ -221,10 +221,10 @@ class vulnWhispererBase(object): except Exception as e: self.logger.error("Error when getting latest results from {}.{} : {}".format(source, scan_name, e)) return results, reported - + def get_scan_profiles(self): # Returns a list of source.scan_name elements from the database - + # we get the list of sources try: self.conn.text_factory = str @@ -233,7 +233,7 @@ class vulnWhispererBase(object): except: sources = [] self.logger.error("Process failed at executing 'SELECT DISTINCT source FROM scan_history;'") - + results = [] # we get the list of scans within each source 
@@ -251,7 +251,7 @@ class vulnWhispererBase(object): return results def common_normalise(self, df): - """Map and transform common data values""" + """Map and transform common data values""" self.logger.info('Start common normalisation') self.logger.info('Normalising CVSS') @@ -332,8 +332,8 @@ class vulnWhispererNessus(vulnWhispererBase): try: self.access_key = self.config.get(self.CONFIG_SECTION,'access_key') self.secret_key = self.config.get(self.CONFIG_SECTION,'secret_key') - except: - pass + except: + pass try: self.logger.info('Attempting to connect to {}...'.format(self.CONFIG_SECTION)) @@ -504,7 +504,7 @@ class vulnWhispererNessus(vulnWhispererBase): self.logger.error('Could not download {} scan {}: {}'.format(self.CONFIG_SECTION, scan_id, str(e))) self.exit_code += 1 continue - + self.logger.info('Processing {}/{} for scan: {}'.format(scan_count, len(scan_list), scan_name.encode('utf8'))) vuln_ready = pd.read_csv(io.StringIO(file_req.decode('utf-8'))) @@ -562,7 +562,7 @@ class vulnWhispererQualys(vulnWhispererBase): self.logger = logging.getLogger('vulnWhispererQualys') if debug: self.logger.setLevel(logging.DEBUG) - + self.qualys_scan = qualysScanReport(config=config) self.latest_scans = self.qualys_scan.qw.get_all_scans() self.directory_check() @@ -782,11 +782,11 @@ class vulnWhispererOpenVAS(vulnWhispererBase): # Map and transform fields vuln_ready = self.openvas_api.normalise(vuln_ready) vuln_ready = self.common_normalise(vuln_ready) - # TODO move the following to the openvas_api.transform_values + # TODO move the following to the openvas_api.transform_values vuln_ready.rename(columns=self.COLUMN_MAPPING, inplace=True) vuln_ready.port = vuln_ready.port.fillna(0).astype(int) vuln_ready.fillna('', inplace=True) - + # Set common fields vuln_ready['scan_name'] = scan_name.encode('utf8') vuln_ready['scan_id'] = report_id 
@@ -853,7 +853,7 @@ class vulnWhispererQualysVuln(vulnWhispererBase): username=None, password=None, ): - + super(vulnWhispererQualysVuln, self).__init__(config=config) self.logger = logging.getLogger('vulnWhispererQualysVuln') if debug: @@ -989,8 +989,8 @@ class vulnWhispererJIRA(vulnWhispererBase): self.config_path = config self.config = vwConfig(config) self.host_resolv_cache = {} - self.directory_check() - + self.directory_check() + if config is not None: try: self.logger.info('Attempting to connect to jira...') @@ -1007,16 +1007,16 @@ class vulnWhispererJIRA(vulnWhispererBase): 'Could not connect to nessus -- Please verify your settings in {config} are correct and try again.\nReason: {e}'.format( config=self.config.config_in, e=e)) sys.exit(1) - + profiles = [] profiles = self.get_scan_profiles() - + if not self.config.exists_jira_profiles(profiles): self.config.update_jira_profiles(profiles) self.logger.info("Jira profiles have been created in {config}, please fill the variables before rerunning the module.".format(config=self.config_path)) sys.exit(0) - - + + def get_env_variables(self, source, scan_name): # function returns an array with [jira_project, jira_components, datafile_path] 
@@ -1027,32 +1027,32 @@ class vulnWhispererJIRA(vulnWhispererBase): if project == "": self.logger.error('JIRA project is missing on the configuration file!') sys.exit(0) - + # check that project actually exists if not self.jira.project_exists(project): self.logger.error("JIRA project '{project}' doesn't exist!".format(project=project)) sys.exit(0) - + components = self.config.get(jira_section,'components').split(',') - + #cleaning empty array from '' if not components[0]: components = [] - + min_critical = self.config.get(jira_section,'min_critical_to_report') if not min_critical: self.logger.error('"min_critical_to_report" variable on config file is empty.') sys.exit(0) - + #datafile path filename, reported = self.get_latest_results(source, scan_name) fullpath = "" - + # search data files under user specified directory for root, dirnames, filenames in os.walk(vwConfig(self.config_path).get(source,'write_path')): if filename in filenames: fullpath = "{}/{}".format(root,filename) - + if reported: self.logger.warn('Last Scan of "{scan_name}" for source "{source}" has already been reported; will be skipped.'.format(scan_name=scan_name, source=source)) return [False] * 5 @@ -1060,7 +1060,7 @@ class vulnWhispererJIRA(vulnWhispererBase): if not fullpath: self.logger.error('Scan of "{scan_name}" for source "{source}" has not been found. Please check that the scanner data files are in place.'.format(scan_name=scan_name, source=source)) sys.exit(1) - + dns_resolv = self.config.get('jira','dns_resolv') if dns_resolv in ('False', 'false', ''): dns_resolv = False 
@@ -1074,22 +1074,22 @@ class vulnWhispererJIRA(vulnWhispererBase): def parse_nessus_vulnerabilities(self, fullpath, source, scan_name, min_critical): - + vulnerabilities = [] # we need to parse the CSV - risks = ['none', 'low', 'medium', 'high', 'critical'] + risks = ['none', 'low', 'medium', 'high', 'critical'] min_risk = int([i for i,x in enumerate(risks) if x == min_critical][0]) df = pd.read_csv(fullpath, delimiter=',') - + #nessus fields we want - ['Host','Protocol','Port', 'Name', 'Synopsis', 'Description', 'Solution', 'See Also'] for index in range(len(df)): # filtering vulnerabilities by criticality, discarding low risk to_report = int([i for i,x in enumerate(risks) if x == df.loc[index]['Risk'].lower()][0]) if to_report < min_risk: continue - + if not vulnerabilities or df.loc[index]['Name'] not in [entry['title'] for entry in vulnerabilities]: vuln = {} #vulnerabilities should have all the info for creating all JIRA labels @@ -1103,7 +1103,7 @@ class vulnWhispererJIRA(vulnWhispererBase): vuln['ips'] = [] vuln['ips'].append("{} - {}/{}".format(df.loc[index]['Host'], df.loc[index]['Protocol'], df.loc[index]['Port'])) vuln['risk'] = df.loc[index]['Risk'].lower() - + # Nessus "nan" value gets automatically casted to float by python if not (type(df.loc[index]['See Also']) is float): vuln['references'] = df.loc[index]['See Also'].split("\\n") 
@@ -1116,24 +1116,24 @@ class vulnWhispererJIRA(vulnWhispererBase): for vuln in vulnerabilities: if vuln['title'] == df.loc[index]['Name']: vuln['ips'].append("{} - {}/{}".format(df.loc[index]['Host'], df.loc[index]['Protocol'], df.loc[index]['Port'])) - + return vulnerabilities - + def parse_qualys_vuln_vulnerabilities(self, fullpath, source, scan_name, min_critical, dns_resolv = False): #parsing of the qualys vulnerabilities schema #parse json vulnerabilities = [] - risks = ['info', 'low', 'medium', 'high', 'critical'] + risks = ['info', 'low', 'medium', 'high', 'critical'] # +1 as array is 0-4, but score is 1-5 min_risk = int([i for i,x in enumerate(risks) if x == min_critical][0])+1 - + try: - data=[json.loads(line) for line in open(fullpath).readlines()] + data=[json.loads(line) for line in open(fullpath).readlines()] except Exception as e: self.logger.warn("Scan has no vulnerabilities, skipping.") return vulnerabilities - + #qualys fields we want - [] for index in range(len(data)): if int(data[index]['risk']) < min_risk: @@ -1142,7 +1142,7 @@ class vulnWhispererJIRA(vulnWhispererBase): elif data[index]['type'] == 'Practice' or data[index]['type'] == 'Ig': self.logger.debug("Vulnerability '{vuln}' ignored, as it is 'Practice/Potential', not verified.".format(vuln=data[index]['plugin_name'])) continue - + if not vulnerabilities or data[index]['plugin_name'] not in [entry['title'] for entry in vulnerabilities]: vuln = {} #vulnerabilities should have all the info for creating all JIRA labels 
@@ -1155,12 +1155,12 @@ class vulnWhispererJIRA(vulnWhispererBase): vuln['solution'] = data[index]['solution'].replace('\\n',' ') vuln['ips'] = [] #TODO ADDED DNS RESOLUTION FROM QUALYS! \n SEPARATORS INSTEAD OF \\n! - + vuln['ips'].append("{ip} - {protocol}/{port} - {dns}".format(**self.get_asset_fields(data[index], dns_resolv))) #different risk system than Nessus! vuln['risk'] = risks[int(data[index]['risk'])-1] - + # Nessus "nan" value gets automatically casted to float by python if not (type(data[index]['vendor_reference']) is float or data[index]['vendor_reference'] == None): vuln['references'] = data[index]['vendor_reference'].split("\\n") @@ -1178,8 +1178,8 @@ class vulnWhispererJIRA(vulnWhispererBase): def get_asset_fields(self, vuln, dns_resolv): values = {} values['ip'] = vuln['ip'] - values['protocol'] = vuln['protocol'] - values['port'] = vuln['port'] + values['protocol'] = vuln['protocol'] + values['port'] = vuln['port'] values['dns'] = '' if dns_resolv: if vuln['dns']: @@ -1229,12 +1229,12 @@ class vulnWhispererJIRA(vulnWhispererBase): #***Qualys VM parsing*** if source == "qualys_vuln": vulnerabilities = self.parse_qualys_vuln_vulnerabilities(fullpath, source, scan_name, min_critical, dns_resolv) - + #***JIRA sync*** if vulnerabilities: self.logger.info('{source} data has been successfuly parsed'.format(source=source.upper())) self.logger.info('Starting JIRA sync') - + self.jira.sync(vulnerabilities, project, components) else: self.logger.info("[{source}.{scan_name}] No vulnerabilities or vulnerabilities not parsed.".format(source=source, scan_name=scan_name)) @@ -1300,7 +1300,7 @@ class vulnWhisperer(object): elif self.profile == 'qualys_vuln': vw = vulnWhispererQualysVuln(config=self.config) self.exit_code += vw.process_vuln_scans() - + elif self.profile == 'jira': #first we check config fields are created, otherwise we create them vw = vulnWhispererJIRA(config=self.config) From be06f4811abada12cf1a77c9348566374cf6095c Mon Sep 17 00:00:00 2001 
From: pemontto Date: Tue, 30 Apr 2019 08:34:33 +0100 Subject: [PATCH 67/73] fix whitespace --- bin/vuln_whisperer | 2 +- vulnwhisp/base/config.py | 6 +- vulnwhisp/reporting/jira_api.py | 126 ++++++++++++++++---------------- 3 files changed, 67 insertions(+), 67 deletions(-) diff --git a/bin/vuln_whisperer b/bin/vuln_whisperer index e9def6c..37e0abf 100644 --- a/bin/vuln_whisperer +++ b/bin/vuln_whisperer @@ -79,7 +79,7 @@ def main(): \nPlease specify a section using -s. \ \nExample vuln_whisperer -c config.ini -s nessus')) logger.info('No section was specified, vulnwhisperer will scrape enabled modules from the config file.') - + config = vwConfig(config_in=args.config) enabled_sections = config.get_sections_with_attribute('enabled') diff --git a/vulnwhisp/base/config.py b/vulnwhisp/base/config.py index e8490d6..630b21b 100644 --- a/vulnwhisp/base/config.py +++ b/vulnwhisp/base/config.py @@ -31,7 +31,7 @@ class vwConfig(object): for section in self.config.sections(): try: if self.get(section, attribute) in check: - sections.append(section) + sections.append(section) except: self.logger.warn("Section {} has no option '{}'".format(section, attribute)) return sections @@ -45,7 +45,7 @@ class vwConfig(object): return True def update_jira_profiles(self, profiles): - # create JIRA profiles in the ini config file + # create JIRA profiles in the ini config file self.logger.debug('Updating Jira profiles: {}'.format(str(profiles))) for profile in profiles: @@ -67,7 +67,7 @@ class vwConfig(object): self.config.set(section_name, 'min_critical_to_report', 'high') self.config.set(section_name, '; automatically report, boolean value ') self.config.set(section_name, 'autoreport', 'false') - + # TODO: try/catch this # writing changes back to file with open(self.config_in, 'w') as configfile: diff --git a/vulnwhisp/reporting/jira_api.py b/vulnwhisp/reporting/jira_api.py index 12b3360..63ddb07 100644 --- a/vulnwhisp/reporting/jira_api.py +++ b/vulnwhisp/reporting/jira_api.py 
@@ -40,12 +40,12 @@ class JiraAPI(object): self.close_obsolete_tickets() # deletes the tag "server_decommission" from those tickets closed <=3 months ago self.decommission_cleanup() - + self.jira_still_vulnerable_comment = '''This ticket has been reopened due to the vulnerability not having been fixed (if multiple assets are affected, all need to be fixed; if the server is down, lastest known vulnerability might be the one reported). - In the case of the team accepting the risk and wanting to close the ticket, please add the label "*risk_accepted*" to the ticket before closing it. - If server has been decommissioned, please add the label "*server_decommission*" to the ticket before closing it. - If when checking the vulnerability it looks like a false positive, _+please elaborate in a comment+_ and add the label "*false_positive*" before closing it; we will review it and report it to the vendor. - + If you have further doubts, please contact the Security Team.''' def create_ticket(self, title, desc, project="IS", components=[], tags=[], attachment_contents = []): 
@@ -67,31 +67,31 @@ class JiraAPI(object): if not exists: self.logger.error("Error creating Ticket: component {} not found".format(component)) return 0 - + new_issue = self.jira.create_issue(project=project, summary=title, description=desc, issuetype={'name': 'Bug'}, labels=labels, components=components_ticket) - + self.logger.info("Ticket {} created successfully".format(new_issue)) - + if attachment_contents: self.add_content_as_attachment(new_issue, attachment_contents) - + return new_issue - + #Basic JIRA Metrics def metrics_open_tickets(self, project=None): - jql = "labels= vulnerability_management and resolution = Unresolved" + jql = "labels= vulnerability_management and resolution = Unresolved" if project: jql += " and (project='{}')".format(project) - self.logger.debug('Executing: {}'.format(jql)) + self.logger.debug('Executing: {}'.format(jql)) return len(self.jira.search_issues(jql, maxResults=0)) def metrics_closed_tickets(self, project=None): - jql = "labels= vulnerability_management and NOT resolution = Unresolved AND created >=startOfMonth(-{})".format(self.max_time_tracking) + jql = "labels= vulnerability_management and NOT resolution = Unresolved AND created >=startOfMonth(-{})".format(self.max_time_tracking) if project: jql += " and (project='{}')".format(project) return len(self.jira.search_issues(jql, maxResults=0)) @@ -105,10 +105,10 @@ class JiraAPI(object): # if it has, they will be replaced by "_" if " " in vuln['scan_name']: vuln['scan_name'] = "_".join(vuln['scan_name'].split(" ")) - + # we exclude from the vulnerabilities to report those assets that already exist with *risk_accepted*/*server_decommission* vuln = self.exclude_accepted_assets(vuln) - + # make sure after exclusion of risk_accepted assets there are still assets if vuln['ips']: exists = False 
@@ -140,18 +140,18 @@ class JiraAPI(object): self.create_ticket(title=vuln['title'], desc=tpl, project=project, components=components, tags=[vuln['source'], vuln['scan_name'], 'vulnerability', vuln['risk']], attachment_contents = attachment_contents) else: self.logger.info("Ignoring vulnerability as all assets are already reported in a risk_accepted ticket") - + self.close_fixed_tickets(vulnerabilities) # we reinitialize so the next sync redoes the query with their specific variables self.all_tickets = [] self.excluded_tickets = [] return True - + def exclude_accepted_assets(self, vuln): # we want to check JIRA tickets with risk_accepted/server_decommission or false_positive labels sharing the same source # will exclude tickets older than 12 months, old tickets will get closed for higiene and recreated if still vulnerable - labels = [vuln['source'], vuln['scan_name'], 'vulnerability_management', 'vulnerability'] - + labels = [vuln['source'], vuln['scan_name'], 'vulnerability_management', 'vulnerability'] + if not self.excluded_tickets: jql = "{} AND labels in (risk_accepted,server_decommission, false_positive) AND NOT labels=advisory AND created >=startOfMonth(-{})".format(" AND ".join(["labels={}".format(label) for label in labels]), self.max_time_tracking) self.excluded_tickets = self.jira.search_issues(jql, maxResults=0) 
@@ -169,14 +169,14 @@ class JiraAPI(object): #checking_assets is a list, we add to our full list for later delete all assets assets_to_exclude+=checking_assets tickets_excluded_assets.append(checking_ticketid) - + if assets_to_exclude: assets_to_remove = [] self.logger.warn("Vulnerable Assets seen on an already existing risk_accepted Jira ticket: {}".format(', '.join(tickets_excluded_assets))) self.logger.debug("Original assets: {}".format(vuln['ips'])) - #assets in vulnerability have the structure "ip - hostname - port", so we need to match by partial + #assets in vulnerability have the structure "ip - hostname - port", so we need to match by partial for exclusion in assets_to_exclude: - # for efficiency, we walk the backwards the array of ips from the scanners, as we will be popping out the matches + # for efficiency, we walk the backwards the array of ips from the scanners, as we will be popping out the matches # and we don't want it to affect the rest of the processing (otherwise, it would miss the asset right after the removed one) for index in range(len(vuln['ips']))[::-1]: if exclusion == vuln['ips'][index].split(" - ")[0]: 
@@ -194,28 +194,28 @@ class JiraAPI(object): # we need to return if the vulnerability has already been reported and the ID of the ticket for further processing #function returns array [duplicated(bool), update(bool), ticketid, ticket_assets] title = vuln['title'] - labels = [vuln['source'], vuln['scan_name'], 'vulnerability_management', 'vulnerability'] + labels = [vuln['source'], vuln['scan_name'], 'vulnerability_management', 'vulnerability'] #list(set()) to remove duplicates assets = list(set(re.findall(r"\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b", ",".join(vuln['ips'])))) - + if not self.all_tickets: self.logger.info("Retrieving all JIRA tickets with the following tags {}".format(labels)) # we want to check all JIRA tickets, to include tickets moved to other queues # will exclude tickets older than 12 months, old tickets will get closed for higiene and recreated if still vulnerable jql = "{} AND NOT labels=advisory AND created >=startOfMonth(-{})".format(" AND ".join(["labels={}".format(label) for label in labels]), self.max_time_tracking) - + self.all_tickets = self.jira.search_issues(jql, maxResults=0) - + #WARNING: function IGNORES DUPLICATES, after finding a "duplicate" will just return it exists #it wont iterate over the rest of tickets looking for other possible duplicates/similar issues self.logger.info("Comparing Vulnerabilities to created tickets") for index in range(len(self.all_tickets)): checking_ticketid, checking_title, checking_assets = self.ticket_get_unique_fields(self.all_tickets[index]) # added "not risk_accepted", as if it is risk_accepted, we will create a new ticket excluding the accepted assets - if title.encode('ascii') == checking_title.encode('ascii') and not self.is_risk_accepted(self.jira.issue(checking_ticketid)): + if title.encode('ascii') == checking_title.encode('ascii') and not self.is_risk_accepted(self.jira.issue(checking_ticketid)): difference = list(set(assets).symmetric_difference(checking_assets)) #to check intersection - 
set(assets) & set(checking_assets) - if difference: + if difference: self.logger.info("Asset mismatch, ticket to update. Ticket ID: {}".format(checking_ticketid)) return False, True, checking_ticketid, checking_assets #this will automatically validate else: @@ -230,12 +230,12 @@ class JiraAPI(object): try: affected_assets_section = ticket.raw.get('fields', {}).get('description').encode("ascii").split("{panel:title=Affected Assets}")[1].split("{panel}")[0] assets = list(set(re.findall(r"\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b", affected_assets_section))) - + except Exception as e: self.logger.error("Ticket IPs regex failed. Ticket ID: {}. Reason: {}".format(ticketid, e)) assets = [] - - try: + + try: if not assets: #check if attachment, if so, get assets from attachment affected_assets_section = self.check_ips_attachment(ticket) @@ -243,7 +243,7 @@ class JiraAPI(object): assets = list(set(re.findall(r"\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b", affected_assets_section))) except Exception as e: self.logger.error("Ticket IPs Attachment regex failed. Ticket ID: {}. Reason: {}".format(ticketid, e)) - + return ticketid, title, assets def check_ips_attachment(self, ticket): @@ -260,11 +260,11 @@ class JiraAPI(object): if item.get('filename') == self.attachment_filename: if not latest: latest = item.get('created') - attachment_id = item.get('id') + attachment_id = item.get('id') else: if latest < item.get('created'): - latest = item.get('created') - attachment_id = item.get('id') + latest = item.get('created') + attachment_id = item.get('id') affected_assets_section = self.jira.attachment(attachment_id).get() except Exception as e: 
@@ -300,7 +300,7 @@ class JiraAPI(object): return True def get_ticket_reported_assets(self, ticket): - #[METRICS] return a list with all the affected assets for that vulnerability (including already resolved ones) + #[METRICS] return a list with all the affected assets for that vulnerability (including already resolved ones) return list(set(re.findall(r"\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b",str(self.jira.issue(ticket).raw)))) def get_resolution_time(self, ticket): @@ -311,7 +311,7 @@ class JiraAPI(object): #dates follow format '2018-11-06T10:36:13.849+0100' created = [int(x) for x in ticket_data['created'].split('.')[0].replace('T', '-').replace(':','-').split('-')] resolved =[int(x) for x in ticket_data['resolutiondate'].split('.')[0].replace('T', '-').replace(':','-').split('-')] - + start = datetime(created[0],created[1],created[2],created[3],created[4],created[5]) end = datetime(resolved[0],resolved[1],resolved[2],resolved[3],resolved[4],resolved[5]) return (end-start).days @@ -323,7 +323,7 @@ class JiraAPI(object): def ticket_update_assets(self, vuln, ticketid, ticket_assets): # correct description will always be in the vulnerability to report, only needed to update description to new one self.logger.info("Ticket {} exists, UPDATE requested".format(ticketid)) - + #for now, if a vulnerability has been accepted ('accepted_risk'), ticket is completely ignored and not updated (no new assets) #TODO when vulnerability accepted, create a new ticket with only the non-accepted vulnerable assets @@ -335,12 +335,12 @@ class JiraAPI(object): if self.is_risk_accepted(ticket_obj): return 0 self.reopen_ticket(ticketid=ticketid, comment=self.jira_still_vulnerable_comment) - + #First will do the comparison of assets ticket_obj.update() assets = list(set(re.findall(r"\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b", ",".join(vuln['ips'])))) difference = list(set(assets).symmetric_difference(ticket_assets)) - + comment = '' added = '' removed = '' 
@@ -356,13 +356,13 @@ class JiraAPI(object): removed += '* {}\n'.format(asset) comment = added + removed - + #then will check if assets are too many that need to be added as an attachment attachment_contents = [] if len(vuln['ips']) > self.max_ips_ticket: attachment_contents = vuln['ips'] vuln['ips'] = ["Affected hosts ({assets}) exceed Jira's allowed character limit, added as an attachment.".format(assets = len(attachment_contents))] - + #fill the ticket description template try: tpl = template(self.template_path, vuln) @@ -376,7 +376,7 @@ class JiraAPI(object): if attachment_contents: self.clean_old_attachments(ticket_obj) self.add_content_as_attachment(ticket_obj, attachment_contents) - + ticket_obj.update(description=tpl, comment=comment, fields={"labels":ticket_obj.fields.labels}) self.logger.info("Ticket {} updated successfully".format(ticketid)) self.add_label(ticketid, 'updated') @@ -386,24 +386,24 @@ class JiraAPI(object): def add_label(self, ticketid, label): ticket_obj = self.jira.issue(ticketid) - + if label not in [x.encode('utf8') for x in ticket_obj.fields.labels]: ticket_obj.fields.labels.append(label) - + try: ticket_obj.update(fields={"labels":ticket_obj.fields.labels}) self.logger.info("Added label {label} to ticket {ticket}".format(label=label, ticket=ticketid)) except: self.logger.error("Error while trying to add label {label} to ticket {ticket}".format(label=label, ticket=ticketid)) - + return 0 def remove_label(self, ticketid, label): ticket_obj = self.jira.issue(ticketid) - + if label in [x.encode('utf8') for x in ticket_obj.fields.labels]: ticket_obj.fields.labels.remove(label) - + try: ticket_obj.update(fields={"labels":ticket_obj.fields.labels}) self.logger.info("Removed label {label} from ticket {ticket}".format(label=label, ticket=ticketid)) 
@@ -411,7 +411,7 @@ class JiraAPI(object): self.logger.error("Error while trying to remove label {label} to ticket {ticket}".format(label=label, ticket=ticketid)) else: self.logger.error("Error: label {label} not in ticket {ticket}".format(label=label, ticket=ticketid)) - + return 0 def close_fixed_tickets(self, vulnerabilities): @@ -431,7 +431,7 @@ class JiraAPI(object): self.logger.info("Ticket {} is still vulnerable".format(ticket)) continue self.logger.info("Ticket {} is no longer vulnerable".format(ticket)) - self.close_ticket(ticket, self.JIRA_RESOLUTION_FIXED, comment) + self.close_ticket(ticket, self.JIRA_RESOLUTION_FIXED, comment) return 0 @@ -484,7 +484,7 @@ class JiraAPI(object): self.logger.debug("Ticket {} exists, REOPEN requested".format(ticketid)) # this will reopen a ticket by ticketid ticket_obj = self.jira.issue(ticketid) - + if self.is_ticket_resolved(ticket_obj): if (not self.is_risk_accepted(ticket_obj) or ignore_labels): try: @@ -516,21 +516,21 @@ class JiraAPI(object): # continue with ticket data so that a new ticket is created in place of the "lost" one self.logger.error("error closing ticket {}: {}".format(ticketid, e)) return 0 - + return 0 def close_obsolete_tickets(self): - # Close tickets older than 12 months, vulnerabilities not solved will get created a new ticket + # Close tickets older than 12 months, vulnerabilities not solved will get created a new ticket self.logger.info("Closing obsolete tickets older than {} months".format(self.max_time_tracking)) jql = "labels=vulnerability_management AND created Date: Wed, 1 May 2019 10:33:37 +0100 Subject: [PATCH 68/73] write output to .tmp then rename --- vulnwhisp/vulnwhisp.py | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/vulnwhisp/vulnwhisp.py b/vulnwhisp/vulnwhisp.py index 7f22001..78d750b 100755 --- a/vulnwhisp/vulnwhisp.py +++ b/vulnwhisp/vulnwhisp.py 
@@ -519,7 +519,8 @@ class vulnWhispererNessus(vulnWhispererBase): vuln_ready['scan_source'] = self.CONFIG_SECTION vuln_ready['scan_time'] = norm_time - vuln_ready.to_json(relative_path_name, orient='records', lines=True) + vuln_ready.to_json(relative_path_name + '.tmp', orient='records', lines=True) + os.rename(relative_path_name + '.tmp', relative_path_name) self.logger.info('{records} records written to {path} '.format(records=vuln_ready.shape[0], path=relative_path_name)) @@ -630,10 +631,10 @@ class vulnWhispererQualys(vulnWhispererBase): vuln_ready['scan_time'] = launched_date if output_format == 'json': - vuln_ready.to_json(relative_path_name, orient='records', lines=True) - + vuln_ready.to_json(relative_path_name + '.tmp', orient='records', lines=True) elif output_format == 'csv': - vuln_ready.to_csv(relative_path_name, index=False, header=True) + vuln_ready.to_csv(relative_path_name + '.tmp', index=False, header=True) + os.rename(relative_path_name + '.tmp', relative_path_name) self.logger.info('{records} records written to {path} '.format(records=vuln_ready.shape[0], path=relative_path_name)) @@ -793,7 +794,8 @@ class vulnWhispererOpenVAS(vulnWhispererBase): vuln_ready['scan_time'] = launched_date vuln_ready['scan_source'] = self.CONFIG_SECTION - vuln_ready.to_json(relative_path_name, orient='records', lines=True) + vuln_ready.to_json(relative_path_name + '.tmp', orient='records', lines=True) + os.rename(relative_path_name + '.tmp', relative_path_name) self.logger.info('{records} records written to {path} '.format(records=vuln_ready.shape[0], path=relative_path_name)) 
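Review bot: In the vulnWhispererQualys hunk (`@@ -630,10 +631,10 @@`) the added `os.rename(relative_path_name + '.tmp', relative_path_name)` runs after the `if output_format == 'json'` / `elif output_format == 'csv'` chain, so any other `output_format` value reaches the rename with no `.tmp` file and raises where the old code simply wrote nothing; the vulnWhispererQualysVuln hunk (`@@ -916,8 +918,10 @@`) has the same shape. Unless `output_format` is validated before this point (not visible here), guarding it, `if output_format in ('json', 'csv'): os.rename(relative_path_name + '.tmp', relative_path_name)`, or placing the rename inside each branch keeps the failure explicit. Across all four hunks the intent deserves a comment, e.g. `# write to .tmp then rename so a consumer globbing *.json never reads a partially written file`, and two caveats go with it: a `to_json`/`to_csv` call that raises leaves the `.tmp` file behind in write_path, and while a same-directory rename is atomic on POSIX, `os.rename` on Windows fails when the target already exists, which matters if a scan is ever re-exported to the same path. Each hunk's enclosing method starts and ends outside the hunk.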
@@ -916,8 +918,10 @@ class vulnWhispererQualysVuln(vulnWhispererBase):
 return self.exit_code
 if output_format == 'json':
- vuln_ready.to_json(relative_path_name, orient='records', lines=True)
-
+ vuln_ready.to_json(relative_path_name + '.tmp', orient='records', lines=True)
+ elif output_format == 'csv':
+ vuln_ready.to_csv(relative_path_name + '.tmp', index=False, header=True)
+ os.rename(relative_path_name + '.tmp', relative_path_name)
 self.logger.info('{records} records written to {path} '.format(records=vuln_ready.shape[0],
 path=relative_path_name))
From 5b6a51f02ceea685b43dbab57927862332894f2d Mon Sep 17 00:00:00 2001
From: pemontto
Date: Wed, 1 May 2019 17:51:46 +0100
Subject: [PATCH 69/73] add unique document id
---
 .../pipeline/1000_nessus_process_file.conf | 21 ++++++++++++---
 .../elk6/pipeline/2000_qualys_web_scans.conf | 24 +++++++++++++----
 resources/elk6/pipeline/3000_openvas.conf | 24 +++++++++++++----
 vulnwhisp/frameworks/openvas.py | 1 +
 vulnwhisp/frameworks/qualys_vuln.py | 2 ++
 vulnwhisp/frameworks/qualys_web.py | 3 +++
 vulnwhisp/vulnwhisp.py | 26 ++++++++++++++-----
 7 files changed, 81 insertions(+), 20 deletions(-)
diff --git a/resources/elk6/pipeline/1000_nessus_process_file.conf b/resources/elk6/pipeline/1000_nessus_process_file.conf
index e344183..d575581 100644
--- a/resources/elk6/pipeline/1000_nessus_process_file.conf
+++ b/resources/elk6/pipeline/1000_nessus_process_file.conf
@@ -43,14 +43,29 @@ filter {
 convert => { "risk_number" => "integer"}
 convert => { "total_times_detected" => "integer"}
 }
+
+ if [_unique] {
+ # Set document ID from _unique
+ mutate {
+ rename => { "_unique" => "[@metadata][id]" }
+ }
+ }
 }
 }
 output {
 if "nessus" in [tags] or "tenable" in [tags]{
- elasticsearch {
- hosts => [ "elasticsearch:9200" ]
- index => "logstash-vulnwhisperer-%{+YYYY.MM}"
+ if [@metadata][id] {
+ elasticsearch {
+ hosts => [ "elasticsearch:9200" ]
+ index => "logstash-vulnwhisperer-%{+YYYY.MM}"
+ document_id => "%{[@metadata][id]}"
+ }
+ } else {
+ elasticsearch {
+ hosts => [ "elasticsearch:9200" ]
+ index => "logstash-vulnwhisperer-%{+YYYY.MM}"
+ }
 }
 }
 }
diff --git a/resources/elk6/pipeline/2000_qualys_web_scans.conf b/resources/elk6/pipeline/2000_qualys_web_scans.conf
index d074b8a..e19f6f3 100644
--- a/resources/elk6/pipeline/2000_qualys_web_scans.conf
+++ b/resources/elk6/pipeline/2000_qualys_web_scans.conf
@@ -6,7 +6,7 @@ input {
 file {
- path => [ "/opt/VulnWhisperer/data/qualys_vuln/*.json" ]
+ path => [ "/opt/VulnWhisperer/data/qualys_vuln/*.json" ]
 codec => json
 start_position => "beginning"
 tags => [ "qualys_vuln" ]
@@ -15,7 +15,7 @@ input {
 file_completed_action => "delete"
 }
 file {
- path => [ "/opt/VulnWhisperer/data/qualys_web/*.json" ]
+ path => [ "/opt/VulnWhisperer/data/qualys_web/*.json" ]
 codec => json
 start_position => "beginning"
 tags => [ "qualys_web" ]
@@ -79,13 +79,27 @@ filter {
 # add_tag => [ "critical_asset" ]
 # }
 # }
+ if [_unique] {
+ # Set document ID from _unique
+ mutate {
+ rename => { "_unique" => "[@metadata][id]" }
+ }
+ }
 }
 }
 output {
 if "qualys_vuln" in [tags] or "qualys_web" in [tags] {
- elasticsearch {
- hosts => [ "elasticsearch:9200" ]
- index => "logstash-vulnwhisperer-%{+YYYY.MM}"
+ if [@metadata][id] {
+ elasticsearch {
+ hosts => [ "elasticsearch:9200" ]
+ index => "logstash-vulnwhisperer-%{+YYYY.MM}"
+ document_id => "%{[@metadata][id]}"
+ }
+ } else {
+ elasticsearch {
+ hosts => [ "elasticsearch:9200" ]
+ index => "logstash-vulnwhisperer-%{+YYYY.MM}"
+ }
 }
 }
 }
diff --git a/resources/elk6/pipeline/3000_openvas.conf b/resources/elk6/pipeline/3000_openvas.conf
index 539475c..6cc35cc 100644
--- a/resources/elk6/pipeline/3000_openvas.conf
+++ b/resources/elk6/pipeline/3000_openvas.conf
@@ -100,18 +100,32 @@ filter {
 }
 # Add your critical assets by subnet or by hostname. Comment this field out if you don't want to tag any, but the asset panel will break.
- if [asset] =~ "^10\.0\.100\." {
+ # if [asset] =~ "^10\.0\.100\." {
+ # mutate {
+ # add_tag => [ "critical_asset" ]
+ # }
+ # }
+ if [_unique] {
+ # Set document ID from _unique
 mutate {
- add_tag => [ "critical_asset" ]
+ rename => { "_unique" => "[@metadata][id]" }
 }
 }
 }
 }
 output {
 if "openvas" in [tags] {
- elasticsearch {
- hosts => [ "elasticsearch:9200" ]
- index => "logstash-vulnwhisperer-%{+YYYY.MM}"
+ if [@metadata][id] {
+ elasticsearch {
+ hosts => [ "elasticsearch:9200" ]
+ index => "logstash-vulnwhisperer-%{+YYYY.MM}"
+ document_id => "%{[@metadata][id]}"
+ }
+ } else {
+ elasticsearch {
+ hosts => [ "elasticsearch:9200" ]
+ index => "logstash-vulnwhisperer-%{+YYYY.MM}"
+ }
 }
 }
 }
diff --git a/vulnwhisp/frameworks/openvas.py b/vulnwhisp/frameworks/openvas.py
index 14f6393..c411f7d 100644
--- a/vulnwhisp/frameworks/openvas.py
+++ b/vulnwhisp/frameworks/openvas.py
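Review bot: The `@@ -100,18 +100,32 @@` hunk in 3000_openvas.conf comments out the `critical_asset` tagging block but leaves the line directly above it, which says commenting it out breaks the asset panel, unchanged; the Kibana export added later in this series still ships a "VulnWhisperer - Critical Assets" visualisation filtered on `tags:critical_asset`, so with this default that panel stays empty. The 2000_qualys_web_scans.conf hunk shows its equivalent block already commented out, so the change is consistent across pipelines, but the comment should say so, e.g. `# Optional: uncomment and edit the match below to tag critical assets; the Critical Assets panel stays empty until you do.`. The `filter` block these lines sit in starts outside the hunk.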
@@ -110,6 +110,7 @@ class OpenVAS_API(object):
 ]
 token = requests.post(self.base + self.OMP, data=data, verify=False)
 return token
+
 def get_report_formats(self):
 params = (
 ('cmd', 'get_report_formats'),
diff --git a/vulnwhisp/frameworks/qualys_vuln.py b/vulnwhisp/frameworks/qualys_vuln.py
index 4592c7a..9b33986 100644
--- a/vulnwhisp/frameworks/qualys_vuln.py
+++ b/vulnwhisp/frameworks/qualys_vuln.py
@@ -169,6 +169,8 @@ class qualysVulnScan:
 df['cvss_temporal_vector'] = df['cvss_temporal'].str.extract('\((.*)\)', expand=False)
 df['cvss_temporal'] = df['cvss_temporal'].str.extract('^(\d+(?:\.\d+)?)', expand=False)
+ # Set asset to ip
+ df['asset'] = df['ip']
 # Convert Qualys severity to standardised risk number
 df['risk_number'] = df['severity'].astype(int)-1
diff --git a/vulnwhisp/frameworks/qualys_web.py b/vulnwhisp/frameworks/qualys_web.py
index 270d7b8..6905074 100644
--- a/vulnwhisp/frameworks/qualys_web.py
+++ b/vulnwhisp/frameworks/qualys_web.py
@@ -527,5 +527,8 @@ class qualysScanReport:
 df['dns'] = df['url'].str.extract('https?://([^/]+)', expand=False)
 df.loc[df['uri'] != '','dns'] = df.loc[df['uri'] != '','uri'].str.extract('https?://([^/]+)', expand=False)
+ # Set asset to dns
+ df['asset'] = df['dns']
+ df.fillna('', inplace=True)
 return df
diff --git a/vulnwhisp/vulnwhisp.py b/vulnwhisp/vulnwhisp.py
index 78d750b..6ee8d79 100755
--- a/vulnwhisp/vulnwhisp.py
+++ b/vulnwhisp/vulnwhisp.py
@@ -275,7 +275,7 @@ class vulnWhispererBase(object):
 if cvss_version in df:
 self.logger.info('Normalising {} severity'.format(cvss_version))
 # Map CVSS to severity name
- df.loc[df[cvss_version] == '', cvss_version] = None
+ df.loc[df[cvss_version].astype(str) == '', cvss_version] = None
 df[cvss_version] = df[cvss_version].astype('float')
 # df.loc[df[cvss_version].isnull(), cvss_version + '_severity'] = 'info'
 df.loc[df[cvss_version] == 0, cvss_version + '_severity'] = 'info'
@@ -284,6 +284,13 @@ class vulnWhispererBase(object):
 df.loc[(df[cvss_version] >= 6) & (df[cvss_version] < 9), cvss_version + '_severity'] = 'high'
 df.loc[(df[cvss_version] > 9) & (df[cvss_version].notnull()), cvss_version + '_severity'] = 'critical'
+ self.logger.info('Creating Unique Document ID')
+ df['_unique'] = df.index.values
+ if 'history_id' in df:
+ df['_unique'] = df[['scan_id', 'history_id', '_unique']].apply(lambda x: '_'.join(x.astype(str)), axis=1)
+ else:
+ df['_unique'] = df[['scan_id', '_unique']].apply(lambda x: '_'.join(x.astype(str)), axis=1)
+
 # Rename cvss to cvss2
 # Make cvss with no suffix == cvss3 else cvss2
 # cvss = cvss3 if cvss3 else cvss2
@@ -510,7 +517,6 @@ class vulnWhispererNessus(vulnWhispererBase):
 # Map and transform fields
 vuln_ready = self.nessus.normalise(vuln_ready)
- vuln_ready = self.common_normalise(vuln_ready)
 # Set common fields
 vuln_ready['history_id'] = history_id
@@ -519,6 +525,8 @@ class vulnWhispererNessus(vulnWhispererBase):
 vuln_ready['scan_source'] = self.CONFIG_SECTION
 vuln_ready['scan_time'] = norm_time
+ vuln_ready = self.common_normalise(vuln_ready)
+
 vuln_ready.to_json(relative_path_name + '.tmp', orient='records', lines=True)
 os.rename(relative_path_name + '.tmp', relative_path_name)
 self.logger.info('{records} records written to {path} '.format(records=vuln_ready.shape[0],
@@ -621,7 +629,6 @@ class vulnWhispererQualys(vulnWhispererBase):
 vuln_ready = self.qualys_scan.process_data(path=self.write_path, file_id=str(generated_report_id))
 # Map and transform fields
 vuln_ready = self.qualys_scan.normalise(vuln_ready)
- vuln_ready = self.common_normalise(vuln_ready)
 # Set common fields
 vuln_ready['app_id'] = report_id
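Review bot: The `_unique` id built in the `@@ -284,6 +284,13 @@` hunk joins `scan_id`, `history_id` when present, and the row position, but not `scan_source`, while every pipeline in this patch writes to the same `logstash-vulnwhisperer-%{+YYYY.MM}` index with `document_id` taken from it; if two scanners ever report the same `scan_id`, their rows overwrite each other's documents. Since this patch now calls `common_normalise` only after `scan_source` is set (all four call sites shown here do), prefix it: `id_cols = ['scan_source', 'scan_id'] + (['history_id'] if 'history_id' in df else []) + ['_unique']` then `df['_unique'] = df[id_cols].apply(lambda x: '_'.join(x.astype(str)), axis=1)`. The row-position component also means a re-download of the same scan in a different row order yields new ids and leaves the old documents in place, which deserves a comment on the `df['_unique'] = df.index.values` line. The enclosing method starts outside the hunk.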
@@ -630,6 +637,8 @@ class vulnWhispererQualys(vulnWhispererBase):
 vuln_ready['scan_source'] = self.CONFIG_SECTION
 vuln_ready['scan_time'] = launched_date
+ vuln_ready = self.common_normalise(vuln_ready)
+
 if output_format == 'json':
 vuln_ready.to_json(relative_path_name + '.tmp', orient='records', lines=True)
 elif output_format == 'csv':
@@ -699,6 +708,7 @@ class vulnWhispererOpenVAS(vulnWhispererBase):
 'Hostname': 'hostname',
 'Port': 'port',
 'Port Protocol': 'protocol',
+ 'CVEs': 'cve',
 'CVSS': 'cvss',
 'Severity': 'severity',
 'Solution Type': 'category',
@@ -782,11 +792,10 @@ class vulnWhispererOpenVAS(vulnWhispererBase):
 vuln_ready = self.openvas_api.process_report(report_id=report_id)
 # Map and transform fields
 vuln_ready = self.openvas_api.normalise(vuln_ready)
- vuln_ready = self.common_normalise(vuln_ready)
+ # TODO move the following to the openvas_api.transform_values
 vuln_ready.rename(columns=self.COLUMN_MAPPING, inplace=True)
- vuln_ready.port = vuln_ready.port.fillna(0).astype(int)
- vuln_ready.fillna('', inplace=True)
+ vuln_ready.port = vuln_ready.port.replace('', 0).astype(int)
 # Set common fields
 vuln_ready['scan_name'] = scan_name.encode('utf8')
@@ -794,6 +803,8 @@ class vulnWhispererOpenVAS(vulnWhispererBase):
 vuln_ready['scan_time'] = launched_date
 vuln_ready['scan_source'] = self.CONFIG_SECTION
+ vuln_ready = self.common_normalise(vuln_ready)
+
 vuln_ready.to_json(relative_path_name + '.tmp', orient='records', lines=True)
 os.rename(relative_path_name + '.tmp', relative_path_name)
 self.logger.info('{records} records written to {path} '.format(records=vuln_ready.shape[0],
@@ -904,7 +915,6 @@ class vulnWhispererQualysVuln(vulnWhispererBase):
 vuln_ready = self.qualys_scan.process_data(scan_id=report_id)
 # Map and transform fields
 vuln_ready = self.qualys_scan.normalise(vuln_ready)
- vuln_ready = self.common_normalise(vuln_ready)
 # Set common fields
 vuln_ready['scan_name'] = scan_name.encode('utf8')
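Review bot: In the vulnWhispererOpenVAS hunk at `@@ -782,11 +792,10 @@`, `vuln_ready.port.replace('', 0).astype(int)` replaces the old `fillna(0)`, so a port that is NaN rather than `''` now makes `astype(int)` raise, and dropping `vuln_ready.fillna('', inplace=True)` means NaN in the other columns reaches the JSON as null instead of an empty string. Unless `openvas_api.normalise` now guarantees no NaN (its only hunk in this patch adds a blank line), keep both cases: `vuln_ready.port = vuln_ready.port.replace('', 0).fillna(0).astype(int)`. The new `# TODO move the following to the openvas_api.transform_values` comment would be easier to act on if it named what it covers, e.g. `# TODO: move the column rename and port coercion below into openvas_api.transform_values`. The enclosing method starts and ends outside the hunk.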
@@ -912,6 +922,8 @@ class vulnWhispererQualysVuln(vulnWhispererBase):
 vuln_ready['scan_time'] = launched_date
 vuln_ready['scan_source'] = self.CONFIG_SECTION
+ vuln_ready = self.common_normalise(vuln_ready)
+
 except Exception as e:
 self.logger.error('Could not process {}: {}'.format(report_id, str(e)))
 self.exit_code += 1
From e2c2b47d4dd0f74b4952563ce5291da04f59a9d5 Mon Sep 17 00:00:00 2001
From: pemontto
Date: Wed, 1 May 2019 19:39:48 +0100
Subject: [PATCH 70/73] update kibana API objects
---
 kibana_APIonly.json | 464 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 464 insertions(+)
 create mode 100644 kibana_APIonly.json
diff --git a/kibana_APIonly.json b/kibana_APIonly.json
new file mode 100644
index 0000000..6603b11
--- /dev/null
+++ b/kibana_APIonly.json
@@ -0,0 +1,464 @@ +[ + { + "attributes": { + "hits": 0, + "timeFrom": "now-30d", + "timeRestore": true, + "description": "", + "title": "VulnWhisperer - Reporting", + "panelsJSON": "[{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"x\":0,\"y\":54,\"w\":24,\"h\":20,\"i\":\"5\"},\"id\":\"2f979030-44b9-11e7-a818-f5f80dfc3590\",\"panelIndex\":\"5\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"x\":0,\"y\":34,\"w\":24,\"h\":20,\"i\":\"12\"},\"id\":\"8d9592d0-44ec-11e7-a05f-d9719b331a27\",\"panelIndex\":\"12\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"x\":24,\"y\":14,\"w\":24,\"h\":20,\"i\":\"14\"},\"id\":\"67d432e0-44ec-11e7-a05f-d9719b331a27\",\"panelIndex\":\"14\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":36,\"y\":34,\"w\":12,\"h\":20,\"i\":\"15\"},\"id\":\"297df800-3f7e-11e7-bd24-6903e3283192\",\"panelIndex\":\"15\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":24,\"y\":34,\"w\":12,\"h\":20,\"i\":\"20\"},\"id\":\"471a3580-3f6b-11e7-88e7-df1abe6547fb\",\"panelIndex\":\"20\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":40,\"y\":0,\"w\":8,\"h\":14,\"i\":\"22\"},\"id\":\"995e2280-3df3-11e7-a44e-c79ca8efb780\",\"panelIndex\":\"22\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"x\":0,\"y\":14,\"w\":24,\"h\":20,\"i\":\"29\"},\"id\":\"479deab0-8a39-11e7-a58a-9bfcb3761a3d\",\"panelIndex\":\"29\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"x\":0,\"y\":0,\"w\":10,\"h\":14,\"i\":\"34\"},\"version\":\"6.6.0\",\"panelIndex\":\"34\",\"type\":\"visualization\",\"id\":\"bee32150-6c3a-11e9-be42-ab2ba67e4720\",\"
embeddableConfig\":{}},{\"gridData\":{\"x\":10,\"y\":0,\"w\":10,\"h\":14,\"i\":\"35\"},\"version\":\"6.6.0\",\"panelIndex\":\"35\",\"type\":\"visualization\",\"id\":\"b4c2f790-6c3a-11e9-be42-ab2ba67e4720\",\"embeddableConfig\":{}},{\"gridData\":{\"x\":30,\"y\":0,\"w\":10,\"h\":14,\"i\":\"36\"},\"version\":\"6.6.0\",\"panelIndex\":\"36\",\"type\":\"visualization\",\"id\":\"ed8c5210-6c3a-11e9-be42-ab2ba67e4720\",\"embeddableConfig\":{}},{\"gridData\":{\"x\":20,\"y\":0,\"w\":10,\"h\":14,\"i\":\"37\"},\"version\":\"6.6.0\",\"panelIndex\":\"37\",\"type\":\"visualization\",\"id\":\"c81da600-6c3a-11e9-be42-ab2ba67e4720\",\"embeddableConfig\":{}}]", + "timeTo": "now", + "optionsJSON": "{\"darkTheme\":false,\"useMargins\":false}", + "version": 1, + "refreshInterval": { + "pause": true, + "value": 0 + }, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"match_all\":{}}}}" + } + }, + "version": 1, + "type": "dashboard", + "id": "72051530-448e-11e7-a818-f5f80dfc3590" + }, + { + "attributes": { + "hits": 0, + "timeFrom": "now-30d", + "timeRestore": true, + "description": "", + "title": "VulnWhisperer - Risk Mitigation", + "panelsJSON": 
"[{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":40,\"y\":15,\"w\":8,\"h\":30,\"i\":\"20\"},\"id\":\"995e2280-3df3-11e7-a44e-c79ca8efb780\",\"panelIndex\":\"20\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":0,\"direction\":\"desc\"}}}},\"gridData\":{\"x\":0,\"y\":35,\"w\":12,\"h\":25,\"i\":\"21\"},\"id\":\"852816e0-3eb1-11e7-90cb-918f9cb01e3d\",\"panelIndex\":\"21\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":12,\"y\":35,\"w\":13,\"h\":24,\"i\":\"27\"},\"id\":\"297df800-3f7e-11e7-bd24-6903e3283192\",\"panelIndex\":\"27\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":0,\"direction\":\"desc\"}}}},\"gridData\":{\"x\":32,\"y\":15,\"w\":8,\"h\":30,\"i\":\"28\"},\"id\":\"35b6d320-3f7f-11e7-bd24-6903e3283192\",\"panelIndex\":\"28\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":40,\"y\":0,\"w\":8,\"h\":15,\"i\":\"30\"},\"id\":\"471a3580-3f6b-11e7-88e7-df1abe6547fb\",\"panelIndex\":\"30\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":32,\"y\":0,\"w\":8,\"h\":15,\"i\":\"31\"},\"id\":\"de1a5f40-3f85-11e7-97f9-3777d794626d\",\"panelIndex\":\"31\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"x\":16,\"y\":15,\"w\":16,\"h\":10,\"i\":\"37\"},\"id\":\"5093c620-44e9-11e7-8014-ede06a7e69f8\",\"panelIndex\":\"37\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"columns\":[\"host\",\"risk\",\"risk_score\",\"cve\",\"plugin_name\",\"solution\",\"plugin_output\"],\
"sort\":[\"@timestamp\",\"desc\"]},\"gridData\":{\"x\":0,\"y\":60,\"w\":48,\"h\":30,\"i\":\"38\"},\"id\":\"54648700-3f74-11e7-852e-69207a3d0726\",\"panelIndex\":\"38\",\"type\":\"search\",\"version\":\"6.4.3\"},{\"gridData\":{\"x\":16,\"y\":25,\"w\":16,\"h\":10,\"i\":\"39\"},\"id\":\"fb6eb020-49ab-11e7-8f8c-57ad64ec48a6\",\"panelIndex\":\"39\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":true}},\"gridData\":{\"x\":0,\"y\":15,\"w\":16,\"h\":20,\"i\":\"46\"},\"id\":\"56f0f5f0-3ebe-11e7-a192-93f36fbd9d05\",\"panelIndex\":\"46\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":15,\"i\":\"47\"},\"version\":\"6.6.0\",\"panelIndex\":\"47\",\"type\":\"visualization\",\"id\":\"bee32150-6c3a-11e9-be42-ab2ba67e4720\",\"embeddableConfig\":{}},{\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":15,\"i\":\"48\"},\"version\":\"6.6.0\",\"panelIndex\":\"48\",\"type\":\"visualization\",\"id\":\"b4c2f790-6c3a-11e9-be42-ab2ba67e4720\",\"embeddableConfig\":{}},{\"gridData\":{\"x\":24,\"y\":0,\"w\":8,\"h\":15,\"i\":\"49\"},\"version\":\"6.6.0\",\"panelIndex\":\"49\",\"type\":\"visualization\",\"id\":\"ed8c5210-6c3a-11e9-be42-ab2ba67e4720\",\"embeddableConfig\":{}},{\"gridData\":{\"x\":16,\"y\":0,\"w\":8,\"h\":15,\"i\":\"50\"},\"version\":\"6.6.0\",\"panelIndex\":\"50\",\"type\":\"visualization\",\"id\":\"c81da600-6c3a-11e9-be42-ab2ba67e4720\",\"embeddableConfig\":{}}]", + "timeTo": "now", + "optionsJSON": "{\"darkTheme\":false,\"useMargins\":false}", + "version": 1, + "refreshInterval": { + "pause": true, + "value": 0 + }, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"match_all\":{}}}}" + } + }, + "version": 1, + "type": "dashboard", + "id": "AWCUqesWib22Ai8JwW3u" + }, + { + "attributes": { + "visState": "{\"title\":\"VulnWhisperer - Critical 
Assets\",\"type\":\"heatmap\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"enableHover\":true,\"legendPosition\":\"right\",\"times\":[],\"colorsNumber\":4,\"colorSchema\":\"Green to Red\",\"setColorRange\":true,\"colorsRange\":[{\"from\":0,\"to\":3},{\"from\":3,\"to\":7},{\"from\":7,\"to\":9},{\"from\":9,\"to\":11}],\"invertColors\":false,\"percentageMode\":false,\"valueAxes\":[{\"show\":false,\"id\":\"ValueAxis-1\",\"type\":\"value\",\"scale\":{\"type\":\"linear\",\"defaultYExtents\":false},\"labels\":{\"show\":false,\"rotate\":0,\"color\":\"white\"}}],\"type\":\"heatmap\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"risk_score\",\"customLabel\":\"Residual Risk Score\"}},{\"id\":\"2\",\"enabled\":false,\"type\":\"terms\",\"schema\":\"split\",\"params\":{\"field\":\"risk_score\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"row\":true}},{\"id\":\"3\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"Date\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"asset.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Critical Asset\"}}],\"listeners\":{}}", + "description": "", + "title": "VulnWhisperer - Critical Assets", + "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 3\":\"rgb(0,104,55)\",\"3 - 7\":\"rgb(135,203,103)\",\"7 - 9\":\"rgb(255,255,190)\",\"9 - 11\":\"rgb(249,142,82)\"},\"colors\":{\"8 - 10\":\"#BF1B00\",\"9 - 11\":\"#BF1B00\",\"7 - 9\":\"#EF843C\",\"3 - 7\":\"#EAB839\",\"0 - 3\":\"#7EB26D\"},\"legendOpen\":false}}", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": 
"{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"index\":\"logstash-vulnwhisperer-*\",\"negate\":false,\"disabled\":false,\"alias\":\"Critical Asset\",\"type\":\"phrase\",\"key\":\"tags\",\"value\":\"critical_asset\"},\"query\":{\"match\":{\"tags\":{\"query\":\"critical_asset\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}]}" + } + }, + "version": 1, + "type": "visualization", + "id": "465c5820-8977-11e7-857e-e1d56b17746d" + }, + { + "attributes": { + "visState": "{\"title\":\"VulnWhisperer-RiskOverTime\",\"type\":\"line\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"@timestamp per 12 hours\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"},\"valueAxis\":\"ValueAxis-1\"},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"orderBucketsBySum\":false,\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"type\":\"line\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":tru
e,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"filters\",\"schema\":\"group\",\"params\":{\"filters\":[{\"input\":{\"query\":{\"query_string\":{\"query\":\"risk_score_name:info\"}}},\"label\":\"Info\"},{\"input\":{\"query\":{\"query_string\":{\"query\":\"risk_score_name:low\"}}},\"label\":\"Low\"},{\"input\":{\"query\":{\"query_string\":{\"query\":\"risk_score_name:medium\"}}},\"label\":\"Medium\"},{\"input\":{\"query\":{\"query_string\":{\"query\":\"risk_score_name:high\"}}},\"label\":\"High\"},{\"input\":{\"query\":{\"query_string\":{\"query\":\"risk_score_name:critical\"}}},\"label\":\"Critical\"}]}}],\"listeners\":{}}", + "description": "", + "title": "VulnWhisperer-RiskOverTime", + "uiStateJSON": "{\"vis\":{\"colors\":{\"Critical\":\"#962D82\",\"High\":\"#BF1B00\",\"Low\":\"#629E51\",\"Medium\":\"#EAB839\",\"Info\":\"#65C5DB\"}}}", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "version": 1, + "type": "visualization", + "id": "56f0f5f0-3ebe-11e7-a192-93f36fbd9d05" + }, + { + "attributes": { + "visState": "{\"title\":\"VulnWhisperer - Mitigation Readme\",\"type\":\"markdown\",\"params\":{\"markdown\":\"** Legend **\\n\\n* [Common Vulnerability Scoring System (CVSS)](https://nvd.nist.gov/vuln-metrics/cvss) is the NIST vulnerability scoring system\\n* Risk Number is residual risk score calculated from CVSS, which is adjusted to be specific to Heartland which accounts for services not in use such as Java and Flash\\n* Vulnerabilities by Tag are systems tagged with HIPAA and PCI identification.\\n\\n\\n** Workflow **\\n* Select 10.0 under Risk Number to identify Critical 
Vulnerabilities. \\n* For more information about a CVE, scroll down and click the CVE link.\\n* To filter by tags, use one of the following filters:\\n** tags:has_hipaa_data, tags:pci_asset, tags:hipaa_asset, tags:critical_asset**\"},\"aggs\":[],\"listeners\":{}}", + "description": "", + "title": "VulnWhisperer - Mitigation Readme", + "uiStateJSON": "{}", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "version": 1, + "type": "visualization", + "id": "5093c620-44e9-11e7-8014-ede06a7e69f8" + }, + { + "attributes": { + "visState": "{\"title\":\"VulnWhisperer - Vulnerabilities by Tag\",\"type\":\"table\",\"params\":{\"perPage\":3,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"filters\",\"schema\":\"bucket\",\"params\":{\"filters\":[{\"input\":{\"query\":{\"query_string\":{\"query\":\"tags:has_hipaa_data\",\"analyze_wildcard\":true}}},\"label\":\"Systems with HIPAA data\"},{\"input\":{\"query\":{\"query_string\":{\"query\":\"tags:pci_asset\",\"analyze_wildcard\":true}}},\"label\":\"PCI Systems\"},{\"input\":{\"query\":{\"query_string\":{\"query\":\"tags:hipaa_asset\",\"analyze_wildcard\":true}}},\"label\":\"HIPAA Systems\"}]}}],\"listeners\":{}}", + "description": "", + "title": "VulnWhisperer - Vulnerabilities by Tag", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "version": 
1, + "type": "visualization", + "id": "471a3580-3f6b-11e7-88e7-df1abe6547fb" + }, + { + "attributes": { + "visState": "{\"title\":\"VulnWhisperer-Description\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"description.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Description\"}}],\"listeners\":{}}", + "description": "", + "title": "VulnWhisperer-Description", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "version": 1, + "type": "visualization", + "id": "1de9e550-3df1-11e7-a44e-c79ca8efb780" + }, + { + "attributes": { + "visState": "{\n \"title\": \"VulnWhisperer-Solution\",\n \"type\": \"table\",\n \"params\": {\n \"perPage\": 10,\n \"showMeticsAtAllLevels\": false,\n \"showPartialRows\": false,\n \"showTotal\": false,\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n },\n \"totalFunc\": \"sum\"\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"count\",\n \"schema\": \"metric\",\n \"params\": {}\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"bucket\",\n \"params\": {\n \"field\": \"solution\",\n \"size\": 50,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"customLabel\": \"Solution\"\n }\n }\n ],\n \"listeners\": {}\n}", + "description": "", + "title": "VulnWhisperer-Solution", + "uiStateJSON": "{\n \"vis\": {\n 
\"params\": {\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n }\n }\n }\n}", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\n \"index\": \"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\n \"query\": {\n \"query\": {\n \"query_string\": {\n \"analyze_wildcard\": true,\n \"query\": \"*\"\n }\n },\n \"language\": \"lucene\"\n },\n \"filter\": []\n}" + } + }, + "version": 1, + "type": "visualization", + "id": "13c7d4e0-3df3-11e7-a44e-c79ca8efb780" + }, + { + "attributes": { + "visState": "{\"title\":\"VulnWhisperer - AggTest\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"top_hits\",\"schema\":\"metric\",\"params\":{\"field\":\"@timestamp\",\"aggregate\":\"concat\",\"size\":1,\"sortField\":\"@timestamp\",\"sortOrder\":\"desc\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"asset.keyword\",\"size\":1000,\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"plugin_id\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", + "description": "", + "title": "VulnWhisperer - AggTest", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "version": 1, + "type": "visualization", + "id": "f9b68640-fda5-11e8-8f42-af2e41422cf8" + }, + { + "attributes": { + 
"visState": "{\"title\":\"VulnWhisperer-CVSS\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":0,\"direction\":\"desc\"},\"totalFunc\":\"sum\",\"type\":\"table\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"scan_fingerprint\",\"customLabel\":\"Unique Findings\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"cvss\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"CVSS Score\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"asset.keyword\",\"customLabel\":\"# of Assets\"}}]}", + "description": "", + "title": "VulnWhisperer-CVSS", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":0,\"direction\":\"desc\"}}}}", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true,\"default_field\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "version": 1, + "type": "visualization", + "id": "852816e0-3eb1-11e7-90cb-918f9cb01e3d" + }, + { + "attributes": { + "visState": 
"{\"title\":\"VulnWhisperer-Asset\",\"type\":\"table\",\"params\":{\"perPage\":15,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\",\"type\":\"table\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"scan_fingerprint\",\"customLabel\":\"Findings\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"asset.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Asset\"}}]}", + "description": "", + "title": "VulnWhisperer-Asset", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "version": 1, + "type": "visualization", + "id": "995e2280-3df3-11e7-a44e-c79ca8efb780" + }, + { + "attributes": { + "visState": "{\"title\":\"VulnWhisperer - TL-Critical Risk\",\"type\":\"timelion\",\"params\":{\"expression\":\".es(index='logstash-vulnwhisperer-*',q='(risk_score:>=9 AND risk_score:<=10)').label(\\\"Original\\\"),.es(index='logstash-vulnwhisperer-*',q='(risk_score:>=9 AND risk_score:<=10)',offset=-1w).label(\\\"One week offset\\\"),.es(index='logstash-vulnwhisperer-*',q='(risk_score:>=9 AND risk_score:<=10)').subtract(.es(index='logstash-vulnwhisperer-*',q='(risk_score:>=9 AND risk_score:<=10)',offset=-1w)).label(\\\"Difference\\\").lines(steps=3,fill=2,width=1)\",\"interval\":\"auto\"},\"aggs\":[],\"listeners\":{}}", + "description": "", + "title": "VulnWhisperer - TL-Critical Risk", + "uiStateJSON": "{}", + 
"version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "version": 1, + "type": "visualization", + "id": "67d432e0-44ec-11e7-a05f-d9719b331a27" + }, + { + "attributes": { + "visState": "{\"title\":\"VulnWhisperer - TL-High Risk\",\"type\":\"timelion\",\"params\":{\"expression\":\".es(index='logstash-vulnwhisperer-*',q='(risk_score:>=7 AND risk_score:<9)').label(\\\"Original\\\"),.es(index='logstash-vulnwhisperer-*',q='(risk_score:>=7 AND risk_score:<9)',offset=-1w).label(\\\"One week offset\\\"),.es(index='logstash-vulnwhisperer-*',q='(risk_score:>=7 AND risk_score:<9)').subtract(.es(index='logstash-vulnwhisperer-*',q='(risk_score:>=7 AND risk_score:<9)',offset=-1w)).label(\\\"Difference\\\").lines(steps=3,fill=2,width=1)\",\"interval\":\"auto\"},\"aggs\":[],\"listeners\":{}}", + "description": "", + "title": "VulnWhisperer - TL-High Risk", + "uiStateJSON": "{}", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "version": 1, + "type": "visualization", + "id": "8d9592d0-44ec-11e7-a05f-d9719b331a27" + }, + { + "attributes": { + "visState": "{\n \"title\": \"VulnWhisperer - ScanBarChart\",\n \"type\": \"histogram\",\n \"params\": {\n \"addLegend\": true,\n \"addTimeMarker\": false,\n \"addTooltip\": true,\n \"defaultYExtents\": false,\n \"legendPosition\": \"right\",\n \"mode\": \"stacked\",\n \"scale\": \"linear\",\n \"setYExtents\": false,\n \"times\": [],\n \"type\": \"histogram\",\n \"grid\": {\n \"categoryLines\": false,\n \"style\": {\n \"color\": \"#eee\"\n }\n },\n \"categoryAxes\": [\n {\n \"id\": \"CategoryAxis-1\",\n \"type\": \"category\",\n \"position\": \"bottom\",\n \"show\": true,\n \"style\": {},\n \"scale\": {\n \"type\": \"linear\"\n },\n \"labels\": 
{\n \"show\": true,\n \"truncate\": 100\n },\n \"title\": {}\n }\n ],\n \"valueAxes\": [\n {\n \"id\": \"ValueAxis-1\",\n \"name\": \"LeftAxis-1\",\n \"type\": \"value\",\n \"position\": \"left\",\n \"show\": true,\n \"style\": {},\n \"scale\": {\n \"type\": \"linear\",\n \"mode\": \"normal\",\n \"setYExtents\": false,\n \"defaultYExtents\": false\n },\n \"labels\": {\n \"show\": true,\n \"rotate\": 0,\n \"filter\": false,\n \"truncate\": 100\n },\n \"title\": {\n \"text\": \"Unique count of scan_fingerprint\"\n }\n }\n ],\n \"seriesParams\": [\n {\n \"show\": \"true\",\n \"type\": \"histogram\",\n \"mode\": \"stacked\",\n \"data\": {\n \"label\": \"Unique count of scan_fingerprint\",\n \"id\": \"1\"\n },\n \"valueAxis\": \"ValueAxis-1\"\n }\n ]\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"cardinality\",\n \"schema\": \"metric\",\n \"params\": {\n \"field\": \"scan_fingerprint\"\n }\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"segment\",\n \"params\": {\n \"field\": \"plugin_name\",\n \"size\": 10,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"otherBucket\": false,\n \"otherBucketLabel\": \"Other\",\n \"missingBucket\": false,\n \"missingBucketLabel\": \"Missing\",\n \"customLabel\": \"Scan Name\"\n }\n }\n ]\n}", + "description": "", + "title": "VulnWhisperer - ScanBarChart", + "uiStateJSON": "{}", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\n \"index\": \"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\n \"query\": {\n \"query\": {\n \"query_string\": {\n \"analyze_wildcard\": true,\n \"query\": \"*\",\n \"default_field\": \"*\"\n }\n },\n \"language\": \"lucene\"\n },\n \"filter\": []\n}" + } + }, + "version": 1, + "type": "visualization", + "id": "2f979030-44b9-11e7-a818-f5f80dfc3590" + }, + { + "attributes": { + "visState": "{\n \"title\": \"VulnWhisperer - Plugin Name\",\n \"type\": \"table\",\n \"params\": {\n \"perPage\": 10,\n \"showPartialRows\": false,\n \"sort\": 
{\n \"columnIndex\": null,\n \"direction\": null\n },\n \"showTotal\": false,\n \"totalFunc\": \"sum\",\n \"showMetricsAtAllLevels\": false\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"cardinality\",\n \"schema\": \"metric\",\n \"params\": {\n \"field\": \"scan_fingerprint\",\n \"customLabel\": \"Count\"\n }\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"bucket\",\n \"params\": {\n \"field\": \"plugin_name\",\n \"size\": 10,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"otherBucket\": false,\n \"otherBucketLabel\": \"Other\",\n \"missingBucket\": false,\n \"missingBucketLabel\": \"Missing\",\n \"customLabel\": \"Plugin Name\"\n }\n }\n ]\n}", + "description": "", + "title": "VulnWhisperer - Plugin Name", + "uiStateJSON": "{\n \"vis\": {\n \"params\": {\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n }\n }\n }\n}", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\n \"index\": \"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\n \"query\": {\n \"query\": {\n \"query_string\": {\n \"query\": \"*\",\n \"analyze_wildcard\": true,\n \"default_field\": \"*\"\n }\n },\n \"language\": \"lucene\"\n },\n \"filter\": []\n}" + } + }, + "version": 1, + "type": "visualization", + "id": "297df800-3f7e-11e7-bd24-6903e3283192" + }, + { + "attributes": { + "visState": "{\n \"title\": \"VulnWhisperer - TL - TaggedAssetsPluginNames\",\n \"type\": \"timelion\",\n \"params\": {\n \"expression\": \".es(index='logstash-vulnwhisperer-*', q='tags:critical_asset OR tags:hipaa_asset OR tags:pci_asset', split=\\\"plugin_name:10\\\").bars(width=4).label(regex=\\\".*:(.+)>.*\\\",label=\\\"$1\\\")\",\n \"interval\": \"auto\"\n },\n \"aggs\": [],\n \"listeners\": {}\n}", + "description": "", + "title": "VulnWhisperer - TL - TaggedAssetsPluginNames", + "uiStateJSON": "{}", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\n \"query\": {\n \"query\": {\n \"query_string\": {\n 
\"query\": \"*\",\n \"analyze_wildcard\": true\n }\n },\n \"language\": \"lucene\"\n },\n \"filter\": []\n}" + } + }, + "version": 1, + "type": "visualization", + "id": "479deab0-8a39-11e7-a58a-9bfcb3761a3d" + }, + { + "attributes": { + "visState": "{\n \"title\": \"VulnWhisperer - ScanName\",\n \"type\": \"table\",\n \"params\": {\n \"perPage\": 10,\n \"showPartialRows\": false,\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n },\n \"showTotal\": false,\n \"totalFunc\": \"sum\",\n \"showMetricsAtAllLevels\": false\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"count\",\n \"schema\": \"metric\",\n \"params\": {}\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"bucket\",\n \"params\": {\n \"field\": \"scan_name\",\n \"size\": 20,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"otherBucket\": false,\n \"otherBucketLabel\": \"Other\",\n \"missingBucket\": false,\n \"missingBucketLabel\": \"Missing\",\n \"customLabel\": \"Scan Name\"\n }\n }\n ]\n}", + "description": "", + "title": "VulnWhisperer - ScanName", + "uiStateJSON": "{\n \"vis\": {\n \"params\": {\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n }\n }\n }\n}", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\n \"index\": \"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\n \"query\": {\n \"query\": {\n \"query_string\": {\n \"query\": \"*\",\n \"analyze_wildcard\": true,\n \"default_field\": \"*\"\n }\n },\n \"language\": \"lucene\"\n },\n \"filter\": []\n}" + } + }, + "version": 1, + "type": "visualization", + "id": "de1a5f40-3f85-11e7-97f9-3777d794626d" + }, + { + "attributes": { + "visState": "{\n \"title\": \"VulnWhisperer - Residual Risk\",\n \"type\": \"table\",\n \"params\": {\n \"perPage\": 15,\n \"showPartialRows\": false,\n \"sort\": {\n \"columnIndex\": 0,\n \"direction\": \"desc\"\n },\n \"showTotal\": false,\n \"totalFunc\": \"sum\",\n \"showMetricsAtAllLevels\": false\n },\n \"aggs\": [\n 
{\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"cardinality\",\n \"schema\": \"metric\",\n \"params\": {\n \"field\": \"scan_fingerprint\",\n \"customLabel\": \"Count\"\n }\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"bucket\",\n \"params\": {\n \"field\": \"risk_number\",\n \"size\": 50,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"otherBucket\": false,\n \"otherBucketLabel\": \"Other\",\n \"missingBucket\": false,\n \"missingBucketLabel\": \"Missing\",\n \"customLabel\": \"Risk Number\"\n }\n }\n ]\n}", + "description": "", + "title": "VulnWhisperer - Residual Risk", + "uiStateJSON": "{\n \"vis\": {\n \"params\": {\n \"sort\": {\n \"columnIndex\": 0,\n \"direction\": \"desc\"\n }\n }\n }\n}", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\n \"index\": \"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\n \"query\": {\n \"query\": {\n \"query_string\": {\n \"query\": \"*\",\n \"analyze_wildcard\": true,\n \"default_field\": \"*\"\n }\n },\n \"language\": \"lucene\"\n },\n \"filter\": []\n}" + } + }, + "version": 1, + "type": "visualization", + "id": "35b6d320-3f7f-11e7-bd24-6903e3283192" + }, + { + "attributes": { + "visState": "{\"title\":\"VulnWhisperer - Risk High\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"schema\":\"group\",\"params\":{\"filters\":[{\"input\":{\"query\":\"risk:high\"},\"label\":\"Risk: High\"}]}}]}", + "description": "", + "title": "VulnWhisperer - Risk High", + 
"uiStateJSON": "{}", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "version": 1, + "type": "visualization", + "id": "b4c2f790-6c3a-11e9-be42-ab2ba67e4720" + }, + { + "attributes": { + "visState": "{\"title\":\"VulnWhisperer - Risk Low\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"schema\":\"group\",\"params\":{\"filters\":[{\"input\":{\"query\":\"risk:low\"},\"label\":\"Risk: Low\"}]}}]}", + "description": "", + "title": "VulnWhisperer - Risk Low", + "uiStateJSON": "{}", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "version": 1, + "type": "visualization", + "id": "ed8c5210-6c3a-11e9-be42-ab2ba67e4720" + }, + { + "attributes": { + "visState": "{\n \"title\": \"VulnWhisperer - Critical Risk Score for Tagged Assets\",\n \"type\": \"timelion\",\n \"params\": {\n \"expression\": \".es(index=logstash-vulnwhisperer-*,q='risk_number:>9 AND tags:hipaa_asset').label(\\\"HIPAA Assets\\\"),.es(index=logstash-vulnwhisperer-*,q='risk_number:>9 AND tags:pci_asset').label(\\\"PCI Systems\\\"),.es(index=logstash-vulnwhisperer-*,q='risk_number:>9 AND tags:has_hipaa_data').label(\\\"Has HIPAA Data\\\")\",\n \"interval\": \"auto\"\n },\n \"aggs\": [],\n \"listeners\": {}\n}", + 
"description": "", + "title": "VulnWhisperer - Critical Risk Score for Tagged Assets", + "uiStateJSON": "{}", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\n \"query\": {\n \"query\": {\n \"query_string\": {\n \"query\": \"*\",\n \"analyze_wildcard\": true\n }\n },\n \"language\": \"lucene\"\n },\n \"filter\": []\n}" + } + }, + "version": 1, + "type": "visualization", + "id": "fb6eb020-49ab-11e7-8f8c-57ad64ec48a6" + }, + { + "attributes": { + "visState": "{\"title\":\"VulnWhisperer - Risk Critical\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"schema\":\"group\",\"params\":{\"filters\":[{\"input\":{\"query\":\"risk:critical\"},\"label\":\"Risk: Critical\"}]}}]}", + "description": "", + "title": "VulnWhisperer - Risk Critical", + "uiStateJSON": "{}", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "version": 1, + "type": "visualization", + "id": "bee32150-6c3a-11e9-be42-ab2ba67e4720" + }, + { + "attributes": { + "visState": "{\"title\":\"VulnWhisperer - Risk Medium\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to 
Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"schema\":\"group\",\"params\":{\"filters\":[{\"input\":{\"query\":\"risk:medium\"},\"label\":\"Risk: Medium\"}]}}]}", + "description": "", + "title": "VulnWhisperer - Risk Medium", + "uiStateJSON": "{}", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "version": 1, + "type": "visualization", + "id": "c81da600-6c3a-11e9-be42-ab2ba67e4720" + }, + { + "attributes": { + "sort": [ + "@timestamp", + "desc" + ], + "hits": 0, + "description": "", + "title": "VulnWhisperer - High Risk", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}}},\"filter\":[{\"meta\":{\"negate\":false,\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"type\":\"phrase\",\"key\":\"risk\",\"value\":\"High\",\"params\":{\"query\":\"High\",\"type\":\"phrase\"},\"disabled\":false,\"alias\":null},\"query\":{\"match\":{\"risk\":{\"query\":\"High\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"highlightAll\":true,\"version\":true}" + }, + "columns": [ + "host", + "risk", + "risk_score", + "cve", + "plugin_name", + "solution", + "plugin_output" + ] + }, + "version": 1, + "type": 
"search", + "id": "159d2500-f773-11e8-8f42-af2e41422cf8" + }, + { + "attributes": { + "sort": [ + "@timestamp", + "desc" + ], + "hits": 0, + "description": "", + "title": "VulnWhisperer - Saved Search", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647}}" + }, + "columns": [ + "host", + "risk", + "risk_score", + "cve", + "plugin_name", + "solution", + "plugin_output" + ] + }, + "version": 1, + "type": "search", + "id": "54648700-3f74-11e7-852e-69207a3d0726" + }, + { + "attributes": { + "sort": [ + "@timestamp", + "desc" + ], + "hits": 0, + "description": "", + "title": "VulnWhisperer - Compliance", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[]}" + }, + "columns": [ + "plugin_id", + "cve", + "cvss", + "risk", + "asset", + "protocol", + "port", + "plugin_name", + "synopsis", + "description", + "solution", + "see_also", + "plugin_output" + ] + }, + "version": 1, + "type": "search", + "id": "41a7e430-fdb5-11e8-8f42-af2e41422cf8" + }, + { + "version": 1, + "migrationVersion": { + "index-pattern": "6.5.0" + }, + "attributes": { + "fields": 
"[{\"name\":\"@timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"access_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"access_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"affected_software\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"affected_software.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ajax_request\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ajax_request.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"app_id\",\"type\":\"string\",\"count\":0,\"scripted\":f
alse,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"app_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"asset\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"asset.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"asset_uuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"authentication\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"authentication.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"bids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"bids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"category\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"category_description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"category_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certs\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certs.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"rea
dFromDocValues\":true},{\"name\":\"cve\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cvss\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cvss3\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cvss3_base\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cvss3_severity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cvss3_temporal\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cvss3_vector\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cvss_base\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cvss_severity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cvss_temporal\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cvss_vector\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cwe\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"cwe.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"date\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":
true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"date.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"detection_date\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"detection_date.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"detection_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"detection_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"epoch\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"evidence\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"evidence.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"exploitability\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"exploitability.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocVa
lues\":true},{\"name\":\"false_pos\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"false_pos.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"form_entry_point\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"form_entry_point.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fqdn\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.latitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.longitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"groups\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"groups.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"high\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"high.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"history_id\",\"type\":\"string\",\"count\":
0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host_end\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host_start\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ignored\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ignored.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"impact\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"impact.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"last_time_detected\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"level\",\"t
ype\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"links\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"links.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"low\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"low.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mac_address\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"medium\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"medium.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"netbios\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nvt_oid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"nvt_oid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromD
ocValues\":true},{\"name\":\"operating_system\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"owasp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"owasp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"owner\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"owner.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"param\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"payload\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"payload.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pci_vuln\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"plugin_family\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"plugin_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"plugin_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"se
archable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"plugin_output\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"plugin_output.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"product_detection_result\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"product_detection_result.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"report_ids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"report_ids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_headers\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_headers.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_method.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_url\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchabl
e\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_url.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"result_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"result_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"risk\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"risk_number\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan_highest_severity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan_highest_severity.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan_severity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan_severity.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan_source\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scope\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocVal
ues\":false},{\"name\":\"scope.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"see_also\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"see_also.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"severity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"severity_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"severity_level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"severity_rate\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"severity_rate.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"solution\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ssl\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"status.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"synopsis\",\"type\":\"string\",\"count\":0,\"scr
ipted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"task\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"task.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"task_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"task_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"task_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"task_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uri\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uri.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"url\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"url.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"vendor_reference\",
\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"vulnerability_detection_method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"vulnerability_detection_method.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"vulnerability_insight\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"vulnerability_insight.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wasc\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wasc.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"web_application_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"web_application_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan_fingerprint\",\"type\":\"string\",\"count\":1,\"scripted\":true,\"script\":\"doc['asset.keyword']+'_'+doc['plugin_id']\",\"lang\":\"painless\",\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false}]", + "fieldFormatMap": "{\"plugin_id\":{\"id\":\"number\",\"params\":{\"pattern\":\"00.[000]\"}}}", + "timeFieldName": "@timestamp", + "title": "logstash-vulnwhisperer-*" + }, + "type": "index-pattern", + "id": "4a6d9090-f66e-11e8-8f42-af2e41422cf8" + } +] \ No newline at end of file From 98a84af5d0a3d5cab5f619b05cf2918a1c90aaf2 Mon Sep 17 00:00:00 2001 
From: pemontto Date: Wed, 1 May 2019 20:50:41 +0100 Subject: [PATCH 71/73] use web_application_name as asset --- resources/elk6/pipeline/2000_qualys_web_scans.conf | 6 ------ vulnwhisp/frameworks/qualys_web.py | 4 ++-- 2 files changed, 2 insertions(+), 8 deletions(-) diff --git a/resources/elk6/pipeline/2000_qualys_web_scans.conf b/resources/elk6/pipeline/2000_qualys_web_scans.conf index e19f6f3..ce28f17 100644 --- a/resources/elk6/pipeline/2000_qualys_web_scans.conf +++ b/resources/elk6/pipeline/2000_qualys_web_scans.conf @@ -33,12 +33,6 @@ filter { remove_field => ["scan_time"] } - if "qualys_web" in [tags] { - mutate { - add_field => { "asset" => "%{web_application_name}" } - } - } - mutate { convert => { "cvss" => "float"} convert => { "cvss_base" => "float"} diff --git a/vulnwhisp/frameworks/qualys_web.py b/vulnwhisp/frameworks/qualys_web.py index 6905074..40b80e5 100644 --- a/vulnwhisp/frameworks/qualys_web.py +++ b/vulnwhisp/frameworks/qualys_web.py @@ -527,8 +527,8 @@ class qualysScanReport: df['dns'] = df['url'].str.extract('https?://([^/]+)', expand=False) df.loc[df['uri'] != '','dns'] = df.loc[df['uri'] != '','uri'].str.extract('https?://([^/]+)', expand=False) - # Set asset to dns - df['asset'] = df['dns'] + # Set asset to web_application_name + df['asset'] = df['web_application_name'] df.fillna('', inplace=True) return df From 9c27f5d4a247e15a85b13f073ecbd62f326a5ea4 Mon Sep 17 00:00:00 2001 From: pemontto Date: Wed, 1 May 2019 20:51:49 +0100 Subject: [PATCH 72/73] kibana object updates --- resources/elk6/kibana.json | 774 ++++++++++++++++------------- resources/elk6/kibana_APIonly.json | 753 +++++++++++++++------------- vulnwhisp/vulnwhisp.py | 4 +- 3 files changed, 837 insertions(+), 694 deletions(-) diff --git a/resources/elk6/kibana.json b/resources/elk6/kibana.json index 363a972..acd107d 100644 --- a/resources/elk6/kibana.json +++ b/resources/elk6/kibana.json 
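Review bot: The new `df['asset'] = df['web_application_name']` changes the identity the Kibana scripted field `scan_fingerprint` (`doc['asset.keyword']+'_'+doc['plugin_id']`, visible in the index-pattern export above) is built from, so findings on distinct hosts of one Qualys web application now collapse into a single fingerprint, and documents indexed before this change keep the old host-derived `asset`, so the same finding will show up under two assets across the cutover until old data is re-indexed. That consequence should be stated at the assignment rather than left implicit, e.g. `# asset feeds scan_fingerprint (asset + plugin_id) in Kibana; WAS findings are keyed per web application, not per host — re-index old qualys_web data after this change`. `dns` was always derived two lines above, whereas `web_application_name` is presumably a column from the WAS report (the removed Logstash block read the same field, so it was expected to exist) but is not guaranteed here; if it can be missing, `df['asset'] = df.get('web_application_name', df['dns'])` keeps the previous behaviour as a fallback instead of raising KeyError. The enclosing method of `qualysScanReport` starts outside the hunk.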
@@ -3,33 +3,36 @@ "_id": "AWCUqesWib22Ai8JwW3u", "_type": "dashboard", "_source": { - "title": "VulnWhisperer - Risk Mitigation", "hits": 0, + "timeFrom": "now-30d", + "timeRestore": true, "description": "", + "title": "VulnWhisperer - Risk Mitigation", "panelsJSON": "[{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":30,\"i\":\"20\",\"w\":8,\"x\":40,\"y\":15},\"id\":\"995e2280-3df3-11e7-a44e-c79ca8efb780\",\"panelIndex\":\"20\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":0,\"direction\":\"desc\"}}}},\"gridData\":{\"h\":30,\"i\":\"21\",\"w\":12,\"x\":0,\"y\":35},\"id\":\"852816e0-3eb1-11e7-90cb-918f9cb01e3d\",\"panelIndex\":\"21\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":30,\"i\":\"27\",\"w\":12,\"x\":12,\"y\":35},\"id\":\"297df800-3f7e-11e7-bd24-6903e3283192\",\"panelIndex\":\"27\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":0,\"direction\":\"desc\"}}}},\"gridData\":{\"h\":30,\"i\":\"28\",\"w\":8,\"x\":32,\"y\":15},\"id\":\"35b6d320-3f7f-11e7-bd24-6903e3283192\",\"panelIndex\":\"28\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":15,\"i\":\"30\",\"w\":8,\"x\":40,\"y\":0},\"id\":\"471a3580-3f6b-11e7-88e7-df1abe6547fb\",\"panelIndex\":\"30\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"31\",\"w\":8,\"x\":24,\"y\":35},\"id\":\"de1a5f40-3f85-11e7-97f9-3777d794626d\",\"panelIndex\":\"31\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"h\":10,\"i\":\"37\",\"w\"
:16,\"x\":16,\"y\":25},\"id\":\"5093c620-44e9-11e7-8014-ede06a7e69f8\",\"panelIndex\":\"37\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"columns\":[\"host\",\"risk\",\"risk_score\",\"cve\",\"plugin_name\",\"solution\",\"plugin_output\"],\"sort\":[\"@timestamp\",\"desc\"]},\"gridData\":{\"h\":30,\"i\":\"38\",\"w\":48,\"x\":0,\"y\":65},\"id\":\"54648700-3f74-11e7-852e-69207a3d0726\",\"panelIndex\":\"38\",\"type\":\"search\",\"version\":\"6.4.3\"},{\"gridData\":{\"h\":10,\"i\":\"39\",\"w\":16,\"x\":16,\"y\":15},\"id\":\"fb6eb020-49ab-11e7-8f8c-57ad64ec48a6\",\"panelIndex\":\"39\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":20,\"i\":\"46\",\"w\":16,\"x\":0,\"y\":15},\"id\":\"56f0f5f0-3ebe-11e7-a192-93f36fbd9d05\",\"panelIndex\":\"46\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 50\":\"rgb(247,252,245)\",\"50 - 100\":\"rgb(0,68,27)\"},\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"47\",\"w\":9,\"x\":30,\"y\":0},\"id\":\"e6b5b920-f77a-11e8-8f42-af2e41422cf8\",\"panelIndex\":\"47\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 10\":\"rgb(255,245,240)\",\"10 - 20\":\"rgb(103,0,13)\"},\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"48\",\"w\":10,\"x\":0,\"y\":0},\"id\":\"8c9c9430-f77b-11e8-8f42-af2e41422cf8\",\"panelIndex\":\"48\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"colors\":{\"0 - 10\":\"#E5AC0E\"},\"defaultColors\":{\"0 - 
10\":\"rgb(8,48,107)\"},\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"50\",\"w\":10,\"x\":20,\"y\":0},\"id\":\"61b43c00-f77b-11e8-8f42-af2e41422cf8\",\"panelIndex\":\"50\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"51\",\"w\":10,\"x\":10,\"y\":0},\"id\":\"c533c120-fe8c-11e8-8f42-af2e41422cf8\",\"panelIndex\":\"51\",\"type\":\"visualization\",\"version\":\"6.4.3\"}]", + "timeTo": "now", "optionsJSON": "{\"darkTheme\":false,\"useMargins\":false}", "version": 1, - "timeRestore": true, - "timeTo": "now", - "timeFrom": "now-30d", "kibanaSavedObjectMeta": { "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"match_all\":{}}}}" } + }, + "_meta": { + "savedObjectVersion": 2 } }, { "_id": "72051530-448e-11e7-a818-f5f80dfc3590", "_type": "dashboard", "_source": { - "title": "VulnWhisperer - Reporting", "hits": 0, + "timeFrom": "now-30d", + "timeRestore": true, "description": "", + "title": "VulnWhisperer - Reporting", "panelsJSON": 
"[{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":20,\"i\":\"5\",\"w\":24,\"x\":0,\"y\":56},\"id\":\"2f979030-44b9-11e7-a818-f5f80dfc3590\",\"panelIndex\":\"5\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"h\":20,\"i\":\"12\",\"w\":24,\"x\":0,\"y\":36},\"id\":\"8d9592d0-44ec-11e7-a05f-d9719b331a27\",\"panelIndex\":\"12\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"h\":20,\"i\":\"14\",\"w\":24,\"x\":24,\"y\":16},\"id\":\"67d432e0-44ec-11e7-a05f-d9719b331a27\",\"panelIndex\":\"14\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"15\",\"w\":12,\"x\":36,\"y\":36},\"id\":\"297df800-3f7e-11e7-bd24-6903e3283192\",\"panelIndex\":\"15\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"20\",\"w\":12,\"x\":24,\"y\":36},\"id\":\"471a3580-3f6b-11e7-88e7-df1abe6547fb\",\"panelIndex\":\"20\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":15,\"i\":\"22\",\"w\":8,\"x\":40,\"y\":0},\"id\":\"995e2280-3df3-11e7-a44e-c79ca8efb780\",\"panelIndex\":\"22\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"h\":20,\"i\":\"29\",\"w\":24,\"x\":0,\"y\":16},\"id\":\"479deab0-8a39-11e7-a58a-9bfcb3761a3d\",\"panelIndex\":\"29\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 50\":\"rgb(247,252,245)\",\"50 - 
100\":\"rgb(0,68,27)\"},\"legendOpen\":false}},\"gridData\":{\"h\":16,\"i\":\"30\",\"w\":10,\"x\":30,\"y\":0},\"id\":\"e6b5b920-f77a-11e8-8f42-af2e41422cf8\",\"panelIndex\":\"30\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"colors\":{\"0 - 10\":\"#EAB839\"},\"defaultColors\":{\"0 - 10\":\"rgb(8,48,107)\"},\"legendOpen\":false}},\"gridData\":{\"h\":16,\"i\":\"31\",\"w\":9,\"x\":21,\"y\":0},\"id\":\"61b43c00-f77b-11e8-8f42-af2e41422cf8\",\"panelIndex\":\"31\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"colors\":{\"10 - 20\":\"#890F02\"},\"defaultColors\":{\"0 - 10\":\"rgb(255,245,240)\",\"10 - 20\":\"rgb(103,0,13)\"},\"legendOpen\":false}},\"gridData\":{\"h\":16,\"i\":\"32\",\"w\":11,\"x\":0,\"y\":0},\"id\":\"8c9c9430-f77b-11e8-8f42-af2e41422cf8\",\"panelIndex\":\"32\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"33\",\"w\":10,\"x\":11,\"y\":0},\"id\":\"c533c120-fe8c-11e8-8f42-af2e41422cf8\",\"panelIndex\":\"33\",\"type\":\"visualization\",\"version\":\"6.4.3\"}]", + "timeTo": "now", "optionsJSON": "{\"darkTheme\":false,\"useMargins\":false}", "version": 1, - "timeRestore": true, - "timeTo": "now", - "timeFrom": "now-30d", "refreshInterval": { "pause": true, "value": 0 
@@ -37,15 +40,400 @@ "kibanaSavedObjectMeta": { "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"match_all\":{}}}}" } + }, + "_meta": { + "savedObjectVersion": 2 + } + }, + { + "_id": "465c5820-8977-11e7-857e-e1d56b17746d", + "_type": "visualization", + "_source": { + "visState": "{\"title\":\"VulnWhisperer - Critical Assets\",\"type\":\"heatmap\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"enableHover\":true,\"legendPosition\":\"right\",\"times\":[],\"colorsNumber\":4,\"colorSchema\":\"Green to Red\",\"setColorRange\":true,\"colorsRange\":[{\"from\":0,\"to\":3},{\"from\":3,\"to\":7},{\"from\":7,\"to\":9},{\"from\":9,\"to\":11}],\"invertColors\":false,\"percentageMode\":false,\"valueAxes\":[{\"show\":false,\"id\":\"ValueAxis-1\",\"type\":\"value\",\"scale\":{\"type\":\"linear\",\"defaultYExtents\":false},\"labels\":{\"show\":false,\"rotate\":0,\"color\":\"white\"}}],\"type\":\"heatmap\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"risk_score\",\"customLabel\":\"Residual Risk Score\"}},{\"id\":\"2\",\"enabled\":false,\"type\":\"terms\",\"schema\":\"split\",\"params\":{\"field\":\"risk_score\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"row\":true}},{\"id\":\"3\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"Date\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"asset.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Critical Asset\"}}],\"listeners\":{}}", + "description": "", + "title": "VulnWhisperer - Critical Assets", + "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 3\":\"rgb(0,104,55)\",\"3 - 7\":\"rgb(135,203,103)\",\"7 - 9\":\"rgb(255,255,190)\",\"9 - 
11\":\"rgb(249,142,82)\"},\"colors\":{\"8 - 10\":\"#BF1B00\",\"9 - 11\":\"#BF1B00\",\"7 - 9\":\"#EF843C\",\"3 - 7\":\"#EAB839\",\"0 - 3\":\"#7EB26D\"},\"legendOpen\":false}}", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"index\":\"logstash-vulnwhisperer-*\",\"negate\":false,\"disabled\":false,\"alias\":\"Critical Asset\",\"type\":\"phrase\",\"key\":\"tags\",\"value\":\"critical_asset\"},\"query\":{\"match\":{\"tags\":{\"query\":\"critical_asset\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}]}" + } + }, + "_meta": { + "savedObjectVersion": 2 + } + }, + { + "_id": "5093c620-44e9-11e7-8014-ede06a7e69f8", + "_type": "visualization", + "_source": { + "visState": "{\"title\":\"VulnWhisperer - Mitigation Readme\",\"type\":\"markdown\",\"params\":{\"markdown\":\"** Legend **\\n\\n* [Common Vulnerability Scoring System (CVSS)](https://nvd.nist.gov/vuln-metrics/cvss) is the NIST vulnerability scoring system\\n* Risk Number is residual risk score calculated from CVSS, which is adjusted to be specific to Heartland which accounts for services not in use such as Java and Flash\\n* Vulnerabilities by Tag are systems tagged with HIPAA and PCI identification.\\n\\n\\n** Workflow **\\n* Select 10.0 under Risk Number to identify Critical Vulnerabilities. 
\\n* For more information about a CVE, scroll down and click the CVE link.\\n* To filter by tags, use one of the following filters:\\n** tags:has_hipaa_data, tags:pci_asset, tags:hipaa_asset, tags:critical_asset**\"},\"aggs\":[],\"listeners\":{}}", + "description": "", + "title": "VulnWhisperer - Mitigation Readme", + "uiStateJSON": "{}", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "_meta": { + "savedObjectVersion": 2 + } + }, + { + "_id": "471a3580-3f6b-11e7-88e7-df1abe6547fb", + "_type": "visualization", + "_source": { + "visState": "{\"title\":\"VulnWhisperer - Vulnerabilities by Tag\",\"type\":\"table\",\"params\":{\"perPage\":3,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"filters\",\"schema\":\"bucket\",\"params\":{\"filters\":[{\"input\":{\"query\":{\"query_string\":{\"query\":\"tags:has_hipaa_data\",\"analyze_wildcard\":true}}},\"label\":\"Systems with HIPAA data\"},{\"input\":{\"query\":{\"query_string\":{\"query\":\"tags:pci_asset\",\"analyze_wildcard\":true}}},\"label\":\"PCI Systems\"},{\"input\":{\"query\":{\"query_string\":{\"query\":\"tags:hipaa_asset\",\"analyze_wildcard\":true}}},\"label\":\"HIPAA Systems\"}]}}],\"listeners\":{}}", + "description": "", + "title": "VulnWhisperer - Vulnerabilities by Tag", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}" + } + }, + 
"_meta": { + "savedObjectVersion": 2 + } + }, + { + "_id": "1de9e550-3df1-11e7-a44e-c79ca8efb780", + "_type": "visualization", + "_source": { + "visState": "{\"title\":\"VulnWhisperer-Description\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"description.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Description\"}}],\"listeners\":{}}", + "description": "", + "title": "VulnWhisperer-Description", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "_meta": { + "savedObjectVersion": 2 + } + }, + { + "_id": "fb6eb020-49ab-11e7-8f8c-57ad64ec48a6", + "_type": "visualization", + "_source": { + "visState": "{\"title\":\"VulnWhisperer - Critical Risk Score for Tagged Assets\",\"type\":\"timelion\",\"params\":{\"expression\":\".es(index=logstash-vulnwhisperer-*,q='risk_score:>9 AND tags:hipaa_asset').label(\\\"HIPAA Assets\\\"),.es(index=logstash-vulnwhisperer-*,q='risk_score:>9 AND tags:pci_asset').label(\\\"PCI Systems\\\"),.es(index=logstash-vulnwhisperer-*,q='risk_score:>9 AND tags:has_hipaa_data').label(\\\"Has HIPAA Data\\\")\",\"interval\":\"auto\"},\"aggs\":[],\"listeners\":{}}", + "description": "", + "title": "VulnWhisperer - Critical Risk Score for Tagged Assets", + "uiStateJSON": "{}", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": 
"{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "_meta": { + "savedObjectVersion": 2 + } + }, + { + "_id": "13c7d4e0-3df3-11e7-a44e-c79ca8efb780", + "_type": "visualization", + "_source": { + "visState": "{\n \"title\": \"VulnWhisperer-Solution\",\n \"type\": \"table\",\n \"params\": {\n \"perPage\": 10,\n \"showMeticsAtAllLevels\": false,\n \"showPartialRows\": false,\n \"showTotal\": false,\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n },\n \"totalFunc\": \"sum\"\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"count\",\n \"schema\": \"metric\",\n \"params\": {}\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"bucket\",\n \"params\": {\n \"field\": \"solution\",\n \"size\": 50,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"customLabel\": \"Solution\"\n }\n }\n ],\n \"listeners\": {}\n}", + "description": "", + "title": "VulnWhisperer-Solution", + "uiStateJSON": "{\n \"vis\": {\n \"params\": {\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n }\n }\n }\n}", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\n \"index\": \"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\n \"query\": {\n \"query\": {\n \"query_string\": {\n \"analyze_wildcard\": true,\n \"query\": \"*\"\n }\n },\n \"language\": \"lucene\"\n },\n \"filter\": []\n}" + } + }, + "_meta": { + "savedObjectVersion": 2 + } + }, + { + "_id": "f9b68640-fda5-11e8-8f42-af2e41422cf8", + "_type": "visualization", + "_source": { + "visState": "{\"title\":\"VulnWhisperer - 
AggTest\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"top_hits\",\"schema\":\"metric\",\"params\":{\"field\":\"@timestamp\",\"aggregate\":\"concat\",\"size\":1,\"sortField\":\"@timestamp\",\"sortOrder\":\"desc\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"asset.keyword\",\"size\":1000,\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"plugin_id\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", + "description": "", + "title": "VulnWhisperer - AggTest", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "_meta": { + "savedObjectVersion": 2 + } + }, + { + "_id": "995e2280-3df3-11e7-a44e-c79ca8efb780", + "_type": "visualization", + "_source": { + "visState": 
"{\"title\":\"VulnWhisperer-Asset\",\"type\":\"table\",\"params\":{\"perPage\":15,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\",\"type\":\"table\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"scan_fingerprint\",\"customLabel\":\"Findings\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"asset.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Asset\"}}]}", + "description": "", + "title": "VulnWhisperer-Asset", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "_meta": { + "savedObjectVersion": 2 + } + }, + { + "_id": "67d432e0-44ec-11e7-a05f-d9719b331a27", + "_type": "visualization", + "_source": { + "visState": "{\"title\":\"VulnWhisperer - TL-Critical Risk\",\"type\":\"timelion\",\"params\":{\"expression\":\".es(index='logstash-vulnwhisperer-*',q='(risk_score:>=9 AND risk_score:<=10)').label(\\\"Original\\\"),.es(index='logstash-vulnwhisperer-*',q='(risk_score:>=9 AND risk_score:<=10)',offset=-1w).label(\\\"One week offset\\\"),.es(index='logstash-vulnwhisperer-*',q='(risk_score:>=9 AND risk_score:<=10)').subtract(.es(index='logstash-vulnwhisperer-*',q='(risk_score:>=9 AND risk_score:<=10)',offset=-1w)).label(\\\"Difference\\\").lines(steps=3,fill=2,width=1)\",\"interval\":\"auto\"},\"aggs\":[],\"listeners\":{}}", + "description": "", + "title": "VulnWhisperer - TL-Critical Risk", + 
"uiStateJSON": "{}", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "_meta": { + "savedObjectVersion": 2 + } + }, + { + "_id": "8d9592d0-44ec-11e7-a05f-d9719b331a27", + "_type": "visualization", + "_source": { + "visState": "{\"title\":\"VulnWhisperer - TL-High Risk\",\"type\":\"timelion\",\"params\":{\"expression\":\".es(index='logstash-vulnwhisperer-*',q='(risk_score:>=7 AND risk_score:<9)').label(\\\"Original\\\"),.es(index='logstash-vulnwhisperer-*',q='(risk_score:>=7 AND risk_score:<9)',offset=-1w).label(\\\"One week offset\\\"),.es(index='logstash-vulnwhisperer-*',q='(risk_score:>=7 AND risk_score:<9)').subtract(.es(index='logstash-vulnwhisperer-*',q='(risk_score:>=7 AND risk_score:<9)',offset=-1w)).label(\\\"Difference\\\").lines(steps=3,fill=2,width=1)\",\"interval\":\"auto\"},\"aggs\":[],\"listeners\":{}}", + "description": "", + "title": "VulnWhisperer - TL-High Risk", + "uiStateJSON": "{}", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "_meta": { + "savedObjectVersion": 2 + } + }, + { + "_id": "2f979030-44b9-11e7-a818-f5f80dfc3590", + "_type": "visualization", + "_source": { + "visState": "{\n \"title\": \"VulnWhisperer - ScanBarChart\",\n \"type\": \"histogram\",\n \"params\": {\n \"addLegend\": true,\n \"addTimeMarker\": false,\n \"addTooltip\": true,\n \"defaultYExtents\": false,\n \"legendPosition\": \"right\",\n \"mode\": \"stacked\",\n \"scale\": \"linear\",\n \"setYExtents\": false,\n \"times\": [],\n \"type\": \"histogram\",\n \"grid\": {\n \"categoryLines\": false,\n \"style\": {\n \"color\": \"#eee\"\n }\n },\n \"categoryAxes\": [\n {\n \"id\": \"CategoryAxis-1\",\n \"type\": \"category\",\n \"position\": \"bottom\",\n \"show\": 
true,\n \"style\": {},\n \"scale\": {\n \"type\": \"linear\"\n },\n \"labels\": {\n \"show\": true,\n \"truncate\": 100\n },\n \"title\": {}\n }\n ],\n \"valueAxes\": [\n {\n \"id\": \"ValueAxis-1\",\n \"name\": \"LeftAxis-1\",\n \"type\": \"value\",\n \"position\": \"left\",\n \"show\": true,\n \"style\": {},\n \"scale\": {\n \"type\": \"linear\",\n \"mode\": \"normal\",\n \"setYExtents\": false,\n \"defaultYExtents\": false\n },\n \"labels\": {\n \"show\": true,\n \"rotate\": 0,\n \"filter\": false,\n \"truncate\": 100\n },\n \"title\": {\n \"text\": \"Unique count of scan_fingerprint\"\n }\n }\n ],\n \"seriesParams\": [\n {\n \"show\": \"true\",\n \"type\": \"histogram\",\n \"mode\": \"stacked\",\n \"data\": {\n \"label\": \"Unique count of scan_fingerprint\",\n \"id\": \"1\"\n },\n \"valueAxis\": \"ValueAxis-1\"\n }\n ]\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"cardinality\",\n \"schema\": \"metric\",\n \"params\": {\n \"field\": \"scan_fingerprint\"\n }\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"segment\",\n \"params\": {\n \"field\": \"plugin_name\",\n \"size\": 10,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"otherBucket\": false,\n \"otherBucketLabel\": \"Other\",\n \"missingBucket\": false,\n \"missingBucketLabel\": \"Missing\",\n \"customLabel\": \"Scan Name\"\n }\n }\n ]\n}", + "description": "", + "title": "VulnWhisperer - ScanBarChart", + "uiStateJSON": "{}", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\n \"index\": \"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\n \"query\": {\n \"query\": {\n \"query_string\": {\n \"analyze_wildcard\": true,\n \"query\": \"*\",\n \"default_field\": \"*\"\n }\n },\n \"language\": \"lucene\"\n },\n \"filter\": []\n}" + } + }, + "_meta": { + "savedObjectVersion": 2 + } + }, + { + "_id": "297df800-3f7e-11e7-bd24-6903e3283192", + "_type": "visualization", + "_source": { + "visState": "{\n \"title\": \"VulnWhisperer - Plugin 
Name\",\n \"type\": \"table\",\n \"params\": {\n \"perPage\": 10,\n \"showPartialRows\": false,\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n },\n \"showTotal\": false,\n \"totalFunc\": \"sum\",\n \"showMetricsAtAllLevels\": false\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"cardinality\",\n \"schema\": \"metric\",\n \"params\": {\n \"field\": \"scan_fingerprint\",\n \"customLabel\": \"Count\"\n }\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"bucket\",\n \"params\": {\n \"field\": \"plugin_name\",\n \"size\": 10,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"otherBucket\": false,\n \"otherBucketLabel\": \"Other\",\n \"missingBucket\": false,\n \"missingBucketLabel\": \"Missing\",\n \"customLabel\": \"Plugin Name\"\n }\n }\n ]\n}", + "description": "", + "title": "VulnWhisperer - Plugin Name", + "uiStateJSON": "{\n \"vis\": {\n \"params\": {\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n }\n }\n }\n}", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\n \"index\": \"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\n \"query\": {\n \"query\": {\n \"query_string\": {\n \"query\": \"*\",\n \"analyze_wildcard\": true,\n \"default_field\": \"*\"\n }\n },\n \"language\": \"lucene\"\n },\n \"filter\": []\n}" + } + }, + "_meta": { + "savedObjectVersion": 2 + } + }, + { + "_id": "479deab0-8a39-11e7-a58a-9bfcb3761a3d", + "_type": "visualization", + "_source": { + "visState": "{\n \"title\": \"VulnWhisperer - TL - TaggedAssetsPluginNames\",\n \"type\": \"timelion\",\n \"params\": {\n \"expression\": \".es(index='logstash-vulnwhisperer-*', q='tags:critical_asset OR tags:hipaa_asset OR tags:pci_asset', split=\\\"plugin_name:10\\\").bars(width=4).label(regex=\\\".*:(.+)>.*\\\",label=\\\"$1\\\")\",\n \"interval\": \"auto\"\n },\n \"aggs\": [],\n \"listeners\": {}\n}", + "description": "", + "title": "VulnWhisperer - TL - TaggedAssetsPluginNames", + "uiStateJSON": 
"{}", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\n \"query\": {\n \"query\": {\n \"query_string\": {\n \"query\": \"*\",\n \"analyze_wildcard\": true\n }\n },\n \"language\": \"lucene\"\n },\n \"filter\": []\n}" + } + }, + "_meta": { + "savedObjectVersion": 2 + } + }, + { + "_id": "de1a5f40-3f85-11e7-97f9-3777d794626d", + "_type": "visualization", + "_source": { + "visState": "{\n \"title\": \"VulnWhisperer - ScanName\",\n \"type\": \"table\",\n \"params\": {\n \"perPage\": 10,\n \"showPartialRows\": false,\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n },\n \"showTotal\": false,\n \"totalFunc\": \"sum\",\n \"showMetricsAtAllLevels\": false\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"count\",\n \"schema\": \"metric\",\n \"params\": {}\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"bucket\",\n \"params\": {\n \"field\": \"scan_name\",\n \"size\": 20,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"otherBucket\": false,\n \"otherBucketLabel\": \"Other\",\n \"missingBucket\": false,\n \"missingBucketLabel\": \"Missing\",\n \"customLabel\": \"Scan Name\"\n }\n }\n ]\n}", + "description": "", + "title": "VulnWhisperer - ScanName", + "uiStateJSON": "{\n \"vis\": {\n \"params\": {\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n }\n }\n }\n}", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\n \"index\": \"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\n \"query\": {\n \"query\": {\n \"query_string\": {\n \"query\": \"*\",\n \"analyze_wildcard\": true,\n \"default_field\": \"*\"\n }\n },\n \"language\": \"lucene\"\n },\n \"filter\": []\n}" + } + }, + "_meta": { + "savedObjectVersion": 2 + } + }, + { + "_id": "8c9c9430-f77b-11e8-8f42-af2e41422cf8", + "_type": "visualization", + "_source": { + "visState": "{\n \"title\": \"VulnWhisperer - Risk: Critical\",\n \"type\": \"metric\",\n \"params\": {\n \"addTooltip\": true,\n 
\"addLegend\": false,\n \"type\": \"metric\",\n \"metric\": {\n \"percentageMode\": false,\n \"useRanges\": false,\n \"colorSchema\": \"Green to Red\",\n \"metricColorMode\": \"None\",\n \"colorsRange\": [\n {\n \"from\": 0,\n \"to\": 10000\n }\n ],\n \"labels\": {\n \"show\": true\n },\n \"invertColors\": false,\n \"style\": {\n \"bgFill\": \"#000\",\n \"bgColor\": false,\n \"labelColor\": false,\n \"subText\": \"\",\n \"fontSize\": 60\n }\n }\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"count\",\n \"schema\": \"metric\",\n \"params\": {}\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"filters\",\n \"schema\": \"group\",\n \"params\": {\n \"filters\": [\n {\n \"input\": {\n \"query\": \"risk:critical\"\n },\n \"label\": \"Risk: Critical\"\n }\n ]\n }\n }\n ]\n}", + "description": "", + "title": "VulnWhisperer - Risk: Critical", + "uiStateJSON": "{\n \"vis\": {\n \"defaultColors\": {\n \"0 - 10\": \"rgb(255,245,240)\",\n \"10 - 20\": \"rgb(103,0,13)\"\n }\n }\n}", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\n \"index\": \"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\n \"query\": {\n \"language\": \"lucene\",\n \"query\": \"\"\n },\n \"filter\": []\n}" + } + }, + "_meta": { + "savedObjectVersion": 2 + } + }, + { + "_id": "852816e0-3eb1-11e7-90cb-918f9cb01e3d", + "_type": "visualization", + "_source": { + "visState": "{\"title\":\"VulnWhisperer-CVSS\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":0,\"direction\":\"desc\"},\"totalFunc\":\"sum\",\"type\":\"table\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"# of 
Findings\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"cvss_severity\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"CVSS Severity\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"asset.keyword\",\"customLabel\":\"# of Assets\"}}]}", + "description": "", + "title": "VulnWhisperer-CVSS", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":0,\"direction\":\"desc\"}}}}", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}},\"filter\":[]}" + } + }, + "_meta": { + "savedObjectVersion": 2 + } + }, + { + "_id": "c533c120-fe8c-11e8-8f42-af2e41422cf8", + "_type": "visualization", + "_source": { + "visState": "{\n \"title\": \"VulnWhisperer - Risk: High\",\n \"type\": \"metric\",\n \"params\": {\n \"addTooltip\": true,\n \"addLegend\": false,\n \"type\": \"metric\",\n \"metric\": {\n \"percentageMode\": false,\n \"useRanges\": false,\n \"colorSchema\": \"Green to Red\",\n \"metricColorMode\": \"None\",\n \"colorsRange\": [\n {\n \"from\": 0,\n \"to\": 10000\n }\n ],\n \"labels\": {\n \"show\": true\n },\n \"invertColors\": false,\n \"style\": {\n \"bgFill\": \"#000\",\n \"bgColor\": false,\n \"labelColor\": false,\n \"subText\": \"\",\n \"fontSize\": 60\n }\n }\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"count\",\n \"schema\": \"metric\",\n \"params\": {}\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"filters\",\n \"schema\": \"group\",\n \"params\": {\n \"filters\": [\n {\n \"input\": {\n \"query\": \"risk:high\"\n },\n \"label\": \"Risk: High\"\n }\n ]\n }\n }\n ]\n}", + 
"description": "", + "title": "VulnWhisperer - Risk: High", + "uiStateJSON": "{\n \"vis\": {\n \"defaultColors\": {\n \"1 - 5\": \"rgb(255,245,240)\",\n \"5 - 19999\": \"rgb(103,0,13)\"\n }\n }\n}", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\n \"index\": \"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\n \"query\": {\n \"query\": \"\",\n \"language\": \"lucene\"\n },\n \"filter\": []\n}" + } + }, + "_meta": { + "savedObjectVersion": 2 + } + }, + { + "_id": "e6b5b920-f77a-11e8-8f42-af2e41422cf8", + "_type": "visualization", + "_source": { + "visState": "{\n \"title\": \"VulnWhisperer - Risk: Low\",\n \"type\": \"metric\",\n \"params\": {\n \"addTooltip\": true,\n \"addLegend\": false,\n \"type\": \"metric\",\n \"metric\": {\n \"percentageMode\": false,\n \"useRanges\": false,\n \"colorSchema\": \"Green to Red\",\n \"metricColorMode\": \"None\",\n \"colorsRange\": [\n {\n \"from\": 0,\n \"to\": 10000\n }\n ],\n \"labels\": {\n \"show\": true\n },\n \"invertColors\": false,\n \"style\": {\n \"bgFill\": \"#000\",\n \"bgColor\": false,\n \"labelColor\": false,\n \"subText\": \"\",\n \"fontSize\": 60\n }\n }\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"count\",\n \"schema\": \"metric\",\n \"params\": {}\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"filters\",\n \"schema\": \"group\",\n \"params\": {\n \"filters\": [\n {\n \"input\": {\n \"query\": \"risk:low\"\n },\n \"label\": \"Risk: Low\"\n }\n ]\n }\n }\n ]\n}", + "description": "", + "title": "VulnWhisperer - Risk: Low", + "uiStateJSON": "{\n \"vis\": {\n \"defaultColors\": {\n \"0 - 50\": \"rgb(247,252,245)\",\n \"50 - 100\": \"rgb(0,68,27)\"\n }\n }\n}", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\n \"index\": \"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\n \"query\": {\n \"query\": \"\",\n \"language\": \"lucene\"\n },\n \"filter\": []\n}" + } + }, + "_meta": { + "savedObjectVersion": 2 + } + }, + { + "_id": 
"c1137860-6c46-11e9-a9d6-b94c6bfb6357", + "_type": "visualization", + "_source": { + "visState": "{\"title\":\"METRIC YO\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"schema\":\"group\",\"params\":{\"filters\":[{\"input\":{\"query\":\"risk:critical\"},\"label\":\"Risk: Critical\"}]}}]}", + "description": "", + "title": "METRIC YO", + "uiStateJSON": "{}", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "_meta": { + "savedObjectVersion": 2 + } + }, + { + "_id": "61b43c00-f77b-11e8-8f42-af2e41422cf8", + "_type": "visualization", + "_source": { + "visState": "{\n \"title\": \"VulnWhisperer - Risk: Medium\",\n \"type\": \"metric\",\n \"params\": {\n \"addTooltip\": true,\n \"addLegend\": false,\n \"type\": \"metric\",\n \"metric\": {\n \"percentageMode\": false,\n \"useRanges\": false,\n \"colorSchema\": \"Green to Red\",\n \"metricColorMode\": \"None\",\n \"colorsRange\": [\n {\n \"from\": 0,\n \"to\": 10000\n }\n ],\n \"labels\": {\n \"show\": true\n },\n \"invertColors\": false,\n \"style\": {\n \"bgFill\": \"#000\",\n \"bgColor\": false,\n \"labelColor\": false,\n \"subText\": \"\",\n \"fontSize\": 60\n }\n }\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"count\",\n \"schema\": \"metric\",\n \"params\": {}\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"filters\",\n 
\"schema\": \"group\",\n \"params\": {\n \"filters\": [\n {\n \"input\": {\n \"query\": \"risk:medium\"\n },\n \"label\": \"Risk: Medium\"\n }\n ]\n }\n }\n ]\n}", + "description": "", + "title": "VulnWhisperer - Risk: Medium", + "uiStateJSON": "{\n \"vis\": {\n \"defaultColors\": {\n \"0 - 10\": \"rgb(8,48,107)\"\n }\n }\n}", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\n \"index\": \"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\n \"query\": {\n \"query\": \"\",\n \"language\": \"lucene\"\n },\n \"filter\": []\n}" + } + }, + "_meta": { + "savedObjectVersion": 2 + } + }, + { + "_id": "35b6d320-3f7f-11e7-bd24-6903e3283192", + "_type": "visualization", + "_source": { + "visState": "{\n \"title\": \"VulnWhisperer - Residual Risk\",\n \"type\": \"table\",\n \"params\": {\n \"perPage\": 15,\n \"showPartialRows\": false,\n \"sort\": {\n \"columnIndex\": 0,\n \"direction\": \"desc\"\n },\n \"showTotal\": false,\n \"totalFunc\": \"sum\",\n \"showMetricsAtAllLevels\": false\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"cardinality\",\n \"schema\": \"metric\",\n \"params\": {\n \"field\": \"scan_fingerprint\",\n \"customLabel\": \"Count\"\n }\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"bucket\",\n \"params\": {\n \"field\": \"risk_number\",\n \"size\": 50,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"otherBucket\": false,\n \"otherBucketLabel\": \"Other\",\n \"missingBucket\": false,\n \"missingBucketLabel\": \"Missing\",\n \"customLabel\": \"Risk Number\"\n }\n }\n ]\n}", + "description": "", + "title": "VulnWhisperer - Residual Risk", + "uiStateJSON": "{\n \"vis\": {\n \"params\": {\n \"sort\": {\n \"columnIndex\": 0,\n \"direction\": \"desc\"\n }\n }\n }\n}", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\n \"index\": \"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\n \"query\": {\n \"query\": {\n \"query_string\": {\n \"query\": \"*\",\n \"analyze_wildcard\": 
true,\n \"default_field\": \"*\"\n }\n },\n \"language\": \"lucene\"\n },\n \"filter\": []\n}" + } + }, + "_meta": { + "savedObjectVersion": 2 + } + }, + { + "_id": "56f0f5f0-3ebe-11e7-a192-93f36fbd9d05", + "_type": "visualization", + "_source": { + "visState": "{\"title\":\"VulnWhisperer-RiskOverTime\",\"type\":\"line\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"@timestamp per 12 hours\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"},\"valueAxis\":\"ValueAxis-1\"},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"orderBucketsBySum\":false,\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\",\"setYExtents\":false,\"defaultYExtents\":false},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"type\":\"line\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-6M\",\"to\":\"now\",\"mode\":\"quick\"},\"useNormalizedEsInterval\":true,\"interval\":\"auto\",\"time_zone\":\"Europe/London\",\"drop_partials\":false,\"customInterval\":\"2h\",\"min_doc_cou
nt\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"filters\",\"schema\":\"group\",\"params\":{\"filters\":[{\"input\":{\"query\":\"cvss_severity:info\"},\"label\":\"Info\"},{\"input\":{\"query\":\"cvss_severity:low\"},\"label\":\"Low\"},{\"input\":{\"query\":\"cvss_severity:medium\"},\"label\":\"Medium\"},{\"input\":{\"query\":\"cvss_severity:high\"},\"label\":\"High\"},{\"input\":{\"query\":\"cvss_severity:critical\"},\"label\":\"Critical\"}]}}]}", + "description": "", + "title": "VulnWhisperer-RiskOverTime", + "uiStateJSON": "{\"vis\":{\"colors\":{\"Critical\":\"#962D82\",\"High\":\"#BF1B00\",\"Low\":\"#629E51\",\"Medium\":\"#EAB839\",\"Info\":\"#65C5DB\"}}}", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}}},\"filter\":[]}" + } + }, + "_meta": { + "savedObjectVersion": 2 } }, { "_id": "159d2500-f773-11e8-8f42-af2e41422cf8", "_type": "search", "_source": { - "title": "VulnWhisperer - High Risk", - "description": "", + "sort": [ + "@timestamp", + "desc" + ], "hits": 0, + "description": "", + "title": "VulnWhisperer - High Risk", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": 
"{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}}},\"filter\":[{\"meta\":{\"negate\":false,\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"type\":\"phrase\",\"key\":\"risk\",\"value\":\"High\",\"params\":{\"query\":\"High\",\"type\":\"phrase\"},\"disabled\":false,\"alias\":null},\"query\":{\"match\":{\"risk\":{\"query\":\"High\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"highlightAll\":true,\"version\":true}" + }, "columns": [ "host", "risk", 
@@ -54,24 +442,27 @@ "plugin_name", "solution", "plugin_output" - ], - "sort": [ - "@timestamp", - "desc" - ], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}}},\"filter\":[{\"meta\":{\"negate\":false,\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"type\":\"phrase\",\"key\":\"risk\",\"value\":\"High\",\"params\":{\"query\":\"High\",\"type\":\"phrase\"},\"disabled\":false,\"alias\":null},\"query\":{\"match\":{\"risk\":{\"query\":\"High\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"highlightAll\":true,\"version\":true}" - } + ] + }, + "_meta": { + "savedObjectVersion": 2 } }, { "_id": "54648700-3f74-11e7-852e-69207a3d0726", "_type": "search", "_source": { - "title": "VulnWhisperer - Saved Search", - "description": "", + "sort": [ + "@timestamp", + "desc" + ], "hits": 0, + "description": "", + "title": "VulnWhisperer - Saved Search", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647}}" + }, "columns": [ "host", "risk", 
@@ -80,24 +471,27 @@ "plugin_name", "solution", "plugin_output" - ], - "sort": [ - "@timestamp", - "desc" - ], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647}}" - } + ] + }, + "_meta": { + "savedObjectVersion": 2 } }, { "_id": "41a7e430-fdb5-11e8-8f42-af2e41422cf8", "_type": "search", "_source": { - "title": "VulnWhisperer - Compliance", - "description": "", + "sort": [ + "@timestamp", + "desc" + ], "hits": 0, + "description": "", + "title": "VulnWhisperer - Compliance", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[]}" + }, "columns": [ "plugin_id", "cve", 
@@ -112,322 +506,26 @@ "solution", "see_also", "plugin_output" - ], - "sort": [ - "@timestamp", - "desc" - ], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[]}" - } - } - }, - { - "_id": "465c5820-8977-11e7-857e-e1d56b17746d", - "_type": "visualization", - "_source": { - "title": "VulnWhisperer - Critical Assets", - "visState": "{\"title\":\"VulnWhisperer - Critical Assets\",\"type\":\"heatmap\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"enableHover\":true,\"legendPosition\":\"right\",\"times\":[],\"colorsNumber\":4,\"colorSchema\":\"Green to Red\",\"setColorRange\":true,\"colorsRange\":[{\"from\":0,\"to\":3},{\"from\":3,\"to\":7},{\"from\":7,\"to\":9},{\"from\":9,\"to\":11}],\"invertColors\":false,\"percentageMode\":false,\"valueAxes\":[{\"show\":false,\"id\":\"ValueAxis-1\",\"type\":\"value\",\"scale\":{\"type\":\"linear\",\"defaultYExtents\":false},\"labels\":{\"show\":false,\"rotate\":0,\"color\":\"white\"}}],\"type\":\"heatmap\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"risk_score\",\"customLabel\":\"Residual Risk Score\"}},{\"id\":\"2\",\"enabled\":false,\"type\":\"terms\",\"schema\":\"split\",\"params\":{\"field\":\"risk_score\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"row\":true}},{\"id\":\"3\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"Date\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"asset.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Critical Asset\"}}],\"listeners\":{}}", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 3\":\"rgb(0,104,55)\",\"3 - 
7\":\"rgb(135,203,103)\",\"7 - 9\":\"rgb(255,255,190)\",\"9 - 11\":\"rgb(249,142,82)\"},\"colors\":{\"8 - 10\":\"#BF1B00\",\"9 - 11\":\"#BF1B00\",\"7 - 9\":\"#EF843C\",\"3 - 7\":\"#EAB839\",\"0 - 3\":\"#7EB26D\"},\"legendOpen\":false}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"index\":\"logstash-vulnwhisperer-*\",\"negate\":false,\"disabled\":false,\"alias\":\"Critical Asset\",\"type\":\"phrase\",\"key\":\"tags\",\"value\":\"critical_asset\"},\"query\":{\"match\":{\"tags\":{\"query\":\"critical_asset\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}]}" - } - } - }, - { - "_id": "56f0f5f0-3ebe-11e7-a192-93f36fbd9d05", - "_type": "visualization", - "_source": { - "title": "VulnWhisperer-RiskOverTime", - "visState": "{\"title\":\"VulnWhisperer-RiskOverTime\",\"type\":\"line\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"@timestamp per 12 
hours\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"},\"valueAxis\":\"ValueAxis-1\"},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"orderBucketsBySum\":false,\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"type\":\"line\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"filters\",\"schema\":\"group\",\"params\":{\"filters\":[{\"input\":{\"query\":{\"query_string\":{\"query\":\"risk_score_name:info\"}}},\"label\":\"Info\"},{\"input\":{\"query\":{\"query_string\":{\"query\":\"risk_score_name:low\"}}},\"label\":\"Low\"},{\"input\":{\"query\":{\"query_string\":{\"query\":\"risk_score_name:medium\"}}},\"label\":\"Medium\"},{\"input\":{\"query\":{\"query_string\":{\"query\":\"risk_score_name:high\"}}},\"label\":\"High\"},{\"input\":{\"query\":{\"query_string\":{\"query\":\"risk_score_name:critical\"}}},\"label\":\"Critical\"}]}}],\"listeners\":{}}", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Critical\":\"#962D82\",\"High\":\"#BF1B00\",\"Low\":\"#629E51\",\"Medium\":\"#EAB839\",\"Info\":\"#65C5DB\"}}}", - 
"description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}" - } - } - }, - { - "_id": "5093c620-44e9-11e7-8014-ede06a7e69f8", - "_type": "visualization", - "_source": { - "title": "VulnWhisperer - Mitigation Readme", - "visState": "{\"title\":\"VulnWhisperer - Mitigation Readme\",\"type\":\"markdown\",\"params\":{\"markdown\":\"** Legend **\\n\\n* [Common Vulnerability Scoring System (CVSS)](https://nvd.nist.gov/vuln-metrics/cvss) is the NIST vulnerability scoring system\\n* Risk Number is residual risk score calculated from CVSS, which is adjusted to be specific to Heartland which accounts for services not in use such as Java and Flash\\n* Vulnerabilities by Tag are systems tagged with HIPAA and PCI identification.\\n\\n\\n** Workflow **\\n* Select 10.0 under Risk Number to identify Critical Vulnerabilities. 
\\n* For more information about a CVE, scroll down and click the CVE link.\\n* To filter by tags, use one of the following filters:\\n** tags:has_hipaa_data, tags:pci_asset, tags:hipaa_asset, tags:critical_asset**\"},\"aggs\":[],\"listeners\":{}}", - "uiStateJSON": "{}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"filter\":[]}" - } - } - }, - { - "_id": "471a3580-3f6b-11e7-88e7-df1abe6547fb", - "_type": "visualization", - "_source": { - "title": "VulnWhisperer - Vulnerabilities by Tag", - "visState": "{\"title\":\"VulnWhisperer - Vulnerabilities by Tag\",\"type\":\"table\",\"params\":{\"perPage\":3,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"filters\",\"schema\":\"bucket\",\"params\":{\"filters\":[{\"input\":{\"query\":{\"query_string\":{\"query\":\"tags:has_hipaa_data\",\"analyze_wildcard\":true}}},\"label\":\"Systems with HIPAA data\"},{\"input\":{\"query\":{\"query_string\":{\"query\":\"tags:pci_asset\",\"analyze_wildcard\":true}}},\"label\":\"PCI Systems\"},{\"input\":{\"query\":{\"query_string\":{\"query\":\"tags:hipaa_asset\",\"analyze_wildcard\":true}}},\"label\":\"HIPAA Systems\"}]}}],\"listeners\":{}}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}" - } - } - }, - { - "_id": "1de9e550-3df1-11e7-a44e-c79ca8efb780", - "_type": "visualization", - 
"_source": { - "title": "VulnWhisperer-Description", - "visState": "{\"title\":\"VulnWhisperer-Description\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"description.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Description\"}}],\"listeners\":{}}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"filter\":[]}" - } - } - }, - { - "_id": "fb6eb020-49ab-11e7-8f8c-57ad64ec48a6", - "_type": "visualization", - "_source": { - "title": "VulnWhisperer - Critical Risk Score for Tagged Assets", - "visState": "{\"title\":\"VulnWhisperer - Critical Risk Score for Tagged Assets\",\"type\":\"timelion\",\"params\":{\"expression\":\".es(index=logstash-vulnwhisperer-*,q='risk_score:>9 AND tags:hipaa_asset').label(\\\"HIPAA Assets\\\"),.es(index=logstash-vulnwhisperer-*,q='risk_score:>9 AND tags:pci_asset').label(\\\"PCI Systems\\\"),.es(index=logstash-vulnwhisperer-*,q='risk_score:>9 AND tags:has_hipaa_data').label(\\\"Has HIPAA Data\\\")\",\"interval\":\"auto\"},\"aggs\":[],\"listeners\":{}}", - "uiStateJSON": "{}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"filter\":[]}" - } - } - }, - { - "_id": "13c7d4e0-3df3-11e7-a44e-c79ca8efb780", - "_type": "visualization", 
- "_source": { - "title": "VulnWhisperer-Solution", - "visState": "{\n \"title\": \"VulnWhisperer-Solution\",\n \"type\": \"table\",\n \"params\": {\n \"perPage\": 10,\n \"showMeticsAtAllLevels\": false,\n \"showPartialRows\": false,\n \"showTotal\": false,\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n },\n \"totalFunc\": \"sum\"\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"count\",\n \"schema\": \"metric\",\n \"params\": {}\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"bucket\",\n \"params\": {\n \"field\": \"solution\",\n \"size\": 50,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"customLabel\": \"Solution\"\n }\n }\n ],\n \"listeners\": {}\n}", - "uiStateJSON": "{\n \"vis\": {\n \"params\": {\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n }\n }\n }\n}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\n \"index\": \"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\n \"query\": {\n \"query\": {\n \"query_string\": {\n \"analyze_wildcard\": true,\n \"query\": \"*\"\n }\n },\n \"language\": \"lucene\"\n },\n \"filter\": []\n}" - } - } - }, - { - "_id": "f9b68640-fda5-11e8-8f42-af2e41422cf8", - "_type": "visualization", - "_source": { - "title": "VulnWhisperer - AggTest", - "visState": "{\"title\":\"VulnWhisperer - 
AggTest\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"top_hits\",\"schema\":\"metric\",\"params\":{\"field\":\"@timestamp\",\"aggregate\":\"concat\",\"size\":1,\"sortField\":\"@timestamp\",\"sortOrder\":\"desc\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"asset.keyword\",\"size\":1000,\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"plugin_id\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - } - }, - { - "_id": "852816e0-3eb1-11e7-90cb-918f9cb01e3d", - "_type": "visualization", - "_source": { - "title": "VulnWhisperer-CVSS", - "visState": "{\"title\":\"VulnWhisperer-CVSS\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":0,\"direction\":\"desc\"},\"totalFunc\":\"sum\",\"type\":\"table\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"scan_fingerprint\",\"customLabel\":\"Unique 
Findings\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"cvss\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"CVSS Score\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"asset.keyword\",\"customLabel\":\"# of Assets\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":0,\"direction\":\"desc\"}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true,\"default_field\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}" - } - } - }, - { - "_id": "35b6d320-3f7f-11e7-bd24-6903e3283192", - "_type": "visualization", - "_source": { - "title": "VulnWhisperer - Residual Risk", - "visState": "{\"title\":\"VulnWhisperer - Residual Risk\",\"type\":\"table\",\"params\":{\"perPage\":15,\"showPartialRows\":false,\"sort\":{\"columnIndex\":0,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"scan_fingerprint\",\"customLabel\":\"Count\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"risk_score\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Risk Number\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":0,\"direction\":\"desc\"}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": 
"{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true,\"default_field\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}" - } - } - }, - { - "_id": "995e2280-3df3-11e7-a44e-c79ca8efb780", - "_type": "visualization", - "_source": { - "title": "VulnWhisperer-Asset", - "visState": "{\"title\":\"VulnWhisperer-Asset\",\"type\":\"table\",\"params\":{\"perPage\":15,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\",\"type\":\"table\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"scan_fingerprint\",\"customLabel\":\"Findings\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"asset.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Asset\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}" - } - } - }, - { - "_id": "67d432e0-44ec-11e7-a05f-d9719b331a27", - "_type": "visualization", - "_source": { - "title": "VulnWhisperer - TL-Critical Risk", - "visState": "{\"title\":\"VulnWhisperer - TL-Critical Risk\",\"type\":\"timelion\",\"params\":{\"expression\":\".es(index='logstash-vulnwhisperer-*',q='(risk_score:>=9 AND risk_score:<=10)').label(\\\"Original\\\"),.es(index='logstash-vulnwhisperer-*',q='(risk_score:>=9 AND risk_score:<=10)',offset=-1w).label(\\\"One week 
offset\\\"),.es(index='logstash-vulnwhisperer-*',q='(risk_score:>=9 AND risk_score:<=10)').subtract(.es(index='logstash-vulnwhisperer-*',q='(risk_score:>=9 AND risk_score:<=10)',offset=-1w)).label(\\\"Difference\\\").lines(steps=3,fill=2,width=1)\",\"interval\":\"auto\"},\"aggs\":[],\"listeners\":{}}", - "uiStateJSON": "{}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"filter\":[]}" - } - } - }, - { - "_id": "8d9592d0-44ec-11e7-a05f-d9719b331a27", - "_type": "visualization", - "_source": { - "title": "VulnWhisperer - TL-High Risk", - "visState": "{\"title\":\"VulnWhisperer - TL-High Risk\",\"type\":\"timelion\",\"params\":{\"expression\":\".es(index='logstash-vulnwhisperer-*',q='(risk_score:>=7 AND risk_score:<9)').label(\\\"Original\\\"),.es(index='logstash-vulnwhisperer-*',q='(risk_score:>=7 AND risk_score:<9)',offset=-1w).label(\\\"One week offset\\\"),.es(index='logstash-vulnwhisperer-*',q='(risk_score:>=7 AND risk_score:<9)').subtract(.es(index='logstash-vulnwhisperer-*',q='(risk_score:>=7 AND risk_score:<9)',offset=-1w)).label(\\\"Difference\\\").lines(steps=3,fill=2,width=1)\",\"interval\":\"auto\"},\"aggs\":[],\"listeners\":{}}", - "uiStateJSON": "{}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"filter\":[]}" - } - } - }, - { - "_id": "2f979030-44b9-11e7-a818-f5f80dfc3590", - "_type": "visualization", - "_source": { - "title": "VulnWhisperer - ScanBarChart", - "visState": "{\n \"title\": \"VulnWhisperer - ScanBarChart\",\n \"type\": \"histogram\",\n \"params\": {\n \"addLegend\": true,\n \"addTimeMarker\": false,\n \"addTooltip\": true,\n \"defaultYExtents\": false,\n \"legendPosition\": \"right\",\n \"mode\": \"stacked\",\n \"scale\": \"linear\",\n 
\"setYExtents\": false,\n \"times\": [],\n \"type\": \"histogram\",\n \"grid\": {\n \"categoryLines\": false,\n \"style\": {\n \"color\": \"#eee\"\n }\n },\n \"categoryAxes\": [\n {\n \"id\": \"CategoryAxis-1\",\n \"type\": \"category\",\n \"position\": \"bottom\",\n \"show\": true,\n \"style\": {},\n \"scale\": {\n \"type\": \"linear\"\n },\n \"labels\": {\n \"show\": true,\n \"truncate\": 100\n },\n \"title\": {}\n }\n ],\n \"valueAxes\": [\n {\n \"id\": \"ValueAxis-1\",\n \"name\": \"LeftAxis-1\",\n \"type\": \"value\",\n \"position\": \"left\",\n \"show\": true,\n \"style\": {},\n \"scale\": {\n \"type\": \"linear\",\n \"mode\": \"normal\",\n \"setYExtents\": false,\n \"defaultYExtents\": false\n },\n \"labels\": {\n \"show\": true,\n \"rotate\": 0,\n \"filter\": false,\n \"truncate\": 100\n },\n \"title\": {\n \"text\": \"Unique count of scan_fingerprint\"\n }\n }\n ],\n \"seriesParams\": [\n {\n \"show\": \"true\",\n \"type\": \"histogram\",\n \"mode\": \"stacked\",\n \"data\": {\n \"label\": \"Unique count of scan_fingerprint\",\n \"id\": \"1\"\n },\n \"valueAxis\": \"ValueAxis-1\"\n }\n ]\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"cardinality\",\n \"schema\": \"metric\",\n \"params\": {\n \"field\": \"scan_fingerprint\"\n }\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"segment\",\n \"params\": {\n \"field\": \"plugin_name\",\n \"size\": 10,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"otherBucket\": false,\n \"otherBucketLabel\": \"Other\",\n \"missingBucket\": false,\n \"missingBucketLabel\": \"Missing\",\n \"customLabel\": \"Scan Name\"\n }\n }\n ]\n}", - "uiStateJSON": "{}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\n \"index\": \"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\n \"query\": {\n \"query\": {\n \"query_string\": {\n \"analyze_wildcard\": true,\n \"query\": \"*\",\n \"default_field\": \"*\"\n }\n },\n \"language\": 
\"lucene\"\n },\n \"filter\": []\n}" - } - } - }, - { - "_id": "8c9c9430-f77b-11e8-8f42-af2e41422cf8", - "_type": "visualization", - "_source": { - "title": "VulnWhisperer - Risk: Critical", - "visState": "{\"title\":\"VulnWhisperer - Risk: Critical\",\"type\":\"gauge\",\"params\":{\"type\":\"gauge\",\"addTooltip\":true,\"addLegend\":true,\"isDisplayWarning\":false,\"gauge\":{\"verticalSplit\":false,\"extendRange\":true,\"percentageMode\":false,\"gaugeType\":\"Arc\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Reds\",\"gaugeColorMode\":\"Labels\",\"colorsRange\":[{\"from\":0,\"to\":10},{\"from\":10,\"to\":20}],\"invertColors\":false,\"labels\":{\"show\":true,\"color\":\"black\"},\"scale\":{\"show\":true,\"labels\":false,\"color\":\"#333\"},\"type\":\"meter\",\"style\":{\"bgWidth\":0.9,\"width\":0.9,\"mask\":false,\"bgMask\":false,\"maskBars\":50,\"bgFill\":\"#eee\",\"bgColor\":false,\"subText\":\"\",\"fontSize\":60,\"labelColor\":true}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"scan_fingerprint\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"schema\":\"group\",\"params\":{\"filters\":[{\"input\":{\"query\":\"risk_score_name:critical\"},\"label\":\"Critical Risk\"}]}}]}", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 10\":\"rgb(255,245,240)\",\"10 - 20\":\"rgb(103,0,13)\"}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[]}" - } - } - }, - { - "_id": "e6b5b920-f77a-11e8-8f42-af2e41422cf8", - "_type": "visualization", - "_source": { - "title": "VulnWhisperer - Risk: Low", - "visState": "{\"title\":\"VulnWhisperer - Risk: 
Low\",\"type\":\"gauge\",\"params\":{\"type\":\"gauge\",\"addTooltip\":true,\"addLegend\":true,\"isDisplayWarning\":false,\"gauge\":{\"verticalSplit\":false,\"extendRange\":true,\"percentageMode\":false,\"gaugeType\":\"Arc\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Greens\",\"gaugeColorMode\":\"Labels\",\"colorsRange\":[{\"from\":0,\"to\":50},{\"from\":50,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":true,\"color\":\"black\"},\"scale\":{\"show\":true,\"labels\":false,\"color\":\"#333\"},\"type\":\"meter\",\"style\":{\"bgWidth\":0.9,\"width\":0.9,\"mask\":false,\"bgMask\":false,\"maskBars\":50,\"bgFill\":\"#eee\",\"bgColor\":false,\"subText\":\"\",\"fontSize\":60,\"labelColor\":true}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"scan_fingerprint\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"schema\":\"group\",\"params\":{\"filters\":[{\"input\":{\"query\":\"risk_score_name:low\"},\"label\":\"Low Risk\"}]}}]}", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 50\":\"rgb(247,252,245)\",\"50 - 100\":\"rgb(0,68,27)\"}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - } - }, - { - "_id": "c533c120-fe8c-11e8-8f42-af2e41422cf8", - "_type": "visualization", - "_source": { - "title": "VulnWhisperer - Risk: High", - "visState": "{\"title\":\"VulnWhisperer - Risk: 
High\",\"type\":\"goal\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"isDisplayWarning\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Arc\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"useRanges\":false,\"colorSchema\":\"Reds\",\"gaugeColorMode\":\"None\",\"colorsRange\":[{\"from\":1,\"to\":5},{\"from\":5,\"to\":19999}],\"invertColors\":false,\"labels\":{\"show\":true,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"meter\",\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"scan_fingerprint\",\"customLabel\":\"Risk: High\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"schema\":\"group\",\"params\":{\"filters\":[{\"input\":{\"query\":\"risk_score_name:high\"},\"label\":\"risk: High\"}]}}]}", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"1 - 5\":\"rgb(255,245,240)\",\"5 - 19999\":\"rgb(103,0,13)\"}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - } - }, - { - "_id": "61b43c00-f77b-11e8-8f42-af2e41422cf8", - "_type": "visualization", - "_source": { - "title": "VulnWhisperer - Risk: Medium", - "visState": "{\"title\":\"VulnWhisperer - Risk: 
Medium\",\"type\":\"gauge\",\"params\":{\"type\":\"gauge\",\"addTooltip\":true,\"addLegend\":true,\"isDisplayWarning\":false,\"gauge\":{\"verticalSplit\":false,\"extendRange\":false,\"percentageMode\":false,\"gaugeType\":\"Arc\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Blues\",\"gaugeColorMode\":\"Labels\",\"colorsRange\":[{\"from\":0,\"to\":10}],\"invertColors\":true,\"labels\":{\"show\":true,\"color\":\"black\"},\"scale\":{\"show\":true,\"labels\":false,\"color\":\"#333\"},\"type\":\"meter\",\"style\":{\"bgWidth\":0.9,\"width\":0.9,\"mask\":false,\"bgMask\":false,\"maskBars\":50,\"bgFill\":\"#eee\",\"bgColor\":false,\"subText\":\"\",\"fontSize\":60,\"labelColor\":true}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"scan_fingerprint\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"schema\":\"group\",\"params\":{\"filters\":[{\"input\":{\"query\":\"risk_score_name:medium\"},\"label\":\"Medium Risk\"}]}}]}", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 10\":\"rgb(8,48,107)\"}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - } - }, - { - "_id": "297df800-3f7e-11e7-bd24-6903e3283192", - "_type": "visualization", - "_source": { - "title": "VulnWhisperer - Plugin Name", - "visState": "{\n \"title\": \"VulnWhisperer - Plugin Name\",\n \"type\": \"table\",\n \"params\": {\n \"perPage\": 10,\n \"showPartialRows\": false,\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n },\n \"showTotal\": false,\n \"totalFunc\": \"sum\",\n \"showMetricsAtAllLevels\": false\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"cardinality\",\n \"schema\": \"metric\",\n \"params\": {\n \"field\": \"scan_fingerprint\",\n \"customLabel\": \"Count\"\n }\n },\n 
{\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"bucket\",\n \"params\": {\n \"field\": \"plugin_name\",\n \"size\": 10,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"otherBucket\": false,\n \"otherBucketLabel\": \"Other\",\n \"missingBucket\": false,\n \"missingBucketLabel\": \"Missing\",\n \"customLabel\": \"Plugin Name\"\n }\n }\n ]\n}", - "uiStateJSON": "{\n \"vis\": {\n \"params\": {\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n }\n }\n }\n}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\n \"index\": \"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\n \"query\": {\n \"query\": {\n \"query_string\": {\n \"query\": \"*\",\n \"analyze_wildcard\": true,\n \"default_field\": \"*\"\n }\n },\n \"language\": \"lucene\"\n },\n \"filter\": []\n}" - } - } - }, - { - "_id": "479deab0-8a39-11e7-a58a-9bfcb3761a3d", - "_type": "visualization", - "_source": { - "title": "VulnWhisperer - TL - TaggedAssetsPluginNames", - "visState": "{\n \"title\": \"VulnWhisperer - TL - TaggedAssetsPluginNames\",\n \"type\": \"timelion\",\n \"params\": {\n \"expression\": \".es(index='logstash-vulnwhisperer-*', q='tags:critical_asset OR tags:hipaa_asset OR tags:pci_asset', split=\\\"plugin_name:10\\\").bars(width=4).label(regex=\\\".*:(.+)>.*\\\",label=\\\"$1\\\")\",\n \"interval\": \"auto\"\n },\n \"aggs\": [],\n \"listeners\": {}\n}", - "uiStateJSON": "{}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\n \"query\": {\n \"query\": {\n \"query_string\": {\n \"query\": \"*\",\n \"analyze_wildcard\": true\n }\n },\n \"language\": \"lucene\"\n },\n \"filter\": []\n}" - } + ] + }, + "_meta": { + "savedObjectVersion": 2 } }, { "_id": "4a6d9090-f66e-11e8-8f42-af2e41422cf8", "_type": "index-pattern", "_source": { - "title": "logstash-vulnwhisperer-*", + "fields": 
"[{\"name\":\"@timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"access_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"access_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"affected_software\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"affected_software.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ajax_request\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ajax_request.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"app_id\",\"type\":\"string\",\"count\":0,\"scripted\":f
alse,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"app_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"asset\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"asset.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"asset_uuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"authentication\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"authentication.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"bids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"bids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"category\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"category_description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"category_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certs\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certs.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"rea
dFromDocValues\":true},{\"name\":\"cve\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cvss\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cvss3\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cvss3_base\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cvss3_severity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cvss3_temporal\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cvss3_vector\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cvss_base\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cvss_severity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cvss_temporal\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cvss_vector\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cwe\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"cwe.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"date\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":
true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"date.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"detection_date\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"detection_date.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"detection_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"detection_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"epoch\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"evidence\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"evidence.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"exploitability\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"exploitability.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocVa
lues\":true},{\"name\":\"false_pos\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"false_pos.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"form_entry_point\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"form_entry_point.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fqdn\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.latitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.longitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"groups\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"groups.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"high\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"high.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"history_id\",\"type\":\"string\",\"count\":
0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host_end\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host_start\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ignored\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ignored.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"impact\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"impact.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"last_time_detected\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"level\",\"t
ype\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"links\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"links.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"low\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"low.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mac_address\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"medium\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"medium.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"netbios\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nvt_oid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"nvt_oid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromD
ocValues\":true},{\"name\":\"operating_system\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"owasp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"owasp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"owner\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"owner.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"param\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"payload\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"payload.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pci_vuln\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"plugin_family\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"plugin_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"plugin_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"se
archable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"plugin_output\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"plugin_output.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"product_detection_result\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"product_detection_result.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"report_ids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"report_ids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_headers\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_headers.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_method.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_url\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchabl
e\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_url.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"result_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"result_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"risk\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"risk_number\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan_highest_severity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan_highest_severity.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan_severity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan_severity.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan_source\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scope\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocVal
ues\":false},{\"name\":\"scope.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"see_also\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"see_also.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"severity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"severity_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"severity_level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"severity_rate\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"severity_rate.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"solution\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ssl\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"status.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"synopsis\",\"type\":\"string\",\"count\":0,\"scr
ipted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"task\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"task.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"task_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"task_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uri\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uri.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"url\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"url.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"vendor_reference\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"vulnerability_detection_method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\
"vulnerability_detection_method.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"vulnerability_insight\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"vulnerability_insight.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wasc\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wasc.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"web_application_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"web_application_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan_fingerprint\",\"type\":\"string\",\"count\":1,\"scripted\":true,\"script\":\"doc['asset.keyword']+'_'+doc['plugin_id']\",\"lang\":\"painless\",\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false}]", + "fieldFormatMap": "{\"plugin_id\":{\"id\":\"number\",\"params\":{\"pattern\":\"00.[000]\"}}}", "timeFieldName": "@timestamp", - "fields": 
"[{\"name\":\"@timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"asset\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"asset.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"asset_uuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"assign_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"category\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cve\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cvss\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues
\":true},{\"name\":\"cvss3\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cvss3_base\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cvss3_temporal\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cvss3_temporal_vector\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cvss3_vector\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cvss_base\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cvss_temporal\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cvss_temporal_vector\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cvss_vector\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"exploitability\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"exploitability.keyword\",\"type\":\"string\",
\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fqdn\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.latitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.longitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"history_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host_end\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host_start\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"impact\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"impact.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ip_status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"last_upd
ated\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"operating_system\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pci_vuln\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"plugin_family\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"plugin_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"plugin_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"plugin_output\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"plugin_output.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"results\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"risk\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"risk_number\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\
"readFromDocValues\":true},{\"name\":\"risk_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"risk_score_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan_reference\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"see_also\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"solution\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ssl\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"synopsis\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"ag
gregatable\":true,\"readFromDocValues\":true},{\"name\":\"vendor_reference\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"vulnerability_state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan_fingerprint\",\"type\":\"string\",\"count\":1,\"scripted\":true,\"script\":\"doc['asset.keyword']+'_'+doc['plugin_id']\",\"lang\":\"painless\",\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false}]", - "fieldFormatMap": "{\"plugin_id\":{\"id\":\"number\",\"params\":{\"pattern\":\"00.[000]\"}}}" + "title": "logstash-vulnwhisperer-*" + }, + "_meta": { + "savedObjectVersion": 2 }, "_migrationVersion": { "index-pattern": "6.5.0" } - }, - { - "_id": "de1a5f40-3f85-11e7-97f9-3777d794626d", - "_type": "visualization", - "_source": { - "title": "VulnWhisperer - ScanName", - "visState": "{\n \"title\": \"VulnWhisperer - ScanName\",\n \"type\": \"table\",\n \"params\": {\n \"perPage\": 10,\n \"showPartialRows\": false,\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n },\n \"showTotal\": false,\n \"totalFunc\": \"sum\",\n \"showMetricsAtAllLevels\": false\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"count\",\n \"schema\": \"metric\",\n \"params\": {}\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"bucket\",\n \"params\": {\n \"field\": \"scan_name\",\n \"size\": 20,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"otherBucket\": false,\n \"otherBucketLabel\": \"Other\",\n \"missingBucket\": false,\n \"missingBucketLabel\": \"Missing\",\n \"customLabel\": \"Scan Name\"\n }\n }\n ]\n}", - "uiStateJSON": "{\n \"vis\": {\n \"params\": {\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n }\n }\n }\n}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\n \"index\": 
\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\n \"query\": {\n \"query\": {\n \"query_string\": {\n \"query\": \"*\",\n \"analyze_wildcard\": true,\n \"default_field\": \"*\"\n }\n },\n \"language\": \"lucene\"\n },\n \"filter\": []\n}" - } - } } ] \ No newline at end of file diff --git a/resources/elk6/kibana_APIonly.json b/resources/elk6/kibana_APIonly.json index b42dd58..e197946 100755 --- a/resources/elk6/kibana_APIonly.json +++ b/resources/elk6/kibana_APIonly.json 
@@ -1,35 +1,34 @@ [ { - "id": "AWCUqesWib22Ai8JwW3u", - "type": "dashboard", "attributes": { - "title": "VulnWhisperer - Risk Mitigation", "hits": 0, + "timeFrom": "now-30d", + "timeRestore": true, "description": "", + "title": "VulnWhisperer - Risk Mitigation", "panelsJSON": "[{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":30,\"i\":\"20\",\"w\":8,\"x\":40,\"y\":15},\"id\":\"995e2280-3df3-11e7-a44e-c79ca8efb780\",\"panelIndex\":\"20\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":0,\"direction\":\"desc\"}}}},\"gridData\":{\"h\":30,\"i\":\"21\",\"w\":12,\"x\":0,\"y\":35},\"id\":\"852816e0-3eb1-11e7-90cb-918f9cb01e3d\",\"panelIndex\":\"21\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":30,\"i\":\"27\",\"w\":12,\"x\":12,\"y\":35},\"id\":\"297df800-3f7e-11e7-bd24-6903e3283192\",\"panelIndex\":\"27\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":0,\"direction\":\"desc\"}}}},\"gridData\":{\"h\":30,\"i\":\"28\",\"w\":8,\"x\":32,\"y\":15},\"id\":\"35b6d320-3f7f-11e7-bd24-6903e3283192\",\"panelIndex\":\"28\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":15,\"i\":\"30\",\"w\":8,\"x\":40,\"y\":0},\"id\":\"471a3580-3f6b-11e7-88e7-df1abe6547fb\",\"panelIndex\":\"30\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"31\",\"w\":8,\"x\":24,\"y\":35},\"id\":\"de1a5f40-3f85-11e7-97f9-3777d794626d\",\"panelIndex\":\"31\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"h\":10,\"i\":\"3
7\",\"w\":16,\"x\":16,\"y\":25},\"id\":\"5093c620-44e9-11e7-8014-ede06a7e69f8\",\"panelIndex\":\"37\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"columns\":[\"host\",\"risk\",\"risk_score\",\"cve\",\"plugin_name\",\"solution\",\"plugin_output\"],\"sort\":[\"@timestamp\",\"desc\"]},\"gridData\":{\"h\":30,\"i\":\"38\",\"w\":48,\"x\":0,\"y\":65},\"id\":\"54648700-3f74-11e7-852e-69207a3d0726\",\"panelIndex\":\"38\",\"type\":\"search\",\"version\":\"6.4.3\"},{\"gridData\":{\"h\":10,\"i\":\"39\",\"w\":16,\"x\":16,\"y\":15},\"id\":\"fb6eb020-49ab-11e7-8f8c-57ad64ec48a6\",\"panelIndex\":\"39\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":20,\"i\":\"46\",\"w\":16,\"x\":0,\"y\":15},\"id\":\"56f0f5f0-3ebe-11e7-a192-93f36fbd9d05\",\"panelIndex\":\"46\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 50\":\"rgb(247,252,245)\",\"50 - 100\":\"rgb(0,68,27)\"},\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"47\",\"w\":9,\"x\":30,\"y\":0},\"id\":\"e6b5b920-f77a-11e8-8f42-af2e41422cf8\",\"panelIndex\":\"47\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 10\":\"rgb(255,245,240)\",\"10 - 20\":\"rgb(103,0,13)\"},\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"48\",\"w\":10,\"x\":0,\"y\":0},\"id\":\"8c9c9430-f77b-11e8-8f42-af2e41422cf8\",\"panelIndex\":\"48\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"colors\":{\"0 - 10\":\"#E5AC0E\"},\"defaultColors\":{\"0 - 
10\":\"rgb(8,48,107)\"},\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"50\",\"w\":10,\"x\":20,\"y\":0},\"id\":\"61b43c00-f77b-11e8-8f42-af2e41422cf8\",\"panelIndex\":\"50\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"51\",\"w\":10,\"x\":10,\"y\":0},\"id\":\"c533c120-fe8c-11e8-8f42-af2e41422cf8\",\"panelIndex\":\"51\",\"type\":\"visualization\",\"version\":\"6.4.3\"}]", + "timeTo": "now", "optionsJSON": "{\"darkTheme\":false,\"useMargins\":false}", "version": 1, - "timeRestore": true, - "timeTo": "now", - "timeFrom": "now-30d", "kibanaSavedObjectMeta": { "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"match_all\":{}}}}" } - } + }, + "version": 1, + "type": "dashboard", + "id": "AWCUqesWib22Ai8JwW3u" }, { - "id": "72051530-448e-11e7-a818-f5f80dfc3590", - "type": "dashboard", "attributes": { - "title": "VulnWhisperer - Reporting", "hits": 0, + "timeFrom": "now-30d", + "timeRestore": true, "description": "", + "title": "VulnWhisperer - Reporting", "panelsJSON": 
"[{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":20,\"i\":\"5\",\"w\":24,\"x\":0,\"y\":56},\"id\":\"2f979030-44b9-11e7-a818-f5f80dfc3590\",\"panelIndex\":\"5\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"h\":20,\"i\":\"12\",\"w\":24,\"x\":0,\"y\":36},\"id\":\"8d9592d0-44ec-11e7-a05f-d9719b331a27\",\"panelIndex\":\"12\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"h\":20,\"i\":\"14\",\"w\":24,\"x\":24,\"y\":16},\"id\":\"67d432e0-44ec-11e7-a05f-d9719b331a27\",\"panelIndex\":\"14\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"15\",\"w\":12,\"x\":36,\"y\":36},\"id\":\"297df800-3f7e-11e7-bd24-6903e3283192\",\"panelIndex\":\"15\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"20\",\"w\":12,\"x\":24,\"y\":36},\"id\":\"471a3580-3f6b-11e7-88e7-df1abe6547fb\",\"panelIndex\":\"20\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":15,\"i\":\"22\",\"w\":8,\"x\":40,\"y\":0},\"id\":\"995e2280-3df3-11e7-a44e-c79ca8efb780\",\"panelIndex\":\"22\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"h\":20,\"i\":\"29\",\"w\":24,\"x\":0,\"y\":16},\"id\":\"479deab0-8a39-11e7-a58a-9bfcb3761a3d\",\"panelIndex\":\"29\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 50\":\"rgb(247,252,245)\",\"50 - 
100\":\"rgb(0,68,27)\"},\"legendOpen\":false}},\"gridData\":{\"h\":16,\"i\":\"30\",\"w\":10,\"x\":30,\"y\":0},\"id\":\"e6b5b920-f77a-11e8-8f42-af2e41422cf8\",\"panelIndex\":\"30\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"colors\":{\"0 - 10\":\"#EAB839\"},\"defaultColors\":{\"0 - 10\":\"rgb(8,48,107)\"},\"legendOpen\":false}},\"gridData\":{\"h\":16,\"i\":\"31\",\"w\":9,\"x\":21,\"y\":0},\"id\":\"61b43c00-f77b-11e8-8f42-af2e41422cf8\",\"panelIndex\":\"31\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"colors\":{\"10 - 20\":\"#890F02\"},\"defaultColors\":{\"0 - 10\":\"rgb(255,245,240)\",\"10 - 20\":\"rgb(103,0,13)\"},\"legendOpen\":false}},\"gridData\":{\"h\":16,\"i\":\"32\",\"w\":11,\"x\":0,\"y\":0},\"id\":\"8c9c9430-f77b-11e8-8f42-af2e41422cf8\",\"panelIndex\":\"32\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"33\",\"w\":10,\"x\":11,\"y\":0},\"id\":\"c533c120-fe8c-11e8-8f42-af2e41422cf8\",\"panelIndex\":\"33\",\"type\":\"visualization\",\"version\":\"6.4.3\"}]", + "timeTo": "now", "optionsJSON": "{\"darkTheme\":false,\"useMargins\":false}", "version": 1, - "timeRestore": true, - "timeTo": "now", - "timeFrom": "now-30d", "refreshInterval": { "pause": true, "value": 0 
@@ -37,41 +36,354 @@ "kibanaSavedObjectMeta": { "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"match_all\":{}}}}" } - } + }, + "version": 1, + "type": "dashboard", + "id": "72051530-448e-11e7-a818-f5f80dfc3590" }, { - "id": "159d2500-f773-11e8-8f42-af2e41422cf8", - "type": "search", "attributes": { - "title": "VulnWhisperer - High Risk", + "visState": "{\"title\":\"VulnWhisperer - Critical Assets\",\"type\":\"heatmap\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"enableHover\":true,\"legendPosition\":\"right\",\"times\":[],\"colorsNumber\":4,\"colorSchema\":\"Green to Red\",\"setColorRange\":true,\"colorsRange\":[{\"from\":0,\"to\":3},{\"from\":3,\"to\":7},{\"from\":7,\"to\":9},{\"from\":9,\"to\":11}],\"invertColors\":false,\"percentageMode\":false,\"valueAxes\":[{\"show\":false,\"id\":\"ValueAxis-1\",\"type\":\"value\",\"scale\":{\"type\":\"linear\",\"defaultYExtents\":false},\"labels\":{\"show\":false,\"rotate\":0,\"color\":\"white\"}}],\"type\":\"heatmap\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"risk_score\",\"customLabel\":\"Residual Risk Score\"}},{\"id\":\"2\",\"enabled\":false,\"type\":\"terms\",\"schema\":\"split\",\"params\":{\"field\":\"risk_score\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"row\":true}},{\"id\":\"3\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"Date\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"asset.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Critical Asset\"}}],\"listeners\":{}}", "description": "", - "hits": 0, - "columns": [ - "host", - "risk", - "risk_score", - "cve", - "plugin_name", - "solution", - "plugin_output" - ], + 
"title": "VulnWhisperer - Critical Assets", + "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 3\":\"rgb(0,104,55)\",\"3 - 7\":\"rgb(135,203,103)\",\"7 - 9\":\"rgb(255,255,190)\",\"9 - 11\":\"rgb(249,142,82)\"},\"colors\":{\"8 - 10\":\"#BF1B00\",\"9 - 11\":\"#BF1B00\",\"7 - 9\":\"#EF843C\",\"3 - 7\":\"#EAB839\",\"0 - 3\":\"#7EB26D\"},\"legendOpen\":false}}", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"index\":\"logstash-vulnwhisperer-*\",\"negate\":false,\"disabled\":false,\"alias\":\"Critical Asset\",\"type\":\"phrase\",\"key\":\"tags\",\"value\":\"critical_asset\"},\"query\":{\"match\":{\"tags\":{\"query\":\"critical_asset\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}]}" + } + }, + "version": 1, + "type": "visualization", + "id": "465c5820-8977-11e7-857e-e1d56b17746d" + }, + { + "attributes": { + "visState": "{\"title\":\"VulnWhisperer - Mitigation Readme\",\"type\":\"markdown\",\"params\":{\"markdown\":\"** Legend **\\n\\n* [Common Vulnerability Scoring System (CVSS)](https://nvd.nist.gov/vuln-metrics/cvss) is the NIST vulnerability scoring system\\n* Risk Number is residual risk score calculated from CVSS, which is adjusted to be specific to Heartland which accounts for services not in use such as Java and Flash\\n* Vulnerabilities by Tag are systems tagged with HIPAA and PCI identification.\\n\\n\\n** Workflow **\\n* Select 10.0 under Risk Number to identify Critical Vulnerabilities. 
\\n* For more information about a CVE, scroll down and click the CVE link.\\n* To filter by tags, use one of the following filters:\\n** tags:has_hipaa_data, tags:pci_asset, tags:hipaa_asset, tags:critical_asset**\"},\"aggs\":[],\"listeners\":{}}", + "description": "", + "title": "VulnWhisperer - Mitigation Readme", + "uiStateJSON": "{}", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "version": 1, + "type": "visualization", + "id": "5093c620-44e9-11e7-8014-ede06a7e69f8" + }, + { + "attributes": { + "visState": "{\"title\":\"VulnWhisperer - Vulnerabilities by Tag\",\"type\":\"table\",\"params\":{\"perPage\":3,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"filters\",\"schema\":\"bucket\",\"params\":{\"filters\":[{\"input\":{\"query\":{\"query_string\":{\"query\":\"tags:has_hipaa_data\",\"analyze_wildcard\":true}}},\"label\":\"Systems with HIPAA data\"},{\"input\":{\"query\":{\"query_string\":{\"query\":\"tags:pci_asset\",\"analyze_wildcard\":true}}},\"label\":\"PCI Systems\"},{\"input\":{\"query\":{\"query_string\":{\"query\":\"tags:hipaa_asset\",\"analyze_wildcard\":true}}},\"label\":\"HIPAA Systems\"}]}}],\"listeners\":{}}", + "description": "", + "title": "VulnWhisperer - Vulnerabilities by Tag", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "version": 1, + "type": 
"visualization", + "id": "471a3580-3f6b-11e7-88e7-df1abe6547fb" + }, + { + "attributes": { + "visState": "{\"title\":\"VulnWhisperer-Description\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"description.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Description\"}}],\"listeners\":{}}", + "description": "", + "title": "VulnWhisperer-Description", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "version": 1, + "type": "visualization", + "id": "1de9e550-3df1-11e7-a44e-c79ca8efb780" + }, + { + "attributes": { + "visState": "{\"title\":\"VulnWhisperer - Critical Risk Score for Tagged Assets\",\"type\":\"timelion\",\"params\":{\"expression\":\".es(index=logstash-vulnwhisperer-*,q='risk_score:>9 AND tags:hipaa_asset').label(\\\"HIPAA Assets\\\"),.es(index=logstash-vulnwhisperer-*,q='risk_score:>9 AND tags:pci_asset').label(\\\"PCI Systems\\\"),.es(index=logstash-vulnwhisperer-*,q='risk_score:>9 AND tags:has_hipaa_data').label(\\\"Has HIPAA Data\\\")\",\"interval\":\"auto\"},\"aggs\":[],\"listeners\":{}}", + "description": "", + "title": "VulnWhisperer - Critical Risk Score for Tagged Assets", + "uiStateJSON": "{}", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": 
"{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "version": 1, + "type": "visualization", + "id": "fb6eb020-49ab-11e7-8f8c-57ad64ec48a6" + }, + { + "attributes": { + "visState": "{\n \"title\": \"VulnWhisperer-Solution\",\n \"type\": \"table\",\n \"params\": {\n \"perPage\": 10,\n \"showMeticsAtAllLevels\": false,\n \"showPartialRows\": false,\n \"showTotal\": false,\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n },\n \"totalFunc\": \"sum\"\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"count\",\n \"schema\": \"metric\",\n \"params\": {}\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"bucket\",\n \"params\": {\n \"field\": \"solution\",\n \"size\": 50,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"customLabel\": \"Solution\"\n }\n }\n ],\n \"listeners\": {}\n}", + "description": "", + "title": "VulnWhisperer-Solution", + "uiStateJSON": "{\n \"vis\": {\n \"params\": {\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n }\n }\n }\n}", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\n \"index\": \"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\n \"query\": {\n \"query\": {\n \"query_string\": {\n \"analyze_wildcard\": true,\n \"query\": \"*\"\n }\n },\n \"language\": \"lucene\"\n },\n \"filter\": []\n}" + } + }, + "version": 1, + "type": "visualization", + "id": "13c7d4e0-3df3-11e7-a44e-c79ca8efb780" + }, + { + "attributes": { + "visState": "{\"title\":\"VulnWhisperer - 
AggTest\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"top_hits\",\"schema\":\"metric\",\"params\":{\"field\":\"@timestamp\",\"aggregate\":\"concat\",\"size\":1,\"sortField\":\"@timestamp\",\"sortOrder\":\"desc\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"asset.keyword\",\"size\":1000,\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"plugin_id\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", + "description": "", + "title": "VulnWhisperer - AggTest", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "version": 1, + "type": "visualization", + "id": "f9b68640-fda5-11e8-8f42-af2e41422cf8" + }, + { + "attributes": { + "visState": 
"{\"title\":\"VulnWhisperer-Asset\",\"type\":\"table\",\"params\":{\"perPage\":15,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\",\"type\":\"table\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"scan_fingerprint\",\"customLabel\":\"Findings\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"asset.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Asset\"}}]}", + "description": "", + "title": "VulnWhisperer-Asset", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "version": 1, + "type": "visualization", + "id": "995e2280-3df3-11e7-a44e-c79ca8efb780" + }, + { + "attributes": { + "visState": "{\"title\":\"VulnWhisperer - TL-Critical Risk\",\"type\":\"timelion\",\"params\":{\"expression\":\".es(index='logstash-vulnwhisperer-*',q='(risk_score:>=9 AND risk_score:<=10)').label(\\\"Original\\\"),.es(index='logstash-vulnwhisperer-*',q='(risk_score:>=9 AND risk_score:<=10)',offset=-1w).label(\\\"One week offset\\\"),.es(index='logstash-vulnwhisperer-*',q='(risk_score:>=9 AND risk_score:<=10)').subtract(.es(index='logstash-vulnwhisperer-*',q='(risk_score:>=9 AND risk_score:<=10)',offset=-1w)).label(\\\"Difference\\\").lines(steps=3,fill=2,width=1)\",\"interval\":\"auto\"},\"aggs\":[],\"listeners\":{}}", + "description": "", + "title": "VulnWhisperer - TL-Critical Risk", + "uiStateJSON": "{}", + 
"version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "version": 1, + "type": "visualization", + "id": "67d432e0-44ec-11e7-a05f-d9719b331a27" + }, + { + "attributes": { + "visState": "{\"title\":\"VulnWhisperer - TL-High Risk\",\"type\":\"timelion\",\"params\":{\"expression\":\".es(index='logstash-vulnwhisperer-*',q='(risk_score:>=7 AND risk_score:<9)').label(\\\"Original\\\"),.es(index='logstash-vulnwhisperer-*',q='(risk_score:>=7 AND risk_score:<9)',offset=-1w).label(\\\"One week offset\\\"),.es(index='logstash-vulnwhisperer-*',q='(risk_score:>=7 AND risk_score:<9)').subtract(.es(index='logstash-vulnwhisperer-*',q='(risk_score:>=7 AND risk_score:<9)',offset=-1w)).label(\\\"Difference\\\").lines(steps=3,fill=2,width=1)\",\"interval\":\"auto\"},\"aggs\":[],\"listeners\":{}}", + "description": "", + "title": "VulnWhisperer - TL-High Risk", + "uiStateJSON": "{}", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "version": 1, + "type": "visualization", + "id": "8d9592d0-44ec-11e7-a05f-d9719b331a27" + }, + { + "attributes": { + "visState": "{\n \"title\": \"VulnWhisperer - ScanBarChart\",\n \"type\": \"histogram\",\n \"params\": {\n \"addLegend\": true,\n \"addTimeMarker\": false,\n \"addTooltip\": true,\n \"defaultYExtents\": false,\n \"legendPosition\": \"right\",\n \"mode\": \"stacked\",\n \"scale\": \"linear\",\n \"setYExtents\": false,\n \"times\": [],\n \"type\": \"histogram\",\n \"grid\": {\n \"categoryLines\": false,\n \"style\": {\n \"color\": \"#eee\"\n }\n },\n \"categoryAxes\": [\n {\n \"id\": \"CategoryAxis-1\",\n \"type\": \"category\",\n \"position\": \"bottom\",\n \"show\": true,\n \"style\": {},\n \"scale\": {\n \"type\": \"linear\"\n },\n \"labels\": 
{\n \"show\": true,\n \"truncate\": 100\n },\n \"title\": {}\n }\n ],\n \"valueAxes\": [\n {\n \"id\": \"ValueAxis-1\",\n \"name\": \"LeftAxis-1\",\n \"type\": \"value\",\n \"position\": \"left\",\n \"show\": true,\n \"style\": {},\n \"scale\": {\n \"type\": \"linear\",\n \"mode\": \"normal\",\n \"setYExtents\": false,\n \"defaultYExtents\": false\n },\n \"labels\": {\n \"show\": true,\n \"rotate\": 0,\n \"filter\": false,\n \"truncate\": 100\n },\n \"title\": {\n \"text\": \"Unique count of scan_fingerprint\"\n }\n }\n ],\n \"seriesParams\": [\n {\n \"show\": \"true\",\n \"type\": \"histogram\",\n \"mode\": \"stacked\",\n \"data\": {\n \"label\": \"Unique count of scan_fingerprint\",\n \"id\": \"1\"\n },\n \"valueAxis\": \"ValueAxis-1\"\n }\n ]\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"cardinality\",\n \"schema\": \"metric\",\n \"params\": {\n \"field\": \"scan_fingerprint\"\n }\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"segment\",\n \"params\": {\n \"field\": \"plugin_name\",\n \"size\": 10,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"otherBucket\": false,\n \"otherBucketLabel\": \"Other\",\n \"missingBucket\": false,\n \"missingBucketLabel\": \"Missing\",\n \"customLabel\": \"Scan Name\"\n }\n }\n ]\n}", + "description": "", + "title": "VulnWhisperer - ScanBarChart", + "uiStateJSON": "{}", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\n \"index\": \"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\n \"query\": {\n \"query\": {\n \"query_string\": {\n \"analyze_wildcard\": true,\n \"query\": \"*\",\n \"default_field\": \"*\"\n }\n },\n \"language\": \"lucene\"\n },\n \"filter\": []\n}" + } + }, + "version": 1, + "type": "visualization", + "id": "2f979030-44b9-11e7-a818-f5f80dfc3590" + }, + { + "attributes": { + "visState": "{\n \"title\": \"VulnWhisperer - Plugin Name\",\n \"type\": \"table\",\n \"params\": {\n \"perPage\": 10,\n \"showPartialRows\": false,\n \"sort\": 
{\n \"columnIndex\": null,\n \"direction\": null\n },\n \"showTotal\": false,\n \"totalFunc\": \"sum\",\n \"showMetricsAtAllLevels\": false\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"cardinality\",\n \"schema\": \"metric\",\n \"params\": {\n \"field\": \"scan_fingerprint\",\n \"customLabel\": \"Count\"\n }\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"bucket\",\n \"params\": {\n \"field\": \"plugin_name\",\n \"size\": 10,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"otherBucket\": false,\n \"otherBucketLabel\": \"Other\",\n \"missingBucket\": false,\n \"missingBucketLabel\": \"Missing\",\n \"customLabel\": \"Plugin Name\"\n }\n }\n ]\n}", + "description": "", + "title": "VulnWhisperer - Plugin Name", + "uiStateJSON": "{\n \"vis\": {\n \"params\": {\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n }\n }\n }\n}", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\n \"index\": \"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\n \"query\": {\n \"query\": {\n \"query_string\": {\n \"query\": \"*\",\n \"analyze_wildcard\": true,\n \"default_field\": \"*\"\n }\n },\n \"language\": \"lucene\"\n },\n \"filter\": []\n}" + } + }, + "version": 1, + "type": "visualization", + "id": "297df800-3f7e-11e7-bd24-6903e3283192" + }, + { + "attributes": { + "visState": "{\n \"title\": \"VulnWhisperer - TL - TaggedAssetsPluginNames\",\n \"type\": \"timelion\",\n \"params\": {\n \"expression\": \".es(index='logstash-vulnwhisperer-*', q='tags:critical_asset OR tags:hipaa_asset OR tags:pci_asset', split=\\\"plugin_name:10\\\").bars(width=4).label(regex=\\\".*:(.+)>.*\\\",label=\\\"$1\\\")\",\n \"interval\": \"auto\"\n },\n \"aggs\": [],\n \"listeners\": {}\n}", + "description": "", + "title": "VulnWhisperer - TL - TaggedAssetsPluginNames", + "uiStateJSON": "{}", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\n \"query\": {\n \"query\": {\n \"query_string\": {\n 
\"query\": \"*\",\n \"analyze_wildcard\": true\n }\n },\n \"language\": \"lucene\"\n },\n \"filter\": []\n}" + } + }, + "version": 1, + "type": "visualization", + "id": "479deab0-8a39-11e7-a58a-9bfcb3761a3d" + }, + { + "attributes": { + "visState": "{\n \"title\": \"VulnWhisperer - ScanName\",\n \"type\": \"table\",\n \"params\": {\n \"perPage\": 10,\n \"showPartialRows\": false,\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n },\n \"showTotal\": false,\n \"totalFunc\": \"sum\",\n \"showMetricsAtAllLevels\": false\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"count\",\n \"schema\": \"metric\",\n \"params\": {}\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"bucket\",\n \"params\": {\n \"field\": \"scan_name\",\n \"size\": 20,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"otherBucket\": false,\n \"otherBucketLabel\": \"Other\",\n \"missingBucket\": false,\n \"missingBucketLabel\": \"Missing\",\n \"customLabel\": \"Scan Name\"\n }\n }\n ]\n}", + "description": "", + "title": "VulnWhisperer - ScanName", + "uiStateJSON": "{\n \"vis\": {\n \"params\": {\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n }\n }\n }\n}", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\n \"index\": \"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\n \"query\": {\n \"query\": {\n \"query_string\": {\n \"query\": \"*\",\n \"analyze_wildcard\": true,\n \"default_field\": \"*\"\n }\n },\n \"language\": \"lucene\"\n },\n \"filter\": []\n}" + } + }, + "version": 1, + "type": "visualization", + "id": "de1a5f40-3f85-11e7-97f9-3777d794626d" + }, + { + "attributes": { + "visState": "{\n \"title\": \"VulnWhisperer - Risk: Critical\",\n \"type\": \"metric\",\n \"params\": {\n \"addTooltip\": true,\n \"addLegend\": false,\n \"type\": \"metric\",\n \"metric\": {\n \"percentageMode\": false,\n \"useRanges\": false,\n \"colorSchema\": \"Green to Red\",\n \"metricColorMode\": \"None\",\n 
\"colorsRange\": [\n {\n \"from\": 0,\n \"to\": 10000\n }\n ],\n \"labels\": {\n \"show\": true\n },\n \"invertColors\": false,\n \"style\": {\n \"bgFill\": \"#000\",\n \"bgColor\": false,\n \"labelColor\": false,\n \"subText\": \"\",\n \"fontSize\": 60\n }\n }\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"count\",\n \"schema\": \"metric\",\n \"params\": {}\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"filters\",\n \"schema\": \"group\",\n \"params\": {\n \"filters\": [\n {\n \"input\": {\n \"query\": \"risk:critical\"\n },\n \"label\": \"Risk: Critical\"\n }\n ]\n }\n }\n ]\n}", + "description": "", + "title": "VulnWhisperer - Risk: Critical", + "uiStateJSON": "{\n \"vis\": {\n \"defaultColors\": {\n \"0 - 10\": \"rgb(255,245,240)\",\n \"10 - 20\": \"rgb(103,0,13)\"\n }\n }\n}", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\n \"index\": \"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\n \"query\": {\n \"language\": \"lucene\",\n \"query\": \"\"\n },\n \"filter\": []\n}" + } + }, + "version": 1, + "type": "visualization", + "id": "8c9c9430-f77b-11e8-8f42-af2e41422cf8" + }, + { + "attributes": { + "visState": "{\"title\":\"VulnWhisperer-CVSS\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":0,\"direction\":\"desc\"},\"totalFunc\":\"sum\",\"type\":\"table\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"# of Findings\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"cvss_severity\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"CVSS 
Severity\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"asset.keyword\",\"customLabel\":\"# of Assets\"}}]}", + "description": "", + "title": "VulnWhisperer-CVSS", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":0,\"direction\":\"desc\"}}}}", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}},\"filter\":[]}" + } + }, + "version": 1, + "type": "visualization", + "id": "852816e0-3eb1-11e7-90cb-918f9cb01e3d" + }, + { + "attributes": { + "visState": "{\n \"title\": \"VulnWhisperer - Risk: High\",\n \"type\": \"metric\",\n \"params\": {\n \"addTooltip\": true,\n \"addLegend\": false,\n \"type\": \"metric\",\n \"metric\": {\n \"percentageMode\": false,\n \"useRanges\": false,\n \"colorSchema\": \"Green to Red\",\n \"metricColorMode\": \"None\",\n \"colorsRange\": [\n {\n \"from\": 0,\n \"to\": 10000\n }\n ],\n \"labels\": {\n \"show\": true\n },\n \"invertColors\": false,\n \"style\": {\n \"bgFill\": \"#000\",\n \"bgColor\": false,\n \"labelColor\": false,\n \"subText\": \"\",\n \"fontSize\": 60\n }\n }\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"count\",\n \"schema\": \"metric\",\n \"params\": {}\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"filters\",\n \"schema\": \"group\",\n \"params\": {\n \"filters\": [\n {\n \"input\": {\n \"query\": \"risk:high\"\n },\n \"label\": \"Risk: High\"\n }\n ]\n }\n }\n ]\n}", + "description": "", + "title": "VulnWhisperer - Risk: High", + "uiStateJSON": "{\n \"vis\": {\n \"defaultColors\": {\n \"1 - 5\": \"rgb(255,245,240)\",\n \"5 - 19999\": \"rgb(103,0,13)\"\n }\n }\n}", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\n \"index\": \"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\n \"query\": {\n 
\"query\": \"\",\n \"language\": \"lucene\"\n },\n \"filter\": []\n}" + } + }, + "version": 1, + "type": "visualization", + "id": "c533c120-fe8c-11e8-8f42-af2e41422cf8" + }, + { + "attributes": { + "visState": "{\n \"title\": \"VulnWhisperer - Risk: Low\",\n \"type\": \"metric\",\n \"params\": {\n \"addTooltip\": true,\n \"addLegend\": false,\n \"type\": \"metric\",\n \"metric\": {\n \"percentageMode\": false,\n \"useRanges\": false,\n \"colorSchema\": \"Green to Red\",\n \"metricColorMode\": \"None\",\n \"colorsRange\": [\n {\n \"from\": 0,\n \"to\": 10000\n }\n ],\n \"labels\": {\n \"show\": true\n },\n \"invertColors\": false,\n \"style\": {\n \"bgFill\": \"#000\",\n \"bgColor\": false,\n \"labelColor\": false,\n \"subText\": \"\",\n \"fontSize\": 60\n }\n }\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"count\",\n \"schema\": \"metric\",\n \"params\": {}\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"filters\",\n \"schema\": \"group\",\n \"params\": {\n \"filters\": [\n {\n \"input\": {\n \"query\": \"risk:low\"\n },\n \"label\": \"Risk: Low\"\n }\n ]\n }\n }\n ]\n}", + "description": "", + "title": "VulnWhisperer - Risk: Low", + "uiStateJSON": "{\n \"vis\": {\n \"defaultColors\": {\n \"0 - 50\": \"rgb(247,252,245)\",\n \"50 - 100\": \"rgb(0,68,27)\"\n }\n }\n}", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\n \"index\": \"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\n \"query\": {\n \"query\": \"\",\n \"language\": \"lucene\"\n },\n \"filter\": []\n}" + } + }, + "version": 1, + "type": "visualization", + "id": "e6b5b920-f77a-11e8-8f42-af2e41422cf8" + }, + { + "attributes": { + "visState": "{\"title\":\"METRIC YO\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to 
Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"schema\":\"group\",\"params\":{\"filters\":[{\"input\":{\"query\":\"risk:critical\"},\"label\":\"Risk: Critical\"}]}}]}", + "description": "", + "title": "METRIC YO", + "uiStateJSON": "{}", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "version": 1, + "type": "visualization", + "id": "c1137860-6c46-11e9-a9d6-b94c6bfb6357" + }, + { + "attributes": { + "visState": "{\n \"title\": \"VulnWhisperer - Risk: Medium\",\n \"type\": \"metric\",\n \"params\": {\n \"addTooltip\": true,\n \"addLegend\": false,\n \"type\": \"metric\",\n \"metric\": {\n \"percentageMode\": false,\n \"useRanges\": false,\n \"colorSchema\": \"Green to Red\",\n \"metricColorMode\": \"None\",\n \"colorsRange\": [\n {\n \"from\": 0,\n \"to\": 10000\n }\n ],\n \"labels\": {\n \"show\": true\n },\n \"invertColors\": false,\n \"style\": {\n \"bgFill\": \"#000\",\n \"bgColor\": false,\n \"labelColor\": false,\n \"subText\": \"\",\n \"fontSize\": 60\n }\n }\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"count\",\n \"schema\": \"metric\",\n \"params\": {}\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"filters\",\n \"schema\": \"group\",\n \"params\": {\n \"filters\": [\n {\n \"input\": {\n \"query\": \"risk:medium\"\n },\n \"label\": \"Risk: Medium\"\n }\n ]\n }\n }\n ]\n}", + "description": "", + "title": "VulnWhisperer - Risk: Medium", + "uiStateJSON": "{\n \"vis\": {\n \"defaultColors\": {\n \"0 - 10\": \"rgb(8,48,107)\"\n }\n }\n}", + 
"version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\n \"index\": \"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\n \"query\": {\n \"query\": \"\",\n \"language\": \"lucene\"\n },\n \"filter\": []\n}" + } + }, + "version": 1, + "type": "visualization", + "id": "61b43c00-f77b-11e8-8f42-af2e41422cf8" + }, + { + "attributes": { + "visState": "{\n \"title\": \"VulnWhisperer - Residual Risk\",\n \"type\": \"table\",\n \"params\": {\n \"perPage\": 15,\n \"showPartialRows\": false,\n \"sort\": {\n \"columnIndex\": 0,\n \"direction\": \"desc\"\n },\n \"showTotal\": false,\n \"totalFunc\": \"sum\",\n \"showMetricsAtAllLevels\": false\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"cardinality\",\n \"schema\": \"metric\",\n \"params\": {\n \"field\": \"scan_fingerprint\",\n \"customLabel\": \"Count\"\n }\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"bucket\",\n \"params\": {\n \"field\": \"risk_number\",\n \"size\": 50,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"otherBucket\": false,\n \"otherBucketLabel\": \"Other\",\n \"missingBucket\": false,\n \"missingBucketLabel\": \"Missing\",\n \"customLabel\": \"Risk Number\"\n }\n }\n ]\n}", + "description": "", + "title": "VulnWhisperer - Residual Risk", + "uiStateJSON": "{\n \"vis\": {\n \"params\": {\n \"sort\": {\n \"columnIndex\": 0,\n \"direction\": \"desc\"\n }\n }\n }\n}", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\n \"index\": \"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\n \"query\": {\n \"query\": {\n \"query_string\": {\n \"query\": \"*\",\n \"analyze_wildcard\": true,\n \"default_field\": \"*\"\n }\n },\n \"language\": \"lucene\"\n },\n \"filter\": []\n}" + } + }, + "version": 1, + "type": "visualization", + "id": "35b6d320-3f7f-11e7-bd24-6903e3283192" + }, + { + "attributes": { + "visState": 
"{\"title\":\"VulnWhisperer-RiskOverTime\",\"type\":\"line\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"@timestamp per 12 hours\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"},\"valueAxis\":\"ValueAxis-1\"},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"orderBucketsBySum\":false,\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\",\"setYExtents\":false,\"defaultYExtents\":false},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"type\":\"line\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-6M\",\"to\":\"now\",\"mode\":\"quick\"},\"useNormalizedEsInterval\":true,\"interval\":\"auto\",\"time_zone\":\"Europe/London\",\"drop_partials\":false,\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"filters\",\"schema\":\"group\",\"params\":{\"filters\":[{\"input\":{\"query\":\"cvss_severity:info\"},\"label\":\"Info\"},{\"input\":{\"query\":\"cvss_severity:low\"},\"label\":\"Low\"},{\
"input\":{\"query\":\"cvss_severity:medium\"},\"label\":\"Medium\"},{\"input\":{\"query\":\"cvss_severity:high\"},\"label\":\"High\"},{\"input\":{\"query\":\"cvss_severity:critical\"},\"label\":\"Critical\"}]}}]}", + "description": "", + "title": "VulnWhisperer-RiskOverTime", + "uiStateJSON": "{\"vis\":{\"colors\":{\"Critical\":\"#962D82\",\"High\":\"#BF1B00\",\"Low\":\"#629E51\",\"Medium\":\"#EAB839\",\"Info\":\"#65C5DB\"}}}", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}}},\"filter\":[]}" + } + }, + "version": 1, + "type": "visualization", + "id": "56f0f5f0-3ebe-11e7-a192-93f36fbd9d05" + }, + { + "attributes": { "sort": [ "@timestamp", "desc" ], + "hits": 0, + "description": "", + "title": "VulnWhisperer - High Risk", "version": 1, "kibanaSavedObjectMeta": { "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}}},\"filter\":[{\"meta\":{\"negate\":false,\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"type\":\"phrase\",\"key\":\"risk\",\"value\":\"High\",\"params\":{\"query\":\"High\",\"type\":\"phrase\"},\"disabled\":false,\"alias\":null},\"query\":{\"match\":{\"risk\":{\"query\":\"High\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"highlightAll\":true,\"version\":true}" - } - } - }, - { - "id": "54648700-3f74-11e7-852e-69207a3d0726", - "type": "search", - "attributes": { - "title": "VulnWhisperer - Saved Search", - "description": "", - "hits": 0, + }, "columns": [ "host", "risk", 
@@ -80,24 +392,52 @@ "plugin_name", "solution", "plugin_output" - ], + ] + }, + "version": 1, + "type": "search", + "id": "159d2500-f773-11e8-8f42-af2e41422cf8" + }, + { + "attributes": { "sort": [ "@timestamp", "desc" ], + "hits": 0, + "description": "", + "title": "VulnWhisperer - Saved Search", "version": 1, "kibanaSavedObjectMeta": { "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647}}" - } - } + }, + "columns": [ + "host", + "risk", + "risk_score", + "cve", + "plugin_name", + "solution", + "plugin_output" + ] + }, + "version": 1, + "type": "search", + "id": "54648700-3f74-11e7-852e-69207a3d0726" }, { - "id": "41a7e430-fdb5-11e8-8f42-af2e41422cf8", - "type": "search", "attributes": { - "title": "VulnWhisperer - Compliance", - "description": "", + "sort": [ + "@timestamp", + "desc" + ], "hits": 0, + "description": "", + "title": "VulnWhisperer - Compliance", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[]}" + }, "columns": [ "plugin_id", "cve", 
@@ -112,319 +452,24 @@ "solution", "see_also", "plugin_output" - ], - "sort": [ - "@timestamp", - "desc" - ], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[]}" - } - } + ] + }, + "version": 1, + "type": "search", + "id": "41a7e430-fdb5-11e8-8f42-af2e41422cf8" }, { - "id": "465c5820-8977-11e7-857e-e1d56b17746d", - "type": "visualization", + "version": 1, + "migrationVersion": { + "index-pattern": "6.5.0" + }, "attributes": { - "title": "VulnWhisperer - Critical Assets", - "visState": "{\"title\":\"VulnWhisperer - Critical Assets\",\"type\":\"heatmap\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"enableHover\":true,\"legendPosition\":\"right\",\"times\":[],\"colorsNumber\":4,\"colorSchema\":\"Green to Red\",\"setColorRange\":true,\"colorsRange\":[{\"from\":0,\"to\":3},{\"from\":3,\"to\":7},{\"from\":7,\"to\":9},{\"from\":9,\"to\":11}],\"invertColors\":false,\"percentageMode\":false,\"valueAxes\":[{\"show\":false,\"id\":\"ValueAxis-1\",\"type\":\"value\",\"scale\":{\"type\":\"linear\",\"defaultYExtents\":false},\"labels\":{\"show\":false,\"rotate\":0,\"color\":\"white\"}}],\"type\":\"heatmap\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"risk_score\",\"customLabel\":\"Residual Risk 
Score\"}},{\"id\":\"2\",\"enabled\":false,\"type\":\"terms\",\"schema\":\"split\",\"params\":{\"field\":\"risk_score\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"row\":true}},{\"id\":\"3\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"Date\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"asset.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Critical Asset\"}}],\"listeners\":{}}", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 3\":\"rgb(0,104,55)\",\"3 - 7\":\"rgb(135,203,103)\",\"7 - 9\":\"rgb(255,255,190)\",\"9 - 11\":\"rgb(249,142,82)\"},\"colors\":{\"8 - 10\":\"#BF1B00\",\"9 - 11\":\"#BF1B00\",\"7 - 9\":\"#EF843C\",\"3 - 7\":\"#EAB839\",\"0 - 3\":\"#7EB26D\"},\"legendOpen\":false}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"index\":\"logstash-vulnwhisperer-*\",\"negate\":false,\"disabled\":false,\"alias\":\"Critical Asset\",\"type\":\"phrase\",\"key\":\"tags\",\"value\":\"critical_asset\"},\"query\":{\"match\":{\"tags\":{\"query\":\"critical_asset\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}]}" - } - } - }, - { - "id": "56f0f5f0-3ebe-11e7-a192-93f36fbd9d05", - "type": "visualization", - "attributes": { - "title": "VulnWhisperer-RiskOverTime", - "visState": 
"{\"title\":\"VulnWhisperer-RiskOverTime\",\"type\":\"line\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"@timestamp per 12 hours\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"},\"valueAxis\":\"ValueAxis-1\"},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"orderBucketsBySum\":false,\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"type\":\"line\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"filters\",\"schema\":\"group\",\"params\":{\"filters\":[{\"input\":{\"query\":{\"query_string\":{\"query\":\"risk_score_name:info\"}}},\"label\":\"Info\"},{\"input\":{\"query\":{\"query_string\":{\"query\":\"risk_score_name:low\"}}},\"label\":\"Low\"},{\"input\":{\"query\":{\"query_string\":{\"query\":\"risk_score_name:medium\"}}},\"label\":\"Medium\"},{\"input\":{\"query\":{\"query_string\":
{\"query\":\"risk_score_name:high\"}}},\"label\":\"High\"},{\"input\":{\"query\":{\"query_string\":{\"query\":\"risk_score_name:critical\"}}},\"label\":\"Critical\"}]}}],\"listeners\":{}}", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Critical\":\"#962D82\",\"High\":\"#BF1B00\",\"Low\":\"#629E51\",\"Medium\":\"#EAB839\",\"Info\":\"#65C5DB\"}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}" - } - } - }, - { - "id": "5093c620-44e9-11e7-8014-ede06a7e69f8", - "type": "visualization", - "attributes": { - "title": "VulnWhisperer - Mitigation Readme", - "visState": "{\"title\":\"VulnWhisperer - Mitigation Readme\",\"type\":\"markdown\",\"params\":{\"markdown\":\"** Legend **\\n\\n* [Common Vulnerability Scoring System (CVSS)](https://nvd.nist.gov/vuln-metrics/cvss) is the NIST vulnerability scoring system\\n* Risk Number is residual risk score calculated from CVSS, which is adjusted to be specific to Heartland which accounts for services not in use such as Java and Flash\\n* Vulnerabilities by Tag are systems tagged with HIPAA and PCI identification.\\n\\n\\n** Workflow **\\n* Select 10.0 under Risk Number to identify Critical Vulnerabilities. 
\\n* For more information about a CVE, scroll down and click the CVE link.\\n* To filter by tags, use one of the following filters:\\n** tags:has_hipaa_data, tags:pci_asset, tags:hipaa_asset, tags:critical_asset**\"},\"aggs\":[],\"listeners\":{}}", - "uiStateJSON": "{}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"filter\":[]}" - } - } - }, - { - "id": "471a3580-3f6b-11e7-88e7-df1abe6547fb", - "type": "visualization", - "attributes": { - "title": "VulnWhisperer - Vulnerabilities by Tag", - "visState": "{\"title\":\"VulnWhisperer - Vulnerabilities by Tag\",\"type\":\"table\",\"params\":{\"perPage\":3,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"filters\",\"schema\":\"bucket\",\"params\":{\"filters\":[{\"input\":{\"query\":{\"query_string\":{\"query\":\"tags:has_hipaa_data\",\"analyze_wildcard\":true}}},\"label\":\"Systems with HIPAA data\"},{\"input\":{\"query\":{\"query_string\":{\"query\":\"tags:pci_asset\",\"analyze_wildcard\":true}}},\"label\":\"PCI Systems\"},{\"input\":{\"query\":{\"query_string\":{\"query\":\"tags:hipaa_asset\",\"analyze_wildcard\":true}}},\"label\":\"HIPAA Systems\"}]}}],\"listeners\":{}}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}" - } - } - }, - { - "id": "1de9e550-3df1-11e7-a44e-c79ca8efb780", - "type": "visualization", - 
"attributes": { - "title": "VulnWhisperer-Description", - "visState": "{\"title\":\"VulnWhisperer-Description\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"description.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Description\"}}],\"listeners\":{}}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"filter\":[]}" - } - } - }, - { - "id": "fb6eb020-49ab-11e7-8f8c-57ad64ec48a6", - "type": "visualization", - "attributes": { - "title": "VulnWhisperer - Critical Risk Score for Tagged Assets", - "visState": "{\"title\":\"VulnWhisperer - Critical Risk Score for Tagged Assets\",\"type\":\"timelion\",\"params\":{\"expression\":\".es(index=logstash-vulnwhisperer-*,q='risk_score:>9 AND tags:hipaa_asset').label(\\\"HIPAA Assets\\\"),.es(index=logstash-vulnwhisperer-*,q='risk_score:>9 AND tags:pci_asset').label(\\\"PCI Systems\\\"),.es(index=logstash-vulnwhisperer-*,q='risk_score:>9 AND tags:has_hipaa_data').label(\\\"Has HIPAA Data\\\")\",\"interval\":\"auto\"},\"aggs\":[],\"listeners\":{}}", - "uiStateJSON": "{}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"filter\":[]}" - } - } - }, - { - "id": "13c7d4e0-3df3-11e7-a44e-c79ca8efb780", - "type": 
"visualization", - "attributes": { - "title": "VulnWhisperer-Solution", - "visState": "{\n \"title\": \"VulnWhisperer-Solution\",\n \"type\": \"table\",\n \"params\": {\n \"perPage\": 10,\n \"showMeticsAtAllLevels\": false,\n \"showPartialRows\": false,\n \"showTotal\": false,\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n },\n \"totalFunc\": \"sum\"\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"count\",\n \"schema\": \"metric\",\n \"params\": {}\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"bucket\",\n \"params\": {\n \"field\": \"solution\",\n \"size\": 50,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"customLabel\": \"Solution\"\n }\n }\n ],\n \"listeners\": {}\n}", - "uiStateJSON": "{\n \"vis\": {\n \"params\": {\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n }\n }\n }\n}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\n \"index\": \"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\n \"query\": {\n \"query\": {\n \"query_string\": {\n \"analyze_wildcard\": true,\n \"query\": \"*\"\n }\n },\n \"language\": \"lucene\"\n },\n \"filter\": []\n}" - } - } - }, - { - "id": "f9b68640-fda5-11e8-8f42-af2e41422cf8", - "type": "visualization", - "attributes": { - "title": "VulnWhisperer - AggTest", - "visState": "{\"title\":\"VulnWhisperer - 
AggTest\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"top_hits\",\"schema\":\"metric\",\"params\":{\"field\":\"@timestamp\",\"aggregate\":\"concat\",\"size\":1,\"sortField\":\"@timestamp\",\"sortOrder\":\"desc\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"asset.keyword\",\"size\":1000,\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"plugin_id\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - } - }, - { - "id": "852816e0-3eb1-11e7-90cb-918f9cb01e3d", - "type": "visualization", - "attributes": { - "title": "VulnWhisperer-CVSS", - "visState": "{\"title\":\"VulnWhisperer-CVSS\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":0,\"direction\":\"desc\"},\"totalFunc\":\"sum\",\"type\":\"table\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"scan_fingerprint\",\"customLabel\":\"Unique 
Findings\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"cvss\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"CVSS Score\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"asset.keyword\",\"customLabel\":\"# of Assets\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":0,\"direction\":\"desc\"}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true,\"default_field\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}" - } - } - }, - { - "id": "35b6d320-3f7f-11e7-bd24-6903e3283192", - "type": "visualization", - "attributes": { - "title": "VulnWhisperer - Residual Risk", - "visState": "{\"title\":\"VulnWhisperer - Residual Risk\",\"type\":\"table\",\"params\":{\"perPage\":15,\"showPartialRows\":false,\"sort\":{\"columnIndex\":0,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"scan_fingerprint\",\"customLabel\":\"Count\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"risk_score\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Risk Number\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":0,\"direction\":\"desc\"}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": 
"{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true,\"default_field\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}" - } - } - }, - { - "id": "995e2280-3df3-11e7-a44e-c79ca8efb780", - "type": "visualization", - "attributes": { - "title": "VulnWhisperer-Asset", - "visState": "{\"title\":\"VulnWhisperer-Asset\",\"type\":\"table\",\"params\":{\"perPage\":15,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\",\"type\":\"table\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"scan_fingerprint\",\"customLabel\":\"Findings\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"asset.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Asset\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}" - } - } - }, - { - "id": "67d432e0-44ec-11e7-a05f-d9719b331a27", - "type": "visualization", - "attributes": { - "title": "VulnWhisperer - TL-Critical Risk", - "visState": "{\"title\":\"VulnWhisperer - TL-Critical Risk\",\"type\":\"timelion\",\"params\":{\"expression\":\".es(index='logstash-vulnwhisperer-*',q='(risk_score:>=9 AND risk_score:<=10)').label(\\\"Original\\\"),.es(index='logstash-vulnwhisperer-*',q='(risk_score:>=9 AND risk_score:<=10)',offset=-1w).label(\\\"One week 
offset\\\"),.es(index='logstash-vulnwhisperer-*',q='(risk_score:>=9 AND risk_score:<=10)').subtract(.es(index='logstash-vulnwhisperer-*',q='(risk_score:>=9 AND risk_score:<=10)',offset=-1w)).label(\\\"Difference\\\").lines(steps=3,fill=2,width=1)\",\"interval\":\"auto\"},\"aggs\":[],\"listeners\":{}}", - "uiStateJSON": "{}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"filter\":[]}" - } - } - }, - { - "id": "8d9592d0-44ec-11e7-a05f-d9719b331a27", - "type": "visualization", - "attributes": { - "title": "VulnWhisperer - TL-High Risk", - "visState": "{\"title\":\"VulnWhisperer - TL-High Risk\",\"type\":\"timelion\",\"params\":{\"expression\":\".es(index='logstash-vulnwhisperer-*',q='(risk_score:>=7 AND risk_score:<9)').label(\\\"Original\\\"),.es(index='logstash-vulnwhisperer-*',q='(risk_score:>=7 AND risk_score:<9)',offset=-1w).label(\\\"One week offset\\\"),.es(index='logstash-vulnwhisperer-*',q='(risk_score:>=7 AND risk_score:<9)').subtract(.es(index='logstash-vulnwhisperer-*',q='(risk_score:>=7 AND risk_score:<9)',offset=-1w)).label(\\\"Difference\\\").lines(steps=3,fill=2,width=1)\",\"interval\":\"auto\"},\"aggs\":[],\"listeners\":{}}", - "uiStateJSON": "{}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"filter\":[]}" - } - } - }, - { - "id": "2f979030-44b9-11e7-a818-f5f80dfc3590", - "type": "visualization", - "attributes": { - "title": "VulnWhisperer - ScanBarChart", - "visState": "{\n \"title\": \"VulnWhisperer - ScanBarChart\",\n \"type\": \"histogram\",\n \"params\": {\n \"addLegend\": true,\n \"addTimeMarker\": false,\n \"addTooltip\": true,\n \"defaultYExtents\": false,\n \"legendPosition\": \"right\",\n \"mode\": \"stacked\",\n \"scale\": 
\"linear\",\n \"setYExtents\": false,\n \"times\": [],\n \"type\": \"histogram\",\n \"grid\": {\n \"categoryLines\": false,\n \"style\": {\n \"color\": \"#eee\"\n }\n },\n \"categoryAxes\": [\n {\n \"id\": \"CategoryAxis-1\",\n \"type\": \"category\",\n \"position\": \"bottom\",\n \"show\": true,\n \"style\": {},\n \"scale\": {\n \"type\": \"linear\"\n },\n \"labels\": {\n \"show\": true,\n \"truncate\": 100\n },\n \"title\": {}\n }\n ],\n \"valueAxes\": [\n {\n \"id\": \"ValueAxis-1\",\n \"name\": \"LeftAxis-1\",\n \"type\": \"value\",\n \"position\": \"left\",\n \"show\": true,\n \"style\": {},\n \"scale\": {\n \"type\": \"linear\",\n \"mode\": \"normal\",\n \"setYExtents\": false,\n \"defaultYExtents\": false\n },\n \"labels\": {\n \"show\": true,\n \"rotate\": 0,\n \"filter\": false,\n \"truncate\": 100\n },\n \"title\": {\n \"text\": \"Unique count of scan_fingerprint\"\n }\n }\n ],\n \"seriesParams\": [\n {\n \"show\": \"true\",\n \"type\": \"histogram\",\n \"mode\": \"stacked\",\n \"data\": {\n \"label\": \"Unique count of scan_fingerprint\",\n \"id\": \"1\"\n },\n \"valueAxis\": \"ValueAxis-1\"\n }\n ]\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"cardinality\",\n \"schema\": \"metric\",\n \"params\": {\n \"field\": \"scan_fingerprint\"\n }\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"segment\",\n \"params\": {\n \"field\": \"plugin_name\",\n \"size\": 10,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"otherBucket\": false,\n \"otherBucketLabel\": \"Other\",\n \"missingBucket\": false,\n \"missingBucketLabel\": \"Missing\",\n \"customLabel\": \"Scan Name\"\n }\n }\n ]\n}", - "uiStateJSON": "{}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\n \"index\": \"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\n \"query\": {\n \"query\": {\n \"query_string\": {\n \"analyze_wildcard\": true,\n \"query\": \"*\",\n \"default_field\": \"*\"\n }\n },\n 
\"language\": \"lucene\"\n },\n \"filter\": []\n}" - } - } - }, - { - "id": "8c9c9430-f77b-11e8-8f42-af2e41422cf8", - "type": "visualization", - "attributes": { - "title": "VulnWhisperer - Risk: Critical", - "visState": "{\"title\":\"VulnWhisperer - Risk: Critical\",\"type\":\"gauge\",\"params\":{\"type\":\"gauge\",\"addTooltip\":true,\"addLegend\":true,\"isDisplayWarning\":false,\"gauge\":{\"verticalSplit\":false,\"extendRange\":true,\"percentageMode\":false,\"gaugeType\":\"Arc\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Reds\",\"gaugeColorMode\":\"Labels\",\"colorsRange\":[{\"from\":0,\"to\":10},{\"from\":10,\"to\":20}],\"invertColors\":false,\"labels\":{\"show\":true,\"color\":\"black\"},\"scale\":{\"show\":true,\"labels\":false,\"color\":\"#333\"},\"type\":\"meter\",\"style\":{\"bgWidth\":0.9,\"width\":0.9,\"mask\":false,\"bgMask\":false,\"maskBars\":50,\"bgFill\":\"#eee\",\"bgColor\":false,\"subText\":\"\",\"fontSize\":60,\"labelColor\":true}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"scan_fingerprint\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"schema\":\"group\",\"params\":{\"filters\":[{\"input\":{\"query\":\"risk_score_name:critical\"},\"label\":\"Critical Risk\"}]}}]}", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 10\":\"rgb(255,245,240)\",\"10 - 20\":\"rgb(103,0,13)\"}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[]}" - } - } - }, - { - "id": "e6b5b920-f77a-11e8-8f42-af2e41422cf8", - "type": "visualization", - "attributes": { - "title": "VulnWhisperer - Risk: Low", - "visState": "{\"title\":\"VulnWhisperer - Risk: 
Low\",\"type\":\"gauge\",\"params\":{\"type\":\"gauge\",\"addTooltip\":true,\"addLegend\":true,\"isDisplayWarning\":false,\"gauge\":{\"verticalSplit\":false,\"extendRange\":true,\"percentageMode\":false,\"gaugeType\":\"Arc\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Greens\",\"gaugeColorMode\":\"Labels\",\"colorsRange\":[{\"from\":0,\"to\":50},{\"from\":50,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":true,\"color\":\"black\"},\"scale\":{\"show\":true,\"labels\":false,\"color\":\"#333\"},\"type\":\"meter\",\"style\":{\"bgWidth\":0.9,\"width\":0.9,\"mask\":false,\"bgMask\":false,\"maskBars\":50,\"bgFill\":\"#eee\",\"bgColor\":false,\"subText\":\"\",\"fontSize\":60,\"labelColor\":true}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"scan_fingerprint\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"schema\":\"group\",\"params\":{\"filters\":[{\"input\":{\"query\":\"risk_score_name:low\"},\"label\":\"Low Risk\"}]}}]}", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 50\":\"rgb(247,252,245)\",\"50 - 100\":\"rgb(0,68,27)\"}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - } - }, - { - "id": "c533c120-fe8c-11e8-8f42-af2e41422cf8", - "type": "visualization", - "attributes": { - "title": "VulnWhisperer - Risk: High", - "visState": "{\"title\":\"VulnWhisperer - Risk: 
High\",\"type\":\"goal\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"isDisplayWarning\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Arc\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"useRanges\":false,\"colorSchema\":\"Reds\",\"gaugeColorMode\":\"None\",\"colorsRange\":[{\"from\":1,\"to\":5},{\"from\":5,\"to\":19999}],\"invertColors\":false,\"labels\":{\"show\":true,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"meter\",\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"scan_fingerprint\",\"customLabel\":\"Risk: High\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"schema\":\"group\",\"params\":{\"filters\":[{\"input\":{\"query\":\"risk_score_name:high\"},\"label\":\"risk: High\"}]}}]}", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"1 - 5\":\"rgb(255,245,240)\",\"5 - 19999\":\"rgb(103,0,13)\"}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - } - }, - { - "id": "61b43c00-f77b-11e8-8f42-af2e41422cf8", - "type": "visualization", - "attributes": { - "title": "VulnWhisperer - Risk: Medium", - "visState": "{\"title\":\"VulnWhisperer - Risk: 
Medium\",\"type\":\"gauge\",\"params\":{\"type\":\"gauge\",\"addTooltip\":true,\"addLegend\":true,\"isDisplayWarning\":false,\"gauge\":{\"verticalSplit\":false,\"extendRange\":false,\"percentageMode\":false,\"gaugeType\":\"Arc\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Blues\",\"gaugeColorMode\":\"Labels\",\"colorsRange\":[{\"from\":0,\"to\":10}],\"invertColors\":true,\"labels\":{\"show\":true,\"color\":\"black\"},\"scale\":{\"show\":true,\"labels\":false,\"color\":\"#333\"},\"type\":\"meter\",\"style\":{\"bgWidth\":0.9,\"width\":0.9,\"mask\":false,\"bgMask\":false,\"maskBars\":50,\"bgFill\":\"#eee\",\"bgColor\":false,\"subText\":\"\",\"fontSize\":60,\"labelColor\":true}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"scan_fingerprint\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"schema\":\"group\",\"params\":{\"filters\":[{\"input\":{\"query\":\"risk_score_name:medium\"},\"label\":\"Medium Risk\"}]}}]}", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 10\":\"rgb(8,48,107)\"}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - } - }, - { - "id": "297df800-3f7e-11e7-bd24-6903e3283192", - "type": "visualization", - "attributes": { - "title": "VulnWhisperer - Plugin Name", - "visState": "{\n \"title\": \"VulnWhisperer - Plugin Name\",\n \"type\": \"table\",\n \"params\": {\n \"perPage\": 10,\n \"showPartialRows\": false,\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n },\n \"showTotal\": false,\n \"totalFunc\": \"sum\",\n \"showMetricsAtAllLevels\": false\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"cardinality\",\n \"schema\": \"metric\",\n \"params\": {\n \"field\": \"scan_fingerprint\",\n \"customLabel\": \"Count\"\n }\n 
},\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"bucket\",\n \"params\": {\n \"field\": \"plugin_name\",\n \"size\": 10,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"otherBucket\": false,\n \"otherBucketLabel\": \"Other\",\n \"missingBucket\": false,\n \"missingBucketLabel\": \"Missing\",\n \"customLabel\": \"Plugin Name\"\n }\n }\n ]\n}", - "uiStateJSON": "{\n \"vis\": {\n \"params\": {\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n }\n }\n }\n}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\n \"index\": \"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\n \"query\": {\n \"query\": {\n \"query_string\": {\n \"query\": \"*\",\n \"analyze_wildcard\": true,\n \"default_field\": \"*\"\n }\n },\n \"language\": \"lucene\"\n },\n \"filter\": []\n}" - } - } - }, - { - "id": "479deab0-8a39-11e7-a58a-9bfcb3761a3d", - "type": "visualization", - "attributes": { - "title": "VulnWhisperer - TL - TaggedAssetsPluginNames", - "visState": "{\n \"title\": \"VulnWhisperer - TL - TaggedAssetsPluginNames\",\n \"type\": \"timelion\",\n \"params\": {\n \"expression\": \".es(index='logstash-vulnwhisperer-*', q='tags:critical_asset OR tags:hipaa_asset OR tags:pci_asset', split=\\\"plugin_name:10\\\").bars(width=4).label(regex=\\\".*:(.+)>.*\\\",label=\\\"$1\\\")\",\n \"interval\": \"auto\"\n },\n \"aggs\": [],\n \"listeners\": {}\n}", - "uiStateJSON": "{}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\n \"query\": {\n \"query\": {\n \"query_string\": {\n \"query\": \"*\",\n \"analyze_wildcard\": true\n }\n },\n \"language\": \"lucene\"\n },\n \"filter\": []\n}" - } - } - }, - { - "id": "4a6d9090-f66e-11e8-8f42-af2e41422cf8", - "type": "index-pattern", - "attributes": { - "title": "logstash-vulnwhisperer-*", + "fields": 
"[{\"name\":\"@timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"access_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"access_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"affected_software\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"affected_software.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ajax_request\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ajax_request.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"app_id\",\"type\":\"string\",\"count\":0,\"scripted\":f
alse,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"app_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"asset\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"asset.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"asset_uuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"authentication\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"authentication.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"bids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"bids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"category\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"category_description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"category_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certs\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certs.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"rea
dFromDocValues\":true},{\"name\":\"cve\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cvss\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cvss3\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cvss3_base\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cvss3_severity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cvss3_temporal\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cvss3_vector\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cvss_base\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cvss_severity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cvss_temporal\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cvss_vector\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cwe\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"cwe.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"date\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":
true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"date.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"detection_date\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"detection_date.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"detection_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"detection_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"epoch\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"evidence\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"evidence.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"exploitability\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"exploitability.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocVa
lues\":true},{\"name\":\"false_pos\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"false_pos.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"form_entry_point\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"form_entry_point.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fqdn\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.latitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.longitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"groups\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"groups.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"high\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"high.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"history_id\",\"type\":\"string\",\"count\":
0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host_end\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host_start\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ignored\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ignored.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"impact\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"impact.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"last_time_detected\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"level\",\"t
ype\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"links\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"links.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"low\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"low.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mac_address\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"medium\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"medium.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"netbios\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nvt_oid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"nvt_oid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromD
ocValues\":true},{\"name\":\"operating_system\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"owasp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"owasp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"owner\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"owner.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"param\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"payload\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"payload.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pci_vuln\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"plugin_family\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"plugin_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"plugin_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"se
archable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"plugin_output\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"plugin_output.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"product_detection_result\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"product_detection_result.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"report_ids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"report_ids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_headers\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_headers.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_method.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_url\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchabl
e\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_url.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"result_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"result_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"risk\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"risk_number\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan_highest_severity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan_highest_severity.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan_severity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan_severity.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan_source\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scope\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocVal
ues\":false},{\"name\":\"scope.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"see_also\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"see_also.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"severity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"severity_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"severity_level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"severity_rate\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"severity_rate.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"solution\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ssl\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"status.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"synopsis\",\"type\":\"string\",\"count\":0,\"scr
ipted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"task\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"task.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"task_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"task_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uri\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uri.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"url\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"url.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"vendor_reference\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"vulnerability_detection_method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\
"vulnerability_detection_method.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"vulnerability_insight\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"vulnerability_insight.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wasc\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wasc.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"web_application_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"web_application_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan_fingerprint\",\"type\":\"string\",\"count\":1,\"scripted\":true,\"script\":\"doc['asset.keyword']+'_'+doc['plugin_id']\",\"lang\":\"painless\",\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false}]", + "fieldFormatMap": "{\"plugin_id\":{\"id\":\"number\",\"params\":{\"pattern\":\"00.[000]\"}}}", "timeFieldName": "@timestamp", - "fields": 
"[{\"name\":\"@timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"asset\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"asset.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"asset_uuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"assign_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"category\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cve\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cvss\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues
\":true},{\"name\":\"cvss3\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cvss3_base\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cvss3_temporal\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cvss3_temporal_vector\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cvss3_vector\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cvss_base\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cvss_temporal\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cvss_temporal_vector\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cvss_vector\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"exploitability\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"exploitability.keyword\",\"type\":\"string\",
\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fqdn\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.latitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.longitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"history_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host_end\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host_start\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"impact\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"impact.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ip_status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"last_upd
ated\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"operating_system\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pci_vuln\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"plugin_family\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"plugin_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"plugin_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"plugin_output\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"plugin_output.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"results\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"risk\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"risk_number\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\
"readFromDocValues\":true},{\"name\":\"risk_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"risk_score_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan_reference\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"see_also\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"solution\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ssl\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"synopsis\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"ag
gregatable\":true,\"readFromDocValues\":true},{\"name\":\"vendor_reference\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"vulnerability_state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan_fingerprint\",\"type\":\"string\",\"count\":1,\"scripted\":true,\"script\":\"doc['asset.keyword']+'_'+doc['plugin_id']\",\"lang\":\"painless\",\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false}]", - "fieldFormatMap": "{\"plugin_id\":{\"id\":\"number\",\"params\":{\"pattern\":\"00.[000]\"}}}" - } - }, - { - "id": "de1a5f40-3f85-11e7-97f9-3777d794626d", - "type": "visualization", - "attributes": { - "title": "VulnWhisperer - ScanName", - "visState": "{\n \"title\": \"VulnWhisperer - ScanName\",\n \"type\": \"table\",\n \"params\": {\n \"perPage\": 10,\n \"showPartialRows\": false,\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n },\n \"showTotal\": false,\n \"totalFunc\": \"sum\",\n \"showMetricsAtAllLevels\": false\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"count\",\n \"schema\": \"metric\",\n \"params\": {}\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"bucket\",\n \"params\": {\n \"field\": \"scan_name\",\n \"size\": 20,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"otherBucket\": false,\n \"otherBucketLabel\": \"Other\",\n \"missingBucket\": false,\n \"missingBucketLabel\": \"Missing\",\n \"customLabel\": \"Scan Name\"\n }\n }\n ]\n}", - "uiStateJSON": "{\n \"vis\": {\n \"params\": {\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n }\n }\n }\n}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\n \"index\": \"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\n \"query\": {\n \"query\": {\n \"query_string\": {\n \"query\": \"*\",\n 
\"analyze_wildcard\": true,\n \"default_field\": \"*\"\n }\n },\n \"language\": \"lucene\"\n },\n \"filter\": []\n}" - } - } + "title": "logstash-vulnwhisperer-*" + }, + "type": "index-pattern", + "id": "4a6d9090-f66e-11e8-8f42-af2e41422cf8" } ] \ No newline at end of file diff --git a/vulnwhisp/vulnwhisp.py b/vulnwhisp/vulnwhisp.py index 6ee8d79..69fb790 100755 --- a/vulnwhisp/vulnwhisp.py +++ b/vulnwhisp/vulnwhisp.py @@ -717,7 +717,7 @@ class vulnWhispererOpenVAS(vulnWhispererBase): 'Specific Result': 'plugin_output', 'NVT OID': 'nvt_oid', 'Task ID': 'task_id', - 'Task Name': 'task_name', + 'Task Name': 'scan_name', 'Timestamp': 'timestamp', 'Result ID': 'result_id', 'Impact': 'description', @@ -798,7 +798,7 @@ class vulnWhispererOpenVAS(vulnWhispererBase): vuln_ready.port = vuln_ready.port.replace('', 0).astype(int) # Set common fields - vuln_ready['scan_name'] = scan_name.encode('utf8') + # vuln_ready['scan_name'] = scan_name.encode('utf8') vuln_ready['scan_id'] = report_id vuln_ready['scan_time'] = launched_date vuln_ready['scan_source'] = self.CONFIG_SECTION From 74dd2d7ae72f1bee7bed9f5d61e6e7727d8dc72f Mon Sep 17 00:00:00 2001 From: pemontto Date: Thu, 2 May 2019 08:32:04 +0100 Subject: [PATCH 73/73] remove from root --- kibana_APIonly.json | 464 -------------------------------------------- 1 file changed, 464 deletions(-) delete mode 100644 kibana_APIonly.json diff --git a/kibana_APIonly.json b/kibana_APIonly.json deleted file mode 100644 index 6603b11..0000000 --- a/kibana_APIonly.json +++ /dev/null 
@@ -1,464 +0,0 @@ -[ - { - "attributes": { - "hits": 0, - "timeFrom": "now-30d", - "timeRestore": true, - "description": "", - "title": "VulnWhisperer - Reporting", - "panelsJSON": "[{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"x\":0,\"y\":54,\"w\":24,\"h\":20,\"i\":\"5\"},\"id\":\"2f979030-44b9-11e7-a818-f5f80dfc3590\",\"panelIndex\":\"5\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"x\":0,\"y\":34,\"w\":24,\"h\":20,\"i\":\"12\"},\"id\":\"8d9592d0-44ec-11e7-a05f-d9719b331a27\",\"panelIndex\":\"12\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"x\":24,\"y\":14,\"w\":24,\"h\":20,\"i\":\"14\"},\"id\":\"67d432e0-44ec-11e7-a05f-d9719b331a27\",\"panelIndex\":\"14\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":36,\"y\":34,\"w\":12,\"h\":20,\"i\":\"15\"},\"id\":\"297df800-3f7e-11e7-bd24-6903e3283192\",\"panelIndex\":\"15\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":24,\"y\":34,\"w\":12,\"h\":20,\"i\":\"20\"},\"id\":\"471a3580-3f6b-11e7-88e7-df1abe6547fb\",\"panelIndex\":\"20\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":40,\"y\":0,\"w\":8,\"h\":14,\"i\":\"22\"},\"id\":\"995e2280-3df3-11e7-a44e-c79ca8efb780\",\"panelIndex\":\"22\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"x\":0,\"y\":14,\"w\":24,\"h\":20,\"i\":\"29\"},\"id\":\"479deab0-8a39-11e7-a58a-9bfcb3761a3d\",\"panelIndex\":\"29\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"x\":0,\"y\":0,\"w\":10,\"h\":14,\"i\":\"34\"},\"version\":\"6.6.0\",\"panelIndex\":\"34\",\"type\":\"visualization\",\"id\":\"bee32150-6c3a-11e9-be42-ab2ba67e4720\",\"
embeddableConfig\":{}},{\"gridData\":{\"x\":10,\"y\":0,\"w\":10,\"h\":14,\"i\":\"35\"},\"version\":\"6.6.0\",\"panelIndex\":\"35\",\"type\":\"visualization\",\"id\":\"b4c2f790-6c3a-11e9-be42-ab2ba67e4720\",\"embeddableConfig\":{}},{\"gridData\":{\"x\":30,\"y\":0,\"w\":10,\"h\":14,\"i\":\"36\"},\"version\":\"6.6.0\",\"panelIndex\":\"36\",\"type\":\"visualization\",\"id\":\"ed8c5210-6c3a-11e9-be42-ab2ba67e4720\",\"embeddableConfig\":{}},{\"gridData\":{\"x\":20,\"y\":0,\"w\":10,\"h\":14,\"i\":\"37\"},\"version\":\"6.6.0\",\"panelIndex\":\"37\",\"type\":\"visualization\",\"id\":\"c81da600-6c3a-11e9-be42-ab2ba67e4720\",\"embeddableConfig\":{}}]", - "timeTo": "now", - "optionsJSON": "{\"darkTheme\":false,\"useMargins\":false}", - "version": 1, - "refreshInterval": { - "pause": true, - "value": 0 - }, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"match_all\":{}}}}" - } - }, - "version": 1, - "type": "dashboard", - "id": "72051530-448e-11e7-a818-f5f80dfc3590" - }, - { - "attributes": { - "hits": 0, - "timeFrom": "now-30d", - "timeRestore": true, - "description": "", - "title": "VulnWhisperer - Risk Mitigation", - "panelsJSON": 
"[{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":40,\"y\":15,\"w\":8,\"h\":30,\"i\":\"20\"},\"id\":\"995e2280-3df3-11e7-a44e-c79ca8efb780\",\"panelIndex\":\"20\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":0,\"direction\":\"desc\"}}}},\"gridData\":{\"x\":0,\"y\":35,\"w\":12,\"h\":25,\"i\":\"21\"},\"id\":\"852816e0-3eb1-11e7-90cb-918f9cb01e3d\",\"panelIndex\":\"21\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":12,\"y\":35,\"w\":13,\"h\":24,\"i\":\"27\"},\"id\":\"297df800-3f7e-11e7-bd24-6903e3283192\",\"panelIndex\":\"27\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":0,\"direction\":\"desc\"}}}},\"gridData\":{\"x\":32,\"y\":15,\"w\":8,\"h\":30,\"i\":\"28\"},\"id\":\"35b6d320-3f7f-11e7-bd24-6903e3283192\",\"panelIndex\":\"28\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":40,\"y\":0,\"w\":8,\"h\":15,\"i\":\"30\"},\"id\":\"471a3580-3f6b-11e7-88e7-df1abe6547fb\",\"panelIndex\":\"30\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":32,\"y\":0,\"w\":8,\"h\":15,\"i\":\"31\"},\"id\":\"de1a5f40-3f85-11e7-97f9-3777d794626d\",\"panelIndex\":\"31\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"x\":16,\"y\":15,\"w\":16,\"h\":10,\"i\":\"37\"},\"id\":\"5093c620-44e9-11e7-8014-ede06a7e69f8\",\"panelIndex\":\"37\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"columns\":[\"host\",\"risk\",\"risk_score\",\"cve\",\"plugin_name\",\"solution\",\"plugin_output\"],\
"sort\":[\"@timestamp\",\"desc\"]},\"gridData\":{\"x\":0,\"y\":60,\"w\":48,\"h\":30,\"i\":\"38\"},\"id\":\"54648700-3f74-11e7-852e-69207a3d0726\",\"panelIndex\":\"38\",\"type\":\"search\",\"version\":\"6.4.3\"},{\"gridData\":{\"x\":16,\"y\":25,\"w\":16,\"h\":10,\"i\":\"39\"},\"id\":\"fb6eb020-49ab-11e7-8f8c-57ad64ec48a6\",\"panelIndex\":\"39\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":true}},\"gridData\":{\"x\":0,\"y\":15,\"w\":16,\"h\":20,\"i\":\"46\"},\"id\":\"56f0f5f0-3ebe-11e7-a192-93f36fbd9d05\",\"panelIndex\":\"46\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":15,\"i\":\"47\"},\"version\":\"6.6.0\",\"panelIndex\":\"47\",\"type\":\"visualization\",\"id\":\"bee32150-6c3a-11e9-be42-ab2ba67e4720\",\"embeddableConfig\":{}},{\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":15,\"i\":\"48\"},\"version\":\"6.6.0\",\"panelIndex\":\"48\",\"type\":\"visualization\",\"id\":\"b4c2f790-6c3a-11e9-be42-ab2ba67e4720\",\"embeddableConfig\":{}},{\"gridData\":{\"x\":24,\"y\":0,\"w\":8,\"h\":15,\"i\":\"49\"},\"version\":\"6.6.0\",\"panelIndex\":\"49\",\"type\":\"visualization\",\"id\":\"ed8c5210-6c3a-11e9-be42-ab2ba67e4720\",\"embeddableConfig\":{}},{\"gridData\":{\"x\":16,\"y\":0,\"w\":8,\"h\":15,\"i\":\"50\"},\"version\":\"6.6.0\",\"panelIndex\":\"50\",\"type\":\"visualization\",\"id\":\"c81da600-6c3a-11e9-be42-ab2ba67e4720\",\"embeddableConfig\":{}}]", - "timeTo": "now", - "optionsJSON": "{\"darkTheme\":false,\"useMargins\":false}", - "version": 1, - "refreshInterval": { - "pause": true, - "value": 0 - }, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"match_all\":{}}}}" - } - }, - "version": 1, - "type": "dashboard", - "id": "AWCUqesWib22Ai8JwW3u" - }, - { - "attributes": { - "visState": "{\"title\":\"VulnWhisperer - Critical 
Assets\",\"type\":\"heatmap\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"enableHover\":true,\"legendPosition\":\"right\",\"times\":[],\"colorsNumber\":4,\"colorSchema\":\"Green to Red\",\"setColorRange\":true,\"colorsRange\":[{\"from\":0,\"to\":3},{\"from\":3,\"to\":7},{\"from\":7,\"to\":9},{\"from\":9,\"to\":11}],\"invertColors\":false,\"percentageMode\":false,\"valueAxes\":[{\"show\":false,\"id\":\"ValueAxis-1\",\"type\":\"value\",\"scale\":{\"type\":\"linear\",\"defaultYExtents\":false},\"labels\":{\"show\":false,\"rotate\":0,\"color\":\"white\"}}],\"type\":\"heatmap\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"risk_score\",\"customLabel\":\"Residual Risk Score\"}},{\"id\":\"2\",\"enabled\":false,\"type\":\"terms\",\"schema\":\"split\",\"params\":{\"field\":\"risk_score\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"row\":true}},{\"id\":\"3\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"Date\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"asset.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Critical Asset\"}}],\"listeners\":{}}", - "description": "", - "title": "VulnWhisperer - Critical Assets", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 3\":\"rgb(0,104,55)\",\"3 - 7\":\"rgb(135,203,103)\",\"7 - 9\":\"rgb(255,255,190)\",\"9 - 11\":\"rgb(249,142,82)\"},\"colors\":{\"8 - 10\":\"#BF1B00\",\"9 - 11\":\"#BF1B00\",\"7 - 9\":\"#EF843C\",\"3 - 7\":\"#EAB839\",\"0 - 3\":\"#7EB26D\"},\"legendOpen\":false}}", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": 
"{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"index\":\"logstash-vulnwhisperer-*\",\"negate\":false,\"disabled\":false,\"alias\":\"Critical Asset\",\"type\":\"phrase\",\"key\":\"tags\",\"value\":\"critical_asset\"},\"query\":{\"match\":{\"tags\":{\"query\":\"critical_asset\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}]}" - } - }, - "version": 1, - "type": "visualization", - "id": "465c5820-8977-11e7-857e-e1d56b17746d" - }, - { - "attributes": { - "visState": "{\"title\":\"VulnWhisperer-RiskOverTime\",\"type\":\"line\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"@timestamp per 12 hours\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"},\"valueAxis\":\"ValueAxis-1\"},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"orderBucketsBySum\":false,\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"type\":\"line\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":tru
e,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"filters\",\"schema\":\"group\",\"params\":{\"filters\":[{\"input\":{\"query\":{\"query_string\":{\"query\":\"risk_score_name:info\"}}},\"label\":\"Info\"},{\"input\":{\"query\":{\"query_string\":{\"query\":\"risk_score_name:low\"}}},\"label\":\"Low\"},{\"input\":{\"query\":{\"query_string\":{\"query\":\"risk_score_name:medium\"}}},\"label\":\"Medium\"},{\"input\":{\"query\":{\"query_string\":{\"query\":\"risk_score_name:high\"}}},\"label\":\"High\"},{\"input\":{\"query\":{\"query_string\":{\"query\":\"risk_score_name:critical\"}}},\"label\":\"Critical\"}]}}],\"listeners\":{}}", - "description": "", - "title": "VulnWhisperer-RiskOverTime", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Critical\":\"#962D82\",\"High\":\"#BF1B00\",\"Low\":\"#629E51\",\"Medium\":\"#EAB839\",\"Info\":\"#65C5DB\"}}}", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "version": 1, - "type": "visualization", - "id": "56f0f5f0-3ebe-11e7-a192-93f36fbd9d05" - }, - { - "attributes": { - "visState": "{\"title\":\"VulnWhisperer - Mitigation Readme\",\"type\":\"markdown\",\"params\":{\"markdown\":\"** Legend **\\n\\n* [Common Vulnerability Scoring System (CVSS)](https://nvd.nist.gov/vuln-metrics/cvss) is the NIST vulnerability scoring system\\n* Risk Number is residual risk score calculated from CVSS, which is adjusted to be specific to Heartland which accounts for services not in use such as Java and Flash\\n* Vulnerabilities by Tag are systems tagged with HIPAA and PCI identification.\\n\\n\\n** Workflow **\\n* Select 10.0 under Risk Number to identify Critical 
Vulnerabilities. \\n* For more information about a CVE, scroll down and click the CVE link.\\n* To filter by tags, use one of the following filters:\\n** tags:has_hipaa_data, tags:pci_asset, tags:hipaa_asset, tags:critical_asset**\"},\"aggs\":[],\"listeners\":{}}", - "description": "", - "title": "VulnWhisperer - Mitigation Readme", - "uiStateJSON": "{}", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "version": 1, - "type": "visualization", - "id": "5093c620-44e9-11e7-8014-ede06a7e69f8" - }, - { - "attributes": { - "visState": "{\"title\":\"VulnWhisperer - Vulnerabilities by Tag\",\"type\":\"table\",\"params\":{\"perPage\":3,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"filters\",\"schema\":\"bucket\",\"params\":{\"filters\":[{\"input\":{\"query\":{\"query_string\":{\"query\":\"tags:has_hipaa_data\",\"analyze_wildcard\":true}}},\"label\":\"Systems with HIPAA data\"},{\"input\":{\"query\":{\"query_string\":{\"query\":\"tags:pci_asset\",\"analyze_wildcard\":true}}},\"label\":\"PCI Systems\"},{\"input\":{\"query\":{\"query_string\":{\"query\":\"tags:hipaa_asset\",\"analyze_wildcard\":true}}},\"label\":\"HIPAA Systems\"}]}}],\"listeners\":{}}", - "description": "", - "title": "VulnWhisperer - Vulnerabilities by Tag", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "version": 
1, - "type": "visualization", - "id": "471a3580-3f6b-11e7-88e7-df1abe6547fb" - }, - { - "attributes": { - "visState": "{\"title\":\"VulnWhisperer-Description\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"description.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Description\"}}],\"listeners\":{}}", - "description": "", - "title": "VulnWhisperer-Description", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "version": 1, - "type": "visualization", - "id": "1de9e550-3df1-11e7-a44e-c79ca8efb780" - }, - { - "attributes": { - "visState": "{\n \"title\": \"VulnWhisperer-Solution\",\n \"type\": \"table\",\n \"params\": {\n \"perPage\": 10,\n \"showMeticsAtAllLevels\": false,\n \"showPartialRows\": false,\n \"showTotal\": false,\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n },\n \"totalFunc\": \"sum\"\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"count\",\n \"schema\": \"metric\",\n \"params\": {}\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"bucket\",\n \"params\": {\n \"field\": \"solution\",\n \"size\": 50,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"customLabel\": \"Solution\"\n }\n }\n ],\n \"listeners\": {}\n}", - "description": "", - "title": "VulnWhisperer-Solution", - "uiStateJSON": "{\n \"vis\": {\n 
\"params\": {\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n }\n }\n }\n}", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\n \"index\": \"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\n \"query\": {\n \"query\": {\n \"query_string\": {\n \"analyze_wildcard\": true,\n \"query\": \"*\"\n }\n },\n \"language\": \"lucene\"\n },\n \"filter\": []\n}" - } - }, - "version": 1, - "type": "visualization", - "id": "13c7d4e0-3df3-11e7-a44e-c79ca8efb780" - }, - { - "attributes": { - "visState": "{\"title\":\"VulnWhisperer - AggTest\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"top_hits\",\"schema\":\"metric\",\"params\":{\"field\":\"@timestamp\",\"aggregate\":\"concat\",\"size\":1,\"sortField\":\"@timestamp\",\"sortOrder\":\"desc\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"asset.keyword\",\"size\":1000,\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"plugin_id\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", - "description": "", - "title": "VulnWhisperer - AggTest", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "version": 1, - "type": "visualization", - "id": "f9b68640-fda5-11e8-8f42-af2e41422cf8" - }, - { - "attributes": { - 
"visState": "{\"title\":\"VulnWhisperer-CVSS\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":0,\"direction\":\"desc\"},\"totalFunc\":\"sum\",\"type\":\"table\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"scan_fingerprint\",\"customLabel\":\"Unique Findings\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"cvss\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"CVSS Score\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"asset.keyword\",\"customLabel\":\"# of Assets\"}}]}", - "description": "", - "title": "VulnWhisperer-CVSS", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":0,\"direction\":\"desc\"}}}}", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true,\"default_field\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "version": 1, - "type": "visualization", - "id": "852816e0-3eb1-11e7-90cb-918f9cb01e3d" - }, - { - "attributes": { - "visState": 
"{\"title\":\"VulnWhisperer-Asset\",\"type\":\"table\",\"params\":{\"perPage\":15,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\",\"type\":\"table\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"scan_fingerprint\",\"customLabel\":\"Findings\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"asset.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Asset\"}}]}", - "description": "", - "title": "VulnWhisperer-Asset", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "version": 1, - "type": "visualization", - "id": "995e2280-3df3-11e7-a44e-c79ca8efb780" - }, - { - "attributes": { - "visState": "{\"title\":\"VulnWhisperer - TL-Critical Risk\",\"type\":\"timelion\",\"params\":{\"expression\":\".es(index='logstash-vulnwhisperer-*',q='(risk_score:>=9 AND risk_score:<=10)').label(\\\"Original\\\"),.es(index='logstash-vulnwhisperer-*',q='(risk_score:>=9 AND risk_score:<=10)',offset=-1w).label(\\\"One week offset\\\"),.es(index='logstash-vulnwhisperer-*',q='(risk_score:>=9 AND risk_score:<=10)').subtract(.es(index='logstash-vulnwhisperer-*',q='(risk_score:>=9 AND risk_score:<=10)',offset=-1w)).label(\\\"Difference\\\").lines(steps=3,fill=2,width=1)\",\"interval\":\"auto\"},\"aggs\":[],\"listeners\":{}}", - "description": "", - "title": "VulnWhisperer - TL-Critical Risk", - "uiStateJSON": "{}", - 
"version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "version": 1, - "type": "visualization", - "id": "67d432e0-44ec-11e7-a05f-d9719b331a27" - }, - { - "attributes": { - "visState": "{\"title\":\"VulnWhisperer - TL-High Risk\",\"type\":\"timelion\",\"params\":{\"expression\":\".es(index='logstash-vulnwhisperer-*',q='(risk_score:>=7 AND risk_score:<9)').label(\\\"Original\\\"),.es(index='logstash-vulnwhisperer-*',q='(risk_score:>=7 AND risk_score:<9)',offset=-1w).label(\\\"One week offset\\\"),.es(index='logstash-vulnwhisperer-*',q='(risk_score:>=7 AND risk_score:<9)').subtract(.es(index='logstash-vulnwhisperer-*',q='(risk_score:>=7 AND risk_score:<9)',offset=-1w)).label(\\\"Difference\\\").lines(steps=3,fill=2,width=1)\",\"interval\":\"auto\"},\"aggs\":[],\"listeners\":{}}", - "description": "", - "title": "VulnWhisperer - TL-High Risk", - "uiStateJSON": "{}", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "version": 1, - "type": "visualization", - "id": "8d9592d0-44ec-11e7-a05f-d9719b331a27" - }, - { - "attributes": { - "visState": "{\n \"title\": \"VulnWhisperer - ScanBarChart\",\n \"type\": \"histogram\",\n \"params\": {\n \"addLegend\": true,\n \"addTimeMarker\": false,\n \"addTooltip\": true,\n \"defaultYExtents\": false,\n \"legendPosition\": \"right\",\n \"mode\": \"stacked\",\n \"scale\": \"linear\",\n \"setYExtents\": false,\n \"times\": [],\n \"type\": \"histogram\",\n \"grid\": {\n \"categoryLines\": false,\n \"style\": {\n \"color\": \"#eee\"\n }\n },\n \"categoryAxes\": [\n {\n \"id\": \"CategoryAxis-1\",\n \"type\": \"category\",\n \"position\": \"bottom\",\n \"show\": true,\n \"style\": {},\n \"scale\": {\n \"type\": \"linear\"\n },\n \"labels\": 
{\n \"show\": true,\n \"truncate\": 100\n },\n \"title\": {}\n }\n ],\n \"valueAxes\": [\n {\n \"id\": \"ValueAxis-1\",\n \"name\": \"LeftAxis-1\",\n \"type\": \"value\",\n \"position\": \"left\",\n \"show\": true,\n \"style\": {},\n \"scale\": {\n \"type\": \"linear\",\n \"mode\": \"normal\",\n \"setYExtents\": false,\n \"defaultYExtents\": false\n },\n \"labels\": {\n \"show\": true,\n \"rotate\": 0,\n \"filter\": false,\n \"truncate\": 100\n },\n \"title\": {\n \"text\": \"Unique count of scan_fingerprint\"\n }\n }\n ],\n \"seriesParams\": [\n {\n \"show\": \"true\",\n \"type\": \"histogram\",\n \"mode\": \"stacked\",\n \"data\": {\n \"label\": \"Unique count of scan_fingerprint\",\n \"id\": \"1\"\n },\n \"valueAxis\": \"ValueAxis-1\"\n }\n ]\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"cardinality\",\n \"schema\": \"metric\",\n \"params\": {\n \"field\": \"scan_fingerprint\"\n }\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"segment\",\n \"params\": {\n \"field\": \"plugin_name\",\n \"size\": 10,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"otherBucket\": false,\n \"otherBucketLabel\": \"Other\",\n \"missingBucket\": false,\n \"missingBucketLabel\": \"Missing\",\n \"customLabel\": \"Scan Name\"\n }\n }\n ]\n}", - "description": "", - "title": "VulnWhisperer - ScanBarChart", - "uiStateJSON": "{}", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\n \"index\": \"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\n \"query\": {\n \"query\": {\n \"query_string\": {\n \"analyze_wildcard\": true,\n \"query\": \"*\",\n \"default_field\": \"*\"\n }\n },\n \"language\": \"lucene\"\n },\n \"filter\": []\n}" - } - }, - "version": 1, - "type": "visualization", - "id": "2f979030-44b9-11e7-a818-f5f80dfc3590" - }, - { - "attributes": { - "visState": "{\n \"title\": \"VulnWhisperer - Plugin Name\",\n \"type\": \"table\",\n \"params\": {\n \"perPage\": 10,\n \"showPartialRows\": false,\n \"sort\": 
{\n \"columnIndex\": null,\n \"direction\": null\n },\n \"showTotal\": false,\n \"totalFunc\": \"sum\",\n \"showMetricsAtAllLevels\": false\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"cardinality\",\n \"schema\": \"metric\",\n \"params\": {\n \"field\": \"scan_fingerprint\",\n \"customLabel\": \"Count\"\n }\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"bucket\",\n \"params\": {\n \"field\": \"plugin_name\",\n \"size\": 10,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"otherBucket\": false,\n \"otherBucketLabel\": \"Other\",\n \"missingBucket\": false,\n \"missingBucketLabel\": \"Missing\",\n \"customLabel\": \"Plugin Name\"\n }\n }\n ]\n}", - "description": "", - "title": "VulnWhisperer - Plugin Name", - "uiStateJSON": "{\n \"vis\": {\n \"params\": {\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n }\n }\n }\n}", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\n \"index\": \"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\n \"query\": {\n \"query\": {\n \"query_string\": {\n \"query\": \"*\",\n \"analyze_wildcard\": true,\n \"default_field\": \"*\"\n }\n },\n \"language\": \"lucene\"\n },\n \"filter\": []\n}" - } - }, - "version": 1, - "type": "visualization", - "id": "297df800-3f7e-11e7-bd24-6903e3283192" - }, - { - "attributes": { - "visState": "{\n \"title\": \"VulnWhisperer - TL - TaggedAssetsPluginNames\",\n \"type\": \"timelion\",\n \"params\": {\n \"expression\": \".es(index='logstash-vulnwhisperer-*', q='tags:critical_asset OR tags:hipaa_asset OR tags:pci_asset', split=\\\"plugin_name:10\\\").bars(width=4).label(regex=\\\".*:(.+)>.*\\\",label=\\\"$1\\\")\",\n \"interval\": \"auto\"\n },\n \"aggs\": [],\n \"listeners\": {}\n}", - "description": "", - "title": "VulnWhisperer - TL - TaggedAssetsPluginNames", - "uiStateJSON": "{}", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\n \"query\": {\n \"query\": {\n \"query_string\": {\n 
\"query\": \"*\",\n \"analyze_wildcard\": true\n }\n },\n \"language\": \"lucene\"\n },\n \"filter\": []\n}" - } - }, - "version": 1, - "type": "visualization", - "id": "479deab0-8a39-11e7-a58a-9bfcb3761a3d" - }, - { - "attributes": { - "visState": "{\n \"title\": \"VulnWhisperer - ScanName\",\n \"type\": \"table\",\n \"params\": {\n \"perPage\": 10,\n \"showPartialRows\": false,\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n },\n \"showTotal\": false,\n \"totalFunc\": \"sum\",\n \"showMetricsAtAllLevels\": false\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"count\",\n \"schema\": \"metric\",\n \"params\": {}\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"bucket\",\n \"params\": {\n \"field\": \"scan_name\",\n \"size\": 20,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"otherBucket\": false,\n \"otherBucketLabel\": \"Other\",\n \"missingBucket\": false,\n \"missingBucketLabel\": \"Missing\",\n \"customLabel\": \"Scan Name\"\n }\n }\n ]\n}", - "description": "", - "title": "VulnWhisperer - ScanName", - "uiStateJSON": "{\n \"vis\": {\n \"params\": {\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n }\n }\n }\n}", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\n \"index\": \"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\n \"query\": {\n \"query\": {\n \"query_string\": {\n \"query\": \"*\",\n \"analyze_wildcard\": true,\n \"default_field\": \"*\"\n }\n },\n \"language\": \"lucene\"\n },\n \"filter\": []\n}" - } - }, - "version": 1, - "type": "visualization", - "id": "de1a5f40-3f85-11e7-97f9-3777d794626d" - }, - { - "attributes": { - "visState": "{\n \"title\": \"VulnWhisperer - Residual Risk\",\n \"type\": \"table\",\n \"params\": {\n \"perPage\": 15,\n \"showPartialRows\": false,\n \"sort\": {\n \"columnIndex\": 0,\n \"direction\": \"desc\"\n },\n \"showTotal\": false,\n \"totalFunc\": \"sum\",\n \"showMetricsAtAllLevels\": false\n },\n \"aggs\": [\n 
{\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"cardinality\",\n \"schema\": \"metric\",\n \"params\": {\n \"field\": \"scan_fingerprint\",\n \"customLabel\": \"Count\"\n }\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"bucket\",\n \"params\": {\n \"field\": \"risk_number\",\n \"size\": 50,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"otherBucket\": false,\n \"otherBucketLabel\": \"Other\",\n \"missingBucket\": false,\n \"missingBucketLabel\": \"Missing\",\n \"customLabel\": \"Risk Number\"\n }\n }\n ]\n}", - "description": "", - "title": "VulnWhisperer - Residual Risk", - "uiStateJSON": "{\n \"vis\": {\n \"params\": {\n \"sort\": {\n \"columnIndex\": 0,\n \"direction\": \"desc\"\n }\n }\n }\n}", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\n \"index\": \"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\n \"query\": {\n \"query\": {\n \"query_string\": {\n \"query\": \"*\",\n \"analyze_wildcard\": true,\n \"default_field\": \"*\"\n }\n },\n \"language\": \"lucene\"\n },\n \"filter\": []\n}" - } - }, - "version": 1, - "type": "visualization", - "id": "35b6d320-3f7f-11e7-bd24-6903e3283192" - }, - { - "attributes": { - "visState": "{\"title\":\"VulnWhisperer - Risk High\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"schema\":\"group\",\"params\":{\"filters\":[{\"input\":{\"query\":\"risk:high\"},\"label\":\"Risk: High\"}]}}]}", - "description": "", - "title": "VulnWhisperer - Risk High", - 
"uiStateJSON": "{}", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "version": 1, - "type": "visualization", - "id": "b4c2f790-6c3a-11e9-be42-ab2ba67e4720" - }, - { - "attributes": { - "visState": "{\"title\":\"VulnWhisperer - Risk Low\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"schema\":\"group\",\"params\":{\"filters\":[{\"input\":{\"query\":\"risk:low\"},\"label\":\"Risk: Low\"}]}}]}", - "description": "", - "title": "VulnWhisperer - Risk Low", - "uiStateJSON": "{}", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "version": 1, - "type": "visualization", - "id": "ed8c5210-6c3a-11e9-be42-ab2ba67e4720" - }, - { - "attributes": { - "visState": "{\n \"title\": \"VulnWhisperer - Critical Risk Score for Tagged Assets\",\n \"type\": \"timelion\",\n \"params\": {\n \"expression\": \".es(index=logstash-vulnwhisperer-*,q='risk_number:>9 AND tags:hipaa_asset').label(\\\"HIPAA Assets\\\"),.es(index=logstash-vulnwhisperer-*,q='risk_number:>9 AND tags:pci_asset').label(\\\"PCI Systems\\\"),.es(index=logstash-vulnwhisperer-*,q='risk_number:>9 AND tags:has_hipaa_data').label(\\\"Has HIPAA Data\\\")\",\n \"interval\": \"auto\"\n },\n \"aggs\": [],\n \"listeners\": {}\n}", - 
"description": "", - "title": "VulnWhisperer - Critical Risk Score for Tagged Assets", - "uiStateJSON": "{}", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\n \"query\": {\n \"query\": {\n \"query_string\": {\n \"query\": \"*\",\n \"analyze_wildcard\": true\n }\n },\n \"language\": \"lucene\"\n },\n \"filter\": []\n}" - } - }, - "version": 1, - "type": "visualization", - "id": "fb6eb020-49ab-11e7-8f8c-57ad64ec48a6" - }, - { - "attributes": { - "visState": "{\"title\":\"VulnWhisperer - Risk Critical\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"schema\":\"group\",\"params\":{\"filters\":[{\"input\":{\"query\":\"risk:critical\"},\"label\":\"Risk: Critical\"}]}}]}", - "description": "", - "title": "VulnWhisperer - Risk Critical", - "uiStateJSON": "{}", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "version": 1, - "type": "visualization", - "id": "bee32150-6c3a-11e9-be42-ab2ba67e4720" - }, - { - "attributes": { - "visState": "{\"title\":\"VulnWhisperer - Risk Medium\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to 
Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"schema\":\"group\",\"params\":{\"filters\":[{\"input\":{\"query\":\"risk:medium\"},\"label\":\"Risk: Medium\"}]}}]}", - "description": "", - "title": "VulnWhisperer - Risk Medium", - "uiStateJSON": "{}", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "version": 1, - "type": "visualization", - "id": "c81da600-6c3a-11e9-be42-ab2ba67e4720" - }, - { - "attributes": { - "sort": [ - "@timestamp", - "desc" - ], - "hits": 0, - "description": "", - "title": "VulnWhisperer - High Risk", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}}},\"filter\":[{\"meta\":{\"negate\":false,\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"type\":\"phrase\",\"key\":\"risk\",\"value\":\"High\",\"params\":{\"query\":\"High\",\"type\":\"phrase\"},\"disabled\":false,\"alias\":null},\"query\":{\"match\":{\"risk\":{\"query\":\"High\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"highlightAll\":true,\"version\":true}" - }, - "columns": [ - "host", - "risk", - "risk_score", - "cve", - "plugin_name", - "solution", - "plugin_output" - ] - }, - "version": 1, - "type": 
"search", - "id": "159d2500-f773-11e8-8f42-af2e41422cf8" - }, - { - "attributes": { - "sort": [ - "@timestamp", - "desc" - ], - "hits": 0, - "description": "", - "title": "VulnWhisperer - Saved Search", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647}}" - }, - "columns": [ - "host", - "risk", - "risk_score", - "cve", - "plugin_name", - "solution", - "plugin_output" - ] - }, - "version": 1, - "type": "search", - "id": "54648700-3f74-11e7-852e-69207a3d0726" - }, - { - "attributes": { - "sort": [ - "@timestamp", - "desc" - ], - "hits": 0, - "description": "", - "title": "VulnWhisperer - Compliance", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"4a6d9090-f66e-11e8-8f42-af2e41422cf8\",\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[]}" - }, - "columns": [ - "plugin_id", - "cve", - "cvss", - "risk", - "asset", - "protocol", - "port", - "plugin_name", - "synopsis", - "description", - "solution", - "see_also", - "plugin_output" - ] - }, - "version": 1, - "type": "search", - "id": "41a7e430-fdb5-11e8-8f42-af2e41422cf8" - }, - { - "version": 1, - "migrationVersion": { - "index-pattern": "6.5.0" - }, - "attributes": { - "fields": 
"[{\"name\":\"@timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"access_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"access_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"affected_software\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"affected_software.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ajax_request\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ajax_request.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"app_id\",\"type\":\"string\",\"count\":0,\"scripted\":f
alse,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"app_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"asset\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"asset.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"asset_uuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"authentication\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"authentication.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"bids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"bids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"category\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"category_description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"category_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certs\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certs.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"rea
dFromDocValues\":true},{\"name\":\"cve\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cvss\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cvss3\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cvss3_base\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cvss3_severity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cvss3_temporal\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cvss3_vector\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cvss_base\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cvss_severity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cvss_temporal\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cvss_vector\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cwe\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"cwe.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"date\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":
true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"date.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"detection_date\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"detection_date.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"detection_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"detection_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"epoch\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"evidence\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"evidence.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"exploitability\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"exploitability.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocVa
lues\":true},{\"name\":\"false_pos\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"false_pos.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"form_entry_point\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"form_entry_point.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fqdn\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.latitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.longitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"groups\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"groups.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"high\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"high.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"history_id\",\"type\":\"string\",\"count\":
0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host_end\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host_start\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ignored\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ignored.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"impact\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"impact.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"last_time_detected\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"level\",\"t
ype\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"links\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"links.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"low\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"low.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mac_address\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"medium\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"medium.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"netbios\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nvt_oid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"nvt_oid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromD
ocValues\":true},{\"name\":\"operating_system\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"owasp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"owasp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"owner\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"owner.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"param\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"param.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"payload\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"payload.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pci_vuln\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"plugin_family\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"plugin_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"plugin_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"se
archable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"plugin_output\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"plugin_output.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"product_detection_result\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"product_detection_result.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"report_ids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"report_ids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_headers\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_headers.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_method.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_url\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchabl
e\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_url.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"result_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"result_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"risk\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"risk_number\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan_highest_severity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan_highest_severity.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan_severity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan_severity.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan_source\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scope\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocVal
ues\":false},{\"name\":\"scope.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"see_also\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"see_also.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"severity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"severity_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"severity_level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"severity_rate\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"severity_rate.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"solution\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ssl\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"status.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"synopsis\",\"type\":\"string\",\"count\":0,\"scr
ipted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"task\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"task.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"task_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"task_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"task_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"task_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uri\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uri.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"url\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"url.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"vendor_reference\",
\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"vulnerability_detection_method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"vulnerability_detection_method.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"vulnerability_insight\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"vulnerability_insight.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wasc\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wasc.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"web_application_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"web_application_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan_fingerprint\",\"type\":\"string\",\"count\":1,\"scripted\":true,\"script\":\"doc['asset.keyword']+'_'+doc['plugin_id']\",\"lang\":\"painless\",\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false}]", - "fieldFormatMap": "{\"plugin_id\":{\"id\":\"number\",\"params\":{\"pattern\":\"00.[000]\"}}}", - "timeFieldName": "@timestamp", - "title": "logstash-vulnwhisperer-*" - }, - "type": "index-pattern", - "id": "4a6d9090-f66e-11e8-8f42-af2e41422cf8" - } -] \ No newline at end of file