Skip to main content

Overview

The Vulnerability Detection module continuously scans your infrastructure to identify applications and systems affected by well-known vulnerabilities. It correlates installed software packages with vulnerability databases to help you prioritize and remediate security weaknesses before they can be exploited.

Key Features

Automated Vulnerability Scanning

Continuous vulnerability assessment across your infrastructure:
  • Automatic Package Detection: Automatically inventory installed software packages
  • CVE Correlation: Match packages against Common Vulnerabilities and Exposures (CVE) database
  • Real-time Updates: Continuous updates from vulnerability feeds
  • Multi-platform Support: Scan Linux, Windows, and macOS systems
  • Application Scanning: Detect vulnerabilities in installed applications

Comprehensive Vulnerability Data

Detailed vulnerability information for informed decision-making:
  • CVE Details: Complete CVE information including descriptions and references
  • CVSS Scores: Common Vulnerability Scoring System ratings
  • Severity Classification: Critical, High, Medium, and Low severity levels
  • Affected Packages: List of vulnerable package versions
  • Remediation Information: Patch availability and upgrade recommendations

Interactive Dashboards

Powerful visualization and analysis tools:
  • Overview Dashboard: Organization-wide vulnerability posture (Dashboard ID: vulnerabilities-overview-dashboard)
  • Agent Dashboard: Vulnerabilities for specific agents (Dashboard ID: vulnerabilities-pinned-agent-dashboard)
  • Inventory View: Detailed vulnerability inventory and states
  • Trend Analysis: Track vulnerability remediation progress

Data Sources

The Vulnerability Detection module uses specialized index patterns:

Vulnerability States

  • Pattern: wazuh-states-vulnerabilities*
  • Type: Current vulnerability state for all agents
  • Data: CVE information, affected packages, severity, status

Events Data

  • Pattern: wazuh-events*
  • Type: Vulnerability detection events and changes

Event Data Structure

Vulnerability events include:
FieldDescription
timestampWhen the vulnerability was detected
wazuh.agent.nameName of the affected agent
vulnerability.cveCVE identifier
vulnerability.severitySeverity level (Critical/High/Medium/Low)
vulnerability.cvss.scoreCVSS score
package.nameName of the vulnerable package
package.versionInstalled package version
vulnerability.statusStatus (Active, Patched, Under Evaluation)

Evaluation Filtering

The module includes advanced filtering for vulnerability management:

Under Evaluation Filter

Manage vulnerabilities under review:
  • Filter Component: VulsEvaluationFilter
  • Field: vulnerability.under_evaluation
  • Use Case: Track vulnerabilities being assessed for false positives or risk acceptance
// Filter implementation
vulnerabilityManagedFilters.underEvaluation
  managedField: UNDER_EVALUATION_FIELD
  component: VulsEvaluationFilter

Vulnerability Inventory

Access comprehensive vulnerability state information:

Inventory Dashboard

View detailed vulnerability inventory:
  • Current vulnerability states for all agents
  • Package version information
  • CVE details and references
  • Remediation status tracking
  • Historical vulnerability data
Dashboard ID: vulnerabilities-inventory-dashboard
Agent Dashboard ID: vulnerabilities-agent-inventory-dashboard

Vulnerability Lifecycle

Detection

  1. Agent inventories installed packages
  2. Package information sent to Wazuh manager
  3. Manager correlates packages with vulnerability database
  4. Vulnerabilities identified and indexed

Assessment

  1. Review detected vulnerabilities
  2. Evaluate severity and exploitability
  3. Mark for evaluation if needed
  4. Prioritize based on business impact

Remediation

  1. Plan remediation activities
  2. Test patches in staging environment
  3. Deploy patches to production
  4. Verify vulnerability resolution
  5. Document remediation actions

Use Cases

Continuous Vulnerability Management

Maintain ongoing vulnerability awareness:
  1. Monitor vulnerability detection dashboard daily
  2. Review new vulnerabilities as they’re discovered
  3. Assess criticality and exploitability
  4. Plan and execute remediation
  5. Track remediation progress

Compliance Requirements

Meet regulatory vulnerability management requirements:
  • PCI DSS 6.2: Identify and address vulnerabilities
  • HIPAA: Protect against known vulnerabilities
  • ISO 27001: Implement vulnerability management controls
  • NIST: Follow vulnerability management guidelines
  • SOC 2: Demonstrate vulnerability remediation processes

Patch Management

Support systematic patch management:
  1. Identify systems requiring patches
  2. Prioritize patches by severity and exploitability
  3. Schedule patch deployment windows
  4. Verify patch application
  5. Confirm vulnerability remediation

Risk Assessment

Inform security risk assessments:
  • Quantify vulnerability exposure
  • Assess potential business impact
  • Calculate risk scores
  • Support risk acceptance decisions
  • Track risk reduction over time

Incident Response

Support security incident investigations:
  1. Check if exploited vulnerabilities were known
  2. Identify other systems with same vulnerability
  3. Assess scope of potential compromise
  4. Prioritize emergency patching
  5. Document incident findings

Integration with Other Modules

Vulnerability Detection integrates with:
  • Threat Hunting: Correlate vulnerability exploits with security events
  • Malware Detection: Link malware infections to exploited vulnerabilities
  • System Inventory: Cross-reference with installed software inventory
  • Configuration Assessment: Verify configurations reduce vulnerability risk
  • MITRE ATT&CK: Map vulnerabilities to exploitation techniques

Vulnerability Sources

The module leverages multiple vulnerability intelligence sources:

National Vulnerability Database (NVD)

  • Official CVE repository
  • CVSS scores and metrics
  • Detailed vulnerability descriptions
  • References and advisories

Operating System Vendors

  • Red Hat Security Advisories (RHSA)
  • Debian Security Advisories (DSA)
  • Ubuntu Security Notices (USN)
  • Microsoft Security Updates
  • Apple Security Updates

Package Repositories

  • Distribution-specific vulnerability data
  • Package-level vulnerability tracking
  • Patch availability information

Severity Levels

Critical (CVSS 9.0-10.0)

  • Immediate action required
  • Remote code execution without authentication
  • Critical infrastructure impact
  • Widespread exploitation observed

High (CVSS 7.0-8.9)

  • Urgent remediation needed
  • Significant security impact
  • Exploitation likely
  • Sensitive data exposure risk

Medium (CVSS 4.0-6.9)

  • Scheduled remediation
  • Moderate security impact
  • Limited exploitation risk
  • Requires specific conditions

Low (CVSS 0.1-3.9)

  • Low priority remediation
  • Minimal security impact
  • Unlikely exploitation
  • Limited scope

Best Practices

  1. Regular Scanning: Ensure continuous vulnerability scanning is enabled
  2. Prioritize Remediation: Focus on critical and high severity vulnerabilities first
  3. Patch Testing: Test patches before production deployment
  4. Track Metrics: Monitor vulnerability detection and remediation metrics
  5. Automate Workflows: Integrate with patch management and ticketing systems
  6. Document Exceptions: Formally document accepted risks and compensating controls
  7. Update Feeds: Ensure vulnerability feeds are regularly updated
  8. Cross-functional Teams: Involve security, operations, and development teams

Configuration

Enable Vulnerability Detection

<vulnerability-detector>
  <enabled>yes</enabled>
  <interval>5m</interval>
  <run_on_start>yes</run_on_start>
</vulnerability-detector>

Configure Feeds

<vulnerability-detector>
  <feed name="nvd">
    <update_interval>1h</update_interval>
  </feed>
</vulnerability-detector>

Performance Considerations

  • Scan Intervals: Balance between detection speed and system load
  • Feed Updates: Schedule feed updates during off-peak hours
  • Index Management: Regularly maintain vulnerability indices
  • Agent Load: Monitor agent resource usage during scans

Component Architecture

The Vulnerability Detection module architecture: 
// Dashboard component
DashboardVuls
  DataSource: VulnerabilitiesDataSource
  Repository: VulnerabilitiesDataSourceRepository
  Dashboard ID: vulnerabilities-overview-dashboard
  Agent Dashboard ID: vulnerabilities-pinned-agent-dashboard
  Managed Filters: vulnerabilityManagedFilters
    - underEvaluation filter
Location in codebase: /plugins/main/public/components/overview/vulnerabilities/

Sample Data

The module supports sample data for testing:
  • Category: Vulnerabilities
  • Pattern: wazuh-states-vulnerabilities*

Reporting

Generate comprehensive vulnerability reports:
  • Executive Summary: High-level vulnerability posture
  • Detailed Inventory: Complete vulnerability listings
  • Remediation Status: Patch deployment progress
  • Trend Analysis: Vulnerability trends over time
  • Compliance Reports: Vulnerability management compliance