diff --git a/packages/tenable_sc/_dev/build/docs/README.md b/packages/tenable_sc/_dev/build/docs/README.md index 291a47679a9..2fcd5e30c00 100644 --- a/packages/tenable_sc/_dev/build/docs/README.md +++ b/packages/tenable_sc/_dev/build/docs/README.md @@ -4,7 +4,7 @@ The Tenable.sc integration collects and parses data from the [Tenable.sc](https: ## Compatibility -This module has been tested against `Tenable.sc version 5.18` +This module has been tested against `Tenable.sc version 5.22`. ## Requirements diff --git a/packages/tenable_sc/changelog.yml b/packages/tenable_sc/changelog.yml index df15f8819b7..c4c905a8035 100644 --- a/packages/tenable_sc/changelog.yml +++ b/packages/tenable_sc/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.4.1" + changes: + - description: Fix an indefinite pagination bug by adding explicit pagination termination conditions. In Agent versions >= 8.2.0 pagination termination was never happening. + type: bugfix + link: https://github.com/elastic/integrations/pull/3961 - version: "1.4.0" changes: - description: Update package to ECS 8.4.0 diff --git a/packages/tenable_sc/data_stream/asset/agent/stream/httpjson.yml.hbs b/packages/tenable_sc/data_stream/asset/agent/stream/httpjson.yml.hbs index 71a78287abe..51046aaaa1f 100644 --- a/packages/tenable_sc/data_stream/asset/agent/stream/httpjson.yml.hbs +++ b/packages/tenable_sc/data_stream/asset/agent/stream/httpjson.yml.hbs @@ -16,8 +16,8 @@ request.transforms: # Follow Tenable's format: https://developer.tenable.com/docs/user-agent-header # NOTE: The "Build" version must be kept in sync with this package's version. target: header.User-Agent - value: '[[userAgent "Integration/1.0 (Elastic; Tenable.sc; Build/1.1.0)"]]' - - set: + value: '[[userAgent "Integration/1.0 (Elastic; Tenable.sc; Build/1.4.1)"]]' + - set: target: body.query.tool value: 'sumip' - append: 
@@ -35,19 +35,19 @@ request.transforms: "value": "[[(now (parseDuration "-{{initial_interval}}")).Unix]]-[[(now).Unix]]" } value_type: json - - set: + - set: target: body.query.type value: 'vuln' - - set: + - set: target: body.sourceType value: 'cumulative' - - set: + - set: target: body.startOffset value: 0 - - set: + - set: target: body.endOffset value: {{batch_size}} - - set: + - set: target: body.type value: 'vuln' - set: @@ -55,12 +55,12 @@ request.transforms: value: 'accesskey={{access_key}}; secretkey={{secret_key}}' response.split: target: body.response.results -response.pagination: +response.pagination: - set: target: body.startOffset - value: '[[toInt .last_response.body.response.endOffset]]' + value: '[[if (ne (toInt .last_response.body.response.returnedRecords) 0)]][[toInt .last_response.body.response.endOffset]][[else]][[.last_response.terminate_pagination]][[end]]' fail_on_template_error: true - - set: + - set: target: body.endOffset value: '[[add (toInt .last_response.body.response.endOffset) {{batch_size}}]]' fail_on_template_error: true diff --git a/packages/tenable_sc/data_stream/asset/sample_event.json b/packages/tenable_sc/data_stream/asset/sample_event.json index ee9e0c394e0..511fc1dba89 100644 --- a/packages/tenable_sc/data_stream/asset/sample_event.json +++ b/packages/tenable_sc/data_stream/asset/sample_event.json @@ -1,8 +1,8 @@ { - "@timestamp": "2022-02-14T16:30:33.654Z", + "@timestamp": "2022-08-05T07:41:25.259Z", "agent": { - "ephemeral_id": "2bf50bac-f76f-4c1a-b758-e2f62bffd73d", - "id": "ecf3f02f-66cb-4b07-8a38-d84956c78dcc", + "ephemeral_id": "08f233b0-4102-4a26-a631-e3339f030cdb", + "id": "652f8609-1989-4515-8c01-c16c9e892066", "name": "docker-fleet-agent", "type": "filebeat", "version": "8.2.0" 
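Review bot: The termination guard is applied only to the `body.startOffset` transform; the `body.endOffset` set that follows it still renders `add (toInt .last_response.body.response.endOffset) {{batch_size}}` unconditionally with `fail_on_template_error: true`, so whether a final empty page produces one more request depends on httpjson stopping the chain as soon as a transform resolves to `terminate_pagination`, which the template does not say. A one-line comment above `response.pagination:` such as `# Stop once the last page returned no records; one trailing empty request per cycle is expected.` would record the intended behaviour and the reliance on `fail_on_template_error` to halt when `returnedRecords` is missing from an error body. The same shape appears in the vulnerability stream's `@@ -61,12 +61,12 @@` hunk. If the response also carries a total record count, comparing `endOffset` against it would avoid the extra empty request entirely, but that field is not visible in this diff.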
@@ -13,19 +13,19 @@ "type": "logs" }, "ecs": { - "version": "8.3.0" + "version": "8.4.0" }, "elastic_agent": { - "id": "ecf3f02f-66cb-4b07-8a38-d84956c78dcc", - "snapshot": true, + "id": "652f8609-1989-4515-8c01-c16c9e892066", + "snapshot": false, "version": "8.2.0" }, "event": { "agent_id_status": "verified", "category": "host", - "created": "2022-02-14T16:30:33.654Z", + "created": "2022-08-05T07:41:25.259Z", "dataset": "tenable_sc.asset", - "ingested": "2022-02-14T16:30:37Z", + "ingested": "2022-08-05T07:41:28Z", "kind": "state", "original": "{\"biosGUID\":\"9e8c4d43-982b-4405-a76c-d56c1d6cf117\",\"dnsName\":\"rnkmigauv2l8zeyf.example\",\"hostUniqueness\":\"repositoryID,ip,dnsName\",\"ip\":\"0.0.228.153\",\"lastAuthRun\":\"\",\"lastUnauthRun\":\"\",\"macAddress\":\"00:00:00:47:05:0d\",\"mcafeeGUID\":\"\",\"netbiosName\":\"UNKNOWN\\\\RNKMIGAUV2L8ZEYF.EXAMPLE\",\"osCPE\":\"cpe:/o:microsoft:windows_10:::x64-home\",\"pluginSet\":\"201901281542\",\"policyName\":\"Basic Agent Scan\",\"repository\":{\"dataFormat\":\"IPv4\",\"description\":\"\",\"id\":\"2\",\"name\":\"Staged-Large\",\"sciID\":\"1\"},\"score\":\"307\",\"severityCritical\":\"6\",\"severityHigh\":\"4\",\"severityInfo\":\"131\",\"severityLow\":\"0\",\"severityMedium\":\"9\",\"total\":\"150\",\"tpmID\":\"\",\"uniqueness\":\"repositoryID,ip,dnsName\",\"uuid\":\"4add65d0-27fc-491c-91ba-3f498a61f49e\"}", "type": "info" diff --git a/packages/tenable_sc/data_stream/plugin/agent/stream/httpjson.yml.hbs b/packages/tenable_sc/data_stream/plugin/agent/stream/httpjson.yml.hbs index 07de952af7d..595b3ef8d28 100644 --- a/packages/tenable_sc/data_stream/plugin/agent/stream/httpjson.yml.hbs +++ b/packages/tenable_sc/data_stream/plugin/agent/stream/httpjson.yml.hbs 
@@ -16,8 +16,8 @@ request.transforms: # Follow Tenable's format: https://developer.tenable.com/docs/user-agent-header # NOTE: The "Build" version must be kept in sync with this package's version. target: header.User-Agent - value: '[[userAgent "Integration/1.0 (Elastic; Tenable.sc; Build/1.1.0)"]]' - - set: + value: '[[userAgent "Integration/1.0 (Elastic; Tenable.sc; Build/1.4.1)"]]' + - set: target: url.params.fields value: id,name,description,family,type,copyright,version,sourceFile,dependencies,requiredPorts,requiredUDPPorts,cpe,srcPort,dstPort,protocol,riskFactor,solution,seeAlso,synopsis,checkType,exploitEase,exploitAvailable,exploitFrameworks,cvssVector,cvssVectorBF,baseScore,temporalScore,cvssV3Vector,cvssV3VectorBF,cvssV3BaseScore,cvssV3TemporalScore,vprScore,vprContext,stigSeverity,pluginPubDate,pluginModDate,patchPubDate,patchModDate,vulnPubDate,modifiedTime,md5,xrefs - set: @@ -39,18 +39,18 @@ request.transforms: - set: target: url.params.sortDirection value: ASC - - set: + - set: target: url.params.startOffset value: 0 - - set: + - set: target: url.params.endOffset value: {{batch_size}} -response.pagination: +response.pagination: - set: target: url.params.startOffset - value: '[[toInt (.last_response.url.params.Get "endOffset")]]' + value: '[[if (ne (len .last_response.body.response) 0)]][[toInt (.last_response.url.params.Get "endOffset")]][[else]][[.last_response.terminate_pagination]][[end]]' fail_on_template_error: true - - set: + - set: target: url.params.endOffset value: '[[add (toInt (.last_response.url.params.Get "endOffset")) {{batch_size}}]]' fail_on_template_error: true diff --git a/packages/tenable_sc/data_stream/plugin/sample_event.json b/packages/tenable_sc/data_stream/plugin/sample_event.json index b78a17cc29a..4bc05949832 100644 --- a/packages/tenable_sc/data_stream/plugin/sample_event.json +++ b/packages/tenable_sc/data_stream/plugin/sample_event.json 
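Review bot: The plugin termination condition keys off `len .last_response.body.response`, which relies on `response` being an array for this endpoint; Go's `len` errors on a missing or nil value and `fail_on_template_error: true` then halts pagination, which is the safe direction but is undocumented. A comment above the `url.params.startOffset` transform, e.g. `# The plugin endpoint returns an array under .response; an empty array means the last page was reached.`, would explain why this stream differs from the asset and vulnerability streams, which test `returnedRecords`. As in those streams, the `url.params.endOffset` transform below is not guarded and is still rendered on the terminating page.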
@@ -1,8 +1,8 @@ { "@timestamp": "2021-09-27T01:33:53.000Z", "agent": { - "ephemeral_id": "a8c9d489-b7e1-486f-b50e-7b2cba60651a", - "id": "ecf3f02f-66cb-4b07-8a38-d84956c78dcc", + "ephemeral_id": "a3549a4b-827d-45b3-b9a0-f4a74879ed47", + "id": "652f8609-1989-4515-8c01-c16c9e892066", "name": "docker-fleet-agent", "type": "filebeat", "version": "8.2.0" 
@@ -13,18 +13,18 @@ "type": "logs" }, "ecs": { - "version": "8.3.0" + "version": "8.4.0" }, "elastic_agent": { - "id": "ecf3f02f-66cb-4b07-8a38-d84956c78dcc", - "snapshot": true, + "id": "652f8609-1989-4515-8c01-c16c9e892066", + "snapshot": false, "version": "8.2.0" }, "event": { "agent_id_status": "verified", - "created": "2022-02-14T16:31:46.081Z", + "created": "2022-08-05T07:42:26.483Z", "dataset": "tenable_sc.plugin", - "ingested": "2022-02-14T16:31:49Z", + "ingested": "2022-08-05T07:42:29Z", "kind": "event", "original": "{\"baseScore\":\"7.8\",\"checkType\":\"remote\",\"copyright\":\"This script is Copyright (C) 2003-2020 John Lampe\",\"cpe\":\"\",\"cvssV3BaseScore\":null,\"cvssV3TemporalScore\":null,\"cvssV3Vector\":\"\",\"cvssV3VectorBF\":\"0\",\"cvssVector\":\"AV:N/AC:L/Au:N/C:N/I:N/A:C/E:U/RL:OF/RC:C\",\"cvssVectorBF\":\"2164920932\",\"dependencies\":\"find_service1.nasl,http_version.nasl,www_fingerprinting_hmap.nasl\",\"description\":\"Microsoft IIS, running Frontpage extensions, is vulnerable to a remote denial of service attack usually called the 'malformed web submission' vulnerability. 
An attacker, exploiting this vulnerability, will be able to render the service unusable.\\n\\nIf this machine serves a business-critical function, there could be an impact to the business.\",\"dstPort\":null,\"exploitAvailable\":\"false\",\"exploitEase\":\"No known exploits are available\",\"exploitFrameworks\":\"\",\"family\":{\"id\":\"11\",\"name\":\"Web Servers\",\"type\":\"active\"},\"id\":\"10585\",\"md5\":\"38b2147401eb5c3a15af52182682f345\",\"modifiedTime\":\"1632706433\",\"name\":\"Microsoft IIS Frontpage Server Extensions (FPSE) Malformed Form DoS\",\"patchModDate\":\"-1\",\"patchPubDate\":\"-1\",\"pluginModDate\":\"1591963200\",\"pluginPubDate\":\"1058875200\",\"protocol\":\"\",\"requiredPorts\":\"\",\"requiredUDPPorts\":\"\",\"riskFactor\":\"High\",\"seeAlso\":\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2000/ms00-100\",\"solution\":\"Microsoft has released a set of patches for IIS 4.0 and 5.0.\",\"sourceFile\":\"IIS_frontpage_DOS_2.nasl\",\"srcPort\":null,\"stigSeverity\":null,\"synopsis\":\"The remote web server is vulnerable to a denial of service\",\"temporalScore\":\"5.8\",\"type\":\"active\",\"version\":\"1.28\",\"vprContext\":\"[{\\\"id\\\":\\\"age_of_vuln\\\",\\\"name\\\":\\\"Vulnerability Age\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"730 days +\\\"},{\\\"id\\\":\\\"cvssV3_impactScore\\\",\\\"name\\\":\\\"CVSS v3 Impact Score\\\",\\\"type\\\":\\\"number\\\",\\\"value\\\":3.6000000000000001},{\\\"id\\\":\\\"exploit_code_maturity\\\",\\\"name\\\":\\\"Exploit Code Maturity\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"Unproven\\\"},{\\\"id\\\":\\\"product_coverage\\\",\\\"name\\\":\\\"Product Coverage\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"Low\\\"},{\\\"id\\\":\\\"threat_intensity_last_28\\\",\\\"name\\\":\\\"Threat Intensity\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"Very Low\\\"},{\\\"id\\\":\\\"threat_recency\\\",\\\"name\\\":\\\"Threat 
Recency\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"\\u003e 365 days\\\"},{\\\"id\\\":\\\"threat_sources_last_28\\\",\\\"name\\\":\\\"Threat Sources\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"No recorded events\\\"}]\",\"vprScore\":\"4.4\",\"vulnPubDate\":\"977486400\",\"xrefs\":\"CVE:CVE-2001-0096, BID:2144, MSFT:MS00-100, MSKB:280322\"}", "type": "info" diff --git a/packages/tenable_sc/data_stream/vulnerability/agent/stream/httpjson.yml.hbs b/packages/tenable_sc/data_stream/vulnerability/agent/stream/httpjson.yml.hbs index 7379c15cd38..bb54ae9ca70 100644 --- a/packages/tenable_sc/data_stream/vulnerability/agent/stream/httpjson.yml.hbs +++ b/packages/tenable_sc/data_stream/vulnerability/agent/stream/httpjson.yml.hbs @@ -16,8 +16,8 @@ request.transforms: # Follow Tenable's format: https://developer.tenable.com/docs/user-agent-header # NOTE: The "Build" version must be kept in sync with this package's version. target: header.User-Agent - value: '[[userAgent "Integration/1.0 (Elastic; Tenable.sc; Build/1.1.0)"]]' - - set: + value: '[[userAgent "Integration/1.0 (Elastic; Tenable.sc; Build/1.4.1)"]]' + - set: target: body.query.tool value: 'vulndetails' - append: @@ -35,25 +35,25 @@ request.transforms: "value": "[[(now (parseDuration "-{{initial_interval}}")).Unix]]-[[(now).Unix]]" } value_type: json - - set: + - set: target: body.query.type value: 'vuln' - - set: + - set: target: body.startOffset value: 0 - - set: + - set: target: body.endOffset value: {{batch_size}} - - set: + - set: target: body.sourceType value: 'cumulative' - - set: + - set: target: body.sortField value: 'lastSeen' - - set: + - set: target: body.sort_direction value: 'ASC' - - set: + - set: target: body.type value: 'vuln' - set: 
@@ -61,12 +61,12 @@ request.transforms: value: 'accesskey={{access_key}}; secretkey={{secret_key}}' response.split: target: body.response.results -response.pagination: +response.pagination: - set: target: body.startOffset - value: '[[toInt .last_response.body.response.endOffset]]' + value: '[[if (ne (toInt .last_response.body.response.returnedRecords) 0)]][[toInt .last_response.body.response.endOffset]][[else]][[.last_response.terminate_pagination]][[end]]' fail_on_template_error: true - - set: + - set: target: body.endOffset value: '[[add (toInt .last_response.body.response.endOffset) {{batch_size}}]]' fail_on_template_error: true diff --git a/packages/tenable_sc/data_stream/vulnerability/sample_event.json b/packages/tenable_sc/data_stream/vulnerability/sample_event.json index ed62fbde4e4..d9673a611e7 100644 --- a/packages/tenable_sc/data_stream/vulnerability/sample_event.json +++ b/packages/tenable_sc/data_stream/vulnerability/sample_event.json @@ -1,8 +1,8 @@ { "@timestamp": "2021-09-25T16:08:45.000Z", "agent": { - "ephemeral_id": "e54df727-cc1b-4dcf-8dd5-6d4c93723135", - "id": "ecf3f02f-66cb-4b07-8a38-d84956c78dcc", + "ephemeral_id": "cf27b2ee-f5a5-4903-8cb5-dd438e02fbf1", + "id": "652f8609-1989-4515-8c01-c16c9e892066", "name": "docker-fleet-agent", "type": "filebeat", "version": "8.2.0" 
@@ -13,19 +13,19 @@ "type": "logs" }, "ecs": { - "version": "8.3.0" + "version": "8.4.0" }, "elastic_agent": { - "id": "ecf3f02f-66cb-4b07-8a38-d84956c78dcc", - "snapshot": true, + "id": "652f8609-1989-4515-8c01-c16c9e892066", + "snapshot": false, "version": "8.2.0" }, "event": { "agent_id_status": "verified", "category": "threat", - "created": "2022-02-14T16:32:52.226Z", + "created": "2022-08-05T07:43:39.730Z", "dataset": "tenable_sc.vulnerability", - "ingested": "2022-02-14T16:32:55Z", + "ingested": "2022-08-05T07:43:43Z", "kind": "event", "original": "{\"acceptRisk\":\"0\",\"baseScore\":\"0.0\",\"bid\":\"\",\"checkType\":\"remote\",\"cpe\":\"\",\"cve\":\"CVE-1999-0524\",\"cvssV3BaseScore\":\"0.0\",\"cvssV3TemporalScore\":\"\",\"cvssV3Vector\":\"AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N\",\"cvssVector\":\"AV:L/AC:L/Au:N/C:N/I:N/A:N\",\"description\":\"The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that is set on the targeted machine, which may assist an unauthenticated, remote attacker in defeating time-based authentication protocols.\\n\\nTimestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect, but usually within 1000 seconds of the actual system time.\",\"dnsName\":\"_gateway.lxd\",\"exploitAvailable\":\"No\",\"exploitEase\":\"\",\"exploitFrameworks\":\"\",\"family\":{\"id\":\"30\",\"name\":\"General\",\"type\":\"active\"},\"firstSeen\":\"1551284872\",\"hasBeenMitigated\":\"0\",\"hostUniqueness\":\"repositoryID,ip,dnsName\",\"ip\":\"10.238.64.1\",\"ips\":\"10.238.64.1\",\"lastSeen\":\"1632586125\",\"macAddress\":\"00:16:3e:a1:12:f7\",\"netbiosName\":\"\",\"operatingSystem\":\"Linux Kernel 2.6\",\"patchPubDate\":\"-1\",\"pluginID\":\"10114\",\"pluginInfo\":\"10114 (0/1) ICMP Timestamp Request Remote Date Disclosure\",\"pluginModDate\":\"1570190400\",\"pluginName\":\"ICMP Timestamp Request Remote Date 
Disclosure\",\"pluginPubDate\":\"933508800\",\"pluginText\":\"\\u003cplugin_output\\u003eThe remote clock is synchronized with the local clock.\\n\\u003c/plugin_output\\u003e\",\"port\":\"0\",\"protocol\":\"ICMP\",\"recastRisk\":\"0\",\"repository\":{\"dataFormat\":\"IPv4\",\"description\":\"\",\"id\":\"1\",\"name\":\"Live\",\"sciID\":\"1\"},\"riskFactor\":\"None\",\"seeAlso\":\"\",\"severity\":{\"description\":\"Informative\",\"id\":\"0\",\"name\":\"Info\"},\"solution\":\"Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).\",\"stigSeverity\":\"\",\"synopsis\":\"It is possible to determine the exact time set on the remote host.\",\"temporalScore\":\"\",\"uniqueness\":\"repositoryID,ip,dnsName\",\"uuid\":\"\",\"version\":\"1.48\",\"vprContext\":\"[{\\\"id\\\":\\\"age_of_vuln\\\",\\\"name\\\":\\\"Vulnerability Age\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"730 days +\\\"},{\\\"id\\\":\\\"cvssV3_impactScore\\\",\\\"name\\\":\\\"CVSS v3 Impact Score\\\",\\\"type\\\":\\\"number\\\",\\\"value\\\":0},{\\\"id\\\":\\\"exploit_code_maturity\\\",\\\"name\\\":\\\"Exploit Code Maturity\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"Unproven\\\"},{\\\"id\\\":\\\"product_coverage\\\",\\\"name\\\":\\\"Product Coverage\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"Very High\\\"},{\\\"id\\\":\\\"threat_intensity_last_28\\\",\\\"name\\\":\\\"Threat Intensity\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"Very Low\\\"},{\\\"id\\\":\\\"threat_recency\\\",\\\"name\\\":\\\"Threat Recency\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"No recorded events\\\"},{\\\"id\\\":\\\"threat_sources_last_28\\\",\\\"name\\\":\\\"Threat Sources\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"No recorded events\\\"}]\",\"vprScore\":\"0.8\",\"vulnPubDate\":\"788961600\",\"xref\":\"CWE #200\"}", "type": "info" diff --git a/packages/tenable_sc/docs/README.md b/packages/tenable_sc/docs/README.md index c573421ab89..b3761673507 100644 
--- a/packages/tenable_sc/docs/README.md +++ b/packages/tenable_sc/docs/README.md @@ -4,7 +4,7 @@ The Tenable.sc integration collects and parses data from the [Tenable.sc](https: ## Compatibility -This module has been tested against `Tenable.sc version 5.18` +This module has been tested against `Tenable.sc version 5.22`. ## Requirements @@ -29,10 +29,10 @@ An example event for `asset` looks as following: ```json { - "@timestamp": "2022-02-14T16:30:33.654Z", + "@timestamp": "2022-08-05T07:41:25.259Z", "agent": { - "ephemeral_id": "2bf50bac-f76f-4c1a-b758-e2f62bffd73d", - "id": "ecf3f02f-66cb-4b07-8a38-d84956c78dcc", + "ephemeral_id": "08f233b0-4102-4a26-a631-e3339f030cdb", + "id": "652f8609-1989-4515-8c01-c16c9e892066", "name": "docker-fleet-agent", "type": "filebeat", "version": "8.2.0" 
@@ -43,19 +43,19 @@ An example event for `asset` looks as following: "type": "logs" }, "ecs": { - "version": "8.3.0" + "version": "8.4.0" }, "elastic_agent": { - "id": "ecf3f02f-66cb-4b07-8a38-d84956c78dcc", - "snapshot": true, + "id": "652f8609-1989-4515-8c01-c16c9e892066", + "snapshot": false, "version": "8.2.0" }, "event": { "agent_id_status": "verified", "category": "host", - "created": "2022-02-14T16:30:33.654Z", + "created": "2022-08-05T07:41:25.259Z", "dataset": "tenable_sc.asset", - "ingested": "2022-02-14T16:30:37Z", + "ingested": "2022-08-05T07:41:28Z", "kind": "state", "original": "{\"biosGUID\":\"9e8c4d43-982b-4405-a76c-d56c1d6cf117\",\"dnsName\":\"rnkmigauv2l8zeyf.example\",\"hostUniqueness\":\"repositoryID,ip,dnsName\",\"ip\":\"0.0.228.153\",\"lastAuthRun\":\"\",\"lastUnauthRun\":\"\",\"macAddress\":\"00:00:00:47:05:0d\",\"mcafeeGUID\":\"\",\"netbiosName\":\"UNKNOWN\\\\RNKMIGAUV2L8ZEYF.EXAMPLE\",\"osCPE\":\"cpe:/o:microsoft:windows_10:::x64-home\",\"pluginSet\":\"201901281542\",\"policyName\":\"Basic Agent Scan\",\"repository\":{\"dataFormat\":\"IPv4\",\"description\":\"\",\"id\":\"2\",\"name\":\"Staged-Large\",\"sciID\":\"1\"},\"score\":\"307\",\"severityCritical\":\"6\",\"severityHigh\":\"4\",\"severityInfo\":\"131\",\"severityLow\":\"0\",\"severityMedium\":\"9\",\"total\":\"150\",\"tpmID\":\"\",\"uniqueness\":\"repositoryID,ip,dnsName\",\"uuid\":\"4add65d0-27fc-491c-91ba-3f498a61f49e\"}", "type": "info" @@ -223,8 +223,8 @@ An example event for `plugin` looks as following: { "@timestamp": "2021-09-27T01:33:53.000Z", "agent": { - "ephemeral_id": "a8c9d489-b7e1-486f-b50e-7b2cba60651a", - "id": "ecf3f02f-66cb-4b07-8a38-d84956c78dcc", + "ephemeral_id": "a3549a4b-827d-45b3-b9a0-f4a74879ed47", + "id": "652f8609-1989-4515-8c01-c16c9e892066", "name": "docker-fleet-agent", "type": "filebeat", "version": "8.2.0" 
@@ -235,18 +235,18 @@ An example event for `plugin` looks as following: "type": "logs" }, "ecs": { - "version": "8.3.0" + "version": "8.4.0" }, "elastic_agent": { - "id": "ecf3f02f-66cb-4b07-8a38-d84956c78dcc", - "snapshot": true, + "id": "652f8609-1989-4515-8c01-c16c9e892066", + "snapshot": false, "version": "8.2.0" }, "event": { "agent_id_status": "verified", - "created": "2022-02-14T16:31:46.081Z", + "created": "2022-08-05T07:42:26.483Z", "dataset": "tenable_sc.plugin", - "ingested": "2022-02-14T16:31:49Z", + "ingested": "2022-08-05T07:42:29Z", "kind": "event", "original": "{\"baseScore\":\"7.8\",\"checkType\":\"remote\",\"copyright\":\"This script is Copyright (C) 2003-2020 John Lampe\",\"cpe\":\"\",\"cvssV3BaseScore\":null,\"cvssV3TemporalScore\":null,\"cvssV3Vector\":\"\",\"cvssV3VectorBF\":\"0\",\"cvssVector\":\"AV:N/AC:L/Au:N/C:N/I:N/A:C/E:U/RL:OF/RC:C\",\"cvssVectorBF\":\"2164920932\",\"dependencies\":\"find_service1.nasl,http_version.nasl,www_fingerprinting_hmap.nasl\",\"description\":\"Microsoft IIS, running Frontpage extensions, is vulnerable to a remote denial of service attack usually called the 'malformed web submission' vulnerability. 
An attacker, exploiting this vulnerability, will be able to render the service unusable.\\n\\nIf this machine serves a business-critical function, there could be an impact to the business.\",\"dstPort\":null,\"exploitAvailable\":\"false\",\"exploitEase\":\"No known exploits are available\",\"exploitFrameworks\":\"\",\"family\":{\"id\":\"11\",\"name\":\"Web Servers\",\"type\":\"active\"},\"id\":\"10585\",\"md5\":\"38b2147401eb5c3a15af52182682f345\",\"modifiedTime\":\"1632706433\",\"name\":\"Microsoft IIS Frontpage Server Extensions (FPSE) Malformed Form DoS\",\"patchModDate\":\"-1\",\"patchPubDate\":\"-1\",\"pluginModDate\":\"1591963200\",\"pluginPubDate\":\"1058875200\",\"protocol\":\"\",\"requiredPorts\":\"\",\"requiredUDPPorts\":\"\",\"riskFactor\":\"High\",\"seeAlso\":\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2000/ms00-100\",\"solution\":\"Microsoft has released a set of patches for IIS 4.0 and 5.0.\",\"sourceFile\":\"IIS_frontpage_DOS_2.nasl\",\"srcPort\":null,\"stigSeverity\":null,\"synopsis\":\"The remote web server is vulnerable to a denial of service\",\"temporalScore\":\"5.8\",\"type\":\"active\",\"version\":\"1.28\",\"vprContext\":\"[{\\\"id\\\":\\\"age_of_vuln\\\",\\\"name\\\":\\\"Vulnerability Age\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"730 days +\\\"},{\\\"id\\\":\\\"cvssV3_impactScore\\\",\\\"name\\\":\\\"CVSS v3 Impact Score\\\",\\\"type\\\":\\\"number\\\",\\\"value\\\":3.6000000000000001},{\\\"id\\\":\\\"exploit_code_maturity\\\",\\\"name\\\":\\\"Exploit Code Maturity\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"Unproven\\\"},{\\\"id\\\":\\\"product_coverage\\\",\\\"name\\\":\\\"Product Coverage\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"Low\\\"},{\\\"id\\\":\\\"threat_intensity_last_28\\\",\\\"name\\\":\\\"Threat Intensity\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"Very Low\\\"},{\\\"id\\\":\\\"threat_recency\\\",\\\"name\\\":\\\"Threat 
Recency\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"\\u003e 365 days\\\"},{\\\"id\\\":\\\"threat_sources_last_28\\\",\\\"name\\\":\\\"Threat Sources\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"No recorded events\\\"}]\",\"vprScore\":\"4.4\",\"vulnPubDate\":\"977486400\",\"xrefs\":\"CVE:CVE-2001-0096, BID:2144, MSFT:MS00-100, MSKB:280322\"}", "type": "info" @@ -479,8 +479,8 @@ An example event for `vulnerability` looks as following: { "@timestamp": "2021-09-25T16:08:45.000Z", "agent": { - "ephemeral_id": "e54df727-cc1b-4dcf-8dd5-6d4c93723135", - "id": "ecf3f02f-66cb-4b07-8a38-d84956c78dcc", + "ephemeral_id": "cf27b2ee-f5a5-4903-8cb5-dd438e02fbf1", + "id": "652f8609-1989-4515-8c01-c16c9e892066", "name": "docker-fleet-agent", "type": "filebeat", "version": "8.2.0" 
@@ -491,19 +491,19 @@ An example event for `vulnerability` looks as following: "type": "logs" }, "ecs": { - "version": "8.3.0" + "version": "8.4.0" }, "elastic_agent": { - "id": "ecf3f02f-66cb-4b07-8a38-d84956c78dcc", - "snapshot": true, + "id": "652f8609-1989-4515-8c01-c16c9e892066", + "snapshot": false, "version": "8.2.0" }, "event": { "agent_id_status": "verified", "category": "threat", - "created": "2022-02-14T16:32:52.226Z", + "created": "2022-08-05T07:43:39.730Z", "dataset": "tenable_sc.vulnerability", - "ingested": "2022-02-14T16:32:55Z", + "ingested": "2022-08-05T07:43:43Z", "kind": "event", "original": "{\"acceptRisk\":\"0\",\"baseScore\":\"0.0\",\"bid\":\"\",\"checkType\":\"remote\",\"cpe\":\"\",\"cve\":\"CVE-1999-0524\",\"cvssV3BaseScore\":\"0.0\",\"cvssV3TemporalScore\":\"\",\"cvssV3Vector\":\"AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N\",\"cvssVector\":\"AV:L/AC:L/Au:N/C:N/I:N/A:N\",\"description\":\"The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that is set on the targeted machine, which may assist an unauthenticated, remote attacker in defeating time-based authentication protocols.\\n\\nTimestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect, but usually within 1000 seconds of the actual system time.\",\"dnsName\":\"_gateway.lxd\",\"exploitAvailable\":\"No\",\"exploitEase\":\"\",\"exploitFrameworks\":\"\",\"family\":{\"id\":\"30\",\"name\":\"General\",\"type\":\"active\"},\"firstSeen\":\"1551284872\",\"hasBeenMitigated\":\"0\",\"hostUniqueness\":\"repositoryID,ip,dnsName\",\"ip\":\"10.238.64.1\",\"ips\":\"10.238.64.1\",\"lastSeen\":\"1632586125\",\"macAddress\":\"00:16:3e:a1:12:f7\",\"netbiosName\":\"\",\"operatingSystem\":\"Linux Kernel 2.6\",\"patchPubDate\":\"-1\",\"pluginID\":\"10114\",\"pluginInfo\":\"10114 (0/1) ICMP Timestamp Request Remote Date Disclosure\",\"pluginModDate\":\"1570190400\",\"pluginName\":\"ICMP Timestamp Request Remote Date 
Disclosure\",\"pluginPubDate\":\"933508800\",\"pluginText\":\"\\u003cplugin_output\\u003eThe remote clock is synchronized with the local clock.\\n\\u003c/plugin_output\\u003e\",\"port\":\"0\",\"protocol\":\"ICMP\",\"recastRisk\":\"0\",\"repository\":{\"dataFormat\":\"IPv4\",\"description\":\"\",\"id\":\"1\",\"name\":\"Live\",\"sciID\":\"1\"},\"riskFactor\":\"None\",\"seeAlso\":\"\",\"severity\":{\"description\":\"Informative\",\"id\":\"0\",\"name\":\"Info\"},\"solution\":\"Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).\",\"stigSeverity\":\"\",\"synopsis\":\"It is possible to determine the exact time set on the remote host.\",\"temporalScore\":\"\",\"uniqueness\":\"repositoryID,ip,dnsName\",\"uuid\":\"\",\"version\":\"1.48\",\"vprContext\":\"[{\\\"id\\\":\\\"age_of_vuln\\\",\\\"name\\\":\\\"Vulnerability Age\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"730 days +\\\"},{\\\"id\\\":\\\"cvssV3_impactScore\\\",\\\"name\\\":\\\"CVSS v3 Impact Score\\\",\\\"type\\\":\\\"number\\\",\\\"value\\\":0},{\\\"id\\\":\\\"exploit_code_maturity\\\",\\\"name\\\":\\\"Exploit Code Maturity\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"Unproven\\\"},{\\\"id\\\":\\\"product_coverage\\\",\\\"name\\\":\\\"Product Coverage\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"Very High\\\"},{\\\"id\\\":\\\"threat_intensity_last_28\\\",\\\"name\\\":\\\"Threat Intensity\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"Very Low\\\"},{\\\"id\\\":\\\"threat_recency\\\",\\\"name\\\":\\\"Threat Recency\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"No recorded events\\\"},{\\\"id\\\":\\\"threat_sources_last_28\\\",\\\"name\\\":\\\"Threat Sources\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"No recorded events\\\"}]\",\"vprScore\":\"0.8\",\"vulnPubDate\":\"788961600\",\"xref\":\"CWE #200\"}", "type": "info" diff --git a/packages/tenable_sc/manifest.yml b/packages/tenable_sc/manifest.yml index 39c995f6974..9385ac7051f 100644 
--- a/packages/tenable_sc/manifest.yml
+++ b/packages/tenable_sc/manifest.yml
@@ -2,7 +2,7 @@ format_version: 1.0.0
 name: tenable_sc
 title: Tenable.sc
 # The version must be updated in the pipeline as well. Until elastic/kibana#121310 is implemented we will have to manually sync these.
-version: "1.4.0"
+version: "1.4.1"
 license: basic
 description: |
   Collect logs from Tenable.sc with Elastic Agent.