# Licensed to Elasticsearch B.V. under one or more contributor # license agreements. See the NOTICE file distributed with # this work for additional information regarding copyright # ownership. Elasticsearch B.V. licenses this file to you under # the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, # software distributed under the License is distributed on an # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY # KIND, either express or implied. See the License for the # specific language governing permissions and limitations # under the License. --- - name: vulnerability title: Vulnerability group: 2 short: Fields to describe the vulnerability relevant to an event. description: > The vulnerability fields describe information about a vulnerability that is relevant to an event. type: group fields: - name: classification level: extended type: keyword short: Classification of the vulnerability. description: > The classification of the vulnerability scoring system. For example (https://www.first.org/cvss/) example: CVSS - name: enumeration level: extended type: keyword short: Identifier of the vulnerability. description: > The type of identifier used for this vulnerability. For example (https://cve.mitre.org/about/) example: CVE - name: reference level: extended type: keyword short: Reference of the vulnerability. description: > A resource that provides additional information, context, and mitigations for the identified vulnerability. example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111 - name: score.base level: extended type: float short: Vulnerability Base score. description: > Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document) example: 5.5 - name: score.temporal level: extended type: float short: Vulnerability Temporal score. description: > Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Temporal scores cover an assessment for code maturity, remediation level, and confidence. For example (https://www.first.org/cvss/specification-document) - name: score.environmental level: extended type: float short: Vulnerability Environmental score. description: > Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Environmental scores cover an assessment for any modified Base metrics, confidentiality, integrity, and availability requirements. For example (https://www.first.org/cvss/specification-document) example: 5.5 - name: score.version level: extended type: keyword short: CVSS version. description: > The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss) example: 2.0 - name: category level: extended type: keyword short: Category of a vulnerability. description: > The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories]) This field must be an array. example: '["Firewall"]' normalize: - array - name: description level: extended type: keyword multi_fields: - type: match_only_text name: text short: Description of the vulnerability. description: > The description of the vulnerability that provides additional context of the vulnerability. For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created[Common Vulnerabilities and Exposure CVE description]) example: In macOS before 2.12.6, there is a vulnerability in the RPC... - name: id level: extended type: keyword short: ID of the vulnerability. description: > The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID] example: CVE-2019-00001 - name: scanner.vendor level: extended type: keyword short: Name of the scanner vendor. description: > The name of the vulnerability scanner vendor. example: Tenable - name: severity level: extended type: keyword short: Severity of the vulnerability. description: > The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) example: Critical - name: report_id level: extended type: keyword short: Scan identification number. description: > The report or scan identification number. example: 20191018.0001