[RFC] Stage 1- Introducing new fields in ECS Vulnerability fields #2449
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
| @@ -0,0 +1,104 @@ | ||||||
| - name: vulnerability | ||||||
| title: Vulnerability | ||||||
| group: 2 | ||||||
| short: These fields contain information about vulnerabilities. | ||||||
| description: > | ||||||
| These fields contain information about vulnerabilities identified in assets. | ||||||
| They help in tracking, mitigating, and documenting vulnerabilities. | ||||||
|
|
||||||
|
|
||||||
| fields: | ||||||
| - name: vendor.id | ||||||
| level: extended | ||||||
| type: keyword | ||||||
| description: > | ||||||
| A vulnerability doesn't necessarily have a CVE associated with it. It makes sense to separate vulnerability ID (like CVEs) to the vendor/detection IDs. | ||||||
|
|
||||||
| - name: title | ||||||
| level: extended | ||||||
| type: keyword | ||||||
| description: > | ||||||
| Title/Name/Short Description for vulnerability, to be used in flyout and dashboards. | ||||||
|
There was a problem hiding this comment.
Suggested change
I think an |
||||||
|
|
||||||
| - name: mitigation | ||||||
| level: extended | ||||||
| type: text | ||||||
| description: > | ||||||
| Explains how to fix or mitigate the problem, could be used to store resolution from the scanner vendor or document mitigation in place. | ||||||
|
There was a problem hiding this comment.
Suggested change
|
||||||
|
|
||||||
| - name: published | ||||||
| level: extended | ||||||
| type: date | ||||||
| description: > | ||||||
| The “published” field indicates the date when information about a specific vulnerability was publicly disclosed or made available. It represents the moment when details about the vulnerability were shared with the security community, vendors, and the public. This field helps security professionals track the timeline of vulnerability awareness, in ISO 8601 format - YYYY-MM-DD. | ||||||
|
There was a problem hiding this comment. I don't think "in ISO 8601 format - YYYY-MM-DD" is needed given that we have said it is a |
||||||
|
|
||||||
| - name: patch | ||||||
| type: group | ||||||
| description: > | ||||||
| Information about patches available for the vulnerability. | ||||||
| fields: | ||||||
| - name: exists | ||||||
| level: extended | ||||||
| type: boolean | ||||||
| description: > | ||||||
| Indicates whether a security fix or update (commonly known as a patch) is available to address the identified vulnerability. | ||||||
|
|
||||||
| - name: name | ||||||
| level: extended | ||||||
| type: text | ||||||
| description: > | ||||||
| Name of the patch. | ||||||
|
There was a problem hiding this comment. Can you give an example of a named patch? I'm not sure follow what would go into this field. |
||||||
|
|
||||||
| - name: code | ||||||
| level: extended | ||||||
| type: keyword | ||||||
| description: > | ||||||
| Associated patch code, for example, ESA-2020-13. | ||||||
|
|
||||||
| - name: evidence | ||||||
| level: extended | ||||||
| type: text | ||||||
| description: > | ||||||
| A demonstration of the validity of a vulnerability claim, e.g., app.any.run replaying the exploitation of the vulnerability. | ||||||
|
|
||||||
| - name: status | ||||||
|
There was a problem hiding this comment. If the example values list are the only values to be allowed, then this should have an |
||||||
| level: extended | ||||||
| type: keyword | ||||||
| description: > | ||||||
| The status field helps security teams track vulnerabilities, prioritize actions, and communicate their progress effectively. Examples: open/ignored/patched/mitigated/false_positive/risk_accepted/reopened. | ||||||
|
There was a problem hiding this comment.
Suggested change
|
||||||
|
|
||||||
| - name: tags | ||||||
| level: extended | ||||||
| type: keyword | ||||||
| description: > | ||||||
| This is different from cloud provider assigned resource tags, this is specifically for vulnerability. Vulnerability tags serve as a way to add custom metadata to vulnerabilities, enhancing their context and aiding in search and automation. | ||||||
|
There was a problem hiding this comment.
Suggested change
|
||||||
|
|
||||||
| - name: first_found | ||||||
| level: extended | ||||||
| type: date | ||||||
| description: > | ||||||
| First time a vulnerability was found on the asset, in ISO 8601 format: 2016-05-23T08:05:34.853Z. | ||||||
|
There was a problem hiding this comment.
Suggested change
Given the |
||||||
|
|
||||||
| - name: last_found | ||||||
| level: extended | ||||||
| type: date | ||||||
| description: > | ||||||
| Last time a vulnerability was found on the asset, in ISO 8601 format: 2016-05-23T08:05:34.853Z. | ||||||
|
There was a problem hiding this comment.
Suggested change
|
||||||
|
|
||||||
| - name: last_scanned | ||||||
| level: extended | ||||||
| type: date | ||||||
| description: > | ||||||
| Last time a scan was performed on the asset. It's important as some companies are scanning on a quarterly basis. If last_found and last_scanned are close, it means it's still an active vulnerability, in ISO 8601 format: 2016-05-23T08:05:34.853Z. | ||||||
|
There was a problem hiding this comment.
Suggested change
I'm not sure about added value of "It's important as some companies are scanning on a quarterly basis." section. Perhaps the additional context could be phrased in terms of it be in important indicator of staleness. |
||||||
|
|
||||||
| - name: age | ||||||
|
There was a problem hiding this comment. Given that this is derived data, I think we should omit this field. Users of the data can calculate it on their own via the various means you mentioned if they need it. |
||||||
| level: extended | ||||||
| type: long | ||||||
| description: > | ||||||
| Number of days since the vulnerability is active. It should be dynamically calculated (runtime fields, ingest, ...). It could either be the difference between the last_found date and the published date (preferred). It could also be the difference between the first_found and last_found dates. | ||||||
|
|
||||||
| - name: uid | ||||||
| level: extended | ||||||
| type: keyword | ||||||
| description: > | ||||||
| It's extremely important to be able to deduplicate different scans. It's often that we have different scanners showing the same vulnerability on the same asset. | ||||||
|
There was a problem hiding this comment.
Suggested change
|
||||||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.