CISA KEV Integration
This integration is for CISA KEV logs. According to CISA, this data is useful for understanding the vulnerabilities currently known to be exploited and for enriching other vulnerability scan data in the Elastic Stack. The integration periodically checks for the latest CISA KEV list. It includes the following dataset for retrieving logs from the CISA KEV website:

- vulnerability dataset: supports vulnerabilities classified by CISA as Known Exploited.
Example enrich policy and related ES|QL query

An enrich policy can be created to enrich other vulnerability information based on the CVE number.

After installing the integration, the enrich policy can be created and executed with the following requests:
```console
PUT /_enrich/policy/enrich_cve_with_context_cisa_kev
{
  "match": {
    "indices": ".ds-logs-cisa_kevs.vulnerability-*",
    "match_field": "vulnerability.id",
    "enrich_fields": [
      "cisa_kev.vulnerability.date_added",
      "cisa_kev.vulnerability.due_date",
      "cisa_kev.vulnerability.known_ransomware_campaign_use",
      "cisa_kev.vulnerability.name",
      "cisa_kev.vulnerability.notes",
      "cisa_kev.vulnerability.product",
      "cisa_kev.vulnerability.required_action",
      "cisa_kev.vulnerability.vendor_project"
    ]
  }
}

PUT /_enrich/policy/enrich_cve_with_context_cisa_kev/_execute
```
The following is an example ES|QL query that uses the index pattern logs-nessus.vulnerability* as the data source to be enriched with CISA KEV information and keeps the top 10 results. Note that the enrich policy must be created first (as shown above):
```esql
from logs-nessus.vulnerability*
| where vulnerability.id IS NOT NULL
| keep vulnerability.*, nessus.plugin.name, host.name
| enrich enrich_cve_with_context_cisa_kev with cisa_kev.vulnerability.due_date, cisa_kev.vulnerability.known_ransomware_campaign_use, cisa_kev.vulnerability.name, cisa_kev.vulnerability.notes, cisa_kev.vulnerability.product, cisa_kev.vulnerability.required_action, cisa_kev.vulnerability.vendor_project, cisa_kev.vulnerability.date_added
| where cisa_kev.vulnerability.name IS NOT NULL
| stats count = COUNT(host.name) BY nessus.plugin.name, vulnerability.severity, cisa_kev.vulnerability.date_added, cisa_kev.vulnerability.product
| sort count desc
| keep nessus.plugin.name, vulnerability.severity, cisa_kev.vulnerability.product, cisa_kev.vulnerability.date_added, count
| limit 10
```
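To make the field mapping and the join concrete outside Elasticsearch, here is an added Python example (not part of the integration) that parses a constructed sample in the shape of the KEV JSON feed, indexes it on the CVE id the way the enrich policy's match_field does, and applies the same join, filter and stats steps as the ES|QL query, plus a due-date check; the field names are the page's, while the host and plugin values and the feed sample are constructed.

```python
import json
from collections import Counter
from datetime import date
# Constructed sample in the shape of the CISA KEV feed (a "vulnerabilities" array);
# this entry mirrors the example event above, with notes/description shortened.
KEV_FEED = json.dumps({"vulnerabilities": [{
    "cveID": "CVE-2020-3259", "vendorProject": "Cisco", "dateAdded": "2024-02-15",
    "dueDate": "2024-03-07", "knownRansomwareCampaignUse": "Known",
    "product": "Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD)",
    "vulnerabilityName": "Cisco ASA and FTD Information Disclosure Vulnerability",
    "notes": "https://example.invalid/advisory", "shortDescription": "(constructed)",
    "requiredAction": "Apply mitigations per vendor instructions or discontinue use "
                      "of the product if mitigations are unavailable."}]})

# Feed key -> exported field, mirroring the cisa_kev.vulnerability.* fields listed below.
FIELD_MAP = {"dateAdded": "date_added", "dueDate": "due_date",
             "knownRansomwareCampaignUse": "known_ransomware_campaign_use",
             "vulnerabilityName": "name", "notes": "notes", "product": "product",
             "requiredAction": "required_action", "vendorProject": "vendor_project"}

# Constructed scan findings using the field names the ES|QL query keeps.
SCAN_HITS = [
    {"host.name": "fw-01", "vulnerability.id": "CVE-2020-3259", "vulnerability.severity": "High",
     "nessus.plugin.name": "Cisco ASA / FTD Info Disclosure"},
    {"host.name": "fw-02", "vulnerability.id": "CVE-2020-3259", "vulnerability.severity": "High",
     "nessus.plugin.name": "Cisco ASA / FTD Info Disclosure"},
    {"host.name": "db-01", "vulnerability.id": "CVE-1999-0001", "vulnerability.severity": "Medium",
     "nessus.plugin.name": "Unrelated check"},  # not in the catalog, so enrich() drops it
]

def parse_kev(feed_json):
    """Index the feed by cveID, the enrich policy's match_field (vulnerability.id)."""
    return {e["cveID"]: {FIELD_MAP[k]: v for k, v in e.items() if k in FIELD_MAP}
            for e in json.loads(feed_json)["vulnerabilities"]}

def enrich(scan_hits, kev):
    """Join on vulnerability.id, keeping matches only (the `IS NOT NULL` step of the query)."""
    return [{**h, **{"cisa_kev.vulnerability." + k: v for k, v in kev[h["vulnerability.id"]].items()}}
            for h in scan_hits if h.get("vulnerability.id") in kev]

def overdue(enriched, today_iso):
    """CVE ids whose CISA due_date has passed as of today_iso (YYYY-MM-DD)."""
    return sorted({h["vulnerability.id"] for h in enriched if
                   date.fromisoformat(h["cisa_kev.vulnerability.due_date"]) < date.fromisoformat(today_iso)})

def top_findings(enriched, limit=10):
    """COUNT(host.name) BY plugin, severity, product, date_added, sorted desc (the stats step)."""
    c = Counter((h["nessus.plugin.name"], h["vulnerability.severity"], h["cisa_kev.vulnerability.product"],
                 h["cisa_kev.vulnerability.date_added"]) for h in enriched)
    return c.most_common(limit)
```

Calling `overdue(enrich(SCAN_HITS, parse_kev(KEV_FEED)), "2024-03-08")` flags the CVE whose remediation deadline has already passed, which is the operational question the KEV due_date field exists to answer.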
Logs

Vulnerability

The CISA KEV data_stream retrieves vulnerability information from the endpoint https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json.
Example

An example event for vulnerability looks as following:
```json
{ "@timestamp": "2024-02-15T00:00:00.000Z", "agent": { "ephemeral_id": "39957f93-aff4-4e3f-84f0-66d18441ccd6", "id": "7edf8be5-ad5d-4c57-a6bd-b86bddc66601", "name": "docker-fleet-agent", "type": "filebeat", "version": "8.12.2" }, "cisa_kev": { "vulnerability": { "date_added": "2024-02-15", "due_date": "2024-03-07", "known_ransomware_campaign_use": "Known", "name": "Cisco ASA and FTD Information Disclosure Vulnerability", "notes": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-info-disclose-9eJtycMB", "product": "Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD)", "required_action": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.", "vendor_project": "Cisco" } }, "data_stream": { "dataset": "cisa_kevs.vulnerability", "namespace": "ep", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { "id": "7edf8be5-ad5d-4c57-a6bd-b86bddc66601", "snapshot": false, "version": "8.12.2" }, "event": { "agent_id_status": "verified", "category": [ "vulnerability" ], "created": "2024-03-13T01:01:09.893Z", "dataset": "cisa_kevs.vulnerability", "ingested": "2024-03-13T01:01:21Z", "kind": "enrichment", "original": "{\"cveID\":\"CVE-2020-3259\",\"dateAdded\":\"2024-02-15\",\"dueDate\":\"2024-03-07\",\"knownRansomwareCampaignUse\":\"Known\",\"notes\":\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-info-disclose-9eJtycMB\",\"product\":\"Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD)\",\"requiredAction\":\"Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.\",\"shortDescription\":\"Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain an information disclosure vulnerability. An attacker could retrieve memory contents on an affected device, which could lead to the disclosure of confidential information due to a buffer tracking issue when the software parses invalid URLs that are requested from the web services interface. This vulnerability affects only specific AnyConnect and WebVPN configurations.\",\"vendorProject\":\"Cisco\",\"vulnerabilityName\":\"Cisco ASA and FTD Information Disclosure Vulnerability\"}", "type": [ "info" ] }, "input": { "type": "httpjson" }, "tags": [ "preserve_original_event", "forwarded", "cisa-kev" ], "vulnerability": { "description": "Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain an information disclosure vulnerability. An attacker could retrieve memory contents on an affected device, which could lead to the disclosure of confidential information due to a buffer tracking issue when the software parses invalid URLs that are requested from the web services interface. This vulnerability affects only specific AnyConnect and WebVPN configurations.", "id": "CVE-2020-3259" } }
```
Exported fields

Field | Description | Type |
---|---|---|
@timestamp | Event timestamp. | date |
cisa_kev.vulnerability.date_added | The date the vulnerability was added to the catalog, in the format YYYY-MM-DD | date |
cisa_kev.vulnerability.due_date | The date the required action is due, in the format YYYY-MM-DD | date |
cisa_kev.vulnerability.known_ransomware_campaign_use | "Known" if this vulnerability is known to have been leveraged as part of a ransomware campaign; "Unknown" if CISA lacks confirmation that the vulnerability has been utilized for ransomware | keyword |
cisa_kev.vulnerability.name | The name of the vulnerability | keyword |
cisa_kev.vulnerability.notes | Any additional notes about the vulnerability | keyword |
cisa_kev.vulnerability.product | The vulnerable product | keyword |
cisa_kev.vulnerability.required_action | The required action to address the vulnerability | keyword |
cisa_kev.vulnerability.vendor_project | The vendor or project name for the vulnerability | keyword |
data_stream.dataset | Data stream dataset. | constant_keyword |
data_stream.namespace | Data stream namespace. | constant_keyword |
data_stream.type | Data stream type. | constant_keyword |
input.type | Type of Filebeat input. | keyword |
Changelog
Version | Details | Kibana version |
---|---|---|
1.4.0 | Enhancement (View pull request) | 8.13.0 or higher |
1.3.1 | Bug fix (View pull request) | 8.13.0 or higher |
1.3.0 | Enhancement (View pull request) | 8.13.0 or higher |
1.2.0 | Enhancement (View pull request) | 8.13.0 or higher |
1.1.0 | Enhancement (View pull request) | 8.11.4 or higher |
1.0.1 | Bug fix (View pull request) | 8.11.4 or higher |
1.0.0 | Enhancement (View pull request) | 8.11.4 or higher |
0.1.0 | Enhancement (View pull request) | — |