-
Notifications
You must be signed in to change notification settings - Fork 419
/
vulnerability.yml
181 lines (150 loc) · 6.09 KB
/
vulnerability.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
# Licensed to Elasticsearch B.V. under one or more contributor
# license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright
# ownership. Elasticsearch B.V. licenses this file to you under
# the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
---
- name: vulnerability
title: Vulnerability
group: 2
short: Fields to describe the vulnerability relevant to an event.
description: >
The vulnerability fields describe information about a vulnerability that is
relevant to an event.
type: group
fields:
- name: classification
level: extended
type: keyword
short: Classification of the vulnerability.
description: >
The classification of the vulnerability scoring system.
For example (https://www.first.org/cvss/)
example: CVSS
- name: enumeration
level: extended
type: keyword
short: Identifier of the vulnerability.
description: >
The type of identifier used for this vulnerability.
For example (https://cve.mitre.org/about/)
example: CVE
- name: reference
level: extended
type: keyword
short: Reference of the vulnerability.
description: >
A resource that provides additional information, context, and
mitigations for the identified vulnerability.
example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111
- name: score.base
level: extended
type: float
short: Vulnerability Base score.
description: >
Scores can range from 0.0 to 10.0, with 10.0 being the most severe.
Base scores cover an assessment for exploitability metrics (attack vector,
complexity, privileges, and user interaction), impact metrics (confidentiality,
integrity, and availability), and scope.
For example (https://www.first.org/cvss/specification-document)
example: 5.5
- name: score.temporal
level: extended
type: float
short: Vulnerability Temporal score.
description: >
Scores can range from 0.0 to 10.0, with 10.0 being the most severe.
Temporal scores cover an assessment for code maturity, remediation level, and
confidence.
For example (https://www.first.org/cvss/specification-document)
- name: score.environmental
level: extended
type: float
short: Vulnerability Environmental score.
description: >
Scores can range from 0.0 to 10.0, with 10.0 being the most severe.
Environmental scores cover an assessment for any modified Base metrics,
confidentiality, integrity, and availability requirements.
For example (https://www.first.org/cvss/specification-document)
example: 5.5
- name: score.version
level: extended
type: keyword
short: CVSS version.
description: >
The National Vulnerability Database (NVD) provides qualitative severity rankings
of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the
severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification.
CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit
organization, whose mission is to help computer security incident response teams
across the world.
For example (https://nvd.nist.gov/vuln-metrics/cvss)
example: 2.0
- name: category
level: extended
type: keyword
short: Category of a vulnerability.
description: >
The type of system or architecture that the vulnerability affects. These may be
platform-specific (for example, Debian or SUSE) or general (for example, Database
or Firewall).
For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories])
This field must be an array.
example: '["Firewall"]'
normalize:
- array
- name: description
level: extended
type: keyword
multi_fields:
- type: match_only_text
name: text
short: Description of the vulnerability.
description: >
The description of the vulnerability that provides additional context of the
vulnerability.
For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created[Common Vulnerabilities and Exposure CVE description])
example: In macOS before 2.12.6, there is a vulnerability in the RPC...
- name: id
level: extended
type: keyword
short: ID of the vulnerability.
description: >
The identification (ID) is the number portion of a vulnerability entry. It
includes a unique identification number for the vulnerability.
For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id[Common Vulnerabilities and Exposure CVE ID])
example: CVE-2019-00001
- name: scanner.vendor
level: extended
type: keyword
short: Name of the scanner vendor.
description: >
The name of the vulnerability scanner vendor.
example: Tenable
- name: severity
level: extended
type: keyword
short: Severity of the vulnerability.
description: >
The severity of the vulnerability can help with metrics and internal
prioritization regarding remediation.
For example (https://nvd.nist.gov/vuln-metrics/cvss)
example: Critical
- name: report_id
level: extended
type: keyword
short: Scan identification number.
description: >
The report or scan identification number.
example: 20191018.0001