vuln.tenable
Introduction
The tags beginning with vuln.tenable identify events generated by Tenable.io.
Tag structure
The full tag must have four levels. The first three are fixed as vuln.tenable.io. The fourth level identifies the type of events sent.
Technology | Brand | Product | Type |
---|---|---|---|
vuln | tenable | io | assets, agents, audit_log, plugins, scanners, scans |
Therefore, the valid tags and tables include:
- vuln.tenable.io.assets
- vuln.tenable.io.agents
- vuln.tenable.io.audit_log
- vuln.tenable.io.plugins
- vuln.tenable.io.scanners
- vuln.tenable.io.scans
How is the data sent to Devo?
To send logs to these tables, Devo provides a collector that you can download and use to send the required events to your Devo domain. You can download the collector and learn how to use it in Tenable.io collector.
Log samples
The following are sample logs sent to each of the vuln.tenable.io tags. Under each sample log you will also find how the information is parsed into your data table.
Extra columns
Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.
vuln.tenable.io.assets
2021-05-14 15:54:46.257 localhost=127.0.0.1 vuln.tenable.io.assets: {"time_end": "2020-12-23T08:41:18.279Z", "time_start": "2020-12-23T08:33:44.559Z", "id": "ca697ce4-8f35-4350-b61a-490f0b603554", "uuid": "ca697ce4-8f35-4350-b61a-490f0b603554", "operating_system": ["Linux Kernel 5.4.0-58-generic on Ubuntu 18.04"], "mac_address": ["0a:00:27:00:00:01", "02:42:65:5b:d3:29", "02:42:cf:21:04:ea", "02:42:cd:55:75:84", "0a:00:27:00:00:00", "e8:6a:64:3a:6b:11", "02:42:22:fb:09:74", "1c:1b:b5:23:99:7f"], "counts": {"vulnerabilities": {"total": 43, "severities": [{"count": 51, "level": 0, "name": "Info"}, {"count": 0, "level": 1, "name": "Low"}, {"count": 1, "level": 2, "name": "Medium"}, {"count": 1, "level": 3, "name": "High"}, {"count": 0, "level": 4, "name": "Critical"}]}, "audits": {"total": 0, "statuses": [{"count": 0, "level": 1, "name": "Passed"}, {"count": 0, "level": 2, "name": "Warning"}, {"count": 0, "level": 3, "name": "Failed"}]}}, "has_agent": true, "created_at": "2020-11-16T16:27:02.692Z", "updated_at": "2020-12-23T08:48:12.674Z", "first_seen": "2020-11-16T16:27:01.289Z", "last_seen": "2020-12-23T08:41:18.279Z", "last_scan_target": "192.168.1.239", "last_authenticated_scan_date": "2020-12-23T08:41:18.279Z", "last_licensed_scan_date": "2020-12-23T08:41:18.279Z", "last_scan_id": "2519b9ca-8409-458e-9cec-d2f4be19d255", "last_schedule_id": "template-0373df4f-5e95-44c7-277c-472b4eed818e56e8d65e0cb3f570", "sources": [{"name": "NESSUS_AGENT", "first_seen": "2020-11-16T16:27:01.289Z", "last_seen": "2020-11-16T16:27:01.289Z"}, {"name": "NESSUS_SCAN", "first_seen": "2020-12-21T16:32:41.144Z", "last_seen": "2020-12-23T08:41:18.279Z"}], "tags": [], "interfaces": [{"name": "lo", "fqdn": [], "mac_address": [], "ipv4": [], "ipv6": []}, {"name": "vboxnet1", "fqdn": [], "mac_address": ["0a:00:27:00:00:01"], "ipv4": [], "ipv6": []}, {"name": "br-a7d3f4f6d4dd", "fqdn": [], "mac_address": ["02:42:65:5b:d3:29"], "ipv4": ["172.21.0.1"], "ipv6": []}, {"name": "docker0", "fqdn": [], 
"mac_address": ["02:42:cf:21:04:ea"], "ipv4": ["172.234.0.1"], "ipv6": ["fe80:0:0:0:42:cfff:fe21:4ea"]}, {"name": "tun0", "fqdn": [], "mac_address": [], "ipv4": ["10.9.5.124"], "ipv6": ["fe80:0:0:0:73b5:795:a063:ba70"]}, {"name": "br-6686f59549d8", "fqdn": [], "mac_address": ["02:42:cd:55:75:84"], "ipv4": ["172.18.0.1"], "ipv6": []}, {"name": "vboxnet0", "fqdn": [], "mac_address": ["0a:00:27:00:00:00"], "ipv4": [], "ipv6": []}, {"name": "tun1", "fqdn": [], "mac_address": [], "ipv4": ["10.8.1.213"], "ipv6": ["fe80:0:0:0:cc91:9097:d0ae:d247"]}, {"name": "enp0s31f6", "fqdn": [], "mac_address": ["e8:6a:64:3a:6b:11"], "ipv4": [], "ipv6": []}, {"name": "br-57afc8bee660", "fqdn": [], "mac_address": ["02:42:22:fb:09:74"], "ipv4": ["172.19.0.1"], "ipv6": []}, {"name": "wlp2s0", "fqdn": [], "mac_address": ["1c:1b:b5:23:99:7f"], "ipv4": ["192.168.1.239"], "ipv6": ["fe80:0:0:0:85f5:ef3e:2aeb:deca"]}, {"name": "UNKNOWN", "fqdn": ["ip-192-168-1-132.eu-west-1.compute.internal"], "mac_address": ["02:42:22:fb:09:74", "02:42:cf:21:04:ea", "02:42:65:5b:d3:29", "02:42:cd:55:75:84", "0a:00:27:00:00:01", "0a:00:27:00:00:00", "e8:6a:64:3a:6b:11", "1c:1b:b5:23:99:7f"], "ipv4": ["172.21.0.1", "172.234.0.1", "172.18.0.1", "172.19.0.1", "192.168.1.239", "10.9.5.124", "10.8.1.213"], "ipv6": ["fe80:0:0:0:42:cfff:fe21:4ea", "fe80:0:0:0:73b5:795:a063:ba70", "fe80:0:0:0:cc91:9097:d0ae:d247", "fe80:0:0:0:85f5:ef3e:2aeb:deca"]}], "ipv4": ["172.21.0.1", "172.234.0.1", "10.9.5.124", "172.18.0.1", "10.8.1.213", "172.19.0.1", "192.168.1.239"], "ipv6": ["fe80:0:0:0:42:cfff:fe21:4ea", "fe80:0:0:0:73b5:795:a063:ba70", "fe80:0:0:0:cc91:9097:d0ae:d247", "fe80:0:0:0:85f5:ef3e:2aeb:deca"], "fqdn": ["ip-192-168-1-132.eu-west-1.compute.internal"], "netbios_name": [], "system_type": ["general-purpose"], "tenable_uuid": ["09c8f361760b469fa27d9694fac01d81"], "hostname": ["2018-emea-0403"], "agent_name": ["2018-emea-0403"], "bios_uuid": [], "aws_ec2_instance_id": [], "aws_ec2_instance_ami_id": [], "aws_owner_id": 
[], "aws_availability_zone": [], "aws_region": [], "aws_vpc_id": [], "aws_ec2_instance_group_name": [], "aws_ec2_instance_state_name": [], "aws_ec2_instance_type": [], "aws_subnet_id": [], "aws_ec2_product_code": [], "aws_ec2_name": [], "azure_vm_id": [], "azure_resource_id": [], "gcp_project_id": [], "gcp_zone": [], "gcp_instance_id": [], "ssh_fingerprint": [], "mcafee_epo_guid": [], "mcafee_epo_agent_guid": [], "qualys_asset_id": [], "qualys_host_id": [], "servicenow_sysid": [], "installed_software": ["cpe:/a:apache:tomcat:8.5.13", "cpe:/a:apache:tomcat:8.5.50", "cpe:/a:kubernetes:kubernetes:1.20.0", "cpe:/a:kubernetes:kubernetes:1.20.1"], "bigfix_asset_id": [], "security_protection_level": null, "security_protections": [], "exposure_confidence_value": null, "network_name": "Default", "count": 1, "plugin_family": "Ubuntu Local Security Checks", "plugin_id": 141934, "plugin_name": "Ubuntu 18.04 LTS : Netty vulnerabilities (USN-4600-2)", "vulnerability_state": "Active", "vpr_score": 6.0, "accepted_count": 0, "recasted_count": 0, "counts_by_severity": [{"count": 1, "value": 3}], "cvss_base_score": 7.5, "cvss3_base_score": 9.8, "severity": 3}
And this is how the logs would be parsed:
Field | Value | Type | Extra fields |
---|---|---|---|
eventdate | date(2021-05-14 15:54:46.257) | timestamp | |
timeEnd | date(2020-12-23 08:41:18.279) | timestamp | |
timeStart | date(2020-12-23 08:33:44.559) | timestamp | |
id | ca697ce4-8f35-4350-b61a-490f0b603554 | str | |
uuid | ca697ce4-8f35-4350-b61a-490f0b603554 | str | |
operatingSystem | ["Linux Kernel 5.4.0-58-generic on Ubuntu 18.04"] | str | |
macAddress | ["0a:00:27:00:00:01", "02:42:65:5b:d3:29", "02:42:cf:21:04:ea", "02:42:cd:55:75:84", "0a:00:27:00:00:00", "e8:6a:64:3a:6b:11", "02:42:22:fb:09:74", "1c:1b:b5:23:99:7f"] | str | |
countsVulnerabilitiesTotal | 43 | int | |
countsVulnerabilitiesSeverities | [{"count": 51, "level": 0, "name": "Info"}, {"count": 0, "level": 1, "name": "Low"}, {"count": 1, "level": 2, "name": "Medium"}, {"count": 1, "level": 3, "name": "High"}, {"count": 0, "level": 4, "name": "Critical"}] | str | |
countsAuditsTotal | 0 | int | |
countsAuditsStatuses | [{"count": 0, "level": 1, "name": "Passed"}, {"count": 0, "level": 2, "name": "Warning"}, {"count": 0, "level": 3, "name": "Failed"}] | str | |
hasAgent | true | bool | |
createdAt | date(2020-11-16 16:27:02.692) | timestamp | |
updatedAt | date(2020-12-23 08:48:12.674) | timestamp | |
firstSeen | date(2020-11-16 16:27:01.289) | timestamp | |
lastSeen | date(2020-12-23 08:41:18.279) | timestamp | |
lastScanTarget | ip4(192.168.1.239) | ip | |
lastAuthenticatedScanDate | date(2020-12-23 08:41:18.279) | timestamp | |
lastLicensedScanDate | date(2020-12-23 08:41:18.279) | timestamp | |
lastScanId | 2519b9ca-8409-458e-9cec-d2f4be19d255 | str | |
lastScheduleId | template-0373df4f-5e95-44c7-277c-472b4eed818e56e8d65e0cb3f570 | str | |
sources | [{"name": "NESSUS_AGENT", "first_seen": "2020-11-16T16:27:01.289Z", "last_seen": "2020-11-16T16:27:01.289Z"}, {"name": "NESSUS_SCAN", "first_seen": "2020-12-21T16:32:41.144Z", "last_seen": "2020-12-23T08:41:18.279Z"}] | str | |
tags | [] | str | |
interfaces | [{"name": "lo", "fqdn": [], "mac_address": [], "ipv4": [], "ipv6": []}, {"name": "vboxnet1", "fqdn": [], "mac_address": ["0a:00:27:00:00:01"], "ipv4": [], "ipv6": []}, {"name": "br-a7d3f4f6d4dd", "fqdn": [], "mac_address": ["02:42:65:5b:d3:29"], "ipv4": ["172.21.0.1"], "ipv6": []}, {"name": "docker0", "fqdn": [], "mac_address": ["02:42:cf:21:04:ea"], "ipv4": ["172.234.0.1"], "ipv6": ["fe80:0:0:0:42:cfff:fe21:4ea"]}, {"name": "tun0", "fqdn": [], "mac_address": [], "ipv4": ["10.9.5.124"], "ipv6": ["fe80:0:0:0:73b5:795:a063:ba70"]}, {"name": "br-6686f59549d8", "fqdn": [], "mac_address": ["02:42:cd:55:75:84"], "ipv4": ["172.18.0.1"], "ipv6": []}, {"name": "vboxnet0", "fqdn": [], "mac_address": ["0a:00:27:00:00:00"], "ipv4": [], "ipv6": []}, {"name": "tun1", "fqdn": [], "mac_address": [], "ipv4": ["10.8.1.213"], "ipv6": ["fe80:0:0:0:cc91:9097:d0ae:d247"]}, {"name": "enp0s31f6", "fqdn": [], "mac_address": ["e8:6a:64:3a:6b:11"], "ipv4": [], "ipv6": []}, {"name": "br-57afc8bee660", "fqdn": [], "mac_address": ["02:42:22:fb:09:74"], "ipv4": ["172.19.0.1"], "ipv6": []}, {"name": "wlp2s0", "fqdn": [], "mac_address": ["1c:1b:b5:23:99:7f"], "ipv4": ["192.168.1.239"], "ipv6": ["fe80:0:0:0:85f5:ef3e:2aeb:deca"]}, {"name": "UNKNOWN", "fqdn": ["ip-192-168-1-132.eu-west-1.compute.internal"], "mac_address": ["02:42:22:fb:09:74", "02:42:cf:21:04:ea", "02:42:65:5b:d3:29", "02:42:cd:55:75:84", "0a:00:27:00:00:01", "0a:00:27:00:00:00", "e8:6a:64:3a:6b:11", "1c:1b:b5:23:99:7f"], "ipv4": ["172.21.0.1", "172.234.0.1", "172.18.0.1", "172.19.0.1", "192.168.1.239", "10.9.5.124", "10.8.1.213"], "ipv6": ["fe80:0:0:0:42:cfff:fe21:4ea", "fe80:0:0:0:73b5:795:a063:ba70", "fe80:0:0:0:cc91:9097:d0ae:d247", "fe80:0:0:0:85f5:ef3e:2aeb:deca"]}] | str | |
ipv4 | ["172.21.0.1", "172.234.0.1", "10.9.5.124", "172.18.0.1", "10.8.1.213", "172.19.0.1", "192.168.1.239"] | str | |
ipv6 | ["fe80:0:0:0:42:cfff:fe21:4ea", "fe80:0:0:0:73b5:795:a063:ba70", "fe80:0:0:0:cc91:9097:d0ae:d247", "fe80:0:0:0:85f5:ef3e:2aeb:deca"] | str | |
fqdn | ["ip-192-168-1-132.eu-west-1.compute.internal"] | str | |
netbiosName | [] | str | |
systemType | ["general-purpose"] | str | |
tenableUuid | ["09c8f361760b469fa27d9694fac01d81"] | str | |
hostname2 | ["2018-emea-0403"] | str | |
agentName | ["2018-emea-0403"] | str | |
biosUuid | [] | str | |
awsEc2InstanceId | [] | str | |
awsEc2InstanceAmiId | [] | str | |
awsOwnerId | [] | str | |
awsAvailabilityZone | [] | str | |
awsRegion | [] | str | |
awsVpcId | [] | str | |
awsEc2InstanceGroupName | [] | str | |
awsEc2InstanceStateName | [] | str | |
awsEc2InstanceType | [] | str | |
awsSubnetId | [] | str | |
awsEc2ProductCode | [] | str | |
awsEc2Name | [] | str | |
azureVmId | [] | str | |
azureResourceId | [] | str | |
gcpProjectId | [] | str | |
gcpZone | [] | str | |
gcpInstanceId | [] | str | |
sshFingerprint | [] | str | |
mcafeeEpoGuid | [] | str | |
mcafeeEpoAgentGuid | [] | str | |
qualysAssetId | [] | str | |
qualysHostId | [] | str | |
servicenowSysid | [] | str | |
installedSoftware | ["cpe:/a:apache:tomcat:8.5.13", "cpe:/a:apache:tomcat:8.5.50", "cpe:/a:kubernetes:kubernetes:1.20.0", "cpe:/a:kubernetes:kubernetes:1.20.1"] | str | |
bigfixAssetId | [] | str | |
securityProtectionLevel | null | str | |
securityProtections | [] | str | |
exposureConfidenceValue | null | str | |
networkName | Default | str | |
count | 1 | int | |
pluginFamily | Ubuntu Local Security Checks | str | |
pluginId | 141934 | int | |
pluginName | Ubuntu 18.04 LTS : Netty vulnerabilities (USN-4600-2) | str | |
vulnerabilityState | Active | str | |
vprScore | 6.0D | float | |
acceptedCount | 0 | int | |
recastedCount | 0 | int | |
countsBySeverity | [{"count": 1, "value": 3}] | str | |
cvssBaseScore | 7.5D | float | |
cvss3BaseScore | 9.8D | float | |
severity | 3 | int | |
hostchain | localhost=127.0.0.1 | str | ✓ |
tag | vuln.tenable.io.assets | str | ✓ |
vuln.tenable.io.agents
2021-05-14 16:31:28.453 localhost=127.0.0.1 vuln.tenable.io.agents: {"id": 38246924, "uuid": "736ebd7d-34f9-4eff-b632-7c7a415cd795", "name": "alerts-1-pro-cloud-manulife-aws-ca-central-1", "platform": "LINUX", "distro": "ubuntu1110-x86-64", "ip": "10.5.27.171", "plugin_feed_id": "202105132205", "core_build": "47", "core_version": "8.2.4", "linked_on": 1618955646, "last_connect": 1621002605, "status": "on", "groups": [{"name": "CIS Scans", "id": 192286}], "aws_instance_id": "i-05f341cb22087d7ed", "aws_account_id": "175688291360", "supports_remote_logs": true, "network_uuid": "00000000-0000-0000-0000-000000000000", "network_name": "Default"}
And this is how the logs would be parsed:
Field | Value | Type | Extra fields |
---|---|---|---|
eventdate | date(2021-05-14 16:31:28.453) | timestamp | |
id | 38246924L | int | |
uuid | 736ebd7d-34f9-4eff-b632-7c7a415cd795 | str | |
name | alerts-1-pro-cloud-manulife-aws-ca-central-1 | str | |
platform | LINUX | str | |
distro | ubuntu1110-x86-64 | str | |
ip | ip4(10.5.27.171) | ip | |
pluginFeedId | 202105132205 | str | |
coreBuild | 47 | str | |
coreVersion | 8.2.4 | str | |
linkedOn | date(1618955646000) | timestamp | |
lastConnect | date(1621002605000) | timestamp | |
status | on | str | |
groups | [{"name": "CIS Scans", "id": 192286}] | str | |
awsInstanceId | i-05f341cb22087d7ed | str | |
awsAccountId | 175688291360 | str | |
supportsRemoteLogs | true | bool | |
networkUuid | 00000000-0000-0000-0000-000000000000 | str | |
networkName | Default | str | |
hostchain | localhost=127.0.0.1 | str | ✓ |
tag | vuln.tenable.io.agents | str | ✓ |
vuln.tenable.io.audit_log
2021-03-25 11:27:34.003 localhost=127.0.0.1 vuln.tenable.io.audit_log: {"id": "5f9061fd59d3408e9048ebbc05e2f572", "action": "audit.log.view", "crud": "r", "is_failure": "None", "received": "2021-03-10T17:56:13Z", "description": "POST /enterprise/v1/graphql", "actor": {"id": "enterprise:3db4f7b", "name": "Tenable.IO enterprisetoken 12e58d32-9b43-4495-b4bf-f92340a31afe"}, "is_anonymous": "None", "target": {"id": "None", "name": "None", "type": "None"}, "fields": "None"}
And this is how the logs would be parsed:
Field | Value | Type | Extra fields |
---|---|---|---|
eventdate | date(2021-03-25 11:27:34.003) | timestamp | |
id | 5f9061fd59d3408e9048ebbc05e2f572 | str | |
action | audit.log.view | str | |
crud | r | str | |
isFailure | None | str | |
received | date(2021-03-10 17:56:13.000) | timestamp | |
description | POST /enterprise/v1/graphql | str | |
actorId | enterprise:3db4f7b | str | |
actorName | Tenable.IO enterprisetoken 12e58d32-9b43-4495-b4bf-f92340a31afe | str | |
isAnonymous | None | str | |
targetId | None | str | |
targetName | None | str | |
targetType | None | str | |
fields | None | str | |
hostchain | localhost=127.0.0.1 | str | ✓ |
tag | vuln.tenable.io.audit_log | str | ✓ |
vuln.tenable.io.plugins
2021-05-14 16:44:54.602 localhost=127.0.0.1 vuln.tenable.io.plugins: {"id": 34821, "name": "MS08-067: Vulnerability in Server Service Could Allow Remote Code Execution (958644) (ECLIPSEDWING) (uncredentialed check / IPS)", "attributes": {"plugin_type": "REMOTE", "intel_type": "SENSOR", "synopsis": "Arbitrary code can be executed on the remote host due to a flaw in the \'Server\' service.", "description": "The remote host is affected by a buffer overrun in the \'Server\' service that may allow an attacker to execute arbitrary code on the remote host with \'SYSTEM\' privileges.\\n\\nECLIPSEDWING is one of multiple Equation Group vulnerabilities and exploits disclosed on 2017/04/14 by a group known as the Shadow Brokers.", "solution": "Microsoft has released a set of patches for Windows 2000, XP, 2003, Vista and 2008.", "see_also": ["http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx"], "plugin_publication_date": "2008-11-21T00:00:00Z", "vuln_publication_date": "2008-10-23T00:00:00Z", "patch_publication_date": "2008-10-23T00:00:00Z", "has_patch": true, "exploitability_ease": "AVAILABLE", "exploit_available": true, "risk_factor": "CRITICAL", "stig_severity": "I", "cpe": ["cpe:/o:microsoft:windows"], "plugin_modification_date": "2021-05-10T00:00:00Z", "plugin_version": 1.144, "always_run": false, "compliance": false, "exploited_by_malware": true, "in_the_news": true, "exploit_framework_canvas": true, "exploit_framework_exploithub": false, "exploit_framework_core": false, "exploit_framework_d2_elliot": false, "exploit_framework_metasploit": true, "cvss_vector": {"raw": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "AccessVector": "Network", "AccessComplexity": "Low", "Authentication": "None required", "Confidentiality-Impact": "Complete", "Integrity-Impact": "Complete", "Availability-Impact": "Complete"}, "cvss_temporal_vector": {"raw": "E:H/RL:OF/RC:C", "Exploitability": "High", "RemediationLevel": "Official Fix", "ReportConfidence": "Confirmed"}, "cvss_temporal_score": 
8.7, "cvss_base_score": 10.0, "cvss3_vector": {"raw": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "AttackVector": "Network", "AttackComplexity": "Low", "PrivilegesRequired": "None", "UserInteraction": "None", "Scope": "Unchanged", "Confidentiality-Impact": "High", "Integrity-Impact": "High", "Availability-Impact": "High"}, "cvss3_base_score": 9.8, "cve": ["CVE-2008-4250"], "bid": [31874], "xref": ["CWE:94", "MSFT:MS08-067", "IAVA:2008-A-0081-S", "MSKB:958644", "CERT:827267", "EDB-ID:6824", "EDB-ID:7104", "EDB-ID:7132"], "xrefs": [{"type": "CWE", "id": "94"}, {"type": "MSFT", "id": "MS08-067"}, {"type": "IAVA", "id": "2008-A-0081-S"}, {"type": "MSKB", "id": "958644"}, {"type": "CERT", "id": "827267"}, {"type": "EDB-ID", "id": "6824"}, {"type": "EDB-ID", "id": "7104"}, {"type": "EDB-ID", "id": "7132"}], "vpr": {"score": 8.9, "drivers": {"age_of_vuln": {"lower_bound": 731}, "exploit_code_maturity": "HIGH", "cvss_impact_score_predicted": false, "threat_intensity_last28": "VERY_LOW", "threat_recency": {"lower_bound": 31, "upper_bound": 120}, "threat_sources_last28": ["No recorded events"], "product_coverage": "HIGH"}, "updated": "2021-03-09T05:19:13Z"}}}
And this is how the logs would be parsed:
Field | Value | Type | Extra fields |
---|---|---|---|
eventdate | date(2021-05-14 16:44:54.602) | timestamp | |
id | 34821 | int | |
name | MS08-067: Vulnerability in Server Service Could Allow Remote Code Execution (958644) (ECLIPSEDWING) (uncredentialed check / IPS) | str | |
attributesPluginType | REMOTE | str | |
attributesIntelType | SENSOR | str | |
attributesSynopsis | Arbitrary code can be executed on the remote host due to a flaw in the 'Server' service. | str | |
attributesDescription | The remote host is affected by a buffer overrun in the 'Server' service that may allow an attacker to execute arbitrary code on the remote host with 'SYSTEM' privileges.\n\nECLIPSEDWING is one of multiple Equation Group vulnerabilities and exploits disclosed on 2017/04/14 by a group known as the Shadow Brokers. | str | |
attributesSolution | Microsoft has released a set of patches for Windows 2000, XP, 2003, Vista and 2008. | str | |
attributesSeeAlso | ["http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx"] | str | |
attributesPluginPublicationDate | date(2008-11-21 00:00:00.000) | timestamp | |
attributesVulnPublicationDate | date(2008-10-23 00:00:00.000) | timestamp | |
attributesPatchPublicationDate | date(2008-10-23 00:00:00.000) | timestamp | |
attributesHasPatch | true | bool | |
attributesExploitabilityEase | AVAILABLE | str | |
attributesExploitAvailable | true | bool | |
attributesRiskFactor | CRITICAL | str | |
attributesStigSeverity | I | str | |
attributesCpe | ["cpe:/o:microsoft:windows"] | str | |
attributesPluginModificationDate | date(2021-05-10 00:00:00.000) | timestamp | |
attributesPluginVersion | 1.144D | float | |
attributesAlwaysRun | false | bool | |
attributesCompliance | false | bool | |
attributesExploitedByMalware | true | bool | |
attributesInTheNews | true | bool | |
attributesExploitFrameworkCanvas | true | bool | |
attributesExploitFrameworkExploithub | false | bool | |
attributesExploitFrameworkCore | false | bool | |
attributesExploitFrameworkD2Elliot | false | bool | |
attributesExploitFrameworkMetasploit | true | bool | |
attributesCvssVectorRaw | AV:N/AC:L/Au:N/C:C/I:C/A:C | str | |
attributesCvssVectorAccessVector | Network | str | |
attributesCvssVectorAccessComplexity | Low | str | |
attributesCvssVectorAuthentication | None required | str | |
attributesCvssVectorConfidentialityImpact | Complete | str | |
attributesCvssVectorIntegrityImpact | Complete | str | |
attributesCvssVectorAvailabilityImpact | Complete | str | |
attributesCvssTemporalVectorRaw | E:H/RL:OF/RC:C | str | |
attributesCvssTemporalVectorExploitability | High | str | |
attributesCvssTemporalVectorRemediationLevel | Official Fix | str | |
attributesCvssTemporalVectorReportConfidence | Confirmed | str | |
attributesCvssTemporalScore | 8.7D | float | |
attributesCvssBaseScore | 10.0D | float | |
attributesCvss3VectorRaw | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | str | |
attributesCvss3VectorAttackVector | Network | str | |
attributesCvss3VectorAttackComplexity | Low | str | |
attributesCvss3VectorPrivilegesRequired | None | str | |
attributesCvss3VectorUserInteraction | None | str | |
attributesCvss3VectorScope | Unchanged | str | |
attributesCvss3VectorConfidentialityImpact | High | str | |
attributesCvss3VectorIntegrityImpact | High | str | |
attributesCvss3VectorAvailabilityImpact | High | str | |
attributesCvss3BaseScore | 9.8D | float | |
attributesCve | ["CVE-2008-4250"] | str | |
attributesBid | [31874] | str | |
attributesXref | ["CWE:94", "MSFT:MS08-067", "IAVA:2008-A-0081-S", "MSKB:958644", "CERT:827267", "EDB-ID:6824", "EDB-ID:7104", "EDB-ID:7132"] | str | |
attributesXrefs | [{"type": "CWE", "id": "94"}, {"type": "MSFT", "id": "MS08-067"}, {"type": "IAVA", "id": "2008-A-0081-S"}, {"type": "MSKB", "id": "958644"}, {"type": "CERT", "id": "827267"}, {"type": "EDB-ID", "id": "6824"}, {"type": "EDB-ID", "id": "7104"}, {"type": "EDB-ID", "id": "7132"}] | str | |
attributesVprScore | 8.9D | float | |
attributesVprDriversAgeOfVulnLowerBound | 731 | int | |
attributesVprDriversExploitCodeMaturity | HIGH | str | |
attributesVprDriversCvssImpactScorePredicted | false | bool | |
attributesVprDriversThreatIntensityLast28 | VERY_LOW | str | |
attributesVprDriversThreatRecencyLowerBound | 31 | int | |
attributesVprDriversThreatRecencyUpperBound | 120 | int | |
attributesVprDriversThreatSourcesLast28 | ["No recorded events"] | str | |
attributesVprDriversProductCoverage | HIGH | str | |
attributesVprUpdated | date(2021-03-09 05:19:13.000) | timestamp | |
hostchain | localhost=127.0.0.1 | str | ✓ |
tag | vuln.tenable.io.plugins | str | ✓ |
vuln.tenable.io.scanners
2021-05-14 16:47:46.074 localhost=127.0.0.1 vuln.tenable.io.scanners: {"creation_date": 1608567093, "distro": "ubuntu1110-x86-64", "engine_version": "18.13.10", "group": false, "hostname": "2018-EMEA-0403", "id": 330182, "ip_addresses": ["192.168.1.239", "172.19.0.1", "172.18.0.1", "172.22.0.1", "172.29.0.1", "172.21.0.1", "172.234.0.1", "172.31.0.1", "172.30.0.1", "100.96.2.51", "fd:0:0:8112::3"], "key": "7d686cbe361103e4cc9842fbdf1b735de38b7a14542bde707114cf431aae1b00", "last_connect": 1617958416, "last_modification_date": 1617869849, "linked": 1, "loaded_plugin_set": "202104071310", "name": "2018-EMEA-0403", "network_name": "Default", "num_hosts": 0, "num_scans": 0, "num_sessions": 0, "num_tcp_sessions": 0, "owner": "system", "owner_id": 2014562, "owner_name": "system", "owner_uuid": "40b641a4-6164-4393-b1f3-8c2f19327720", "platform": "LINUX", "pool": false, "scan_count": 0, "shared": 1, "source": "service", "status": "off", "timestamp": 1617869849, "type": "managed", "ui_build": "2", "ui_version": "8.13.2", "user_permissions": 128, "uuid": "71135b7a-a087-4849-bedb-fbcb0109bbf8", "remote_uuid": "d14d5c10-c843-5a4f-9ad5-0cebf9f871f728b8b8417bade83b", "supports_remote_logs": false, "supports_webapp": false}
And this is how the logs would be parsed:
Field | Value | Type | Extra fields |
---|---|---|---|
eventdate | date(2021-05-14 16:47:46.074) | timestamp | |
creationDate | date(1608567093000) | timestamp | |
distro | ubuntu1110-x86-64 | str | |
engineVersion | 18.13.10 | str | |
group2 | false | bool | |
hostname2 | 2018-EMEA-0403 | str | |
id | 330182 | int | |
ipAddresses | ["192.168.1.239", "172.19.0.1", "172.18.0.1", "172.22.0.1", "172.29.0.1", "172.21.0.1", "172.234.0.1", "172.31.0.1", "172.30.0.1", "100.96.2.51", "fd:0:0:8112::3"] | str | |
key | 7d686cbe361103e4cc9842fbdf1b735de38b7a14542bde707114cf431aae1b00 | str | |
lastConnect | date(1617958416000) | timestamp | |
lastModificationDate | date(1617869849000) | timestamp | |
linked | 1 | int | |
loadedPluginSet | 202104071310 | str | |
name | 2018-EMEA-0403 | str | |
networkName | Default | str | |
numHosts | 0 | int | |
numScans | 0 | int | |
numSessions | 0 | int | |
numTcpSessions | 0 | int | |
owner | system | str | |
ownerId | 2014562L | int | |
ownerName | system | str | |
ownerUuid | 40b641a4-6164-4393-b1f3-8c2f19327720 | str | |
platform | LINUX | str | |
pool | false | bool | |
scanCount | 0 | int | |
shared | 1 | int | |
source | service | str | |
status | off | str | |
timestamp | date(1617869849000) | timestamp | |
type | managed | str | |
uiBuild | 2 | str | |
uiVersion | 8.13.2 | str | |
userPermissions | 128 | int | |
uuid | 71135b7a-a087-4849-bedb-fbcb0109bbf8 | str | |
remoteUuid | d14d5c10-c843-5a4f-9ad5-0cebf9f871f728b8b8417bade83b | str | |
supportsRemoteLogs | false | bool | |
supportsWebapp | false | bool | |
hostchain | localhost=127.0.0.1 | str | ✓ |
tag | vuln.tenable.io.scanners | str | ✓ |
vuln.tenable.io.scans
2021-05-14 16:57:08.165 localhost=127.0.0.1 vuln.tenable.io.scans: {"template_uuid": "40345bfc-48be-37bc-9bce-526bdce37582e8fee83bcefdc746", "legacy": false, "folder_id": 119, "type": "remote", "read": false, "last_modification_date": 1620915797, "creation_date": 1620915544, "status": "completed", "uuid": "6a7e84b5-1590-43e4-95d2-5ce9d09021c5", "shared": true, "user_permissions": 64, "owner": "devo@devo.com", "schedule_uuid": "1f6806ad-0ce5-be93-6deb-1c2c1aadd5702dabace3aba39c83", "timezone": "America/Chicago", "rrules": "FREQ=WEEKLY;INTERVAL=1;BYDAY=FR", "starttime": "20210504T220000", "enabled": false, "control": true, "wizard_uuid": "40345bfc-48be-37bc-9bce-526bdce37582e8fee83bcefdc746", "policy_id": 191, "name": "Copy of Manulife - CIS Scan - Ubuntu 20.04", "id": 192}
And this is how the logs would be parsed:
Field | Value | Type | Extra fields |
---|---|---|---|
eventdate | date(2021-05-14 16:57:08.165) | timestamp | |
templateUuid | 40345bfc-48be-37bc-9bce-526bdce37582e8fee83bcefdc746 | str | |
legacy | false | bool | |
folderId | 119 | int | |
type | remote | str | |
read | false | bool | |
lastModificationDate | date(1620915797000) | timestamp | |
creationDate | date(1620915544000) | timestamp | |
status | completed | str | |
uuid | 6a7e84b5-1590-43e4-95d2-5ce9d09021c5 | str | |
shared | true | bool | |
userPermissions | 64 | int | |
owner | devo@devo.com | str | |
scheduleUuid | 1f6806ad-0ce5-be93-6deb-1c2c1aadd5702dabace3aba39c83 | str | |
timezone | America/Chicago | str | |
rrules | FREQ=WEEKLY;INTERVAL=1;BYDAY=FR | str | |
starttime | 20210504T220000 | str | |
enabled | false | bool | |
control | true | bool | |
wizardUuid | 40345bfc-48be-37bc-9bce-526bdce37582e8fee83bcefdc746 | str | |
policyId | 191 | int | |
name | Copy of Manulife - CIS Scan - Ubuntu 20.04 | str | |
id | 192 | int | |
hostchain | localhost=127.0.0.1 | str | ✓ |
tag | vuln.tenable.io.scans | str | ✓ |
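The field tables above all follow one naming rule: nested JSON keys are joined in lowerCamelCase, arrays are kept as JSON text in str columns, epoch-second integers and ISO-8601 strings become timestamps, and the top-level names hostname and group are suffixed with 2. The following is an added example (not Devo's or Tenable's own code) that applies that rule to lines in the format of the samples above, so you can check how an event of any of the six tags will land in its table; the regexes and the epoch-key heuristic are assumptions derived from the tables, and the input lines are abbreviated copies of the page's samples.

```python
# Added example (not Devo's or Tenable's own code): flatten a vuln.tenable.io.*
# line into the column names the tables above use. Assumed from those tables:
# nested keys join in lowerCamelCase, arrays stay JSON text, epoch-second ints
# and ISO-8601 strings become timestamps, top-level hostname/group get a "2".
import json
import re
from datetime import datetime, timezone

# Header layout from the samples: "<eventdate> <hostchain> <tag>: <json>"
HEADER = re.compile(
    r"^(?P<eventdate>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) (?P<hostchain>\S+) "
    r"(?P<tag>vuln\.tenable\.io\.[a-z_]+): (?P<payload>\{.*\})$"
)
ISO_TS = re.compile(r"^\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(\.\d+)?Z$")
# Integer keys the tables render as date(<epoch>000), e.g. linked_on, creation_date
EPOCH_KEY = re.compile(r"(_date|_on|_connect|^timestamp)$")
RESERVED = {"hostname": "hostname2", "group": "group2"}


def column_name(path):
    """('attributes', 'cvss_vector', 'Confidentiality-Impact') ->
    'attributesCvssVectorConfidentialityImpact'"""
    words = [w for key in path for w in re.split(r"[_-]", key) if w]
    return words[0] + "".join(w[0].upper() + w[1:] for w in words[1:])


def convert(key, value):
    """Per-value conversions matching the Type column of the tables."""
    if isinstance(value, str) and ISO_TS.match(value):
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    if isinstance(value, int) and not isinstance(value, bool) and EPOCH_KEY.search(key):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    if isinstance(value, list):
        return json.dumps(value)  # arrays are kept as str columns
    return value


def flatten(obj, prefix=()):
    """Recursively turn nested objects into one flat dict of columns."""
    columns = {}
    for key, value in obj.items():
        path = prefix + (key,)
        if isinstance(value, dict):
            columns.update(flatten(value, path))
            continue
        name = column_name(path)
        if not prefix:  # only the top-level hostname/group are renamed
            name = RESERVED.get(name, name)
        columns[name] = convert(key, value)
    return columns


def parse_line(line):
    """Split header from payload; returns all columns, extra ones included."""
    m = HEADER.match(line)
    if not m:
        raise ValueError("not a vuln.tenable.io log line")
    row = {"eventdate": datetime.strptime(m["eventdate"], "%Y-%m-%d %H:%M:%S.%f")}
    row.update(flatten(json.loads(m["payload"])))
    row["hostchain"], row["tag"] = m["hostchain"], m["tag"]  # Extra columns
    return row


# Constructed input: abbreviated copies of the samples on this page.
ASSET_LINE = (
    "2021-05-14 15:54:46.257 localhost=127.0.0.1 vuln.tenable.io.assets: "
    '{"time_end": "2020-12-23T08:41:18.279Z", "counts": {"vulnerabilities": {"total": 43}}, '
    '"has_agent": true, "hostname": ["2018-emea-0403"], "vpr_score": 6.0, "severity": 3}'
)
AGENT_LINE = (
    "2021-05-14 16:31:28.453 localhost=127.0.0.1 vuln.tenable.io.agents: "
    '{"id": 38246924, "linked_on": 1618955646, "groups": [{"name": "CIS Scans", "id": 192286}]}'
)
SCANNER_LINE = (
    "2021-05-14 16:47:46.074 localhost=127.0.0.1 vuln.tenable.io.scanners: "
    '{"group": false, "hostname": "2018-EMEA-0403", "id": 330182, "status": "off"}'
)

if __name__ == "__main__":
    for line in (ASSET_LINE, AGENT_LINE, SCANNER_LINE):
        for name, value in parse_line(line).items():
            print(f"{name:28} {value!r}")
```

Feed it a full line from your collector output to see which columns are produced and which ones are marked Extra (hostchain and tag) before writing queries against the table.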