Technical documentation of Elasticsearch indexes
Cyberwatch ships an Elasticsearch and Kibana module to ease the analysis and creation of visualizations on the data generated by the software.
Cyberwatch publishes its data daily into the Elasticsearch indexes described below. This data is used to query or produce visualizations in Kibana.
The same data is also available as JSON exports.
Content of the asset index
The computers index represents the list of supervised assets with the following information for each:
| Field | Type | Description | Examples of possible values |
|---|---|---|---|
| _id | Integer | Asset ID in Cyberwatch | 388 |
| agent_version | Text | Agent version used for supervision in case of agent supervision. Empty for agentless connections | 4.2 |
| compliance_rules_count | Integer | Number of compliance rules affected to the asset | 72 |
| compliance_rules_failed_count | Integer | Number of compliance rules who failed affected to the asset | 32 |
| compliance_rules_succeed_count | Integer | Number of compliance rules who succeed affected to the asset | 40 |
| computer_category | Text | Differentiates assets category | server, desktop, hypervisor, network_device... |
| computer_description | Text | Description of the asset as defined in Cyberwatch | Production server for ticketing platform |
| computer_environment | Text | Criticality of the asset as defined in Cyberwatch | Medium |
| computer_name | Text | Hostname of the asset | server01 |
| computer_os | Text | Unique key of the operating system | debian_9_64, windows_2008... |
| computer_os_arch | Text | Architecture of the operating system | AMD64, x86_64, i3686... |
| computer_os_build | Text | Kernel version of the operating system | oracle_8_64, windows_10_21h1_64 |
| computer_os_name | Text | Name of the operating system | Debian GNU/Linux 9 (stretch), Microsoft® Windows Server® 2008 Standard... |
| computer_status | Text | Global asset status for Cyberwatch | server_vulnerable, server_compliant... |
| computer_status_compliance | Text | Status of the asset regarding Cyberwatch compliance module | cbw_compliance_server_compliant, cbw_compliance_server_not_compliant... |
| created_at | Date | Creation date of the asset in Cyberwatch | 01/01/2018 |
| critical_cve_announcements_count | Integer | Number of prioritized vulnerabilities on the asset | 0 |
| cve_announcements_count | Integer | Number of active vulnerabilities on the asset | 0 |
| project | Text | Name of the project | my-project |
| groups | Table of text elements | Lists of asset groups | production, Paris |
| has_exploits | Boolean | Indicates the detection public exploits for at least one of the asset's active vulnerabilities | true |
| host | Text | Domain name or IP address of the asset | server01.example.com, 192.168.0.1... |
| last_communication | Date | Last communication of the asset with Cyberwatch | 07/08/18 |
| max_cve_epss | Float | Maximum EPSS score of vulnerabilities detected on this asset | 0.93672 |
| max_cve_level | Text | Maximum level of vulnerabilities detected on this asset | level_medium |
| need_reboot | Boolean | Indicates the need for the asset to reboot | true |
| repositories | Table of text elements | Repositories associated to the asset | CIS_Benchmark, CIS_Benchmark_level_1 |
| remote_ip | Text | IP of the asset | 192.168.0.1 |
| scan_only | Boolean | Indicates the asset is in supervision only mode | false |
| updated_at | Date | Last update of the asset | 07/08/18 |
| updates_count | Integer | Number of available patches | 22 |
Content of the computers_cves index
The computers_cves index represents a list of asset/vulnerability pairs with the following information:
| field | Type | Description | Examples of possible values |
|---|---|---|---|
| _id | Integer | Asset/vulnerability pair ID in Cyberwatch | 5153 |
| active | Boolean | Indicates the current presence of the vulnerability on the asset | true |
| certfr_exploit_added_at | Date | Date of addition into CERTFR-ALE | 01/01/18 |
| cisa_exploit_added_at | Date | Date of addition into CISA KEV | 07/08/18 |
| computer_category | Text | Differentiates servers and workstations | server, desktop, hypervisor, network_device... |
| computer_description | Text | Description of the asset as defined in Cyberwatch | Production server for ticketing platform |
| computer_environment | Text | Criticality of the asset as defined in Cyberwatch | Medium |
| computer_id | Integer | Asset ID in Cyberwatch | 255 |
| computer_name | Text | Hostname of the asset | server01 |
| computer_os | Text | Unique key of the operating system | debian_9_64, windows_2008... |
| computer_os_arch | Text | Architecture of the operating system | AMD64, x86_64, i3686... |
| computer_os_build | Text | Kernel version of the operating system | oracle_8_64, windows_10_21h1_64 |
| computer_os_name | Text | Name of the operating system | Debian GNU/Linux 9 (stretch), Microsoft® Windows Server® 2008 Standard... |
| created_at | Date | Creation date of the asset in Cyberwatch | 01/01/2018 |
| critical | Boolean | Indicates whether the vulnerability is to be prioritized on the asset | false |
| cve_code | Text | Unique identifier of the vulnerability | CVE-2016-6321 |
| cve_epss | Float | EPSS score of the vulnerability | 0.93672 |
| cve_level | Text | Severity level of the vulnerability as configured in Cyberwatch | medium |
| cve_published_at | Date | CVE Publication Date | 07/08/18 |
| cve_score | Float | Severity score of the vulnerability | 7.6 |
| cve_status | Text | Vulnerability status on the affected asset | active, active_with_exploits, fixed, ignored |
| environmental_score | Float | Environmental score of the vulnerability | 7.6 |
| cvss_v3_access_complexity | Text | Vulnerability exploitability metric: access complexity | access_complexity_medium |
| cvss_v3_access_vector | Text | Vulnerability exploitability metric: access vector | access_vector_network |
| cvss_v3_availability_impact | Text | Vulnerability impact metric: availability | availability_impact_partial |
| cvss_v3_confidentiality_impact | Text | Vulnerability impact metric: confidentiality | confidentiality_impact_partial |
| cvss_v3_integrity_impact | Text | Vulnerability impact metric: integrity | integrity_impact_partial |
| cvss_v3_privileges_required | Text | Vulnerability impact metric: privileges required | privileges_required_none |
| cvss_v3_scope | Text | Vulnerability exploitability metric: scope | scope_unchanged |
| cvss_v3_user_interaction | Text | Vulnerability exploitability metric: user interaction | user_interaction_required |
| exploit_code_maturity | Text | Available public exploits maturity for the vulnerability | functional |
| fixed_at | Date | Correction date of the vulnerability on the asset | 07/08/18 |
| project | Text | Name of the project | my-project |
| groups | Table of text elements | Lists of groups | production, Paris |
| ignored | Boolean | Indicates whether the vulnerability has been ignored on the asset or not | false |
| most_regularly_used_cve | Boolean | Indicates whether the vulnerability is one of the most regularly used cve or not | 7.6 |
| ssvc_decision | Text | SSVC decision according to CISA’s criteria | Track |
| updated_at | Date | Last update | 07/08/18 |
Content of the computers_groups index
The computers_groups index represents a list of groups/assets pairs with the following information:
| field | Type | Description | Examples of possible values |
|---|---|---|---|
| _id | Integer | ID of the group in Cyberwatch | 15 |
| average_exploitable_vulns | Integer | Average number of vulnerabilities with public exploits on each asset of the group | 58 |
| average_high_vulns | Integer | Average number of high severity vulnerabilities on each asset of the group | 63 |
| average_low_or_med_vulns | Integer | Average number of low or medium severity vulnerabilities on each asset of the group | 85 |
| computers_count | Integer | Number of assets in the group | 73 |
| groups | Text | Name of the group | admin_group |
Content of the computers_security_issues index
Index computers_security_issues lists the occurrences of the detected security issues in your IT infrastructure. Each entry represents a security issue on one specific asset, so if a security issue affects 3 assets, the index will have 3 entries.
| Field | Type | Description | Examples of possible values |
|---|---|---|---|
| _id | Integer | ID of the occurrence of the security issue. | 123 |
| computer_category | Text | Category of the affected asset. | server, desktop, hypervisor, network_device, network_target_or_website, docker_image, industrial_device |
| computer_description | Text | User description of the affected asset. | Production server for ticketing platform |
| computer_environment | Text | Criticality of the affected asset. | low, medium, high |
| computer_id | Integer | ID of the affected asset. | 80 |
| computer_name | Text | Name of the affected asset. | DESKTOP-1234 |
| computer_os | Text | Unique key of the operating system | ubuntu_2104_64, windows_10_21h1_64 |
| computer_os_arch | Text | Architecture of the operating system | i386, x86, x86_64, AMD64 |
| computer_os_build | Text | Kernel version of the operating system | oracle_8_64, windows_10_21h1_64 |
| computer_os_name | Text | Name of the operating system | Ubuntu 21.04, Microsoft Windows 10 |
| created_at | Date | Date of the first detection of the security issue. | 07/08/18 |
| project | Text | Name of the project | my-project |
| groups | List of text elements | Lists of asset groups. | production, Paris |
| payload | Text | Content of the payload. | X-Frame-Options is not set |
| security_issue_code | Text | Reference of the type of the security issue. | WSTG-INPV-01 |
| security_issue_level | Text | Criticality of the security issue. | info, low, medium, high, critical |
| security_issue_title | Text | Denomination of the security issue. | HTTP Strict Transport Security |
| status | Text | Status of the security issue. | active, fixed, ignored |
| updated_at | Date | Date of the last update of the security issue. | 07/08/18 |
Content of the cve_announcements index
The cve_announcements index represents the list of vulnerabilities that have been detected by Cyberwatch with the following information:
| field | Type | Description | Examples of possible values |
|---|---|---|---|
| _id | Integer | Id of the vulnerability in Cyberwatch | 102783 |
| certfr_exploit_added_at | Date | Date of addition into CERTFR-ALE | 01/01/18 |
| cisa_exploit_added_at | Date | Date of addition into CISA KEV | 07/08/18 |
| computers_count | Integer | Number of assets affected | 1 |
| cve_code | Text | Unique identifier of the vulnerability | CVE-2016-6321 |
| cve_level | Text | Severity level of the vulnerability as configured in Cyberwatch | level_medium |
| cve_published_at | Date | CVE publication date | 07/08/18 |
| cve_score | Float | Severity score of the vulnerability | 7.6 |
| cvss_v3_access_complexity | Text | Vulnerability exploitability metric: access complexity | access_complexity_medium |
| cvss_v3_access_vector | Text | Vulnerability exploitability metric: access vector | access_vector_network |
| cvss_v3_availability_impact | Text | Vulnerability impact metric: availability | availability_impact_partial |
| cvss_v3_confidentiality_impact | Text | Vulnerability impact metric: confidentiality | confidentiality_impact_partial |
| cvss_v3_integrity_impact | Text | Vulnerability impact metric: integrity | integrity_impact_partial |
| cvss_v3_privileges_required | Text | Vulnerability impact metric: privileges required | privileges_required_none |
| cvss_v3_scope | Text | Vulnerability exploitability metric: scope | scope_unchanged |
| cvss_v3_user_interaction | Text | Vulnerability exploitability metric: user interaction | user_interaction_required |
| cwe_code | Text | CWE code of the vulnerability | CWE-327 |
| attack_patterns | List of text elements | List of attack patterns | [CAPEC-10, CAPEC-101] |
| attack_techniques | List of text elements | List of attack techniques | [T1027, T1539] |
| epss | Float | EPSS score of the vulnerability | 0.93672 |
| exploit_code_maturity | Text | Available public exploits maturity for the vulnerability | functional |
| first_detected_at | Date | First detection date | 01/01/18 |
| last_modified | Date | Last modification date | 20/07/23 |
| note_custom | Text | Comment | Important CVE |
Content of the rules_server index
The rules_server index represents a list of assets/rules pairs with the following information:
| field | Type | Description | Examples of possible values |
|---|---|---|---|
| _id | Integer | ID of the pair asset/rule in Cyberwatch | 73 |
| computer_category | Text | Differentiates servers and workstations | server, desktop |
| computer_description | Text | Description of the asset as defined in Cyberwatch | Production server for ticketing platform |
| computer_environment | Text | Criticality of the asset as defined in Cyberwatch | Medium |
| project | Text | Name of the project | my-project |
| computers_groups | Table of text elements | Lists of asset groups | production, Paris |
| computer_id | Integer | Asset Id in Cyberwatch | 255 |
| computer_name | Text | Hostname of the asset | server01 |
| computer_os | Text | Unique key of the operating system | debian_9_64, windows_2008... |
| computer_os_arch | Text | Architecture of the operating system | AMD64, x86_64, i3686 ... |
| computer_os_name | Text | Name of the operating system | Debian GNU/Linux 9 (stretch), Microsoft® Windows Server® 2008 Standard... |
| created_at | Date | Creation of the rule_server in Cyberwatch | 20/03/2019 |
| rule_code | Text | Code of the rule in Cyberwatch's Rule Encyclopedia | linux-007 |
| repositories | Table of text elements | Repositories associated to the rule in Cyberwatch | CIS_Benchmark, CIS_Benchmark_level_1 |
| rule_level | Text | Level of the compliance rule | minimal, medium... |
| status | Text | Status of the rule on the asset | cbw_compliance_script_success, cbw_compliance_script_failed... |
| updated_at | Date | Rule last update date | 26/03/21 |
Content of the computers_packages index
Index computers_packages lists the occurrences of the detected technologies in your IT infrastructure. Each entry represents a technology on one specific asset, so if a technology affects 3 assets, the index will have 3 entries.
| Field | Type | Description | Examples of possible values |
|---|---|---|---|
| id | Integer | ID of the occurrence of the technology. | 123 |
| computer_category | Text | Category of the affected asset. | server, desktop, hypervisor, network_device, network_target_or_website, docker_image, industrial_device |
| computer_description | Text | User description of the affected asset. | Production server for ticketing platform |
| computer_environment | Text | Criticality of the affected asset. | low, medium, high |
| computer_id | Integer | ID of the affected asset. | 80 |
| computer_name | Text | Name of the affected asset. | DESKTOP-1234 |
| computer_os | Text | Unique key of the operating system | ubuntu_2104_64, windows_10_21h1_64 |
| computer_os_arch | Text | Architecture of the operating system | i386, x86, x86_64, AMD64 |
| computer_os_build | Text | Kernel version of the operating system | oracle_8_64, windows_10_21h1_64 |
| computer_os_name | Text | Name of the operating system | Ubuntu 21.04, Microsoft Windows 10 |
| computer_os_type | Text | Type of the operating system | Linux, Windows |
| project | Text | Name of the project | my-project |
| groups | List of text elements | Lists of asset groups. | production, Paris |
| package_vendor | Text | Vendor name of the technology. | Mozilla |
| package_product | Text | Product name of the technology. | Firefox |
| package_version | Text | Version of the technology. | 66.0.3 |
| package_type | Text | Type of the technology. | Application |
| package_eol | Date | End of Life date of the technology. | 26/03/21 |
| package_detected_at | Date | Date of the first detection of the technology. | 26/03/21 |
| package_updated_at | Date | Date of the last detection of the technology. | 26/03/21 |
Content of the computers_metadata index
Index computers_metadata lists the occurrences of the detected metadata in your IT infrastructure. Each entry represents a metadatum on one specific asset, so if a metadatum affects 3 assets, the index will have 3 entries.
| Field | Type | Description | Examples of possible values |
|---|---|---|---|
| id | Integer | ID of the occurrence of the metadatum. | 123 |
| computer_category | Text | Category of the affected asset. | server, desktop, hypervisor, network_device, network_target_or_website, docker_image, industrial_device |
| computer_description | Text | User description of the affected asset. | Production server for ticketing platform |
| computer_environment | Text | Criticality of the affected asset. | low, medium, high |
| computer_id | Integer | ID of the affected asset. | 80 |
| computer_name | Text | Name of the affected asset. | DESKTOP-1234 |
| computer_os | Text | Unique key of the operating system | ubuntu_2104_64, windows_10_21h1_64 |
| computer_os_arch | Text | Architecture of the operating system | i386, x86, x86_64, AMD64 |
| computer_os_build | Text | Kernel version of the operating system | oracle_8_64, windows_10_21h1_64 |
| computer_os_name | Text | Name of the operating system | Ubuntu 21.04, Microsoft Windows 10 |
| computer_os_type | Text | Type of the operating system | Linux, Windows |
| project | Text | Name of the project | my-project |
| groups | List of text elements | Lists of asset groups. | production, Paris |
| metadatum_key | Text | Key of the metadatum. | processor-version |
| metadatum_value | Text | Value of the metadatum. | Intel(R) Core(TM) i7-10700 CPU @ 2.90GHz |
Content of the computers_updates index
Index computers_updates lists the available updates for the detected assets in your IT infrastructure. Each entry represents an update for one specific asset, so if an update affects 3 assets, the index will have 3 entries.
| Field | Type | Description | Examples of possible values |
|---|---|---|---|
| id | Integer | ID of the update. | 123 |
| computer_category | Text | Category of the affected asset. | server, desktop, hypervisor, network_device, network_target_or_website, docker_image, industrial_device, ... |
| computer_environment | Text | Criticality of the affected asset. | low, medium, high, ... |
| computer_id | Integer | ID of the affected asset. | 80 |
| computer_name | Text | Name of the affected asset. | DESKTOP-1234 |
| computer_os | Text | Unique key of the operating system | ubuntu_2104_64, windows_10_21h1_64 |
| computer_os_arch | Text | Architecture of the operating system | i386, x86, x86_64, AMD64 |
| computer_os_build | Text | Kernel version of the operating system | oracle_8_64, windows_10_21h1_64 |
| computer_os_name | Text | Name of the operating system | Ubuntu 21.04, Microsoft Windows 10 |
| computer_os_type | Text | Type of the operating system | Linux, Windows |
| critical_cve_announcements_count | Integer | The number of critical CVE fixed | 0, 1, 2, 3 ... |
| cve_announcements_count | Integer | The number of CVE fixed | 0, 1, 2, 3 ... |
| project | Text | Name of the project | my-project |
| groups | List of text elements | Lists of asset groups. | production, Paris |
| max_cve_epss | Float | Maximum EPSS score of vulnerabilities fixed | 0.93672 |
| max_cve_level | Text | Maximum level of vulnerabilities fixed | level_medium |
| max_cve_score | Float | Maximum cvss score of vulnerabilities fixed. | 9.8 |
| max_exploit_code_maturity | Text | Maximum maturity of code exploit available | unproven, high, proof_of_concept |
| update_current.product | Text | Current product name | curl.x86_64 |
| update_current.vendor | Text | Current product vendor | elastic, cisco |
| update_current.version | Text | Current version of the product | 7.0.27-0+deb9u1 |
| update_ignored | Boolean | Is the update ignored | False |
| update_patchable | Boolean | Is the update patchable | True |
| update_target.product | Text | Target product name | curl.x86_64 |
| update_target.vendor | Text | Target product vendor | elastic, cisco |
| update_target.version | Text | Target version of the product | 7.0.27-0+deb9u1 |
| update_type | Text | Type of the update | DEB, RPM, ... |
Content of the computers_ports index
Index computers_ports list every information related to available ports in your IT infrastructure. Each entry represents a specific port, so if it affects 3 assets, the index will have 3 entries.
| Field | Type | Description | Examples of possible values |
|---|---|---|---|
| computer_category | Text | Category of the affected asset. | server, desktop, hypervisor, network_device, network_target_or_website, docker_image, industrial_device, ... |
| computer_description | Text | Description of the asset as defined in Cyberwatch | Production server for ticketing platform |
| computer_environment | Text | Criticality of the affected asset. | low, medium, high, ... |
| computer_id | Integer | ID of the affected asset. | 80 |
| computer_name | Text | Name of the affected asset. | DESKTOP-1234 |
| computer_os | Text | Unique key of the operating system | ubuntu_2104_64, windows_10_21h1_64 |
| computer_os_arch | Text | Architecture of the operating system | i386, x86, x86_64, AMD64 |
| computer_os_build | Text | Kernel version of the operating system | oracle_8_64, windows_10_21h1_64 |
| computer_os_name | Text | Name of the operating system | Ubuntu 21.04, Microsoft Windows 10 |
| computer_os_type | Text | Type of the operating system | Linux, Windows |
| created_at | Date | Creation of the rule_server in Cyberwatch | 20/03/2019 |
| project | Text | Name of the project | my-project |
| groups | List of text elements | Lists of asset groups. | production, Paris |
| port_number | Integer | Port number | 80, 443 |
| port_product | Text | Name of the service using the port | openssh-server, apache2-bin |
| port_protocol | Text | Protocol use by the port | UDP, TCP |
| port_vendor | Text | Vendor's port name | sap |
| port_version | Text | Service's port version | 4.4.1-2.3ubuntu2.3 |
Content of the computers_services index
Index computers_services list every information related to available services in your IT infrastructure. Each entry represents a specific service, so if it affects 3 assets, the index will have 3 entries.
| Field | Type | Description | Examples of possible values |
|---|---|---|---|
| computer_category | Text | Category of the affected asset. | server, desktop, hypervisor, network_device, network_target_or_website, docker_image, industrial_device, ... |
| computer_description | Text | Description of the asset as defined in Cyberwatch | Production server for ticketing platform |
| computer_environment | Text | Criticality of the affected asset. | low, medium, high, ... |
| computer_id | Integer | ID of the affected asset. | 80 |
| computer_name | Text | Name of the affected asset. | DESKTOP-1234 |
| computer_os | Text | Unique key of the operating system | ubuntu_2104_64, windows_10_21h1_64 |
| computer_os_arch | Text | Architecture of the operating system | i386, x86, x86_64, AMD64 |
| computer_os_build | Text | Kernel version of the operating system | oracle_8_64, windows_10_21h1_64 |
| computer_os_name | Text | Name of the operating system | Ubuntu 21.04, Microsoft Windows 10 |
| computer_os_type | Text | Type of the operating system | Linux, Windows |
| groups | List of text elements | Lists of asset groups. | production, Paris |
| service_name | Text | Service's name | nginx, cyberwatch-agent |
| service_status | Text | Service's status | Auto, Manual, static, disabled |
| service_updated_at | Date | Last updated date of service's status | 26/03/21 |