
Technical documentation of Elasticsearch indexes

Cyberwatch ships an Elasticsearch and Kibana module to ease the analysis of the data generated by the software and the creation of visualizations on top of it.

Cyberwatch publishes its data daily into the Elasticsearch indexes described below. This data can then be queried, or used to build visualizations, in Kibana.

The same data is also available as JSON exports.

Content of the asset index

The computers index (the asset index) represents the list of supervised assets with the following information for each:

| Field | Type | Description | Examples of possible values |
| --- | --- | --- | --- |
| _id | Integer | Asset ID in Cyberwatch | 388 |
| agent_version | Text | Version of the agent used for supervision, when the asset is supervised by an agent. Empty for agentless connections | 4.2 |
| compliance_rules_count | Integer | Number of compliance rules assigned to the asset | 72 |
| computer_category | Text | Category of the asset | server, desktop, hypervisor, network_device... |
| computer_description | Text | Description of the asset as defined in Cyberwatch | Production server for ticketing platform |
| computer_environment | Text | Criticality of the asset as defined in Cyberwatch | Medium |
| computer_name | Text | Hostname of the asset | server01 |
| computer_os | Text | Unique key of the operating system | debian_9_64, windows_2008... |
| computer_os_arch | Text | Architecture of the operating system | AMD64, x86_64, i3686... |
| computer_os_build | Text | Kernel version of the operating system | |
| computer_os_name | Text | Name of the operating system | Debian GNU/Linux 9 (stretch), Microsoft® Windows Server® 2008 Standard... |
| computer_status | Text | Global status of the asset in Cyberwatch | server_vulnerable, server_compliant... |
| computer_status_compliance | Text | Status of the asset in the Cyberwatch compliance module | cbw_compliance_server_compliant, cbw_compliance_server_not_compliant... |
| created_at | Date | Creation date of the asset in Cyberwatch | 01/01/2018 |
| critical_cve_announcements_count | Integer | Number of prioritized vulnerabilities on the asset | 0 |
| cve_announcements_count | Integer | Number of active vulnerabilities on the asset | 0 |
| groups | List of text elements | List of the asset's groups | production, Paris |
| has_exploits | Boolean | Indicates whether a public exploit has been detected for at least one of the asset's active vulnerabilities | true |
| host | Text | Domain name or IP address of the asset | server01.example.com, 192.168.0.1... |
| last_communication | Date | Last communication of the asset with Cyberwatch | 07/08/18 |
| max_cve_epss | Float | Maximum EPSS score among the vulnerabilities detected on the asset | 0.93672 |
| max_cve_level | Text | Maximum severity level among the vulnerabilities detected on the asset | level_medium |
| need_reboot | Boolean | Indicates whether the asset needs to be rebooted | true |
| repositories | List of text elements | Repositories associated with the asset | CIS_Benchmark, CIS_Benchmark_level_1 |
| remote_ip | Text | IP address of the asset | 192.168.0.1 |
| scan_only | Boolean | Indicates whether the asset is in supervision-only mode | false |
| updated_at | Date | Last update of the asset | 07/08/18 |
| updates_count | Integer | Number of available patches | 22 |

Content of the computers_cves index

The computers_cves index represents the list of asset/vulnerability pairs with the following information for each:

| Field | Type | Description | Examples of possible values |
| --- | --- | --- | --- |
| _id | Integer | Asset/vulnerability pair ID in Cyberwatch | 5153 |
| active | Boolean | Indicates whether the vulnerability is currently present on the asset | true |
| certfr_exploit_added_at | Date | Date of addition to the CERTFR-ALE list | 01/01/18 |
| cisa_exploit_added_at | Date | Date of addition to the CISA KEV catalog | 07/08/18 |
| computer_category | Text | Category of the asset | server, desktop, hypervisor, network_device... |
| computer_description | Text | Description of the asset as defined in Cyberwatch | Production server for ticketing platform |
| computer_environment | Text | Criticality of the asset as defined in Cyberwatch | Medium |
| computer_id | Integer | Asset ID in Cyberwatch | 255 |
| computer_name | Text | Hostname of the asset | server01 |
| computer_os | Text | Unique key of the operating system | debian_9_64, windows_2008... |
| computer_os_arch | Text | Architecture of the operating system | AMD64, x86_64, i3686... |
| computer_os_build | Text | Kernel version of the operating system | |
| computer_os_name | Text | Name of the operating system | Debian GNU/Linux 9 (stretch), Microsoft® Windows Server® 2008 Standard... |
| created_at | Date | Creation date of the asset in Cyberwatch | 01/01/2018 |
| critical | Boolean | Indicates whether the vulnerability is prioritized on the asset | false |
| cve_code | Text | Unique identifier of the vulnerability | CVE-2016-6321 |
| cve_epss | Float | EPSS score of the vulnerability | 0.93672 |
| cve_level | Text | Severity level of the vulnerability as configured in Cyberwatch | medium |
| cve_published_at | Date | CVE publication date | 07/08/18 |
| cve_score | Float | Severity score of the vulnerability | 7.6 |
| cve_status | Text | Status of the vulnerability on the affected asset | active, active_with_exploits, fixed, ignored |
| environmental_score | Float | Environmental score of the vulnerability | 7.6 |
| cvss_v3_access_complexity | Text | Exploitability metric: access complexity | access_complexity_medium |
| cvss_v3_access_vector | Text | Exploitability metric: access vector | access_vector_network |
| cvss_v3_availability_impact | Text | Impact metric: availability | availability_impact_partial |
| cvss_v3_confidentiality_impact | Text | Impact metric: confidentiality | confidentiality_impact_partial |
| cvss_v3_integrity_impact | Text | Impact metric: integrity | integrity_impact_partial |
| cvss_v3_privileges_required | Text | Exploitability metric: privileges required | privileges_required_none |
| cvss_v3_scope | Text | Scope metric | scope_unchanged |
| cvss_v3_user_interaction | Text | Exploitability metric: user interaction | user_interaction_required |
| exploit_code_maturity | Text | Maturity of the public exploits available for the vulnerability | functional |
| fixed_at | Date | Date on which the vulnerability was fixed on the asset | 07/08/18 |
| groups | List of text elements | List of the asset's groups | production, Paris |
| ignored | Boolean | Indicates whether the vulnerability has been ignored on the asset | false |
| most_regularly_used_cve | Boolean | Indicates whether the vulnerability is one of the most regularly used CVEs | true, false |
| updated_at | Date | Last update | 07/08/18 |
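The per-asset counters of the computers index (cve_announcements_count, critical_cve_announcements_count, has_exploits) are summaries of the pairs stored in computers_cves, so the two indexes can be checked against each other after each daily publication. The following script is an added example, not Cyberwatch code: it assumes the documents are available as plain JSON objects (from the JSON export or an Elasticsearch hit's _source) keyed by the field names documented above, and it assumes that an ignored pair does not count as an active vulnerability. The sample documents are constructed for the example.

```python
"""Cross-check the computers index against the computers_cves index.

Added example, not Cyberwatch code. Assumes documents as plain JSON objects whose
keys are the documented field names, and that an ignored pair does not count as
an active vulnerability (an assumption; adjust if your instance counts differently).
"""
from collections import defaultdict

# Constructed sample documents from the computers index (not real data).
COMPUTERS = [
    {"_id": 1, "computer_name": "server01", "cve_announcements_count": 2,
     "critical_cve_announcements_count": 1, "has_exploits": True},
    {"_id": 2, "computer_name": "desktop07", "cve_announcements_count": 1,
     "critical_cve_announcements_count": 0, "has_exploits": False},
]

# Constructed sample documents from the computers_cves index (not real data).
COMPUTERS_CVES = [
    {"_id": 10, "computer_id": 1, "cve_code": "CVE-2016-6321", "active": True,
     "ignored": False, "critical": True, "cve_status": "active_with_exploits"},
    {"_id": 11, "computer_id": 1, "cve_code": "CVE-2019-0759", "active": True,
     "ignored": False, "critical": False, "cve_status": "active"},
    {"_id": 12, "computer_id": 1, "cve_code": "CVE-2019-0836", "active": False,
     "ignored": False, "critical": False, "cve_status": "fixed"},
    # desktop07 carries an active pair with a public exploit, but the asset
    # document above says has_exploits = false: the check below must flag it.
    {"_id": 13, "computer_id": 2, "cve_code": "CVE-2016-6321", "active": True,
     "ignored": False, "critical": False, "cve_status": "active_with_exploits"},
]


def summarize_pairs(pairs):
    """Recompute, per computer_id, the counters the computers index carries."""
    summary = defaultdict(lambda: {"active": 0, "critical": 0, "has_exploits": False})
    for pair in pairs:
        if not pair["active"] or pair["ignored"]:
            continue
        counters = summary[pair["computer_id"]]
        counters["active"] += 1
        if pair["critical"]:
            counters["critical"] += 1
        if pair["cve_status"] == "active_with_exploits":
            counters["has_exploits"] = True
    return dict(summary)


def find_inconsistencies(computers, pairs):
    """Return (computer_id, field, value_in_computers_index, value_recomputed)
    tuples for every asset whose counters disagree with its computers_cves entries."""
    summary = summarize_pairs(pairs)
    empty = {"active": 0, "critical": 0, "has_exploits": False}
    issues = []
    for asset in computers:
        recomputed = summary.get(asset["_id"], empty)
        checks = [
            ("cve_announcements_count", asset["cve_announcements_count"], recomputed["active"]),
            ("critical_cve_announcements_count", asset["critical_cve_announcements_count"],
             recomputed["critical"]),
            ("has_exploits", asset["has_exploits"], recomputed["has_exploits"]),
        ]
        for field, stored, actual in checks:
            if stored != actual:
                issues.append((asset["_id"], field, stored, actual))
    return issues


if __name__ == "__main__":
    for issue in find_inconsistencies(COMPUTERS, COMPUTERS_CVES):
        print("asset %d: %s is %r in computers but %r from computers_cves" % issue)
```

A non-empty result after a daily publication usually means the two indexes were exported at different moments, or that the local rule for what counts as active (here: active and not ignored) differs from the instance's; either way it is worth knowing before building dashboards on the counters.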

Content of the computers_groups index

The computers_groups index represents the list of asset groups with the following aggregated information for each group:

| Field | Type | Description | Examples of possible values |
| --- | --- | --- | --- |
| _id | Integer | ID of the group in Cyberwatch | 15 |
| average_exploitable_vulns | Integer | Average number of vulnerabilities with public exploits per asset of the group | 58 |
| average_high_vulns | Integer | Average number of high severity vulnerabilities per asset of the group | 63 |
| average_low_or_med_vulns | Integer | Average number of low or medium severity vulnerabilities per asset of the group | 85 |
| computers_count | Integer | Number of assets in the group | 73 |
| groups | Text | Name of the group | admin_group |

Content of the computers_security_issues index

Index computers_security_issues lists the occurrences of the security issues detected in your IT infrastructure. Each entry represents a security issue on one specific asset, so if a security issue affects 3 assets, the index has 3 entries.

| Field | Type | Description | Examples of possible values |
| --- | --- | --- | --- |
| _id | Integer | ID of the occurrence of the security issue | 123 |
| computer_category | Text | Category of the affected asset | server, desktop, hypervisor, network_device, network_target_or_website, docker_image, industrial_device |
| computer_description | Text | User description of the affected asset | |
| computer_environment | Text | Criticality of the affected asset | low, medium, high |
| computer_id | Integer | ID of the affected asset | 80 |
| computer_name | Text | Name of the affected asset | DESKTOP-1234 |
| computer_os | Text | Unique key of the operating system | ubuntu_2104_64, windows_10_21h1_64 |
| computer_os_arch | Text | Architecture of the operating system | i386, x86, x86_64, AMD64 |
| computer_os_build | Text | Kernel version of the operating system | |
| computer_os_name | Text | Name of the operating system | Ubuntu 21.04, Microsoft Windows 10 |
| created_at | Date | Date of the first detection of the security issue | |
| groups | List of text elements | List of the asset's groups | production, Paris |
| security_issue_code | Text | Reference of the type of the security issue | WSTG-INPV-01 |
| security_issue_level | Text | Criticality of the security issue | info, low, medium, high, critical |
| status | Text | Status of the security issue | active, fixed, ignored |
| updated_at | Date | Date of the last update of the security issue | |

Content of the cve_announcements index

The cve_announcements index represents the list of vulnerabilities detected by Cyberwatch with the following information for each:

| Field | Type | Description | Examples of possible values |
| --- | --- | --- | --- |
| _id | Integer | ID of the vulnerability in Cyberwatch | 102783 |
| certfr_exploit_added_at | Date | Date of addition to the CERTFR-ALE list | 01/01/18 |
| cisa_exploit_added_at | Date | Date of addition to the CISA KEV catalog | 07/08/18 |
| computers_count | Integer | Number of affected assets | 1 |
| cve_code | Text | Unique identifier of the vulnerability | CVE-2016-6321 |
| cve_level | Text | Severity level of the vulnerability as configured in Cyberwatch | level_medium |
| cve_published_at | Date | CVE publication date | 07/08/18 |
| cve_score | Float | Severity score of the vulnerability | 7.6 |
| cvss_v3_access_complexity | Text | Exploitability metric: access complexity | access_complexity_medium |
| cvss_v3_access_vector | Text | Exploitability metric: access vector | access_vector_network |
| cvss_v3_availability_impact | Text | Impact metric: availability | availability_impact_partial |
| cvss_v3_confidentiality_impact | Text | Impact metric: confidentiality | confidentiality_impact_partial |
| cvss_v3_integrity_impact | Text | Impact metric: integrity | integrity_impact_partial |
| cvss_v3_privileges_required | Text | Exploitability metric: privileges required | privileges_required_none |
| cvss_v3_scope | Text | Scope metric | scope_unchanged |
| cvss_v3_user_interaction | Text | Exploitability metric: user interaction | user_interaction_required |
| cwe_code | Text | CWE code of the vulnerability | CWE-327 |
| epss | Float | EPSS score of the vulnerability | 0.93672 |
| exploit_code_maturity | Text | Maturity of the public exploits available for the vulnerability | functional |
| first_detected_at | Date | Date of first detection | 01/01/18 |

Content of the rules_server index

The rules_server index represents the list of asset/rule pairs with the following information for each:

| Field | Type | Description | Examples of possible values |
| --- | --- | --- | --- |
| _id | Integer | ID of the asset/rule pair in Cyberwatch | 73 |
| computer_category | Text | Category of the asset (servers versus workstations) | server, desktop |
| computer_description | Text | Description of the asset as defined in Cyberwatch | Production server for ticketing platform |
| computer_environment | Text | Criticality of the asset as defined in Cyberwatch | Medium |
| computers_groups | List of text elements | List of the asset's groups | production, Paris |
| computer_id | Integer | Asset ID in Cyberwatch | 255 |
| computer_name | Text | Hostname of the asset | server01 |
| computer_os | Text | Unique key of the operating system | debian_9_64, windows_2008... |
| computer_os_arch | Text | Architecture of the operating system | AMD64, x86_64, i3686... |
| computer_os_name | Text | Name of the operating system | Debian GNU/Linux 9 (stretch), Microsoft® Windows Server® 2008 Standard... |
| created_at | Date | Creation date of the asset/rule pair in Cyberwatch | 20/03/2019 |
| rule_code | Text | Code of the rule in Cyberwatch's Rule Encyclopedia | linux-007 |
| repositories | List of text elements | Repositories associated with the rule in Cyberwatch | CIS_Benchmark, CIS_Benchmark_level_1 |
| rule_level | Text | Level of the compliance rule | minimal, medium... |
| status | Text | Status of the rule on the asset | cbw_compliance_script_success, cbw_compliance_script_failed... |
| updated_at | Date | Last update date of the rule on the asset | 26/03/21 |
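Because each rules_server entry is one asset/rule pair tagged with its repositories and a status, a compliance pass rate per repository (for instance per CIS Benchmark level) is a simple aggregation over the index. The following script is an added example, not Cyberwatch code: it assumes rules_server documents as plain JSON objects keyed by the field names documented above, and it treats cbw_compliance_script_success as the only status meaning "rule passed", every other status counting as not passed (an assumption). The sample documents are constructed for the example.

```python
"""Compliance pass rate per repository from the rules_server index.

Added example, not Cyberwatch code. Assumes documents as plain JSON objects with
the documented field names, and that cbw_compliance_script_success is the only
status meaning "rule passed" (an assumption; other statuses count as not passed).
"""
from collections import defaultdict

# Constructed sample documents (not real data).
RULES_SERVER = [
    {"_id": 73, "computer_name": "server01", "rule_code": "linux-007", "rule_level": "minimal",
     "repositories": ["CIS_Benchmark", "CIS_Benchmark_level_1"],
     "status": "cbw_compliance_script_success"},
    {"_id": 74, "computer_name": "server01", "rule_code": "linux-012", "rule_level": "medium",
     "repositories": ["CIS_Benchmark"], "status": "cbw_compliance_script_failed"},
    {"_id": 75, "computer_name": "server02", "rule_code": "linux-007", "rule_level": "minimal",
     "repositories": ["CIS_Benchmark", "CIS_Benchmark_level_1"],
     "status": "cbw_compliance_script_failed"},
    {"_id": 76, "computer_name": "server02", "rule_code": "linux-012", "rule_level": "medium",
     "repositories": ["CIS_Benchmark"], "status": "cbw_compliance_script_failed"},
]

PASSED = "cbw_compliance_script_success"


def pass_rate_by_repository(rules):
    """Return {repository: (passed, total, ratio)}. A pair that belongs to several
    repositories (e.g. a CIS level 1 rule) is counted once in each of them."""
    counts = defaultdict(lambda: [0, 0])
    for rule in rules:
        for repo in rule["repositories"]:
            counts[repo][1] += 1
            if rule["status"] == PASSED:
                counts[repo][0] += 1
    return {repo: (p, t, p / t) for repo, (p, t) in counts.items()}


def failing_rules(rules, level):
    """Return sorted (computer_name, rule_code) pairs that fail a rule of the given
    level: the list to hand to whoever owns the assets."""
    return sorted(
        (r["computer_name"], r["rule_code"])
        for r in rules
        if r["rule_level"] == level and r["status"] != PASSED
    )


def status_breakdown_request(repository):
    """Equivalent Elasticsearch request body for Kibana Dev Tools
    (GET rules_server/_search): count pairs per status within one repository.
    Assumes keyword mappings; if the fields are mapped as text, query
    repositories.keyword and status.keyword instead."""
    return {
        "size": 0,
        "query": {"bool": {"filter": [{"term": {"repositories": repository}}]}},
        "aggs": {"by_status": {"terms": {"field": "status"}}},
    }


if __name__ == "__main__":
    for repo, (p, t, ratio) in sorted(pass_rate_by_repository(RULES_SERVER).items()):
        print("%-24s %d/%d passed (%.0f%%)" % (repo, p, t, 100 * ratio))
    print("failing minimal rules:", failing_rules(RULES_SERVER, "minimal"))
```

Counting a pair once per repository it belongs to matches how the repositories field is stored (a level 1 rule also belongs to the parent CIS_Benchmark repository), so the parent repository's total is larger than the sum of its children's.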

Content of the computers_packages index

Index computers_packages lists the occurrences of the technologies detected in your IT infrastructure. Each entry represents a technology on one specific asset, so if a technology is present on 3 assets, the index has 3 entries.

| Field | Type | Description | Examples of possible values |
| --- | --- | --- | --- |
| id | Integer | ID of the occurrence of the technology | 123 |
| computer_category | Text | Category of the affected asset | server, desktop, hypervisor, network_device, network_target_or_website, docker_image, industrial_device |
| computer_description | Text | User description of the affected asset | |
| computer_environment | Text | Criticality of the affected asset | low, medium, high |
| computer_id | Integer | ID of the affected asset | 80 |
| computer_name | Text | Name of the affected asset | DESKTOP-1234 |
| computer_os | Text | Unique key of the operating system | ubuntu_2104_64, windows_10_21h1_64 |
| computer_os_arch | Text | Architecture of the operating system | i386, x86, x86_64, AMD64 |
| computer_os_build | Text | Kernel version of the operating system | |
| computer_os_name | Text | Name of the operating system | Ubuntu 21.04, Microsoft Windows 10 |
| computer_os_type | Text | Type of the operating system | Linux, Windows |
| groups | List of text elements | List of the asset's groups | production, Paris |
| package_vendor | Text | Vendor name of the technology | Mozilla |
| package_product | Text | Product name of the technology | Firefox |
| package_version | Text | Version of the technology | 66.0.3 |
| package_type | Text | Type of the technology | Application |
| package_eol | Date | End of life date of the technology | |
| package_updated_at | Date | Last update date of the occurrence of the technology | |

Content of the computers_metadata index

Index computers_metadata lists the occurrences of the metadata detected in your IT infrastructure. Each entry represents a metadatum on one specific asset, so if a metadatum is present on 3 assets, the index has 3 entries.

| Field | Type | Description | Examples of possible values |
| --- | --- | --- | --- |
| id | Integer | ID of the occurrence of the metadatum | 123 |
| computer_category | Text | Category of the affected asset | server, desktop, hypervisor, network_device, network_target_or_website, docker_image, industrial_device |
| computer_description | Text | User description of the affected asset | |
| computer_environment | Text | Criticality of the affected asset | low, medium, high |
| computer_id | Integer | ID of the affected asset | 80 |
| computer_name | Text | Name of the affected asset | DESKTOP-1234 |
| computer_os | Text | Unique key of the operating system | ubuntu_2104_64, windows_10_21h1_64 |
| computer_os_arch | Text | Architecture of the operating system | i386, x86, x86_64, AMD64 |
| computer_os_build | Text | Kernel version of the operating system | |
| computer_os_name | Text | Name of the operating system | Ubuntu 21.04, Microsoft Windows 10 |
| computer_os_type | Text | Type of the operating system | Linux, Windows |
| groups | List of text elements | List of the asset's groups | production, Paris |
| metadatum_key | Text | Key of the metadatum | processor-version |
| metadatum_value | Text | Value of the metadatum | Intel(R) Core(TM) i7-10700 CPU @ 2.90GHz |

Content of the computers_updates index

Index computers_updates lists the updates available for the assets detected in your IT infrastructure. Each entry represents an update for one specific asset, so if an update applies to 3 assets, the index has 3 entries.

| Field | Type | Description | Examples of possible values |
| --- | --- | --- | --- |
| id | Integer | ID of the update | 123 |
| computer_category | Text | Category of the affected asset | server, desktop, hypervisor, network_device, network_target_or_website, docker_image, industrial_device, ... |
| computer_environment | Text | Criticality of the affected asset | low, medium, high, ... |
| computer_id | Integer | ID of the affected asset | 80 |
| computer_name | Text | Name of the affected asset | DESKTOP-1234 |
| computer_os | Text | Unique key of the operating system | ubuntu_2104_64, windows_10_21h1_64 |
| computer_os_arch | Text | Architecture of the operating system | i386, x86, x86_64, AMD64 |
| computer_os_build | Text | Kernel version of the operating system | |
| computer_os_name | Text | Name of the operating system | Ubuntu 21.04, Microsoft Windows 10 |
| computer_os_type | Text | Type of the operating system | Linux, Windows |
| critical_cve_announcements_count | Integer | Number of critical CVEs fixed by the update | 0, 1, 2, 3... |
| cve_announcements_count | Integer | Number of CVEs fixed by the update | 0, 1, 2, 3... |
| cve_code | List of text elements | Unique identifiers of the CVEs fixed by the update | ["CVE-2019-0759", "CVE-2019-0836"] |
| max_cve_epss | Float | Maximum EPSS score among the vulnerabilities fixed | 0.93672 |
| max_cve_level | Text | Maximum severity level among the vulnerabilities fixed | level_medium |
| max_cve_score | Float | Maximum CVSS score among the vulnerabilities fixed | 9.8 |
| max_exploit_code_maturity | Text | Maximum maturity of the exploit code available for the vulnerabilities fixed | unproven, proof_of_concept, high |
| update_current.product | Text | Current product name | curl.x86_64 |
| update_current.vendor | Text | Current product vendor | elastic, cisco |
| update_current.version | Text | Current version of the product | 7.0.27-0+deb9u1 |
| update_ignored | Boolean | Whether the update is ignored | False |
| update_patchable | Boolean | Whether the update can be applied by Cyberwatch | True |
| update_target.product | Text | Target product name | curl.x86_64 |
| update_target.vendor | Text | Target product vendor | elastic, cisco |
| update_target.version | Text | Target version of the product | 7.0.27-0+deb9u1 |
| update_type | Text | Type of the update | DEB, RPM, ... |
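The computers_updates index carries, for each update, the risk it removes (number of CVEs and of prioritized CVEs fixed, maximum EPSS, CVSS and exploit maturity among them) and whether it can be applied at all (update_patchable, update_ignored), which is everything needed to order a patch campaign. The following script is an added example, not Cyberwatch code: it assumes computers_updates documents as plain JSON objects keyed by the field names documented above, and the ranking order (prioritized CVEs first, then exploit maturity, EPSS, asset criticality and CVSS score) is this example's own choice, not a Cyberwatch rule. The sample documents, including the product names and versions, are constructed for the example.

```python
"""Rank the updates of the computers_updates index by the risk they remove.

Added example, not Cyberwatch code. Assumes documents as plain JSON objects with
the documented field names; the ranking order is this example's own choice.
"""

# Constructed sample documents (not real data).
UPDATES = [
    {"id": 1, "computer_name": "server01", "computer_environment": "high",
     "update_patchable": True, "update_ignored": False,
     "cve_announcements_count": 2, "critical_cve_announcements_count": 1,
     "cve_code": ["CVE-2016-6321", "CVE-2019-0759"],
     "max_cve_epss": 0.93672, "max_cve_score": 9.8, "max_exploit_code_maturity": "high",
     "update_target": {"product": "curl.x86_64", "version": "7.0.27-0+deb9u1"}},
    {"id": 2, "computer_name": "desktop07", "computer_environment": "low",
     "update_patchable": True, "update_ignored": False,
     "cve_announcements_count": 1, "critical_cve_announcements_count": 0,
     "cve_code": ["CVE-2019-0836"],
     "max_cve_epss": 0.12, "max_cve_score": 7.5, "max_exploit_code_maturity": "proof_of_concept",
     "update_target": {"product": "firefox", "version": "66.0.3"}},
    # Not patchable by Cyberwatch (e.g. a manual vendor update): listed, never ranked.
    {"id": 3, "computer_name": "server02", "computer_environment": "Medium",
     "update_patchable": False, "update_ignored": False,
     "cve_announcements_count": 1, "critical_cve_announcements_count": 1,
     "cve_code": ["CVE-2016-6321"],
     "max_cve_epss": 0.9, "max_cve_score": 9.8, "max_exploit_code_maturity": "functional",
     "update_target": {"product": "curl.x86_64", "version": "7.0.27-0+deb9u1"}},
    # Ignored by an operator: excluded as well.
    {"id": 4, "computer_name": "server03", "computer_environment": "high",
     "update_patchable": True, "update_ignored": True,
     "cve_announcements_count": 1, "critical_cve_announcements_count": 0,
     "cve_code": ["CVE-2019-0836"],
     "max_cve_epss": 0.5, "max_cve_score": 8.1, "max_exploit_code_maturity": "unproven",
     "update_target": {"product": "openssl", "version": "1.1.1"}},
    {"id": 5, "computer_name": "server04", "computer_environment": "Medium",
     "update_patchable": True, "update_ignored": False,
     "cve_announcements_count": 1, "critical_cve_announcements_count": 0,
     "cve_code": ["CVE-2019-0836"],
     "max_cve_epss": 0.4, "max_cve_score": 9.1, "max_exploit_code_maturity": "functional",
     "update_target": {"product": "openssl", "version": "1.1.1"}},
]

ENV_WEIGHT = {"low": 1, "medium": 2, "high": 3}
# CVSS v3 temporal "exploit code maturity" values, from least to most mature.
MATURITY_RANK = {"unproven": 0, "proof_of_concept": 1, "functional": 2, "high": 3}


def applicable(update):
    """Only updates Cyberwatch can apply, and that nobody ignored, are ranked."""
    return update["update_patchable"] and not update["update_ignored"]


def risk_key(update):
    """Sort key: the larger the tuple, the earlier the update should be applied."""
    return (
        update["critical_cve_announcements_count"],
        MATURITY_RANK.get(update["max_exploit_code_maturity"], 0),
        update["max_cve_epss"],
        ENV_WEIGHT.get(update["computer_environment"].lower(), 0),
        update["max_cve_score"],
    )


def prioritize_updates(updates, min_epss=0.0):
    """Return (computer_name, target product, target version) in patch order,
    keeping only applicable updates whose max EPSS reaches min_epss."""
    ranked = sorted((u for u in updates if applicable(u) and u["max_cve_epss"] >= min_epss),
                    key=risk_key, reverse=True)
    return [(u["computer_name"], u["update_target"]["product"], u["update_target"]["version"])
            for u in ranked]


def hosts_fixing(updates, cve):
    """Assets on which an applicable update fixes the given CVE (sorted, unique)."""
    return sorted({u["computer_name"] for u in updates if applicable(u) and cve in u["cve_code"]})


def prioritized_updates_request(min_epss=0.0):
    """Equivalent Elasticsearch request body for Kibana Dev Tools
    (GET computers_updates/_search): same filter, sorted by the numeric fields."""
    return {
        "query": {"bool": {"filter": [
            {"term": {"update_patchable": True}},
            {"term": {"update_ignored": False}},
            {"range": {"max_cve_epss": {"gte": min_epss}}},
        ]}},
        "sort": [{"critical_cve_announcements_count": "desc"},
                 {"max_cve_epss": "desc"}, {"max_cve_score": "desc"}],
    }


if __name__ == "__main__":
    for host, product, version in prioritize_updates(UPDATES):
        print("%-10s %s -> %s" % (host, product, version))
    print("hosts with an update for CVE-2019-0836:", hosts_fixing(UPDATES, "CVE-2019-0836"))
```

The Elasticsearch body cannot express the exploit maturity or environment ranking, which are text fields, so it sorts on the numeric counters only; the Python ordering is the one to use when the full key matters.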