Technical documentation of Elasticsearch indexes

Cyberwatch ships an Elasticsearch and Kibana module that makes it easier to analyse the data generated by the software and to build visualizations on it.

Cyberwatch publishes its data daily into the Elasticsearch indexes described below. This data can be queried directly or used to build visualizations in Kibana.

The same data is also available as JSON exports.

Content of the computers index

The computers index represents the list of supervised assets, with the following information for each asset:

| Field | Type | Description | Examples of possible values |
| --- | --- | --- | --- |
| _id | Integer | Asset ID in Cyberwatch | 388 |
| agent_version | Text | Version of the agent used for supervision when the asset is supervised with an agent. Empty for agentless connections | 4.2 |
| compliance_rules_count | Integer | Number of compliance rules assigned to the asset | 72 |
| compliance_rules_failed_count | Integer | Number of compliance rules assigned to the asset that failed | 32 |
| compliance_rules_succeed_count | Integer | Number of compliance rules assigned to the asset that succeeded | 40 |
| computer_category | Text | Category of the asset | server, desktop, hypervisor, network_device... |
| computer_description | Text | Description of the asset as defined in Cyberwatch | Production server for ticketing platform |
| computer_environment | Text | Criticality of the asset as defined in Cyberwatch | Medium |
| computer_name | Text | Hostname of the asset | server01 |
| computer_os | Text | Unique key of the operating system | debian_9_64, windows_2008... |
| computer_os_arch | Text | Architecture of the operating system | AMD64, x86_64, i686... |
| computer_os_build | Text | Kernel version of the operating system | |
| computer_os_name | Text | Name of the operating system | Debian GNU/Linux 9 (stretch), Microsoft® Windows Server® 2008 Standard... |
| computer_status | Text | Global status of the asset in Cyberwatch | server_vulnerable, server_compliant... |
| computer_status_compliance | Text | Status of the asset for the Cyberwatch compliance module | cbw_compliance_server_compliant, cbw_compliance_server_not_compliant... |
| created_at | Date | Creation date of the asset in Cyberwatch | 01/01/2018 |
| critical_cve_announcements_count | Integer | Number of prioritized vulnerabilities on the asset | 0 |
| cve_announcements_count | Integer | Number of active vulnerabilities on the asset | 0 |
| groups | List of text elements | Groups the asset belongs to | production, Paris |
| has_exploits | Boolean | Indicates that a public exploit is known for at least one of the asset's active vulnerabilities | true |
| host | Text | Domain name or IP address of the asset | server01.example.com, 192.168.0.1... |
| last_communication | Date | Last communication of the asset with Cyberwatch | 07/08/18 |
| max_cve_epss | Float | Maximum EPSS score among the vulnerabilities detected on this asset | 0.93672 |
| max_cve_level | Text | Maximum severity level among the vulnerabilities detected on this asset | level_medium |
| need_reboot | Boolean | Indicates that the asset needs a reboot | true |
| repositories | List of text elements | Repositories associated with the asset | CIS_Benchmark, CIS_Benchmark_level_1 |
| remote_ip | Text | IP address of the asset | 192.168.0.1 |
| scan_only | Boolean | Indicates that the asset is in supervision-only mode | false |
| updated_at | Date | Last update of the asset | 07/08/18 |
| updates_count | Integer | Number of available patches | 22 |

Content of the computers_cves index

The computers_cves index represents a list of asset/vulnerability pairs with the following information:

| Field | Type | Description | Examples of possible values |
| --- | --- | --- | --- |
| _id | Integer | Asset/vulnerability pair ID in Cyberwatch | 5153 |
| active | Boolean | Indicates that the vulnerability is currently present on the asset | true |
| certfr_exploit_added_at | Date | Date of addition to the CERTFR-ALE list | 01/01/18 |
| cisa_exploit_added_at | Date | Date of addition to the CISA KEV catalog | 07/08/18 |
| computer_category | Text | Category of the asset | server, desktop, hypervisor, network_device... |
| computer_description | Text | Description of the asset as defined in Cyberwatch | Production server for ticketing platform |
| computer_environment | Text | Criticality of the asset as defined in Cyberwatch | Medium |
| computer_id | Integer | Asset ID in Cyberwatch | 255 |
| computer_name | Text | Hostname of the asset | server01 |
| computer_os | Text | Unique key of the operating system | debian_9_64, windows_2008... |
| computer_os_arch | Text | Architecture of the operating system | AMD64, x86_64, i686... |
| computer_os_build | Text | Kernel version of the operating system | |
| computer_os_name | Text | Name of the operating system | Debian GNU/Linux 9 (stretch), Microsoft® Windows Server® 2008 Standard... |
| created_at | Date | Creation date of the asset in Cyberwatch | 01/01/2018 |
| critical | Boolean | Indicates whether the vulnerability is prioritized on the asset | false |
| cve_code | Text | Unique identifier of the vulnerability | CVE-2016-6321 |
| cve_epss | Float | EPSS score of the vulnerability | 0.93672 |
| cve_level | Text | Severity level of the vulnerability as configured in Cyberwatch | medium |
| cve_published_at | Date | CVE publication date | 07/08/18 |
| cve_score | Float | Severity score of the vulnerability | 7.6 |
| cve_status | Text | Status of the vulnerability on the affected asset | active, active_with_exploits, fixed, ignored |
| environmental_score | Float | Environmental score of the vulnerability | 7.6 |
| cvss_v3_access_complexity | Text | Exploitability metric: access complexity | access_complexity_medium |
| cvss_v3_access_vector | Text | Exploitability metric: access vector | access_vector_network |
| cvss_v3_availability_impact | Text | Impact metric: availability | availability_impact_partial |
| cvss_v3_confidentiality_impact | Text | Impact metric: confidentiality | confidentiality_impact_partial |
| cvss_v3_integrity_impact | Text | Impact metric: integrity | integrity_impact_partial |
| cvss_v3_privileges_required | Text | Exploitability metric: privileges required | privileges_required_none |
| cvss_v3_scope | Text | Scope metric | scope_unchanged |
| cvss_v3_user_interaction | Text | Exploitability metric: user interaction | user_interaction_required |
| exploit_code_maturity | Text | Maturity of the public exploits available for the vulnerability | functional |
| fixed_at | Date | Date the vulnerability was fixed on the asset | 07/08/18 |
| groups | List of text elements | Groups the asset belongs to | production, Paris |
| ignored | Boolean | Indicates whether the vulnerability has been ignored on the asset | false |
| most_regularly_used_cve | Boolean | Indicates whether the vulnerability is one of the most regularly used CVEs | false |
| updated_at | Date | Last update | 07/08/18 |

Note that the example values shown for the cvss_v3_* fields (access_complexity_medium, *_impact_partial) use CVSS v2 vocabulary, whereas CVSS v3 rates attack complexity as low or high and each impact as none, low or high. Check the values actually stored in your index before filtering on these fields.
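The fields above are enough to express a practical prioritisation rule: active, non-ignored pairs that are either catalogued as exploited (CISA KEV or CERTFR-ALE), flagged critical by Cyberwatch, or carry a high EPSS score. The following Python is an added example and not Cyberwatch's own code: it builds the Elasticsearch query DSL for that rule and applies the same predicate locally to constructed sample documents (shaped like computers_cves entries, not real data) so the result can be reproduced without a cluster. The index name "computers_cves", the EPSS threshold and the sample values are assumptions.

```python
"""Prioritise asset/vulnerability pairs from the computers_cves index.

Added example, not Cyberwatch code. Only the field names documented above are
used; the EPSS threshold and the sample documents are assumptions.
"""

EPSS_THRESHOLD = 0.5  # assumed cut-off; tune to your own risk appetite


def priority_query(epss_threshold: float = EPSS_THRESHOLD) -> dict:
    """Query DSL body: active, non-ignored pairs that are catalogued as exploited,
    flagged critical, or above the EPSS threshold; most likely exploited first."""
    return {
        "query": {
            "bool": {
                "filter": [
                    {"term": {"active": True}},
                    {"term": {"ignored": False}},
                ],
                "should": [
                    {"exists": {"field": "cisa_exploit_added_at"}},
                    {"exists": {"field": "certfr_exploit_added_at"}},
                    {"term": {"critical": True}},
                    {"range": {"cve_epss": {"gte": epss_threshold}}},
                ],
                "minimum_should_match": 1,
            }
        },
        "sort": [{"cve_epss": "desc"}, {"cve_score": "desc"}],
        "_source": ["computer_name", "cve_code", "cve_epss", "cve_score",
                    "cisa_exploit_added_at", "exploit_code_maturity"],
    }


def matches(doc: dict, epss_threshold: float = EPSS_THRESHOLD) -> bool:
    """The same predicate as priority_query(), evaluated on one document
    (e.g. from the JSON export). A null date does not count as 'catalogued'."""
    if not doc.get("active") or doc.get("ignored"):
        return False
    return (
        doc.get("cisa_exploit_added_at") is not None
        or doc.get("certfr_exploit_added_at") is not None
        or doc.get("critical") is True
        or (doc.get("cve_epss") or 0.0) >= epss_threshold
    )


def prioritise(docs, epss_threshold: float = EPSS_THRESHOLD) -> list:
    """Selected documents, ordered like the query's sort clause."""
    hits = [d for d in docs if matches(d, epss_threshold)]
    hits.sort(key=lambda d: (-(d.get("cve_epss") or 0.0), -(d.get("cve_score") or 0.0)))
    return hits


# Constructed sample documents shaped like computers_cves entries (not real data;
# the CVE identifiers are the ones used as examples in the table above).
SAMPLE_DOCS = [
    # server01: very high EPSS, not catalogued -> selected
    {"_id": 1, "computer_name": "server01", "cve_code": "CVE-2016-6321", "active": True,
     "ignored": False, "critical": False, "cve_epss": 0.93672, "cve_score": 7.6,
     "cisa_exploit_added_at": None, "certfr_exploit_added_at": None},
    # server01: low EPSS but listed in CISA KEV -> selected
    {"_id": 2, "computer_name": "server01", "cve_code": "CVE-2019-0759", "active": True,
     "ignored": False, "critical": False, "cve_epss": 0.02, "cve_score": 9.8,
     "cisa_exploit_added_at": "2018-08-07", "certfr_exploit_added_at": None},
    # desktop02: would qualify, but ignored by an operator -> excluded
    {"_id": 3, "computer_name": "desktop02", "cve_code": "CVE-2019-0836", "active": True,
     "ignored": True, "critical": True, "cve_epss": 0.90, "cve_score": 7.8,
     "cisa_exploit_added_at": "2018-08-07", "certfr_exploit_added_at": None},
    # desktop02: already fixed -> excluded
    {"_id": 4, "computer_name": "desktop02", "cve_code": "CVE-2016-6321", "active": False,
     "ignored": False, "critical": False, "cve_epss": 0.93672, "cve_score": 7.6,
     "cisa_exploit_added_at": None, "certfr_exploit_added_at": None},
    # desktop02: active, but low EPSS, not catalogued, not critical -> excluded
    {"_id": 5, "computer_name": "desktop02", "cve_code": "CVE-2019-0836", "active": True,
     "ignored": False, "critical": False, "cve_epss": 0.10, "cve_score": 7.8,
     "cisa_exploit_added_at": None, "certfr_exploit_added_at": None},
]

if __name__ == "__main__":
    import json
    print(json.dumps(priority_query(), indent=2))
    for d in prioritise(SAMPLE_DOCS):
        print(d["computer_name"], d["cve_code"], d["cve_epss"], d["cve_score"])
```

The `exists` clauses are what make the catalogue dates useful: a pair that was never added to CISA KEV carries a null `cisa_exploit_added_at`, which a range or term query would silently skip. Keep the `ignored` filter even though `active` is already required, since the two flags are documented separately and an ignored pair can still be active.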

Content of the computers_groups index

The computers_groups index contains one entry per asset group, with aggregate figures for the assets in that group:

| Field | Type | Description | Examples of possible values |
| --- | --- | --- | --- |
| _id | Integer | ID of the group in Cyberwatch | 15 |
| average_exploitable_vulns | Integer | Average number of vulnerabilities with public exploits per asset of the group | 58 |
| average_high_vulns | Integer | Average number of high-severity vulnerabilities per asset of the group | 63 |
| average_low_or_med_vulns | Integer | Average number of low- or medium-severity vulnerabilities per asset of the group | 85 |
| computers_count | Integer | Number of assets in the group | 73 |
| groups | Text | Name of the group | admin_group |

Content of the computers_security_issues index

Index computers_security_issues lists the occurrences of the detected security issues in your IT infrastructure. Each entry represents a security issue on one specific asset, so if a security issue affects 3 assets, the index will have 3 entries.

| Field | Type | Description | Examples of possible values |
| --- | --- | --- | --- |
| _id | Integer | ID of the occurrence of the security issue | 123 |
| computer_category | Text | Category of the affected asset | server, desktop, hypervisor, network_device, network_target_or_website, docker_image, industrial_device |
| computer_description | Text | User description of the affected asset | |
| computer_environment | Text | Criticality of the affected asset | low, medium, high |
| computer_id | Integer | ID of the affected asset | 80 |
| computer_name | Text | Name of the affected asset | DESKTOP-1234 |
| computer_os | Text | Unique key of the operating system | ubuntu_2104_64, windows_10_21h1_64 |
| computer_os_arch | Text | Architecture of the operating system | i386, x86, x86_64, AMD64 |
| computer_os_build | Text | Kernel version of the operating system | |
| computer_os_name | Text | Name of the operating system | Ubuntu 21.04, Microsoft Windows 10 |
| created_at | Date | Date of the first detection of the security issue | |
| groups | List of text elements | Groups the asset belongs to | production, Paris |
| payload | Text | Content of the payload | X-Frame-Options is not set |
| security_issue_code | Text | Reference of the type of security issue | WSTG-INPV-01 |
| security_issue_level | Text | Criticality of the security issue | info, low, medium, high, critical |
| security_issue_title | Text | Name of the security issue | HTTP Strict Transport Security |
| status | Text | Status of the security issue | active, fixed, ignored |
| updated_at | Date | Date of the last update of the security issue | |

Content of the cve_announcements index

The cve_announcements index represents the list of vulnerabilities that have been detected by Cyberwatch with the following information:

| Field | Type | Description | Examples of possible values |
| --- | --- | --- | --- |
| _id | Integer | ID of the vulnerability in Cyberwatch | 102783 |
| certfr_exploit_added_at | Date | Date of addition to the CERTFR-ALE list | 01/01/18 |
| cisa_exploit_added_at | Date | Date of addition to the CISA KEV catalog | 07/08/18 |
| computers_count | Integer | Number of affected assets | 1 |
| cve_code | Text | Unique identifier of the vulnerability | CVE-2016-6321 |
| cve_level | Text | Severity level of the vulnerability as configured in Cyberwatch | level_medium |
| cve_published_at | Date | CVE publication date | 07/08/18 |
| cve_score | Float | Severity score of the vulnerability | 7.6 |
| cvss_v3_access_complexity | Text | Exploitability metric: access complexity | access_complexity_medium |
| cvss_v3_access_vector | Text | Exploitability metric: access vector | access_vector_network |
| cvss_v3_availability_impact | Text | Impact metric: availability | availability_impact_partial |
| cvss_v3_confidentiality_impact | Text | Impact metric: confidentiality | confidentiality_impact_partial |
| cvss_v3_integrity_impact | Text | Impact metric: integrity | integrity_impact_partial |
| cvss_v3_privileges_required | Text | Exploitability metric: privileges required | privileges_required_none |
| cvss_v3_scope | Text | Scope metric | scope_unchanged |
| cvss_v3_user_interaction | Text | Exploitability metric: user interaction | user_interaction_required |
| cwe_code | Text | CWE code of the vulnerability | CWE-327 |
| epss | Float | EPSS score of the vulnerability | 0.93672 |
| exploit_code_maturity | Text | Maturity of the public exploits available for the vulnerability | functional |
| first_detected_at | Date | First detection date | 01/01/18 |
| last_modified | Date | Last modification date | 20/07/23 |

Field names and values are not uniform across indexes: the EPSS score is stored as epss here but as cve_epss in computers_cves, and the cve_level examples differ (level_medium here, medium in computers_cves). Check the mapping of each index before reusing a query or a Kibana filter across them.

Content of the rules_server index

The rules_server index represents a list of asset/rule pairs with the following information:

| Field | Type | Description | Examples of possible values |
| --- | --- | --- | --- |
| _id | Integer | ID of the asset/rule pair in Cyberwatch | 73 |
| computer_category | Text | Category of the asset | server, desktop |
| computer_description | Text | Description of the asset as defined in Cyberwatch | Production server for ticketing platform |
| computer_environment | Text | Criticality of the asset as defined in Cyberwatch | Medium |
| computers_groups | List of text elements | Groups the asset belongs to | production, Paris |
| computer_id | Integer | Asset ID in Cyberwatch | 255 |
| computer_name | Text | Hostname of the asset | server01 |
| computer_os | Text | Unique key of the operating system | debian_9_64, windows_2008... |
| computer_os_arch | Text | Architecture of the operating system | AMD64, x86_64, i686... |
| computer_os_name | Text | Name of the operating system | Debian GNU/Linux 9 (stretch), Microsoft® Windows Server® 2008 Standard... |
| created_at | Date | Creation date of the asset/rule pair in Cyberwatch | 20/03/2019 |
| rule_code | Text | Code of the rule in Cyberwatch's rule encyclopedia | linux-007 |
| repositories | List of text elements | Repositories associated with the rule in Cyberwatch | CIS_Benchmark, CIS_Benchmark_level_1 |
| rule_level | Text | Level of the compliance rule | minimal, medium... |
| status | Text | Status of the rule on the asset | cbw_compliance_script_success, cbw_compliance_script_failed... |
| updated_at | Date | Last update date of the rule | 26/03/21 |

Content of the computers_packages index

The computers_packages index lists the occurrences of the technologies detected in your IT infrastructure. Each entry represents a technology on one specific asset, so if a technology is present on 3 assets, the index will have 3 entries.

| Field | Type | Description | Examples of possible values |
| --- | --- | --- | --- |
| id | Integer | ID of the occurrence of the technology | 123 |
| computer_category | Text | Category of the asset | server, desktop, hypervisor, network_device, network_target_or_website, docker_image, industrial_device |
| computer_description | Text | User description of the asset | |
| computer_environment | Text | Criticality of the asset | low, medium, high |
| computer_id | Integer | ID of the asset | 80 |
| computer_name | Text | Name of the asset | DESKTOP-1234 |
| computer_os | Text | Unique key of the operating system | ubuntu_2104_64, windows_10_21h1_64 |
| computer_os_arch | Text | Architecture of the operating system | i386, x86, x86_64, AMD64 |
| computer_os_build | Text | Kernel version of the operating system | |
| computer_os_name | Text | Name of the operating system | Ubuntu 21.04, Microsoft Windows 10 |
| computer_os_type | Text | Type of the operating system | Linux, Windows |
| groups | List of text elements | Groups the asset belongs to | production, Paris |
| package_vendor | Text | Vendor of the technology | Mozilla |
| package_product | Text | Product name of the technology | Firefox |
| package_version | Text | Version of the technology | 66.0.3 |
| package_type | Text | Type of the technology | Application |
| package_eol | Date | End-of-life date of the technology | |
| package_updated_at | Date | Last update date of this occurrence of the technology | |
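Because package_eol is a Date field and is absent for technologies whose end of life is unknown, an end-of-life check is a single range query, with the caveat that absent dates must be skipped rather than treated as expired. The Python below is an added example and not Cyberwatch's own code: it builds that query and runs the equivalent selection over constructed sample documents shaped like computers_packages entries. The index name "computers_packages", ISO-8601 formatted date values in the export (the table above displays dates as dd/mm/yy), the fixed reference day and the sample EOL dates are assumptions.

```python
"""Flag end-of-life technologies from the computers_packages index.

Added example, not Cyberwatch code. Field names are those documented above;
the ISO date format, the reference day and the sample documents are assumptions.
"""
from datetime import date, timedelta
from typing import Optional

REFERENCE_DAY = date(2021, 6, 1)  # fixed "today" so the demo output is reproducible


def eol_query(horizon_days: int = 90, today: Optional[date] = None) -> dict:
    """Query DSL body: every technology whose package_eol has already passed or
    falls within `horizon_days`, earliest EOL first. Documents without a
    package_eol never match a range query, so unknown EOLs are left out."""
    today = today or date.today()
    cutoff = today + timedelta(days=horizon_days)
    return {
        "query": {"range": {"package_eol": {"lte": cutoff.isoformat()}}},
        "sort": [{"package_eol": "asc"}],
        "_source": ["computer_name", "package_vendor", "package_product",
                    "package_version", "package_eol"],
    }


def eol_report(docs, horizon_days: int = 90, today: Optional[date] = None) -> list:
    """Same selection applied locally to exported documents. Returns
    (asset, vendor, product, version, eol, days_left) tuples sorted by EOL;
    days_left is negative when the EOL date has already passed."""
    today = today or date.today()
    cutoff = today + timedelta(days=horizon_days)
    rows = []
    for d in docs:
        raw = d.get("package_eol")
        if not raw:                       # unknown EOL: skip, as the range query does
            continue
        eol = date.fromisoformat(raw)     # assumes ISO dates in the export
        if eol <= cutoff:
            rows.append((d["computer_name"], d["package_vendor"], d["package_product"],
                         d["package_version"], eol, (eol - today).days))
    rows.sort(key=lambda r: r[4])
    return rows


# Constructed sample documents shaped like computers_packages entries
# (not real data; the EOL dates are illustrative only).
SAMPLE_PACKAGES = [
    {"computer_name": "DESKTOP-1234", "package_vendor": "Mozilla", "package_product": "Firefox",
     "package_version": "66.0.3", "package_type": "Application", "package_eol": "2019-05-21"},
    {"computer_name": "server01", "package_vendor": "Canonical", "package_product": "Ubuntu",
     "package_version": "21.04", "package_type": "Operating system", "package_eol": "2022-01-20"},
    {"computer_name": "server01", "package_vendor": "Apache", "package_product": "httpd",
     "package_version": "2.4.46", "package_type": "Application", "package_eol": None},
    {"computer_name": "server03", "package_vendor": "Oracle", "package_product": "Java",
     "package_version": "8u291", "package_type": "Application", "package_eol": "2021-07-15"},
]

if __name__ == "__main__":
    import json
    print(json.dumps(eol_query(today=REFERENCE_DAY), indent=2))
    for row in eol_report(SAMPLE_PACKAGES, today=REFERENCE_DAY):
        print(*row)
```

With the reference day of 2021-06-01 and the default 90-day horizon, the Firefox entry is reported as already past EOL, the Java entry as 44 days away, the Ubuntu entry is outside the horizon, and the httpd entry is skipped because its EOL is unknown. Unknown EOLs are worth a separate `must_not: exists` query if you want to review them rather than silently drop them.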

Content of the computers_metadata index

The computers_metadata index lists the occurrences of the metadata detected in your IT infrastructure. Each entry represents a metadatum on one specific asset, so if a metadatum is present on 3 assets, the index will have 3 entries.

| Field | Type | Description | Examples of possible values |
| --- | --- | --- | --- |
| id | Integer | ID of the occurrence of the metadatum | 123 |
| computer_category | Text | Category of the asset | server, desktop, hypervisor, network_device, network_target_or_website, docker_image, industrial_device |
| computer_description | Text | User description of the asset | |
| computer_environment | Text | Criticality of the asset | low, medium, high |
| computer_id | Integer | ID of the asset | 80 |
| computer_name | Text | Name of the asset | DESKTOP-1234 |
| computer_os | Text | Unique key of the operating system | ubuntu_2104_64, windows_10_21h1_64 |
| computer_os_arch | Text | Architecture of the operating system | i386, x86, x86_64, AMD64 |
| computer_os_build | Text | Kernel version of the operating system | |
| computer_os_name | Text | Name of the operating system | Ubuntu 21.04, Microsoft Windows 10 |
| computer_os_type | Text | Type of the operating system | Linux, Windows |
| groups | List of text elements | Groups the asset belongs to | production, Paris |
| metadatum_key | Text | Key of the metadatum | processor-version |
| metadatum_value | Text | Value of the metadatum | Intel(R) Core(TM) i7-10700 CPU @ 2.90GHz |

Content of the computers_updates index

Index computers_updates lists the available updates for the detected assets in your IT infrastructure. Each entry represents an update for one specific asset, so if an update affects 3 assets, the index will have 3 entries.

| Field | Type | Description | Examples of possible values |
| --- | --- | --- | --- |
| id | Integer | ID of the update | 123 |
| computer_category | Text | Category of the affected asset | server, desktop, hypervisor, network_device, network_target_or_website, docker_image, industrial_device... |
| computer_environment | Text | Criticality of the affected asset | low, medium, high... |
| computer_id | Integer | ID of the affected asset | 80 |
| computer_name | Text | Name of the affected asset | DESKTOP-1234 |
| computer_os | Text | Unique key of the operating system | ubuntu_2104_64, windows_10_21h1_64 |
| computer_os_arch | Text | Architecture of the operating system | i386, x86, x86_64, AMD64 |
| computer_os_build | Text | Kernel version of the operating system | |
| computer_os_name | Text | Name of the operating system | Ubuntu 21.04, Microsoft Windows 10 |
| computer_os_type | Text | Type of the operating system | Linux, Windows |
| critical_cve_announcements_count | Integer | Number of critical CVEs fixed by the update | 0, 1, 2, 3... |
| cve_announcements_count | Integer | Number of CVEs fixed by the update | 0, 1, 2, 3... |
| cve_code | List of text elements | Identifiers of the CVEs fixed by the update | ["CVE-2019-0759", "CVE-2019-0836"] |
| groups | List of text elements | Groups the asset belongs to | production, Paris |
| max_cve_epss | Float | Maximum EPSS score among the vulnerabilities fixed | 0.93672 |
| max_cve_level | Text | Maximum severity level among the vulnerabilities fixed | level_medium |
| max_cve_score | Float | Maximum CVSS score among the vulnerabilities fixed | 9.8 |
| max_exploit_code_maturity | Text | Highest maturity of the public exploits available for the vulnerabilities fixed | unproven, proof_of_concept, high |
| update_current.product | Text | Currently installed product | curl.x86_64 |
| update_current.vendor | Text | Vendor of the currently installed product | elastic, cisco |
| update_current.version | Text | Currently installed version of the product | 7.0.27-0+deb9u1 |
| update_ignored | Boolean | Whether the update is ignored | false |
| update_patchable | Boolean | Whether the update is patchable | true |
| update_target.product | Text | Target product | curl.x86_64 |
| update_target.vendor | Text | Vendor of the target product | elastic, cisco |
| update_target.version | Text | Target version of the product | 7.0.27-0+deb9u1 |
| update_type | Text | Type of the update | DEB, RPM... |
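The update_patchable, update_ignored and max_exploit_code_maturity fields together let you turn this index into a patch plan: keep only updates that can actually be deployed and have not been dismissed, rank them by how mature the public exploit for the worst fixed CVE is, and summarise per asset. The Python below is an added example and not Cyberwatch's own code: it builds the Elasticsearch query with a per-asset aggregation and computes the same plan locally over constructed sample documents (shaped like computers_updates entries, not real data). The index name "computers_updates", the computer_name.keyword sub-field, the ordering of maturity values and the sample versions are assumptions.

```python
"""Build a per-asset patch plan from the computers_updates index.

Added example, not Cyberwatch code. Field names are those documented above;
the ".keyword" sub-field, the maturity ordering and the sample documents are
assumptions made for illustration.
"""
from collections import defaultdict

# CVSS exploit code maturity values, least to most mature. The ordering is an
# assumption consistent with the example values given for max_exploit_code_maturity.
MATURITY_RANK = {"unproven": 0, "proof_of_concept": 1, "functional": 2, "high": 3}


def urgent_updates_query(min_maturity: str = "functional") -> dict:
    """Query DSL body: patchable, non-ignored updates whose best public exploit is
    at least `min_maturity`, summarised per asset. Aggregating on a text field
    needs a keyword mapping, hence computer_name.keyword (the sub-field that
    Elasticsearch's default dynamic mapping creates); adjust to your mapping."""
    accepted = [m for m, r in MATURITY_RANK.items() if r >= MATURITY_RANK[min_maturity]]
    return {
        "size": 0,
        "query": {"bool": {"filter": [
            {"term": {"update_patchable": True}},
            {"term": {"update_ignored": False}},
            {"terms": {"max_exploit_code_maturity": accepted}},
        ]}},
        "aggs": {"by_asset": {
            "terms": {"field": "computer_name.keyword", "size": 100},
            "aggs": {
                "worst_cvss": {"max": {"field": "max_cve_score"}},
                "cves_fixed": {"sum": {"field": "cve_announcements_count"}},
            },
        }},
    }


def patch_plan(docs, min_maturity: str = "functional") -> dict:
    """Local equivalent of the aggregation, usable on the JSON export:
    {asset: {"updates": [(product, current, target)], "worst_cvss": x, "cves_fixed": n}}
    ordered with the most exposed asset first."""
    plan = defaultdict(lambda: {"updates": [], "worst_cvss": 0.0, "cves_fixed": 0})
    for d in docs:
        if not d.get("update_patchable") or d.get("update_ignored"):
            continue
        if MATURITY_RANK.get(d.get("max_exploit_code_maturity"), -1) < MATURITY_RANK[min_maturity]:
            continue
        entry = plan[d["computer_name"]]
        entry["updates"].append((d["update_target"]["product"],
                                 d["update_current"]["version"],
                                 d["update_target"]["version"]))
        entry["worst_cvss"] = max(entry["worst_cvss"], d.get("max_cve_score") or 0.0)
        entry["cves_fixed"] += d.get("cve_announcements_count") or 0
    return dict(sorted(plan.items(), key=lambda kv: -kv[1]["worst_cvss"]))


# Constructed sample documents shaped like computers_updates entries (not real data;
# package versions are illustrative, CVE identifiers are those from the table above).
SAMPLE_UPDATES = [
    {"id": 1, "computer_name": "server01", "update_type": "DEB", "update_patchable": True,
     "update_ignored": False, "max_exploit_code_maturity": "high", "max_cve_score": 9.8,
     "cve_announcements_count": 2, "cve_code": ["CVE-2019-0759", "CVE-2019-0836"],
     "update_current": {"vendor": "debian", "product": "apache2-bin", "version": "2.4.25-3+deb9u9"},
     "update_target": {"vendor": "debian", "product": "apache2-bin", "version": "2.4.25-3+deb9u11"}},
    {"id": 2, "computer_name": "server01", "update_type": "DEB", "update_patchable": True,
     "update_ignored": False, "max_exploit_code_maturity": "proof_of_concept", "max_cve_score": 7.5,
     "cve_announcements_count": 1, "cve_code": ["CVE-2016-6321"],
     "update_current": {"vendor": "debian", "product": "openssh-server", "version": "1:7.4p1-10+deb9u6"},
     "update_target": {"vendor": "debian", "product": "openssh-server", "version": "1:7.4p1-10+deb9u7"}},
    {"id": 3, "computer_name": "DESKTOP-1234", "update_type": "RPM", "update_patchable": True,
     "update_ignored": False, "max_exploit_code_maturity": "functional", "max_cve_score": 7.5,
     "cve_announcements_count": 1, "cve_code": ["CVE-2016-6321"],
     "update_current": {"vendor": "redhat", "product": "curl.x86_64", "version": "7.61.1-18.el8"},
     "update_target": {"vendor": "redhat", "product": "curl.x86_64", "version": "7.61.1-22.el8"}},
    {"id": 4, "computer_name": "DESKTOP-1234", "update_type": "Application", "update_patchable": False,
     "update_ignored": False, "max_exploit_code_maturity": "high", "max_cve_score": 9.8,
     "cve_announcements_count": 2, "cve_code": ["CVE-2019-0759", "CVE-2019-0836"],
     "update_current": {"vendor": "Mozilla", "product": "Firefox", "version": "66.0.3"},
     "update_target": {"vendor": "Mozilla", "product": "Firefox", "version": "68.0"}},
    {"id": 5, "computer_name": "server03", "update_type": "DEB", "update_patchable": True,
     "update_ignored": True, "max_exploit_code_maturity": "high", "max_cve_score": 9.8,
     "cve_announcements_count": 2, "cve_code": ["CVE-2019-0759", "CVE-2019-0836"],
     "update_current": {"vendor": "debian", "product": "apache2-bin", "version": "2.4.25-3+deb9u9"},
     "update_target": {"vendor": "debian", "product": "apache2-bin", "version": "2.4.25-3+deb9u11"}},
]

if __name__ == "__main__":
    import json
    print(json.dumps(urgent_updates_query(), indent=2))
    for asset, entry in patch_plan(SAMPLE_UPDATES).items():
        print(asset, entry["worst_cvss"], entry["cves_fixed"], entry["updates"])
```

With the default threshold the plan lists server01 (one Apache update, worst CVSS 9.8) ahead of DESKTOP-1234 (one curl update); the OpenSSH update with only a proof-of-concept exploit, the non-patchable Firefox update and the ignored update on server03 are left out. Lowering `min_maturity` to `proof_of_concept` brings the OpenSSH update back in. Note that the update_current and update_target examples in the table above share the same version string, so a real query should not assume the two always differ.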

Content of the computers_ports index

The computers_ports index lists the open ports detected in your IT infrastructure. Each entry represents one port on one specific asset, so if the same port is open on 3 assets, the index will have 3 entries.

| Field | Type | Description | Examples of possible values |
| --- | --- | --- | --- |
| computer_category | Text | Category of the asset | server, desktop, hypervisor, network_device, network_target_or_website, docker_image, industrial_device... |
| computer_description | Text | Description of the asset as defined in Cyberwatch | Production server for ticketing platform |
| computer_environment | Text | Criticality of the asset | low, medium, high... |
| computer_id | Integer | ID of the asset | 80 |
| computer_name | Text | Name of the asset | DESKTOP-1234 |
| computer_os | Text | Unique key of the operating system | ubuntu_2104_64, windows_10_21h1_64 |
| computer_os_arch | Text | Architecture of the operating system | i386, x86, x86_64, AMD64 |
| computer_os_build | Text | Kernel version of the operating system | |
| computer_os_name | Text | Name of the operating system | Ubuntu 21.04, Microsoft Windows 10 |
| computer_os_type | Text | Type of the operating system | Linux, Windows |
| created_at | Date | Creation date of the port entry in Cyberwatch | 20/03/2019 |
| groups | List of text elements | Groups the asset belongs to | production, Paris |
| port_number | Integer | Port number | 80, 443 |
| port_product | Text | Name of the service using the port | openssh-server, apache2-bin |
| port_protocol | Text | Protocol used by the port | UDP, TCP |
| port_vendor | Text | Vendor of the service using the port | sap |
| port_version | Text | Version of the service using the port | 4.4.1-2.3ubuntu2.3 |