Hi, I have the following enrichment policy that I can't get to work.
The target field cveintel configured in the pipeline's enrich processor is never created.
Any help is appreciated.
> PUT _enrich/policy/cve_enrichment_policy
> {
> "match": {
> "indices": "logstash-knowncves*",
> "match_field": "cveID",
> "enrich_fields": ["event.original"]
> }
> }
> POST _enrich/policy/cve_enrichment_policy/_execute
PUT _ingest/pipeline/openvas_enrichment
{
"processors": [
{
"enrich": {
"field": "nvt.refs.ref.@id.keyword",
"policy_name": "cve_enrichment_policy",
"target_field": "cveintel",
"ignore_missing": true,
"max_matches": 128
}
}
]
}
Mapping of the destination index that should be enriched:
PUT /logstash-jsonfiles-2022.09.29/_mapping
{
"dynamic_templates": [
{
"message_field": {
"path_match": "message",
"match_mapping_type": "string",
"mapping": {
"norms": false,
"type": "text"
}
}
},
{
"string_fields": {
"match": "*",
"match_mapping_type": "string",
"mapping": {
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
},
"norms": false,
"type": "text"
}
}
}
],
"properties": {
"refs": {
"properties": {
"ref": {
"properties": {
"@id": {
"type": "text",
"norms": false
},
"@type": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"norms": false
}
}
}
}
}
}
}
}
}
Posting my document to this pipeline with _simulate does not enrich the target field.
> POST /_ingest/pipeline/openvas_enrichment/_simulate?verbose=true
> {
> "docs": [
> {
> "_index": "logstash-jsonfiles-2022.09.29",
> "_id": "n7tHioMBzhwZrgzjzCmt",
> "_score": 1,
> "_ignored": [
> "nvt.tags.keyword",
> "event.original.keyword"
> ],
> "_source": {
> "owner": {
> "name": "redacted"
> },
> "creation_time": "2022-07-10T23:08:11Z",
> "severity": "9.8",
> "original_severity": "9.8",
> "log": {
> "file": {
> "path": "/usr/share/jsonfiles/sfsfd.ndjson"
> }
> },
> "qod": {
> "type": null,
> "value": "80"
> },
> "description": """Installed version: 99.2.2.1
> Fixed version: Contact vendor""",
> "scan_nvt_version": "2021-09-29T10:01:38Z",
> "nvt": {
> "@oid": "1.3.6.1.4.1.25623.1.0.146309",
> "solution": {
> "#text": "Contact the vendor for a solution.",
> "@type": "VendorFix"
> },
> "refs": {
> "ref": [
> {
> "@type": "cve",
> "@id": "CVE-2013-6282"
> },
> {
> "@type": "cve",
> "@id": "CVE-2018-12326"
> },
> {
> "@type": "cve",
> "@id": "CVE-2018-11218"
> },
> {
> "@type": "cve",
> "@id": "CVE-2020-4670"
> },
> {
> "@type": "cve",
> "@id": "CVE-2018-8014"
> },
> {
> "@type": "cve",
> "@id": "CVE-2021-33020"
> },
> {
> "@type": "cve",
> "@id": "CVE-2018-10115"
> },
> {
> "@type": "cve",
> "@id": "CVE-2021-27501"
> },
> {
> "@type": "cve",
> "@id": "CVE-2021-33018"
> },
> {
> "@type": "cve",
> "@id": "CVE-2021-27497"
> },
> {
> "@type": "cve",
> "@id": "CVE-2012-1708"
> },
> {
> "@type": "cve",
> "@id": "CVE-2015-9251"
> },
> {
> "@type": "cve",
> "@id": "CVE-2021-27493"
> },
> {
> "@type": "cve",
> "@id": "CVE-2019-9636"
> },
> {
> "@type": "cve",
> "@id": "CVE-2021-33024"
> },
> {
> "@type": "cve",
> "@id": "CVE-2021-33022"
> },
> {
> "@type": "cisa",
> "@id": "Known Exploited Vulnerability (KEV) catalog"
> },
> {
> "@type": "url",
> "@id": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
> },
> {
> "@type": "url",
> "@id": "https://us-cert.cisa.gov/ics/advisories/icsma-21-187-01"
> },
> {
> "@type": "cert-bund",
> "@id": "CB-K22/0045"
> },
> {
> "@type": "cert-bund",
> "@id": "CB-K20/1030"
> },
> {
> "@type": "cert-bund",
> "@id": "CB-K20/0711"
> },
> {
> "@type": "cert-bund",
> "@id": "CB-K20/0705"
> },
> {
> "@type": "cert-bund",
> "@id": "CB-K20/0693"
> },
> {
> "@type": "cert-bund",
> "@id": "CB-K20/0555"
> },
> {
> "@type": "cert-bund",
> "@id": "CB-K20/0543"
> },
> {
> "@type": "cert-bund",
> "@id": "CB-K20/0309"
> },
> {
> "@type": "cert-bund",
> "@id": "CB-K20/0154"
> },
> {
> "@type": "cert-bund",
> "@id": "CB-K20/0041"
> },
> {
> "@type": "cert-bund",
> "@id": "CB-K19/0911"
> },
> {
> "@type": "cert-bund",
> "@id": "CB-K19/0909"
> },
> {
> "@type": "cert-bund",
> "@id": "CB-K19/0615"
> },
> {
> "@type": "cert-bund",
> "@id": "CB-K19/0321"
> },
> {
> "@type": "cert-bund",
> "@id": "CB-K19/0313"
> },
> {
> "@type": "cert-bund",
> "@id": "CB-K19/0054"
> },
> {
> "@type": "cert-bund",
> "@id": "CB-K19/0052"
> },
> {
> "@type": "cert-bund",
> "@id": "CB-K19/0049"
> },
> {
> "@type": "cert-bund",
> "@id": "CB-K19/0048"
> },
> {
> "@type": "cert-bund",
> "@id": "CB-K19/0046"
> },
> {
> "@type": "cert-bund",
> "@id": "CB-K18/1006"
> },
> {
> "@type": "cert-bund",
> "@id": "CB-K18/1005"
> },
> {
> "@type": "cert-bund",
> "@id": "CB-K18/0680"
> },
> {
> "@type": "cert-bund",
> "@id": "CB-K18/0647"
> },
> {
> "@type": "dfn-cert",
> "@id": "DFN-CERT-2021-1736"
> },
> {
> "@type": "dfn-cert",
> "@id": "DFN-CERT-2020-2423"
> },
> {
> "@type": "dfn-cert",
> "@id": "DFN-CERT-2020-2130"
> },
> {
> "@type": "dfn-cert",
> "@id": "DFN-CERT-2020-1839"
> },
> {
> "@type": "dfn-cert",
> "@id": "DFN-CERT-2020-1540"
> },
> {
> "@type": "dfn-cert",
> "@id": "DFN-CERT-2020-1508"
> },
> {
> "@type": "dfn-cert",
> "@id": "DFN-CERT-2020-1413"
> },
> {
> "@type": "dfn-cert",
> "@id": "DFN-CERT-2020-1276"
> },
> {
> "@type": "dfn-cert",
> "@id": "DFN-CERT-2020-1134"
> },
> {
> "@type": "dfn-cert",
> "@id": "DFN-CERT-2020-1078"
> },
> {
> "@type": "dfn-cert",
> "@id": "DFN-CERT-2020-0850"
> },
> {
> "@type": "dfn-cert",
> "@id": "DFN-CERT-2020-0835"
> },
> {
> "@type": "dfn-cert",
> "@id": "DFN-CERT-2020-0821"
> },
> {
> "@type": "dfn-cert",
> "@id": "DFN-CERT-2020-0630"
> },
> {
> "@type": "dfn-cert",
> "@id": "DFN-CERT-2020-0590"
> },
> {
> "@type": "dfn-cert",
> "@id": "DFN-CERT-2020-0569"
> },
> {
> "@type": "dfn-cert",
> "@id": "DFN-CERT-2020-0557"
> },
> {
> "@type": "dfn-cert",
> "@id": "DFN-CERT-2020-0501"
> },
> {
> "@type": "dfn-cert",
> "@id": "DFN-CERT-2020-0381"
> },
> {
> "@type": "dfn-cert",
> "@id": "DFN-CERT-2020-0318"
> },
> {
> "@type": "dfn-cert",
> "@id": "DFN-CERT-2020-0231"
> },
> {
> "@type": "dfn-cert",
> "@id": "DFN-CERT-2020-0177"
> },
> {
> "@type": "dfn-cert",
> "@id": "DFN-CERT-2020-0111"
> },
> {
> "@type": "dfn-cert",
> "@id": "DFN-CERT-2020-0102"
> },
> {
> "@type": "dfn-cert",
> "@id": "DFN-CERT-2020-0048"
> },
> {
> "@type": "dfn-cert",
> "@id": "DFN-CERT-2019-2710"
> },
> {
> "@type": "dfn-cert",
> "@id": "DFN-CERT-2019-2252"
> },
> {
> "@type": "dfn-cert",
> "@id": "DFN-CERT-2019-2158"
> },
> {
> "@type": "dfn-cert",
> "@id": "DFN-CERT-2019-2078"
> },
> {
> "@type": "dfn-cert",
> "@id": "DFN-CERT-2019-1877"
> },
> {
> "@type": "dfn-cert",
> "@id": "DFN-CERT-2019-1704"
> },
> {
> "@type": "dfn-cert",
> "@id": "DFN-CERT-2019-1627"
> },
> {
> "@type": "dfn-cert",
> "@id": "DFN-CERT-2019-1537"
> },
> {
> "@type": "dfn-cert",
> "@id": "DFN-CERT-2019-1455"
> },
> {
> "@type": "dfn-cert",
> "@id": "DFN-CERT-2019-1339"
> },
> {
> "@type": "dfn-cert",
> "@id": "DFN-CERT-2019-1288"
> },
> {
> "@type": "dfn-cert",
> "@id": "DFN-CERT-2019-1285"
> },
> {
> "@type": "dfn-cert",
> "@id": "DFN-CERT-2019-1237"
> },
> {
> "@type": "dfn-cert",
> "@id": "DFN-CERT-2019-1095"
> },
> {
> "@type": "dfn-cert",
> "@id": "DFN-CERT-2019-0941"
> },
> {
> "@type": "dfn-cert",
> "@id": "DFN-CERT-2019-0915"
> },
> {
> "@type": "dfn-cert",
> "@id": "DFN-CERT-2019-0912"
> },
> {
> "@type": "dfn-cert",
> "@id": "DFN-CERT-2019-0841"
> },
> {
> "@type": "dfn-cert",
> "@id": "DFN-CERT-2019-0777"
> },
> {
> "@type": "dfn-cert",
> "@id": "DFN-CERT-2019-0772"
> },
> {
> "@type": "dfn-cert",
> "@id": "DFN-CERT-2019-0770"
> },
> {
> "@type": "dfn-cert",
> "@id": "DFN-CERT-2019-0702"
> },
> {
> "@type": "dfn-cert",
> "@id": "DFN-CERT-2019-0565"
> },
> {
> "@type": "dfn-cert",
> "@id": "DFN-CERT-2019-0451"
> },
> {
> "@type": "dfn-cert",
> "@id": "DFN-CERT-2019-0119"
> },
> {
> "@type": "dfn-cert",
> "@id": "DFN-CERT-2019-0111"
> },
> {
> "@type": "dfn-cert",
> "@id": "DFN-CERT-2018-2474"
> },
> {
> "@type": "dfn-cert",
> "@id": "DFN-CERT-2018-2194"
> },
> {
> "@type": "dfn-cert",
> "@id": "DFN-CERT-2018-2165"
> },
> {
> "@type": "dfn-cert",
> "@id": "DFN-CERT-2018-2142"
> },
> {
> "@type": "dfn-cert",
> "@id": "DFN-CERT-2018-2110"
> },
> {
> "@type": "dfn-cert",
> "@id": "DFN-CERT-2018-2103"
> },
> {
> "@type": "dfn-cert",
> "@id": "DFN-CERT-2018-1674"
> },
> {
> "@type": "dfn-cert",
> "@id": "DFN-CERT-2018-1443"
> },
> {
> "@type": "dfn-cert",
> "@id": "DFN-CERT-2018-1416"
> },
> {
> "@type": "dfn-cert",
> "@id": "DFN-CERT-2018-1253"
> },
> {
> "@type": "dfn-cert",
> "@id": "DFN-CERT-2018-1163"
> },
> {
> "@type": "dfn-cert",
> "@id": "DFN-CERT-2018-1153"
> },
> {
> "@type": "dfn-cert",
> "@id": "DFN-CERT-2018-1038"
> },
> {
> "@type": "dfn-cert",
> "@id": "DFN-CERT-2018-0939"
> },
> {
> "@type": "dfn-cert",
> "@id": "DFN-CERT-2018-0853"
> }
> ]
> },
> "name": "Philips Vue PACS Multiple Vulnerabilities (Jul 2021)",
> "cvss_base": "9.8",
> "type": "nvt",
> "family": "General",
> "tags": """cvss_base_vector=CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H|summary=Philips Vue PACS is prone to multiple vulnerabilities.|insight=The following vulnerabilities exist:
>
> - CVE-2020-1938: The product receives input or data, but it does not validate or incorrectly
> validates that the input has the properties that are required to process the data safely and
> correctly.
>
> - CVE-2018-12326, CVE-2018-11218: The software performs operations on a memory buffer, but it can
> read from or write to a memory location that is outside of the intended boundary of the buffer.
> This vulnerability exists within a third party software component (Redis).
>
> - CVE-2020-4670: When an actor claims to have a given identity, the software does not prove or
> insufficiently proves that the claim is correct. This vulnerability exists within a third party
> software component (Redis).
>
> - CVE-2018-8014: The software initializes or sets a resource with a default that is intended to
> be changed by the administrator, but the default is not secure.
>
> - CVE-2021-33020: The product uses a cryptographic key or password past its expiration date,
> which diminishes its safety significantly by increasing the timing window for cracking attacks
> against that key.
>
> - CVE-2018-10115: The software does not initialize or incorrectly initializes a resource, which
> might leave the resource in an unexpected state when it is accessed or used. This vulnerability
> exists within a third party software component (7-Zip).
>
> - CVE-2021-27501: The software does not follow certain coding rules for development, which can
> lead to resultant weaknesses or increase the severity of the associated vulnerabilities.
>
> - CVE-2021-33018: The use of a broken or risky cryptographic algorithm is an unnecessary risk
> that may result in the exposure of sensitive information.
>
> - CVE-2021-27497: The product does not use or incorrectly uses a protection mechanism that
> provides sufficient defense against directed attacks against the product.
>
> - CVE-2012-1708: Weaknesses in this category is related to a software system's data integrity
> components. This vulnerability exists within a third party software component (Oracle Database).
>
> - CVE-2015-9251: The software does not neutralize or incorrectly neutralizes user-controllable
> input before it is placed in an output used as a webpage that is served to other users.
>
> - CVE-2021-27493: The product does not ensure or incorrectly ensures structured messages or data
> are well formed and that certain security properties are met before being read from an upstream
> component or sent to a downstream component.
>
> - CVE-2019-9636: The software does not properly handle when an input contains Unicode encoding.
>
> - CVE-2021-33024: The product transmits or stores authentication credentials, but it uses an
> insecure method susceptible to unauthorized interception and/or retrieval.
>
> - CVE-2021-33022: The software transmits sensitive or security-critical data in cleartext in a
> communication channel that can be sniffed by unauthorized actors.|affected=Philips Vue PACS version 12.2.x.x and prior.|impact=|solution=Contact the vendor for a solution.|vuldetect=Checks if a vulnerable version is present on the target host.|solution_type=VendorFix""",
> "severities": {
> "severity": {
> "date": "2021-02-24T12:15:00Z",
> "score": "9.8",
> "@type": "cvss_base_v3",
> "origin": "NVD",
> "value": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
> },
> "@score": "9.8"
> }
> },
> "original_threat": "High",
> "@timestamp": "2022-09-29T17:25:04.483591221Z",
> "port": "443/tcp",
> "@version": "1",
> "host": {
> "hostname": null,
> "#text": "172.16.15.31",
> "name": "logstash1",
> "asset": {
> "@asset_id": "64097e6b-1b81-47d5-b9d3-cea3e669b98e"
> }
> },
> "name": "Philips Vue PACS Multiple Vulnerabilities (Jul 2021)",
> "comment": null,
> "@id": "0f667a51-5e2b-4155-9639-45756asd",
> "threat": "High",
> "event": {
> "original": """{"@id": "0f667a51-5e2b-4155-9639-45756asd", "name": "Philips Vue PACS Multiple Vulnerabilities (Jul 2021)", "owner": {"name": "redacted"}, "modification_time": "2022-07-10T23:08:11Z", "comment": null, "creation_time": "2022-07-10T23:08:11Z", "host": {"asset": {"@asset_id": "64097e6b-1b81-47d5-b9d3-cea3e669basd"}, "hostname": null, "#text": "172.16.15.31"}, "port": "443/tcp", "nvt": {"@oid": "1.3.6.1.4.1.25623.1.0.146309", "type": "nvt", "name": "Philips Vue PACS Multiple Vulnerabilities (Jul 2021)", "family": "General", "cvss_base": "9.8", "severities": {"@score": "9.8", "severity": {"@type": "cvss_base_v3", "origin": "NVD", "date": "2021-02-24T12:15:00Z", "score": "9.8", "value": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}, "tags": "cvss_base_vector=CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H|summary=Philips Vue PACS is prone to multiple vulnerabilities.|insight=The following vulnerabilities exist:\n\n - CVE-2020-1938: The product receives input or data, but it does not validate or incorrectly\n validates that the input has the properties that are required to process the data safely and\n correctly.\n\n - CVE-2018-12326, CVE-2018-11218: The software performs operations on a memory buffer, but it can\n read from or write to a memory location that is outside of the intended boundary of the buffer.\n This vulnerability exists within a third party software component (Redis).\n\n - CVE-2020-4670: When an actor claims to }"""
> },
> "modification_time": "2022-07-10T23:08:11Z"
> }
> }
> ]
> }
What am I doing wrong?