#fleet
Ryan

08/26/2021, 4:54 PM
I'm trying out the vulnerability scanner, seems like a great feature. Can I ask what's the intended workflow here? I can see a couple of vulnerabilities showing up on a host's page in the "Software" section, but can I query for that in a Query Pack or similar? Is there a way to show all the known vulnerabilities across all your hosts? What's the intended way to use this feature? Thanks!
Noah Talerman

08/26/2021, 5:27 PM
Hey @Ryan. The current Vulnerability detection feature is intended to only surface vulnerable software on a per host basis in the Fleet UI (Host’s page) and Fleet API (GET /api/v1/fleet/hosts/{id}). The current vision is for later iterations of the feature to incorporate vulnerabilities across hosts and potentially the ability to prioritize and manage vulnerabilities. It would be extremely helpful to hear what your ideal workflow would be for viewing / managing vulnerable software so we can consider it for later iterations.
Mystery Incorporated

08/27/2021, 5:21 AM
@Noah Talerman do you know if discovered vulnerabilities get written to result.log?
Noah Talerman

08/27/2021, 1:06 PM
When you say “result.log” are you referring to the osquery result logs?
Mystery Incorporated

08/27/2021, 1:08 PM
@Noah Talerman the one written by fleet, it writes status.log and results.log, but it does have osquery results in it yes, but I'd also assume as it's written by fleet it would have fleet results when things like vulnerability scans are run.
Noah Talerman

08/27/2021, 1:16 PM
Got it. Currently, discovered vulnerabilities are surfaced only in the Fleet UI (Host details page) and Fleet API (GET /api/v1/fleet/hosts/{id} route). Vulnerability information is not included in result logs.
"I’d also assume as it’s written by fleet it would have fleet results when things like vulnerability scans are run."
This makes sense. Please feel free to file a feature request that includes your use case for the above.
Ryan

08/31/2021, 9:46 AM
Hi @Noah Talerman I'm not sure, but the way I'd envisage using it would be to surface all the known CVEs somewhere, grouped by host, so you can see in one place what actions are needed? I'd also like to see that data exposed as a virtual table so we can use it in queries, and have it logged so it can show up in our reporting too.
9:48 AM
@Noah Talerman We currently consume the fleet logs and send them to ELK where we can search them, and build dashboards for various things, for example we have one showing a breakdown of operating system versions everywhere. It would be good to be able to build a CVE dashboard that shows number of hosts with CVEs, ranked by criticality, grouped by host, and joining on other tables, like the operating system information.