First EPSS
editFirst EPSS
editVersion |
0.2.0 [beta] This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features. (View all) |
Compatible Kibana version(s) |
8.14.0 or higher |
Supported Serverless project types |
Security |
Subscription level |
Basic |
Level of support |
Community |
Overview
editThe First EPSS integration allows users to retrieve EPSS score from First EPSS API.
The Exploit Prediction Scoring System (EPSS) is a data-driven effort for estimating the likelihood (probability) that a software vulnerability (CVE) will be exploited in the wild.
Data streams
editThe First EPSS integration collects one type of data stream: vulnerability
EPSS
editEPSS scores are retrieved via the First EPSS API (https://api.first.org/data/v1/epss).
Compatibility
editThis integration has been tested against the EPSS API v1.
Requirements
editYou need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it. You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your own hardware.
Setup
editFor step-by-step instructions on how to set up an integration, see the Getting started guide.
Data reference
editVulnerability
editThis is the vulnerability dataset.
Example
An example event for vulnerability looks as following:
{
"@timestamp": "2024-09-05T14:49:59.197Z",
"agent": {
"ephemeral_id": "76bea870-a841-4313-939f-8ac1e976e0f9",
"id": "7acf9ae7-fa00-4807-86c6-5ddf0681ffbb",
"name": "elastic-agent-50065",
"type": "filebeat",
"version": "8.15.0"
},
"data_stream": {
"dataset": "first_epss.vulnerability",
"namespace": "53064",
"type": "logs"
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "7acf9ae7-fa00-4807-86c6-5ddf0681ffbb",
"snapshot": false,
"version": "8.15.0"
},
"event": {
"agent_id_status": "verified",
"category": [
"vulnerability"
],
"dataset": "first_epss.vulnerability",
"ingested": "2024-09-05T14:50:00Z",
"kind": "enrichment",
"type": [
"info"
]
},
"first_epss": {
"vulnerability": {
"cve": "CVE-2024-8418",
"date": "2024-09-05T00:00:00.000Z",
"epss": 0.00045,
"percentile": 0.16342
}
},
"host": {
"architecture": "aarch64",
"containerized": false,
"hostname": "elastic-agent-50065",
"id": "1e6dd5e4f8a3409dbea97e40111e935a",
"ip": [
"172.24.0.2",
"172.23.0.4"
],
"mac": [
"02-42-AC-17-00-04",
"02-42-AC-18-00-02"
],
"name": "elastic-agent-50065",
"os": {
"codename": "focal",
"family": "debian",
"kernel": "6.10.4-linuxkit",
"name": "Ubuntu",
"platform": "ubuntu",
"type": "linux",
"version": "20.04.6 LTS (Focal Fossa)"
}
},
"input": {
"type": "cel"
},
"tags": [
"preserve_original_event"
],
"vulnerability": {
"id": "CVE-2024-8418",
"reference": "https://api.first.org/data/v1/epss?pretty=true&cve=CVE-2024-8418"
}
}
Exported fields
| Field | Description | Type |
|---|---|---|
@timestamp |
Event timestamp. |
date |
data_stream.dataset |
Data stream dataset. |
constant_keyword |
data_stream.namespace |
Data stream namespace. |
constant_keyword |
data_stream.type |
Data stream type. |
constant_keyword |
event.dataset |
Event dataset. |
constant_keyword |
event.module |
Event module. |
constant_keyword |
first_epss.vulnerability.cve |
CVE number. |
keyword |
first_epss.vulnerability.date |
Exploit Prediction Scoring System score calculation date. |
date |
first_epss.vulnerability.epss |
Exploit Prediction Scoring System score value. |
float |
first_epss.vulnerability.percentile |
Exploit Prediction Scoring System percentile value. |
float |
input.type |
Type of filebeat input. |
keyword |
Changelog
editChangelog
| Version | Details | Kibana version(s) |
|---|---|---|
0.2.0 |
Enhancement (View pull request) |
— |
0.1.0 |
Enhancement (View pull request) |
— |