From ff73f6a81a27c713586f79a8f72d14dd021bcadb Mon Sep 17 00:00:00 2001 From: moxarth-rathod Date: Tue, 30 Dec 2025 14:38:37 +0530 Subject: [PATCH 1/2] [Qualys] Update the asset_host_detection data stream API to v5, and the knowledge_base data stream API to v4 --- .../_dev/deploy/docker/files/config.yml | 20 ++--- packages/qualys_vmdr/changelog.yml | 5 ++ .../agent/stream/input.yml.hbs | 8 +- .../asset_host_detection/sample_event.json | 24 +++--- .../knowledge_base/agent/stream/input.yml.hbs | 6 +- .../knowledge_base/sample_event.json | 55 +++++++++---- packages/qualys_vmdr/docs/README.md | 77 +++++++++++++------ .../latest_cdr_vulnerabilities/fields/ecs.yml | 10 +++ .../fields/fields.yml | 4 + packages/qualys_vmdr/manifest.yml | 2 +- 10 files changed, 144 insertions(+), 67 deletions(-) diff --git a/packages/qualys_vmdr/_dev/deploy/docker/files/config.yml b/packages/qualys_vmdr/_dev/deploy/docker/files/config.yml index 8c86f8fc71f..2f4386aa94d 100644 --- a/packages/qualys_vmdr/_dev/deploy/docker/files/config.yml +++ b/packages/qualys_vmdr/_dev/deploy/docker/files/config.yml @@ -391,7 +391,7 @@ rules: body: "" # handling empty XML response # Request knowledge_base with QID from Asset Host QID. # QID: 101,102,103 (3 unique QIDs for host ID: 1,2) - - path: /api/3.0/fo/knowledge_base/vuln/ + - path: /api/4.0/fo/knowledge_base/vuln/ methods: ['GET'] query_params: ids: 101,102,103 @@ -407,7 +407,7 @@ rules: x-ratelimit-remaining: ["299"] body: |- - + 2023-07-06T15:02:16Z @@ -578,7 +578,7 @@ rules: # Request knowledge_base with QID from Asset Host QID. # QID: 102,103 (2 unique QIDs for host ID: 3) - - path: /api/3.0/fo/knowledge_base/vuln/ + - path: /api/4.0/fo/knowledge_base/vuln/ methods: ['GET'] query_params: ids: 102,103 @@ -594,7 +594,7 @@ rules: x-ratelimit-remaining: ["299"] body: |- - + 2024-12-04T13:51:49Z @@ -720,7 +720,7 @@ rules: - - path: /api/3.0/fo/knowledge_base/vuln/ + - path: /api/4.0/fo/knowledge_base/vuln/ methods: ['GET'] query_params: ids: 123 
@@ -736,7 +736,7 @@ rules: x-ratelimit-remaining: ["299"] body: |- - + 2023-07-06T15:02:16Z @@ -797,7 +797,7 @@ rules: # Two objects with: # 1. Containing BUGTRAQ_LIST, SOFTWARE_LIST, VENDOR_REFERENCE_LIST, and CHANGE_LOG_LIST containing multiple elements. # 2. Containing BUGTRAQ_LIST, SOFTWARE_LIST, VENDOR_REFERENCE_LIST, and CHANGE_LOG_LIST containing single elements. - - path: /api/3.0/fo/knowledge_base/vuln/ + - path: /api/4.0/fo/knowledge_base/vuln/ methods: ['GET'] query_params: ids: 1,2 @@ -813,7 +813,7 @@ rules: x-ratelimit-remaining: ["299"] body: |- - + 2024-11-26T08:40:21Z @@ -1001,7 +1001,7 @@ rules: - - path: /api/3.0/fo/knowledge_base/vuln/ + - path: /api/4.0/fo/knowledge_base/vuln/ methods: ['GET'] query_params: last_modified_after: '{last_modified_after:\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}}Z' @@ -1016,7 +1016,7 @@ rules: x-ratelimit-remaining: ["299"] body: |- - + 2023-10-26T09:47:22Z diff --git a/packages/qualys_vmdr/changelog.yml b/packages/qualys_vmdr/changelog.yml index 3051c6a4d08..46c338bc284 100644 --- a/packages/qualys_vmdr/changelog.yml +++ b/packages/qualys_vmdr/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "6.15.0" + changes: + - description: Update knowledge base API to v4 for asset_host_detection and knowledge_base data streams. + type: enhancement + link: https://github.com/elastic/integrations/pull/1 - version: "6.14.1" changes: - description: Update XSD schema name to match Host Detection API v5.0 response. diff --git a/packages/qualys_vmdr/data_stream/asset_host_detection/agent/stream/input.yml.hbs b/packages/qualys_vmdr/data_stream/asset_host_detection/agent/stream/input.yml.hbs index bbf2fe5a767..d03f5d876d3 100644 --- a/packages/qualys_vmdr/data_stream/asset_host_detection/agent/stream/input.yml.hbs +++ b/packages/qualys_vmdr/data_stream/asset_host_detection/agent/stream/input.yml.hbs 
@@ -178,7 +178,7 @@ program: | ).as(state, state.with( !has(state.worklist) ? state : has(state.worklist.HOST_QID_LIST) && size(state.worklist.HOST_QID_LIST) > 0 ? - request("GET", state.url.trim_right("/") + "/api/3.0/fo/knowledge_base/vuln/?" + + request("GET", state.url.trim_right("/") + "/api/4.0/fo/knowledge_base/vuln/?" + { "ids": [front(state.worklist.HOST_QID_LIST, int(state.query_limit)).join(",")], "action": ["list"], @@ -189,7 +189,7 @@ program: | "Authorization": ["Basic "+(state.user+":"+state.password).base64()], } }).do_request().as(resp, (resp.StatusCode == 200 ? - resp.Body.as(xml, try(xml.decode_xml('qualys_api_3_0_kb'), "decode_xml_error_kb").as(kb_body, + resp.Body.as(xml, try(xml.decode_xml('qualys_api_4_0_kb'), "decode_xml_error_kb").as(kb_body, !has(kb_body.decode_xml_error_kb) ? ( @@ -280,7 +280,7 @@ program: | "error": { "code": string(resp.StatusCode), "id": string(resp.Status), - "message": "GET "+state.url.trim_right("/") + "/api/3.0/fo/knowledge_base/vuln/: "+( + "message": "GET "+state.url.trim_right("/") + "/api/4.0/fo/knowledge_base/vuln/: "+( size(resp.Body) != 0 ? string(resp.Body) : @@ -879,7 +879,7 @@ xsd: - qualys_api_3_0_kb: | + qualys_api_4_0_kb: | diff --git a/packages/qualys_vmdr/data_stream/asset_host_detection/sample_event.json b/packages/qualys_vmdr/data_stream/asset_host_detection/sample_event.json index f055bced64d..947cb49fba8 100644 --- a/packages/qualys_vmdr/data_stream/asset_host_detection/sample_event.json +++ b/packages/qualys_vmdr/data_stream/asset_host_detection/sample_event.json 
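Review bot: The `xsd:` hunk at line 879 only renames the schema key to `qualys_api_4_0_kb`; going by the diffstat (8 changed lines for this file, i.e. the four one-line swaps), the schema body is still the one written for the v3 response. If the v4 knowledge base output adds elements or changes which ones repeat, `decode_xml` presumably has no type hints for them, and the KNOWLEDGE_BASE enrichment on detections could change shape without an error. Please confirm the body against the v4 output definition; the same applies to `qualys_api_4_0` in the knowledge_base stream's input.yml.hbs. As a smaller point, the literal `/api/4.0/fo/knowledge_base/vuln/` now appears in both the `request(...)` call and the `error.message` string, so a CEL comment such as `// keep this path in sync with the error.message below` above the request would keep them from drifting at the next version bump. The program block starts and ends outside these hunks.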
@@ -1,11 +1,11 @@ { - "@timestamp": "2025-12-09T13:06:00.619Z", + "@timestamp": "2025-12-30T06:25:12.497Z", "agent": { - "ephemeral_id": "5eb4618e-1fb2-4db3-a80a-a1c9d60ddf79", - "id": "c25772f1-99b1-43d4-9ac3-8941538fa406", - "name": "elastic-agent-11567", + "ephemeral_id": "83655e80-2729-4332-8ace-457dd3a0bcef", + "id": "12042b44-811d-4c3e-b827-11cfb8074c86", + "name": "elastic-agent-48916", "type": "filebeat", - "version": "8.19.4" + "version": "8.19.0" }, "cloud": { "instance": { @@ -14,16 +14,16 @@ }, "data_stream": { "dataset": "qualys_vmdr.asset_host_detection", - "namespace": "88746", + "namespace": "83470", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "c25772f1-99b1-43d4-9ac3-8941538fa406", + "id": "12042b44-811d-4c3e-b827-11cfb8074c86", "snapshot": false, - "version": "8.19.4" + "version": "8.19.0" }, "event": { "agent_id_status": "verified", 
@@ -32,9 +32,9 @@ ], "dataset": "qualys_vmdr.asset_host_detection", "id": "11111111", - "ingested": "2025-12-09T13:06:03Z", + "ingested": "2025-12-30T06:25:15Z", "kind": "alert", - "original": "{\"DETECTION_LIST\":{\"AFFECT_RUNNING_KERNEL\":\"0\",\"CVE\":\"CVE-2023-48161,CVE-2024-21208,CVE-2024-21210,CVE-2024-21217,CVE-2024-21235\",\"FIRST_FOUND_DATETIME\":\"2021-02-05T04:50:45Z\",\"IS_DISABLED\":\"0\",\"IS_IGNORED\":\"0\",\"LAST_FIXED_DATETIME\":\"2022-12-14T06:52:57Z\",\"LAST_FOUND_DATETIME\":\"2024-03-08T20:15:41Z\",\"LAST_PROCESSED_DATETIME\":\"2024-03-08T20:15:41Z\",\"LAST_TEST_DATETIME\":\"2024-03-08T20:15:41Z\",\"LAST_UPDATE_DATETIME\":\"2024-03-08T20:15:41Z\",\"LATEST_VULNERABILITY_DETECTION_SOURCE\":\"Cloud Agent\",\"MITRE_TACTIC_ID\":\"TA0008, TA0004\",\"MITRE_TACTIC_NAME\":\"lateral-movement, privilege-escalation\",\"MITRE_TECHNIQUE_ID\":\"T1210, T1068\",\"MITRE_TECHNIQUE_NAME\":\"Exploitation of Remote Services, Exploitation for Privilege Escalation\",\"QDS\":{\"#text\":\"35\",\"severity\":\"LOW\"},\"QDS_FACTORS\":{\"QDS_FACTOR\":[{\"#text\":\"7.7\",\"name\":\"CVSS\"},{\"#text\":\"v3.x\",\"name\":\"CVSS_version\"},{\"#text\":\"0.00232\",\"name\":\"epss\"},{\"#text\":\"AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H\",\"name\":\"CVSS_vector\"}]},\"QID\":\"101\",\"RESULTS\":\"Package\\tInstalled Version\\tRequired Version\\nlinux-cloud-tools-4.4.0\\t1074-aws_4.4.0-1074.84\\t1092\\nlinux-aws-tools-4.4.0\\t1074_4.4.0-1074.84\\t1092\\nlinux-aws-headers-4.4.0\\t1074_4.15.0-1126.135\\t1092\\nlinux-tools-4.4.0\\t1074-aws_4.4.0-1074.84\\t1092\\nlinux-aws-cloud-tools-4.4.0\\t1074_4.4.0-1074.84\\t1092\",\"SEVERITY\":\"3\",\"SSL\":\"0\",\"STATUS\":\"Active\",\"TIMES_FOUND\":\"5393\",\"TRURISK_ELIMINATION_STATUS\":\"FIXED\",\"TYPE\":\"Confirmed\",\"UNIQUE_VULN_ID\":\"11111111\",\"VULNERABILITY_DETECTION_SOURCES\":\"Cloud Agent,Internal 
Scanner\"},\"DNS\":\"adfssrvr.adfs.local\",\"DNS_DATA\":{\"DOMAIN\":\"adfs.local\",\"FQDN\":\"adfssrvr.adfs.local\",\"HOSTNAME\":\"adfssrvr\"},\"ID\":\"1\",\"IP\":\"10.50.2.111\",\"KNOWLEDGE_BASE\":{\"CATEGORY\":\"CGI\",\"CONSEQUENCE\":\"Depending on the vulnerability being exploited, an unauthenticated remote attacker could conduct cross-site scripting, clickjacking or MIME-type sniffing attacks.\",\"CVE_LIST\":[\"CVE-2022-31629\",\"CVE-2022-31628\"],\"CVSS\":{\"BASE\":{\"#text\":\"7.7\",\"source\":\"service\"},\"TEMPORAL\":\"4.0\",\"VECTOR_STRING\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H\"},\"DIAGNOSIS\":\"This QID reports the absence of the following\",\"DISCOVERY\":{\"REMOTE\":\"1\"},\"LAST_SERVICE_MODIFICATION_DATETIME\":\"2023-06-29T12:20:46Z\",\"PATCHABLE\":\"0\",\"PCI_FLAG\":\"1\",\"PUBLISHED_DATETIME\":\"2017-06-05T21:34:49Z\",\"QID\":\"101\",\"SEVERITY_LEVEL\":\"2\",\"SOFTWARE_LIST\":{\"SOFTWARE\":[{\"PRODUCT\":\"None\",\"VENDOR\":\"multi-vendor\"}]},\"SOLUTION\":\"\\u003cB\\u003eNote:\\u003c/B\\u003e To better debug the results of this QID\",\"THREAT_INTELLIGENCE\":{\"THREAT_INTEL\":[{\"id\":\"8\"}]},\"TITLE\":\"HTTP Security Header Not Detected\",\"VULN_TYPE\":\"Vulnerability\"},\"LAST_PC_SCANNED_DATE\":\"2023-06-28T09:58:12Z\",\"LAST_SCAN_DATETIME\":\"2023-07-03T06:25:17Z\",\"LAST_VM_SCANNED_DATE\":\"2023-07-03T06:23:47Z\",\"LAST_VM_SCANNED_DURATION\":\"1113\",\"NETBIOS\":\"ADFSSRVR\",\"OS\":\"Windows 2016/2019/10\",\"TRACKING_METHOD\":\"IP\",\"interval_id\":\"040d4ccd-718d-43bb-8f0e-92a685dcd3e0\",\"interval_start\":\"2025-12-09T13:06:00.615439086Z\"}", + "original": 
"{\"DETECTION_LIST\":{\"AFFECT_RUNNING_KERNEL\":\"0\",\"CVE\":\"CVE-2023-48161,CVE-2024-21208,CVE-2024-21210,CVE-2024-21217,CVE-2024-21235\",\"FIRST_FOUND_DATETIME\":\"2021-02-05T04:50:45Z\",\"IS_DISABLED\":\"0\",\"IS_IGNORED\":\"0\",\"LAST_FIXED_DATETIME\":\"2022-12-14T06:52:57Z\",\"LAST_FOUND_DATETIME\":\"2024-03-08T20:15:41Z\",\"LAST_PROCESSED_DATETIME\":\"2024-03-08T20:15:41Z\",\"LAST_TEST_DATETIME\":\"2024-03-08T20:15:41Z\",\"LAST_UPDATE_DATETIME\":\"2024-03-08T20:15:41Z\",\"LATEST_VULNERABILITY_DETECTION_SOURCE\":\"Cloud Agent\",\"MITRE_TACTIC_ID\":\"TA0008, TA0004\",\"MITRE_TACTIC_NAME\":\"lateral-movement, privilege-escalation\",\"MITRE_TECHNIQUE_ID\":\"T1210, T1068\",\"MITRE_TECHNIQUE_NAME\":\"Exploitation of Remote Services, Exploitation for Privilege Escalation\",\"QDS\":{\"#text\":\"35\",\"severity\":\"LOW\"},\"QDS_FACTORS\":{\"QDS_FACTOR\":[{\"#text\":\"7.7\",\"name\":\"CVSS\"},{\"#text\":\"v3.x\",\"name\":\"CVSS_version\"},{\"#text\":\"0.00232\",\"name\":\"epss\"},{\"#text\":\"AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H\",\"name\":\"CVSS_vector\"}]},\"QID\":\"101\",\"RESULTS\":\"Package\\tInstalled Version\\tRequired Version\\nlinux-cloud-tools-4.4.0\\t1074-aws_4.4.0-1074.84\\t1092\\nlinux-aws-tools-4.4.0\\t1074_4.4.0-1074.84\\t1092\\nlinux-aws-headers-4.4.0\\t1074_4.15.0-1126.135\\t1092\\nlinux-tools-4.4.0\\t1074-aws_4.4.0-1074.84\\t1092\\nlinux-aws-cloud-tools-4.4.0\\t1074_4.4.0-1074.84\\t1092\",\"SEVERITY\":\"3\",\"SSL\":\"0\",\"STATUS\":\"Active\",\"TIMES_FOUND\":\"5393\",\"TRURISK_ELIMINATION_STATUS\":\"FIXED\",\"TYPE\":\"Confirmed\",\"UNIQUE_VULN_ID\":\"11111111\",\"VULNERABILITY_DETECTION_SOURCES\":\"Cloud Agent,Internal Scanner\"},\"DNS\":\"adfssrvr.adfs.local\",\"DNS_DATA\":{\"DOMAIN\":\"adfs.local\",\"FQDN\":\"adfssrvr.adfs.local\",\"HOSTNAME\":\"adfssrvr\"},\"ID\":\"1\",\"IP\":\"10.50.2.111\",\"KNOWLEDGE_BASE\":{\"CATEGORY\":\"CGI\",\"CONSEQUENCE\":\"Depending on the vulnerability being exploited, an unauthenticated remote attacker could conduct 
cross-site scripting, clickjacking or MIME-type sniffing attacks.\",\"CVE_LIST\":[\"CVE-2022-31629\",\"CVE-2022-31628\"],\"CVSS\":{\"BASE\":{\"#text\":\"7.7\",\"source\":\"service\"},\"TEMPORAL\":\"4.0\",\"VECTOR_STRING\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H\"},\"DIAGNOSIS\":\"This QID reports the absence of the following\",\"DISCOVERY\":{\"REMOTE\":\"1\"},\"LAST_SERVICE_MODIFICATION_DATETIME\":\"2023-06-29T12:20:46Z\",\"PATCHABLE\":\"0\",\"PCI_FLAG\":\"1\",\"PUBLISHED_DATETIME\":\"2017-06-05T21:34:49Z\",\"QID\":\"101\",\"SEVERITY_LEVEL\":\"2\",\"SOFTWARE_LIST\":{\"SOFTWARE\":[{\"PRODUCT\":\"None\",\"VENDOR\":\"multi-vendor\"}]},\"SOLUTION\":\"\\u003cB\\u003eNote:\\u003c/B\\u003e To better debug the results of this QID\",\"THREAT_INTELLIGENCE\":{\"THREAT_INTEL\":[{\"id\":\"8\"}]},\"TITLE\":\"HTTP Security Header Not Detected\",\"VULN_TYPE\":\"Vulnerability\"},\"LAST_PC_SCANNED_DATE\":\"2023-06-28T09:58:12Z\",\"LAST_SCAN_DATETIME\":\"2023-07-03T06:25:17Z\",\"LAST_VM_SCANNED_DATE\":\"2023-07-03T06:23:47Z\",\"LAST_VM_SCANNED_DURATION\":\"1113\",\"NETBIOS\":\"ADFSSRVR\",\"OS\":\"Windows 2016/2019/10\",\"TRACKING_METHOD\":\"IP\",\"interval_id\":\"47a80f3f-ccfb-45ac-b90e-c0a618bb5bb8\",\"interval_start\":\"2025-12-30T06:25:12.491602751Z\"}", "type": [ "info" ] @@ -91,8 +91,8 @@ "hostname": "adfssrvr" }, "id": "1", - "interval_id": "040d4ccd-718d-43bb-8f0e-92a685dcd3e0", - "interval_start": "2025-12-09T13:06:00.615Z", + "interval_id": "47a80f3f-ccfb-45ac-b90e-c0a618bb5bb8", + "interval_start": "2025-12-30T06:25:12.491Z", "ip": "10.50.2.111", "knowledge_base": { "category": "CGI", diff --git a/packages/qualys_vmdr/data_stream/knowledge_base/agent/stream/input.yml.hbs b/packages/qualys_vmdr/data_stream/knowledge_base/agent/stream/input.yml.hbs index cf619f6b279..7f14bd2aa58 100644 --- a/packages/qualys_vmdr/data_stream/knowledge_base/agent/stream/input.yml.hbs +++ b/packages/qualys_vmdr/data_stream/knowledge_base/agent/stream/input.yml.hbs 
@@ -26,7 +26,7 @@ redact: - password program: | state.with( - request("GET", state.url.trim_right("/") + "/api/3.0/fo/knowledge_base/vuln/?" + + request("GET", state.url.trim_right("/") + "/api/4.0/fo/knowledge_base/vuln/?" + state.?params.orValue("").parse_query().with({ "action": ["list"], "last_modified_after": [state.?cursor.last_modified.orValue((now - duration(state.initial_interval)).format(time_layout.RFC3339))], @@ -38,7 +38,7 @@ program: | } }).do_request().as(resp, ( resp.StatusCode == 200 ? - resp.Body.as(xml, bytes(xml).decode_xml('qualys_api_3_0').as(body, { + resp.Body.as(xml, bytes(xml).decode_xml('qualys_api_4_0').as(body, { "events": ( has(body.doc.KNOWLEDGE_BASE_VULN_LIST_OUTPUT.RESPONSE.VULN_LIST) ? @@ -138,7 +138,7 @@ processors: {{processors}} {{/if}} xsd: - qualys_api_3_0: | + qualys_api_4_0: | diff --git a/packages/qualys_vmdr/data_stream/knowledge_base/sample_event.json b/packages/qualys_vmdr/data_stream/knowledge_base/sample_event.json index 5eed5c6351b..ed0d0c2cccb 100644 --- a/packages/qualys_vmdr/data_stream/knowledge_base/sample_event.json +++ b/packages/qualys_vmdr/data_stream/knowledge_base/sample_event.json @@ -1,24 +1,24 @@ { "@timestamp": "2023-06-29T12:20:46.000Z", "agent": { - "ephemeral_id": "4e6d92f6-8a28-471c-a03f-8c2685171b7b", - "id": "dc86e78e-6670-441f-acdd-99309474050f", - "name": "elastic-agent-65730", + "ephemeral_id": "98b85997-99e2-41ee-bb02-6532fae2b357", + "id": "706ea693-7cbe-44f8-902f-ee169e228005", + "name": "elastic-agent-80703", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.0" }, "data_stream": { "dataset": "qualys_vmdr.knowledge_base", - "namespace": "47901", + "namespace": "60071", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "dc86e78e-6670-441f-acdd-99309474050f", + "id": "706ea693-7cbe-44f8-902f-ee169e228005", "snapshot": false, - "version": "8.13.0" + "version": "8.19.0" }, "event": { "agent_id_status": "verified", 
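Review bot: The `bytes(xml).decode_xml('qualys_api_4_0')` call in the second hunk is not wrapped in `try(...)`, whereas the asset_host_detection program in this same patch decodes the v4 response with `try(xml.decode_xml('qualys_api_4_0_kb'), "decode_xml_error_kb")` and branches on `has(kb_body.decode_xml_error_kb)`. Now that the endpoint is a new API version, a body that does not decode would presumably abort the evaluation here instead of surfacing as an error event, which makes a silent gap in knowledge base data harder to notice. Consider `try(bytes(xml).decode_xml('qualys_api_4_0'), "decode_xml_error")` with a `has(body.decode_xml_error)` branch that emits the error in the same style as the non-200 path. The rest of the program lies outside the hunk, so confirm no later handling already covers this.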
@@ -26,10 +26,10 @@ "vulnerability" ], "dataset": "qualys_vmdr.knowledge_base", - "id": "11830", - "ingested": "2024-09-25T21:49:31Z", + "id": "2", + "ingested": "2025-12-29T10:51:56Z", "kind": "alert", - "original": "{\"CATEGORY\":\"CGI\",\"CONSEQUENCE\":\"\",\"CVE_LIST\":[\"CVE-2022-31629\",\"CVE-2022-31628\"],\"DIAGNOSIS\":\"\",\"DISCOVERY\":{\"REMOTE\":\"1\"},\"LAST_SERVICE_MODIFICATION_DATETIME\":\"2023-06-29T12:20:46Z\",\"PATCHABLE\":\"0\",\"PCI_FLAG\":\"1\",\"PUBLISHED_DATETIME\":\"2017-06-05T21:34:49Z\",\"QID\":\"11830\",\"SEVERITY_LEVEL\":\"2\",\"SOFTWARE_LIST\":{\"SOFTWARE\":[{\"PRODUCT\":\"\",\"VENDOR\":\"\"}]},\"SOLUTION\":\"\",\"THREAT_INTELLIGENCE\":{\"THREAT_INTEL\":[{\"id\":\"8\"}]},\"TITLE\":\"\",\"VULN_TYPE\":\"Vulnerability\"}", + "original": "{\"BUGTRAQ_LIST\":{\"BUGTRAQ\":[{\"ID\":\"9821\",\"URL\":\"https://url.com/bid/9821\"}]},\"CATEGORY\":\"CGI\",\"CONSEQUENCE\":\"Depending on the vulnerability being exploited, an unauthenticated remote attacker could conduct cross-site scripting, clickjacking or MIME-type sniffing attacks.\",\"CVE_LIST\":[\"CVE-2022-31629\",\"CVE-2022-31628\"],\"DIAGNOSIS\":\"This QID reports the absence of the following\",\"DISCOVERY\":{\"REMOTE\":\"1\"},\"LAST_SERVICE_MODIFICATION_DATETIME\":\"2023-06-29T12:20:46Z\",\"PATCHABLE\":\"0\",\"PCI_FLAG\":\"1\",\"PUBLISHED_DATETIME\":\"2017-06-05T21:34:49Z\",\"QID\":\"2\",\"SEVERITY_LEVEL\":\"2\",\"SOFTWARE_LIST\":{\"SOFTWARE\":[{\"PRODUCT\":\"fusion\",\"VENDOR\":\"vmware\"}]},\"SOLUTION\":\"\\u003cB\\u003eNote:\\u003c/B\\u003e To better debug the results of this QID\",\"THREAT_INTELLIGENCE\":{\"THREAT_INTEL\":[{\"#text\":\"No_Patch\",\"id\":\"8\"}]},\"TITLE\":\"HTTP Security Header Not Detected\",\"VENDOR_REFERENCE_LIST\":{\"VENDOR_REFERENCE\":[{\"ID\":\"VMSA-2024-0010\",\"URL\":\"https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24280\"}]},\"VULN_TYPE\":\"Vulnerability\"}", "type": [ "info" ] 
@@ -39,11 +39,23 @@ }, "qualys_vmdr": { "knowledge_base": { + "bugtraq_list": [ + { + "id": "9821", + "url": "https://url.com/bid/9821" + } + ], "category": "CGI", + "consequence": { + "value": "Depending on the vulnerability being exploited, an unauthenticated remote attacker could conduct cross-site scripting, clickjacking or MIME-type sniffing attacks." + }, "cve_list": [ "CVE-2022-31629", "CVE-2022-31628" ], + "diagnosis": { + "value": "This QID reports the absence of the following" + }, "discovery": { "remote": 1 }, @@ -53,15 +65,32 @@ "patchable": false, "pci_flag": true, "published_datetime": "2017-06-05T21:34:49.000Z", - "qid": "11830", + "qid": "2", "severity_level": "2", + "software_list": [ + { + "product": "fusion", + "vendor": "vmware" + } + ], + "solution": { + "value": "Note: To better debug the results of this QID" + }, "threat_intelligence": { "intel": [ { - "id": "8" + "id": "8", + "text": "No_Patch" } ] }, + "title": "HTTP Security Header Not Detected", + "vendor_reference_list": [ + { + "id": "VMSA-2024-0010", + "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24280" + } + ], "vuln_type": "Vulnerability" } }, @@ -81,4 +110,4 @@ ], "severity": "Medium" } -} \ No newline at end of file +} diff --git a/packages/qualys_vmdr/docs/README.md b/packages/qualys_vmdr/docs/README.md index c6680e51a3b..ec6e2f5a3e0 100644 --- a/packages/qualys_vmdr/docs/README.md +++ b/packages/qualys_vmdr/docs/README.md 
@@ -107,13 +107,13 @@ An example event for `asset_host_detection` looks as following: ```json { - "@timestamp": "2025-12-09T13:06:00.619Z", + "@timestamp": "2025-12-30T06:25:12.497Z", "agent": { - "ephemeral_id": "5eb4618e-1fb2-4db3-a80a-a1c9d60ddf79", - "id": "c25772f1-99b1-43d4-9ac3-8941538fa406", - "name": "elastic-agent-11567", + "ephemeral_id": "83655e80-2729-4332-8ace-457dd3a0bcef", + "id": "12042b44-811d-4c3e-b827-11cfb8074c86", + "name": "elastic-agent-48916", "type": "filebeat", - "version": "8.19.4" + "version": "8.19.0" }, "cloud": { "instance": { @@ -122,16 +122,16 @@ An example event for `asset_host_detection` looks as following: }, "data_stream": { "dataset": "qualys_vmdr.asset_host_detection", - "namespace": "88746", + "namespace": "83470", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "c25772f1-99b1-43d4-9ac3-8941538fa406", + "id": "12042b44-811d-4c3e-b827-11cfb8074c86", "snapshot": false, - "version": "8.19.4" + "version": "8.19.0" }, "event": { "agent_id_status": "verified", 
@@ -140,9 +140,9 @@ An example event for `asset_host_detection` looks as following: ], "dataset": "qualys_vmdr.asset_host_detection", "id": "11111111", - "ingested": "2025-12-09T13:06:03Z", + "ingested": "2025-12-30T06:25:15Z", "kind": "alert", - "original": "{\"DETECTION_LIST\":{\"AFFECT_RUNNING_KERNEL\":\"0\",\"CVE\":\"CVE-2023-48161,CVE-2024-21208,CVE-2024-21210,CVE-2024-21217,CVE-2024-21235\",\"FIRST_FOUND_DATETIME\":\"2021-02-05T04:50:45Z\",\"IS_DISABLED\":\"0\",\"IS_IGNORED\":\"0\",\"LAST_FIXED_DATETIME\":\"2022-12-14T06:52:57Z\",\"LAST_FOUND_DATETIME\":\"2024-03-08T20:15:41Z\",\"LAST_PROCESSED_DATETIME\":\"2024-03-08T20:15:41Z\",\"LAST_TEST_DATETIME\":\"2024-03-08T20:15:41Z\",\"LAST_UPDATE_DATETIME\":\"2024-03-08T20:15:41Z\",\"LATEST_VULNERABILITY_DETECTION_SOURCE\":\"Cloud Agent\",\"MITRE_TACTIC_ID\":\"TA0008, TA0004\",\"MITRE_TACTIC_NAME\":\"lateral-movement, privilege-escalation\",\"MITRE_TECHNIQUE_ID\":\"T1210, T1068\",\"MITRE_TECHNIQUE_NAME\":\"Exploitation of Remote Services, Exploitation for Privilege Escalation\",\"QDS\":{\"#text\":\"35\",\"severity\":\"LOW\"},\"QDS_FACTORS\":{\"QDS_FACTOR\":[{\"#text\":\"7.7\",\"name\":\"CVSS\"},{\"#text\":\"v3.x\",\"name\":\"CVSS_version\"},{\"#text\":\"0.00232\",\"name\":\"epss\"},{\"#text\":\"AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H\",\"name\":\"CVSS_vector\"}]},\"QID\":\"101\",\"RESULTS\":\"Package\\tInstalled Version\\tRequired Version\\nlinux-cloud-tools-4.4.0\\t1074-aws_4.4.0-1074.84\\t1092\\nlinux-aws-tools-4.4.0\\t1074_4.4.0-1074.84\\t1092\\nlinux-aws-headers-4.4.0\\t1074_4.15.0-1126.135\\t1092\\nlinux-tools-4.4.0\\t1074-aws_4.4.0-1074.84\\t1092\\nlinux-aws-cloud-tools-4.4.0\\t1074_4.4.0-1074.84\\t1092\",\"SEVERITY\":\"3\",\"SSL\":\"0\",\"STATUS\":\"Active\",\"TIMES_FOUND\":\"5393\",\"TRURISK_ELIMINATION_STATUS\":\"FIXED\",\"TYPE\":\"Confirmed\",\"UNIQUE_VULN_ID\":\"11111111\",\"VULNERABILITY_DETECTION_SOURCES\":\"Cloud Agent,Internal 
Scanner\"},\"DNS\":\"adfssrvr.adfs.local\",\"DNS_DATA\":{\"DOMAIN\":\"adfs.local\",\"FQDN\":\"adfssrvr.adfs.local\",\"HOSTNAME\":\"adfssrvr\"},\"ID\":\"1\",\"IP\":\"10.50.2.111\",\"KNOWLEDGE_BASE\":{\"CATEGORY\":\"CGI\",\"CONSEQUENCE\":\"Depending on the vulnerability being exploited, an unauthenticated remote attacker could conduct cross-site scripting, clickjacking or MIME-type sniffing attacks.\",\"CVE_LIST\":[\"CVE-2022-31629\",\"CVE-2022-31628\"],\"CVSS\":{\"BASE\":{\"#text\":\"7.7\",\"source\":\"service\"},\"TEMPORAL\":\"4.0\",\"VECTOR_STRING\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H\"},\"DIAGNOSIS\":\"This QID reports the absence of the following\",\"DISCOVERY\":{\"REMOTE\":\"1\"},\"LAST_SERVICE_MODIFICATION_DATETIME\":\"2023-06-29T12:20:46Z\",\"PATCHABLE\":\"0\",\"PCI_FLAG\":\"1\",\"PUBLISHED_DATETIME\":\"2017-06-05T21:34:49Z\",\"QID\":\"101\",\"SEVERITY_LEVEL\":\"2\",\"SOFTWARE_LIST\":{\"SOFTWARE\":[{\"PRODUCT\":\"None\",\"VENDOR\":\"multi-vendor\"}]},\"SOLUTION\":\"\\u003cB\\u003eNote:\\u003c/B\\u003e To better debug the results of this QID\",\"THREAT_INTELLIGENCE\":{\"THREAT_INTEL\":[{\"id\":\"8\"}]},\"TITLE\":\"HTTP Security Header Not Detected\",\"VULN_TYPE\":\"Vulnerability\"},\"LAST_PC_SCANNED_DATE\":\"2023-06-28T09:58:12Z\",\"LAST_SCAN_DATETIME\":\"2023-07-03T06:25:17Z\",\"LAST_VM_SCANNED_DATE\":\"2023-07-03T06:23:47Z\",\"LAST_VM_SCANNED_DURATION\":\"1113\",\"NETBIOS\":\"ADFSSRVR\",\"OS\":\"Windows 2016/2019/10\",\"TRACKING_METHOD\":\"IP\",\"interval_id\":\"040d4ccd-718d-43bb-8f0e-92a685dcd3e0\",\"interval_start\":\"2025-12-09T13:06:00.615439086Z\"}", + "original": 
"{\"DETECTION_LIST\":{\"AFFECT_RUNNING_KERNEL\":\"0\",\"CVE\":\"CVE-2023-48161,CVE-2024-21208,CVE-2024-21210,CVE-2024-21217,CVE-2024-21235\",\"FIRST_FOUND_DATETIME\":\"2021-02-05T04:50:45Z\",\"IS_DISABLED\":\"0\",\"IS_IGNORED\":\"0\",\"LAST_FIXED_DATETIME\":\"2022-12-14T06:52:57Z\",\"LAST_FOUND_DATETIME\":\"2024-03-08T20:15:41Z\",\"LAST_PROCESSED_DATETIME\":\"2024-03-08T20:15:41Z\",\"LAST_TEST_DATETIME\":\"2024-03-08T20:15:41Z\",\"LAST_UPDATE_DATETIME\":\"2024-03-08T20:15:41Z\",\"LATEST_VULNERABILITY_DETECTION_SOURCE\":\"Cloud Agent\",\"MITRE_TACTIC_ID\":\"TA0008, TA0004\",\"MITRE_TACTIC_NAME\":\"lateral-movement, privilege-escalation\",\"MITRE_TECHNIQUE_ID\":\"T1210, T1068\",\"MITRE_TECHNIQUE_NAME\":\"Exploitation of Remote Services, Exploitation for Privilege Escalation\",\"QDS\":{\"#text\":\"35\",\"severity\":\"LOW\"},\"QDS_FACTORS\":{\"QDS_FACTOR\":[{\"#text\":\"7.7\",\"name\":\"CVSS\"},{\"#text\":\"v3.x\",\"name\":\"CVSS_version\"},{\"#text\":\"0.00232\",\"name\":\"epss\"},{\"#text\":\"AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H\",\"name\":\"CVSS_vector\"}]},\"QID\":\"101\",\"RESULTS\":\"Package\\tInstalled Version\\tRequired Version\\nlinux-cloud-tools-4.4.0\\t1074-aws_4.4.0-1074.84\\t1092\\nlinux-aws-tools-4.4.0\\t1074_4.4.0-1074.84\\t1092\\nlinux-aws-headers-4.4.0\\t1074_4.15.0-1126.135\\t1092\\nlinux-tools-4.4.0\\t1074-aws_4.4.0-1074.84\\t1092\\nlinux-aws-cloud-tools-4.4.0\\t1074_4.4.0-1074.84\\t1092\",\"SEVERITY\":\"3\",\"SSL\":\"0\",\"STATUS\":\"Active\",\"TIMES_FOUND\":\"5393\",\"TRURISK_ELIMINATION_STATUS\":\"FIXED\",\"TYPE\":\"Confirmed\",\"UNIQUE_VULN_ID\":\"11111111\",\"VULNERABILITY_DETECTION_SOURCES\":\"Cloud Agent,Internal Scanner\"},\"DNS\":\"adfssrvr.adfs.local\",\"DNS_DATA\":{\"DOMAIN\":\"adfs.local\",\"FQDN\":\"adfssrvr.adfs.local\",\"HOSTNAME\":\"adfssrvr\"},\"ID\":\"1\",\"IP\":\"10.50.2.111\",\"KNOWLEDGE_BASE\":{\"CATEGORY\":\"CGI\",\"CONSEQUENCE\":\"Depending on the vulnerability being exploited, an unauthenticated remote attacker could conduct 
cross-site scripting, clickjacking or MIME-type sniffing attacks.\",\"CVE_LIST\":[\"CVE-2022-31629\",\"CVE-2022-31628\"],\"CVSS\":{\"BASE\":{\"#text\":\"7.7\",\"source\":\"service\"},\"TEMPORAL\":\"4.0\",\"VECTOR_STRING\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H\"},\"DIAGNOSIS\":\"This QID reports the absence of the following\",\"DISCOVERY\":{\"REMOTE\":\"1\"},\"LAST_SERVICE_MODIFICATION_DATETIME\":\"2023-06-29T12:20:46Z\",\"PATCHABLE\":\"0\",\"PCI_FLAG\":\"1\",\"PUBLISHED_DATETIME\":\"2017-06-05T21:34:49Z\",\"QID\":\"101\",\"SEVERITY_LEVEL\":\"2\",\"SOFTWARE_LIST\":{\"SOFTWARE\":[{\"PRODUCT\":\"None\",\"VENDOR\":\"multi-vendor\"}]},\"SOLUTION\":\"\\u003cB\\u003eNote:\\u003c/B\\u003e To better debug the results of this QID\",\"THREAT_INTELLIGENCE\":{\"THREAT_INTEL\":[{\"id\":\"8\"}]},\"TITLE\":\"HTTP Security Header Not Detected\",\"VULN_TYPE\":\"Vulnerability\"},\"LAST_PC_SCANNED_DATE\":\"2023-06-28T09:58:12Z\",\"LAST_SCAN_DATETIME\":\"2023-07-03T06:25:17Z\",\"LAST_VM_SCANNED_DATE\":\"2023-07-03T06:23:47Z\",\"LAST_VM_SCANNED_DURATION\":\"1113\",\"NETBIOS\":\"ADFSSRVR\",\"OS\":\"Windows 2016/2019/10\",\"TRACKING_METHOD\":\"IP\",\"interval_id\":\"47a80f3f-ccfb-45ac-b90e-c0a618bb5bb8\",\"interval_start\":\"2025-12-30T06:25:12.491602751Z\"}", "type": [ "info" ] @@ -199,8 +199,8 @@ An example event for `asset_host_detection` looks as following: "hostname": "adfssrvr" }, "id": "1", - "interval_id": "040d4ccd-718d-43bb-8f0e-92a685dcd3e0", - "interval_start": "2025-12-09T13:06:00.615Z", + "interval_id": "47a80f3f-ccfb-45ac-b90e-c0a618bb5bb8", + "interval_start": "2025-12-30T06:25:12.491Z", "ip": "10.50.2.111", "knowledge_base": { "category": "CGI", 
@@ -649,24 +649,24 @@ An example event for `knowledge_base` looks as following: { "@timestamp": "2023-06-29T12:20:46.000Z", "agent": { - "ephemeral_id": "4e6d92f6-8a28-471c-a03f-8c2685171b7b", - "id": "dc86e78e-6670-441f-acdd-99309474050f", - "name": "elastic-agent-65730", + "ephemeral_id": "98b85997-99e2-41ee-bb02-6532fae2b357", + "id": "706ea693-7cbe-44f8-902f-ee169e228005", + "name": "elastic-agent-80703", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.0" }, "data_stream": { "dataset": "qualys_vmdr.knowledge_base", - "namespace": "47901", + "namespace": "60071", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "dc86e78e-6670-441f-acdd-99309474050f", + "id": "706ea693-7cbe-44f8-902f-ee169e228005", "snapshot": false, - "version": "8.13.0" + "version": "8.19.0" }, "event": { "agent_id_status": "verified", 
@@ -674,10 +674,10 @@ An example event for `knowledge_base` looks as following: "vulnerability" ], "dataset": "qualys_vmdr.knowledge_base", - "id": "11830", - "ingested": "2024-09-25T21:49:31Z", + "id": "2", + "ingested": "2025-12-29T10:51:56Z", "kind": "alert", - "original": "{\"CATEGORY\":\"CGI\",\"CONSEQUENCE\":\"\",\"CVE_LIST\":[\"CVE-2022-31629\",\"CVE-2022-31628\"],\"DIAGNOSIS\":\"\",\"DISCOVERY\":{\"REMOTE\":\"1\"},\"LAST_SERVICE_MODIFICATION_DATETIME\":\"2023-06-29T12:20:46Z\",\"PATCHABLE\":\"0\",\"PCI_FLAG\":\"1\",\"PUBLISHED_DATETIME\":\"2017-06-05T21:34:49Z\",\"QID\":\"11830\",\"SEVERITY_LEVEL\":\"2\",\"SOFTWARE_LIST\":{\"SOFTWARE\":[{\"PRODUCT\":\"\",\"VENDOR\":\"\"}]},\"SOLUTION\":\"\",\"THREAT_INTELLIGENCE\":{\"THREAT_INTEL\":[{\"id\":\"8\"}]},\"TITLE\":\"\",\"VULN_TYPE\":\"Vulnerability\"}", + "original": "{\"BUGTRAQ_LIST\":{\"BUGTRAQ\":[{\"ID\":\"9821\",\"URL\":\"https://url.com/bid/9821\"}]},\"CATEGORY\":\"CGI\",\"CONSEQUENCE\":\"Depending on the vulnerability being exploited, an unauthenticated remote attacker could conduct cross-site scripting, clickjacking or MIME-type sniffing attacks.\",\"CVE_LIST\":[\"CVE-2022-31629\",\"CVE-2022-31628\"],\"DIAGNOSIS\":\"This QID reports the absence of the following\",\"DISCOVERY\":{\"REMOTE\":\"1\"},\"LAST_SERVICE_MODIFICATION_DATETIME\":\"2023-06-29T12:20:46Z\",\"PATCHABLE\":\"0\",\"PCI_FLAG\":\"1\",\"PUBLISHED_DATETIME\":\"2017-06-05T21:34:49Z\",\"QID\":\"2\",\"SEVERITY_LEVEL\":\"2\",\"SOFTWARE_LIST\":{\"SOFTWARE\":[{\"PRODUCT\":\"fusion\",\"VENDOR\":\"vmware\"}]},\"SOLUTION\":\"\\u003cB\\u003eNote:\\u003c/B\\u003e To better debug the results of this QID\",\"THREAT_INTELLIGENCE\":{\"THREAT_INTEL\":[{\"#text\":\"No_Patch\",\"id\":\"8\"}]},\"TITLE\":\"HTTP Security Header Not 
Detected\",\"VENDOR_REFERENCE_LIST\":{\"VENDOR_REFERENCE\":[{\"ID\":\"VMSA-2024-0010\",\"URL\":\"https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24280\"}]},\"VULN_TYPE\":\"Vulnerability\"}", "type": [ "info" ] @@ -687,11 +687,23 @@ An example event for `knowledge_base` looks as following: }, "qualys_vmdr": { "knowledge_base": { + "bugtraq_list": [ + { + "id": "9821", + "url": "https://url.com/bid/9821" + } + ], "category": "CGI", + "consequence": { + "value": "Depending on the vulnerability being exploited, an unauthenticated remote attacker could conduct cross-site scripting, clickjacking or MIME-type sniffing attacks." + }, "cve_list": [ "CVE-2022-31629", "CVE-2022-31628" ], + "diagnosis": { + "value": "This QID reports the absence of the following" + }, "discovery": { "remote": 1 }, @@ -701,15 +713,32 @@ An example event for `knowledge_base` looks as following: "patchable": false, "pci_flag": true, "published_datetime": "2017-06-05T21:34:49.000Z", - "qid": "11830", + "qid": "2", "severity_level": "2", + "software_list": [ + { + "product": "fusion", + "vendor": "vmware" + } + ], + "solution": { + "value": "Note: To better debug the results of this QID" + }, "threat_intelligence": { "intel": [ { - "id": "8" + "id": "8", + "text": "No_Patch" } ] }, + "title": "HTTP Security Header Not Detected", + "vendor_reference_list": [ + { + "id": "VMSA-2024-0010", + "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24280" + } + ], "vuln_type": "Vulnerability" } }, diff --git a/packages/qualys_vmdr/elasticsearch/transform/latest_cdr_vulnerabilities/fields/ecs.yml b/packages/qualys_vmdr/elasticsearch/transform/latest_cdr_vulnerabilities/fields/ecs.yml index 541a3d588bf..f2ec54bf13f 100644 --- a/packages/qualys_vmdr/elasticsearch/transform/latest_cdr_vulnerabilities/fields/ecs.yml 
+++ b/packages/qualys_vmdr/elasticsearch/transform/latest_cdr_vulnerabilities/fields/ecs.yml @@ -78,6 +78,16 @@ external: ecs - name: tags external: ecs +- name: threat.framework + external: ecs +- name: threat.tactic.id + external: ecs +- name: threat.tactic.name + external: ecs +- name: threat.technique.id + external: ecs +- name: threat.technique.name + external: ecs - name: vulnerability.category external: ecs - name: vulnerability.classification diff --git a/packages/qualys_vmdr/elasticsearch/transform/latest_cdr_vulnerabilities/fields/fields.yml b/packages/qualys_vmdr/elasticsearch/transform/latest_cdr_vulnerabilities/fields/fields.yml index 8621c972fcb..d5224ca99ed 100644 --- a/packages/qualys_vmdr/elasticsearch/transform/latest_cdr_vulnerabilities/fields/fields.yml +++ b/packages/qualys_vmdr/elasticsearch/transform/latest_cdr_vulnerabilities/fields/fields.yml @@ -139,6 +139,8 @@ type: keyword - name: severity type: long + - name: source + type: keyword - name: ssl type: keyword - name: status @@ -147,6 +149,8 @@ type: long - name: times_reopened type: long + - name: trurisk_elimination_status + type: keyword - name: type type: keyword - name: trurisk_elimination_status diff --git a/packages/qualys_vmdr/manifest.yml b/packages/qualys_vmdr/manifest.yml index 900d6c2ab05..b23d1125b79 100644 --- a/packages/qualys_vmdr/manifest.yml +++ b/packages/qualys_vmdr/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.4.0" name: qualys_vmdr title: Qualys VMDR -version: "6.14.1" +version: "6.15.0" description: Collect data from Qualys VMDR platform with Elastic Agent. type: integration categories: From 1955663b6a6247e00cbda09c4b9c57e16f28cdd1 Mon Sep 17 00:00:00 2001 From: moxarth-rathod Date: Tue, 30 Dec 2025 14:47:00 +0530 Subject: [PATCH 2/2] Add PR link to changelog --- packages/qualys_vmdr/changelog.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
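Review bot: In fields.yml, the second hunk adds `- name: trurisk_elimination_status` just before `- name: type`, but that hunk's trailing context line is already `- name: trurisk_elimination_status`, so the field looks to be declared twice in the same group. Indentation is not recoverable on this page and the group continues past the hunk, so the nesting needs confirming against the file. If both entries sit at the same level, drop the added pair `- name: trurisk_elimination_status` / `type: keyword` and keep only the new `- name: source` entry from the first hunk.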
diff --git a/packages/qualys_vmdr/changelog.yml b/packages/qualys_vmdr/changelog.yml index 46c338bc284..bf3c1fb397c 100644 --- a/packages/qualys_vmdr/changelog.yml +++ b/packages/qualys_vmdr/changelog.yml @@ -3,7 +3,7 @@ changes: - description: Update knowledge base API to v4 for asset_host_detection and knowledge_base data streams. type: enhancement - link: https://github.com/elastic/integrations/pull/1 + link: https://github.com/elastic/integrations/pull/16727 - version: "6.14.1" changes: - description: Update XSD schema name to match Host Detection API v5.0 response.