The LogSentinel collector supports running vulnerability detection with a dedicated vulnerability connector. The connector supports two types of vulnerability assessment:
- web vulnerability scanning - the connector regularly tests a set of configured web pages (internal or externally-facing)
- vulnerability probing - the connector probes all discovered assets in order to detect known services and their respective versions, and matches them against known CVEs.
Below is a sample configuration:
vulnerabilityDetection:
  # there needs to be a designated "vulnerabilities" data source at the SIEM
  dataSourceId: 123e4567-e89b-12d3-a456-426614174000
  web:
    urls:
      - https://hr.internal
      - https://company.com
  probe:
    enabled: true
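A configuration like the one above is easy to get subtly wrong (a data source id that is not a UUID, a URL without a scheme, `enabled: yes` where a boolean is expected), and a collector that silently scans nothing is worse than one that refuses to start. The following is an added example, not LogSentinel's own code: it parses the small YAML subset used by this section (nested mappings, lists of scalars, comments) with a minimal parser so that it runs without PyYAML, and then checks the `vulnerabilityDetection` section against the constraints the page describes. The constraint names, the second "bad" configuration and the assumption that `web.urls` must be http(s) URLs are mine; in a real deployment you would load the file with PyYAML and keep only `validate_config`.

```python
import re
import uuid
from urllib.parse import urlsplit

# Constructed sample: the configuration shown in the section above.
SAMPLE_CONFIG = """\
vulnerabilityDetection:
  # there needs to be a designated "vulnerabilities" data source at the SIEM
  dataSourceId: 123e4567-e89b-12d3-a456-426614174000
  web:
    urls:
      - https://hr.internal
      - https://company.com
  probe:
    enabled: true
"""

# Constructed sample with three deliberate mistakes (bad id, non-http URL, non-boolean flag).
BAD_CONFIG = """\
vulnerabilityDetection:
  dataSourceId: not-a-uuid
  web:
    urls:
      - ftp://files.internal
  probe:
    enabled: yes
"""


def _tokens(text):
    """Split the YAML text into (indent, stripped_line) pairs, dropping blank and comment lines."""
    out = []
    for raw in text.splitlines():
        line = "" if raw.lstrip().startswith("#") else raw.split(" #", 1)[0]
        if not line.strip():
            continue
        out.append((len(line) - len(line.lstrip(" ")), line.strip()))
    return out


def _scalar(s):
    """Convert a YAML scalar: only true/false and integers are typed, everything else is a string."""
    if s == "true":
        return True
    if s == "false":
        return False
    if re.fullmatch(r"-?\d+", s):
        return int(s)
    return s.strip('"')


def _parse(tokens, pos, indent):
    """Parse one block whose lines share `indent`; return (value, position after the block)."""
    if tokens[pos][1].startswith("- "):
        items = []
        while pos < len(tokens) and tokens[pos][0] == indent and tokens[pos][1].startswith("- "):
            items.append(_scalar(tokens[pos][1][2:].strip()))
            pos += 1
        return items, pos
    mapping = {}
    while pos < len(tokens) and tokens[pos][0] == indent:
        key, _, rest = tokens[pos][1].partition(":")
        key, rest = key.strip(), rest.strip()
        pos += 1
        if rest:  # inline scalar value
            mapping[key] = _scalar(rest)
        elif pos < len(tokens) and tokens[pos][0] > indent:  # nested block follows
            mapping[key], pos = _parse(tokens, pos, tokens[pos][0])
        else:
            mapping[key] = None
    return mapping, pos


def load_config(text):
    """Parse the YAML subset used by the collector configuration into nested dicts/lists."""
    tokens = _tokens(text)
    if not tokens:
        return {}
    value, _ = _parse(tokens, 0, tokens[0][0])
    return value


def validate_config(cfg):
    """Return a list of problems found in the vulnerabilityDetection section (empty means OK)."""
    problems = []
    vd = cfg.get("vulnerabilityDetection")
    if not isinstance(vd, dict):
        return ["vulnerabilityDetection section is missing"]
    ds = vd.get("dataSourceId")
    try:
        uuid.UUID(str(ds))  # the SIEM data source id must be a UUID
    except ValueError:
        problems.append(f"dataSourceId is not a UUID: {ds!r}")
    web = vd.get("web") if isinstance(vd.get("web"), dict) else {}
    urls = web.get("urls") or []
    if not isinstance(urls, list):
        problems.append("web.urls must be a list")
        urls = []
    for u in urls:  # assumption: only http(s) targets make sense for the web scanner
        parts = urlsplit(str(u))
        if parts.scheme not in ("http", "https") or not parts.netloc:
            problems.append(f"web.urls entry is not an http(s) URL: {u!r}")
    probe = vd.get("probe") if isinstance(vd.get("probe"), dict) else {}
    enabled = probe.get("enabled")
    if enabled is not None and not isinstance(enabled, bool):
        problems.append(f"probe.enabled must be true or false, got {enabled!r}")
    if not urls and enabled is not True:
        problems.append("neither web.urls nor probe.enabled is set; the connector would do nothing")
    return problems


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_CONFIG), ("bad", BAD_CONFIG)):
        print(name, validate_config(load_config(text)) or "OK")
```

Running the block prints `OK` for the documented sample and three findings for the constructed bad configuration, which is the behaviour you want from a pre-deployment check: the collector either starts with a configuration that will actually scan something, or it tells you exactly which key is wrong.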
Additionally, through the Wazuh-based agent, we support agent-based vulnerability detection. It is handled by the ossec connector.
You can check the full configuration reference here.