tenable_sc: add tenable_sc.vulnerability.age field #7210
Retain a calculated vulnerability age in days from the first and last seen dates.
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
LGTM
Looks good!
For me it is counterintuitive that a vulnerability doesn't "age" unless it continues to be seen. I might have called it "exposure_duration" or "days_observed" or something. However, "age" was requested by someone who knows Tenable SC and the domain better than I do so I assume it'll be fine. Also the field description is clear.
Probably when this event arises it is because the vulnerability was detected in the last scan performed, so in theory it would still exist.
@jgreene-TrappTech Are you able to comment on the concerns above?
Certainly. We have no attachment to Typically, Vulnerability SLAs mandate that after a vulnerability is discovered, the product owner has Currently we are using Hope that helps.
Thanks, the second part of the concern is whether events ever come through without a last seen, but with a first seen. Is this ever the case? For the language and unit choice, I think days is the best given that it matches other fields in the tenable documents.
First time seen and last time seen appear to be in every Here is an example:
Thanks
Package tenable_sc - 1.13.0 containing this change is available at https://epr.elastic.co/search?package=tenable_sc
Retain a calculated vulnerability age in days calculated from the first and last seen dates.
What does this PR do?
Retains a calculated vulnerability age in days from the first and last seen dates.