Wazuh Vulnerabilities

One of the great features in Wazuh is the vulnerabilities module. It compares installed programs against NIST's vulnerability database and compares the installed hotfixes against Microsoft's update catalog. It isn't perfect, but it can help you identify devices on your network that fall below the average.

Vulnerabilities List

The list is gathered from https://nvd.nist.gov/cpe and imported into a SQLite database, usually located at /var/ossec/queue/vulnerabilities/cve.db. The data is imported into two tables called VULNERABILITIES and VULNERABILITIES_INFO.

Vulnerability Mapping Table

Often the name and vendor of a product shown in Add/Remove Programs do not match the nvd.nist.gov data, so a mapping dictionary exists in a JSON file called /var/ossec/queue/vulnerabilities/dictionaries/cpe_helper.json.

Be aware that upgrading Wazuh on the server will overwrite cpe_helper.json, as the vendors progressively identify new matches. Save your own additions to this file in a backup copy so you can re-add your site-specific applications after the file gets updated.

Microsoft Update List

Wazuh sources needed and superseded updates from a Microsoft API. This data goes into /var/ossec/queue/vulnerabilities/dictionaries/msu.json.gz, which is then imported into the same SQLite database as above, namely /var/ossec/queue/vulnerabilities/cve.db. This time the data goes into two tables, MSU and MSU_SUPERSEDENCE.

This file is yet to be auto-updated; I believe that will come in a later version of Wazuh and will likely be sourced from feed.wazuh.com, so the above feed will lack recently released Windows updates, although if you were really desperate you could edit the JSON file manually to have them imported into the Wazuh database.

Again, upgrading Wazuh on the server will overwrite msu.json.gz, so save your own additions to a copy of this file.
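The backup-and-re-add routine described for cpe_helper.json (and again for msu.json.gz) is easy to get wrong by hand, so here is an added example script, not part of Wazuh, that merges your saved entries back into the freshly upgraded cpe_helper.json without duplicating mappings the vendor has since shipped. It assumes the file is a JSON object whose "dictionary" key holds a list of mapping entries and that your copy lives at /root/cpe_helper.site.json; both are assumptions, so check them against your installed file. The sample data at the bottom is constructed.

```python
"""Re-add site-specific cpe_helper.json entries after a Wazuh upgrade.

Added example, not Wazuh's own tooling. Assumed: the file is a JSON object whose
"dictionary" key holds a list of entries; entries are treated as opaque JSON.
"""
import json
import shutil
from pathlib import Path

CPE_HELPER = Path("/var/ossec/queue/vulnerabilities/dictionaries/cpe_helper.json")
SITE_COPY = Path("/root/cpe_helper.site.json")  # assumed location of your backup
LIST_KEY = "dictionary"  # assumed name of the list holding the mapping entries


def _canon(entry) -> str:
    """Canonical serialization so structurally equal entries compare equal."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":"))


def merge_entries(upgraded: dict, site_copy: dict, key: str = LIST_KEY):
    """Return (merged, added): `upgraded` plus the site entries it lacks.

    Vendor-shipped entries stay untouched, so a mapping the vendor has since
    added upstream is not duplicated by your older copy of it.
    """
    merged = json.loads(json.dumps(upgraded))  # deep copy; inputs are not mutated
    shipped = {_canon(e) for e in merged.get(key, [])}
    added = [e for e in site_copy.get(key, []) if _canon(e) not in shipped]
    merged.setdefault(key, []).extend(added)
    return merged, added


def readd_site_entries(live: Path = CPE_HELPER, backup: Path = SITE_COPY) -> int:
    """Merge the backup into the live file, keeping a .pre-merge copy; returns count added."""
    merged, added = merge_entries(json.loads(live.read_text()), json.loads(backup.read_text()))
    if added:
        shutil.copy2(live, live.with_name(live.name + ".pre-merge"))
        live.write_text(json.dumps(merged, indent=2) + "\n")
    return len(added)


# Constructed sample: vendor file after upgrade, and a site copy carrying one
# extra entry plus one that the vendor has meanwhile shipped themselves.
SAMPLE_UPGRADED = {"dictionary": [{"source": "Vendor A App", "translation": "a_app"},
                                  {"source": "Site Tool", "translation": "site_tool"}]}
SAMPLE_SITE_COPY = {"dictionary": [{"source": "Site Tool", "translation": "site_tool"},
                                   {"source": "Custom HR System", "translation": "hr_system"}]}

if __name__ == "__main__":
    merged, added = merge_entries(SAMPLE_UPGRADED, SAMPLE_SITE_COPY)
    print(f"re-added {len(added)} entries; dictionary now has {len(merged['dictionary'])}")
```

Run `readd_site_entries()` on the server after each upgrade; the .pre-merge copy lets you roll back if the module stops loading the file.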
