Vulnerability detection

ThreatLockDown uses the Vulnerability Detection module to identify vulnerabilities in applications and operating systems running on endpoints.

This use case shows how ThreatLockDown detects unpatched Common Vulnerabilities and Exposures (CVEs) in the monitored endpoint.

For more information on this capability, check the vulnerability detection section of the documentation.

Infrastructure

Endpoint        Description
Ubuntu 22.04    The vulnerability detection module checks for vulnerabilities in the operating system and installed applications on this Linux endpoint.
Windows 11      The vulnerability detection module checks for vulnerabilities in the operating system and installed applications on this Windows endpoint.

Configuration

The Vulnerability Detection module is enabled by default. Perform the following steps on the ThreatLockDown server to confirm that it is enabled and that the manager is configured to reach the indexer where vulnerability data is stored.

  1. Open the /var/ossec/etc/ossec.conf file on the ThreatLockDown server. Check that both the Vulnerability Detection module and the indexer connection it writes to are enabled:

    <vulnerability-detection>
       <enabled>yes</enabled>
       <index-status>yes</index-status>
       <feed-update-interval>60m</feed-update-interval>
    </vulnerability-detection>
    
    <indexer>
       <enabled>yes</enabled>
       <hosts>
          <host>https://0.0.0.0:9200</host>
       </hosts>
       <username>admin</username>
       <password>admin</password>
       <ssl>
          <certificate_authorities>
             <ca>/etc/filebeat/certs/root-ca.pem</ca>
          </certificate_authorities>
          <certificate>/etc/filebeat/certs/filebeat.pem</certificate>
          <key>/etc/filebeat/certs/filebeat-key.pem</key>
       </ssl>
    </indexer>

    The <host>, <username> and <password> values shown are the defaults from this fragment, not values to keep: set <host> to the address of your indexer node and replace admin/admin with the credentials you configured for the indexer. While the default credentials remain, anyone who can reach port 9200 can authenticate to the indexer as admin.
    
  2. If you made changes to the configuration, restart the ThreatLockDown manager.

    $ sudo systemctl restart wazuh-manager
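
As an added example that is not part of this page or of the ThreatLockDown/Wazuh project, the following POSIX shell script performs the check in step 1 mechanically instead of by eye: it reads the <vulnerability-detection> and <indexer> settings from an ossec.conf-style file (the path /var/ossec/etc/ossec.conf is assumed), fails if either the module or the indexer connection is disabled or the indexer host is not an https:// URL, and warns when the admin/admin credentials from the fragment above are still in place. The sample configuration it writes is constructed for this example so the script runs on a host with no manager installed.

```shell
#!/bin/sh
# Added example, not ThreatLockDown/Wazuh project code: read the
# <vulnerability-detection> and <indexer> settings from an ossec.conf-style
# file and report whether the module can run and index its results.
# Assumed: the default config path /var/ossec/etc/ossec.conf; the constructed
# sample below mirrors the fragment shown in step 1 so the script runs offline.

# Print the text of the first <child> element found inside the <parent> block.
# Arguments: file, parent element name, child element name.
xml_value() {
  sed -n "/<$2>/,/<\/$2>/p" "$1" \
    | sed -n "s/.*<$3>\([^<]*\)<\/$3>.*/\1/p" \
    | head -n 1
}

# Write a constructed sample configuration to $1 with <enabled> set to $2,
# so the checks can be exercised without a manager installed.
write_sample_config() {
  cat > "$1" <<EOF
<ossec_config>
  <vulnerability-detection>
    <enabled>$2</enabled>
    <index-status>yes</index-status>
    <feed-update-interval>60m</feed-update-interval>
  </vulnerability-detection>
  <indexer>
    <enabled>yes</enabled>
    <hosts>
      <host>https://0.0.0.0:9200</host>
    </hosts>
    <username>admin</username>
    <password>admin</password>
  </indexer>
</ossec_config>
EOF
}

# Succeeds (status 0) when the indexer block still carries the admin/admin
# credentials shipped in the sample fragment.
uses_default_credentials() {
  [ "$(xml_value "$1" indexer username)" = "admin" ] \
    && [ "$(xml_value "$1" indexer password)" = "admin" ]
}

# Succeeds when vulnerability detection is enabled and the indexer connection
# it needs is enabled and uses TLS; prints one line per problem otherwise.
check_vd_config() {
  cfg="$1"
  rc=0
  if [ "$(xml_value "$cfg" vulnerability-detection enabled)" != "yes" ]; then
    echo "FAIL: <vulnerability-detection><enabled> is not 'yes' in $cfg"
    rc=1
  fi
  if [ "$(xml_value "$cfg" indexer enabled)" != "yes" ]; then
    echo "FAIL: <indexer><enabled> is not 'yes'; results cannot be indexed"
    rc=1
  fi
  host=$(xml_value "$cfg" hosts host)
  case "$host" in
    https://*) ;;
    *) echo "FAIL: indexer host '$host' is not an https:// URL"; rc=1 ;;
  esac
  if uses_default_credentials "$cfg"; then
    echo "WARN: indexer block still uses the default admin/admin credentials"
  fi
  return "$rc"
}

main() {
  cfg="${1:-/var/ossec/etc/ossec.conf}"
  if [ ! -r "$cfg" ]; then
    # No manager on this host: demonstrate against the constructed sample.
    echo "note: $cfg not readable, using a constructed sample instead"
    cfg=$(mktemp)
    write_sample_config "$cfg" yes
  fi
  if check_vd_config "$cfg"; then
    echo "OK: vulnerability detection is enabled in $cfg"
  else
    echo "Fix the settings above, then: sudo systemctl restart wazuh-manager"
  fi
}

main "$@"
```

Run it with no arguments on the manager to check the live file, or pass another path to check a copy before deploying it; after correcting anything it reports, restart the manager as in step 2. The element lookup is deliberately scoped to the enclosing block so that the <enabled> under <indexer> is never confused with the one under <vulnerability-detection>.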
    

Visualize the alerts

You can visualize the alert data in the ThreatLockDown dashboard. To do this, go to the Vulnerability Detection module, select Events, and click on any vulnerability to expand the document.