Vulnerability Scanning

The following article exclusively pertains to a Graylog Security feature or functionality. Graylog Security is a part of the Graylog centralized log management platform and requires a separate license. Contact the Graylog Sales team for more information on this product.

Graylog enables you to connect to third-party vulnerability scanners so that you can add vulnerability data to your machine assets. This data is used to further enhance your risk scores for any related assets or events.

Vulnerability data typically includes information such as the severity of the detected issue, what systems are or potentially could be affected, and remediation steps. In most cases, vulnerability scan data is based on industry standard sources, particularly the Common Vulnerabilities and Exposures (CVE), which is a list of publicly disclosed vulnerabilities.

Vulnerability scanning is part of asset enrichment in Graylog. In the Security interface, you can access the Vulnerability Scanners tab on the Assets page. See Manage Scanners for more information.

Hint: Vulnerability scan data in Graylog enriches your machine assets. You need to have machine assets in your environment for this information to be relevant. Vulnerability scan data does not apply to user assets.

Prerequisites

  • A valid Graylog Security license is required. Contact the Graylog Sales team for more information on obtaining the required license.

  • The "Illuminate 5.2.0:Assets" content pack is recommended.

  • A configured and running vulnerability scanner connected to Graylog.

Graylog Integrations with Vulnerability Scanning

Vulnerability scan data applied to machine assets helps provide a more complete view of potential threats in your environment. Vulnerability data can be useful in the following areas:

  • Asset enrichment: Vulnerability scanning data provides asset enrichment so that you have more information attached to your machine assets, including relevant security vulnerabilities. See Asset Enrichment for more information.

  • Illuminate: The "Illuminate 5.2.0:Assets" content pack, although optional, is highly recommended. This content pack associates your assets with incoming logs related to those assets. This content pack is required for risk scores and security event integrations, described below.

  • Risk scores: Machine assets can have their own asset risk scores. When an event is triggered that has an associated machine asset, that asset is assigned an asset risk score independent of the event, and vulnerability scan data is a factor in that risk score. See Asset Risk Scores for more information.

  • Security events: Events with machine assets factor in vulnerability scan data for the overall asset risk score calculated for the event. Therefore, you can better prioritize these events, giving attention to those with the highest risk scores. See Security Events for more information.

For examples of this integration, see the documentation on risk scoring use cases.

Set Up Vulnerability Scanning

Before you can include vulnerability scan data in Graylog, you must have your own third-party scanner set up and connected to Graylog. Graylog does not perform scans but instead imports scan data from your configured scanner or scanners.

You can use the following types of vulnerability scanners with Graylog:

You can add multiple scanners for each type so that you can have scan data focused on different areas of your network or types of scans. See the setup information for each scanner type for complete details.

Hint: Before you can add a scanner in Graylog, you must have a fully configured and operational scanner running. Consult the scanner vendor’s documentation for setup information: Defender documentation and Nessus documentation.

Manage Scanners

The Vulnerability Scanners tab on the Assets page lists all the vulnerability scanners you have defined for your environment. Click a scanner to open its detail page, which displays the scanner's settings and connection information.

From the detail screen, click Import Scans to perform a manual import of new scan data for the selected scanner. To update scanner settings, click Edit Connection.

If you select the check boxes for one or more scanners, the Bulk Actions menu becomes available with the following actions:

  • Import: Performs a manual import of new scan data for all selected scanners.

  • Delete: Removes all selected scanners from the list.