First EPSS
<div class="condensed-table">
| | |
| --- | --- |
| Version | 0.3.1 [beta] |
| Compatible Kibana version(s) | 8.14.0 or higher |
| Supported Serverless project types | Security, Observability |
| Subscription level | Basic |
| Level of support | Community |
</div>
The First EPSS integration retrieves EPSS scores from the First EPSS API.
The Exploit Prediction Scoring System (EPSS) is a data-driven effort to estimate the likelihood (probability) that a software vulnerability (CVE) will be exploited in the wild.
The First EPSS integration collects one type of data stream: vulnerability.
EPSS scores are retrieved via the First EPSS API (https://api.first.org/data/v1/epss).
This integration has been tested against the EPSS API v1.
You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it. You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your own hardware.
For step-by-step instructions on how to set up an integration, see the Getting started guide.
This is the vulnerability dataset.
**Example**
An example event for vulnerability looks as follows:
```json
{
  "@timestamp": "2024-09-05T14:49:59.197Z",
  "agent": {
    "ephemeral_id": "76bea870-a841-4313-939f-8ac1e976e0f9",
    "id": "7acf9ae7-fa00-4807-86c6-5ddf0681ffbb",
    "name": "elastic-agent-50065",
    "type": "filebeat",
    "version": "8.15.0"
  },
  "data_stream": {
    "dataset": "first_epss.vulnerability",
    "namespace": "53064",
    "type": "logs"
  },
  "ecs": {
    "version": "8.11.0"
  },
  "elastic_agent": {
    "id": "7acf9ae7-fa00-4807-86c6-5ddf0681ffbb",
    "snapshot": false,
    "version": "8.15.0"
  },
  "event": {
    "agent_id_status": "verified",
    "category": [
      "vulnerability"
    ],
    "dataset": "first_epss.vulnerability",
    "ingested": "2024-09-05T14:50:00Z",
    "kind": "enrichment",
    "type": [
      "info"
    ]
  },
  "first_epss": {
    "vulnerability": {
      "cve": "CVE-2024-8418",
      "date": "2024-09-05T00:00:00.000Z",
      "epss": 0.00045,
      "percentile": 0.16342
    }
  },
  "host": {
    "architecture": "aarch64",
    "containerized": false,
    "hostname": "elastic-agent-50065",
    "id": "1e6dd5e4f8a3409dbea97e40111e935a",
    "ip": [
      "172.24.0.2",
      "172.23.0.4"
    ],
    "mac": [
      "02-42-AC-17-00-04",
      "02-42-AC-18-00-02"
    ],
    "name": "elastic-agent-50065",
    "os": {
      "codename": "focal",
      "family": "debian",
      "kernel": "6.10.4-linuxkit",
      "name": "Ubuntu",
      "platform": "ubuntu",
      "type": "linux",
      "version": "20.04.6 LTS (Focal Fossa)"
    }
  },
  "input": {
    "type": "cel"
  },
  "tags": [
    "preserve_original_event"
  ],
  "vulnerability": {
    "id": "CVE-2024-8418",
    "reference": "https://api.first.org/data/v1/epss?pretty=true&cve=CVE-2024-8418"
  }
}
```
**Exported fields**
Field | Description | Type |
---|---|---|
@timestamp | Event timestamp. | date |
data_stream.dataset | Data stream dataset. | constant_keyword |
data_stream.namespace | Data stream namespace. | constant_keyword |
data_stream.type | Data stream type. | constant_keyword |
event.dataset | Event dataset. | constant_keyword |
event.module | Event module. | constant_keyword |
first_epss.vulnerability.cve | CVE number. | keyword |
first_epss.vulnerability.date | Exploit Prediction Scoring System score calculation date. | date |
first_epss.vulnerability.epss | Exploit Prediction Scoring System score value. | float |
first_epss.vulnerability.percentile | Exploit Prediction Scoring System percentile value. | float |
input.type | Type of filebeat input. | keyword |
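The following is an added example and is not code from the First EPSS integration package or from FIRST. It shows what the integration does behind the `cel` input in plain Python: build an EPSS API v1 query for a batch of CVEs, map the API's data objects onto the `first_epss.vulnerability` and `vulnerability` fields listed above, page through the response envelope, and rank the resulting documents by score. The response embedded in the block is a constructed sample, not a capture from the live API; the function names (`build_epss_url`, `to_vulnerability_docs`, `next_offset`, `prioritize`) are chosen here, and the example assumes the v1 envelope (`status`, `total`, `offset`, `limit`, `data`) with `epss` and `percentile` delivered as decimal strings and `date` as `YYYY-MM-DD`.

```python
"""Added example, not code from the First EPSS integration package: build a
FIRST EPSS API v1 query, map API data objects onto the integration's
first_epss.vulnerability / vulnerability fields, page through the envelope
and rank the results. Nothing is sent over the network; the response below
is a constructed sample shaped like the v1 data objects (scores as decimal
strings, dates as YYYY-MM-DD)."""
import json
from datetime import datetime, timezone
from urllib.parse import urlencode

EPSS_API = "https://api.first.org/data/v1/epss"

# Constructed sample response (not captured from the live API). CVE-2024-8418
# carries the values from the example event above; the other two rows use
# illustrative scores, not those CVEs' real EPSS values.
SAMPLE_RESPONSE = json.loads("""
{
  "status": "OK", "status-code": 200, "version": "1.0", "access": "public",
  "total": 3, "offset": 0, "limit": 100,
  "data": [
    {"cve": "CVE-2024-8418",  "epss": "0.000450000", "percentile": "0.163420000", "date": "2024-09-05"},
    {"cve": "CVE-2021-44228", "epss": "0.975320000", "percentile": "0.999890000", "date": "2024-09-05"},
    {"cve": "CVE-2014-0160",  "epss": "0.120000000", "percentile": "0.950000000", "date": "2024-09-05"}
  ]
}
""")


def build_epss_url(cves, date=None, limit=100, offset=0):
    """Query URL for one batch of CVEs. The v1 API takes a comma-separated
    'cve' parameter plus limit/offset for paging; 'date' pins the scores to
    one calculation day instead of the latest one."""
    params = {"cve": ",".join(sorted(set(cves))), "limit": limit, "offset": offset}
    if date:
        params["date"] = date
    return f"{EPSS_API}?{urlencode(params)}"


def to_vulnerability_docs(payload):
    """Map each API data object onto the field set the integration exports.
    Scores are converted from strings to floats and the calculation date
    becomes a midnight-UTC timestamp, as in the example event above."""
    if payload.get("status") != "OK":
        raise ValueError(f"EPSS API returned {payload.get('status')} "
                         f"({payload.get('status-code')})")
    docs = []
    for item in payload.get("data", []):
        day = datetime.strptime(item["date"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
        docs.append({
            "first_epss": {"vulnerability": {
                "cve": item["cve"],
                "date": day.strftime("%Y-%m-%dT%H:%M:%S.000Z"),
                "epss": float(item["epss"]),
                "percentile": float(item["percentile"]),
            }},
            "vulnerability": {
                "id": item["cve"],
                "reference": f"{EPSS_API}?pretty=true&cve={item['cve']}",
            },
        })
    return docs


def next_offset(payload):
    """Offset of the next page, or None once offset + len(data) reaches
    'total', so a caller can stop without an extra empty round trip."""
    seen = payload["offset"] + len(payload.get("data", []))
    return seen if seen < payload["total"] else None


def prioritize(docs, epss_min=0.1, percentile_min=0.9):
    """Documents whose EPSS probability or percentile crosses a threshold,
    highest EPSS first. Both views matter: a probability that looks small
    in absolute terms can still sit in a high percentile of all scored CVEs."""
    def score(d):
        return d["first_epss"]["vulnerability"]
    hits = [d for d in docs
            if score(d)["epss"] >= epss_min or score(d)["percentile"] >= percentile_min]
    return sorted(hits, key=lambda d: score(d)["epss"], reverse=True)


if __name__ == "__main__":
    print(build_epss_url(["CVE-2024-8418", "CVE-2021-44228"], date="2024-09-05"))
    for doc in prioritize(to_vulnerability_docs(SAMPLE_RESPONSE)):
        v = doc["first_epss"]["vulnerability"]
        print(f"{v['cve']:<16} epss={v['epss']:.5f} percentile={v['percentile']:.5f}")
```

When comparing documents over time, key on `first_epss.vulnerability.date` as well as the CVE: the API publishes a fresh score set each day, so a document whose `date` lags the current calculation day reflects an older model run, and two scores are only comparable when they come from the same day.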
**Changelog**
| Version | Details | Kibana version(s) |
| --- | --- | --- |
| 0.3.1 | Bug fix: Update links to getting started docs | — |
| 0.3.0 | Enhancement: Add First logo | — |
| 0.2.0 | Enhancement: Add "preserve_original_event" tag to documents with event.kind set to "pipeline_error". | — |
| 0.1.0 | Enhancement: Initial release of the package | — |