ShadowTrackr


New vulnerabilities index, software index complete

08 December 2025
Almost all software detection has moved to the new software index. If you want to have a look, use this query:

    index=software

It has separate fields for vendor, product, version and patch (name of the patch), and shows when specific software was first_seen and last_seen. This will allow you to check what software you had running in the past. Sometimes a new vulnerability is published and it turns out it has been used for months already. Your current software version might not be vulnerable, but the one last month might have been. You can check that now.
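The retrospective check described above can also be reasoned about offline. The following is an added example, not ShadowTrackr code: it takes rows shaped like the software index fields (vendor, product, version, first_seen, last_seen) and reports which assets showed a vulnerable version inside a given exploitation window. The `asset` key, the vendor and product names, the fixed version and all dates are constructed assumptions.

```python
from datetime import date

# Constructed rows using the software index fields named above; the "asset"
# key, the vendor/product names and all values are assumptions for illustration.
ROWS = [
    # Upgraded on 2025-11-10: the old version is gone today but was live in the window.
    {"asset": "www.example.com", "vendor": "examplecorp", "product": "exampled",
     "version": "2.4.9", "first_seen": date(2025, 3, 2), "last_seen": date(2025, 11, 10)},
    {"asset": "www.example.com", "vendor": "examplecorp", "product": "exampled",
     "version": "2.4.10", "first_seen": date(2025, 11, 10), "last_seen": date(2025, 12, 8)},
    # Retired before the window opened: vulnerable version, but no overlap.
    {"asset": "old.example.com", "vendor": "examplecorp", "product": "exampled",
     "version": "2.3.1", "first_seen": date(2024, 1, 5), "last_seen": date(2025, 6, 30)},
    # Still running a vulnerable version today.
    {"asset": "vpn.example.com", "vendor": "examplecorp", "product": "exampled",
     "version": "2.4.2", "first_seen": date(2025, 10, 20), "last_seen": date(2025, 12, 8)},
]

def version_key(version):
    """Turn '2.4.9' into (2, 4, 9) so that 2.4.10 sorts after 2.4.9."""
    return tuple(int(part) for part in version.split("."))

def past_exposure(rows, vendor, product, fixed_in, window_start, window_end):
    """Return {asset: days} a version older than fixed_in was seen inside the window."""
    exposed = {}
    for row in rows:
        if (row["vendor"], row["product"]) != (vendor, product):
            continue
        if version_key(row["version"]) >= version_key(fixed_in):
            continue  # this observation was already on a fixed version
        # Clip the observation interval to the exploitation window.
        start = max(row["first_seen"], window_start)
        end = min(row["last_seen"], window_end)
        if start <= end:
            days = (end - start).days + 1  # inclusive day count
            exposed[row["asset"]] = exposed.get(row["asset"], 0) + days
    return exposed

if __name__ == "__main__":
    # Assumed window: exploitation from 2025-09-01 until disclosure on 2025-12-01.
    hits = past_exposure(ROWS, "examplecorp", "exampled", "2.4.10",
                         date(2025, 9, 1), date(2025, 12, 1))
    for asset, days in hits.items():
        print(f"{asset}: vulnerable version observed for {days} days in the window")
```

A plain version comparison cannot see a patch that leaves the version number unchanged, so hits from a check like this still need to be reviewed against the patch field.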

The magic query $software_vulnerabilities_report and other software queries are now replaced with a fully functional vulnerabilities index. There are fields for software, assets, ip, url, cve, cvss_score and cvss_severity and, as with the software index, first_seen and last_seen fields for every cve seen on every asset. Here are some example queries:

Show all recent vulnerabilities with a cvss_score above 8:

    index=vulnerabilities last_seen>-7d cvss_score>8

Show all recent criticals:

    index=vulnerabilities last_seen>-7d cvss_severity=critical

Check if you were vulnerable to CVE-2025-23048 last month:

    index=vulnerabilities first_seen<-1m cve=CVE-2025-23048


Note that the old magic $software queries will still be supported, so don't worry about migrating any queries/reports you have.

New software index, with more detections

01 December 2025
This week the new software index has moved to production. All older, decentralized data is being migrated or re-indexed and this might result in temporary issues like counts not matching in different overviews. By the end of the week all should be fine again. The data in today's weekly report is still based on the old indexes.

The new index allows for easier development of detection rules, more software detections, faster lookups and automatic false positive marking. That last one is very interesting. Under certain specific circumstances we can detect that the exposed software is actually a patched version for which the version number has not changed. If we see this, we'll automatically create a false positive entry for you and you can keep track of what is happening.

More supplier detections, more software detection rules

24 November 2025
This week a bunch of new and improved detection rules have gone live, and more suppliers are detected. You can check out the suppliers yourself in the new suppliers index.

For now, it remains undocumented. Once the software suppliers are added it will be complete enough to use, and it will be available as a report in the report library.