> ## Documentation Index
> Fetch the complete documentation index at: https://docs.socfortress.co/llms.txt
> Use this file to discover all available pages before exploring further.

# Vulnerability reports (Wazuh)

> Generate CSV reports from the Wazuh Vulnerability Detection module data in the Wazuh Indexer.

# Vulnerability reports (Wazuh)

**Menu:** Report Creation → Vulnerability Reports

Vulnerability reports pull data from the **Wazuh Vulnerability Detection** module.

Wazuh’s model (simplified):

* agents collect software inventory via **Syscollector**
* the manager correlates inventory with CTI feeds and flags CVEs
* results are indexed and queryable (inventory + alerts)

<img src="https://mintcdn.com/socfortressllc/LuvWosHJnQfOpi_O/assets/ui/report-vulnerability.png?fit=max&auto=format&n=LuvWosHJnQfOpi_O&q=85&s=f6c4cc6df3ce050f8e63abcecc4e7118" alt="Vulnerability Reports" width="938" height="672" data-path="assets/ui/report-vulnerability.png" />

***

## What you can generate

* A vulnerability report for a specific **customer/tenant**
* Filtered views by severity, agent, package, CVE, etc. (depending on UI/options)

***

## Step 1 — Filter what you want to report on

<img src="https://mintcdn.com/socfortressllc/LuvWosHJnQfOpi_O/assets/ui/report-vulnerability-filters.png?fit=max&auto=format&n=LuvWosHJnQfOpi_O&q=85&s=80a607e6d67ba8b3e76e7abc256f3d86" alt="Vulnerability filters (placeholder)" width="598" height="788" data-path="assets/ui/report-vulnerability-filters.png" />

Common operator filters:

* Customer
* Severity (Critical/High/Medium/Low)
* Agent/host
* Specific CVE (`CVE-…`)

***

## Step 2 — Generate and download

<img src="https://mintcdn.com/socfortressllc/LuvWosHJnQfOpi_O/assets/ui/report-vulnerability-generate.png?fit=max&auto=format&n=LuvWosHJnQfOpi_O&q=85&s=17c73748de0f515346ab54d48a341ab3" alt="Generate vulnerability report (placeholder)" width="1520" height="430" data-path="assets/ui/report-vulnerability-generate.png" />

When you generate a report, CoPilot produces a **CSV** and stores it for download.

Operator tips:

* Use “Critical + High” first for remediation prioritization.
* If you’re generating very large reports, prefer background generation if available.

***

## Common gotchas

### “The report is empty”

Common causes:

* the Wazuh vulnerability module isn’t enabled or isn’t indexing status
* the customer has no Syscollector inventory data
* filters are too narrow

### “Why do vulnerabilities exist even if we patched?”

Wazuh correlates inventory versions + hotfix data (Windows) against CVE ranges. Inventory and patch state need to be current.
