Incoming feed - NVD - Vulnerability Intelligence Feed#
Note
This article describes how to configure incoming feeds for a particular feed source. To see how to configure incoming feeds in general, see Create and configure incoming feeds.
Specifications |
|
|---|---|
Transport types |
NVD - Vulnerability Intelligence Feed |
Content type |
NVD JSON |
Endpoint(s) |
|
Processed data |
See Data mapping. |
Overview#
The NVD (National Vulnerability Database) Vulnerability Intelligence Feed retrieves CVEs (Common Vulnerability and Exploits) from the NVD CVE API.
NVD API 1.0 removed#
NVD has retired API 1.0 on 15 December 2023. This extension now uses API 2.0.
NVD API key#
Enter your API key when configuring this extension to raise API rate limits.
For more information on NVD’s rate limits, see https://nvd.nist.gov/developers/start-here
Request an API key from NVD here: https://nvd.nist.gov/developers/request-an-api-key
NVD timeout errors#
The feed may sometimes fail with this error message:
"NVD CVE API service temporarily unavailable. Please try again in 20 minutes.
This means that the platform cannot contact the NVD CVE API service, and must wait for the service to become available again.
When this happens:
Wait for the service to become available again.
Manually run the feed.
The feed will start retrieving records published since the last time packages were successfully downloaded from the API service.
Configure the incoming feed#
Create or edit an incoming feed.
Under Transport and content, fill out these fields:
Note
Required fields are marked with an asterisk (*).
Field
Description
Transport type*
Select NVD - Vulnerability Intelligence Feed from the drop-down menu.
Content type*
Select NVD JSON from the drop-down menu.
API URL*
Set to
https://services.nvd.nist.gov/rest/json/cves/2.0by default.API Key
Enter your NVD API key. See NVD API key.
SSL verification
Selected by default. Select this option to enable SSL for this feed.
Path to SSL certificate file.
Used when connecting to a feed source that uses a custom CA. Set this as the path to the SSL certificate to use when authenticating the feed source.
For more information, see SSL certificates.
Store your changes by selecting Save.
SSL certificates#
To use an SSL certificate, it must be:
Accessible on the EclecticIQ Intelligence Center host.
Placed in a location that can be accessed by the
eclecticiquser.Owned by
eclecticiq:eclecticiq.
To make sure that EclecticIQ Intelligence Center can access the SSL certificate:
Upload the SSL certificate to a location on the EclecticIQ Intelligence Center host.
On the EclecticIQ Intelligence Center host, open the terminal.
Change ownership of the SSL certificate by running as root in the terminal:
chown eclecticiq:eclecticiq /path/to/cert.pem
Where
/path/to/cert.pemis the location of the SSL certificate EclecticIQ Intelligence Center needs to access.
x_nvd custom field#
This extension creates Exploit Target entities
with a data.x_nvd custom field that allows you
to query these Exploit Targets via additional fields.
Example queries#
Search for Exploit Targets that represent vulnerabilities that contain:
Note
You must query version numbers and number values with regular expression queries. For more information, see “Numbers” cannot be used with comparison operators for search.
a CPE name with a version section matching
20.xy.a CPE with
versionStartIncludingorversionStartExcludingfield that matches a version20.xy.a CPE with
versionEndIncludingorversionEndExcludingfield that matches a version20.xy.
( data.x_nvd.cpeMatches.version_criteria_match: /20\.[0-9]{2}/ OR ( (data.x_nvd.cpeMatches.version_start_including: /20\.[0-9]{2}/ OR data.x_nvd.cpeMatches.version_start_excluding: /20\.[0-9]{2}/) AND (data.x_nvd.cpeMatches.version_end_including: /20\.[0-9]{2}/ OR data.x_nvd.cpeMatches.version_end_excluding: /20\.[0-9]{2}/) ) )Search for Exploit Targets that represent vulnerabilitites that contain:
a CVSS 3.1 base score of more than
7.0, ora CVSS 3.0 base score of more than
7.0
data.x_nvd.cvssMetricV31.cvssData.baseScore: /[7-9].[0-9]{2}/ OR data.x_nvd.cvssMetricV30.cvssData.baseScore: /[7-9].[0-9]{2}/
x_nvd fields#
data.x_nvd contains the following fields.
These fields can be searched in EclecticIQ Intelligence Center.
@dataclasses.dataclass
class NVD_CUSTOM_FIELD:
"""x_nvd schema.
"""
cvssMetricV30: List[dict] = dataclasses.field(default_factory=list)
cvssMetricV31: List[dict] = dataclasses.field(default_factory=list)
cpeMatches: List[CPEMatchItem] = dataclasses.field(default_factory=list)
@dataclasses.dataclass
class CPEMatchItem:
"""A cpeMatch entry in NVD CVE API response.
"""
vendor: str
product: str
version_criteria_match: str
versionEndIncluding: Optional[str] = None
versionEndExcluding: Optional[str] = None
versionStartIncluding: Optional[str] = None
versionStartExcluding: Optional[str] = None
Known issues with querying x_nvd field#
Only displays 1 affected software in Vulnerability characteristic#
Exploit Target entities only display one Affected Software property per Vulnerability characteristic, while API response contains multiple affected software objects.
This only affects the UI. The affected software objects are ingested and retained as part of the resulting Exploit Target entity.
“Numbers” cannot be used with comparison operators for search#
“Number” values cannot be queried with comparison operators like
> (more than) or <= (less than equals to),
because these values are indexed as strings.
To query such values, use regular expressions in your query string. Examples
# Match versions between ``20.00`` and ``20.99`` (inclusive)
data.x_nvd.cpeMatches.version_criteria_match: ``/20\.[0-9]{2}.*/``
# Match CVSS 3.1 base scores > 7.0
data.x_nvd.cvssMetricV31.cvssData.baseScore: /[7-9].[0-9]{2}/
Queries match more Exploit Target entities than expected#
Search queries always match the entire Exploit Target entity. This means that with a query like
data.x_nvd.cpeMatches.vendor: "canonical" AND data.x_nvd.cpeMatches.version_criteria_match: /20\.[0-9]{2}.*/
returns an Exploit Target entity as a match as long as at least one of its cpeMatches items matches this query.
To get a narrower set of results, exclude items with regular
expressions, or by excluding the keyword (-keyword).
For more information on search query syntax, see Search query syntax.
Data mapping#
Overview#
The NVD - Vulnerability Intelligence Feed ingests CVEs from the NVD CVE API as Exploit target entities.
Relationships:
Exploit target -> Observables
Map CVE to exploit target#
Exploit target field name |
Mapped from feed source |
Example value |
Description |
|---|---|---|---|
Title |
|
CVE-2020-29592 |
CVE ID of the vulnerability. |
Analysis |
|
An issue was discovered in Orchard before 1.10. A broken access control issue in Orchard components that use the TinyMCE HTML editor’s file upload allows an attacker to upload dangerous executables that bypass the file types allowed (regardless of the file types allowed list in Media settings). References: - https://burninatorsec.blogspot.com/2021/[…] - https://github.com/OrchardCMS/[…] CVSS Version 3.x: Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Attack Vector: NETWORK Attack Complexty: LOW Privileges Required: NONE User Interaction: NONE Scope: UNCHANGED Confidentiality Impact: HIGH Integrity Impact: HIGH Availability Impact: HIGH Base Severity: CRITICAL Base Score: 9.8 CVSS Version 2.0 Vector String: AV:N/AC:L/Au:N/C:P/I:P/A:P Authentication: NONE Confidentiality Impact: PARTIAL Integrity Impact: PARTIAL Availability Impact: PARTIAL Base Score: 7.5 Metrics V2: Severity: HIGH Exploitability Score: 10.0 Impact Score: 6.4 |
Where available for the CVE, the description field of the entity contains the following information ingested from the NVD:
For more information on ingested CVSS scores, see CVSS Score. |
Characteristics |
See Characteristics. |
||
Tags |
|
|
Individual CVSS 3.x and 2.0 vectors are added to the entity as tags. For more information on ingested CVSS scores, see CVSS Score. |
Estimated time |
|
Various |
See Map timestamps. |
Information source |
|
Various |
See Information source. |
Characteristics#
Weakness#
Tip
The Weakness section maps to WeaknessType object in the STIX 1.2 Exploit Target schema.
Weaknesses describe vulnerabilities in software as per the MITRE CWE (Common Weakness Enumeration Specification) and CAPEC (Common Attack Pattern Enumeration and Classification) frameworks.
Field name |
Mapped from NVD JSON |
Description |
|---|---|---|
CWE-ID |
|
The CWE ID of the weakness. Example: CWE- 434 |
Vulnerability#
Tip
The Vulnerability entity characteristic maps to the STIX 1.2 VulnerabilityType.
Field name |
Mapped from NVD JSON |
Description |
|---|---|---|
Title |
|
CVE ID of the vulnerability. |
Is known |
N/A |
Selected by default. All published CVEs are treated as ‘known’. |
Is publicly acknowledged. |
N/A |
Not selected by default. |
Description |
|
Description of the vulerability. |
Published date/time |
|
Date CVE was published on the NVD. |
CVE-ID |
|
CVE ID of the vulnerability. |
CVSS Score |
Various |
See CVSS Score table. |
Affected software |
Various |
See Affected software table. |
References |
|
References to advisories, solutions, and tools provided in the original CVE report on NVD. |
CVSS Score#
Tip
The CVSS Score section in entity characteristics maps to the CVSSVectorType object in the STIX 1.2, and only supports CVSS 2.0.
The NVD publishes both CVSS 3.x and CVSS 2.0 scores for each vulnerability. However, the Vulnerability characteristic only supports CVSS 2.0 properties, as per the STIX 1.2 specification.
To accomodate CVSS 3.x data, this extension ingests CVSS 3.x information and places it in the Analysis and Tags sections of the entity. For more information, see Map CVE to exploit target.
Field name |
Mapped from NVD JSON |
Description |
|---|---|---|
Overall score |
|
CVSS 2.0 base score for the CVE. |
Affected software#
Tip
The Affected Software section maps to AffectedSoftwareType object in the STIX 1.2 Exploit Target schema, and includes fields that are compatible with the CPE (Common Platform Enumeration) specification.
The following table describes the Affected software section of a Vulnerability characteristic in the entity builder.
Field name |
Mapped from NVD JSON |
Description |
|---|---|---|
Product |
|
orchard |
Vendor |
|
orchardproject |
Map timestamps#
The following table describes how NVD JSON timestamps are mapped to Indicator and Incident timestamps on the platform.
Indicator estimated time field |
NVD JSON field |
|---|---|
Estimated threat start time |
|
Estimated observed time |
|
Ingested |
Date and time ingested. |
Information source#
Producer (in Indicators) or Information Source (in Incidents or TTPs) sections contains information about the entity author.
Field name |
Mapped from <vendor> JSON |
Example value |
Description |
|---|---|---|---|
Identity |
N/A |
NVD |
Name of organization or person that created the information. |
References |
|
|
Sources of information for the CVE as published by NVD. |