Integration Details

ThreatQuotient provides the following details for this integration:

Introduction

The National Vulnerability Database (NVD) CVE action submits a ThreatQ data collection, consisting of CVEs and Vulnerabilities, to NVD for enrichment.  NVD returns detailed information that is then ingested back into ThreatQ.  

The integration provides the following action:

• NVD CVE - submits CVEs and Vulnerabilities to be enriched.

The action is compatible with the following system objects:

• CVEs (indicators)
• Vulnerabilities  

The action returns the following enriched system objects:

• Indicators
  • Indicator attributes
• Vulnerabilities
  • Vulnerability Attributes  

This action is intended for use with ThreatQ TDR Orchestrator (TQO). An active TQO license is required for this feature.

Prerequisites

• An active ThreatQ TDR Orchestrator (TQO) license.
• A data collection containing at least of the of the following object types:
  • CVE (indicator)
  • Vulnerability

Installation

Perform the following steps to install the integration:

The same steps can be used to upgrade the integration to a new version.

1. Log into https://marketplace.threatq.com/.
2. Locate and download the action zip file.
3. Navigate to the integrations management page on your ThreatQ instance.
4. Click on the Add New Integration button.
5. Upload the action file using one of the following methods:
   • Drag and drop the file into the dialog box
   • Select Click to Browse to locate the integration file on your local machine

   ThreatQ will inform you if the action already exists on the platform and will require user confirmation before proceeding. ThreatQ will also inform you if the new version of the action contains changes to the user configuration. The new user configurations will overwrite the existing ones for the action and will require user confirmation before proceeding.

You will still need to configure the action.

Configuration

ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.
 

To configure the integration:

1. Navigate to your integrations management page in ThreatQ.
2. Select the Actions option from the Category dropdown (optional).
3. Click on the action entry to open its details page.
4. Enter the following parameters under the Configuration tab:

   The configurations set on this page will be used as the default settings when inserting this action into a new workflow. Updating the configurations on this page will not update any instances of this action that have already been deployed to a workflow. In that scenario, you must update the action’s configurations within the workflow itself.

   Parameter	Description
   API Key	Optional - Enter your NVD API Key.  Using an API Key will increase your rate limit.
   Input Object Type	Select the type of objects to be enriched.   Options include: Indicator Vulnerability
   Save CVE Data As	Select how the enriched objects should be saved.  Options include: Indicator Vulnerability
   For Each Vulnerability Found Return the Following	Select the data that will be returned with each vulnerability.  Options include: CVSS V3 Score (default) CWE Description (default) Reference Information Severity (default)
   Verify SSL	If enabled, the action will verify SSL connections with the provider.
   Objects per Run	The max number of objects to submit per action.

   
   
5. Review any additional settings, make any changes if needed, and click on Save.

Actions

The following action is available with the integration:

{
    "resultsPerPage": 1,
    "startIndex": 0,
    "totalResults": 1,
    "format": "NVD_CVE",
    "version": "2.0",
    "timestamp": "2023-04-27T13:17:35.310",
    "vulnerabilities": [
        {
            "cve": {
                "id": "CVE-2002-1949",
                "sourceIdentifier": "cve@mitre.org",
                "published": "2002-12-31T05:00:00.000",
                "lastModified": "2008-09-05T20:31:55.997",
                "vulnStatus": "Analyzed",
                "descriptions": [
                    {
                        "lang": "en",
                        "value": "The Network Attached Storage (NAS) Administration Web Page for Iomega NAS A300U transmits passwords in cleartext, which allows remote attackers to sniff the administrative password."
                    }
                ],
                "metrics": {
                    "cvssMetricV2": [
                        {
                            "source": "nvd@nist.gov",
                            "type": "Primary",
                            "cvssData": {
                                "version": "2.0",
                                "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
                                "accessVector": "NETWORK",
                                "accessComplexity": "LOW",
                                "authentication": "NONE",
                                "confidentialityImpact": "PARTIAL",
                                "integrityImpact": "NONE",
                                "availabilityImpact": "NONE",
                                "baseScore": 5.0
                            },
                            "baseSeverity": "MEDIUM",
                            "exploitabilityScore": 10.0,
                            "impactScore": 2.9,
                            "acInsufInfo": false,
                            "obtainAllPrivilege": false,
                            "obtainUserPrivilege": false,
                            "obtainOtherPrivilege": false,
                            "userInteractionRequired": false
                        }
                    ]
                },
                "weaknesses": [
                    {
                        "source": "nvd@nist.gov",
                        "type": "Primary",
                        "description": [
                            {
                                "lang": "en",
                                "value": "NVD-CWE-Other"
                            }
                        ]
                    }
                ],
                "configurations": [
                    {
                        "nodes": [
                            {
                                "operator": "OR",
                                "negate": false,
                                "cpeMatch": [
                                    {
                                        "vulnerable": true,
                                        "criteria": "cpe:2.3:h:iomega:nas:a300u:*:*:*:*:*:*:*",
                                        "matchCriteriaId": "DA964A81-948D-4E38-8991-B72B9302A6D5"
                                    }
                                ]
                            }
                        ]
                    }
                ],
                "references": [
                    {
                        "url": "http://www.securityfocus.com/bid/6092",
                        "source": "cve@mitre.org"
                    }
                ]
            }
        }
    ]
}

Enriched Data

Object counts and action runtime are supplied as generalities only - objects returned by a provider can differ based on credential configurations and action runtime may vary based on system resources and load.

Known Issues / Limitations

• A 7-second delay has been applied to the action to avoid the NIST rate limit.  This will prevent the NIST firewall rules rejecting requests.   You can use the optional API Key configuration option to increase the rate limit.  

Change Log

• Version 1.0.4
  • Resolved an issue where Base, Impact and Exploitability Scores with 0.0 values were not being ingested.
  • The integration will now ingest CVSSv3 attributes only from the primary key source.  If there is not a value labeled as the primary, the first value in the list will be selected. 
• Version 1.0.3
  • The action no longer ingests CVSSv2 attributes.
  • The action now updates CVSS attributes instead of creating new ones in the event that the attribute has been updated.
• Version 1.0.2
  • Added the option to call the API using an API Key.  This will allow you to increase your rate limit.
  • Added a new optional configuration parameter: API Key.  
  • Increased the default Number of Objects Per Run to 5000.
• Version 1.0.1
  • Added support for Vulnerabilities to be sent for enrichment.
  • Added three new configuration fields: Input Object Type, Save CVE Data As, and For Each Vulnerability Found Return the Following.  
• Version 1.0.0
  • Initial release