CISA Known Exploited Vulnerabilities CDF
The web format of this guide reflects the most current release. Guides for older iterations are available in PDF format.
Integration Details
ThreatQuotient provides the following details for this integration:
| Current Integration Version | 1.0.0 |
| Compatible with ThreatQ Versions | >= 4.35.0 |
| Support Tier | ThreatQ Supported |
Introduction
The Cybersecurity and Infrastructure Security Agency (CISA) is a United States federal agency, an operational component under Department of Homeland Security (DHS) oversight. Its activities are a continuation of the National Protection and Programs Directorate (NPPD).
CISA Known Exploited Vulnerabilities CDF consists of one feed:
- CISA Known Exploited Vulnerabilities - ingests Vulnerabilities and Indicators as well as their attributes.
CISA Known Exploited Vulnerabilities CDF ingests the following object types:
- Vulnerabilities
- Vulnerability Attributes
- Indicators
- Indicators Attributes
Installation
This integration can be installed in the My Integration section of your ThreatQ instance. See the Adding an Integration topic for more details.
Configuration
ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.
To configure the integration:
- Navigate to your integrations management page in ThreatQ.
- Select the OSINT option from the Category dropdown (optional).
If you are installing the integration for the first time, it will be located under the Disabled tab.
- Click on the integration entry to open its details page.
- Enter the following parameters under the Configuration tab:
Parameter Description Apply Tags List of tags to add to the ingested vulnerabilities. Save CVE Data As Select whether to ingest CVEs as ThreatQ Vulnerability objects, Indicator objects, or both. Defaults to ingesting only Indicator objects. - Indicators
- Vulnerabilities
- Review any additional settings, make any changes if needed, and click on Save.
- Click on the toggle switch, located above the Additional Information section, to enable it.
ThreatQ Mapping
CISA Known Exploited Vulnerabilities
The CISA Known Exploited Vulnerabilities feed ingests Vulnerabilities and Indicators as well as their attributes.
GET https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Sample Response:
{
{
"title": "CISA Catalog of Known Exploited Vulnerabilities",
"catalogVersion": "2022.04.06",
"dateReleased": "2022-04-06T14:23:03.033Z",
"count": 616,
"vulnerabilities": [
{
"cveID": "CVE-2021-27104",
"vendorProject": "Accellion",
"product": "FTA",
"vulnerabilityName": "Accellion FTA OS Command Injection Vulnerability",
"dateAdded": "2021-11-03",
"shortDescription": "Accellion FTA 9_12_370 and earlier is affected by OS command execution via a crafted POST request to various admin endpoints.",
"requiredAction": "Apply updates per vendor instructions.",
"dueDate": "2021-11-17"
},
{
"cveID": "CVE-2021-27102",
"vendorProject": "Accellion",
"product": "FTA",
"vulnerabilityName": "Accellion FTA OS Command Injection Vulnerability",
"dateAdded": "2021-11-03",
"shortDescription": "Accellion FTA 9_12_411 and earlier is affected by OS command execution via a local web service call.",
"requiredAction": "Apply updates per vendor instructions.",
"dueDate": "2021-11-17"
}
]
ThreatQuotient provides the following default mapping for this feed:
| Feed Data Path | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Published Date | Examples | Notes |
|---|---|---|---|---|---|
| data[].cveID | Related Vulnerability.Value/ Related Indicator.Value | N/A/ CVE | .data[].dateAdded | CVE-2021-27104 | N/A |
| .data[].vendorProject | Vulnerability.Attribute/ Indicator.Attribute | Affected Vendor | .data[].dateAdded | Accellion | N/A |
| .data[].shortDescription | Vulnerability.Attribute/ Indicator.Attribute | Description | .data[].dateAdded | Accellion FTA 9_12_370 and earlier is(...) | N/A |
| .data[].product | Vulnerability.Attribute/ Indicator.Attribute | Affected Product | .data[].dateAdded | FTA | N/A |
| .data[].requiredAction | Vulnerability.Attribute/ Indicator.Attribute | Action Required | .data[].dateAdded | Apply updates per vendor instructions. | N/A |
| .data[].vulnerabilityName | Vulnerability.Attribute/ Indicator.Attribute | Vulnerability Name | .data[].dateAdded | Accellion FTA OS Command Injection Vulnerability | N/A |
Average Feed Run
Object counts and Feed runtime are supplied as generalities only - objects returned by a provider can differ based on credential configurations and Feed runtime may vary based on system resources and load.
CISA Known Exploited Vulnerabilities
| Metric | Result |
|---|---|
| Run Time | 2 minutes |
| Vulnerabilities | 616 |
| Vulnerability Attributes | 2,457 |
| Indicators | 616 |
| Indicators Attributes | 2,457 |
Change Log
- Version 1.0.0
- Initial release
PDF Guides
| Document | ThreatQ Version |
|---|---|
| CISA Known Exploited Vulnerabilities CDF Guide v1.0.0 | 4.35.0 or Greater |