NIST National Vulnerability Database v1.0.1

About the connector

The NIST National Vulnerability Database (NVD) is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables the automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics.

This document provides information about the NIST National Vulnerability Database Connector, which facilitates automated interactions with a NIST National Vulnerability Database server using FortiSOAR™ playbooks. Add the NIST National Vulnerability Database Connector as a step in FortiSOAR™ playbooks and perform automated operations with the NIST National Vulnerability Database.

Version information

Connector Version: 1.0.1

Authored By: Fortinet

Certified: No

Release Notes for version 1.0.1

The following enhancements have been made to the NIST National Vulnerability Database Connector in version 1.0.1:

  • Renamed the operation Get Specific CVE Details to Get Specific CVE ID Details.
  • Made the following changes to the Advance CVE Search operation:
    • Added a new parameter, Filter by CVE ID.
    • The Use Search Flags option now presents the following parameters as a multiselect instead of checkboxes:
      • Has KEV
      • Has Technical Alerts
      • Has Cert Notes
      • Has Oval

Installing the connector

Use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command as a root user to install the connector:

yum install cyops-connector-nist-nvd

Prerequisites to configuring the connector

  • You must have the URL of the NIST National Vulnerability Database server to which you will connect and perform automated operations and credentials to access that server.
  • The FortiSOAR™ server should have outbound connectivity to port 443 on the NIST National Vulnerability Database server.

Minimum Permissions Required

  • Not applicable

Configuring the connector

For the procedure to configure a connector, click here

Configuration parameters

In FortiSOAR™, on the Connectors page, click the NIST National Vulnerability Database connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:

| Parameter | Description |
|---|---|
| Server URL | The URL of the NIST NVD server to which you will connect and perform the automated operations. |
| API Key | The API key used to access the NIST NVD server to which you will connect and perform the automated operations. |
| Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set to True. |

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™:

| Function | Description | Annotation and Category |
|---|---|---|
| Get Specific CVE ID Details | Retrieves the details of a specific vulnerability based on the Common Vulnerabilities and Exposures Identifier (CVE ID) you have specified. | get_specific_cve_details, Investigation |
| Advance CVE Search | Retrieves a list of CVE IDs based on the filter criteria you have specified. | advance_cve_search, Investigation |
| CVE Search by Keywords | Retrieves CVEs from the National Vulnerability Database (NVD) based on the keywords you have specified. | cve_search_by_keywords, Investigation |
| Get CVE Change History | Retrieves information on changes made to a CVE based on the CVE ID and Change Event type you have specified. | get_cve_change_history, Investigation |
| CPE Search | Retrieves information about the Common Platform Enumeration (CPE) records from the official CPE Dictionary in the National Vulnerability Database (NVD) based on the CPE Name ID you have specified. | cpe_search, Investigation |

operation: Get Specific CVE ID Details

Input parameters

Parameter Description
CVE ID Specify the CVE ID to retrieve its details from the National Vulnerability Database (NVD).

Output

The output contains the following populated JSON schema:
{
  "format": "",
  "version": "",
  "timestamp": "",
  "startIndex": "",
  "totalResults": "",
  "resultsPerPage": "",
  "vulnerabilities": [
    {
      "cve": {
        "id": "",
        "metrics": {
          "cvssMetricV2": [
            {
              "type": "",
              "source": "",
              "cvssData": {
                "version": "",
                "baseScore": "",
                "accessVector": "",
                "vectorString": "",
                "authentication": "",
                "integrityImpact": "",
                "accessComplexity": "",
                "availabilityImpact": "",
                "confidentialityImpact": ""
              },
              "acInsufInfo": "",
              "impactScore": "",
              "baseSeverity": "",
              "obtainAllPrivilege": "",
              "exploitabilityScore": "",
              "obtainUserPrivilege": "",
              "obtainOtherPrivilege": "",
              "userInteractionRequired": ""
            }
          ],
          "cvssMetricV31": [
            {
              "type": "",
              "source": "",
              "cvssData": {
                "scope": "",
                "version": "",
                "baseScore": "",
                "attackVector": "",
                "baseSeverity": "",
                "vectorString": "",
                "integrityImpact": "",
                "userInteraction": "",
                "attackComplexity": "",
                "availabilityImpact": "",
                "privilegesRequired": "",
                "confidentialityImpact": ""
              },
              "impactScore": "",
              "exploitabilityScore": ""
            }
          ]
        },
        "published": "",
        "references": [
          {
            "url": "",
            "tags": [],
            "source": ""
          }
        ],
        "vulnStatus": "",
        "weaknesses": [
          {
            "type": "",
            "source": "",
            "description": [
              {
                "lang": "",
                "value": ""
              }
            ]
          }
        ],
        "descriptions": [
          {
            "lang": "",
            "value": ""
          }
        ],
        "lastModified": "",
        "configurations": [
          {
            "nodes": [
              {
                "negate": "",
                "cpeMatch": [
                  {
                    "criteria": "",
                    "vulnerable": "",
                    "matchCriteriaId": "",
                    "versionEndExcluding": ""
                  }
                ],
                "operator": ""
              }
            ]
          }
        ],
        "sourceIdentifier": ""
      }
    }
  ]
}
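
A playbook step that consumes this output has to deal with two details of the schema: a record may carry cvssMetricV31, cvssMetricV2, or both, and baseSeverity sits inside cvssData for v3.1 but beside cvssData for v2. The following is an added example, not Fortinet's connector or playbook code, that flattens a response of this shape into triage rows; the sample record is constructed, and it assumes baseScore arrives as a number and vulnerable as a JSON boolean.

```python
import json

# Constructed sample shaped like the output schema above. CVE IDs, vendor and
# product names are placeholders, not NVD data.
SAMPLE = json.loads("""
{"vulnerabilities": [
  {"cve": {
    "id": "CVE-0000-00002",
    "descriptions": [{"lang": "en", "value": "Older example flaw."}],
    "metrics": {"cvssMetricV2": [
      {"type": "Primary", "baseSeverity": "MEDIUM",
       "cvssData": {"version": "2.0", "baseScore": 5.0,
                    "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}]},
    "weaknesses": [], "configurations": []}},
  {"cve": {
    "id": "CVE-0000-00001",
    "descriptions": [{"lang": "es", "value": "Fallo de ejemplo."},
                     {"lang": "en", "value": "Example flaw in Example App."}],
    "metrics": {
      "cvssMetricV2": [
        {"type": "Primary", "baseSeverity": "HIGH",
         "cvssData": {"version": "2.0", "baseScore": 7.5,
                      "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}],
      "cvssMetricV31": [
        {"type": "Secondary",
         "cvssData": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH",
                      "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}},
        {"type": "Primary",
         "cvssData": {"version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL",
                      "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}]},
    "weaknesses": [{"type": "Primary",
                    "description": [{"lang": "en", "value": "CWE-89"}]}],
    "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [
      {"vulnerable": true, "versionEndExcluding": "2.4.1",
       "criteria": "cpe:2.3:a:example_vendor:example_app:*:*:*:*:*:*:*:*"},
      {"vulnerable": false,
       "criteria": "cpe:2.3:o:example_vendor:example_os:-:*:*:*:*:*:*:*"}]}]}]}}
]}
""")


def pick_cvss(metrics):
    """Pick one score per CVE: CVSS v3.1 before v2, 'Primary' source first."""
    for key in ("cvssMetricV31", "cvssMetricV2"):
        entries = sorted(metrics.get(key) or [],
                         key=lambda m: m.get("type") != "Primary")
        if not entries:
            continue
        chosen = entries[0]
        data = chosen.get("cvssData") or {}
        score = data.get("baseScore")
        return {
            "version": data.get("version"),
            "score": float(score) if score not in (None, "") else None,
            # v3.1 nests baseSeverity inside cvssData; v2 puts it beside cvssData.
            "severity": data.get("baseSeverity") or chosen.get("baseSeverity"),
            "vector": data.get("vectorString"),
        }
    return None


def vulnerable_cpes(configurations):
    """Return (criteria, versionEndExcluding) for cpeMatch entries marked vulnerable."""
    found = []
    for config in configurations or []:
        for node in config.get("nodes") or []:
            for match in node.get("cpeMatch") or []:
                if match.get("vulnerable") is True:  # assumes a JSON boolean
                    found.append((match.get("criteria"),
                                  match.get("versionEndExcluding")))
    return found


def triage(response):
    """Flatten a connector response into rows sorted by score, unscored last."""
    rows = []
    for item in response.get("vulnerabilities") or []:
        cve = item.get("cve") or {}
        descriptions = cve.get("descriptions") or []
        rows.append({
            "id": cve.get("id"),
            "description": next((d.get("value") for d in descriptions
                                 if d.get("lang") == "en"), ""),
            "cvss": pick_cvss(cve.get("metrics") or {}),
            "cwes": sorted({d.get("value")
                            for w in cve.get("weaknesses") or []
                            for d in w.get("description") or []}),
            "vulnerable_cpes": vulnerable_cpes(cve.get("configurations")),
        })
    rows.sort(key=lambda r: (r["cvss"] is None,
                             -((r["cvss"] or {}).get("score") or 0.0)))
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row["id"], row["cvss"], row["cwes"], row["vulnerable_cpes"])
```

The same function applies to the Advance CVE Search and CVE Search by Keywords outputs, which use the same vulnerabilities array.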

operation: Advance CVE Search

Input parameters

Parameter Description
Filter By CVE ID Select this checkbox to retrieve CVEs associated with a specific Common Vulnerabilities and Exposures Identifier (CVE ID) from the National Vulnerability Database (NVD). Specify the following details after selecting this checkbox:
  • CVE ID: Specify the CVE ID to retrieve its details from the National Vulnerability Database (NVD).
Filter by CPE Name Select this checkbox to retrieve CVEs associated with a specific Common Platform Enumeration (CPE) from the National Vulnerability Database (NVD). Specify the following details after selecting this checkbox:
  • CPE Name: Specify the CPE name to filter the search results so that the results contain only the specified CPE name.
  • Is Vulnerable: Select the checkbox to filter the search results so that they contain only the vulnerable CPEs.
Filter By CWE ID Select this checkbox to retrieve CVEs associated with a specific Common Weakness Enumeration (CWE) ID from the National Vulnerability Database (NVD). Specify the CWE ID after selecting this checkbox:
  • CWE ID: Specify the CWE ID to filter the search results so that the results contain only the specified CWE ID.
Filter By CVSSv2 Metrics Select this checkbox to retrieve CVEs associated with a specified CVSSv2 string from the National Vulnerability Database (NVD). Specify the following details after selecting this checkbox:
  • CVSSv2 Vector String: Specify the CVSSv2 vector string to filter the results so that they contain only the specified CVSSv2 vector string.
  • CVSSv2 Severity: Select a severity rating, to return only the results that match the CVSSv2 qualitative severity rating, from the following options:
    • LOW
    • MEDIUM
    • HIGH
Filter By CVSSv3 Metrics Select this checkbox to retrieve CVEs associated with a specified CVSSv3 string from the National Vulnerability Database (NVD). Specify the following details after selecting this checkbox:
  • CVSSv3 Vector String: Specify the CVSSv3 vector string to filter the results so that they contain only the specified CVSSv3 vector string.
  • CVSSv3 Severity: Select a severity rating, to return only the results that match the CVSSv3 qualitative severity rating, from the following options:
    • LOW
    • MEDIUM
    • HIGH
Use Search Flags Select from the following available options to retrieve CVEs associated with the selected search flags:
  • Has KEV: Select this option to retrieve CVEs that appear in CISA's Known Exploited Vulnerabilities (KEV) Catalog.
  • Has Technical Alerts: Select this option to retrieve CVEs that contain a technical alert from US-CERT.
  • Has Cert Notes: Select this option to retrieve CVEs that contain a vulnerability note from CERT/CC.
  • Has Oval: Select this option to retrieve CVEs that contain information from MITRE's Open Vulnerability and Assessment Language (OVAL) before OVAL transitioned to the Center for Internet Security (CIS).
Filter By Publish Date Select this checkbox to retrieve a CVE list that was published to the NVD during the specified period.
  • Start Date: Specify the start date and time of the period when the CVEs were published.
  • End Date: Specify the end date and time of the period when the CVEs were published.
Filter By Last Modified Date Select this checkbox to retrieve a CVE list that was modified in the NVD during the specified period. If you select this checkbox, specify the following details:
  • Start Date: Specify the start date and time of the period when the CVEs were modified.
  • End Date: Specify the end date and time of the period when the CVEs were modified.
Page Index (Optional) Specify the count of the first few records to skip while retrieving the response.
Page Size (Optional) Specify the maximum number of results to get in the resulting output. By default, this is set to 10.

Output

The output contains the following populated JSON schema:
{
  "format": "",
  "version": "",
  "timestamp": "",
  "startIndex": "",
  "totalResults": "",
  "resultsPerPage": "",
  "vulnerabilities": [
    {
      "cve": {
        "id": "",
        "metrics": {
          "cvssMetricV2": [
            {
              "type": "",
              "source": "",
              "cvssData": {
                "version": "",
                "baseScore": "",
                "accessVector": "",
                "vectorString": "",
                "authentication": "",
                "integrityImpact": "",
                "accessComplexity": "",
                "availabilityImpact": "",
                "confidentialityImpact": ""
              },
              "acInsufInfo": "",
              "impactScore": "",
              "baseSeverity": "",
              "obtainAllPrivilege": "",
              "exploitabilityScore": "",
              "obtainUserPrivilege": "",
              "obtainOtherPrivilege": "",
              "userInteractionRequired": ""
            }
          ],
          "cvssMetricV31": [
            {
              "type": "",
              "source": "",
              "cvssData": {
                "scope": "",
                "version": "",
                "baseScore": "",
                "attackVector": "",
                "baseSeverity": "",
                "vectorString": "",
                "integrityImpact": "",
                "userInteraction": "",
                "attackComplexity": "",
                "availabilityImpact": "",
                "privilegesRequired": "",
                "confidentialityImpact": ""
              },
              "impactScore": "",
              "exploitabilityScore": ""
            }
          ]
        },
        "published": "",
        "references": [
          {
            "url": "",
            "tags": [],
            "source": ""
          }
        ],
        "vulnStatus": "",
        "weaknesses": [
          {
            "type": "",
            "source": "",
            "description": [
              {
                "lang": "",
                "value": ""
              }
            ]
          }
        ],
        "descriptions": [
          {
            "lang": "",
            "value": ""
          }
        ],
        "lastModified": "",
        "configurations": [
          {
            "nodes": [
              {
                "negate": "",
                "cpeMatch": [
                  {
                    "criteria": "",
                    "vulnerable": "",
                    "matchCriteriaId": "",
                    "versionEndExcluding": ""
                  }
                ],
                "operator": ""
              }
            ]
          }
        ],
        "sourceIdentifier": ""
      }
    }
  ]
}

operation: CVE Search by Keywords

Input parameters

Parameter Description
Keyword(s) Specify the keywords to search for in the CVE's description and return the CVEs that match all the keywords specified.
Page Index (Optional) Specify the count of the first few records to skip while retrieving the response.
Page Size (Optional) Specify the maximum number of results to get in the resulting output. By default, this is set to 10.

Output

The output contains the following populated JSON schema:
{
  "format": "",
  "version": "",
  "timestamp": "",
  "startIndex": "",
  "totalResults": "",
  "resultsPerPage": "",
  "vulnerabilities": [
    {
      "cve": {
        "id": "",
        "metrics": {
          "cvssMetricV2": [
            {
              "type": "",
              "source": "",
              "cvssData": {
                "version": "",
                "baseScore": "",
                "accessVector": "",
                "vectorString": "",
                "authentication": "",
                "integrityImpact": "",
                "accessComplexity": "",
                "availabilityImpact": "",
                "confidentialityImpact": ""
              },
              "acInsufInfo": "",
              "impactScore": "",
              "baseSeverity": "",
              "obtainAllPrivilege": "",
              "exploitabilityScore": "",
              "obtainUserPrivilege": "",
              "obtainOtherPrivilege": "",
              "userInteractionRequired": ""
            }
          ]
        },
        "published": "",
        "references": [
          {
            "url": "",
            "tags": [],
            "source": ""
          }
        ],
        "vulnStatus": "",
        "weaknesses": [
          {
            "type": "",
            "source": "",
            "description": [
              {
                "lang": "",
                "value": ""
              }
            ]
          }
        ],
        "descriptions": [
          {
            "lang": "",
            "value": ""
          }
        ],
        "lastModified": "",
        "configurations": [
          {
            "nodes": [
              {
                "negate": "",
                "cpeMatch": [
                  {
                    "criteria": "",
                    "vulnerable": "",
                    "matchCriteriaId": ""
                  }
                ],
                "operator": ""
              }
            ]
          }
        ],
        "sourceIdentifier": ""
      }
    }
  ]
}

operation: Get CVE Change History

Input parameters

Parameter Description
CVE ID (Optional) Specify the CVE ID to get the complete change history for a specific vulnerability identified by its unique Common Vulnerabilities and Exposures identifier (CVE ID).
Change Event Type Select one of the following options to retrieve all CVEs associated with the specified change event type.
  • Initial Analysis: The NVD performs its initial analysis to enrich the CVE record with reference tags, CVSS base metrics, CWE, and CPE applicability statements.
  • Reanalysis: The NVD performs further analysis resulting in some modification to the CVE record.
  • CVE Modified: An approved source modifies a CVE record published in the NVD. The modification's source is identified on the details page in the event name and in the API response by the value of the sourceIdentifier.
  • Modified Analysis: After an approved source modified a previously analyzed CVE record, the NVD performs a further analysis.
  • CVE Translated: An approved translator provides a non-English translation for the CVE record.
  • Vendor Comment: The NVD updates the CVE record with additional information from the product vendor.
  • CVE Source Update: The NVD updates the information on a source that contributed to the CVE record.
  • CPE Deprecation Remap: The NVD updates the match criteria associated with the CVE record based on changes to the CPE dictionary. This event occurs separately from the analysis.
  • CWE Remap: The NVD updates the weakness associated with the CVE record. This event occurs separately from the analysis.
  • CVE Rejected: An approved source rejects a CVE record. Rejections occur for one or more reasons, including duplicate CVE entries, withdrawal by the original requester, incorrect assignment, or some other administrative reason.
  • CVE Unrejected: An approved source re-published a CVE record previously marked rejected.
Filter By Change Date Select this checkbox to retrieve a list of CVEs that were changed in the NVD during the specified period. If you select this checkbox, specify the following details:
  • Start Date: Specify the start date and time of the period when the CVEs were changed.
  • End Date: Specify the end date and time of the period when the CVEs were changed.
Page Index (Optional) Specify the count of the first few records to skip while retrieving the response.
Page Size (Optional) Specify the maximum number of results to get in the resulting output. By default, this is set to 10.

Output

The output contains the following populated JSON schema:
{
  "resultsPerPage": "",
  "startIndex": "",
  "totalResults": "",
  "format": "",
  "version": "",
  "timestamp": "",
  "cveChanges": [
    {
      "change": {
        "cveId": "",
        "eventName": "",
        "cveChangeId": "",
        "sourceIdentifier": "",
        "created": "",
        "details": [
          {
            "action": "",
            "type": "",
            "newValue": ""
          }
        ]
      }
    }
  ]
}
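
The change event types listed above map naturally onto ticket handling: a CVE Rejected event that is not followed by CVE Unrejected means the finding can be closed, and an analysis event that touches a CVSS detail means the priority may have moved. The following is an added example, not Fortinet's connector or playbook code, that replays a change-history response in timestamp order; the sample events, the detail type value "CVSS V3.1" and the action labels close/retriage/none are constructed for illustration.

```python
import json
from datetime import datetime

# Constructed sample shaped like the Get CVE Change History output schema above.
# CVE IDs, timestamps and detail values are placeholders, not NVD data.
SAMPLE_CHANGES = json.loads("""
{
  "cveChanges": [
    {"change": {"cveId": "CVE-0000-00002", "eventName": "CVE Unrejected",
                "created": "2024-03-05T08:00:00.000", "details": []}},
    {"change": {"cveId": "CVE-0000-00001", "eventName": "Initial Analysis",
                "created": "2024-03-01T09:30:00.000",
                "details": [{"action": "Added", "type": "CVSS V3.1",
                             "newValue": "placeholder vector"}]}},
    {"change": {"cveId": "CVE-0000-00002", "eventName": "CVE Rejected",
                "created": "2024-03-02T10:00:00.000", "details": []}},
    {"change": {"cveId": "CVE-0000-00003", "eventName": "CVE Rejected",
                "created": "2024-03-03T11:15:00.000", "details": []}},
    {"change": {"cveId": "CVE-0000-00004", "eventName": "CVE Translated",
                "created": "2024-03-04T12:00:00.000", "details": []}}
  ]
}
""")

# Event names as listed for the Change Event Type parameter above.
ANALYSIS_EVENTS = {"Initial Analysis", "Reanalysis", "Modified Analysis"}


def summarize_changes(response):
    """Replay change events oldest-first and return {cveId: state}."""
    events = [c["change"] for c in response.get("cveChanges") or []]
    # Do not rely on response order; sort by the created timestamp.
    events.sort(key=lambda e: datetime.fromisoformat(e["created"]))
    state = {}
    for event in events:
        entry = state.setdefault(
            event["cveId"],
            {"rejected": False, "rescored": False, "last_event": None})
        name = event["eventName"]
        if name == "CVE Rejected":
            entry["rejected"] = True
        elif name == "CVE Unrejected":
            entry["rejected"] = False
        elif name in ANALYSIS_EVENTS:
            # An analysis event that touches a CVSS detail can change priority.
            if any(str(d.get("type", "")).startswith("CVSS")
                   for d in event.get("details") or []):
                entry["rescored"] = True
        entry["last_event"] = name
    return state


def ticket_actions(state):
    """Map each CVE's replayed state to a hypothetical ticket action."""
    actions = {}
    for cve_id, entry in state.items():
        if entry["rejected"]:
            actions[cve_id] = "close"
        elif entry["rescored"]:
            actions[cve_id] = "retriage"
        else:
            actions[cve_id] = "none"
    return actions


if __name__ == "__main__":
    for cve_id, action in sorted(ticket_actions(
            summarize_changes(SAMPLE_CHANGES)).items()):
        print(cve_id, action)
```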

operation: CPE Search

Input parameters

Parameter Description
Filter By Select an option from the following to filter the search information of a CPE record. Select an option and specify the value as described:
  • CPE Name ID: Retrieves a specific CPE record identified by a Universal Unique Identifier (UUID) from the National Vulnerability Database (NVD).
  • CPE Match String: Retrieves CPE Names that exist in the Official CPE Dictionary, based on the value of the provided match string, from the National Vulnerability Database (NVD).
  • Keywords: Retrieves only the CPE records where a word or phrase is found in the metadata title or reference links from the National Vulnerability Database (NVD).
  • Exact Keyword Match: Retrieves CPE records only when the provided keyword is an exact match in the CPE.
  • Match Criteria ID: Retrieves all CPE records associated with a match string identified by its UUID from the National Vulnerability Database (NVD).
  • CVE ID: Retrieves all non-deprecated CPE match strings in the applicability statement of a specific vulnerability identified by its Common Vulnerabilities and Exposures identifier (the CVE ID).
Use Last Modified Date Select this checkbox to retrieve CPEs that were last modified during the specified period. If you select this checkbox, specify the following details:
  • Start Date: Specify the start date and time of the period when the CPEs were last modified.
  • End Date: Specify the end date and time of the period when the CPEs were last modified.
Page Index (Optional) Specify the count of the first few records to skip while retrieving the response.
Page Size (Optional) Specify the maximum number of results to get in the resulting output. By default, this is set to 10.

Output

The output contains the following populated JSON schema:
{
  "format": "",
  "version": "",
  "products": [
    {
      "cpe": {
        "refs": [
          {
            "ref": ""
          }
        ],
        "titles": [
          {
            "lang": "",
            "title": ""
          }
        ],
        "cpeName": "",
        "created": "",
        "cpeNameId": "",
        "deprecated": "",
        "deprecatedBy": [
          {
            "cpeName": "",
            "cpeNameId": ""
          }
        ],
        "lastModified": ""
      }
    }
  ],
  "timestamp": "",
  "startIndex": "",
  "totalResults": "",
  "resultsPerPage": ""
}

Included playbooks

The Sample - NIST National Vulnerability Database - 1.0.1 playbook collection comes bundled with the NIST National Vulnerability Database connector. These playbooks contain steps that you can use to perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the NIST National Vulnerability Database connector.

  • Advance CVE Search
  • CPE Search
  • CVE Search by Keywords
  • Get CVE Change History
  • Get Specific CVE ID Details

Note: If you plan to use any of the sample playbooks in your environment, clone those playbooks and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.
