Cisco Vulnerability Management can identify and filter vulnerabilities by their classification, such as OS or Application. The full working process for doing this with the custom field option is described below:
Summary of steps:
Create a custom field within your Cisco Vulnerability Management (formerly Kenna) Vulnerabilities table.

1. Create a custom field within your Kenna (CVM) Vulnerabilities table
A default feature of Cisco Vulnerability Management (formerly Kenna.VM) is the ability to create and use custom fields. Custom fields let you track values that are specific to your vulnerability use case. For this example, create a custom field named “Vuln Type” with Data Type: String (Long) and the Faceted Search option enabled, so that its values appear as filter options.
Upon saving, you can see that the custom field was created with an ID:
The script queries the NVD database to classify CVEs as OS, Application, Hardware or Network using their CPE information. It also queries the customer’s environment to get the CVEs present there, which are the ones that need to be tagged/classified.
The NVD database was referenced to get this information by following the steps below:
1. For each CVE entry, check the 'criteria' field in the 'configurations' section. This field contains a CPE URI that identifies the affected product and version (explained in the CPE section below).
2. The 'criteria' URI is composed of several components, each separated by a colon. The second component indicates the product type: an application ('a') or an operating system ('o').
3. By examining this component, categorize the CVE as either application-related or OS-related.
Types of 'product type' (the wildcard fields after the version are written as '*' in CPE 2.3 URIs):
a: (Application): Denotes that the component is an application. Example: cpe:2.3:a:microsoft:internet_explorer:8.0.7600.16385:*:*:*:*:*:*:*
o: (Operating System): Denotes that the component is an operating system. Example: cpe:2.3:o:microsoft:windows_7:-:*:*:*:*:*:*:*
h: (Hardware): Denotes that the component is a piece of hardware. Example: cpe:2.3:h:dell:poweredge_2950:-:*:*:*:*:*:*:*
n: (Network): Denotes that the component is a network component. Example: cpe:2.3:n:tls:example_tls:-:*:*:*:*:*:*:*
The script then tags all the CVEs with the ‘Type’ classification using the custom field created in step 1.
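The classification and tagging steps above, as an added example that is not the script from the page or Cisco's own code. It reads NVD CVE API 2.0 style JSON (configurations → nodes → cpeMatch → criteria), labels each CVE by the CPE part of its vulnerable criteria, and builds the request body that would set the custom field. The sample feed, the environment records, the custom field ID 12345 and the shape of the bulk update body are all constructed assumptions; the CPE 2.3 naming specification defines the part values a, h and o, and 'n' is accepted here only because the page lists it.

```python
"""Classify CVEs by CPE part and build the custom-field update payload.

Added example, not the original script from the page. Works on NVD CVE API
2.0 style JSON and on a constructed sample. The custom field ID and the
Cisco Vulnerability Management (Kenna) bulk update body are assumptions
to be checked against the API reference.
"""
import json

# Part values as listed on the page. NISTIR 7695 (CPE 2.3 naming) defines
# a, h and o; 'n' is included because the page lists it.
PART_NAMES = {"a": "Application", "o": "OS", "h": "Hardware", "n": "Network"}

# Constructed sample in the shape of NVD CVE API 2.0 output (not real CVE data).
SAMPLE_NVD_JSON = json.dumps({"vulnerabilities": [
    {"cve": {"id": "CVE-0000-0001", "configurations": [{"nodes": [{"cpeMatch": [
        {"vulnerable": True, "criteria": "cpe:2.3:a:example:browser:8.0:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-0000-0002", "configurations": [{"nodes": [{"cpeMatch": [
        {"vulnerable": True, "criteria": "cpe:2.3:o:example:server_os:-:*:*:*:*:*:*:*"},
        {"vulnerable": False, "criteria": "cpe:2.3:h:example:appliance:-:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-0000-0003", "configurations": [{"nodes": [{"cpeMatch": [
        {"vulnerable": True, "criteria": "cpe:2.3:a:example:agent:1.0:*:*:*:*:*:*:*"},
        {"vulnerable": True, "criteria": "cpe:2.3:o:example:desktop_os:-:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-0000-0004", "configurations": []}},
]})


def cpe_part(criteria):
    """Return the part component of a CPE 2.3 URI, or None if it is malformed.

    The part is the third colon-separated field (cpe, 2.3, part). Escaped
    colons ('\\:') only occur in later value fields, so a plain split is safe
    for reading the part."""
    fields = criteria.split(":")
    if len(fields) < 3 or fields[0] != "cpe" or fields[1] != "2.3":
        return None
    return fields[2] if fields[2] in PART_NAMES else None


def classify_cve(cve):
    """Label one CVE object from the NVD feed by its vulnerable CPE matches.

    A CVE whose configurations span more than one part gets a combined label
    such as 'Application/OS' so neither class is silently dropped; a CVE with
    no usable criteria is labelled 'Unknown' so it can be reviewed by hand."""
    parts = set()
    for config in cve.get("configurations", []):
        for node in config.get("nodes", []):
            for match in node.get("cpeMatch", []):
                if not match.get("vulnerable", False):
                    continue  # non-vulnerable entries only describe the platform it runs on
                part = cpe_part(match.get("criteria", ""))
                if part:
                    parts.add(part)
    if not parts:
        return "Unknown"
    # Fixed order keeps the label stable regardless of feed ordering.
    return "/".join(PART_NAMES[p] for p in "aohn" if p in parts)


def classify_feed(nvd_json):
    """Map CVE ID -> type label for every CVE in an NVD API 2.0 response."""
    data = json.loads(nvd_json)
    return {item["cve"]["id"]: classify_cve(item["cve"])
            for item in data.get("vulnerabilities", [])}


def build_custom_field_update(vuln_ids, label, custom_field_id):
    """Assumed body of a bulk vulnerability update setting one custom field.

    Confirm the field names and endpoint against the Cisco Vulnerability
    Management API reference before sending it."""
    return {"vulnerability_ids": list(vuln_ids),
            "vulnerability": {"custom_fields": {str(custom_field_id): label}}}


def plan_updates(cve_types, env_vulns, custom_field_id):
    """Group the customer's vulnerabilities by their CVE label and produce one
    bulk update body per label. env_vulns is a list of {'id', 'cve_id'} records
    (assumed field names for the environment export)."""
    by_label = {}
    for v in env_vulns:
        label = cve_types.get(v["cve_id"], "Unknown")
        by_label.setdefault(label, []).append(v["id"])
    return [build_custom_field_update(ids, label, custom_field_id)
            for label, ids in sorted(by_label.items())]


if __name__ == "__main__":
    types = classify_feed(SAMPLE_NVD_JSON)
    # Constructed records standing in for the customer's environment export.
    env = [{"id": 101, "cve_id": "CVE-0000-0001"}, {"id": 102, "cve_id": "CVE-0000-0002"},
           {"id": 103, "cve_id": "CVE-0000-0003"}, {"id": 104, "cve_id": "CVE-0000-0004"}]
    for body in plan_updates(types, env, custom_field_id=12345):  # placeholder field ID
        print(json.dumps(body))
```

Only criteria marked vulnerable count toward the label: NVD configurations routinely pair a vulnerable application with the non-vulnerable operating system it runs on, and counting both would mislabel every such CVE as OS-related. CVEs that end up 'Unknown' (no configurations yet, or a malformed criteria) are worth keeping in the output rather than skipping, since they are the ones the faceted search would otherwise hide.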
The custom field can then be used as a faceted search in the UI, and also in the API to export related data from the Cisco Vulnerability Management platform: