on 01-19-2024 06:22 AM
Cisco Vulnerability Management can identify and filter vulnerabilities by their classification, such as OS or Application. The full working process for doing this with the custom field option is described below.
Summary of steps:
- Create a custom field in your Cisco Vulnerability Management Platform's (formerly Kenna) Vulnerabilities table.
- Run the NVD_OS_vs_APP script from GitHub.
1. Create Custom Field within your Kenna (CVM) Vulnerabilities table
A default feature of Cisco Vulnerability Management (formerly Kenna.VM) is the ability to create and use custom fields. Custom fields allow you to track values that are specific to your vulnerability use case. For this example, create a custom field named “Vuln Type” with Data Type: String (Long) and the Faceted Search option enabled, so that the values appear as filter options.
Upon saving, you can see that the custom field was created with an ID:
2. Run the NVD_OS_vs_APP script on GitHub
The script queries the NVD database to classify CVEs as OS, Application, Hardware or Network using their CPE information. It also accesses the customer's environment to fetch the CVEs present there, which are the ones that need to be tagged/classified.
The NVD database is used to obtain this information with the following steps:
- Access the NVD CVE API to get the details - https://nvd.nist.gov/developers/vulnerabilities
- For each CVE entry, check the 'criteria' field in the 'configurations' section. This field contains a URI that identifies the affected product and version (explained in the CPE section below).
- The 'criteria' URI is composed of several components, each separated by a colon. The second component after the CPE version indicates the product type - an application ('a') or an operating system ('o').
- By examining this component, categorize the CVE as either application-related or OS-related.
Types of 'product type':
- a (Application): denotes that the component is an application. Example: `cpe:2.3:a:microsoft:internet_explorer:8.0.7600.16385:*:*:*:*:*:*:*`.
- o (Operating System): denotes that the component is an operating system. Example: `cpe:2.3:o:microsoft:windows_7:-:*:*:*:*:*:*:*`.
- h (Hardware): denotes that the component is a piece of hardware. Example: `cpe:2.3:h:dell:poweredge_2950:-:*:*:*:*:*:*:*`.
- n (Network): denotes that the component is a network component. Example: `cpe:2.3:n:tls:example_tls:-:*:*:*:*:*:*:*`.
The script tags every CVE with its 'Type' classification using the custom field created in step 1.
The custom field can then be used as a faceted search in the UI, and also in the API to export the related data from the Cisco Vulnerability Management Platform:
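The classification step described above, written out as an added example (not the NVD_OS_vs_APP script itself): it walks an NVD CVE API 2.0 response, reads the CPE 'part' of each vulnerable 'criteria' string, and derives the value to write into the “Vuln Type” custom field. The sample response, vendor and product names are constructed; writing the value back to Cisco Vulnerability Management is left to the script.

```python
import json

# Labels the post assigns to the CPE 'part' component. The CPE 2.3 naming
# specification itself defines only 'a', 'o' and 'h'; 'n' follows the post's table.
PART_LABELS = {"a": "Application", "o": "OS", "h": "Hardware", "n": "Network"}


def cpe_part(criteria: str) -> str:
    """Return the 'part' component (third field) of a CPE 2.3 formatted string."""
    # The first two fields are fixed ('cpe', '2.3'), so splitting at most three
    # times reads the part correctly even if later fields contain escaped ':'.
    fields = criteria.split(":", 3)
    if len(fields) < 3 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {criteria!r}")
    return fields[2]


def classify_cve(cve: dict) -> str:
    """Derive the 'Vuln Type' value for one NVD CVE API 2.0 'cve' object."""
    parts = set()
    for config in cve.get("configurations", []):
        for node in config.get("nodes", []):
            for match in node.get("cpeMatch", []):
                # NVD lists the platform an application runs on as a
                # vulnerable=False entry; skip those so an application bug on
                # an OS is not labelled "OS".
                if match.get("vulnerable"):
                    parts.add(cpe_part(match["criteria"]))
    if not parts:
        return "Unclassified"
    return ", ".join(sorted(PART_LABELS.get(p, f"Unknown({p})") for p in parts))


def classify_response(nvd_json: str) -> dict:
    """Map CVE id -> custom-field value for every CVE in an NVD API response."""
    data = json.loads(nvd_json)
    return {v["cve"]["id"]: classify_cve(v["cve"]) for v in data["vulnerabilities"]}


# Constructed sample shaped like an NVD CVE API 2.0 response (not real NVD data).
SAMPLE = json.dumps({"vulnerabilities": [
    {"cve": {"id": "CVE-0000-0001", "configurations": [{"nodes": [{"cpeMatch": [
        {"vulnerable": True, "criteria": "cpe:2.3:a:example:browser:8.0:*:*:*:*:*:*:*"},
        {"vulnerable": False, "criteria": "cpe:2.3:o:example:desktop_os:-:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-0000-0002", "configurations": [{"nodes": [{"cpeMatch": [
        {"vulnerable": True, "criteria": "cpe:2.3:o:example:server_os:-:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-0000-0003", "configurations": []}},
]})
```

A CVE whose vulnerable entries span several parts gets a combined value such as "Application, OS", so that the faceted search still separates single-type from mixed CVEs.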
UI:
API: https://apidocs.kennasecurity.com/reference/request-data-export
Useful links:
- https://help.kennasecurity.com/hc/en-us/articles/17308899475988-Admin-Settings-Menu-Custom-Fields-Video-
- https://help.kennasecurity.com/hc/en-us/articles/201921738-Creating-a-Custom-Field
- https://help.kennasecurity.com/hc/en-us/articles/201921758-Managing-a-Custom-Field