cve-enrichment

Enriches CVE indicators with reputation data from multiple integrations and outputs a consolidated CVEEnrichment object. This script exclusively supports indicators of type CVE and will automatically create the indicator in TIM if it is not already exists.

python · Aggregated Scripts

README

Enriches CVE indicators with reputation data from multiple integrations and outputs a consolidated CVEEnrichment object. This script exclusively supports indicators of type CVE and will automatically create the indicator in TIM if it is not already exists.
Note: This script is supported in Cortex XSOAR 8.0 and later, and in Cortex XSIAM.

Script Data


Name Description
Script Type python3
Tags basescript
Cortex XSOAR Version 8.0.0

Used In


This script is used in the following playbooks and scripts.

  • CVEEnrichment-Test

Inputs


Argument Name Description
cve_list A comma-separated list of CVEs to enrich.
external_enrichment Whether to call external integrations for enrichment.
- ‘true’: enrich using enabled external integrations (e.g., CIRCL CVE Search, CVE Search v2).
- ‘false’: use only existing TIM data; skip external integrations.
If the ‘brands’ argument is provided, this flag is ignored and enrichment is run only on the brands provided.
verbose Whether to retrieve a human-readable entry for every command; if false, only the final result is summarized and error entries are suppressed.
brands A list of integration brands to run enrichment against.
Example: `“CIRCL CVE Search, CVE Search v2”`.
- If provided, only the selected brands are used.
- If left empty, the script runs enrichment on all enabled integrations,
depending on the `external_enrichment` flag.
To see the available brands for the `cve` command, run: `!ProvidesCommand command=cve`.
additional_fields When set to true, the output will also include an `AdditionalFields` object
for each of the indicator result.
`AdditionalFields` contains all fields returned by TIM or the integrations
that are not part of the standard output keys: `ID`, `Brand`, `CVSS`,
`Description`, `Published`.
When set to false, only the standard keys are returned.

Outputs


Path Description Type
CVEEnrichment.Value The CVE. string
CVEEnrichment.MaxCVSS The max CVSS of the indicator. number
CVEEnrichment.MaxCVSSRating The max CVSS rating of the indicator. string
CVEEnrichment.Results List of all indicators found for the CVE. array
CVEEnrichment.Status The status of the indicator. string
CVEEnrichment.Results.ID The ID of the indicator. string
CVEEnrichment.Results.Brand The brand of the indicator. string
CVEEnrichment.Results.CVSS The CVSS of the indicator. number
CVEEnrichment.Results.Description The description of the indicator. string
CVEEnrichment.Results.Published The published date of the indicator. string
CVEEnrichment.Results.Status The status of the indicator: “Manual” if the score was changed manually, “Fresh” if modified within the last week, “Stale” if modified more than a week ago, and “None” if never modified. string
CVEEnrichment.Results.ModifiedTime The time the indicator was last modified. Date
CVEEnrichment.Results.AdditionalFields All fields extracted from the indicator other then the main keys (“ID”, “Brand”, “CVSS”, “Description”, “Published”, “CVSS”). Object
CVEEnrichment.Results.AdditionalFields.Relationships.EntityA The source of the relationship. string
CVEEnrichment.Results.AdditionalFields.Relationships.EntityB The destination of the relationship. string
CVEEnrichment.Results.AdditionalFields.Relationships.Relationship The name of the relationship. string
CVEEnrichment.Results.AdditionalFields.Relationships.EntityAType The type of the source of the relationship. string
CVEEnrichment.Results.AdditionalFields.Relationships.EntityBType The type of the destination of the relationship. string
CVEEnrichment.Results.AdditionalFields.Modified The timestamp of when the CVE was last modified. Date