CVE


Go straight to the API reference.

From Wikipedia:

The Common Vulnerabilities and Exposures (CVE) system provides a reference-method for publicly known information-security vulnerabilities and exposures. The United States' National Cybersecurity FFRDC, operated by The Mitre Corporation, maintains the system, with funding from the US National Cyber Security Division of the US Department of Homeland Security.[1] The system was officially launched for the public in September 1999.[2]

In the context of this API, a "cve" refers to a specific vulnerability that we associate with a device profile, based on factors such as operating system, brand, detected applications, etc.

Supported properties

| Property | Meaning | Example |
| --- | --- | --- |
| id | The Common Vulnerabilities and Exposures (CVE) id as defined by NIST | CVE-2020-1599 |
| description | The description of the CVE as defined by NIST | Windows Spoofing Vulnerability |
| severity | The severity of the vulnerability (derived from the score) | MEDIUM |
| score | The score of the vulnerability | 5.5 |
| published | The date when the vulnerability was initially published | 2020-11-11 |
| matchStatus | The status of the CVE match | OPEN |
| earlyWarning | ATI has detected this CVE | true |
| earlyWarningDateAdded | When ATI detected this CVE | 2024-06-20 |
| weaponized | Specifies whether the CVE has known exploits used by malicious actors in the wild | true |
| hasRansomware | Specifies whether the CVE has known exploits that are used by ransomware malware | true |
| reportedByGoogleZeroDays | Specifies whether the CVE was documented by Google security researchers as having been exploited in the wild | true |
| cisaDueDate | The date that was defined in the CISA known vulnerabilities catalog as the due date for resolution | 2020-11-11 |
| numberOfReferences | The number of exploit references that Armis found for the CVE | 3 |
| numberOfThreatActors | The number of known threat actors that are using exploits of the CVE | 3 |

Supported calculations

| Name | Meaning |
| --- | --- |
| distinctCves | The number of CVEs matching the search criteria and grouping. |
| affectedDevices | The ratio of devices affected by the CVE out of all devices matching the search criteria and grouping. Only available when grouping by the id field. |
| bucket | How many devices are in the current grouping, as buckets of order of magnitude. |

Related entities

The cve entity can be filtered not only by its own properties (described above), but also by the properties of its related entities.

Device

When filtering CVEs by their related devices, only CVEs that affect the matching devices are considered.


To learn more about the device entity, see the documentation page.

Threat

When filtering CVEs by their related threats, only CVEs that were used as a basis for the matching threats are considered.


To learn more about the threat entity, see the documentation page.

Explorer

You can play with the CVE API directly in the explorer page in the management console.

Example use-cases

  1. Which device types in the manufacturing industry are affected by the largest number of critical CVEs? (explore)
/api/v1/cve/_search?groupBy=device.type&severity[eq]=CRITICAL&device.industry[eq]=Manufacturing
[
    {
        "device.type": "Servers",
        "distinctCves": 777
    },
    {
        "device.type": "Virtual Machines",
        "distinctCves": 536
    },
    {
        "device.type": "Personal Computers",
        "distinctCves": 529
    },
    ...,
]
  2. Which industry is affected by the largest number of pre-2019 CVEs? (explore)
/api/v1/cve/_search?groupBy=device.industry&published[lt]=2019-01-01
[
    {
        "device.industry": "Health Care and Social Assistance",
        "distinctCves": 11722
    },
    {
        "device.industry": "Manufacturing",
        "distinctCves": 6410
    },
    {
        "device.industry": "Professional, Scientific, and Technical Services",
        "distinctCves": 5702
    },
    ...,
]
  3. What is the share of Windows devices vulnerable to CVE-2022-44668 per industry? (explore)
/api/v1/cve/_search?groupBy=device.industry&groupBy=id&calculate=affectedDevices&device.osName[eq]=Windows&id[eq]=CVE-2022-44668
[
    {
        "device.industry": "Transportation and Warehousing",
        "id": "CVE-2022-44668",
        "affectedDevices": 0.4649
    },
    {
        "device.industry": "Management of Companies and Enterprises",
        "id": "CVE-2022-44668",
        "affectedDevices": 0.1607
    },
    {
        "device.industry": "Professional, Scientific, and Technical Services",
        "id": "CVE-2022-44668",
        "affectedDevices": 0.1061
    },
    ...,
]
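The queries above all follow one shape: repeated `groupBy` and `calculate` parameters plus `property[operator]=value` filters. The following is an added example (not Armis code) that builds such a query string and then ranks a constructed list of CVE records for remediation using the `weaponized`, `hasRansomware`, `cisaDueDate` and `matchStatus` properties described on this page; the base URL and the record values are assumptions, and the response format for ungrouped searches is assumed to be a list of objects keyed by the property names.

```python
from datetime import date
from urllib.parse import urlencode

# Assumption: placeholder host, not a real Armis endpoint.
BASE_URL = "https://ARMIS_HOST_PLACEHOLDER/api/v1"


def build_cve_search(filters, group_by=(), calculate=()):
    """Build a /cve/_search URL in the page's syntax.

    filters: iterable of (property, operator, value), e.g. ("severity", "eq", "CRITICAL").
    Parameter order (groupBy, calculate, filters) mirrors the page's examples.
    """
    params = [("groupBy", g) for g in group_by]
    params += [("calculate", c) for c in calculate]
    params += [(f"{prop}[{op}]", str(val)) for prop, op, val in filters]
    # safe="[]" keeps the operator brackets readable, as in the page's examples.
    return f"{BASE_URL}/cve/_search?" + urlencode(params, safe="[]")


def triage(records, today):
    """Rank OPEN CVE matches: ransomware use first, then any known in-the-wild
    exploitation, then an elapsed CISA due date, then raw score."""
    def key(r):
        due = r.get("cisaDueDate")
        overdue = bool(due) and date.fromisoformat(due) <= today
        in_the_wild = r.get("weaponized", False) or r.get("reportedByGoogleZeroDays", False)
        return (r.get("hasRansomware", False), in_the_wild, overdue, r.get("score", 0.0))

    open_matches = [r for r in records if r.get("matchStatus") == "OPEN"]
    return sorted(open_matches, key=key, reverse=True)


# Constructed sample records with placeholder CVE ids (not real data).
SAMPLE_RECORDS = [
    {"id": "CVE-0000-0001", "score": 9.8, "matchStatus": "OPEN",
     "weaponized": False, "hasRansomware": False, "cisaDueDate": None},
    {"id": "CVE-0000-0002", "score": 7.5, "matchStatus": "OPEN",
     "weaponized": True, "hasRansomware": True, "cisaDueDate": "2024-01-15"},
    {"id": "CVE-0000-0003", "score": 8.1, "matchStatus": "RESOLVED",
     "weaponized": True, "hasRansomware": False, "cisaDueDate": "2024-02-01"},
    {"id": "CVE-0000-0004", "score": 6.5, "matchStatus": "OPEN",
     "weaponized": True, "hasRansomware": False, "cisaDueDate": "2024-03-01"},
]

if __name__ == "__main__":
    print(build_cve_search([("severity", "eq", "CRITICAL")], group_by=("device.type",)))
    for rec in triage(SAMPLE_RECORDS, date(2024, 6, 20)):
        print(rec["id"], rec["score"])
```

Note that the highest CVSS score does not come first: an OPEN match with ransomware use and an elapsed CISA due date outranks an unexploited 9.8.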

Enums and lists

Some fields that are available for filtering and grouping the CVE entity are populated from a closed list of possible values, listed below:

severity: The severity of the vulnerability (derived from the `score`)
  • CRITICAL
  • HIGH
  • LOW
  • MEDIUM
  • NONE
matchStatus: The status of the CVE match
  • DISMISS
  • IGNORED
  • OPEN
  • RESOLVED
  • TICKETED
  • UNRESOLVED