User Guide

Synapse-MITRE-CVE User Guide

Note

The Synapse-MITRE-CVE Power-Up is being deprecated and will no longer be available after 20240301. This is due to the underlying CSV data source being phased out, and the introduction of the synapse-nist-nvd Power-Up which allows for ingesting CVEs using a RESTful API. Customers that still need CVE data are encouraged to move their workflows over to the synapse-nist-nvd Power-Up.

Synapse-MITRE-CVE adds new Storm commands to allow you to ingest the MITRE CVE list.

Getting Started

Check with your Admin to enable permissions.

Use the mitre.cve.sync command to populate the risk:vuln nodes in the desired view. If the --size argument is not used, this command ingests all of the available records each time it is run.

Examples

Create it:sec:cve nodes from the MITRE CVE list

This example shows using the --size argument to limit the number of records to ingest.

> mitre.cve.sync --yield --size 2
WARNING: Synapse-MITRE-CVE is now deprecated. Please refer to the user guide for more information.
risk:vuln=85131df2523db5cc6898ac968fff5ec1
        .created = 2024/04/26 16:03:01.428
        :cve = cve-1999-0001
        :cve:desc = ip_input.c in BSD-derived TCP/IP implementations allows remote attackers to cause a denial of service (crash or hang) via crafted packets.
        :cve:references = ['http://www.openbsd.org/errata23.html#tcpfix', 'http://www.osvdb.org/5707']
        :cve:url = https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0001
risk:vuln=e504c25f7834ce70a67cb7d654304158
        .created = 2024/04/26 16:03:01.516
        :cve = cve-1999-0002
        :cve:desc = Buffer overflow in NFS mountd gives root access to remote attackers, mostly in Linux systems.
        :cve:references = ['ftp://patches.sgi.com/support/free/security/advisories/19981006-01-I', 'http://www.ciac.org/ciac/bulletins/j-006.shtml', 'http://www.securityfocus.com/bid/121']
        :cve:url = https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0002

Use of meta:source nodes

Synapse-MITRE-CVE uses a meta:source node and -(seen)> light weight edges to track nodes observed from the MITRE-CVE API.

> meta:source=de7dfa295bb2c2cbb62b2e2c7a3beefa
meta:source=de7dfa295bb2c2cbb62b2e2c7a3beefa
        .created = 2024/04/26 16:02:58.395
        :name = mitre-cve

Storm can be used to filter nodes to include/exclude nodes which have been observed by Synapse-MITRE-CVE. The following example shows how to filter the results of a query to include only results observed by Synapse-MITRE-CVE:

> risk:vuln:cve:desc~="root access" +{ <(seen)- meta:source=de7dfa295bb2c2cbb62b2e2c7a3beefa }
risk:vuln=e504c25f7834ce70a67cb7d654304158
        .created = 2024/04/26 16:03:01.516
        :cve = cve-1999-0002
        :cve:desc = Buffer overflow in NFS mountd gives root access to remote attackers, mostly in Linux systems.
        :cve:references = ['ftp://patches.sgi.com/support/free/security/advisories/19981006-01-I', 'http://www.ciac.org/ciac/bulletins/j-006.shtml', 'http://www.securityfocus.com/bid/121']
        :cve:url = https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0002