User Guide
Synapse-MITRE-CVE User Guide
Note
The Synapse-MITRE-CVE Power-Up is being deprecated and will no longer be
available after 20240301. This is due to the underlying CSV data source
being phased out, and the introduction of the synapse-nist-nvd
Power-Up
which allows for ingesting CVEs using a RESTful API. Customers that still
need CVE data are encouraged to move their workflows over to the
synapse-nist-nvd
Power-Up.
Synapse-MITRE-CVE adds new Storm commands to allow you to ingest the MITRE CVE list.
Getting Started
Check with your Admin to enable permissions.
Use the mitre.cve.sync
command to populate the risk:vuln
nodes in the desired view.
If the --size
argument is not used, this command ingests all of the available records each time it is run.
Examples
Create it:sec:cve
nodes from the MITRE CVE list
This example shows using the --size
argument to limit the number of records to ingest.
> mitre.cve.sync --yield --size 2
WARNING: Synapse-MITRE-CVE is now deprecated. Please refer to the user guide for more information.
risk:vuln=85131df2523db5cc6898ac968fff5ec1
.created = 2024/12/20 18:10:57.683
:cve = cve-1999-0001
:cve:desc = ip_input.c in BSD-derived TCP/IP implementations allows remote attackers to cause a denial of service (crash or hang) via crafted packets.
:cve:references = ['http://www.openbsd.org/errata23.html#tcpfix', 'http://www.osvdb.org/5707']
:cve:url = https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0001
risk:vuln=e504c25f7834ce70a67cb7d654304158
.created = 2024/12/20 18:10:57.777
:cve = cve-1999-0002
:cve:desc = Buffer overflow in NFS mountd gives root access to remote attackers, mostly in Linux systems.
:cve:references = ['ftp://patches.sgi.com/support/free/security/advisories/19981006-01-I', 'http://www.ciac.org/ciac/bulletins/j-006.shtml', 'http://www.securityfocus.com/bid/121']
:cve:url = https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0002
Use of meta:source
nodes
Synapse-MITRE-CVE uses a meta:source
node and -(seen)>
light
weight edges to track nodes observed from the MITRE-CVE API.
> meta:source=de7dfa295bb2c2cbb62b2e2c7a3beefa
meta:source=de7dfa295bb2c2cbb62b2e2c7a3beefa
.created = 2024/12/20 18:10:54.385
:name = mitre-cve
Storm can be used to filter nodes to include/exclude nodes which have been observed by Synapse-MITRE-CVE. The following example shows how to filter the results of a query to include only results observed by Synapse-MITRE-CVE:
> risk:vuln:cve:desc~="root access" +{ <(seen)- meta:source=de7dfa295bb2c2cbb62b2e2c7a3beefa }
risk:vuln=e504c25f7834ce70a67cb7d654304158
.created = 2024/12/20 18:10:57.777
:cve = cve-1999-0002
:cve:desc = Buffer overflow in NFS mountd gives root access to remote attackers, mostly in Linux systems.
:cve:references = ['ftp://patches.sgi.com/support/free/security/advisories/19981006-01-I', 'http://www.ciac.org/ciac/bulletins/j-006.shtml', 'http://www.securityfocus.com/bid/121']
:cve:url = https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0002