Cyware Threat Intelligence eXchange

NVD

Connector Category: API Feed Source

About Integration

The National Vulnerability Database (NVD) is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). CTIX integrates with NVD, enabling security analysts to automate vulnerability management. Analysts can determine the impact of potential threats and prioritize threats accordingly.

Use Cases 

  • Fetch Common Vulnerabilities and Exposures (CVEs) and Known Exploited Vulnerabilities (KEVs) feeds in CTIX for analysts to analyze and track potential vulnerabilities.

  • Integrate with Vulnerability Response to map potential vulnerabilities to impacted assets based on the criticality score suggested by NVD.

Benefits 

  • Prioritize critical vulnerabilities coming from various sources in the platform based on their score and allocate resources accordingly.

  • Effectively plan your patches for vulnerabilities and avoid unplanned downtime for your system.

Configure NVD as an API Feed Source

NVD acts as an API feed source for Intel Exchange. Configure NVD to enable security analysts to fetch CVE and KEV vulnerabilities.

Before you Start 

You must have the View API Feed, View Feed Source, Create Feed Source, and Update Feed Source permissions.

Steps 

  1. Sign in to the CTIX application.

  2. Navigate to Administration, open Integration Management, and select APIs under FEED SOURCES.

  3. Click Add API Source.

  4. Search for NVD and click on the app.

  5. Click Add Instance.

  6. Enter a unique name to identify the instance, such as Prod-NVD.

  7. Enter the base URL to directly connect to the application server, such as https://services.nvd.nist.gov/rest/json/cves/2.0.

  8. Select Verify SSL to verify and secure the connection between the Intel Exchange and NVD servers. By default, Verify SSL is selected.

    Note

    Cyware recommends that you select Verify SSL. If you disable this option, Intel Exchange may configure an instance that uses an expired SSL certificate. The connection may then not be established properly, and Intel Exchange will not be able to notify you in case of a broken or improper connection.

  9. Click Save.

You can configure multiple instances of this integration by clicking Manage > Add More.

Configure NVD Feed Channels

Configure the feed channels to retrieve threat data feeds from NVD and store the feeds in a collection.

Steps 

To configure NVD feed channels, do the following:

  1. Go to Administration > Integration Management > Feed Sources > APIs.

  2. Search and select the NVD app.

  3. Click the ellipsis on the top right corner and select Manage.

  4. Click Manage Feed Channels.

  5. Select the CHANNEL NAME and enable the toggle.

  6. Enter the date and time to start polling feeds. Select a date within 15 days from the current date.

  7. Enter the name of the collection to group the feed data. For example, NVD Feeds. Intel Exchange creates the collection and stores all the feeds from the feed channel.

  8. Select one of the following Polling Cron Schedule types to define when to poll the data:

      • Manual: Allows you to manually poll from the source collection.

      • Auto: Allows you to automatically poll for threat intel from sources at specific time intervals. The default polling cron schedule is Auto. Enter a frequency in minutes between 60 and 10080 minutes in Polling Time. The default polling time is 240 minutes.

  9. Set a default TLP and confidence score to assign to the feeds that do not have a TLP and confidence score already assigned. By default, the TLP and confidence score are set to Amber and 100 respectively.

  10. Select any tags to identify and categorize the feeds.

  11. Click Save.

The feed channel is configured and you can poll feeds from the channel. You can enable the other feed channels, poll feeds, and view the feeds. For more information, see API Integrations.

Test Feed Channel Connectivity

Test the connectivity of the NVD API feed channels to ensure that the connection with the correct API endpoint is established and that you have permission to poll feeds.

Before you Start 

  • Ensure that the Hunt.io API integration is enabled.

  • Ensure that the feed channel for which you want to test connectivity is enabled.

Steps 

To test the connectivity of a feed channel, follow these steps:

  1. Go to Administration > Integration Management. In Feed Sources, click APIs.

  2. Search and select the NVD app.

  3. On a feed channel, click the vertical ellipsis and select View Details.

  4. In the Working Status section, click Test Connectivity.

If the connection is established, then the working status shows Running. If the connectivity is broken, then the working status shows a Connection Error. Hover over the tooltip next to Connection Error to view the error code.

Note

When a feed channel loses connectivity, it is automatically disabled, and the system attempts to restore connectivity three times per hour. If the connectivity is successfully restored, the feed channel is automatically re-enabled.

To understand the error code and troubleshoot broken connectivity, see Troubleshoot Integrations.

Feed Channels

Intel Exchange provides multiple channels to poll feeds from NVD. The following table lists all the feed channels and the NVD API endpoints used for each feed channel.

| Feed Channel | API URL |
| --- | --- |
| Fetch CVE Vulnerability | {base_url} |
| Fetch KEV Vulnerability | {base_url}&hasKev= |
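
The following added example (not Cyware or NVD code) shows how the two channel URLs relate and how records polled from them could be ranked, KEV-listed entries first and then by CVSS base score. The sample response is constructed in the NVD CVE API 2.0 shape with placeholder CVE IDs; `channel_url`, `base_score` and `triage` are hypothetical helper names, and joining `hasKev=` with `?` when the base URL has no query string is an assumption about how the request is formed.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample shaped like an NVD CVE API 2.0 response (placeholder CVE IDs).
SAMPLE = {"vulnerabilities": [
    {"cve": {"id": "CVE-0000-0001", "cisaExploitAdd": "2024-01-15",
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 7.5}}]}}},
    {"cve": {"id": "CVE-0000-0002",
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8}}]}}},
    {"cve": {"id": "CVE-0000-0003", "metrics": {}}},
    {"cve": {"id": "CVE-0000-0004", "cisaExploitAdd": "2024-02-01",
             "metrics": {"cvssMetricV30": [{"cvssData": {"baseScore": 9.1}}]}}},
]}

def channel_url(base_url, kev=False):
    """Build a feed channel URL; hasKev= is joined with '?' or '&' as needed."""
    if not kev:
        return base_url  # Fetch CVE Vulnerability uses the base URL unchanged
    parts = urlsplit(base_url)
    query = f"{parts.query}&hasKev=" if parts.query else "hasKev="
    return urlunsplit(parts._replace(query=query))

def base_score(cve):
    """Highest CVSS base score across the v3.1, v3.0 and v2 metric lists, or None."""
    scores = [m["cvssData"]["baseScore"]
              for key in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2")
              for m in cve.get("metrics", {}).get(key, [])]
    return max(scores) if scores else None

def triage(response):
    """KEV-listed CVEs first, then descending score; unscored records sort last."""
    rows = []
    for item in response.get("vulnerabilities", []):
        cve = item["cve"]
        rows.append({"id": cve["id"],
                     "kev": "cisaExploitAdd" in cve,  # field set on KEV-listed CVEs
                     "score": base_score(cve)})
    return sorted(rows, key=lambda r: (
        not r["kev"], -(r["score"] if r["score"] is not None else -1.0)))

if __name__ == "__main__":
    print(channel_url("https://services.nvd.nist.gov/rest/json/cves/2.0", kev=True))
    for row in triage(SAMPLE):
        print(row)
```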