- Cyware Threat Intelligence eXchange
- Integrations
- API Feed Sources
- VulnCheck
- VulnCheck Premium
VulnCheck Premium
Connector Category: API Feed Source
About VulnCheck Premium
VulnCheck Premium provides intelligence about exploits and vulnerabilities, enabling security analysts to make informed decisions to remediate vulnerabilities. Intel Exchange (CTIX) integrates with VulnCheck to receive feeds related to vulnerabilities and related exploits. This integration also retrieves the usage details of the vulnerabilities and exploits by threat actors, ransomware, and botnets.
Use Cases
Ingest new Common Vulnerabilities and Exposures (CVE)
Retrieve vulnerability intelligence that predicts avenues of attack with speed and accuracy
Correlate with other sources to get better intelligence
Benefits
Utilize the vulnerability intelligence to proactively remediate vulnerabilities.
Configure VulnCheck as an API Feed Source
Configure VulnCheck as an API feed source in Intel Exchange (CTIX) to retrieve vulnerability and exploit data feeds.
Before you Start
Ensure that you have View API Feed, View Feed Source, Create Feed Source, and Update Feed Source permissions in Intel Exchange.
Ensure that you have the base URL and API token of your VulnCheck account.
Important
Ensure that the API token includes the permissions to retrieve vulnerability and exploit data feeds. If the API token does not include permission to retrieve data from a specific feed type, then the feed channel is disabled automatically and connection error.
Steps
To configure a VulnCheck as an API feed source in Intel Exchange, follow these steps:
Go to Administration > Integration Management > FEED SOURCES > APIs.
Click Add API Source.
Search and select the VulnCheck app.
Click Add Instance.
Enter a unique name to identify the instance. For example, Prod-VulnCheck.
Enter the base URL of your VulnCheck instance. The default base URL is
https://api.vulncheck.com/v3/index/
.Enter the API token to authenticate communication between the Intel Exchange and VulnCheck servers.
Select Verify SSL to verify the SSL certificate and secure the connection between the Intel Exchange and VulnCheck servers. By default, Verify SSL is selected.
Note
Cyware recommends you select Verify SSL. If you disable this option, Intel Exchange may configure an instance for an expired SSL certificate. This may not establish the connection properly and Intel Exchange will not be able to notify you in case of a broken or improper connection.
Click Save.
After the VulnCheck instance is configured successfully, you can view the VulnCheck feed channels. You can configure multiple instances by clicking Manage > Add More.
Configure VulnCheck Feed Channels
Configure the feed channels to retrieve threat data feeds from VulnCheck and store the feeds in a collection in Intel Exchange.
Steps
To configure a feed channel, follow these steps:
Go to Administration > Integration Management > FEED SOURCES > APIs.
Search and select the VulnCheck app.
Click the ellipsis on the top right corner and select Manage.
Click Manage Feed Channels.
Select a feed channel, and turn on the Enable toggle to enable the feed channel.
Enter the date and time to start polling feeds. Select a date within 15 days from the current date.
Enter the name of the collection to store the feed data. For example, Fetch Expliots Feeds. Intel Exchange creates a collection with the specified name and stores all the feeds from the feed channel.
Select from one of the following Polling Cron Schedule types to define when to poll the data:
Manual: Allows you to poll from the source collection manually.
Auto: Allows you to automatically poll for threat intel from sources at specific time intervals. The default polling cron schedule is Auto. Enter a frequency in minutes between 60 and 10080 minutes in Polling Time. The default polling time is 240 minutes.
Note
We recommend you to define an hourly polling schedule for vulnerability feeds and a daily schedule for other feeds.
Set a default TLP and confidence score to assign to the feeds that do not have a TLP and confidence score already assigned. By default, the default TLP and confidence score are set to Amber and 100 respectively.
Select the tags to identify and categorize the feeds.
Click Save.
The feed channel is configured and you can poll feeds from the channel. You can enable the other feed channels, poll feeds, and view the feeds. For more information, see API Integrations.
Test VulnCheck Feed Channel Connectivity
Test the connectivity of the VulnCheck API feed channels to ensure that the connection with the correct API endpoint is established and that you have permission to poll feeds.
Before you Start
Ensure that the VulnCheck API integration is enabled.
Ensure that the feed channel is enabled to test the feed channel connectivity.
Steps
To test the connectivity of a feed channel, follow these steps:
Go to Administration > Integration Management > FEED SOURCES > APIs.
Search and select the VulnCheck app.
On a feed channel, click the vertical ellipses and select View Details.
Click Test Connectivity under Working Status.
If the connection is established, then the working status shows Working. If the connectivity testing results in an error, the working status shows a Connection Error. Hover over the tooltip next to Connection Error to view the error code.
Note
When the connectivity of a feed channel breaks, Intel Exchange disables the channel and re-attempts to restore the connectivity three times every hour. After a successful re-attempt to restore the connectivity, Intel Exchange enables the feed channel automatically.
To understand the error code and troubleshoot broken connectivity, see Troubleshoot Integrations.
VulnCheck Feed Channels
The following table lists all the feed channels and the VulnCheck API endpoints used for each feed channel.
Feed Channel | API URL |
---|---|
VulnCheck National Vulnerability Database (NVD) 2 |
|
Fetch Exploits Feeds |
|