article Playbook of the Week: Using CVEs in Incident Investigation in Cortex XSOAR Articles

article Playbook of the Week: Using CVEs in Incident Investigation in Cortex XSOAR Articles https://live.paloaltonetworks.com/t5/cortex-xsoar-articles/playbook-of-the-week-using-cves-in-incident-investigation/ta-p/552669 <DIV class="lia-message-template-content-zone"> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Playbook of the Week Using CVEs in Incident Investigation_palo-alto-networks.jpg" style="width: 960px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/52566i7B331BE332299FFF/image-size/large?v=v2&px=999" role="button" title="Playbook of the Week Using CVEs in Incident Investigation_palo-alto-networks.jpg" alt="Playbook of the Week Using CVEs in Incident Investigation_palo-alto-networks.jpg" /></span></P> <P><STRONG><EM>This blog written by Dror Avrahami</EM></STRONG></P> <P> </P> <P>The Common Vulnerabilities and Exposures (CVE) repository is designed to provide a reference for a publicly known information security vulnerability. CVE identifiers, or CVEs, are formatted with the prefix “CVE” followed by the year and unique identifier - for example, the “log4j” vulnerability is referenced as CVE-2021-44228. CVEs are assigned by a CVE Numbering Authority (CNA). It should be noted that assigning a CVE does not automatically make it an official CVE entry, in order to avoid duplicating a previously reported CVE.</P> <P> </P> <P>We have significantly revamped the way CVEs are displayed and stored as indicators within Cortex XSOAR Threat Intelligence Management (TIM). Our main goal was to store and make available as much data as possible to help you query and use CVEs whether in your incident investigations or as a tool aiding in vulnerability management in your system. In this blog, we will go over the changes made in XSOAR TIM and modifications to the CVE indicator layout to present data in a more intuitive way. We will also cover how to install these changes to your TIM module.</P> <P> </P> <H2><A id="post-300087-_psucv4hi54ww" target="_blank"></A><STRONG><FONT size="5" color="#FF6600">Layout Changes</FONT></STRONG></H2> <FIGURE id="attachment_300088" class="wp-caption aligncenter" aria-describedby="caption-attachment-300088"> <DIV> <P> </P> </DIV> <FIGCAPTION id="caption-attachment-300088" class="wp-caption-text"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Fig 1: New CVE display layout in XSOAR TIM" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/52555i6901B447E017B1F4/image-size/large?v=v2&px=999" role="button" title="Fig 1-New-CVE-display-layout-in-XSOAR-TIM_palo-alto-networks.png" alt="Fig 1: New CVE display layout in XSOAR TIM" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Fig 1: New CVE display layout in XSOAR TIM</span></span></FIGCAPTION> </FIGURE> <P> </P> <P>The new layout presents an analyst with detailed information about a CVE and the system(s) it affects, making it easy to build queries and playbooks with rich CVE data.</P> <P> </P> <H3><A id="post-300087-_36lro1tn95w0" target="_blank"></A><STRONG><FONT size="5" color="#FF6600">CVSS Score</FONT></STRONG></H3> <P> </P> <P>The CVSS score is now displayed in its own section and is color coordinated according to the CVE CVSS score. The score will display the CVE indicator verdict and will adjust its icon accordingly. This will now be the case across all CVE indicators in XSOAR thanks to an updated reputation script (CveReputationV2) which sets the correct XSOAR score according to the CVSS score.</P> <FIGURE id="attachment_300624" class="wp-caption aligncenter" aria-describedby="caption-attachment-300624"> <DIV> <P> </P> </DIV> <FIGCAPTION id="caption-attachment-300624" class="wp-caption-text"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Fig 2: CVE score display in XSOAR TIM" style="width: 886px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/52556i2DECC3AA9A2EB2E5/image-dimensions/886x314?v=v2" width="886" height="314" role="button" title="Fig 2-CVE-score-display-in-XSOAR-TIM_palo-alto-networks.png" alt="Fig 2: CVE score display in XSOAR TIM" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Fig 2: CVE score display in XSOAR TIM</span></span></FIGCAPTION> </FIGURE> <P> </P> <P>When a CVE has no CVSS score, it will display as “N\A” and the text color will be adjusted according to the color scheme set by the user:</P> <P> </P> <DIV> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="CVE-has-no-CVSS-score_palo-alto-networks.png" style="width: 770px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/52557iD7AAA8113147DD24/image-size/large?v=v2&px=999" role="button" title="CVE-has-no-CVSS-score_palo-alto-networks.png" alt="CVE-has-no-CVSS-score_palo-alto-networks.png" /></span></P> </DIV> <DIV> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Fig 3: CVE score display with no score is defined" style="width: 278px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/52558iC420E3FD8421691D/image-size/large?v=v2&px=999" role="button" title="Fig 3-CVE-score-display-with-no-score-is-defined_palo-alto-networks.png" alt="Fig 3: CVE score display with no score is defined" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Fig 3: CVE score display with no score is defined</span></span></P> </DIV> <P> </P> <P>The CVSS score is stored in two different fields:</P> <OL> <LI>Cvssscore (searchable)</LI> <LI>cvss.Score (JSON format)</LI> </OL> <P> </P> <H3><A id="post-300087-_8vvrq668pph2" target="_blank"></A><STRONG><FONT size="5" color="#FF6600">CPEs Tags and Relationships</FONT></STRONG></H3> <P> </P> <P>Another enhancement includes the<SPAN> </SPAN><STRONG>Vulnerable Products</STRONG><SPAN> </SPAN>section which is dedicated to<SPAN> </SPAN><A href="https://en.wikipedia.org/wiki/Common_Platform_Enumeration" target="_blank" rel="nofollow,noopener">Common Platform Enumerations<SPAN> </SPAN></A>(CPEs). In this section, the analyst can now find a full list of all the CPEs relevant to the CVE.</P> <FIGURE id="attachment_300214" class="wp-caption aligncenter" aria-describedby="caption-attachment-300214"> <DIV> <P> </P> </DIV> <FIGCAPTION id="caption-attachment-300214" class="wp-caption-text"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Fig 4: List of CPEs relevant to CVE" style="width: 883px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/52559i21ED8267075A52D2/image-dimensions/883x637?v=v2" width="883" height="637" role="button" title="Fig 4-List-of-CPEs-relevant-to-CVE_palo-alto-networks.png" alt="Fig 4: List of CPEs relevant to CVE" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Fig 4: List of CPEs relevant to CVE</span></span></FIGCAPTION> </FIGURE> <P> </P> <P>The CPEs are parsed according to the their format:</P> <P>cpe:<cpe_version>:<part>:<vendor>:<product>:<version>:<update>:<edition>:<language>:<sw_edition>:<target_sw>:<target_hw>:<other></P> <P> </P> <P>The following sections are parsed and exported:</P> <OL> <LI><STRONG>Part<SPAN> </SPAN></STRONG>- Tagged as Operating-System, Hardware, or Software accordingly.</LI> <LI><STRONG>Vendor<SPAN> </SPAN></STRONG>- Will be<SPAN> </SPAN><EM>tagged<SPAN> </SPAN></EM>and a<SPAN> </SPAN><EM>relationship<SPAN> </SPAN></EM>created to an<SPAN> </SPAN><STRONG>Identity<SPAN> </SPAN></STRONG>type indicator.</LI> <LI><STRONG>Product<SPAN> </SPAN></STRONG>- Will be<SPAN> </SPAN><EM>tagged</EM><SPAN> </SPAN>and a<SPAN> </SPAN><EM>relationship<SPAN> </SPAN></EM>created to a<SPAN> </SPAN><STRONG>Software<SPAN> </SPAN></STRONG>type indicator.</LI> </OL> <P>The extraction will remove escape characters and capitalize the results.</P> <P> </P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Fig 5: Extracted text from CPE display in XSOAR TIM" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/52560i70E0A1E86C2AD2D1/image-size/large?v=v2&px=999" role="button" title="Fig 5-Extracted-text-from-CPE-display-in-XSOAR-TIM_palo-alto-networks.png" alt="Fig 5: Extracted text from CPE display in XSOAR TIM" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Fig 5: Extracted text from CPE display in XSOAR TIM</span></span></P> <FIGURE id="attachment_300242" class="wp-caption aligncenter" aria-describedby="caption-attachment-300242"> <DIV> <P> </P> </DIV> <FIGCAPTION id="caption-attachment-300242" class="wp-caption-text"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Fig 6: Vulnerability tags" style="width: 888px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/52561iAFC7C09964236428/image-dimensions/888x281?v=v2" width="888" height="281" role="button" title="Fig 6-Vulnerability-tags_palo-alto-networks.png" alt="Fig 6: Vulnerability tags" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Fig 6: Vulnerability tags</span></span></FIGCAPTION> </FIGURE> <P> </P> <H3><A id="post-300087-_jidgxp69zir5" target="_blank"></A><STRONG><FONT size="5" color="#FF6600">CWE-ID</FONT></STRONG></H3> <P> </P> <P>Those of you with a keen sense of sight will notice that the CVE also has a tag named<SPAN> </SPAN><STRONG>NVD-CWE-Other.</STRONG><SPAN> </SPAN>This tag is created when no<SPAN> </SPAN><A href="https://en.wikipedia.org/wiki/Common_Weakness_Enumeration" target="_blank" rel="nofollow,noopener">Common Weakness Enumeration</A><SPAN> </SPAN>(CWE) is found. When a CWE is found, the tag will point to the correct CWE ID. The CWE provides additional details about the type of vulnerability in that specific CVE, including its name, description, likelihood of exploit, examples of vulnerabilities in which the weakness is used, detection methods, and more. For example, in the picture below we can see CWE-416 which is the ID of the vulnerability known as “<A href="https://cwe.mitre.org/data/definitions/416.html" target="_blank" rel="nofollow,noopener">Use After Free</A>”.</P> <FIGURE id="attachment_300256" class="wp-caption aligncenter" aria-describedby="caption-attachment-300256"> <DIV> <P> </P> </DIV> <FIGCAPTION id="caption-attachment-300256" class="wp-caption-text"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Fig 7: CWE vulnerability details" style="width: 892px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/52562i557FC8CD46490A3B/image-dimensions/892x288?v=v2" width="892" height="288" role="button" title="Fig 7-CWE-vulnerability-details_palo-alto-networks.png" alt="Fig 7: CWE vulnerability details" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Fig 7: CWE vulnerability details</span></span></FIGCAPTION> </FIGURE> <P> </P> <H3><A id="post-300087-_6mx36ylc83dh" target="_blank"></A><STRONG><FONT size="5" color="#FF6600">CVSS Table</FONT></STRONG></H3> <P> </P> <P>Another section that got a small facelift is the<SPAN> </SPAN><STRONG>CVSS Table</STRONG>. The section will now display the<SPAN> </SPAN><EM>CVSS Version</EM><SPAN> </SPAN>that was used to calculate the score, the full<SPAN> </SPAN><EM>CVSS Vector</EM><SPAN> </SPAN>and a table of the values used to calculate the score.</P> <FIGURE id="attachment_300270" class="wp-caption aligncenter" aria-describedby="caption-attachment-300270"> <DIV> <P> </P> </DIV> <FIGCAPTION id="caption-attachment-300270" class="wp-caption-text"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Fig 8: CVSS Table" style="width: 892px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/52563i7B29149BAC533E29/image-dimensions/892x425?v=v2" width="892" height="425" role="button" title="Fig 8-CVSS-Table_palo-alto-networks.png" alt="Fig 8: CVSS Table" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Fig 8: CVSS Table</span></span></FIGCAPTION> </FIGURE> <P> </P> <P>The CVSS version is extracted according to the specific vector in order to avoid mistakes in the data. The table is flexible and contextual, so version changes such as CVSS 3.0, 3.1, and 4.0 changes will not affect what is displayed for CVSS 2.0.</P> <P> </P> <P>Relevant publications can now be properly exported and these are available in the<SPAN> </SPAN><STRONG>Additional Details</STRONG><SPAN> </SPAN>tab under<SPAN> </SPAN><STRONG>Publications</STRONG>.</P> <FIGURE id="attachment_300284" class="wp-caption aligncenter" aria-describedby="caption-attachment-300284"> <DIV> <P> </P> </DIV> <FIGCAPTION id="caption-attachment-300284" class="wp-caption-text"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Fig 9: Relevant publications" style="width: 893px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/52564iBB05097F9DE8AC93/image-dimensions/893x344?v=v2" width="893" height="344" role="button" title="Fig 9-Relevant-publications_palo-alto-networks.png" alt="Fig 9: Relevant publications" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Fig 9: Relevant publications</span></span></FIGCAPTION> </FIGURE> <P> </P> <P>These changes will allow you to better incorporate CVE data into your various playbooks and workflow jobs. The additional data allows for better visibility into CVEs impacting your organization and provides more info for threat hunting and security updates.</P> <P> </P> <H2><A id="post-300087-_lhvcq2z8i34v" target="_blank"></A><STRONG><FONT size="5" color="#FF6600">Installing the New Content Packs</FONT></STRONG></H2> <P> </P> <P>As this is a big change, there are multiple content packs that need to be updated. Most can automatically be updated but the Common Type content packs need additional steps as described below.</P> <OL> <LI><A href="https://cortex.marketplace.pan.dev/marketplace/details/CommonTypes/" target="_blank" rel="nofollow,noopener">Common Types</A></LI> <LI><A href="https://cortex.marketplace.pan.dev/marketplace/details/Base/" target="_blank" rel="nofollow,noopener">Base</A></LI> <LI><A href="https://cortex.marketplace.pan.dev/marketplace/details/CommonScripts/" target="_blank" rel="nofollow,noopener">Common Scripts</A></LI> <LI><A href="https://cortex.marketplace.pan.dev/marketplace/details/CIRCL/" target="_blank" rel="nofollow,noopener">CIRCL</A><SPAN> </SPAN>(We will use CIRCL CVE Search integration)</LI> </OL> <P> </P> <H3><A id="post-300087-_b2xb60upqhrb" target="_blank"></A><STRONG><FONT size="5" color="#FF6600">Common Types Content Pack installation</FONT></STRONG></H3> <P> </P> <P>When updating layouts and indicators in TIM, we have to update the<SPAN> </SPAN><STRONG>Common Types<SPAN> </SPAN></STRONG>content pack (where the indicator types and layouts are configured).</P> <P> </P> <H4><A id="post-300087-_ttx5aw7zgwb9" target="_blank"></A><STRONG>Automated Update</STRONG></H4> <P><STRONG>Be careful, do not use this method if you have configured custom mapping for any of your indicators!</STRONG></P> <P>The easiest way to update this pack is to delete the existing pack on your XSOAR instance and reinstall the latest version. This will automatically rebuild the mapping from the context to the correct indicator fields.</P> <P> </P> <H4><A id="post-300087-_1vc1vcxjl5m3" target="_blank"></A><STRONG>Manual Update</STRONG></H4> <P><STRONG>Use this method if you have changed indicators mappings in the past</STRONG></P> <P>Update your<SPAN> </SPAN><STRONG>Common Types<SPAN> </SPAN></STRONG>content pack and go to<SPAN> </SPAN><STRONG>Settings</STRONG><SPAN> </SPAN>\<SPAN> </SPAN><STRONG>Object Setup</STRONG><SPAN> </SPAN>\<SPAN> </SPAN><STRONG>Indicators</STRONG><SPAN> </SPAN>and select<SPAN> </SPAN><STRONG>CVE</STRONG>. Press the<SPAN> </SPAN><STRONG>Edit<SPAN> </SPAN></STRONG>button and move to the second tab called<SPAN> </SPAN><STRONG>Custom Fields</STRONG>. Now we will have to set the mapping manually, so TIM will be able to pull the enriched data from the CVE context in XSOAR:</P> <FIGURE id="attachment_300638" class="wp-caption aligncenter" aria-describedby="caption-attachment-300638"> <DIV> <P> </P> </DIV> <FIGCAPTION id="caption-attachment-300638" class="wp-caption-text"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Fig 10: Series of screenshot of the XSOAR UI" style="width: 747px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/52565iEC955C2A10527843/image-dimensions/747x682?v=v2" width="747" height="682" role="button" title="Fig 10-Series-of-screenshot-of-the-XSOAR-UI_palo-alto-networks.png" alt="Fig 10: Series of screenshot of the XSOAR UI" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Fig 10: Series of screenshot of the XSOAR UI</span></span></FIGCAPTION> </FIGURE> <P> </P> <P>After configuring these fields press<SPAN> </SPAN><STRONG>Save</STRONG>.</P> <P> </P> <H3><A id="post-300087-_kq5evimb29ys" target="_blank"></A><STRONG><FONT size="5" color="#FF6600">Base Content Pack Installation</FONT></STRONG></H3> <P> </P> <P>As some new fields were added to the CVE class<SPAN> </SPAN><STRONG>Base<SPAN> </SPAN></STRONG>needs to be updated to accommodate those. As this is just new content, go ahead and update the pack, No special care is needed here.</P> <P> </P> <H3><A id="post-300087-_75nllm3og1n6" target="_blank"></A><STRONG><FONT size="5" color="#FF6600">Common Scripts Content Pack Installation</FONT></STRONG></H3> <P> </P> <P>Since we are integrating a few new scripts (dynamic ones and a reputation script for CVEs), we must also update this pack. As this is new content, just go ahead and update the pack. No special care is needed here.</P> <P> </P> <H3><A id="post-300087-_3idi37drlbtr" target="_blank"></A><STRONG><FONT size="5" color="#FF6600">CIRCL Integration Content Pack Installation</FONT></STRONG></H3> <P> </P> <P>The only integration that supports all of these new features at the moment is<SPAN> </SPAN><STRONG>CIRCL CVE Search</STRONG><SPAN> </SPAN>(formerly known as CVE Search). You can download the pack and install the integration, no API Key is needed, this is a free<SPAN> </SPAN><A href="https://cortex.marketplace.pan.dev/marketplace/details/FreeEnrichers/" target="_blank" rel="nofollow,noopener"><STRONG>Plug & Enrich</STRONG><SPAN> </SPAN>enricher</A><SPAN> </SPAN>available as part of the TIM module.</P> <P> </P> </DIV> Fri, 11 Apr 2025 01:53:01 GMT emgarcia 2025-04-11T01:53:01Z Playbook of the Week: Using CVEs in Incident Investigation https://live.paloaltonetworks.com/t5/cortex-xsoar-articles/playbook-of-the-week-using-cves-in-incident-investigation/ta-p/552669 <P><SPAN>The Common Vulnerabilities and Exposures (CVE) repository is designed to provide a reference for a publicly known information security vulnerability. </SPAN></P> <P> </P> <P><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Playbook of the Week Using CVEs in Incident Investigation_palo-alto-networks.jpg" style="width: 960px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/52567i6D5D4ECAEC71E893/image-size/large?v=v2&px=999" role="button" title="Playbook of the Week Using CVEs in Incident Investigation_palo-alto-networks.jpg" alt="Playbook of the Week Using CVEs in Incident Investigation_palo-alto-networks.jpg" /></span></SPAN></P> Fri, 11 Apr 2025 01:53:01 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-articles/playbook-of-the-week-using-cves-in-incident-investigation/ta-p/552669 emgarcia 2025-04-11T01:53:01Z