Vulnerability

Special privileges required

Vulnerabilities are only available to users with the Google Threat Intelligence (Google TI) Enterprise or Enterprise plus license.

Vulnerability objects provide curated information to help with patching prioritization and vulnerability mitigation, reducing companies' exposure.

Object Attributes

A vulnerability object contains the following attributes:

  • aggregations: <dictionary> dictionary of commonalities between the different IoCs associated with the vulnerability, grouped by IoC type (files, URLs, domains, IP addresses).
    • files: <dictionary> technical commonalities among all files tied to the vulnerability.
    • urls: <dictionary> technical commonalities among all URLs tied to the vulnerability.
    • domains: <dictionary> technical commonalities among all domains tied to the vulnerability.
    • ip_addresses: <dictionary> technical commonalities among all IP addresses tied to the vulnerability.
  • alt_names_details: <list of dictionaries> alternative names / aliases by which the vulnerability could be known, each with additional information such as the confidence of the attribution.
    • confidence: <string> confidence on the information or the attribution of the alternative name to the vulnerability.
    • description: <string> additional information related to the alternative name.
    • first_seen: <integer> the first time that alternative name was attributed to the vulnerability (UTC timestamp).
    • last_seen: <integer> the last time that alternative name was attributed to the vulnerability (UTC timestamp).
    • value: <string> alternative name / alias.
  • analysis: <string> comment made by the analyst on the vulnerability.
  • autogenerated_tags: <list of strings> relevant tags automatically generated by AI.
  • available_mitigation: <list of strings> list of available ways to reduce / mitigate the vulnerability.
  • cve_id: <string> vulnerability CVE standard identifier.
  • cvss: <dictionary> vulnerability's CVSS scores, one sub-object per CVSS version (v2.0, v3.x, v4.x).
    • cvssv2_0: <dictionary> CVSS v2.0 object
      • temporal_score: <float> temporal score of CVSS2.0
      • base_score: <float> base score of CVSS2.0
      • vector: <string> full vector of CVSS2.0
    • cvssv3_x: <dictionary> vulnerability's CVSS v3.x vector object.
      ...
    • cvssv3_x_translated: <dictionary> CVSS v3.x vector object, automatically translated from CVSS v4.
      ...
    • cvssv4_x: <dictionary> vulnerability's CVSS 4.x object.
      • score: <float> CVSSv4-BT score.
      • vector: <string> full vector of CVSS 4
      • supplemental: <dictionary> CVSS 4.x supplemental object.
        • automatable: <string> CVSSv4 "Automatable" metric.
        • provider_urgency: <string> CVSSV4 "Provider Urgency" metric.
        • recovery: <string> CVSSv4 "Recovery" metric.
        • response_effort: <string> CVSSv4 "Vulnerability Response Effort" metric.
        • safety: <string> CVSSv4 "Safety" metric.
        • value_density: <string> CVSSv4 "Value Density" metric.
      • threat: <dictionary> CVSS 4.x threat object.
        • exploit_maturity: <string> CVSSv4 "Exploit Maturity" metric.
  • cisa_known_exploited: <dictionary> vulnerability information from CISA Known Exploited Vulnerabilities (CISA KEV).
    • added_date: <integer> the date when the vulnerability was added to KEV (UTC timestamp).
    • due_date: <integer> required remediation date of the vulnerability (UTC timestamp).
    • ransomware_use: <string> whether the vulnerability has been used in a ransomware campaign or not.
  • collection_type: <string> identifies the type of the object. For vulnerabilities the value of this attribute is vulnerability.
  • counters: <dictionary> dictionary of counters of related objects.
    • attack_techniques: <integer> number of MITRE ATT&CK techniques associated with the vulnerability.
    • domains: <integer> number of domains related to the vulnerability.
    • files: <integer> number of files related to the vulnerability.
    • iocs: <integer> number of IoCs (files + URLs + domains + IP addresses) related to the vulnerability.
    • ip_addresses: <integer> number of IP addresses related to the vulnerability.
    • subscribers: <integer> number of users subscribed to the vulnerability.
    • urls: <integer> number of URLs related to the vulnerability.
  • creation_date: <integer> vulnerability object creation date (UTC timestamp).
  • cwe: <dictionary> vulnerability information from Common Weakness Enumeration (CWE).
    • id: <string> CWE identifier of the vulnerability.
    • title: <string> CWE title / name of the vulnerability.
  • date_of_disclosure: <integer> vulnerability disclosure date (UTC timestamp).
  • days_to_report: <integer> number of days between the date of disclosure and publication.
  • description: <string> description / context about the vulnerability.
  • cpes: <list of dictionaries> list of Common Platform Enumeration (CPE) objects referring to the products affected by the vulnerability.
    • start_rel: operator representing the relationship to start.
    • end_rel: operator representing the relationship to end.
    • start_cpe: <dictionary> CPE object representing the start of the range.
      • product: <string> product's name.
      • uri: <string> CPE URI.
      • vendor: <string> vendor's name.
      • version: <string> version.
    • end_cpe: <dictionary> CPE object representing the end of the range.
      ...
  • epss: <dictionary> Exploit Prediction Scoring System.
    • score: <float> probability of the exploitation of the vulnerability in the next 30 days.
    • percentile: <float> percentile of that score in the data.
  • executive_summary: <string> summary of the available information around the vulnerability.
  • exploitation: <dictionary> details on vulnerability exploitation.
    • exploit_release_date: <integer> first publicly available exploit / PoC release date (UTC timestamp).
    • tech_details_release_date: <integer> first technical details release date. This date is the published date of the earliest source tagged as "technical-details" (UTC timestamp).
    • first_exploitation: <integer> earliest known exploitation date (UTC timestamp).
  • exploit_availability: <string> vulnerability exploit availability. Possible values: Known, None, Publicly Available, Trivial.
  • exploitation_consequence: <string> consequences of exploiting the vulnerability.
  • exploitation_state: <string> the exploitation status of the vulnerability. Possible values: Available, Wide, No Known, Confirmed.
  • exploitation_vectors: <list of strings> list of ways in which the vulnerabilities can be exploited.
  • field_sources: <list of dictionaries> objects containing the sources (bread crumbs) for aggregated fields of a vulnerability object.
    • field: <string> field value such as the "description" of the vulnerability, the "date_of_disclosure" or the "cwe".
    • source: <dictionary> information's supplier.
      • field_type: <string> the type of aggregation performed on field. Possible values: Ranked, Computed, Merged, Severity.
      • source_name: <string> the name of the organization that provided the field information.
      • source_url: <string> URL from where that field information was extracted.
      • sources: <list of dictionaries> information supplier's URLs and names for each index of a merged field.
        • source_names: <list of strings> list of organizations names that provided the information at the corresponding index for a field.
        • source_urls: <list of strings> list of urls from where the information at the corresponding index for a field was extracted.
  • last_modification_date: <integer> last time when the vulnerability's information was updated (UTC timestamp).
  • mve_id: <string> internal Mandiant Vulnerability and Exposure ID.
  • name: <string> vulnerability's name.
  • origin: <string> identifies the source of the information. Google Threat Intelligence for curated objects from our Google TI experts.
  • predicted_risk_rating: <string> vulnerability's predicted risk rating. Possible values: Low, Medium, High, None.
  • private: <boolean> whether the vulnerability object is private or not.
  • recent_activity_relative_change: <float> ratio of change between the last two "recent activity" periods. Note: "recent activity" refers to a period of 14 days.
  • recent_activity_summary: <list of integers> time series representing the activity of the IoCs related to the vulnerability. (2 weeks)
  • risk_factors: <list of strings> list of factors that impacted the vulnerability's risk_rating (positively or negatively).
  • risk_rating: <string> risk rating of the vulnerability. Possible values: Low, Medium, High, Critical, Unrated.
  • sources: <list of dictionaries> list of information's suppliers.
    • name: <string> supplier's name.
    • unique_id: <string> unique identifier provided by the supplier.
    • md5: <string> md5 of url / pdf of the source of the information when it was collected.
    • title: <string> the title of the url / pdf from where the information was collected.
    • source_description: <string> the description of the url / pdf from where the information was collected.
    • published_date: <integer> datetime when the information was first published (UTC timestamp).
    • url: <string> the URL of the source of the information.
    • cvss: <dictionary> CVSS scores as provided by this supplier.
      • cvssv2_0: <dictionary> CVSS v2.0 base score and vector.
        • base_score: <float> CVSS2.0 base score provided by the supplier.
        • vector: <string> full vector of CVSS2.0 provided by the supplier.
      • cvssv3_x: <dictionary> CVSS v3.x base score and vector.
        ...
      • cvssv4_x: <dictionary> CVSS 4.x score and vector.
        • score: <float> CVSS 4 Base Score provided by the supplier.
        • vector: <string> full vector of CVSS 4 provided by the supplier.
  • status: <string> indicates if the object has attributes pending to be computed again (e.g. top_icon_md5 after making changes). The possible values are PENDING_RECOMPUTE and COMPUTED.
  • tags_details: <list of dictionaries> dictionaries of tags associated with the vulnerability with additional context.
    • confidence: <string> confidence on the information or the tag association to the vulnerability.
    • description: <string> description / additional information related to the tag associated to the vulnerability.
    • first_seen: <integer> the first time this tag was attributed to the vulnerability (UTC timestamp).
    • last_seen: <integer> the last time this tag was attributed to the vulnerability (UTC timestamp).
    • value: <string> value of the tag.
  • targeted_industries_tree: <list of dictionaries> list of industries and industry groups known to be targeted by the vulnerability's exploits.
    • confidence: <string> confidence on the information related to the industry targeted by the vulnerability's exploits.
    • description: <string> description / additional information about the industry targeted by the vulnerability's exploits.
    • first_seen: <integer> the first time this targeted industry was associated with the vulnerability (UTC timestamp).
    • last_seen: <integer> the last time this targeted industry was associated with the vulnerability (UTC timestamp).
    • source: <string> information's supplier.
    • industry: <string> sub-industry targeted by the vulnerability's exploits.
    • industry_group: <string> industry group targeted by the vulnerability's exploits.
  • vendor_fix_references: <list of dictionaries> list of available fixes for the vulnerability.
    • name: <string> name of the supplier of the fix.
    • cvss: <string> vulnerability's associated cvss.
    • md5: <string> the md5 hash of the file fix.
    • source_description: <string> description of the fix.
    • published_date: <integer> publication date of the fix (UTC timestamp).
    • unique_id: <string> unique identifier of the fix.
    • url: <string> URL of the web site with the fix publication.
    • title: <string> title of the fix's publication website.
  • version_history: <list of dictionaries> the history of updates or new information added to the vulnerability.
    • version_notes: <list of strings> new information around the vulnerability.
    • date: <integer> the date when the new information was added to the vulnerability object (UTC timestamp).
  • workarounds: <list of strings> list of strings explaining vulnerability's workaround / alternative fixes.
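The attributes above are what a patching queue actually consumes: CISA KEV membership and due date, exploitation_state, exploit_availability, the EPSS score, the risk rating and the CVSS sub-objects. The following Python is an added example, not Google TI client code: it assumes the JSON attributes dictionary has already been fetched (the page does not give the endpoint) and reads only the keys documented here. The two sample objects are constructed, with placeholder CVE identifiers; the cvssv3_x keys base_score / vector are assumed to mirror the documented cvssv2_0 keys, the ransomware_use value "Known" is assumed, and the P1-P4 policy is an illustrative triage rule, not a Google TI scoring.

```python
"""Triage helper for a Google TI vulnerability object (added example, not
Google TI client code). It assumes the documented JSON attributes dictionary
has already been fetched and reads only the documented keys. The sample
objects and the priority policy below are constructed for illustration."""
from datetime import datetime, timezone

DAY = 86400
TIERS = ["P1", "P2", "P3", "P4"]  # P1 = patch first

# Constructed sample (placeholder CVE id, made-up values). The cvssv3_x keys
# base_score / vector are an assumption mirroring the documented cvssv2_0 keys.
SAMPLE_VULN = {
    "cve_id": "CVE-0000-0000",
    "name": "Example unauthenticated RCE in ExampleServer",
    "risk_rating": "High",
    "exploitation_state": "Confirmed",
    "exploit_availability": "Publicly Available",
    "epss": {"score": 0.42, "percentile": 0.97},
    "cisa_known_exploited": {"added_date": 1700000000, "due_date": 1701000000,
                             "ransomware_use": "Known"},
    "cvss": {"cvssv3_x": {"base_score": 9.8,
                          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}},
    "date_of_disclosure": 1698000000,
    "exploitation": {"first_exploitation": 1699000000},
}
# Constructed low-severity counterpart, to show the quiet path.
SAMPLE_LOW = {
    "cve_id": "CVE-0000-0001",
    "risk_rating": "Low",
    "exploitation_state": "No Known",
    "exploit_availability": "None",
    "epss": {"score": 0.01, "percentile": 0.20},
    "cvss": {"cvssv2_0": {"base_score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}},
}


def ts_to_iso(ts):
    """Render one of the documented UTC integer timestamps as ISO-8601."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


def days_until(ts, now_ts):
    """Whole days from now_ts to ts; negative once the date has passed."""
    return (ts - now_ts) // DAY


def best_cvss(vuln):
    """Newest CVSS version present -> (version, score, vector); v4 uses 'score'."""
    cvss = vuln.get("cvss", {})
    for key, ver, score_key in (("cvssv4_x", "4.x", "score"),
                                ("cvssv3_x", "3.x", "base_score"),
                                ("cvssv2_0", "2.0", "base_score")):
        if key in cvss:
            return ver, cvss[key].get(score_key), cvss[key].get("vector")
    return None, None, None


def patch_priority(vuln, now_ts):
    """Illustrative policy: CISA KEV or Confirmed/Wide exploitation -> P1;
    public exploit, EPSS >= 0.1 or High rating -> at least P2; Medium -> P3."""
    tier, reasons = "P4", []

    def raise_to(new_tier, why):
        nonlocal tier
        if TIERS.index(new_tier) < TIERS.index(tier):
            tier = new_tier
        reasons.append(why)

    kev = vuln.get("cisa_known_exploited")
    if kev:
        due = kev.get("due_date")
        note = f", remediation due in {days_until(due, now_ts)} days" if due else ""
        raise_to("P1", "listed in CISA KEV" + note)
        if kev.get("ransomware_use") == "Known":  # value assumed for the sample
            reasons.append("KEV reports ransomware use")
    state = vuln.get("exploitation_state")
    if state in ("Confirmed", "Wide"):
        raise_to("P1", f"exploitation_state is {state}")
    avail = vuln.get("exploit_availability")
    if avail in ("Publicly Available", "Trivial"):
        raise_to("P2", f"exploit_availability is {avail}")
    epss = vuln.get("epss", {}).get("score")
    if epss is not None and epss >= 0.1:
        raise_to("P2", f"EPSS 30-day exploitation probability {epss:.2f}")
    rating = vuln.get("risk_rating")
    if rating in ("Critical", "High", "Medium"):
        raise_to({"Critical": "P1", "High": "P2", "Medium": "P3"}[rating],
                 f"risk_rating {rating}")
    return tier, reasons


if __name__ == "__main__":
    now = 1700500000  # constructed "current" time for a reproducible run
    for v in (SAMPLE_VULN, SAMPLE_LOW):
        tier, why = patch_priority(v, now)
        ver, score, _ = best_cvss(v)
        print(f"{v['cve_id']}: {tier} CVSS{ver} {score}; " + "; ".join(why))
```

Every key is read with .get() because the list above documents what an object may contain, not what it must: a vulnerability with no KEV entry, no EPSS score or only a supplier CVSS v2.0 vector still triages cleanly instead of raising KeyError. The reasons list is kept alongside the tier so that the evidence (which documented field pushed the item up) travels with the ticket.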

Relationships

In addition to the previously described attributes, vulnerability objects contain relationships with other objects in our dataset that can be retrieved as explained in the Relationships section.

The following list summarizes the available relationships, each followed by the object type it returns.

  • associations: List of all associated objects (Reports, Campaigns, IoC collections, Malware families, Software and Toolkits, Vulnerabilities, Threat Actors) associated with the current vulnerability, without filtering by the object type.
  • campaigns: List of associated Campaign objects.
  • collections: List of associated IoC collection objects.
  • comments: List of Comments.
  • editors: List of users, groups and data connectors that can edit this vulnerability (only available to the owner or editor of the entity).
  • files: List of Files associated with the vulnerability.
  • malware_families: List of associated Malware family objects.
  • owner: User who created the object.
  • related_collections: List of objects (Reports, Campaigns, IoC collections, Malware families, Software and Toolkits, Vulnerabilities, Threat Actors) containing IoCs associated with this entity.
  • reports: List of associated Report objects.
  • software_toolkits: List of associated Software or Toolkit objects.
  • stats: Lookups and submissions trends.
  • threat_actors: List of threat actors associated with the current vulnerability.
  • viewers: List of users, groups and data connectors that can view the entity.