Vulnerability

Information about vulnerabilities


Special privileges required

Vulnerabilities are only available to users with the Google Threat Intelligence (Google TI) Enterprise or Enterprise Plus licenses.

Vulnerability objects provide curated information to help with patching prioritization and vulnerability mitigation, reducing companies' exposure.

Object Attributes

A vulnerability object contains the following attributes:

  • aggregations: <dictionary> dictionary of commonalities between the different IoCs associated with the vulnerability, grouped by IoC type (files, URLs, domains, IP addresses).
    • domains: <dictionary> technical commonalities among all domains tied to the vulnerability.
    • files: <dictionary> technical commonalities among all files tied to the vulnerability.
    • ip_addresses: <dictionary> technical commonalities among all IP addresses tied to the vulnerability.
    • urls: <dictionary> technical commonalities among all URLs tied to the vulnerability.
  • alt_names_details: <list of dictionaries> list of alternative names / aliases by which the vulnerability could be known, including additional data such as the confidence of the information.
    • confidence: <string> confidence on the information or the attribution of the alternative name to the vulnerability.
    • description: <string> additional information related to the alternative name.
    • first_seen: <integer> the first time that alternative name was attributed to the vulnerability (UTC timestamp).
    • last_seen: <integer> the last time that alternative name was attributed to the vulnerability (UTC timestamp).
    • value: <string> alternative name / alias.
  • analysis: <string> comment made by the analyst on the vulnerability.
  • available_mitigation: <list of strings> list of available ways to reduce / mitigate the vulnerability.
  • cve_id: <string> vulnerability CVE standard identifier.
  • cvss: <dictionary> vulnerability's CVSS score objects (v2.0, v3.x and v4.x).
    • cvssv2_0: <dictionary> CVSS v2.0 object.
      • temporal_score: <float> temporal score of CVSS 2.0.
      • base_score: <float> base score of CVSS 2.0.
      • vector: <string> full vector of CVSS 2.0.
    • cvssv3_x: <dictionary> vulnerability's CVSS v3.x vector object.
      ...
    • cvssv3_x_translated: <dictionary> CVSS v3.x vector object, automatically translated from CVSS v4.
      ...
    • cvssv4_x: <dictionary> vulnerability's CVSS 4.x object.
      • score: <float> CVSSv4-BT score.
      • vector: <string> full vector of CVSS 4
      • supplemental: <dictionary> CVSS 4.x supplemental object.
        • automatable: <string> CVSSv4 "Automatable" metric.
        • provider_urgency: <string> CVSSV4 "Provider Urgency" metric.
        • recovery: <string> CVSSv4 "Recovery" metric.
        • response_effort: <string> CVSSv4 "Vulnerability Response Effort" metric.
        • safety: <string> CVSSv4 "Safety" metric.
        • value_density: <string> CVSSv4 "Value Density" metric.
      • threat: <dictionary> CVSS 4.x threat object.
        • exploit_maturity: <string> CVSSv4 "Exploit Maturity" metric.
  • cisa_known_exploited: <dictionary> vulnerability information from CISA Known Exploited Vulnerabilities (CISA KEV).
    • added_date: <integer> the date when the vulnerability was added to KEV (UTC timestamp).
    • due_date: <integer> required remediation date of the vulnerability (UTC timestamp).
    • ransomware_use: <string> whether the vulnerability has been used in a ransomware campaign or not.
  • collection_type: <string> identifies the type of the object. For vulnerabilities the value of this attribute is vulnerability.
  • counters: <dictionary> dictionary of counters of related objects.
    • attack_techniques: <integer> number of MITRE ATT&CK techniques associated with the vulnerability.
    • domains: <integer> number of domains related to the vulnerability.
    • files: <integer> number of files related to the vulnerability.
    • iocs: <integer> number of IoCs (files + URLs + domains + IP addresses) related to the vulnerability.
    • ip_addresses: <integer> number of IP addresses related to the vulnerability.
    • subscribers: <integer> number of users subscribed to the vulnerability.
    • urls: <integer> number of URLs related to the vulnerability.
  • creation_date: <integer> vulnerability object creation date (UTC timestamp).
  • cwe: <dictionary> vulnerability information from Common Weakness Enumeration (CWE).
    • id: <string> CWE identifier of the vulnerability.
    • title: <string> CWE title / name of the vulnerability.
  • date_of_disclosure: <integer> vulnerability disclosure date (UTC timestamp).
  • days_to_report: <integer> number of days between the date of disclosure and publication.
  • description: <string> description / context about the vulnerability.
  • cpes: <list of dictionaries> list of Common Platform Enumeration (CPE) range objects referring to the products affected by the vulnerability.
    • start_rel: operator representing the relationship to the start of the range.
    • end_rel: operator representing the relationship to the end of the range.
    • start_cpe: <dictionary> CPE object representing the start of the range.
      • product: <string> product's name.
      • uri: <string> CPE URI.
      • vendor: <string> vendor's name.
      • version: <string> version.
    • end_cpe: <dictionary> CPE object representing the end of the range.
      ...
  • epss: <dictionary> Exploit Prediction Scoring System.
    • score: <float> probability of the exploitation of the vulnerability in the next 30 days.
    • percentile: <float> percentile of that score in the data.
  • executive_summary: <string> summary of the available information around the vulnerability.
  • exploitation: <dictionary> details on vulnerability exploitation.
    • exploit_release_date: <integer> first publicly available exploit / PoC release date (UTC timestamp).
    • tech_details_release_date: <integer> first technical details release date. This date is the published date of the earliest source tagged as "technical-details" (UTC timestamp).
    • first_exploitation: <integer> earliest known exploitation date (UTC timestamp).
  • exploit_availability: <string> vulnerability exploit availability. Possible values: Known, None, Publicly Available, Trivial.
  • exploitation_consequence: <string> consequences of exploiting the vulnerability.
  • exploitation_state: <string> the exploitation status of the vulnerability. Possible values: Available, Wide, No Known, Confirmed.
  • exploitation_vectors: <list of strings> list of ways in which the vulnerability can be exploited.
  • field_sources: <list of dictionaries> objects containing the sources (breadcrumbs) for aggregated fields of a vulnerability object.
    • field: <string> field value such as the "description" of the vulnerability, the "date_of_disclosure" or the "cwe".
    • source: <dictionary> information's supplier.
      • field_type: <string> the type of aggregation performed on field. Possible values: Ranked, Computed, Merged, Severity.
      • source_name: <string> the name of the organization that provided the field information.
      • source_url: <string> URL from where that field information was extracted.
      • sources: <list of dictionaries> information suppliers' URLs and names for each index of a merged field.
        • source_names: <list of strings> list of organization names that provided the information at the corresponding index of the field.
        • source_urls: <list of strings> list of URLs from where the information at the corresponding index of the field was extracted.
  • first_seen_details: <list of dictionaries> dictionaries with additional information related to the vulnerability's first activity, differentiating between confirmed and unconfirmed activity.
    • confidence: <string> confidence on the information or the attribution of the first activity seen related to the vulnerability.
    • description: <string> description / additional information about the first activity seen related to the vulnerability.
    • first_seen: <integer> the first time this first activity date has been attributed to the vulnerability (UTC timestamp).
    • last_seen: <integer> the last time this first activity date has been attributed to the vulnerability (UTC timestamp).
    • value: <string> date when the first observation about that vulnerability was made ("YYYY-MM-DDTHH:mm:ssZ" format).
  • last_modification_date: <integer> last time when the vulnerability's information was updated (UTC timestamp).
  • last_seen_details: <list of dictionaries> dictionaries with additional information related to the vulnerability's last activity, differentiating between confirmed and unconfirmed activity.
    • confidence: <string> confidence on the information or the attribution of the last activity seen related to the vulnerability.
    • description: <string> description / additional information about the last activity seen related to the vulnerability.
    • first_seen: <integer> the first time this last activity date has been attributed to the vulnerability (UTC timestamp).
    • last_seen: <integer> the last time this last activity date has been attributed to the vulnerability (UTC timestamp).
    • value: <string> date when the last observation about that vulnerability was made ("YYYY-MM-DDTHH:mm:ssZ" format).
  • mve_id: <string> internal Mandiant Vulnerability and Exposure ID.
  • name: <string> vulnerability's name.
  • origin: <string> identifies the source of the information; Google Threat Intelligence for objects curated by Google TI experts.
  • predicted_risk_rating: <string> vulnerability's predicted risk rating. Possible values: Low, Medium, High, None.
  • private: <boolean> whether the vulnerability object is private or not.
  • recent_activity_relative_change: <float> ratio of change between the last two "recent activity" periods. Note: "recent activity" refers to a period of 14 days.
  • recent_activity_summary: <list of integers> time series representing the activity of the IoCs related to the vulnerability over the last 2 weeks.
  • risk_factors: <list of strings> list of factors that impacted the vulnerability's risk_rating (positively or negatively).
  • risk_rating: <string> risk rating of the vulnerability. Possible values: Low, Medium, High, Critical, Unrated.
  • sources: <list of dictionaries> list of information suppliers.
    • name: <string> supplier's name.
    • unique_id: <string> unique identifier provided by the supplier.
    • md5: <string> md5 of url / pdf of the source of the information when it was collected.
    • title: <string> the title of the url / pdf from where the information was collected.
    • source_description: <string> the description of the url / pdf from where the information was collected.
    • published_date: <integer> datetime when the information was first published (UTC timestamp).
    • url: <string> the URL of the source of the information.
    • cvss: <dictionary> CVSS scores and vectors provided by the supplier.
      • cvssv2_0:<dictionary> CVSS v2.0 base score and vector.
        • base_score: <float> CVSS2.0 base score provided by the supplier.
        • vector: <string> full vector of CVSS2.0 provided by the supplier.
      • cvssv3_x: <dictionary> CVSS v3.x base score and vector.
        ...
      • cvssv4_x: <dictionary> CVSS 4.x score and vector.
        • score: <float> CVSS 4 base score provided by the supplier.
        • vector: <string> full vector of CVSS 4 provided by the supplier.
  • source_regions_hierarchy: <list of dictionaries> country or region from which the vulnerability is known to originate.
    • confidence: <string> confidence on the information related to the source region of the vulnerability.
    • country: <string> country from which vulnerability is known to originate.
    • country_iso2: <string> source country in ISO 3166 alpha-2 code format.
    • description: <string> description / additional information about the source region of the vulnerability.
    • first_seen: <integer> the first time this source region was attributed to the vulnerability (UTC timestamp).
    • last_seen: <integer> the last time this source region was attributed to the vulnerability (UTC timestamp).
    • region: <string> region from which the vulnerability is known to originate.
    • source: <string> information's supplier.
    • sub_region: <string> subregion from which the vulnerability is known to originate.
  • status: <string> indicates whether the object has attributes pending recomputation (e.g. top_icon_md5 after making changes). The possible values are PENDING_RECOMPUTE and COMPUTED.
  • tags_details: <list of dictionaries> dictionaries of tags associated with the vulnerability with additional context.
    • confidence: <string> confidence on the information or the tag association to the vulnerability.
    • description: <string> description / additional information related to the tag associated to the vulnerability.
    • first_seen: <integer> the first time this tag was attributed to the vulnerability (UTC timestamp).
    • last_seen: <integer> the last time this tag was attributed to the vulnerability (UTC timestamp).
    • value: <string> value of the tag.
  • targeted_industries_tree: <list of dictionaries> list of industries and industry groups known to be targeted by the vulnerability's exploits.
    • confidence: <string> confidence on the information related to the industry targeted by the vulnerability's exploits.
    • description: <string> description / additional information about the industry targeted by the vulnerability's exploits.
    • first_seen: <integer> the first time this targeted industry was associated with the vulnerability (UTC timestamp).
    • last_seen: <integer> the last time this targeted industry was associated with the vulnerability (UTC timestamp).
    • source: <string> information's supplier.
    • industry: <string> industry (sub-industry of the industry group) targeted by the vulnerability's exploits.
    • industry_group: <string> industry group targeted by the vulnerability's exploits.
  • targeted_regions_hierarchy: <list of dictionaries> list of regions and countries known to be targeted by the vulnerability.
    • confidence: <string> confidence on the information related to the region targeted by the vulnerability.
    • country: <string> country targeted by the vulnerability.
    • country_iso2: <string> targeted country in ISO 3166 alpha-2 code format.
    • description: <string> description / additional information about the region targeted by the vulnerability.
    • first_seen: <integer> the first time this targeted region was associated with the vulnerability (UTC timestamp).
    • last_seen: <integer> the last time this targeted region was associated with the vulnerability (UTC timestamp).
    • region: <string> region targeted by the vulnerability.
    • sub_region: <string> sub-region targeted by the vulnerability.
    • source: <string> information's supplier.
  • vendor_fix_references: <list of dictionaries> list of available fixes for the vulnerability.
    • cvss: <string> vulnerability's associated CVSS.
    • md5: <string> the md5 hash of the file fix.
    • name: <string> name of the supplier of the fix.
    • published_date: <integer> publication date of the fix (UTC timestamp).
    • source_description: <string> description of the fix.
    • title: <string> title of the fix's publication website.
    • unique_id: <string> unique identifier of the fix.
    • url: <string> URL of the web site with the fix publication.
  • version_history: <list of dictionaries> the history of updates or new information added to the vulnerability.
    • version_notes: <list of strings> new information around the vulnerability.
    • date: <integer> the date when the new information was added to the vulnerability object (UTC timestamp).
  • workarounds: <list of strings> list of strings explaining vulnerability's workaround / alternative fixes.
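As an added example (not code from the Google TI documentation or API), the following Python turns the attributes listed above into a patch-queue entry: a priority score built from risk_rating, exploitation_state, epss.score and cisa_known_exploited, plus the days left until the KEV due_date. The sample object, its placeholder CVE id and the weights are assumptions of this example, not a Google TI scoring scheme.

```python
# Constructed sample: the attributes of one vulnerability object, using only
# field names documented above. All values are illustrative placeholders.
SAMPLE_VULN = {
    "cve_id": "CVE-0000-00000",  # placeholder, not a real identifier
    "risk_rating": "High",
    "exploitation_state": "Wide",
    "epss": {"score": 0.87, "percentile": 0.99},
    "cisa_known_exploited": {
        "added_date": 1_700_000_000,
        "due_date": 1_701_000_000,
        "ransomware_use": "Known",  # assumed to mirror CISA KEV's "Known"/"Unknown"
    },
    "vendor_fix_references": [{"name": "vendor", "url": "https://example.invalid/fix"}],
    "workarounds": [],
}

# Weights are this example's own policy, not a Google TI scoring scheme.
RISK_WEIGHT = {"Critical": 40, "High": 30, "Medium": 15, "Low": 5}
# exploitation_state values documented above: Available, Wide, No Known, Confirmed
STATE_WEIGHT = {"Wide": 25, "Confirmed": 20, "Available": 10}


def priority_score(v):
    """Return a 0..100 patch priority; absent or unrated fields add nothing."""
    score = RISK_WEIGHT.get(v.get("risk_rating"), 0)
    score += STATE_WEIGHT.get(v.get("exploitation_state"), 0)
    # epss.score is the probability (0..1) of exploitation in the next 30 days
    score += round(20 * float((v.get("epss") or {}).get("score", 0.0)))
    kev = v.get("cisa_known_exploited") or {}
    if kev:
        score += 15  # in CISA KEV: exploitation in the wild is confirmed
        if str(kev.get("ransomware_use", "")).lower() == "known":
            score += 5
    return min(score, 100)


def days_until_kev_due(v, now_ts):
    """Whole days until the KEV due_date (negative once overdue); None if not in KEV."""
    due = (v.get("cisa_known_exploited") or {}).get("due_date")
    if due is None:
        return None
    return (int(due) - int(now_ts)) // 86400


def triage(v, now_ts):
    """Reduce one object to the fields a patch queue needs."""
    score = priority_score(v)
    tier = "P1" if score >= 70 else "P2" if score >= 40 else "P3"
    fixes = v.get("vendor_fix_references") or []
    return {
        "cve_id": v.get("cve_id"),
        "score": score,
        "tier": tier,
        "kev_days_left": days_until_kev_due(v, now_ts),
        "fix_available": bool(fixes),
        "workaround_only": not fixes and bool(v.get("workarounds")),
    }
```

Objects fetched from the API would be fed to `triage` one at a time; `now_ts` is a UTC epoch timestamp, the same unit the page uses for date fields.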

Relationships

In addition to the previously described attributes, vulnerability objects contain relationships with other objects in our dataset that can be retrieved as explained in the Relationships section.

The following table shows a summary of available relationships.

Relationship | Return object type
associations | List of all objects (Reports, Campaigns, IoC collections, Malware families, Software and Toolkits, Vulnerabilities, Threat Actors) associated with the current vulnerability, without filtering by the object type.
attack_techniques | List of MITRE ATT&CK techniques.
campaigns | List of associated Campaign objects.
collections | List of associated IoC collection objects.
comments | List of Comments.
domains | List of Domains associated with the vulnerability.
editors | List of users, groups and data connectors that can edit this vulnerability (only available to the owner or editor of the entity).
files | List of Files associated with the vulnerability.
hunting_rulesets | List of curated YARA rulesets assigned by the entity owner.
ip_addresses | List of IP addresses associated with the vulnerability.
malware_families | List of associated Malware family objects.
owner | User who created the object.
related_collections | List of objects (Reports, Campaigns, IoC collections, Malware families, Software and Toolkits, Vulnerabilities, Threat Actors) containing IoCs associated with this entity.
reports | List of associated Report objects.
sigma_rules | List of crowdsourced SIGMA rulesets matching at least one file associated with this vulnerability.
software_toolkits | List of associated Software or Toolkit objects.
threat_actors | List of Threat Actor objects associated with the current vulnerability.
urls | List of URLs associated with the vulnerability.
viewers | List of users, groups and data connectors that can view the entity (only available to the owner or editor of the entity).
vulnerabilities | List of associated Vulnerability objects.
yara_rulesets | List of crowdsourced YARA rulesets matching at least one file associated with this vulnerability.