KEV's in Service-Now?

Adam Peterson · ‎04-04-2022

Hey experts,

Is anyone bringing in or ingesting KEV's(Known Exploited Vulnerability) in their Service-Now? We have been tasked to bring this data in so we know which Vulnerabilities have a KEV attached to them.

This is the website where they all reside: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

There is no easy API on that website.

Another big question is when I ingest these KVE's, where is the best place to put it? There are so many Vuln tables, where is the best location?

Any help or guidance is greatly appreciated!

-Adam

Michael297 · ‎04-05-2022

I don't think this is the same thing. The KEVs reference by the OP are a list originated from CISA via a government directive to resolve these items within two weeks of being added to the catalog. Shodan may have additional exploit information, but at the end of the day the known exploit catalog isn't adding much more than what the NVD already provides. What I don't get is why CISA hasn't integrated this into the NVD. It's kind of odd, and the NVD has come out to say that theirs very little coordination between the two groups.

Randy Ritzer · ‎04-06-2022

For Tenable this information comes over in the Third Party Vulnerabilities table. I'm struggling with trying to use it for useful things like remediation efforts but it's there under Vulnerability Entry -> Vulnerability References as CISA-KNOWN-EXPLOITED-Due Date. What makes it less useful in particular is it's tied to the Tenable Plugin not the CVE directly. That due date tied to the CVE would be very useful if it could easily be surfaced to a VIT.