Define Vulnerability

  • Release version: Australia
  • Updated March 12, 2026
  • A vulnerability is a weakness or flaw in a software or hardware component that can be exploited by attackers to compromise confidentiality, integrity, or availability.

    Before you begin

    Role required: sn_sec_tisc.analyst

    Procedure

    1. Navigate to Workspaces > Threat Intelligence Security Center.
    2. Select the Threat Intel Library icon in the workspace.
    3. Go to the Vulnerability object.
    4. Select New.
      Note:

      When you create a record for an observable, indicator, entity, or object, a corresponding source record is automatically generated. A confirmation message is displayed to indicate that the new object record is created, and you’re then redirected to the aggregated record.

    5. On the form, fill in the fields.
      Table 1. Vulnerabilities Details view
      Field: Description
      Name: A name used to identify the Vulnerability.
      Description: A description that provides more details and context about the vulnerability, potentially including its purpose and its key characteristics.
      CVE ID: The Common Vulnerabilities and Exposures identifier for this vulnerability.
      CVE Published Date: Indicates when the vulnerability is published.
        Note: This field can only be set if there is a CVE ID field value set.
      CNA (CVE Naming Authority): The CVE Naming Authority responsible for assigning the CVE ID.
      CNA Last Modified: Indicates when the record was last modified.
      Risk Rating: Indicates the normalized degree of severity of this vulnerability.
        • Critical
        • High
        • Medium
        • Low
      Vulnerability Class: The classification category identifies the type of vulnerability and serves as a reference field for organizing vulnerabilities.
        The available options for this field are managed in the sn_sec_tisc_vulnerability_class table, enabling you to define and maintain vulnerability class selections as required.
      Threat Level: Threat level refers to the probability of a threat occurring. The purpose of this field is to help the security teams assess and prioritize the observables based on their importance and potential impact.
        Note: The value in this field is automatically populated only if the threat intelligence source supports the threat level. For example, Threat Level = High means that the threat occurrence is widespread and persistent.
      Threat Severity: Threat severity refers to the impact that the threat would have if it did occur. The purpose of this field is to help the security teams assess and prioritize the observables based on their importance and potential impact.
        Note: The value in this field is automatically populated only if the threat intelligence source supports the threat severity. For example, Threat Severity = Critical means that the threat could cause immediate harm.
      TLP: TLP is used to confirm that sensitive information is shared with the appropriate audience. The following are the TLP values:
        • AMBER
        • AMBER+STRICT
        • CLEAR
        • GREEN
        • RED
      Confidence: Enter the confidence for this observable record.
        The confidence property identifies the confidence that the creator has in the correctness of their data. The confidence value must be a number in the range of 0-100.
      Affected Software: Lists the affected software associated with the vulnerability.
      Severity: Indicates the normalized degree of severity of this vulnerability.
      Table 2. Risk & Scoring
      Field: Description
      CVSS 2.0 Base Score: The CVSS v2.0 base score for this vulnerability.
      CVSS 3.x Base Score: The CVSS v3.0 / v3.1 base score for this vulnerability.
      CVSS 4.0 Base Score: The CVSS v4.0 base score for this vulnerability.
      CVSS 2.0 Vector: The CVSS v2.0 vector string representing the vulnerability characteristics.
      CVSS 3.x Vector: The CVSS v3.x vector string representing the vulnerability characteristics.
      CVSS 4.0 Vector: The CVSS v4.0 vector string representing the vulnerability characteristics.
      EPSS Score: Exploit Prediction Scoring System (EPSS) score indicating the probability of exploitation.
      EPSS Percentile: The percentile ranking of the EPSS score compared to all vulnerabilities.
      Table 3. Exploitation Details
      Field: Description
      Is Zero Day: Indicates whether this is a zero-day vulnerability.
      PoC exists: Indicates whether a Proof of Concept (PoC) exploit exists. The options are:
        • Yes
        • No
        • Unknown (default)
      PoC State: The state or availability of the Proof of Concept exploit code. The options are:
        • Private: PoC exists but isn’t publicly available and is held privately
        • Vendor-only: PoC is available only to the vendor for testing and remediation purposes
        • Public: PoC is publicly available and can be accessed by anyone
        • Partial: Only partial PoC code or information is available, not a complete working exploit
        • Reliable: PoC is proven to work reliably and consistently
        • Automated: PoC has been automated and can be executed with minimal manual intervention
      Exploitation Status: Indicates the exploit status that is associated with this vulnerability. Options are:
        • Active Exploitation
        • Patched/Resolved
        • Exploit Available
        • Under Investigation
      First Known Exploit Date: The date when exploitation of this vulnerability was first observed or reported.
        This field can only be set if Exploitation Status is set to one of the following options:
        • Active Exploitation
        • Exploit Available
        • Patched/Resolved
      Exploit skill level: The technical skill level required to exploit this vulnerability. Options are:
        • Novice
        • Intermediate
        • Expert
      Exploit attack vector: The attack vector through which the vulnerability can be exploited. Options are:
        • Remote
        • Local
      Known Ransomware Campaign Use: Indicates if this vulnerability has been used in known ransomware campaigns.
      KEV Date Added: The date this vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) catalog.
      KEV Action Due Date: The due date for required actions as specified in the KEV catalog.
      KEV Vendor Project: The vendor and project name associated with the KEV entry.
      KEV Required Action: The required remediation action specified in the KEV catalog.
      Dark Web Mentions: Information about mentions or discussions of this vulnerability on dark web forums.
      Social Media Mentions: Information about mentions or discussions of this vulnerability on social media platforms.
      Table 4. Mitigation & Remediation
      Field: Description
      Vulnerability Remediation Status: The current status of remediation efforts. The following are the options:
        • Open
        • In Review
        • Mitigated/Patched
        • Closed
      Table 5. Additional Information
      Field: Description
      Technical Details: Additional technical information about the vulnerability.
      Additional Context: Add any additional context for this vulnerability.
      Revoked: Indicates whether this vulnerability record has been revoked and is no longer considered valid or accurate.
      Revoked Date: The date when this vulnerability record was revoked.
        Note: This field may be set only if the Revoked check box is selected.
      Revoked Reason: The reason why this vulnerability record was revoked.
        Note: This field may be set only if the Revoked check box is selected.
      Status: The current status of the vulnerability in TISC. Options are:
        • Active (default)
        • Inactive
      Expiration Time: The date and time when this vulnerability record will expire and should no longer be considered active.
    6. Select Save.
      After you save, a prompt message is displayed indicating that A new observable record is created. Select Continue to edit the record and create new relationships.
    7. Select Continue.

      You are taken to the form view of the aggregated vulnerability record.

      Important:
      • Zero Day Status Toggle: You can toggle the Zero Day status directly from the status pill in the header of the vulnerability record form. TISC supports zero-day vulnerabilities, which are newly discovered security flaws without an assigned CVE identifier or remediation. These records can include an internal organizational identifier. As a zero-day vulnerability evolves, it can transition to a known CVE once an official identifier is assigned and remediation guidance is published.
        • By default, fields such as CVE ID and CVE Published Date remain empty.
        • An internal organizational identifier can be added in the Identifiers related records.
        • To enable or disable zero-day status, use the Zero-Day toggle button on the vulnerability record page, which marks or unmarks the vulnerability as a zero-day.
        • For manually created vulnerability source records, a dedicated Zero Day field is also available on the source record form.
      • Remediations Count: The form includes a Remediations Count field, which indicates the total number of remediations linked to the vulnerability. To view or manage these remediations, go to the Related Records tab and select the Remediations section.
      • Prevent System Updates: The form includes a Prevent System Updates check box. By selecting this option, you ensure that any updates made by analysts are retained, while system-generated updates are prevented.
      Table 6. TISC Tags & Taxonomies
      Field: Description
      TISC Tags
        Select Tags: Select the tags that are associated with the vulnerability.
        Add Tags: Add new tags.
      Taxonomies
        Select Taxonomy: Select a Taxonomy that is associated with this vulnerability.
        Add Taxonomy Values: Add Taxonomy values that are associated with this vulnerability.
      Note:
      TISC Tags & Taxonomies appears after you save the vulnerability record. You can add tags and taxonomies for an existing record.

      Add TISC tags to a Vulnerability record from the list view:

      • Select Add TISC Tags to associate the tags to the vulnerability record from the list view.
      • Search and select the desired tag.
      • Select Submit to add the tag.

        A confirmation displays indicating that the tags are applied successfully.

      Add Vulnerability record to a case from the list view:

      • Select Add to Case to add the vulnerability record to a case.
      • Select the case(s).
      • Select Add to add the case to the vulnerability record.

        The record is added to case(s) successfully.

    8. To delete a record, select Delete to delete the aggregated record.

      This action removes all the related records, except the original source data, and triggers re-aggregation.

      Note:

      A confirmation message appears to verify that you want to delete the aggregated record. To also delete the associated source records and prevent re-aggregation, select the Delete Source Records check box. This action permanently removes all the related source records.
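
The field dependencies stated in step 5 (CVE Published Date needs a CVE ID, First Known Exploit Date needs one of three Exploitation Status values, Revoked Date and Revoked Reason need Revoked, Confidence is 0-100, TLP and Risk Rating have fixed options) can be checked on a batch of records before an analyst enters them. This is an added example, not ServiceNow code: the record keys are hypothetical names for a staging object rather than TISC column names, and the CVE ID pattern is the standard CVE syntax, which this page does not state.

```javascript
// Added example. Keys such as cve_id are hypothetical, not TISC column names.
const TLP_VALUES = ["AMBER", "AMBER+STRICT", "CLEAR", "GREEN", "RED"];
const RISK_RATINGS = ["Critical", "High", "Medium", "Low"];
const EXPLOIT_DATE_STATUSES = ["Active Exploitation", "Exploit Available", "Patched/Resolved"];
const CVE_ID_RE = /^CVE-\d{4}-\d{4,}$/; // standard CVE ID syntax (assumption, not from this page)
const isSet = (v) => v !== undefined && v !== null && v !== "";

function validateVulnerability(rec) {
  const errors = [];
  const warnings = [];
  // A choice field, when set, must hold one of the listed options.
  const oneOf = (key, allowed) => {
    if (isSet(rec[key]) && !allowed.includes(rec[key])) {
      errors.push(`${key}: "${rec[key]}" is not one of ${allowed.join(", ")}`);
    }
  };
  // A dependent field may be set only when its controlling condition holds.
  const onlyIf = (key, condition, why) => {
    if (isSet(rec[key]) && !condition) errors.push(`${key}: ${why}`);
  };

  if (isSet(rec.cve_id) && !CVE_ID_RE.test(rec.cve_id)) {
    errors.push(`cve_id: "${rec.cve_id}" is not in CVE-YYYY-NNNN form`);
  }
  onlyIf("cve_published_date", isSet(rec.cve_id), "can only be set when a CVE ID is set");
  oneOf("risk_rating", RISK_RATINGS);
  oneOf("tlp", TLP_VALUES);
  if (isSet(rec.confidence)) {
    const c = Number(rec.confidence);
    if (!Number.isFinite(c) || c < 0 || c > 100) errors.push("confidence: must be a number in the range 0-100");
  }
  onlyIf("first_known_exploit_date", EXPLOIT_DATE_STATUSES.includes(rec.exploitation_status),
    `requires Exploitation Status to be one of ${EXPLOIT_DATE_STATUSES.join(", ")}`);
  onlyIf("revoked_date", rec.revoked === true, "can only be set when Revoked is selected");
  onlyIf("revoked_reason", rec.revoked === true, "can only be set when Revoked is selected");
  // Zero-day records normally have no CVE ID; flag the combination for analyst review.
  if (rec.is_zero_day === true && isSet(rec.cve_id)) {
    warnings.push("is_zero_day: a CVE ID is assigned; review whether zero-day status still applies");
  }
  return { ok: errors.length === 0, errors, warnings };
}

// Constructed sample records (placeholder identifiers, not real advisories).
const SAMPLE_KNOWN = {
  name: "Example parser overflow", cve_id: "CVE-2099-00001", cve_published_date: "2099-01-15",
  risk_rating: "High", tlp: "AMBER+STRICT", confidence: 85,
  exploitation_status: "Exploit Available", first_known_exploit_date: "2099-01-20", revoked: false,
};
const SAMPLE_ZERO_DAY = {
  name: "Internal finding ORG-ZD-0001", is_zero_day: true, cve_published_date: "2099-02-01",
  tlp: "AMBER-STRICT", confidence: 140, exploitation_status: "Under Investigation",
  first_known_exploit_date: "2099-02-03", revoked: false, revoked_reason: "duplicate",
};
console.log(validateVulnerability(SAMPLE_ZERO_DAY).errors.join("\n"));
```

The second sample fails on five fields, each for a rule stated in the tables: a published date without a CVE ID, a TLP value not in the list, a confidence above 100, an exploit date under Under Investigation, and a revocation reason on a record that is not revoked.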

    What to do next

    Use the Related Records section to view detailed information about objects associated with the vulnerability. Select any related list to explore the linked records.
    Table 7. Related Records
    Related Record: Description
    MITRE Techniques: Lists the MITRE techniques related to this vulnerability.
    Timeline Events vulnerability.
    Attack Patterns: Lists the attack patterns that are related to this vulnerability.
    Campaigns: Lists the campaigns that are related to this vulnerability.
    Courses of Action: Lists the courses of action related to this vulnerability.
    Data Sources: Lists the data sources related to this vulnerability.
    Data Components: Lists the data components related to this vulnerability.
    Identities: Lists the identities that are related to this vulnerability.
    Indicators: Lists the indicators that are related to this vulnerability.
    Infrastructure: Lists the infrastructure, such as systems, software services, and any associated physical or virtual resources, that is related to this vulnerability.
    Intrusion Set: Lists the intrusion sets, such as a set of adversarial behaviors and resources with common properties, that are related to this vulnerability.
    Locations: Lists the geographical locations associated with this vulnerability.
    Malware: Lists the malware source records that are related to this vulnerability.
    Malware Analysis: Lists the metadata and results of a particular static or dynamic analysis performed on a malware instance associated with this vulnerability.
    Observables: Lists the observables related to this vulnerability.
    Observed Data: Lists the observed data, that is, cyber security related entities such as files, systems, and networks, associated with this vulnerability.
    Sightings: Lists sightings source records associated with this vulnerability.
    Threat Actors: Lists the threat actors that are related to this vulnerability.
    Threat Events: Lists the threat events that are related to this vulnerability.
    Threat Groupings: Lists the threat groupings as objects that have a shared context with this vulnerability.
    Threat Notes: Lists the threat notes that convey information to provide further context or analysis that are associated with this vulnerability.
    Threat Opinions: Lists the threat opinions as an assessment of the accuracy of the information that are associated with this vulnerability.
    Threat Reports: Lists the threat reports associated with this vulnerability.
    Tools: Lists the tools associated with this vulnerability.
    Vulnerabilities: If the observable is an IP address, this list shows any resources (configuration items) that have a matching IP address that are related to this vulnerability.
    Vulnerability Attributes: Lists custom attributes and their qualitative or quantitative values associated with this vulnerability. Attributes provide additional metadata and characteristics specific to the vulnerability.
      Attributes can be configured in the sn_sec_tisc_intel_attribute table, allowing administrators to define and manage custom attributes.
    CWEs: Lists the Common Weakness Enumeration (CWE) entries associated with this vulnerability. CWEs categorize software and hardware weaknesses that can lead to vulnerabilities.
    Identifiers: Lists alternative identifiers for this vulnerability from various sources. Each identifier includes the identifier value and the organization that assigned it.
    Vulnerability Products: Lists the software or hardware products affected by this vulnerability, along with their status (e.g., known affected, fixed, under investigation, recommended). This mapping helps identify which product versions are impacted.
      Note: The Vulnerability Products related records section displays Vulnerability Product Mapping records instead of Product records.
      Each entry represents a mapping between the vulnerability and a product, along with its current status.
    Remediations: Lists available remediation actions for this vulnerability, including workarounds, mitigations, vendor fixes, and patches. Each remediation includes a description, type, prerequisites, and applicable products.
    Vendor Comments: Lists comments and statements from vendors regarding this vulnerability. Each comment includes the vendor name, comment text, and the date the comment was made.
    RSS Feeds: Lists the related RSS feeds that are associated with this vulnerability.
    Related Cases: Lists the related cases that are associated with this vulnerability.
    Related Case Tasks: Lists the related Case tasks that are associated with this vulnerability.
    Related Canvases
    External References: Lists the external reference sources that provide additional details of the vulnerability.

    Related Records Actions

    Each related list supports specific actions based on how the records are associated with the vulnerability record.

    • Use Add and Remove when records are created from or deleted within the related list.
    • Use Link and Unlink when associating or disassociating existing records without creating new ones. For more information, see Link Threat Intel Related Records.

      The available actions vary depending on the relationship type.

    • The various SDOs in the Threat Intel Library contain potential relationships with other objects. To review and confirm these relationships, use the Potential Relationships link in the Threat Intel Library. For more information, see Confirm object-object potential relationships.
    • You can also confirm relationships from the object’s form view by using the Related Records section and selecting the available entries under Potential Relationships. For more information, see Confirm Potential Relationships from Related Records.
    • You can add objects to cases. For more information, see Add to Case.