Define Vulnerability

  • Release version: Zurich
  • Updated March 25, 2026
  • 10 minutes to read

  A vulnerability is a weakness or flaw in a software or hardware component that can be exploited by attackers to compromise confidentiality, integrity, or availability.

    Before you begin

    Role required: sn_sec_tisc.analyst

    Procedure

    1. Navigate to Workspaces > Threat Intelligence Security Center.
    2. Select the Threat Intel Library icon on the workspace.
    3. Go to the Vulnerability object.
    4. Select New.
      Note:

      When you create a record for an observable, indicator, entity, or object, a corresponding source record is automatically generated. A confirmation message is displayed to indicate that the new object record is created, and you're then redirected to the aggregated record.

    5. On the form, fill in the fields.
      Table 1. Vulnerabilities Details view
      Field Description
      Name Name used to identify the vulnerability.
      Description Details and context about the vulnerability, potentially including its purpose and key characteristics.
      CVE ID Common Vulnerabilities and Exposures identifier for this vulnerability.
      CVE Published Date Date when the vulnerability is published.
      Note:
      This field can only be set if there is a CVE ID field value set.
      CNA (CVE Naming Authority) CVE Naming Authority responsible for assigning the CVE ID.
      CNA Last Modified Date when the record was last modified.
      Risk Rating Normalized degree of severity of this vulnerability.
      • Critical
      • High
      • Medium
      • Low
      Vulnerability Class The classification category identifies the type of vulnerability and serves as a reference field for organizing vulnerabilities.

      The available options for this field are managed in the sn_sec_tisc_vulnerability_class table, enabling you to define and maintain vulnerability class selections as required.

      Threat Level The purpose of this field is to help security teams assess and prioritize observables. This assessment is based on their importance and potential impact.
      Note:
      The value in this field is automatically populated only if the threat intelligence source supports threat level. For example, if Threat Level = High, then the threat occurrence is widespread and a persistent threat.
      Threat Severity The purpose of this field is to help security teams assess and prioritize observables. This assessment is based on their importance and potential impact.
      Note:
      The value in this field is automatically populated only if the threat intelligence source supports threat severity. For example, if Threat Severity = Critical, then it could cause immediate harm.
      TLP TLP is used to verify that sensitive information is shared with the appropriate audience.
      The following are the TLP values:
      • AMBER
      • AMBER+STRICT
      • CLEAR
      • GREEN
      • RED
      Confidence Confidence for this observable record.

      The confidence property identifies the confidence that the creator has in their data correctness. The confidence value must be a number in the range of 0-100.

      Affected Software Affected software associated with the vulnerability.
      Severity Normalized degree of severity of this vulnerability.
      Table 2. Risk & Scoring
      Field Description
      CVSS 2.0 Base Score CVSS v2.0 base score for this vulnerability.
      CVSS 3.x Base Score CVSS v3.0 / v3.1 base score for this vulnerability.
      CVSS 4.0 Base Score CVSS v4.0 base score for this vulnerability.
      CVSS 2.0 Vector CVSS v2.0 vector string representing the vulnerability characteristics.
      CVSS 3.x Vector CVSS v3.x vector string representing the vulnerability characteristics.
      CVSS 4.0 Vector CVSS v4.0 vector string representing the vulnerability characteristics.
      EPSS Score Exploit Prediction Scoring System (EPSS) score indicating the probability of exploitation.
      EPSS Percentile Percentile ranking of the EPSS score compared to all vulnerabilities.
      Table 3. Exploitation Details
      Field Description
      Is Zero Day Whether this is a zero day vulnerability.
      PoC exists Whether a Proof of Concept exploit exists.
      The following are the options:
      • Yes
      • No
      • Unknown (default)
      PoC State State or availability of the Proof of Concept exploit code. The following are the options:
      • Private: PoC exists but isn't publicly available and is held privately
      • Vendor-only: PoC is available only to the vendor for testing and remediation purposes
      • Public: PoC is publicly available and can be accessed by anyone
      • Partial: Only partial PoC code or information is available, not a complete working exploit
      • Reliable: PoC is proven to work reliably and consistently
      • Automated: PoC has been automated and can be executed with minimal manual intervention.
      Exploitation Status Exploit status associated with this vulnerability. Options are:
      • Active Exploitation
      • Patched/Resolved
      • Exploit Available
      • Under Investigation
      First Known Exploit Date Date when exploitation of this vulnerability was first observed or reported.

      This field can only be set if Exploitation Status is set to one of the following options:

      • Active Exploitation
      • Exploit Available
      • Patched/Resolved
      Exploit skill level Technical skill level required to exploit this vulnerability. Options are:
      • Novice
      • Intermediate
      • Expert
      Exploit attack vector Attack vector through which the vulnerability can be exploited. Options are:
      • Remote
      • Local
      Known Ransomware Campaign Use Whether this vulnerability has been used in known ransomware campaigns.
      KEV Date Added Date this vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) catalog.
      KEV Action Due Date Due date for required actions as specified in the KEV catalog.
      KEV Vendor Project Vendor and project name associated with the KEV entry.
      KEV Required Action Required remediation action specified in the KEV catalog.
      Dark Web Mentions Mentions or discussions of this vulnerability on dark web forums.
      Social Media Mentions Mentions or discussions of this vulnerability on social media platforms.
      Table 4. Mitigation & Remediation
      Field Description
      Vulnerability Remediation Status Current status of remediation efforts.
      The following are the options:
      • Open
      • In Review
      • Mitigated/Patched
      • Closed
      Table 5. Additional Information
      Field Description
      Technical Details Additional technical information about the vulnerability.
      Additional Context Additional context for this vulnerability.
      Revoked Whether this vulnerability record has been revoked and is no longer considered valid or accurate.
      Revoked Date Date when this vulnerability record was revoked.
      Note:
      This field may be set only if the Revoked check box is selected.
      Revoked Reason Reason why this vulnerability record was revoked.
      Note:
      This field may be set only if the Revoked check box is selected.
      Status Current status of the vulnerability in TISC. Options are:
      • Active (default)
      • Inactive
      Expiration Time Date and time when this vulnerability record will expire and should no longer be considered active.
    6. Select Save.
      After you save, a prompt message is displayed. The message indicates that a new observable record is created. Select Continue to edit the record and create relationships.
    7. Select Continue.

      You're taken to the form view of the aggregated vulnerability record.

      Important:
      • Zero Day Status Toggle: You can toggle the Zero Day status directly from the status pill in the header of the vulnerability record form. TISC supports zero-day vulnerabilities, which are newly discovered security flaws that have no assigned CVE identifier or remediation. These records can include an internal organizational identifier. Over time, a zero-day vulnerability can transition to a known CVE. This transition occurs after an official identifier is assigned and remediation guidance is published.
        • By default, fields such as CVE ID and CVE Published Date remain empty.
        • An internal organizational identifier can be added in the Identifiers related records.
        • To enable or disable zero-day status, use the Zero-Day toggle button on the vulnerability record page. This button marks or unmarks the vulnerability as a zero-day.
        • For manually created vulnerability source records, a dedicated Zero Day field is available. This field appears on the source record form.
      • Remediations Count: The form includes a Remediations Count field, which indicates the total number of remediations linked to the vulnerability. To view or manage these remediations, go to the Related Records tab. Then select the Remediations section.
      • Prevent System Updates: The form includes a Prevent System Updates check box. By selecting this option, you retain any updates made by analysts. System-generated updates are prevented.
      Table 6. TISC Tags & Taxonomies
      Field Description
      TISC Tags
      Select Tags Tags associated with the vulnerability.
      Add Tags New tags.
      Taxonomies
      Select Taxonomy Taxonomy associated with this vulnerability.
      Add Taxonomy Values Taxonomy values associated with this vulnerability.
      Note:
      TISC Tags & Taxonomies appears after you save the vulnerability record. You can add tags and taxonomies for an existing record.

      Add TISC tags to a Vulnerability record from the list view:

      • Select Add TISC Tags to associate the tags to the vulnerability record from the list view.
      • Search and select the desired tag.
      • Select Submit to add the tag.

        A confirmation displays indicating that the tags are applied successfully.

      Add Vulnerability record to a case from the list view:

      • Select Add to Case to add the vulnerability record to a case.
      • Select the case(s).
      • Select Add to add the case to the vulnerability record.

        The record is added to case(s) successfully.

    8. If you want to delete any record, select Delete to delete the aggregated record.

      When you select this action, it removes all related records except the original source data. It also triggers re-aggregation.

      Note:

      A confirmation message appears to verify that you want to delete the aggregated record. To also delete the associated source records and prevent re-aggregation, select the Delete Source Records check box. This action permanently removes all the related source records.
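
The field dependencies stated in step 5 (CVE Published Date needs a CVE ID, First Known Exploit Date depends on Exploitation Status, the Revoked fields need the Revoked check box, Confidence is 0-100) and the zero-day default of an empty CVE ID can be checked before records are entered in bulk. The following JavaScript is an added example, not ServiceNow code; the record keys (cveId, firstKnownExploitDate, and so on) are hypothetical names for the form fields, and the sample records are constructed.

```javascript
// Added example. Keys such as cveId or firstKnownExploitDate are hypothetical
// names for the form fields, not TISC column names.
const OPTIONS = {
  riskRating: ["Critical", "High", "Medium", "Low"],
  tlp: ["AMBER", "AMBER+STRICT", "CLEAR", "GREEN", "RED"],
  pocExists: ["Yes", "No", "Unknown"],
  exploitationStatus: ["Active Exploitation", "Patched/Resolved",
                       "Exploit Available", "Under Investigation"],
  remediationStatus: ["Open", "In Review", "Mitigated/Patched", "Closed"],
  status: ["Active", "Inactive"],
};
// Exploitation statuses under which First Known Exploit Date may be set.
const EXPLOIT_DATE_OK = ["Active Exploitation", "Exploit Available", "Patched/Resolved"];
const CVE_SYNTAX = /^CVE-\d{4}-\d{4,}$/; // standard CVE ID syntax
const isSet = (v) => v !== undefined && v !== null && v !== "";

function validateVulnerability(rec) {
  const errors = [], warnings = [];
  for (const [key, allowed] of Object.entries(OPTIONS)) {
    if (isSet(rec[key]) && !allowed.includes(rec[key]))
      errors.push(`${key}: "${rec[key]}" is not a listed option`);
  }
  if (isSet(rec.cveId) && !CVE_SYNTAX.test(rec.cveId))
    errors.push("cveId: not in CVE-YYYY-NNNN form");
  if (isSet(rec.cvePublishedDate) && !isSet(rec.cveId))
    errors.push("cvePublishedDate: needs a CVE ID");
  if (isSet(rec.confidence) &&
      !(typeof rec.confidence === "number" && rec.confidence >= 0 && rec.confidence <= 100))
    errors.push("confidence: must be a number from 0 to 100");
  if (isSet(rec.firstKnownExploitDate) && !EXPLOIT_DATE_OK.includes(rec.exploitationStatus))
    errors.push("firstKnownExploitDate: exploitation status does not allow it");
  for (const key of ["revokedDate", "revokedReason"]) {
    if (isSet(rec[key]) && rec.revoked !== true)
      errors.push(`${key}: needs Revoked selected`);
  }
  // Zero-day records normally carry no CVE ID; a set one suggests a transition.
  if (rec.isZeroDay === true && isSet(rec.cveId))
    warnings.push("isZeroDay: CVE ID present, review the zero-day status");
  return { errors, warnings };
}

// Constructed sample records (not real vulnerabilities).
const zeroDay = { name: "Internal finding ZD-EXAMPLE", isZeroDay: true, tlp: "AMBER+STRICT",
                  confidence: 70, exploitationStatus: "Under Investigation", status: "Active" };
const broken = { name: "Bad import row", cvePublishedDate: "2026-01-01", tlp: "WHITE",
                 confidence: 140, exploitationStatus: "Under Investigation",
                 firstKnownExploitDate: "2026-01-02", revokedReason: "duplicate" };
console.log(validateVulnerability(zeroDay), validateVulnerability(broken));
```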

    What to do next

    Use the Related Records section to view detailed information about objects associated with the vulnerability. Select any related list to explore the linked records.
    Table 7. Related Records
    Related Record Description
    MITRE Techniques MITRE techniques related to this vulnerability.
    Timeline Events Timeline events related to this vulnerability.
    Attack Patterns Attack patterns related to this vulnerability.
    Campaigns Campaigns related to this vulnerability.
    Courses of Action Courses of action related to this vulnerability.
    Data Sources Data sources related to this vulnerability.
    Data Components Data components related to this vulnerability.
    Identities Identities related to this vulnerability.
    Indicators Indicators related to this vulnerability.
    Infrastructure Infrastructure such as systems, software services, and any associated physical or virtual resources related to this vulnerability.
    Intrusion Set Intrusion sets such as a set of adversarial behaviors and resources with common properties related to this vulnerability.
    Locations Geographical locations associated with this vulnerability.
    Malware Malware source records related to this vulnerability.
    Malware Analysis Metadata and results of a particular static or dynamic analysis performed on a malware instance associated with this vulnerability.
    Observables Observables related to this vulnerability.
    Observed Data Observed data that are cyber security related entities such as files, systems, and networks associated with this vulnerability.
    Sightings Sightings source records associated with this vulnerability.
    Threat Actors Threat actors related to this vulnerability.
    Threat Events Threat events related to this vulnerability.
    Threat Groupings Threat groupings as objects that have a shared context with this vulnerability.
    Threat Notes Threat notes that convey information to provide further context or analysis associated with this vulnerability.
    Threat Opinions Threat opinions as an assessment of the accuracy of the information associated with this vulnerability.
    Threat Reports Threat reports associated with this vulnerability.
    Tools Tools associated with this vulnerability.
    Vulnerabilities If the observable is an IP address, this list shows any resources (configuration items) with a matching IP address. These resources are related to this vulnerability.
    Vulnerability Attributes Custom attributes and their qualitative or quantitative values associated with this vulnerability. Attributes provide additional metadata and characteristics specific to the vulnerability.

    Attributes can be configured in the sn_sec_tisc_intel_attribute table, allowing administrators to define and manage custom attributes.

    CWEs Common Weakness Enumeration (CWE) entries associated with this vulnerability. CWEs categorize software and hardware weaknesses that can lead to vulnerabilities.
    Identifiers Alternative identifiers for this vulnerability from various sources. Each identifier includes the identifier value and the organization that assigned it.
    Vulnerability Products Software or hardware products affected by this vulnerability, along with their status (for example, known affected, fixed, under investigation, recommended). This mapping helps identify which product versions are impacted.
    Note:

    The Vulnerability Products related records section displays Vulnerability Product Mapping records. It does not display Product records.

    Each entry represents a mapping between the vulnerability and a product, along with its current status.

    Remediations Available remediation actions for this vulnerability, including workarounds, mitigation, vendor fixes, and patches. Each remediation includes a description, type, prerequisites, and applicable products.
    Vendor Comments Comments and statements from vendors regarding this vulnerability. Each comment includes the vendor name, comment text, and the date the comment was made.
    RSS Feeds Related RSS feeds associated with this vulnerability.
    Related Cases Related cases associated with this vulnerability.
    Related Case Tasks Related case tasks associated with this vulnerability.
    Related Canvases
    External References External reference sources that provide additional details of the vulnerability.

    Related Records Actions

    Each related list supports specific actions based on how the records are associated with the vulnerability record.

    • Use Add and Remove when records are created from or deleted within the related list.
    • Use Link and Unlink when associating or disassociating existing records. This applies when you don't create records. For more information, see Link Threat Intel Related Records.

      The available actions vary depending on the relationship type.

    • The various SDOs in the Threat Intel Library contain potential relationships with other objects. To review and confirm these relationships, use the Potential Relationships link in the Threat Intel Library. For more information, see Confirm object-object potential relationships.
    • You can also confirm relationships from the object's form view by using the Related Records section. Select the available entries under Potential Relationships. For more information, see Confirm Potential Relationships from Related Records.
    • You can add objects to cases. For more information, see Add to Case.