Export - Vuln Intel
Vulnerability Intelligence Export Models Documentation
Version: 2.0.0
Description: Vulnerability Intelligence Export Models Documentation
Version History
2.0.0: Initial public release. Configuration field names on each vulnerability changed to snake_case
1.1.0: Renamed the 'nvd_references' field on each vulnerability to 'upstream_references'
1.0.0: Internal release of the vulnerability intelligence export
Additional Materials
For additional materials including the complete JSON schema, API documentation, and integration examples, please contact [email protected].
Table of Contents
Export Record Format
Export Models
Vulnerability
Exploit
Exploitation
Detection Signature
Mention
Vulnerable Configuration
Enums
Examples
Export Record Format
The main export format for vulnerability intelligence data.
Export Name: vuln_intel_record
Version: 2.0.0
Description: Complete vulnerability intelligence record with all related entities
Each line in the JSONL export is one complete vulnerability record: the three record-level fields, the vulnerability object, and the five related-entity arrays (the arrays are not marked required; in the example below an empty one appears as [] rather than being omitted):
{"uuid": "...", "created_at": "...", "updated_at": "...", "vulnerability": {...}, "exploits": [...], "exploitations": [...], "mentions": [...], "detection_signatures": [...], "vulnerable_configurations": [...]}
{"uuid": "...", "created_at": "...", "updated_at": "...", "vulnerability": {...}, "exploits": [...], "exploitations": [...], "mentions": [...], "detection_signatures": [...], "vulnerable_configurations": [...]}
Export Record Fields
| Field | Type | Required | Description |
|---|---|---|---|
| uuid | string | ✅ | Unique identifier for this record |
| created_at | string | ✅ | When this record was first created in the system |
| updated_at | string | ✅ | When this record was last updated in the system |
| vulnerability | object | ✅ | Core vulnerability intelligence data |
| exploits | array[object] | | List of known exploits for this vulnerability |
| exploitations | array[object] | | List of recorded exploitations of this vulnerability |
| mentions | array[object] | | List of mentions/references for this vulnerability |
| detection_signatures | array[object] | | List of detection signatures for this vulnerability |
| vulnerable_configurations | array[object] | | List of vulnerable product configurations for this vulnerability |
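A reader for this JSONL layout, as an added example (not the export's own tooling): it parses one record per line, checks the ✅ required fields of the record and of every nested model against the tables on this page, verifies that the record uuid equals vulnerability.uuid, and reports where a vulnerability.*_count disagrees with the length of the matching array. That last check exists because the complete example further down shows exploits_count 0 beside a one-element exploits array and mentions_count 3 beside a single mention, so a consumer should not assume the two are always in sync. The two sample records are constructed for the demo.

```python
"""Reader and validator for vuln_intel_record JSONL exports.

Added example, not the export's own tooling.  The required-field lists
mirror the ✅ marks in the field tables on this page; the two sample
records at the bottom are constructed for the demo.
"""
import json
from typing import Iterator

# Required fields per model, as marked ✅ in this documentation.
REQUIRED = {
    "record": ("uuid", "created_at", "updated_at", "vulnerability"),
    "vulnerability": ("uuid", "created_at", "updated_at"),
    "exploits": ("uuid", "created_at", "updated_at", "url"),
    "exploitations": ("uuid", "created_at", "updated_at"),
    "mentions": ("uuid", "created_at", "updated_at"),
    "detection_signatures": ("uuid", "created_at", "updated_at"),
    "vulnerable_configurations": ("uuid", "created_at", "updated_at",
                                  "cpe_id", "set_id", "is_vulnerable"),
}
# Child arrays of the record; vulnerability.<name>_count should match each length.
CHILD_ARRAYS = ("exploits", "exploitations", "mentions",
                "detection_signatures", "vulnerable_configurations")


def iter_records(text: str) -> Iterator[dict]:
    """Yield one dict per non-blank JSONL line.  A malformed line raises
    ValueError naming the line number instead of being skipped silently."""
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {lineno}: invalid JSON: {exc.msg}") from exc


def _missing(obj: dict, model: str) -> list[str]:
    # A key that is absent or null counts as missing; False (is_vulnerable) does not.
    return [f for f in REQUIRED[model] if obj.get(f) is None]


def validate_record(rec: dict) -> list[str]:
    """Return the list of problems found (empty for a well-formed record)."""
    problems = [f"record missing {f}" for f in _missing(rec, "record")]
    vuln = rec.get("vulnerability") or {}
    problems += [f"vulnerability missing {f}" for f in _missing(vuln, "vulnerability")]
    if vuln.get("uuid") and rec.get("uuid") != vuln["uuid"]:
        problems.append("record uuid != vulnerability.uuid")
    for name in CHILD_ARRAYS:
        items = rec.get(name) or []          # arrays are optional: absent == empty
        for i, item in enumerate(items):
            problems += [f"{name}[{i}] missing {f}" for f in _missing(item, name)]
        count = vuln.get(f"{name}_count")
        if count is not None and count != len(items):
            problems.append(f"{name}_count={count} but {len(items)} entries")
    return problems


def check_export(text: str) -> dict[str, list[str]]:
    """Validate every line of a JSONL export, keyed by record uuid."""
    return {rec.get("uuid", f"<no uuid #{i}>"): validate_record(rec)
            for i, rec in enumerate(iter_records(text), start=1)}


# Constructed sample export: one clean record and one with the kind of
# disagreement visible in the page's own example (exploits_count 0 beside
# a populated exploits array) plus an exploit lacking its required url.
_TS = "2025-07-22T05:02:10.567667+00:00"
_GOOD = {
    "uuid": "cfbf89e4-eae2-46d8-817a-546f832380b2", "created_at": _TS, "updated_at": _TS,
    "vulnerability": {"uuid": "cfbf89e4-eae2-46d8-817a-546f832380b2",
                      "created_at": _TS, "updated_at": _TS, "cve_id": "CVE-2021-28474",
                      "exploits_count": 1, "mentions_count": 0},
    "exploits": [{"uuid": "660e8400-e29b-41d4-a716-446655440001", "created_at": _TS,
                  "updated_at": _TS, "url": "https://example.invalid/poc", "cve_ids": []}],
    "mentions": [],
}
_BAD = {
    "uuid": "11111111-2222-4333-8444-555555555555", "created_at": _TS, "updated_at": _TS,
    "vulnerability": {"uuid": "11111111-2222-4333-8444-555555555555",
                      "created_at": _TS, "updated_at": _TS, "exploits_count": 0},
    "exploits": [{"uuid": "660e8400-e29b-41d4-a716-446655440009",
                  "created_at": _TS, "updated_at": _TS, "url": None}],
}
SAMPLE_JSONL = "\n".join(json.dumps(r) for r in (_GOOD, _BAD))

if __name__ == "__main__":
    for uuid, problems in check_export(SAMPLE_JSONL).items():
        print(uuid, "OK" if not problems else "; ".join(problems))
```

Run it against a real export with `check_export(open("export.jsonl").read())`; records whose problem list is non-empty are the ones to quarantine or to raise with the provider before loading them into a downstream store.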
Export Models
The following models represent the individual components that make up the complete export record:
Vulnerability
Export Name: vuln_intel_vulnerability
Version: 1.0.0
Description: Vulnerability intelligence export with core vulnerability data and related entities
Fields
| Field | Type | Required | Description |
|---|---|---|---|
| uuid | string | ✅ | Unique identifier for this record |
| created_at | string | ✅ | When this record was first created in the system |
| updated_at | string | ✅ | When this record was last updated in the system |
| cve_id | string | | CVE identifier (e.g., CVE-2023-1234) |
| state | string | | Vulnerability state from MITRE (e.g., PUBLISHED, RESERVED) |
| description | string | | Official vulnerability description |
| gen_description | string | | Mallory-generated enhanced description |
| gen_display_name | string | | Mallory-generated display name for the vulnerability |
| gen_cwe_id | string | | Mallory-generated CWE identifier |
| gen_impact | string | | Mallory-generated impact assessment |
| gen_mitigations | string | | Mallory-generated mitigation recommendations |
| gen_remediation | string | | Mallory-generated remediation guidance |
| cvss_base_score | number | | CVSS base score (0.0-10.0) |
| cvss_version | number | | CVSS version (e.g., 3.1, 4.0) |
| cvss_vector | string | | CVSS vector string |
| cvss_source | string | | Source of CVSS data (e.g., NVD, vendor) |
| cvss_type | string | | Type of CVSS score (e.g., Primary, Secondary) |
| cvss_data | array[object] | | Complete CVSS vector data as array of dictionaries |
| epss_score | number | | EPSS score (0.0-1.0): the estimated probability that the vulnerability is exploited in the wild within the next 30 days |
| epss_percentile | number | | EPSS percentile ranking (0.0-1.0) |
| cisa_kev_added_at | string | | Date when added to CISA Known Exploited Vulnerabilities (KEV) catalog |
| reserved_at | string | | CVE reservation date |
| published_at | string | | CVE publication date |
| upstream_references | array[object] | | Upstream reference links from NVD and other sources |
| raw_mitre_cvelist_v5_cves_adp | array[object] | | Raw MITRE CVE ADP (Authorized Data Publisher) data |
| weaknesses | array[string] | | List of CWE identifiers associated with this vulnerability (distinct from gen_cwe_id; in the example below they differ) |
| mentions_count | integer | | Number of mentions/references found for this vulnerability |
| detection_signatures_count | integer | | Number of detection signatures available for this vulnerability |
| exploits_count | integer | | Number of known exploits for this vulnerability |
| exploitations_count | integer | | Number of recorded exploitations of this vulnerability |
| vulnerable_configurations_count | integer | | Number of vulnerable product configurations for this vulnerability |

Note on the count fields: in the complete example below they do not all agree with the arrays in the same record (exploits_count is 0 beside one exploit entry; mentions_count is 3 beside one mention), so consumers should not assume a count always equals the length of the corresponding array.
Summary
Total Fields: 31
Required Fields: 3
Optional Fields: 28
Exploit
Export Name: vuln_intel_exploit
Version: 1.0.0
Description: Exploit intelligence export with core exploit data and CVE relationships
Fields
| Field | Type | Required | Description |
|---|---|---|---|
| uuid | string | ✅ | Unique identifier for this record |
| created_at | string | ✅ | When this record was first created in the system |
| updated_at | string | ✅ | When this record was last updated in the system |
| url | string | ✅ | URL to the exploit code or proof-of-concept |
| name | string | | Name or title of the exploit |
| description | string | | Description of the exploit and what it does |
| maturity | string | | Maturity level of the exploit (UNKNOWN, POC, OPERATIONAL, WEAPONIZED) |
| disclosed_at | string | | Date when the exploit was first disclosed or published |
| authors | string | | Authors or researchers who discovered/published the exploit |
| cve_ids | array[string] | | List of CVE identifiers that this exploit targets (may be empty even for an exploit nested in a record, as in the example; the parent record's vulnerability.cve_id provides the link) |
Summary
Total Fields: 10
Required Fields: 4
Optional Fields: 6
Exploitation
Export Name: vuln_intel_exploitation
Version: 1.0
Description: Vulnerability exploitation incident data for export
Fields
| Field | Type | Required | Description |
|---|---|---|---|
| uuid | string | ✅ | Unique identifier for this record |
| created_at | string | ✅ | When this record was first created in the system |
| updated_at | string | ✅ | When this record was last updated in the system |
| begins_at | string | | When the exploitation period began |
| ends_at | string | | When the exploitation period ended |
| count | integer | | Number of exploitation incidents recorded |
| detection_signature_uuid | string | | UUID of the associated detection signature |
| detection_signature_name | string | | Name of the associated detection signature |
| detection_signature_source | string | | Source of the detection signature |
| detection_signature_method | string | | Detection method used by the signature |
Summary
Total Fields: 10
Required Fields: 3
Optional Fields: 7
Detection Signature
Export Name: vuln_intel_detection_signature
Version: 1.0
Description: Detection signature intelligence data for export
Fields
| Field | Type | Required | Description |
|---|---|---|---|
| uuid | string | ✅ | Unique identifier for this record |
| created_at | string | ✅ | When this record was first created in the system |
| updated_at | string | ✅ | When this record was last updated in the system |
| upstream_id | string | | Upstream identifier for the detection signature |
| source | string | | Source of the detection signature (e.g., vendor, organization) |
| method | string | | Detection method used (e.g., IPS, EDR, Malware) |
| name | string | | Name of the detection signature |
| description | string | | Description of what the detection signature identifies |
Summary
Total Fields: 8
Required Fields: 3
Optional Fields: 5
Mention
Export Name: vuln_intel_mention
Version: 1.0
Description: Vulnerability mention intelligence data for export
Fields
| Field | Type | Required | Description |
|---|---|---|---|
| uuid | string | ✅ | Unique identifier for this record |
| created_at | string | ✅ | When this record was first created in the system |
| updated_at | string | ✅ | When this record was last updated in the system |
| published_at | string | | Date when the mention was published |
| overview | string | | Brief overview or summary of the mention |
| context | string | | Context or detailed content of the mention |
| reference_uuid | string | | UUID of the reference document/source |
| reference_url | string | | URL of the reference document/source |
| reference_source | string | | Source of the reference (e.g., vendor, publication) |
| reference_user_generated_content | boolean | | Whether the reference is user-generated content |
| reference_topic | string | | Topic or category of the reference |
| vulnerability_uuid | string | | UUID of the related vulnerability |
| cve_id | string | | CVE identifier of the related vulnerability |
| vulnerability_gen_display_name | string | | Mallory-generated display name for the related vulnerability |
Summary
Total Fields: 14
Required Fields: 3
Optional Fields: 11
Vulnerable Configuration
Export Name: vuln_intel_vulnerable_configuration
Version: 1.0
Description: Vulnerable configuration intelligence data for export
Fields
| Field | Type | Required | Description |
|---|---|---|---|
| uuid | string | ✅ | Unique identifier for this record |
| created_at | string | ✅ | When this record was first created in the system |
| updated_at | string | ✅ | When this record was last updated in the system |
| cpe_id | string | ✅ | Identifier of the Common Platform Enumeration entry this configuration is based on (an opaque hex digest in the examples, not the CPE name; the name itself is in cpe23_uri) |
| set_id | string | ✅ | Group identifier for related configurations |
| cpe23_uri | string | | CPE 2.3 formatted string (cpe:2.3:part:vendor:product:version:update:edition:language:sw_edition:target_sw:target_hw:other) |
| edition | string | | Edition component of the CPE |
| language | string | | Language component of the CPE |
| sw_edition | string | | Software edition component of the CPE |
| target_sw | string | | Target software environment |
| target_hw | string | | Target hardware environment |
| other | string | | Other CPE component information |
| version_start_excluding | string | | Starting version (exclusive) of vulnerable range |
| version_start_including | string | | Starting version (inclusive) of vulnerable range |
| version_end_excluding | string | | Ending version (exclusive) of vulnerable range |
| version_end_including | string | | Ending version (inclusive) of vulnerable range |
| update_start_including | string | | Starting update (inclusive) of vulnerable range |
| update_end_including | string | | Ending update (inclusive) of vulnerable range |
| is_vulnerable | boolean | ✅ | Whether this configuration is vulnerable |
| vendor | string | | Vendor name for the technology product |
| vendor_display_name | string | | Display name for the vendor |
| product_type | string | | Type of the technology product (e.g., application, operating_system) |
| product_name | string | | Name of the technology product |
| product_display_name | string | | Display name for the technology product |
| cve_id | string | | CVE identifier of the associated vulnerability |
Summary
Total Fields: 25
Required Fields: 6
Optional Fields: 19
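The matching logic a consumer needs for these rows, as an added example (not the export's own matcher): parse the cpe23_uri into its eleven components, then decide whether an installed (vendor, product, version, update) is covered by a row, applying the four version_* bounds when the CPE name carries "*" for the version and an exact comparison when it carries a concrete version. Row 1 mirrors the page's SharePoint example; rows 2 and 3 and the installed-product inputs are constructed. Two assumptions are stated in the code: versions are compared as dotted numeric tuples (real version schemes need vendor-specific rules), and each row is evaluated on its own, since how rows sharing a set_id combine is not specified on this page.

```python
"""Match an installed product against vuln_intel_vulnerable_configuration rows.

Added example, not the export's own matcher.  Row 1 below mirrors the
page's SharePoint example; rows 2 and 3 and the installed-product inputs
are constructed.  Assumptions: dotted-numeric version ordering (real
version schemes need vendor-specific rules), and each row is evaluated on
its own; how rows sharing a set_id combine is not specified on this page.
"""
import re

CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")
# Values the export uses for an unconstrained component ("ANY"/null in the
# examples, "*" inside a CPE string).  CPE's "-" (not applicable) is not ANY.
UNCONSTRAINED = {"*", "ANY", None, ""}


def parse_cpe23(uri: str) -> dict:
    """Split a CPE 2.3 formatted string into its 11 named components.
    Splits only on unescaped colons, so an escaped '\\:' inside a component
    (allowed by the spec) stays part of that component."""
    parts = re.split(r"(?<!\\):", uri)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {uri!r}")
    return dict(zip(CPE_FIELDS, parts[2:]))


def _vkey(version: str) -> tuple:
    """'16.0.4351' -> ((0,16),(0,0),(0,4351)); non-numeric pieces sort after numbers."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in version.split("."))


def version_in_range(installed: str, cfg: dict) -> bool:
    """Apply the four version_* bounds of a row; a null bound does not constrain."""
    v = _vkey(installed)
    bounds = (
        (cfg.get("version_start_excluding"), lambda b: v > b),
        (cfg.get("version_start_including"), lambda b: v >= b),
        (cfg.get("version_end_excluding"), lambda b: v < b),
        (cfg.get("version_end_including"), lambda b: v <= b),
    )
    return all(ok(_vkey(bound)) for bound, ok in bounds if bound is not None)


def matches(cfg: dict, vendor: str, product: str, version: str, update: str = "*") -> bool:
    """True when the installed (vendor, product, version, update) is covered by
    a row the export marks vulnerable.  An unknown installed update ('*')
    matches a row pinned to a service pack: for vulnerability management a
    false positive is cheaper than a silent miss."""
    if not cfg.get("is_vulnerable"):
        return False
    cpe = parse_cpe23(cfg["cpe23_uri"])
    if cpe["vendor"] != vendor or cpe["product"] != product:
        return False
    if cpe["version"] not in UNCONSTRAINED:
        # A concrete version in the CPE name pins the match exactly.
        if _vkey(cpe["version"]) != _vkey(version):
            return False
    elif not version_in_range(version, cfg):
        # "*" in the name defers to the version_* range bounds.
        return False
    # Update level: use the CPE's update, else a row whose update_start/end_including
    # name the same single value.  Ordering of updates is vendor-specific, so a
    # genuine range of updates is left unconstrained here.
    pinned = cpe["update"]
    if pinned in UNCONSTRAINED and cfg.get("update_start_including") == cfg.get("update_end_including"):
        pinned = cfg.get("update_start_including")
    if pinned not in UNCONSTRAINED and update not in UNCONSTRAINED and update != pinned:
        return False
    return True


def affected_rows(rows: list, vendor: str, product: str, version: str,
                  update: str = "*") -> list:
    """cpe23_uri of every row that covers the installed product."""
    return [r["cpe23_uri"] for r in rows if matches(r, vendor, product, version, update)]


# Constructed sample rows (row 1 mirrors the page's example; only the fields
# the matcher reads are included).
ROWS = [
    {"cpe23_uri": "cpe:2.3:a:microsoft:sharepoint_foundation:2013:sp1:*:*:*:*:*:*",
     "version_start_including": "2013", "version_end_including": "2013",
     "update_start_including": "sp1", "update_end_including": "sp1", "is_vulnerable": True},
    {"cpe23_uri": "cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:*:*:*:*",
     "version_start_including": "16.0", "version_end_excluding": "16.0.5000",
     "is_vulnerable": True},
    {"cpe23_uri": "cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*",
     "is_vulnerable": False},   # row present in a set but not itself vulnerable
]

if __name__ == "__main__":
    print(affected_rows(ROWS, "microsoft", "sharepoint_server", "16.0.4351.1000"))
    print(affected_rows(ROWS, "microsoft", "sharepoint_foundation", "2013", "sp2"))
```

Feed it the vendor, product and version strings your asset inventory reports in CPE form; rows with is_vulnerable false never match on their own, and a row pinned to a specific update (the sp1 row above) rejects a different known update but accepts an unknown one.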
Enums
MaturityLevel
Description: Exploit maturity levels
Values:
UNKNOWN
POC
OPERATIONAL
WEAPONIZED
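How the vulnerability fields (cvss_base_score, epss_score, cisa_kev_added_at), the exploitations array and this MaturityLevel enum combine into a triage decision, as an added example that is not the vendor's own scoring: evidence of real-world exploitation (KEV listing, recorded exploitation windows) outranks exploit maturity, which outranks predicted likelihood (EPSS), which outranks severity alone (CVSS). The tier names and the EPSS and CVSS thresholds are this example's assumptions. The sample record mirrors the page's CVE-2021-28474 example; the exploited variant is constructed. Maturity is read from the exploits array rather than exploits_count, because the page's example shows the two disagreeing, and null scores (common in the export) never promote a record.

```python
"""Triage a vuln_intel_record into an action tier using the score, KEV,
exploitation and exploit-maturity fields documented on this page.

Added example, not the export's own scoring.  Tier names and thresholds
are this example's assumptions; the sample record mirrors the page's
CVE-2021-28474 example and the variant of it is constructed.
"""
from enum import IntEnum


class Maturity(IntEnum):
    """MaturityLevel values from this page, ordered so max() yields the worst case."""
    UNKNOWN = 0
    POC = 1
    OPERATIONAL = 2
    WEAPONIZED = 3


EPSS_HIGH = 0.10      # assumption: 10% 30-day exploitation probability
CVSS_CRITICAL = 9.0   # assumption


def worst_maturity(record: dict) -> Maturity:
    """Highest maturity across the record's exploits array (not exploits_count,
    which the page's example shows disagreeing with the array).  Unrecognised
    values degrade to UNKNOWN instead of raising."""
    worst = Maturity.UNKNOWN
    for ex in record.get("exploits") or []:
        try:
            worst = max(worst, Maturity[ex.get("maturity") or "UNKNOWN"])
        except KeyError:
            pass
    return worst


def triage(record: dict) -> tuple:
    """Return (tier, reasons); tiers are urgent > high > medium > low.

    Evidence is applied from most to least direct:
      urgent: listed in CISA KEV, or exploitations recorded against it
      high:   OPERATIONAL/WEAPONIZED exploit, or EPSS >= EPSS_HIGH
      medium: POC exploit, or CVSS >= CVSS_CRITICAL
      low:    none of the above
    Null scores, which are common in the export, never promote a record."""
    v = record.get("vulnerability") or {}
    reasons = []
    if v.get("cisa_kev_added_at"):
        reasons.append(f"in CISA KEV since {v['cisa_kev_added_at']}")
    windows = record.get("exploitations") or []
    hits = sum(w.get("count") or 0 for w in windows)
    if hits:
        reasons.append(f"{hits} exploitation(s) recorded over {len(windows)} window(s)")
    if reasons:
        return "urgent", reasons

    maturity = worst_maturity(record)
    epss = v.get("epss_score")
    if maturity >= Maturity.OPERATIONAL:
        reasons.append(f"{maturity.name} exploit available")
    if epss is not None and epss >= EPSS_HIGH:
        reasons.append(f"EPSS {epss:.3f} >= {EPSS_HIGH}")
    if reasons:
        return "high", reasons

    cvss = v.get("cvss_base_score")
    if maturity == Maturity.POC:
        reasons.append("proof-of-concept exploit published")
    if cvss is not None and cvss >= CVSS_CRITICAL:
        reasons.append(f"CVSS {cvss} >= {CVSS_CRITICAL}")
    if reasons:
        return "medium", reasons
    return "low", ["no exploitation evidence; EPSS and CVSS below thresholds"]


# Sample record mirroring the page's example (only the fields triage reads).
SAMPLE = {
    "uuid": "cfbf89e4-eae2-46d8-817a-546f832380b2",
    "vulnerability": {"cve_id": "CVE-2021-28474", "cvss_base_score": 8.8,
                      "epss_score": 0.11384, "cisa_kev_added_at": None,
                      "exploits_count": 0},
    "exploits": [{"url": "https://github.com/security-research/CVE-2021-28474-poc",
                  "maturity": "POC"}],
    "exploitations": [],
}
# Constructed variant: the same record with one exploitation window recorded.
SAMPLE_EXPLOITED = {**SAMPLE, "exploitations": [{"begins_at": "2021-06-15T00:00:00+00:00",
                                                 "ends_at": "2021-08-30T00:00:00+00:00",
                                                 "count": 42}]}

if __name__ == "__main__":
    for rec in (SAMPLE, SAMPLE_EXPLOITED):
        tier, why = triage(rec)
        print(rec["vulnerability"]["cve_id"], tier, "|", "; ".join(why))
```

The reasons list is returned alongside the tier so the decision can be written into a ticket or SIEM field and audited later; tune the two thresholds to your own risk appetite rather than treating them as recommendations.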
Examples
Below are complete example records showing the structure and content of each export model:
Complete Export Record
A complete vulnerability intelligence record with all related entities:
{
"uuid": "cfbf89e4-eae2-46d8-817a-546f832380b2",
"created_at": "2024-10-06T16:15:50.989983+00:00",
"updated_at": "2025-07-22T05:02:10.567667+00:00",
"vulnerability": {
"uuid": "cfbf89e4-eae2-46d8-817a-546f832380b2",
"created_at": "2024-10-06T16:15:50.989983+00:00",
"updated_at": "2025-07-22T05:02:10.567667+00:00",
"cve_id": "CVE-2021-28474",
"state": "PUBLISHED",
"description": "Microsoft SharePoint Server Remote Code Execution Vulnerability",
"gen_description": "CVE-2021-28474 is a critical remote code execution vulnerability in Microsoft SharePoint Server, arising from unsafe deserialization of untrusted data.",
"gen_display_name": null,
"gen_cwe_id": null,
"gen_impact": null,
"gen_mitigations": null,
"gen_remediation": null,
"cvss_base_score": 8.8,
"cvss_version": 3.1,
"cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"cvss_source": null,
"cvss_type": null,
"cvss_data": null,
"epss_score": 0.11384,
"epss_percentile": 0.9324,
"cisa_kev_added_at": null,
"reserved_at": null,
"published_at": "2021-05-11T19:11:16+00:00",
"upstream_references": null,
"raw_mitre_cvelist_v5_cves_adp": null,
"weaknesses": [
"CWE-436"
],
"mentions_count": 3,
"detection_signatures_count": 0,
"exploits_count": 0,
"exploitations_count": 0,
"vulnerable_configurations_count": 6
},
"exploits": [
{
"uuid": "660e8400-e29b-41d4-a716-446655440001",
"created_at": "2024-10-06T16:15:50.989983+00:00",
"updated_at": "2025-07-22T05:02:10.567667+00:00",
"url": "https://github.com/security-research/CVE-2021-28474-poc",
"name": "SharePoint RCE Deserialization Exploit",
"description": null,
"maturity": "POC",
"disclosed_at": null,
"authors": null,
"cve_ids": []
}
],
"exploitations": [],
"mentions": [
{
"uuid": "ac3b509f-1743-4bb3-9f32-53616fbd5cf9",
"created_at": "2025-07-21T04:41:31.120081+00:00",
"updated_at": "2025-07-21T04:41:31.120081+00:00",
"published_at": "2021-05-12T10:30:00+00:00",
"overview": "Critical SharePoint vulnerability being actively exploited",
"context": null,
"reference_uuid": null,
"reference_url": null,
"reference_source": null,
"reference_user_generated_content": null,
"reference_topic": null,
"vulnerability_uuid": null,
"cve_id": "CVE-2021-28474",
"vulnerability_gen_display_name": null
}
],
"detection_signatures": [],
"vulnerable_configurations": [
{
"uuid": "f23172c2-c564-4972-8dad-c6590382a260",
"created_at": "2025-01-27T00:52:32.701076+00:00",
"updated_at": "2025-01-27T00:52:32.701076+00:00",
"cpe_id": "3d0c0d15e95decc6c4e1ec0d362bb2695b85094e",
"set_id": "fe23f2cee114772e9cef90d8d2802914ba619e0b3bba813acc2880d79914761d",
"cpe23_uri": "cpe:2.3:a:microsoft:sharepoint_foundation:2013:sp1:*:*:*:*:*:*",
"edition": null,
"language": null,
"sw_edition": null,
"target_sw": null,
"target_hw": null,
"other": null,
"version_start_excluding": null,
"version_start_including": null,
"version_end_excluding": null,
"version_end_including": null,
"update_start_including": null,
"update_end_including": null,
"is_vulnerable": true,
"vendor": null,
"vendor_display_name": "Microsoft",
"product_type": null,
"product_name": null,
"product_display_name": "Sharepoint Foundation",
"cve_id": "CVE-2021-28474"
}
]
}
Vulnerability Example
{
"uuid": "cfbf89e4-eae2-46d8-817a-546f832380b2",
"created_at": "2024-10-06T16:15:50.989983+00:00",
"updated_at": "2025-07-22T05:02:10.567667+00:00",
"cve_id": "CVE-2021-28474",
"state": "PUBLISHED",
"description": "Microsoft SharePoint Server Remote Code Execution Vulnerability",
"gen_description": "CVE-2021-28474 is a critical remote code execution vulnerability in Microsoft SharePoint Server, arising from unsafe deserialization of untrusted data. The vulnerability allows unauthenticated attackers to execute arbitrary code on the server by sending specially crafted requests that exploit the deserialization process.",
"gen_display_name": "RCE via Deserialization in Microsoft SharePoint Server (CVE-2021-28474)",
"gen_cwe_id": "CWE-502",
"gen_impact": "Successful exploitation allows unauthenticated remote code execution, granting attackers full control over the affected SharePoint server.",
"gen_mitigations": "If immediate patching is not possible, disconnect vulnerable SharePoint servers from the Internet to prevent exploitation. Deploy endpoint detection and response (EDR) solutions, enable AMSI integration, and monitor for known indicators of compromise.",
"gen_remediation": "Apply the security updates provided by Microsoft for all affected SharePoint Server versions as soon as possible. Ensure that all cryptographic secrets are rotated after patching.",
"cvss_base_score": 8.8,
"cvss_version": 3.1,
"cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"cvss_source": "[email protected]",
"cvss_type": "Secondary",
"cvss_data": null,
"epss_score": 0.11384,
"epss_percentile": 0.9324,
"cisa_kev_added_at": null,
"reserved_at": "2021-03-15T00:00:00+00:00",
"published_at": "2021-05-11T19:11:16+00:00",
"upstream_references": null,
"raw_mitre_cvelist_v5_cves_adp": null,
"weaknesses": [
"CWE-436"
],
"mentions_count": 3,
"detection_signatures_count": 0,
"exploits_count": 0,
"exploitations_count": 0,
"vulnerable_configurations_count": 6
}
Exploit Example
{
"uuid": "660e8400-e29b-41d4-a716-446655440001",
"created_at": "2024-10-06T16:15:50.989983+00:00",
"updated_at": "2025-07-22T05:02:10.567667+00:00",
"url": "https://github.com/security-research/CVE-2021-28474-poc",
"name": "SharePoint RCE Deserialization Exploit",
"description": "Proof of concept exploit demonstrating remote code execution via unsafe deserialization in SharePoint Server",
"maturity": "POC",
"disclosed_at": null,
"authors": null,
"cve_ids": []
}
Exploitation Example
{
"uuid": "770e8400-e29b-41d4-a716-446655440002",
"created_at": "2024-10-06T16:15:50.989983+00:00",
"updated_at": "2025-07-22T05:02:10.567667+00:00",
"begins_at": "2021-06-15T00:00:00+00:00",
"ends_at": "2021-08-30T00:00:00+00:00",
"count": 42,
"detection_signature_uuid": "880e8400-e29b-41d4-a716-446655440003",
"detection_signature_name": "CVE_2021_28474_SharePoint_RCE",
"detection_signature_source": "custom_rules",
"detection_signature_method": "IPS"
}
Detection Signature Example
{
"uuid": "880e8400-e29b-41d4-a716-446655440003",
"created_at": "2024-10-06T16:15:50.989983+00:00",
"updated_at": "2025-07-22T05:02:10.567667+00:00",
"upstream_id": "SIG-2021-28474-001",
"source": "security_team",
"method": "IPS",
"name": "CVE_2021_28474_SharePoint_RCE",
"description": "IPS signature to detect exploitation attempts against CVE-2021-28474 SharePoint deserialization vulnerability"
}
Mention Example
{
"uuid": "ac3b509f-1743-4bb3-9f32-53616fbd5cf9",
"created_at": "2025-07-21T04:41:31.120081+00:00",
"updated_at": "2025-07-21T04:41:31.120081+00:00",
"published_at": "2021-05-12T10:30:00+00:00",
"overview": "Critical SharePoint vulnerability being actively exploited",
"context": "Security researchers have identified active exploitation of CVE-2021-28474 in the wild, targeting unpatched SharePoint servers with deserialization attacks",
"reference_uuid": null,
"reference_url": "https://threatpost.com/sharepoint-rce-attacks/166542/",
"reference_source": "threatpost.com",
"reference_user_generated_content": null,
"reference_topic": "SharePoint RCE Vulnerability",
"vulnerability_uuid": null,
"cve_id": "CVE-2021-28474",
"vulnerability_gen_display_name": null
}
Vulnerable Configuration Example
{
"uuid": "f23172c2-c564-4972-8dad-c6590382a260",
"created_at": "2025-01-27T00:52:32.701076+00:00",
"updated_at": "2025-01-27T00:52:32.701076+00:00",
"cpe_id": "3d0c0d15e95decc6c4e1ec0d362bb2695b85094e",
"set_id": "fe23f2cee114772e9cef90d8d2802914ba619e0b3bba813acc2880d79914761d",
"cpe23_uri": "cpe:2.3:a:microsoft:sharepoint_foundation:2013:sp1:*:*:*:*:*:*",
"edition": "ANY",
"language": "ANY",
"sw_edition": "ANY",
"target_sw": "ANY",
"target_hw": "ANY",
"other": "ANY",
"version_start_excluding": null,
"version_start_including": "2013",
"version_end_excluding": null,
"version_end_including": "2013",
"update_start_including": "sp1",
"update_end_including": "sp1",
"is_vulnerable": true,
"vendor": "microsoft",
"vendor_display_name": "Microsoft",
"product_type": "application",
"product_name": "sharepoint_foundation",
"product_display_name": "Sharepoint Foundation",
"cve_id": "CVE-2021-28474"
}