Export - Vuln Intel

Vulnerability Intelligence Export Models Documentation

Version: 2.0.0

Description: Vulnerability Intelligence Export Models Documentation

Version History

  • 2.0.0: Initial public release. Adjusted configuration fields to be snake cased on each vulnerability

  • 1.1.0: Adjusted 'nvd_references' field on each vulnerability to 'upstream_references'

  • 1.0.0: Internal release of the vulnerability intelligence export

Additional Materials

For additional materials including the complete JSON schema, API documentation, and integration examples, please contact [email protected].


Table of Contents

  • Export Record Format

  • Export Models

    • Vulnerability

    • Exploit

    • Exploitation

    • Detection Signature

    • Mention

    • Vulnerable Configuration

  • Enums

  • Examples

Export Record Format

The main export format for vulnerability intelligence data.

Export Name: vuln_intel_record

Version: 2.0.0

Description: Complete vulnerability intelligence record with all related entities

Each line in the JSONL export contains a complete vulnerability record with all related entities:

{"uuid": "...", "vulnerability": {...}, "exploits": [...], "mentions": [...]}
{"uuid": "...", "vulnerability": {...}, "exploits": [...], "mentions": [...]}

Export Record Fields

Field | Type | Required | Description
--- | --- | --- | ---
uuid | string | | Unique identifier for this record
created_at | string | | When this record was first created in the system
updated_at | string | | When this record was last updated in the system
vulnerability | object | | Core vulnerability intelligence data
exploits | array[object] | | List of known exploits for this vulnerability
exploitations | array[object] | | List of recorded exploitations of this vulnerability
mentions | array[object] | | List of mentions/references for this vulnerability
detection_signatures | array[object] | | List of detection signatures for this vulnerability
vulnerable_configurations | array[object] | | List of vulnerable product configurations for this vulnerability

Export Models

The following models represent the individual components that make up the complete export record:

Vulnerability

Export Name: vuln_intel_vulnerability

Version: 1.0.0

Description: Vulnerability intelligence export with core vulnerability data and related entities

Fields

Field | Type | Required | Description
--- | --- | --- | ---
uuid | string | | Unique identifier for this record
created_at | string | | When this record was first created in the system
updated_at | string | | When this record was last updated in the system
cve_id | string | | CVE identifier (e.g., CVE-2023-1234)
state | string | | Vulnerability state from MITRE (e.g., PUBLISHED, RESERVED)
description | string | | Official vulnerability description
gen_description | string | | Mallory-generated enhanced description
gen_display_name | string | | Mallory-generated display name for the vulnerability
gen_cwe_id | string | | Mallory-generated CWE identifier
gen_impact | string | | Mallory-generated impact assessment
gen_mitigations | string | | Mallory-generated mitigation recommendations
gen_remediation | string | | Mallory-generated remediation guidance
cvss_base_score | number | | CVSS base score (0.0-10.0)
cvss_version | number | | CVSS version (e.g., 3.1, 4.0)
cvss_vector | string | | CVSS vector string
cvss_source | string | | Source of CVSS data (e.g., NVD, vendor)
cvss_type | string | | Type of CVSS score (e.g., Primary, Secondary)
cvss_data | array[object] | | Complete CVSS vector data as array of dictionaries
epss_score | number | | EPSS score (0.0-1.0) indicating probability of exploitation
epss_percentile | number | | EPSS percentile ranking (0.0-1.0)
cisa_kev_added_at | string | | Date when added to CISA Known Exploited Vulnerabilities (KEV) catalog
reserved_at | string | | CVE reservation date
published_at | string | | CVE publication date
upstream_references | array[object] | | Upstream reference links from NVD and other sources
raw_mitre_cvelist_v5_cves_adp | array[object] | | Raw MITRE CVE ADP (Authorized Data Publisher) data
weaknesses | array[string] | | List of CWE identifiers associated with this vulnerability
mentions_count | integer | | Number of mentions/references found for this vulnerability
detection_signatures_count | integer | | Number of detection signatures available for this vulnerability
exploits_count | integer | | Number of known exploits for this vulnerability
exploitations_count | integer | | Number of recorded exploitations of this vulnerability
vulnerable_configurations_count | integer | | Number of vulnerable product configurations for this vulnerability

Summary

  • Total Fields: 31

  • Required Fields: 3

  • Optional Fields: 28

Exploit

Export Name: vuln_intel_exploit

Version: 1.0.0

Description: Exploit intelligence export with core exploit data and CVE relationships

Fields

Field | Type | Required | Description
--- | --- | --- | ---
uuid | string | | Unique identifier for this record
created_at | string | | When this record was first created in the system
updated_at | string | | When this record was last updated in the system
url | string | | URL to the exploit code or proof-of-concept
name | string | | Name or title of the exploit
description | string | | Description of the exploit and what it does
maturity | string | | Maturity level of the exploit (UNKNOWN, POC, OPERATIONAL, WEAPONIZED)
disclosed_at | string | | Date when the exploit was first disclosed or published
authors | string | | Authors or researchers who discovered/published the exploit
cve_ids | array[string] | | List of CVE identifiers that this exploit targets

Summary

  • Total Fields: 10

  • Required Fields: 4

  • Optional Fields: 6

Exploitation

Export Name: vuln_intel_exploitation

Version: 1.0

Description: Vulnerability exploitation incident data for export

Fields

Field | Type | Required | Description
--- | --- | --- | ---
uuid | string | | Unique identifier for this record
created_at | string | | When this record was first created in the system
updated_at | string | | When this record was last updated in the system
begins_at | string | | When the exploitation period began
ends_at | string | | When the exploitation period ended
count | integer | | Number of exploitation incidents recorded
detection_signature_uuid | string | | UUID of the associated detection signature
detection_signature_name | string | | Name of the associated detection signature
detection_signature_source | string | | Source of the detection signature
detection_signature_method | string | | Detection method used by the signature

Summary

  • Total Fields: 10

  • Required Fields: 3

  • Optional Fields: 7

Detection Signature

Export Name: vuln_intel_detection_signature

Version: 1.0

Description: Detection signature intelligence data for export

Fields

Field | Type | Required | Description
--- | --- | --- | ---
uuid | string | | Unique identifier for this record
created_at | string | | When this record was first created in the system
updated_at | string | | When this record was last updated in the system
upstream_id | string | | Upstream identifier for the detection signature
source | string | | Source of the detection signature (e.g., vendor, organization)
method | string | | Detection method used (e.g., IPS, EDR, Malware)
name | string | | Name of the detection signature
description | string | | Description of what the detection signature identifies

Summary

  • Total Fields: 8

  • Required Fields: 3

  • Optional Fields: 5

Mention

Export Name: vuln_intel_mention

Version: 1.0

Description: Vulnerability mention intelligence data for export

Fields

Field | Type | Required | Description
--- | --- | --- | ---
uuid | string | | Unique identifier for this record
created_at | string | | When this record was first created in the system
updated_at | string | | When this record was last updated in the system
published_at | string | | Date when the mention was published
overview | string | | Brief overview or summary of the mention
context | string | | Context or detailed content of the mention
reference_uuid | string | | UUID of the reference document/source
reference_url | string | | URL of the reference document/source
reference_source | string | | Source of the reference (e.g., vendor, publication)
reference_user_generated_content | boolean | | Whether the reference is user-generated content
reference_topic | string | | Topic or category of the reference
vulnerability_uuid | string | | UUID of the related vulnerability
cve_id | string | | CVE identifier of the related vulnerability
vulnerability_gen_display_name | string | | Mallory-generated display name for the related vulnerability

Summary

  • Total Fields: 14

  • Required Fields: 3

  • Optional Fields: 11

Vulnerable Configuration

Export Name: vuln_intel_vulnerable_configuration

Version: 1.0

Description: Vulnerable configuration intelligence data for export

Fields

Field | Type | Required | Description
--- | --- | --- | ---
uuid | string | | Unique identifier for this record
created_at | string | | When this record was first created in the system
updated_at | string | | When this record was last updated in the system
cpe_id | string | | Common Platform Enumeration identifier for this configuration
set_id | string | | Group identifier for related configurations
cpe23_uri | string | | CPE 2.3 URI format string
edition | string | | Edition component of the CPE
language | string | | Language component of the CPE
sw_edition | string | | Software edition component of the CPE
target_sw | string | | Target software environment
target_hw | string | | Target hardware environment
other | string | | Other CPE component information
version_start_excluding | string | | Starting version (exclusive) of vulnerable range
version_start_including | string | | Starting version (inclusive) of vulnerable range
version_end_excluding | string | | Ending version (exclusive) of vulnerable range
version_end_including | string | | Ending version (inclusive) of vulnerable range
update_start_including | string | | Starting update (inclusive) of vulnerable range
update_end_including | string | | Ending update (inclusive) of vulnerable range
is_vulnerable | boolean | | Whether this configuration is vulnerable
vendor | string | | Vendor name for the technology product
vendor_display_name | string | | Display name for the vendor
product_type | string | | Type of the technology product (e.g., application, operating_system)
product_name | string | | Name of the technology product
product_display_name | string | | Display name for the technology product
cve_id | string | | CVE identifier of the associated vulnerability

Summary

  • Total Fields: 25

  • Required Fields: 6

  • Optional Fields: 19
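An added example, not part of this documentation or of the Mallory export tooling, showing how a consumer can match an asset's CPE against a vulnerable_configuration record: it splits the cpe23_uri into its components and applies the version_* and update_* range fields, treating an unspecified ('*') component on the asset side as affected so that incomplete inventory data does not hide a match. The SharePoint configuration is built from the page's own example; the examplevendor/exampleapp configuration and the helper names are constructed to show an open-ended range, which goes beyond the page's single exact-version case.

```python
import re

# The 13 components of a CPE 2.3 formatted string, in order.
CPE23_FIELDS = ("cpe", "cpe_version", "part", "vendor", "product", "version", "update",
                "edition", "language", "sw_edition", "target_sw", "target_hw", "other")
VERSION_BOUNDS = ("version_start_including", "version_start_excluding",
                  "version_end_including", "version_end_excluding")
# The export's update range carries inclusive bounds only, so the exclusive slots are None.
UPDATE_BOUNDS = ("update_start_including", None, "update_end_including", None)

def parse_cpe23(uri):
    """Split a cpe23_uri into a dict; a colon escaped as '\\:' is data, not a separator."""
    parts = re.split(r"(?<!\\):", uri)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {uri!r}")
    return dict(zip(CPE23_FIELDS, parts))

def _vkey(value):
    """Sort key for version/update strings: numeric pieces compare as ints, the rest as text."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.\-]", value))

def _in_range(value, start_inc, start_exc, end_inc, end_exc):
    """True when value lies inside the (possibly open-ended) range; None means no bound."""
    k = _vkey(value)
    return not ((start_inc is not None and k < _vkey(start_inc))
                or (start_exc is not None and k <= _vkey(start_exc))
                or (end_inc is not None and k > _vkey(end_inc))
                or (end_exc is not None and k >= _vkey(end_exc)))

def _component_ok(cfg, want, have, bound_keys):
    """Check one CPE component (version or update) against the configuration's range fields."""
    if have == "*":  # asset does not state this component: assume affected rather than miss it
        return True
    bounds = [cfg.get(k) if k else None for k in bound_keys]
    if any(b is not None for b in bounds):
        return _in_range(have, *bounds)
    return want in ("*", have)  # no range given: the configuration's own value must match

def config_matches(cfg, asset_cpe):
    """Does an asset's CPE fall inside an exported vulnerable_configuration record?"""
    if not cfg.get("is_vulnerable"):
        return False
    want, have = parse_cpe23(cfg["cpe23_uri"]), parse_cpe23(asset_cpe)
    if any(want[f] not in ("*", have[f]) for f in ("part", "vendor", "product")):
        return False
    return (_component_ok(cfg, want["version"], have["version"], VERSION_BOUNDS)
            and _component_ok(cfg, want["update"], have["update"], UPDATE_BOUNDS))

# Built from the page's Vulnerable Configuration example (fields not used here omitted).
SHAREPOINT_2013_SP1 = {
    "cpe23_uri": "cpe:2.3:a:microsoft:sharepoint_foundation:2013:sp1:*:*:*:*:*:*",
    "version_start_including": "2013", "version_end_including": "2013",
    "update_start_including": "sp1", "update_end_including": "sp1", "is_vulnerable": True,
}
# Constructed open-ended range: every version from 2.0 up to, but excluding, 2.4.1.
RANGE_CFG = {"cpe23_uri": "cpe:2.3:a:examplevendor:exampleapp:*:*:*:*:*:*:*:*",
             "version_start_including": "2.0", "version_end_excluding": "2.4.1", "is_vulnerable": True}
```

Call config_matches(SHAREPOINT_2013_SP1, asset_cpe) for each asset in an inventory to list the hosts an exported configuration covers.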

Enums

MaturityLevel

Description: Exploit maturity levels

Values:

  • UNKNOWN

  • POC

  • OPERATIONAL

  • WEAPONIZED
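An added example, not part of this documentation, that checks each line of a JSONL export against the record format, field types, value ranges and the MaturityLevel enum described above. The SAMPLE_JSONL input and the function names are constructed; mismatches between the *_count fields and the embedded arrays are reported as warnings rather than errors because the page's own complete record carries exploits_count 0 beside one embedded exploit.

```python
import json
import re
from datetime import datetime

MATURITY_LEVELS = {"UNKNOWN", "POC", "OPERATIONAL", "WEAPONIZED"}  # MaturityLevel enum
# Top-level fields of a vuln_intel_record line and the JSON type each must carry.
RECORD_FIELDS = {"uuid": str, "created_at": str, "updated_at": str, "vulnerability": dict,
                 "exploits": list, "exploitations": list, "mentions": list,
                 "detection_signatures": list, "vulnerable_configurations": list}
ENTITY_LISTS = [k for k, t in RECORD_FIELDS.items() if t is list]

def check_record(rec):
    """Return (errors, warnings): errors break the documented contract, warnings are oddities."""
    errors, warnings = [], []
    for key, typ in RECORD_FIELDS.items():
        if not isinstance(rec.get(key), typ):
            errors.append(f"'{key}' missing or not {typ.__name__}")
    if errors:
        return errors, warnings
    try:  # created_at/updated_at are ISO 8601 with a UTC offset, as in the page's examples
        if datetime.fromisoformat(rec["updated_at"]) < datetime.fromisoformat(rec["created_at"]):
            errors.append("updated_at is earlier than created_at")
    except ValueError as exc:
        errors.append(f"bad timestamp: {exc}")
    vuln = rec["vulnerability"]
    cve = vuln.get("cve_id") or ""
    if not re.fullmatch(r"CVE-\d{4}-\d{4,}", cve):
        errors.append(f"malformed cve_id {cve!r}")
    score = vuln.get("cvss_base_score")
    if score is not None and not 0.0 <= score <= 10.0:
        errors.append(f"cvss_base_score {score} outside 0.0-10.0")
    for name in ("epss_score", "epss_percentile"):
        val = vuln.get(name)
        if val is not None and not 0.0 <= val <= 1.0:
            errors.append(f"{name} {val} outside 0.0-1.0")
    for ex in rec["exploits"]:
        if ex.get("maturity") not in MATURITY_LEVELS:
            errors.append(f"exploit {ex.get('uuid')} has unknown maturity {ex.get('maturity')!r}")
    # The *_count fields are the system's totals; the embedded arrays can differ (the page's
    # own example carries exploits_count 0 next to one exploit), so a mismatch is only a warning.
    for name in ENTITY_LISTS:
        count = vuln.get(f"{name}_count")
        if count is not None and count != len(rec[name]):
            warnings.append(f"{name}_count={count} but {len(rec[name])} embedded")
    return errors, warnings

def check_jsonl(text):
    """Parse JSONL text (blank lines skipped) and return {line_number: (errors, warnings)}."""
    return {n: check_record(json.loads(line))
            for n, line in enumerate(text.splitlines(), 1) if line.strip()}

# Constructed sample: line 1 mirrors the page's example shape, line 2 carries deliberate defects.
SAMPLE_JSONL = """\
{"uuid": "00000000-0000-4000-8000-000000000001", "created_at": "2024-10-06T16:15:50+00:00", "updated_at": "2025-07-22T05:02:10+00:00", "vulnerability": {"cve_id": "CVE-2021-28474", "cvss_base_score": 8.8, "cvss_version": 3.1, "epss_score": 0.11384, "epss_percentile": 0.9324, "exploits_count": 0, "mentions_count": 3}, "exploits": [{"uuid": "00000000-0000-4000-8000-000000000002", "maturity": "POC", "cve_ids": []}], "exploitations": [], "mentions": [], "detection_signatures": [], "vulnerable_configurations": []}
{"uuid": "00000000-0000-4000-8000-000000000003", "created_at": "2024-10-06T16:15:50+00:00", "updated_at": "2024-01-01T00:00:00+00:00", "vulnerability": {"cve_id": "CVE-2021-28474", "cvss_base_score": 11.0, "epss_score": 0.5}, "exploits": [{"uuid": "00000000-0000-4000-8000-000000000004", "maturity": "WEAPONISED", "cve_ids": ["CVE-2021-28474"]}], "exploitations": [], "mentions": [], "detection_signatures": [], "vulnerable_configurations": []}
"""

if __name__ == "__main__":
    for n, (errs, warns) in check_jsonl(SAMPLE_JSONL).items():
        print(f"line {n}: errors={errs} warnings={warns}")
```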

Examples

Below are complete example records showing the structure and content of each export model:

Complete Export Record

A complete vulnerability intelligence record with all related entities:

{
  "uuid": "cfbf89e4-eae2-46d8-817a-546f832380b2",
  "created_at": "2024-10-06T16:15:50.989983+00:00",
  "updated_at": "2025-07-22T05:02:10.567667+00:00",
  "vulnerability": {
    "uuid": "cfbf89e4-eae2-46d8-817a-546f832380b2",
    "created_at": "2024-10-06T16:15:50.989983+00:00",
    "updated_at": "2025-07-22T05:02:10.567667+00:00",
    "cve_id": "CVE-2021-28474",
    "state": "PUBLISHED",
    "description": "Microsoft SharePoint Server Remote Code Execution Vulnerability",
    "gen_description": "CVE-2021-28474 is a critical remote code execution vulnerability in Microsoft SharePoint Server, arising from unsafe deserialization of untrusted data.",
    "gen_display_name": null,
    "gen_cwe_id": null,
    "gen_impact": null,
    "gen_mitigations": null,
    "gen_remediation": null,
    "cvss_base_score": 8.8,
    "cvss_version": 3.1,
    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "cvss_source": null,
    "cvss_type": null,
    "cvss_data": null,
    "epss_score": 0.11384,
    "epss_percentile": 0.9324,
    "cisa_kev_added_at": null,
    "reserved_at": null,
    "published_at": "2021-05-11T19:11:16+00:00",
    "upstream_references": null,
    "raw_mitre_cvelist_v5_cves_adp": null,
    "weaknesses": [
      "CWE-436"
    ],
    "mentions_count": 3,
    "detection_signatures_count": 0,
    "exploits_count": 0,
    "exploitations_count": 0,
    "vulnerable_configurations_count": 6
  },
  "exploits": [
    {
      "uuid": "660e8400-e29b-41d4-a716-446655440001",
      "created_at": "2024-10-06T16:15:50.989983+00:00",
      "updated_at": "2025-07-22T05:02:10.567667+00:00",
      "url": "https://github.com/security-research/CVE-2021-28474-poc",
      "name": "SharePoint RCE Deserialization Exploit",
      "description": null,
      "maturity": "POC",
      "disclosed_at": null,
      "authors": null,
      "cve_ids": []
    }
  ],
  "exploitations": [],
  "mentions": [
    {
      "uuid": "ac3b509f-1743-4bb3-9f32-53616fbd5cf9",
      "created_at": "2025-07-21T04:41:31.120081+00:00",
      "updated_at": "2025-07-21T04:41:31.120081+00:00",
      "published_at": "2021-05-12T10:30:00+00:00",
      "overview": "Critical SharePoint vulnerability being actively exploited",
      "context": null,
      "reference_uuid": null,
      "reference_url": null,
      "reference_source": null,
      "reference_user_generated_content": null,
      "reference_topic": null,
      "vulnerability_uuid": null,
      "cve_id": "CVE-2021-28474",
      "vulnerability_gen_display_name": null
    }
  ],
  "detection_signatures": [],
  "vulnerable_configurations": [
    {
      "uuid": "f23172c2-c564-4972-8dad-c6590382a260",
      "created_at": "2025-01-27T00:52:32.701076+00:00",
      "updated_at": "2025-01-27T00:52:32.701076+00:00",
      "cpe_id": "3d0c0d15e95decc6c4e1ec0d362bb2695b85094e",
      "set_id": "fe23f2cee114772e9cef90d8d2802914ba619e0b3bba813acc2880d79914761d",
      "cpe23_uri": "cpe:2.3:a:microsoft:sharepoint_foundation:2013:sp1:*:*:*:*:*:*",
      "edition": null,
      "language": null,
      "sw_edition": null,
      "target_sw": null,
      "target_hw": null,
      "other": null,
      "version_start_excluding": null,
      "version_start_including": null,
      "version_end_excluding": null,
      "version_end_including": null,
      "update_start_including": null,
      "update_end_including": null,
      "is_vulnerable": true,
      "vendor": null,
      "vendor_display_name": "Microsoft",
      "product_type": null,
      "product_name": null,
      "product_display_name": "Sharepoint Foundation",
      "cve_id": "CVE-2021-28474"
    }
  ]
}

Vulnerability Example

{
  "uuid": "cfbf89e4-eae2-46d8-817a-546f832380b2",
  "created_at": "2024-10-06T16:15:50.989983+00:00",
  "updated_at": "2025-07-22T05:02:10.567667+00:00",
  "cve_id": "CVE-2021-28474",
  "state": "PUBLISHED",
  "description": "Microsoft SharePoint Server Remote Code Execution Vulnerability",
  "gen_description": "CVE-2021-28474 is a critical remote code execution vulnerability in Microsoft SharePoint Server, arising from unsafe deserialization of untrusted data. The vulnerability allows unauthenticated attackers to execute arbitrary code on the server by sending specially crafted requests that exploit the deserialization process.",
  "gen_display_name": "RCE via Deserialization in Microsoft SharePoint Server (CVE-2021-28474)",
  "gen_cwe_id": "CWE-502",
  "gen_impact": "Successful exploitation allows unauthenticated remote code execution, granting attackers full control over the affected SharePoint server.",
  "gen_mitigations": "If immediate patching is not possible, disconnect vulnerable SharePoint servers from the Internet to prevent exploitation. Deploy endpoint detection and response (EDR) solutions, enable AMSI integration, and monitor for known indicators of compromise.",
  "gen_remediation": "Apply the security updates provided by Microsoft for all affected SharePoint Server versions as soon as possible. Ensure that all cryptographic secrets are rotated after patching.",
  "cvss_base_score": 8.8,
  "cvss_version": 3.1,
  "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
  "cvss_source": "[email protected]",
  "cvss_type": "Secondary",
  "cvss_data": null,
  "epss_score": 0.11384,
  "epss_percentile": 0.9324,
  "cisa_kev_added_at": null,
  "reserved_at": "2021-03-15T00:00:00+00:00",
  "published_at": "2021-05-11T19:11:16+00:00",
  "upstream_references": null,
  "raw_mitre_cvelist_v5_cves_adp": null,
  "weaknesses": [
    "CWE-436"
  ],
  "mentions_count": 3,
  "detection_signatures_count": 0,
  "exploits_count": 0,
  "exploitations_count": 0,
  "vulnerable_configurations_count": 6
}

Exploit Example

{
  "uuid": "660e8400-e29b-41d4-a716-446655440001",
  "created_at": "2024-10-06T16:15:50.989983+00:00",
  "updated_at": "2025-07-22T05:02:10.567667+00:00",
  "url": "https://github.com/security-research/CVE-2021-28474-poc",
  "name": "SharePoint RCE Deserialization Exploit",
  "description": "Proof of concept exploit demonstrating remote code execution via unsafe deserialization in SharePoint Server",
  "maturity": "POC",
  "disclosed_at": null,
  "authors": null,
  "cve_ids": []
}

Exploitation Example

{
  "uuid": "770e8400-e29b-41d4-a716-446655440002",
  "created_at": "2024-10-06T16:15:50.989983+00:00",
  "updated_at": "2025-07-22T05:02:10.567667+00:00",
  "begins_at": "2021-06-15T00:00:00+00:00",
  "ends_at": "2021-08-30T00:00:00+00:00",
  "count": 42,
  "detection_signature_uuid": "880e8400-e29b-41d4-a716-446655440003",
  "detection_signature_name": "CVE_2021_28474_SharePoint_RCE",
  "detection_signature_source": "custom_rules",
  "detection_signature_method": "IPS"
}

Detection Signature Example

{
  "uuid": "880e8400-e29b-41d4-a716-446655440003",
  "created_at": "2024-10-06T16:15:50.989983+00:00",
  "updated_at": "2025-07-22T05:02:10.567667+00:00",
  "upstream_id": "SIG-2021-28474-001",
  "source": "security_team",
  "method": "IPS",
  "name": "CVE_2021_28474_SharePoint_RCE",
  "description": "IPS signature to detect exploitation attempts against CVE-2021-28474 SharePoint deserialization vulnerability"
}

Mention Example

{
  "uuid": "ac3b509f-1743-4bb3-9f32-53616fbd5cf9",
  "created_at": "2025-07-21T04:41:31.120081+00:00",
  "updated_at": "2025-07-21T04:41:31.120081+00:00",
  "published_at": "2021-05-12T10:30:00+00:00",
  "overview": "Critical SharePoint vulnerability being actively exploited",
  "context": "Security researchers have identified active exploitation of CVE-2021-28474 in the wild, targeting unpatched SharePoint servers with deserialization attacks",
  "reference_uuid": null,
  "reference_url": "https://threatpost.com/sharepoint-rce-attacks/166542/",
  "reference_source": "threatpost.com",
  "reference_user_generated_content": null,
  "reference_topic": "SharePoint RCE Vulnerability",
  "vulnerability_uuid": null,
  "cve_id": "CVE-2021-28474",
  "vulnerability_gen_display_name": null
}

Vulnerable Configuration Example

{
  "uuid": "f23172c2-c564-4972-8dad-c6590382a260",
  "created_at": "2025-01-27T00:52:32.701076+00:00",
  "updated_at": "2025-01-27T00:52:32.701076+00:00",
  "cpe_id": "3d0c0d15e95decc6c4e1ec0d362bb2695b85094e",
  "set_id": "fe23f2cee114772e9cef90d8d2802914ba619e0b3bba813acc2880d79914761d",
  "cpe23_uri": "cpe:2.3:a:microsoft:sharepoint_foundation:2013:sp1:*:*:*:*:*:*",
  "edition": "ANY",
  "language": "ANY",
  "sw_edition": "ANY",
  "target_sw": "ANY",
  "target_hw": "ANY",
  "other": "ANY",
  "version_start_excluding": null,
  "version_start_including": "2013",
  "version_end_excluding": null,
  "version_end_including": "2013",
  "update_start_including": "sp1",
  "update_end_including": "sp1",
  "is_vulnerable": true,
  "vendor": "microsoft",
  "vendor_display_name": "Microsoft",
  "product_type": "application",
  "product_name": "sharepoint_foundation",
  "product_display_name": "Sharepoint Foundation",
  "cve_id": "CVE-2021-28474"
}
