# Sightings

## Presentation
Users can add observations to vulnerabilities with different types of sightings, such as: seen, exploited, not exploited, confirmed, not confirmed, patched, and not patched.

| Type | Description | Negative/Opposite |
|---|---|---|
| seen | The vulnerability was mentioned, discussed, or observed by the user. | No |
| confirmed | The vulnerability has been validated from an analyst's perspective. | Yes |
| published-proof-of-concept | A public proof of concept is available for this vulnerability. | No |
| exploited | The vulnerability was observed as exploited by the user who reported the sighting. | Yes |
| patched | The vulnerability was observed as successfully patched by the user who reported the sighting. | Yes |
You can find the corresponding definition of the MISP taxonomy here.
## Color code
Color code used in the application:
(Table: sighting type and its color code; the color swatches are not reproduced in this text version.)
## Example
Example of a sighting object:
```json
{
  "uuid": "f6ed692b-2656-4ce0-bcf1-eaf12dfe281d",
  "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
  "author": "8dfa6142-8c6d-4072-953e-71c85404aefb",
  "type": "seen",
  "source": "https://infosec.exchange/users/cve/statuses/113389560858828548",
  "vulnerability": "CVE-2024-10312",
  "creation_timestamp": "2024-10-29T08:36:31.492184Z"
}
```
A source is not necessarily a URL. It can be any string, for example the UUID of a MISP event. Examples: https://vulnerability.circl.lu/sightings/?query=MISP
## Automation and tools
Realistically, sightings are more likely to be created programmatically, for instance, based on observations gathered from social networks, network captures, etc.
Our sighting tools are available in the user manual.
If you want to create your own sighting tool, it's recommended to use PyVulnerabilityLookup, a Python library to access Vulnerability-Lookup via its REST API.

### PyVulnerabilityLookup usage example
Initialize a PyVulnerabilityLookup object:

```python
from pyvulnerabilitylookup import PyVulnerabilityLookup

vuln_lookup = PyVulnerabilityLookup("https://vulnerability.circl.lu/", token="<YOUR-API-TOKEN>")
```
Retrieve sightings for a specific vulnerability:

```python
sighting_cve_list = vuln_lookup.get_sightings(vuln_id='CVE-2024-9474')
print(sighting_cve_list)
```
Output:

```json
{
  "metadata": {
    "count": 104,
    "page": 1,
    "per_page": 1000
  },
  "data": [
    {
      "uuid": "b804f360-9d9f-4326-a1ae-e32fb82e268b",
      "creation_timestamp": "2024-11-18T22:19:16.087185+00:00",
      "type": "seen",
      "source": "https://feedsin.space/feed/CISAKevBot/items/2704494",
      "vulnerability": "CVE-2024-9474",
      "author": {
        "login": "automation",
        "name": "Automation user",
        "uuid": "9f56dd64-161d-43a6-b9c3-555944290a09"
      }
    }
  ]
}
```
Create a new sighting:

```python
sighting = {"type": "exploited", "source": "<source-of-the-sighting>", "vulnerability": 'CVE-2024-9474'}
created_sighting = vuln_lookup.create_sighting(sighting=sighting)
print(created_sighting)
```
Output:

```json
{
  "metadata": {
    "count": 1,
    "page": 1,
    "per_page": 1000
  },
  "data": [
    {
      "uuid": "b498cb64-9cbc-423a-aea0-bf58d740c024",
      "creation_timestamp": "2024-11-19T10:45:45.634635+01:00",
      "type": "exploited",
      "source": "<source-of-the-sighting>",
      "vulnerability": "CVE-2024-9474",
      "author": {
        "login": "cedric",
        "name": "Cédric",
        "uuid": "8dfa6142-8c6d-4072-953e-71c85404aefb"
      }
    }
  ]
}
```
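A sighting tool built on the calls above typically has to validate what it submits and avoid re-submitting observations the instance already holds. The following is an added example, not code from the Vulnerability-Lookup project or from PyVulnerabilityLookup: it checks a candidate sighting against the taxonomy table in this page, filters out duplicates using the response shape returned by `get_sightings()`, and counts sightings per type. The `not-<type>` spelling for negative sightings and the sample data are assumptions of this example.

```python
# Added example, not code from the Vulnerability-Lookup project or PyVulnerabilityLookup.
# It validates sightings before they go to create_sighting() and inspects the dict
# shape that get_sightings() returns (see the outputs above), entirely offline.
import re
from collections import Counter

# Sighting types from the table above, mapped to whether a negative form exists.
SIGHTING_TYPES = {"seen": False, "confirmed": True, "published-proof-of-concept": False,
                  "exploited": True, "patched": True}
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def build_sighting(vulnerability, sighting_type, source, negative=False):
    """Return a dict in the shape create_sighting() expects, or raise ValueError.
    A negative sighting is spelled 'not-<type>' here; that spelling is an assumption
    of this example and should be checked against the MISP vulnerability taxonomy."""
    if not CVE_RE.match(vulnerability):
        raise ValueError(f"not a CVE identifier: {vulnerability!r}")
    if sighting_type not in SIGHTING_TYPES:
        raise ValueError(f"unknown sighting type: {sighting_type!r}")
    if negative and not SIGHTING_TYPES[sighting_type]:
        raise ValueError(f"{sighting_type!r} has no negative form")
    if not source or not source.strip():
        raise ValueError("source must be a non-empty string (URL, MISP event UUID, ...)")
    return {"type": f"not-{sighting_type}" if negative else sighting_type,
            "source": source.strip(), "vulnerability": vulnerability}


def new_sightings(candidates, response):
    """Drop candidates whose (type, source) pair is already recorded for the CVE, so a
    tool that runs repeatedly over a feed does not re-submit the same sighting."""
    seen = {(s["type"], s["source"]) for s in response.get("data", [])}
    return [c for c in candidates if (c["type"], c["source"]) not in seen]


def summarise(response):
    """Count sightings per type: a quick check for exploitation or patch evidence."""
    return dict(Counter(s["type"] for s in response.get("data", [])))


# Constructed sample in the shape returned by get_sightings() above (not real data).
EXISTING = {"metadata": {"count": 2, "page": 1, "per_page": 1000}, "data": [
    {"type": "seen", "source": "https://example.invalid/feed/1", "vulnerability": "CVE-2024-9474"},
    {"type": "exploited", "source": "https://example.invalid/report/7", "vulnerability": "CVE-2024-9474"},
]}
```

In a real tool, `EXISTING` would be the result of `vuln_lookup.get_sightings(vuln_id=...)` and each dict returned by `new_sightings()` would be passed to `vuln_lookup.create_sighting(sighting=...)`.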
PyVulnerabilityLookup supports various object types within the VulnerabilityLookup framework. Refer to the tests for detailed examples and usage.