Query announces the CISA Known Exploited Vulnerabilities (KEV) Catalog Connector!

The United States Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) Catalog is a collection of Common Vulnerabilities and Exposures (CVEs) that CISA has observed being actively exploited by a variety of threat actors. Each of these vulnerabilities contains basic information such as commentary from CISA, reporting details, and a naming convention. The concept of the KEV Catalog is to use these vulnerabilities as an input to your vulnerability and patch management program’s prioritization workflow(s).

To provide more usable details as enrichment to each CVE listed in the KEV, Query additionally enriches the final normalized record with metadata about the CVE from Mitre’s AWG CVE API. This ensures that potentially important metadata such as the descriptions, titles, Common Platform Enumeration (CPE) identifiers, semantic version data for impacted software packages, potential remediation detail, and scoring (e.g., CVSS 3.1 and CVSS 4.0) details are provided.

Usage

All federated searches have their searches and results expressed in the terms of the Query Data Model (QDM), which is based on the Open Cybersecurity Schema Framework (OCSF). Each API source is normalized into a specific QDM/OCSF Event Class to standardize and normalize the data for increased situational awareness, ease of aggregation and filtering, and easy pivoting.

API Name: CISA KEV, MITRE AWG CVE
QDM/OCSF Event Class: OSINT Inventory Info
Entities/Observables: CVE ID, CWE ID

When searching for CVEs or CWEs with Query, if a match is found in the KEV, the fully enriched record from the combination of both data sources is returned as a single collated record. The intended usage is searching for a specific CVE or CWE within Query Federated Search, either prompted by an external tool or as a pivot from another result. The details are brought back if there is a match in the KEV Catalog. Analysts can then examine the metadata and make decisions around countermeasures, patching, remediation, and other responses.

The CISA KEV only contains a modicum of details: a name and short description from CISA, the CVE ID, and the CWE ID(s). To bring forward CVE-specific details as well as Common Platform Enumeration (CPE) identifiers, semantic version details, publication details, and other metadata, the Mitre AWG CVE API is used. That data is combined into the final normalized Event Class.

This enrichment is ONLY performed if the CVE is in the KEV Catalog; if there is no match, the enrichment does not happen automatically.
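
The KEV-gated enrichment described above, as an added illustration that is not Query's own code: the KEV entry and the CVE record are constructed samples shaped after the public CISA KEV JSON feed and the MITRE CVE JSON 5.x record format, and the output field names are this example's own, not the QDM/OCSF schema.

```python
# Added illustration of KEV-gated enrichment. Not Query's code; the sample KEV entry
# and CVE record are constructed, shaped after the CISA KEV JSON feed and the MITRE
# CVE JSON 5.x record format. Output keys are illustrative, not the QDM/OCSF schema.
import json

# Constructed sample: one entry in the shape of the CISA KEV JSON feed.
KEV_FEED = json.loads("""{"vulnerabilities": [{
  "cveID": "CVE-2099-0001", "vendorProject": "ExampleCorp",
  "product": "Widget Server", "vulnerabilityName": "Widget Server RCE",
  "shortDescription": "Unauthenticated remote code execution.",
  "dateAdded": "2099-01-15", "requiredAction": "Apply vendor patch.",
  "cwes": ["CWE-787"]}]}""")

# Constructed sample: the matching record in the shape of a MITRE CVE JSON 5.x document.
CVE_RECORDS = {"CVE-2099-0001": json.loads("""{
  "cveMetadata": {"cveId": "CVE-2099-0001", "datePublished": "2099-01-10T00:00:00Z"},
  "containers": {"cna": {
    "title": "Widget Server 3.x remote code execution",
    "descriptions": [{"lang": "en", "value": "A heap overflow in the request parser."}],
    "affected": [{"vendor": "ExampleCorp", "product": "Widget Server",
      "versions": [{"version": "3.0.0", "lessThan": "3.2.1", "status": "affected", "versionType": "semver"}]}],
    "metrics": [{"cvssV3_1": {"baseScore": 9.8, "baseSeverity": "CRITICAL",
      "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}]}}}""")}

def kev_index(feed):
    """Index KEV entries by CVE ID so each lookup is a dictionary hit."""
    return {v["cveID"]: v for v in feed["vulnerabilities"]}

def enrich(cve_id, kev=None, records=None):
    """Return one collated record only when the CVE is in the KEV Catalog.
    A CVE that is not in the catalog yields None: no enrichment is attempted."""
    kev = kev if kev is not None else kev_index(KEV_FEED)
    records = records if records is not None else CVE_RECORDS
    entry = kev.get(cve_id)
    if entry is None:
        return None
    rec = records.get(cve_id, {})
    cna = rec.get("containers", {}).get("cna", {})
    cvss = next((m["cvssV3_1"] for m in cna.get("metrics", []) if "cvssV3_1" in m), {})
    desc = next((d["value"] for d in cna.get("descriptions", []) if d.get("lang") == "en"),
                entry["shortDescription"])  # fall back to the KEV short description
    return {
        "cve_id": cve_id, "cwe_ids": entry.get("cwes", []),
        "kev_name": entry["vulnerabilityName"], "kev_date_added": entry["dateAdded"],
        "required_action": entry["requiredAction"],
        "title": cna.get("title"), "description": desc,
        "published": rec.get("cveMetadata", {}).get("datePublished"),
        "affected": [{"vendor": a["vendor"], "product": a["product"], "versions": a.get("versions", [])}
                     for a in cna.get("affected", [])],
        "cvss_3_1": {"score": cvss.get("baseScore"), "severity": cvss.get("baseSeverity"),
                     "vector": cvss.get("vectorString")},
    }
```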

For more information, refer to our documentation here.