* [Blog](https://origin-researchcenter.paloaltonetworks.com/blog) * [Security Operations](https://origin-researchcenter.paloaltonetworks.com/blog/security-operations/) * [Playbook of the Week](https://origin-researchcenter.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/) * Playbook of the Week: Usi... # Playbook of the Week: Using CVEs in Incident Investigation [](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Forigin-researchcenter.paloaltonetworks.com%2Fblog%2Fsecurity-operations%2Fplaybook-of-the-week-using-cves-in-incident-investigation%2F) [](https://twitter.com/share?text=Playbook+of+the+Week%3A+Using+CVEs+in+Incident+Investigation&url=https%3A%2F%2Forigin-researchcenter.paloaltonetworks.com%2Fblog%2Fsecurity-operations%2Fplaybook-of-the-week-using-cves-in-incident-investigation%2F) [](https://www.linkedin.com/shareArticle?mini=true&url=https%3A%2F%2Forigin-researchcenter.paloaltonetworks.com%2Fblog%2Fsecurity-operations%2Fplaybook-of-the-week-using-cves-in-incident-investigation%2F&title=Playbook+of+the+Week%3A+Using+CVEs+in+Incident+Investigation&summary=&source=) [](https://www.paloaltonetworks.com//www.reddit.com/submit?url=https://origin-researchcenter.paloaltonetworks.com/blog/security-operations/playbook-of-the-week-using-cves-in-incident-investigation/&ts=markdown) \[\](mailto:?subject=Playbook of the Week: Using CVEs in Incident Investigation) Link copied By [Dror Avrahami](https://www.paloaltonetworks.com/blog/author/dror-avrahami/?ts=markdown "Posts by Dror Avrahami") Aug 03, 2023 6 minutes [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown) [Cortex XSOAR](https://www.paloaltonetworks.com/blog/tag/cortex-xsoar/?ts=markdown) [playbook of the week](https://www.paloaltonetworks.com/blog/tag/playbook-of-the-week/?ts=markdown) [Security Orchestration Automation and Response](https://www.paloaltonetworks.com/blog/tag/security-orchestration-automation-and-response/?ts=markdown) [SOAR](https://www.paloaltonetworks.com/blog/tag/soar-2/?ts=markdown) [XSOAR playbook](https://www.paloaltonetworks.com/blog/tag/xsoar-playbook/?ts=markdown) The Common Vulnerabilities and Exposures (CVE) repository is designed to provide a reference for a publicly known information security vulnerability. CVE identifiers, or CVEs, are formatted with the prefix "CVE" followed by the year and unique identifier - for example, the "log4j" vulnerability is referenced as CVE-2021-44228. CVEs are assigned by a CVE Numbering Authority (CNA). It should be noted that assigning a CVE does not automatically make it an official CVE entry, in order to avoid duplicating a previously reported CVE. We have significantly revamped the way CVEs are displayed and stored as indicators within Cortex XSOAR Threat Intelligence Management (TIM). Our main goal was to store and make available as much data as possible to help you query and use CVEs whether in your incident investigations or as a tool aiding in vulnerability management in your system. In this blog, we will go over the changes made in XSOAR TIM and modifications to the CVE indicator layout to present data in a more intuitive way. We will also cover how to install these changes to your TIM module. ## **Layout Changes** ![Fig 1: New CVE display layout in XSOAR TIM](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/08/word-image-300087-1.png) Fig 1: New CVE display layout in XSOAR TIM The new layout presents an analyst with detailed information about a CVE and the system(s) it affects, making it easy to build queries and playbooks with rich CVE data. ### **CVSS Score** The CVSS score is now displayed in its own section and is color coordinated according to the CVE CVSS score. The score will display the CVE indicator verdict and will adjust its icon accordingly. This will now be the case across all CVE indicators in XSOAR thanks to an updated reputation script (CveReputationV2) which sets the correct XSOAR score according to the CVSS score. ![Fig 2: CVE score display in XSOAR TIM](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/08/Blog-shot-1.png) Fig 2: CVE score display in XSOAR TIM When a CVE has no CVSS score, it will display as "N\\A" and the text color will be adjusted according to the color scheme set by the user: ![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/08/word-image-300087-8.png) ![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/08/word-image-300087-9.png) The CVSS score is stored in two different fields: 1. Cvssscore (searchable) 2. cvss.Score (JSON format) *Fig 3: CVE score display with no score is defined* ### **CPEs Tags and Relationships** Another enhancement includes the **Vulnerable Products** section which is dedicated to [Common Platform Enumerations](https://en.wikipedia.org/wiki/Common_Platform_Enumeration)(CPEs). In this section, the analyst can now find a full list of all the CPEs relevant to the CVE. ![Fig 4: List of CPEs relevant to CVE](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/08/word-image-300087-10.png) Fig 4: List of CPEs relevant to CVE The CPEs are parsed according to the their format: cpe:\:\:\:\:\:\:\:\:\:\:\:\ The following sections are parsed and exported: 1. **Part**- Tagged as Operating-System, Hardware, or Software accordingly. 2. **Vendor** - Will be *tagged* and a *relationship* created to an **Identity**type indicator. 3. **Product** - Will be *tagged* and a *relationship* created to a **Software**type indicator. The extraction will remove escape characters and capitalize the results. ![Fig 5: Extracted text from CPE display in XSOAR TIM](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/08/word-image-300087-11.png) Fig 5: Extracted text from CPE display in XSOAR TIM ![Fig 6: Vulnerability tags](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/08/word-image-300087-12.png) Fig 6: Vulnerability tags ### **CWE-ID** Those of you with a keen sense of sight will notice that the CVE also has a tag named **NVD-CWE-Other.** This tag is created when no [Common Weakness Enumeration](https://en.wikipedia.org/wiki/Common_Weakness_Enumeration) (CWE) is found. When a CWE is found, the tag will point to the correct CWE ID. The CWE provides additional details about the type of vulnerability in that specific CVE, including its name, description, likelihood of exploit, examples of vulnerabilities in which the weakness is used, detection methods, and more. For example, in the picture below we can see CWE-416 which is the ID of the vulnerability known as "[Use After Free](https://cwe.mitre.org/data/definitions/416.html)". ![Fig 7: CWE vulnerability details](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/08/word-image-300087-13.png) Fig 7: CWE vulnerability details ### **CVSS Table** Another section that got a small facelift is the **CVSS Table** . The section will now display the *CVSS Version* that was used to calculate the score, the full *CVSS Vector* and a table of the values used to calculate the score. ![Fig 8: CVSS Table](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/08/word-image-300087-14.png) Fig 8: CVSS Table The CVSS version is extracted according to the specific vector in order to avoid mistakes in the data. The table is flexible and contextual, so version changes such as CVSS 3.0, 3.1, and 4.0 changes will not affect what is displayed for CVSS 2.0. Relevant publications can now be properly exported and these are available in the **Additional Details** tab under **Publications**. ![Fig 9: Relevant publications](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/08/word-image-300087-15.png) Fig 9: Relevant publications These changes will allow you to better incorporate CVE data into your various playbooks and workflow jobs. The additional data allows for better visibility into CVEs impacting your organization and provides more info for threat hunting and security updates. ## **Installing the New Content Packs** As this is a big change, there are multiple content packs that need to be updated. Most can automatically be updated but the Common Type content packs need additional steps as described below. 1. [Common Types](https://cortex.marketplace.pan.dev/marketplace/details/CommonTypes/) 2. [Base](https://cortex.marketplace.pan.dev/marketplace/details/Base/) 3. [Common Scripts](https://cortex.marketplace.pan.dev/marketplace/details/CommonScripts/) 4. [CIRCL](https://cortex.marketplace.pan.dev/marketplace/details/CIRCL/) (We will use CIRCL CVE Search integration) ### **Common Types Content Pack installation** When updating layouts and indicators in TIM, we have to update the **Common Types**content pack (where the indicator types and layouts are configured). #### **Automated Update** **Be careful, do not use this method if you have configured custom mapping for any of your indicators!** The easiest way to update this pack is to delete the existing pack on your XSOAR instance and reinstall the latest version. This will automatically rebuild the mapping from the context to the correct indicator fields. #### **Manual Update** **Use this method if you have changed indicators mappings in the past** Update your **Common Types** content pack and go to **Settings** \\ **Object Setup** \\ **Indicators** and select **CVE** . Press the **Edit** button and move to the second tab called **Custom Fields**. Now we will have to set the mapping manually, so TIM will be able to pull the enriched data from the CVE context in XSOAR: ![Fig 10: Series of screenshot of the XSOAR UI](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/08/Blog-shot-2.png) Fig 10: Series of screenshot of the XSOAR UI After configuring these fields press **Save**. ### **Base Content Pack Installation** As some new fields were added to the CVE class **Base**needs to be updated to accommodate those. As this is just new content, go ahead and update the pack, No special care is needed here. ### **Common Scripts Content Pack Installation** Since we are integrating a few new scripts (dynamic ones and a reputation script for CVEs), we must also update this pack. As this is new content, just go ahead and update the pack. No special care is needed here. ### **CIRCL Integration Content Pack Installation** The only integration that supports all of these new features at the moment is **CIRCL CVE Search** (formerly known as CVE Search). You can download the pack and install the integration, no API Key is needed, this is a free [**Plug \& Enrich** enricher](https://cortex.marketplace.pan.dev/marketplace/details/FreeEnrichers/) available as part of the TIM module. *** ** * ** *** ## Related Blogs ### [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown) [#### An Automated Response to Malicious Pod Activity](https://origin-researchcenter.paloaltonetworks.com/blog/security-operations/an-automated-response-to-malicious-pod-activity/) ### [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown) [#### Rapid Response for Fighting Ursa Phishing Campaign](https://origin-researchcenter.paloaltonetworks.com/blog/security-operations/rapid-response-for-fighting-ursa-phishing-campaign/) ### [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown), [Uncategorized](https://www.paloaltonetworks.com/blog/category/uncategorized/?ts=markdown) [#### Playbook of the Week: Automating Response to Living-Off-the-Land (LOTL) Attacks](https://origin-researchcenter.paloaltonetworks.com/blog/security-operations/playbook-of-the-week-automating-response-to-living-off-the-land-lotl-attacks/) ### [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown) [#### Playbook of the Week: Prisma Cloud Compute - Compliance Alert v2](https://origin-researchcenter.paloaltonetworks.com/blog/security-operations/playbook-of-the-week-prisma-cloud-compute-compliance-alert-v2/) ### [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown) [#### Playbook of the Week: Streamlining Suspicious Data Upload Alert Investigations](https://origin-researchcenter.paloaltonetworks.com/blog/security-operations/playbook-of-the-week-streamlining-suspicious-data-upload-alert-investigations/) ### [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown), [Uncategorized](https://www.paloaltonetworks.com/blog/category/uncategorized/?ts=markdown) [#### Playbook of the Week: Automating Management of XDR Identity Analytics Alerts](https://origin-researchcenter.paloaltonetworks.com/blog/security-operations/playbook-of-the-week-automating-management-of-xdr-identity-analytics-alerts/) ### Subscribe to Security Operations Blogs! Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more. ![spinner](https://origin-researchcenter.paloaltonetworks.com/blog/wp-content/themes/panwblog2023/dist/images/ajax-loader.gif) Sign up Please enter a valid email. By submitting this form, you agree to our [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) and acknowledge our [Privacy Statement](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown). Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder. This site is protected by reCAPTCHA and the Google [Privacy Policy](https://policies.google.com/privacy) and [Terms of Service](https://policies.google.com/terms) apply. {#footer} {#footer} ## Products and Services * [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown) * [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown) * [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown) * [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown) * [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown) * [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown) * [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown) * [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown) * [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown) * [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown) * [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown) * [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown) * [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown) * [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown) * [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown) * [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown) * [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown) * [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown) * [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown) * [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown) * [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown) * [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown) * [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown) * [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown) * [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown) * [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown) * [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown) * [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown) * [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown) * [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown) * [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown) * [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown) * [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown) * [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown) * [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown) * [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown) * [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown) * [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown) * [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown) * [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown) * [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown) * [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown) * [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown) * [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown) * [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown) * [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown) * [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown) * [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown) * [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown) * [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown) ## Company * [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown) * [Careers](https://jobs.paloaltonetworks.com/en/) * [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown) * [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown) * [Customers](https://www.paloaltonetworks.com/customers?ts=markdown) * [Investor Relations](https://investors.paloaltonetworks.com/) * [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown) * [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown) ## Popular Links * [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown) * [Communities](https://www.paloaltonetworks.com/communities?ts=markdown) * [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown) * [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown) * [Event Center](https://events.paloaltonetworks.com/) * [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center) * [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown) * [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown) * [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown) * [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown) * [Tech Docs](https://docs.paloaltonetworks.com/) * [Unit 42](https://unit42.paloaltonetworks.com/) * [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd) ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg) * [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown) * [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown) * [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) * [Documents](https://www.paloaltonetworks.com/legal?ts=markdown) Copyright © 2026 Palo Alto Networks. All Rights Reserved * [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks) * [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown) * [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/) * [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks) * [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks) * EN Select your language