# Swimlane Intelligence Native Action
## Overview

The Swimlane Intelligence native action queries the Swimlane Intelligence service, a repository of cybersecurity information. The service currently provides CVE metadata and exploit information, with more data sources planned for the future. The action retrieves and returns detailed information about the specified CVE identifier so that a playbook can analyze a vulnerability without calling an external API directly.

### Key features

- **CVE search**: look up a single CVE by its unique ID (for example, `CVE-2023-12345`).
- **Multiple data categories**: query different types of vulnerability intelligence data.
- **Detailed output**: returns comprehensive information about the vulnerability, including severity scores, descriptions, exploit information, and related metadata.
- **Simple configuration**: easy-to-use inputs for quick vulnerability lookups.

### Requirements

- The Security Intelligence feature must be enabled for your account.
- This action is not available in air-gapped environments.

## How to use

1. Open your playbook in the Turbine canvas.
2. From the **Add** panel, drag and drop the **Swimlane Intelligence** action onto your canvas.
3. Click the action block to configure it.
4. Provide a unique title and key for the action:
   - **Title**: the display name for the action (for example, `Get CVE Data`).
   - **Key**: a system-generated unique identifier for the action. It is editable but must follow the naming convention: alphanumeric characters and underscores only.
5. Configure the inputs. Click **Configure** to open the configuration panel.
   - **Select data category** (required). Use the **Select data category** dropdown to choose the type of data to query. Available options:
     - **Vulnerability Exploits** (dataset `exploits`): exploit-related information about the CVE, including
       - public, commercial, and weaponized exploit availability;
       - exploit maturity levels;
       - reported exploitation by threat actors, ransomware, or botnets;
       - KEV (Known Exploited Vulnerabilities) status;
       - EPSS (Exploit Prediction Scoring System) scores;
       - exploit timeline and trending information.
     - **Vulnerability Metadata** (dataset `vulncheck-nvd2`): comprehensive metadata and analysis from the National Vulnerability Database (NVD), including
       - CVSS (Common Vulnerability Scoring System) scores and severity ratings;
       - vulnerability descriptions and impact details;
       - affected systems and configurations (CPE);
       - CISA (Cybersecurity and Infrastructure Security Agency) information;
       - MITRE ATT&CK techniques;
       - references and links to additional information.
   - **ID** (required), type `string`. Enter a single CVE ID (for example, `CVE-2023-12345`) to retrieve details about the vulnerability. This is the unique identifier of the document to retrieve from the selected dataset. Input methods:
     - manual entry;
     - playbook property selection;
     - an expression using dot notation (for example, `$event.data.cveid`).
6. Apply the configuration. Click **Apply** to save your settings and activate the action within the workflow.
7. Run the query. Execute the action to retrieve detailed information about the specified CVE identifier.

## Inputs

The action requires two inputs.

| Input | Required | Description |
| --- | --- | --- |
| `dataset` | yes | The name of the dataset to query. Available values: `exploits` (Vulnerability Exploits dataset) and `vulncheck-nvd2` (Vulnerability Metadata dataset). |
| `id` | yes | The unique identifier of the CVE document to retrieve. Only a single ID is supported per execution. For CVEs, use the standard format (for example, `CVE-2023-12345`). |

## Outputs

The action returns detailed information about the queried vulnerability. The output structure depends on the selected dataset.

### Vulnerability Exploits dataset output

When using the `exploits` dataset, the output includes:

- **Exploit availability**
  - `public_exploit_found`: boolean indicating whether public exploits exist.
  - `commercial_exploit_found`: boolean indicating whether commercial exploits exist.
  - `weaponized_exploit_found`: boolean indicating whether weaponized exploits exist.
  - `max_exploit_maturity`: the maximum exploit maturity level.
  - `reported_exploited`: boolean indicating whether exploitation has been reported.
  - `reported_exploited_by_threat_actors`: boolean indicating reported threat actor exploitation.
  - `reported_exploited_by_ransomware`: boolean indicating reported ransomware exploitation.
  - `reported_exploited_by_botnets`: boolean indicating reported botnet exploitation.
- **KEV status**
  - `inKEV`: boolean indicating whether the CVE is in the CISA KEV catalog.
  - `inVCKEV`: boolean indicating whether the CVE is in the VulnCheck KEV catalog.
- **Scoring and metrics**
  - `epss`: EPSS (Exploit Prediction Scoring System) data, including score and percentile.
  - `timeline`: exploit timeline information.
  - `trending`: trending information.
  - `counts`: various exploit count metrics.

### Vulnerability Metadata dataset output

When using the `vulncheck-nvd2` dataset, the output includes:

- **CVE information**
  - `id`: the CVE identifier.
  - `descriptions`: vulnerability descriptions in multiple languages.
  - `status`: CVE status.
  - `alias`: CVE aliases.
- **CVSS scores** (`metrics`)
  - `cvssMetricV2`: CVSS v2.0 scores and vectors.
  - `cvssMetricV31`: CVSS v3.1 scores and vectors.
  - `temporalCVSSV2`: temporal CVSS v2.0 scores.
  - `temporalCVSSV31`: temporal CVSS v3.1 scores.
  - `baseScore`, `baseSeverity`: base score and severity rating.
  - `exploitabilityScore`, `impactScore`: component scores.
- **CISA information**
  - `cisaActionDue`: CISA action due date.
  - `cisaExploitAdd`: date the CVE was added to the CISA KEV catalog.
  - `cisaRequiredAction`: required action from CISA.
  - `cisaVulnerabilityName`: CISA vulnerability name.
- **Configuration and impact**
  - `configurations`: affected system configurations.
  - `cpeMatch`: Common Platform Enumeration matches.
  - `nodes`: configuration nodes.
- **Additional metadata**
  - `mitreAttackTechniques`: associated MITRE ATT&CK techniques.
  - `tags`: vulnerability tags.
  - `categorization`: vulnerability categorization.
  - `references`: external references and links.

### Accessing output data

You can access the output data in subsequent actions using expressions:

- `$actions.actionName.result.result`: the root result object.
- `$actions.actionName.result.result.propertyName`: a specific property.
- `$actions.actionName.result.result.metrics.cvssMetricV31.baseScore`: a nested property.

**Note:** If the CVE identifier is not found in the dataset, the action completes successfully but returns an empty or null result. Because the action does not fail in this case, a playbook must check the result itself rather than relying on the action's status to detect an unknown CVE.

## Example use cases

### Example 1: Query vulnerability exploits

Scenario: check whether a CVE has known exploits and assess exploit maturity.

1. Add the Swimlane Intelligence action to your playbook.
2. Select **Vulnerability Exploits** as the data category.
3. Enter the CVE ID (for example, `CVE-2023-12345`) or use an expression such as `$event.data.cveid`.
4. Access the exploit information in subsequent actions:
   - `$actions.getExploitInfo.result.result.public_exploit_found`: whether public exploits exist.
   - `$actions.getExploitInfo.result.result.max_exploit_maturity`: the exploit maturity level.
   - `$actions.getExploitInfo.result.result.epss.epss_score`: the EPSS score.

### Example 2: Query vulnerability metadata

Scenario: retrieve comprehensive CVE metadata, including CVSS scores and CISA information.

1. Add the Swimlane Intelligence action to your playbook.
2. Select **Vulnerability Metadata** as the data category.
3. Enter the CVE ID (for example, `CVE-2023-12345`).
4. Access the metadata in subsequent actions:
   - `$actions.getCveMetadata.result.result.metrics.cvssMetricV31.baseScore`: the CVSS v3.1 base score.
   - `$actions.getCveMetadata.result.result.metrics.cvssMetricV31.baseSeverity`: the severity rating.
   - `$actions.getCveMetadata.result.result.cisaRequiredAction`: the CISA required action.

### Example 3: Conditional logic based on exploit availability

Scenario: use conditional logic to prioritize vulnerabilities with known exploits.

1. Query the Vulnerability Exploits dataset for a CVE.
2. Use a Condition action to check whether `public_exploit_found` is `true`.
3. If true, trigger high-priority remediation actions.
4. If false, proceed with the standard vulnerability management workflow.

## Troubleshooting

**Action fails with "feature not enabled"**
Ensure the Security Intelligence feature is enabled for your account. Contact Support if you believe this is an error.

**Action not available**
This action is not available in air-gapped environments. Use alternative methods to query vulnerability data in air-gapped deployments.

**Empty result returned**
If the action completes successfully but returns an empty result, the CVE identifier may not exist in the selected dataset. Verify that:

- the CVE ID format is correct (for example, `CVE-2023-12345`);
- the CVE exists in the selected dataset;
- the dataset name is spelled correctly.

**Dataset not found**
Ensure you have selected a valid data category. The available datasets are `exploits` (Vulnerability Exploits) and `vulncheck-nvd2` (Vulnerability Metadata).

**Invalid CVE ID format**
Ensure the CVE ID follows the standard format `CVE-YYYY-NNNN`, where `YYYY` is the year and `NNNN` is the sequence number. The sequence number has at least four digits and may be longer (for example, `CVE-2023-1234567`).

## Best practices

- **Choose the right dataset.** Use Vulnerability Exploits when you need exploit availability and maturity information; use Vulnerability Metadata when you need comprehensive CVE details, CVSS scores, and CISA information.
- **Handle missing results.** Always check whether the result is empty or null before accessing nested properties, to avoid errors in your playbook.
- **Use expressions for dynamic CVE IDs.** Instead of hardcoding CVE IDs, reference them from upstream actions, events, or variables (for example, `$event.data.cveid` or `$variables.cveid`).
- **Cache results when possible.** If the same CVE is queried multiple times, store the result in a variable to avoid redundant API calls.
- **Combine datasets.** For comprehensive vulnerability analysis, query both datasets for the same CVE to get both exploit intelligence and detailed metadata.
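The three best practices above (validate the ID you pass in, handle an empty result, and combine both datasets when deciding priority) can be exercised together in ordinary code before they are wired into Condition actions. The following is an added example, not Swimlane's code: it treats the two action results as plain Python dictionaries shaped like the outputs documented on this page. The sample results are constructed, the EPSS sub-field names (`score`, `percentile`) are assumed, and the tolerance for the NVD 2.0 list-of-metrics layout under `cvssData` is an assumption about how the metadata may be nested; the priority thresholds are illustrative, not Swimlane's.

```python
"""Triage helpers for Swimlane Intelligence action results (added example)."""
import re
from typing import Any, Optional

# CVE ID syntax: "CVE-", a four-digit year, then a sequence number of at
# least four digits. Sequence numbers may be longer (e.g. CVE-2023-1234567).
CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$", re.IGNORECASE)


def normalize_cve_id(raw: Any) -> Optional[str]:
    """Return the canonical upper-case CVE ID, or None for an invalid value.

    Run this on a dynamic value such as $event.data.cveid before using it as
    the action's ID input: an ill-formed ID yields an empty result, not an error.
    """
    if not isinstance(raw, str):
        return None
    candidate = raw.strip()
    return candidate.upper() if CVE_ID_RE.match(candidate) else None


def cvss_v31_base(metadata: Optional[dict]) -> Optional[float]:
    """Extract the CVSS v3.1 base score from a vulncheck-nvd2 result.

    Tolerates both a flat metrics.cvssMetricV31.baseScore object (as this page
    documents it) and the NVD 2.0 list form with the score under cvssData.
    """
    if not metadata:
        return None
    v31 = (metadata.get("metrics") or {}).get("cvssMetricV31")
    if isinstance(v31, list):
        v31 = v31[0] if v31 else None
    if not isinstance(v31, dict):
        return None
    data = v31.get("cvssData") or v31
    score = data.get("baseScore")
    return float(score) if score is not None else None


def triage_priority(exploits: Optional[dict], metadata: Optional[dict]) -> str:
    """Map exploit intelligence plus CVSS into a remediation priority.

    Empty or null results are handled explicitly, because the action completes
    successfully with an empty result when the CVE is not in a dataset.
    """
    exploits = exploits or {}
    score = cvss_v31_base(metadata)
    if not exploits and score is None:
        return "unknown"  # neither dataset knew the CVE; do not treat as "low"

    epss = (exploits.get("epss") or {}).get("score")  # assumed sub-field name
    actively_exploited = bool(exploits.get("inKEV")) or any(
        bool(exploits.get(key))
        for key in (
            "reported_exploited_by_ransomware",
            "reported_exploited_by_threat_actors",
            "reported_exploited_by_botnets",
        )
    )
    if actively_exploited:
        return "critical"
    if exploits.get("weaponized_exploit_found") or exploits.get("public_exploit_found"):
        return "high"
    if (epss is not None and float(epss) >= 0.5) or (score is not None and score >= 9.0):
        return "high"
    if score is not None and score >= 7.0:
        return "medium"
    return "low"


# Constructed sample results, shaped like the two datasets' documented outputs.
SAMPLE_EXPLOITS = {
    "public_exploit_found": True,
    "commercial_exploit_found": False,
    "weaponized_exploit_found": False,
    "max_exploit_maturity": "poc",
    "reported_exploited": False,
    "reported_exploited_by_threat_actors": False,
    "reported_exploited_by_ransomware": False,
    "reported_exploited_by_botnets": False,
    "inKEV": False,
    "inVCKEV": False,
    "epss": {"score": 0.12, "percentile": 0.95},
}
SAMPLE_METADATA = {
    "id": "CVE-2023-12345",
    "metrics": {"cvssMetricV31": {"baseScore": 7.5, "baseSeverity": "HIGH"}},
    "cisaRequiredAction": None,
}

if __name__ == "__main__":
    print(normalize_cve_id(" cve-2023-12345 "))             # CVE-2023-12345
    print(triage_priority(SAMPLE_EXPLOITS, SAMPLE_METADATA))  # high
    print(triage_priority(None, None))                       # unknown
```

The ordering matters: KEV membership and reported in-the-wild exploitation outrank a public proof of concept, which in turn outranks a high CVSS score with no exploit evidence, and a CVE that neither dataset knows is reported as `unknown` rather than silently falling through to `low`.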