Turbine Schema Reference (VRM)
Turbine Schema was formerly known as Turbine Extensible Data Schema, or TEDS.

This document describes the Turbine Schema objects used by the Vulnerability Response Management (VRM) solution.

- For general concepts, best practices, and troubleshooting, see docid\ tojmk0bspocoe9u12tt5m
- For VRM interface contracts, see docid 2uzi3jfnbojho1ql0ovpi
- For general information about how interfaces work, see docid\ sgosywgianmcsfqtqch n

Keys and sample values below are shown as they appear on this page.

## Vulnerability Finding object

The Vulnerability Finding object captures vulnerability scan results from vulnerability management tools (such as Tenable, Qualys, and Rapid7). It includes fields for vulnerability identification, severity scoring, exploit intelligence, asset context, and remediation tracking.

| Name | Key | Type | Description |
| --- | --- | --- | --- |
| Vulnerability ID | `vulnerability id` | string | CVE or vendor-specific vulnerability identifier |
| Vulnerability Description | `vulnerability description` | string | Description of the vulnerability |
| Vulnerability Status | `vulnerability status` | string | Current status of the vulnerability (such as open, fixed, or accepted) |
| Vulnerability References | `vulnerability references` | string | External references and advisories related to the vulnerability |
| Vulnerability Published Date | `vulnerability published date` | string | Date the vulnerability was first published |
| Vulnerability Last Modified Date | `vulnerability last modified date` | string | Date the vulnerability record was last modified |
| CVSS Base Score | `vulnerability cvss base score` | integer | Common Vulnerability Scoring System base score |
| CVSS Temporal/Threat Score | `vulnerability cvss temporal threat score` | integer | CVSS temporal or threat score reflecting current exploit activity |
| CVSS Version | `vulnerability cvss version` | string | CVSS specification version used for scoring (such as 3.1 or 4.0) |
| CVSS Vector String | `vulnerability cvss vector string` | string | Full CVSS vector string describing the vulnerability characteristics |
| EPSS Score | `vulnerability epss score` | integer | Exploit Prediction Scoring System probability score |
| EPSS Percentile | `vulnerability epss percentile` | integer | EPSS percentile ranking relative to all scored vulnerabilities |
| Weaknesses (CWEs) | `vulnerability weaknesses (cwes)` | string | Common Weakness Enumeration identifiers associated with the vulnerability |
| Vulnerable CPEs | `vulnerability vulnerable cpes` | string | Common Platform Enumeration identifiers for affected products |
| Related Attack Patterns | `vulnerability related attack patterns` | string | Known attack patterns associated with the vulnerability |
| Exploits | `vulnerability exploits` | string | Known exploit details for the vulnerability |
| Exploits Trending on GitHub | `vulnerability exploits trending on github` | string | Whether exploit code is currently trending on GitHub |
| First Exploit Published | `vulnerability first exploit published` | string | Date the first public exploit was published |
| Max Exploit Maturity | `vulnerability max exploit maturity` | string | Highest maturity level among known exploits (such as proof of concept, functional, or weaponized) |
| Public Exploit Found | `vulnerability public exploit found` | string | Whether a public exploit exists |
| Commercial Exploit Found | `vulnerability commercial exploit found` | string | Whether a commercial exploit tool is available |
| Weaponized Exploit Found | `vulnerability weaponized exploit found` | string | Whether a weaponized exploit exists |
| Reported Exploited | `vulnerability reported exploited` | string | Whether the vulnerability has been reported as actively exploited |
| Reported Exploitation | `vulnerability reported exploitation` | string | Details of reported exploitation activity |
| Reported Exploited by Ransomware | `vulnerability reported exploited by ransomware` | string | Whether ransomware campaigns are exploiting this vulnerability |
| Reported Exploited by Botnets | `vulnerability reported exploited by botnets` | string | Whether botnets are exploiting this vulnerability |
| Reported Exploited by Threat Actors | `vulnerability reported exploited by threat actors` | string | Whether known threat actor groups are exploiting this vulnerability |
| In Known Exploited Vulnerabilities | `vulnerability in known exploited vulnerabilities` | string | Whether the vulnerability is in CISA Known Exploited Vulnerabilities catalog |
| MITRE ATT&CK Techniques | `vulnerability finding mitre attack techniques` | string | MITRE ATT&CK techniques associated with the vulnerability finding |
| Finding Unique ID | `vulnerability finding unique id` | string | Unique identifier for this specific vulnerability finding instance |
| Finding Grouping ID | `vulnerability finding grouping id` | string | Identifier used to group related findings across scans |
| Finding Summary | `vulnerability finding summary` | string | Summary description of the finding |
| Finding Primary Asset Identifier | `vulnerability finding primary asset identifier` | string | Primary identifier for the asset where the vulnerability was found |
| Finding Primary Asset Type | `vulnerability finding primary asset type` | string | Type of asset (such as server, workstation, or network device) |
| Finding Hostnames | `vulnerability finding hostnames` | string array | Hostnames associated with the finding |
| Finding IP Addresses | `vulnerability finding ip addresses` | string array | IP addresses associated with the finding |
| Finding MAC Addresses | `vulnerability finding mac addresses` | string array | MAC addresses associated with the finding |
| Finding Sources | `vulnerability finding sources` | string array | Vulnerability scanners or tools that reported this finding |
| Finding Scan ID | `vulnerability finding scan id` | string | Identifier of the scan that produced this finding |
| Finding Scan Type | `vulnerability finding scan type` | string | Type of scan performed (such as authenticated, unauthenticated, or agent) |
| Finding Raw Risk Score | `vulnerability finding raw risk score` | integer | Risk score as reported by the source scanner |
| Finding Turbine Risk Score | `vulnerability finding turbine risk score` | integer | Normalized risk score calculated by Turbine |
| Merged Risk Scores | `merged risk scores` | string | Combined risk scores from multiple scanners |
| Finding Raw JSON | `vulnerability finding raw json` | string | Raw JSON data from the source vulnerability scanner |
| Finding Remediation | `vulnerability finding remediation` | string | Recommended remediation action for the vulnerability |
| Finding Remediation Status | `vulnerability finding remediation status` | string | Current status of remediation efforts |
| Finding Remediation Owner | `vulnerability finding remediation owner` | string | Party responsible for remediating the vulnerability |
| Finding Last Ingested | `vulnerability finding last ingested` | string | Timestamp when the finding was last ingested into Turbine |
| Finding Last Enriched | `vulnerability finding last enriched` | string | Timestamp when the finding was last enriched with threat intelligence |
| Finding Exception Reason | `vulnerability finding exception reason` | string | Reason for any exception applied to this finding |
| Finding Exception Reference | `vulnerability finding exception reference` | string array | References to exception records |
| Asset Zone | `asset zone` | string | Network zone where the affected asset resides |
| Asset Reference | `asset reference` | string array | References to asset records in the asset inventory |

## Enriched Vulnerability Finding object

The Enriched Vulnerability Finding extends the base Vulnerability Finding with additional asset context fields populated during the enrichment phase. It includes all fields from the Vulnerability Finding object plus the following:

| Name | Key | Type | Description |
| --- | --- | --- | --- |
| Finding Asset Criticality | `vulnerability finding asset criticality` | integer | Business criticality rating of the asset where the vulnerability was found |
| Finding Asset Zone Criticality | `vulnerability finding asset zone criticality` | integer | Criticality rating of the network zone where the asset resides |
| Finding Asset Remediation Channel | `vulnerability finding asset remedation channel` | string | Communication channel for reaching the remediation owner |
| Finding Asset Remediation Owner | `vulnerability finding asset remedation owner` | string | Party responsible for vulnerability remediation on the asset |
| Finding Asset Reference | `vulnerability finding asset reference` | array | References to the asset record in the asset inventory |
| Finding Asset Zone | `vulnerability finding asset zone` | string | Network zone of the asset |
| Finding Unique ID Type | `vulnerability finding unique id type` | string | Type or scheme of the unique identifier |

## Asset object

The Asset object represents a managed asset in the asset inventory. It is used by the Asset to Tracking ID interface to look up or create remediation tracking records for assets.

| Name | Key | Type | Description |
| --- | --- | --- | --- |
| Primary Asset Identifier | `primary asset identifier` | string | Primary identifier for the asset |
| Hostnames | `hostnames` | string array | Hostnames associated with the asset |
| IP Addresses | `ip addresses` | string array | IP addresses associated with the asset |
| MAC Addresses | `mac addresses` | string array | MAC addresses associated with the asset |
| Operating System | `operating system` | string | Operating system installed on the asset |
| Asset Owner | `asset owner` | string | Email of the asset owner |
| Asset Stakeholders | `asset stakeholders` | string array | Emails of all stakeholders responsible for the asset |
| Asset Criticality | `asset criticality` | number | Business criticality rating of the asset |
| Asset Zone | `asset zone` | string | Network zone where the asset resides |
| Asset Zone Criticality | `assset zone criticality` | number | Criticality rating of the asset network zone |
| Remediation Owner | `remediation owner` | string | Email of the party responsible for vulnerability remediation on this asset |
| Compensating Controls | `asset compensating controls` | string | Compensating controls applied to the asset |
| Risk Scores | `asset risk scores` | object | Aggregate risk scores for the asset |
| SBOM | `asset sbom` | string array | Software bill of materials present on the asset |
| Highest Risk Vulnerability Finding | `highest risk vulnerability finding` | string | The vulnerability finding attached to the asset with the highest risk score |

## Remediation Item object

The Remediation Item object provides the input data for ITSM ticket creation and status checking. Two interfaces use this object.

### Remediation Item to Ticket (ticket creation)

| Name | Key | Type | Description |
| --- | --- | --- | --- |
| Remediation Owner | `remediation owner` | string | Party responsible for remediating the findings |
| Remediation Channel | `remediation channel` | string | Communication channel for reaching the remediation owner |
| Remediation Item Tracking ID | `remediation item tracking id` | string | Tracking ID of the remediation item record |
| Outbound Message | `outbound message` | string | Message to attach to the ITSM ticket |

### Remediation Item Check (ticket status checking)

| Name | Key | Type | Description |
| --- | --- | --- | --- |
| Remediation Owner | `remediation owner` | string | Party responsible for remediating the findings |
| Remediation Channel | `remediation channel` | string | Communication channel for reaching the remediation owner |
| Remediation Item Tracking ID | `remediation item tracking id` | string | Tracking ID of the remediation item record |
| ITSM Ticket ID | `itsm ticket id` | string | Ticket ID in the remote or internal ITSM |

## Ticket object

The Ticket object represents the ITSM ticket data returned by remediation interfaces.

### Remediation Item to Ticket output

| Name | Key | Type | Description |
| --- | --- | --- | --- |
| Ticket ID | `ticket id` | string | Ticket ID from the ITSM system |
| Ticket Status | `ticket status` | string | Status of the ticket (open, closed, or error) |
| Ticket Opened | `ticket opened` | string | Timestamp when the ticket was opened |
| Ticket Status Updated | `ticket status updated` | string | Timestamp when the ticket status was last updated |
| Ticket Status Message | `ticket status message` | string | Message about the status of ticket creation |

### Remediation Item Check output

| Name | Key | Type | Description |
| --- | --- | --- | --- |
| Ticket Status | `ticket status` | string | Current status of the ticket |
| Ticket Status Updated | `ticket status updated` | string | Timestamp when the ticket status was last checked and updated |
| Inbound Messages | `inbound messages` | string | Replies or other inbound messages from the ITSM |

## Example: Vulnerability Finding object

```json
{
  "vulnerability finding": {
    "vulnerability id": "CVE-2024-3400",
    "vulnerability description": "PAN-OS OS command injection vulnerability in GlobalProtect gateway",
    "vulnerability status": "open",
    "vulnerability published date": "2024-04-12",
    "vulnerability last modified date": "2024-04-15",
    "vulnerability cvss base score": 10,
    "vulnerability cvss temporal threat score": 9,
    "vulnerability cvss version": "3.1",
    "vulnerability cvss vector string": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
    "vulnerability epss score": 97,
    "vulnerability epss percentile": 99,
    "vulnerability weaknesses (cwes)": "CWE-77",
    "vulnerability vulnerable cpes": "cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h3",
    "vulnerability max exploit maturity": "weaponized",
    "vulnerability public exploit found": "yes",
    "vulnerability weaponized exploit found": "yes",
    "vulnerability reported exploited": "yes",
    "vulnerability reported exploited by threat actors": "UTA0218",
    "vulnerability in known exploited vulnerabilities": "yes",
    "vulnerability finding unique id": "vuln-finding-001",
    "vulnerability finding primary asset identifier": "fw-gw-prod-01.example.com",
    "vulnerability finding primary asset type": "network device",
    "vulnerability finding hostnames": ["fw-gw-prod-01.example.com"],
    "vulnerability finding ip addresses": ["10.0.1.1"],
    "vulnerability finding sources": ["tenable.io"],
    "vulnerability finding scan type": "authenticated",
    "vulnerability finding raw risk score": 100,
    "vulnerability finding turbine risk score": 98,
    "vulnerability finding remediation": "Upgrade PAN-OS to 11.1.2-h3 or apply the hotfix",
    "vulnerability finding remediation status": "in progress",
    "vulnerability finding remediation owner": "network-ops@example.com",
    "vulnerability finding last ingested": "2026-03-29T10:00:00Z",
    "vulnerability finding last enriched": "2026-03-29T10:05:00Z",
    "asset zone": "dmz",
    "asset reference": ["asset-fw-gw-prod-01"]
  }
}
```

## Example: Enriched Vulnerability Finding object

```json
{
  "finding": {
    "vulnerability id": "CVE-2024-3400",
    "vulnerability description": "PAN-OS OS command injection vulnerability in GlobalProtect gateway",
    "vulnerability cvss base score": 10,
    "vulnerability epss score": 97,
    "vulnerability finding unique id": "vuln-finding-001",
    "vulnerability finding primary asset identifier": "fw-gw-prod-01.example.com",
    "vulnerability finding turbine risk score": 98,
    "vulnerability finding remediation status": "in progress",
    "vulnerability finding asset criticality": 10,
    "vulnerability finding asset zone criticality": 9,
    "vulnerability finding asset remedation owner": "network-ops@example.com",
    "vulnerability finding asset remedation channel": "jira",
    "vulnerability finding asset zone": "dmz",
    "vulnerability finding asset reference": ["asset-fw-gw-prod-01"]
  }
}
```

## Example: Remediation ticket workflow

Step 1: Create a ticket (Remediation Item to Ticket input)

```json
{
  "remediation owner": "network-ops@example.com",
  "remediation channel": "jira",
  "remediation item tracking id": "RI-2026-0042",
  "outbound message": "Critical vulnerability CVE-2024-3400 on fw-gw-prod-01. Upgrade PAN-OS to 11.1.2-h3."
}
```

Step 2: Ticket creation response (Remediation Item to Ticket output)

```json
{
  "ticket id": "VULN-1234",
  "ticket status": "open",
  "ticket opened": "2026-03-29T10:15:00Z",
  "ticket status updated": "2026-03-29T10:15:00Z",
  "ticket status message": "Ticket created successfully"
}
```

Step 3: Check ticket status (Remediation Item Check input)

```json
{
  "remediation owner": "network-ops@example.com",
  "remediation channel": "jira",
  "remediation item tracking id": "RI-2026-0042",
  "itsm ticket id": "VULN-1234"
}
```

Step 4: Status check response (Remediation Item Check output)

```json
{
  "ticket status": "closed",
  "ticket status updated": "2026-03-30T14:30:00Z",
  "inbound messages": "Patch applied and verified. Vulnerability remediated."
}
```
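The enriched-finding keys documented above spell "remedation" without the "i", and the score fields are typed as integer, so a producer that writes the correctly spelled key or a fractional score will not match the schema as documented. The following is an added example, not Swimlane code: a small conformance check over a subset of the documented keys, where `SCHEMA`, `validate_finding` and the sample object are constructed for illustration and the keys are used exactly as they appear on this page.

```python
from difflib import get_close_matches

# Documented types for a subset of enriched-finding keys, spelled exactly as on
# this page (including "remedation"). "integer" rejects bool and float values.
SCHEMA = {
    "vulnerability id": "string",
    "vulnerability cvss base score": "integer",
    "vulnerability epss score": "integer",
    "vulnerability finding unique id": "string",
    "vulnerability finding turbine risk score": "integer",
    "vulnerability finding asset criticality": "integer",
    "vulnerability finding asset zone criticality": "integer",
    "vulnerability finding asset remedation owner": "string",
    "vulnerability finding asset remedation channel": "string",
    "vulnerability finding asset zone": "string",
    "vulnerability finding asset reference": "array",
}

def _matches(value, kind):
    if kind == "string":
        return isinstance(value, str)
    if kind == "integer":
        return isinstance(value, int) and not isinstance(value, bool)
    if kind == "array":
        return isinstance(value, list)
    return False

def validate_finding(finding):
    """Return a sorted list of problems; an empty list means the object conforms."""
    problems = []
    for key, value in finding.items():
        if key not in SCHEMA:
            # A near-miss key usually means a spelling drift, not a new field.
            near = get_close_matches(key, SCHEMA, n=1, cutoff=0.9)
            hint = f" (schema key is {near[0]!r})" if near else ""
            problems.append(f"unknown key {key!r}{hint}")
        elif not _matches(value, SCHEMA[key]):
            problems.append(f"{key!r}: expected {SCHEMA[key]}, got {type(value).__name__}")
    return sorted(problems)

# Constructed sample: correctly spelled "remediation" and a fractional score.
SAMPLE = {
    "vulnerability id": "CVE-2024-3400",
    "vulnerability cvss base score": 9.8,
    "vulnerability finding asset remediation owner": "network-ops@example.com",
    "vulnerability finding asset criticality": 10,
}
```

Running `validate_finding(SAMPLE)` reports the fractional CVSS score and points the misspelled-by-correction owner key back to the documented one.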