Sightings
Presentation
Users can add observations to vulnerabilities as sightings of different types: seen, exploited, not exploited, confirmed, not confirmed, patched, and not patched.
| Type | Description | Negative/Opposite |
|---|---|---|
| seen | The vulnerability was mentioned, discussed, or seen somewhere by the user. | |
| confirmed | The vulnerability is confirmed from an analyst perspective. | X |
| exploited | This vulnerability was exploited and seen by the user reporting the sighting. | X |
| patched | This vulnerability was successfully patched by the user reporting the sighting. | X |
You can find the corresponding definition of the MISP taxonomy here.
Color code
Color code used in the application:
| Sighting Type | Color Code |
|---|---|
Example
Example of a sighting object:
```json
{
    "uuid": "f6ed692b-2656-4ce0-bcf1-eaf12dfe281d",
    "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
    "author": "8dfa6142-8c6d-4072-953e-71c85404aefb",
    "type": "seen",
    "source": "https://infosec.exchange/users/cve/statuses/113389560858828548",
    "vulnerability": "CVE-2024-10312",
    "creation_timestamp": "2024-10-29T08:36:31.492184Z"
}
```
A source is not necessarily a URL. It can be any string, for example the UUID of a MISP event. Examples: https://vulnerability.circl.lu/sightings/?query=MISP
Automation and tools
Realistically, sightings are more likely to be created programmatically, for instance, based on observations gathered from social networks, network captures, etc.
Our sighting tools are available in the user manual.
If you want to create your own sighting tool, it’s recommended to use PyVulnerabilityLookup, a Python library to access Vulnerability-Lookup via its REST API.
PyVulnerabilityLookup usage example
Initialize a PyVulnerabilityLookup object:
```python
from pyvulnerabilitylookup import PyVulnerabilityLookup

vuln_lookup = PyVulnerabilityLookup("https://vulnerability.circl.lu/", token="<YOUR-API-TOKEN>")
```
Retrieve sightings for a specific vulnerability:
```python
sighting_cve_list = vuln_lookup.get_sightings(vuln_id='CVE-2024-9474')
print(sighting_cve_list)
```
Output:
```json
{
    "metadata": {
        "count": 104,
        "page": 1,
        "per_page": 1000
    },
    "data": [
        {
            "uuid": "b804f360-9d9f-4326-a1ae-e32fb82e268b",
            "creation_timestamp": "2024-11-18T22:19:16.087185+00:00",
            "type": "seen",
            "source": "https://feedsin.space/feed/CISAKevBot/items/2704494",
            "vulnerability": "CVE-2024-9474",
            "author": {
                "login": "automation",
                "name": "Automation user",
                "uuid": "9f56dd64-161d-43a6-b9c3-555944290a09"
            }
        }
    ]
}
```
Create a new sighting:
```python
sighting = {"type": "exploited", "source": "<source-of-the-sighting>", "vulnerability": 'CVE-2024-9474'}
created_sighting = vuln_lookup.create_sighting(sighting=sighting)
print(created_sighting)
```
Output:
```json
{
    "metadata": {
        "count": 1,
        "page": 1,
        "per_page": 1000
    },
    "data": [
        {
            "uuid": "b498cb64-9cbc-423a-aea0-bf58d740c024",
            "creation_timestamp": "2024-11-19T10:45:45.634635+01:00",
            "type": "exploited",
            "source": "<source-of-the-sighting>",
            "vulnerability": "CVE-2024-9474",
            "author": {
                "login": "cedric",
                "name": "Cédric",
                "uuid": "8dfa6142-8c6d-4072-953e-71c85404aefb"
            }
        }
    ]
}
```
PyVulnerabilityLookup supports various object types within the VulnerabilityLookup framework. Refer to the tests for detailed examples and usage.
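A small sighting tool of the kind described under "Automation and tools", as an added example that is not part of the Vulnerability-Lookup documentation or its own tools: it extracts CVE identifiers from collected posts, deduplicates them per source, and builds sighting objects in the format shown on this page. The post layout (`url`, `text`), the sample posts, and the function names `build_sightings` and `submit` are assumptions made for illustration; only `create_sighting(sighting=...)` comes from the page.

```python
import re

# Positive sighting types from the table on this page. The wire spelling of
# the negative types is not shown here, so they are deliberately left out.
ALLOWED_TYPES = {"seen", "confirmed", "exploited", "patched"}
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)

# Constructed observations (not real posts); the dict layout is an assumption.
SAMPLE_POSTS = [
    {"url": "https://social.example.org/post/1",
     "text": "Discussion of cve-2024-9474 and CVE-2024-10312."},
    {"url": "https://social.example.org/post/2",
     "text": "Vendor note on CVE-2024-9474; see CVE-2024-9474 advisory."},
    {"url": "https://social.example.org/post/3",
     "text": "Malformed identifier CVE-24-1 should be ignored."},
]


def build_sightings(posts, sighting_type="seen"):
    """Return one sighting dict per distinct (source, vulnerability) pair."""
    if sighting_type not in ALLOWED_TYPES:
        raise ValueError(f"unsupported sighting type: {sighting_type!r}")
    emitted = set()
    sightings = []
    for post in posts:
        for match in CVE_RE.findall(post["text"]):
            vuln = match.upper()  # normalise case so duplicates collapse
            if (post["url"], vuln) in emitted:
                continue
            emitted.add((post["url"], vuln))
            sightings.append(
                {"type": sighting_type, "source": post["url"], "vulnerability": vuln}
            )
    return sightings


def submit(sightings, client):
    """Send each sighting; client is a PyVulnerabilityLookup object."""
    return [client.create_sighting(sighting=s) for s in sightings]


if __name__ == "__main__":
    # Offline dry run: print what would be submitted.
    for sighting in build_sightings(SAMPLE_POSTS):
        print(sighting)
```

Deduplicating on the (source, vulnerability) pair keeps a post that repeats an identifier from inflating the sighting count for that vulnerability.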