Searching for Vulnerabilities by product

Is it possible to use CTI Butler to filter results that only contain a certain product?

For example, only show CVEs that impact Cisco devices.

Yep it’s possible.

Here’s how vulnerabilities are modelled in CTI Butler.

The Indicator objects created for the vulnerability contain a pattern property, which in turn lists the CPEs impacted by the vulnerability.

Here’s an example:

FOR doc IN nvd_cve_vertex_collection
FILTER doc.type == "indicator"
AND CONTAINS(doc.pattern, "a:cisco")
LET keys = ATTRIBUTES(doc)
LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
RETURN KEEP(doc, filteredKeys)

[
  {
    "created": "2002-07-23T04:00:00.000Z",
    "created_by_ref": "identity--562918ee-d5da-5579-b6a1-fae50cc6bad3",
    "description": "Pingtel xpressa SIP-based voice-over-IP phone 1.2.5 through 1.2.7.4 allows attackers with physical access to restore the phone to factory defaults without authentication via a menu option, which sets the administrator password to null.",
    "external_references": [
      {
        "source_name": "cve",
        "url": "https://nvd.nist.gov/vuln/detail/CVE-2002-0672",
        "external_id": "CVE-2002-0672"
      }
    ],
    "id": "indicator--adb149cb-dac4-5e81-b6c3-f7354477a1df",
    "indicator_types": [
      "compromised"
    ],
    "modified": "2008-09-05T20:28:38.523Z",
    "name": "CVE-2002-0672",
    "object_marking_refs": [
      "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
      "marking-definition--562918ee-d5da-5579-b6a1-fae50cc6bad3"
    ],
    "pattern": "([(software:cpe='cpe:2.3:h:pingtel:xpressa:1.2.5:*:*:*:*:*:*:*') OR (software:cpe='cpe:2.3:h:pingtel:xpressa:1.2.7.4:*:*:*:*:*:*:*')])",
    "pattern_type": "stix",
    "pattern_version": "2.1",
    "spec_version": "2.1",
    "type": "indicator",
    "valid_from": "2002-07-23T04:00:00Z"
  },

It’s important to note here that the pattern property contains a logical rule. In many cases, just because a CPE appears in the pattern on its own does not mean it is vulnerable. For example, some software is only vulnerable if it is running on a certain OS.

To filter the results, you can use a CONTAINS operator on the pattern field:

FOR doc IN nvd_cve_vertex_collection
FILTER doc.type == "indicator"
AND CONTAINS(doc.pattern, "a:cisco")
LET keys = ATTRIBUTES(doc)
LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
RETURN KEEP(doc, filteredKeys)

Note that here I use a:cisco. This is searching for CPE strings that contain this pattern (where a = application, and cisco = vendor).

Read this post to understand CPE string structures if you’re new to them; it will help you write more advanced queries in CTI Butler.

For example, I could include specific product names too (really useful if you keep an SBOM of CPEs):

FOR doc IN nvd_cve_vertex_collection
FILTER doc.type == "indicator"
AND CONTAINS(doc.pattern, "a:cisco:secure_network_analytics")
LET keys = ATTRIBUTES(doc)
LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
RETURN KEEP(doc, filteredKeys)
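An added example, not CTI Butler's own code and not part of the original answer, that works the same pattern data outside the database. It pulls the CPE strings out of an Indicator's STIX pattern, shows how a raw substring search such as CONTAINS(doc.pattern, "a:cisco") differs from matching on the parsed vendor component (an h:cisco hardware CPE is missed by the substring, and any vendor whose name merely starts with "cisco" is caught by it), and then evaluates the pattern's AND/OR rule against an SBOM so a CPE that is only vulnerable in combination with a given OS is not flagged on its own. The first pattern is the one quoted above; the indicator ids marked PLACEHOLDER, the vendor ciscoclone, example_os, placeholder_router and the version numbers are constructed for the example.

```python
import re
from dataclasses import dataclass, astuple

# Constructed sample indicators. The first pattern is the one quoted in the
# post (CVE-2002-0672); the others use placeholder ids and invented CPEs.
SAMPLE_INDICATORS = [
    {"name": "CVE-2002-0672",
     "pattern": "([(software:cpe='cpe:2.3:h:pingtel:xpressa:1.2.5:*:*:*:*:*:*:*') "
                "OR (software:cpe='cpe:2.3:h:pingtel:xpressa:1.2.7.4:*:*:*:*:*:*:*')])"},
    # hardware part 'h': a substring search for "a:cisco" never sees it
    {"name": "CVE-PLACEHOLDER-A",
     "pattern": "([(software:cpe='cpe:2.3:h:cisco:placeholder_router:*:*:*:*:*:*:*:*')])"},
    # invented vendor 'ciscoclone': contains "a:cisco" but is not Cisco
    {"name": "CVE-PLACEHOLDER-B",
     "pattern": "([(software:cpe='cpe:2.3:a:ciscoclone:widget:1.0:*:*:*:*:*:*:*')])"},
    # logical rule: only vulnerable when the application runs on a given OS
    {"name": "CVE-PLACEHOLDER-C",
     "pattern": "[(software:cpe='cpe:2.3:a:cisco:secure_network_analytics:7.4.0:*:*:*:*:*:*:*') "
                "AND (software:cpe='cpe:2.3:o:example_os:example_os:*:*:*:*:*:*:*:*')]"},
]

# Constructed SBOM of what we actually run. Note: no example_os in it.
INVENTORY = [
    "cpe:2.3:h:cisco:placeholder_router:1.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:cisco:secure_network_analytics:7.4.0:*:*:*:*:*:*:*",
]

CPE_RE = re.compile(r"software:cpe\s*=\s*'([^']+)'")
TOKEN_RE = re.compile(r"\s*(\(|\)|\[|\]|AND|OR|software:cpe\s*=\s*'[^']+')")


@dataclass(frozen=True)
class Cpe:
    """First four CPE 2.3 components (part, vendor, product, version)."""
    part: str
    vendor: str
    product: str
    version: str

    @classmethod
    def parse(cls, s: str) -> "Cpe":
        fields = re.split(r"(?<!\\):", s)  # a literal ':' is escaped as '\:'
        if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
            raise ValueError(f"not a CPE 2.3 formatted string: {s}")
        return cls(*fields[2:6])


def cpe_matches(want: Cpe, have: Cpe) -> bool:
    """Attribute-wise match; '*' in the pattern CPE matches any value."""
    return all(w in ("*", h) for w, h in zip(astuple(want), astuple(have)))


def cpes_in_pattern(pattern: str) -> list[str]:
    """Every CPE string named in the STIX pattern, ignoring the logic."""
    return CPE_RE.findall(pattern)


def substring_filter(indicators, needle: str) -> list[str]:
    """What AQL CONTAINS(doc.pattern, needle) does: a raw substring search."""
    return [i["name"] for i in indicators if needle in i["pattern"]]


def vendor_filter(indicators, vendor: str) -> list[str]:
    """Match on the parsed vendor component, whatever the part (a/h/o)."""
    return [i["name"] for i in indicators
            if any(Cpe.parse(c).vendor == vendor for c in cpes_in_pattern(i["pattern"]))]


def tokenize(pattern: str) -> list[str]:
    tokens, pos, text = [], 0, pattern.strip()
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"unsupported pattern syntax near: {text[pos:pos + 20]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def evaluate(tokens: list[str], is_present) -> bool:
    """Recursive-descent evaluation of AND/OR/grouping over CPE comparisons."""
    pos = 0

    def parse_or():
        nonlocal pos
        value = parse_and()
        while pos < len(tokens) and tokens[pos] == "OR":
            pos += 1
            rhs = parse_and()  # always consume the operand, never short-circuit
            value = value or rhs
        return value

    def parse_and():
        nonlocal pos
        value = parse_atom()
        while pos < len(tokens) and tokens[pos] == "AND":
            pos += 1
            rhs = parse_atom()
            value = value and rhs
        return value

    def parse_atom():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok in ("(", "["):
            value = parse_or()
            if tokens[pos] != {"(": ")", "[": "]"}[tok]:
                raise ValueError("unbalanced grouping in pattern")
            pos += 1
            return value
        return is_present(CPE_RE.fullmatch(tok).group(1))

    result = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens in pattern")
    return result


def affected(indicators, inventory: list[str]) -> list[str]:
    """Indicators whose whole logical rule is satisfied by the inventory."""
    have = [Cpe.parse(c) for c in inventory]

    def is_present(cpe_str: str) -> bool:
        want = Cpe.parse(cpe_str)
        return any(cpe_matches(want, h) for h in have)

    return [i["name"] for i in indicators if evaluate(tokenize(i["pattern"]), is_present)]


if __name__ == "__main__":
    print("substring 'a:cisco':", substring_filter(SAMPLE_INDICATORS, "a:cisco"))
    print("vendor == cisco:    ", vendor_filter(SAMPLE_INDICATORS, "cisco"))
    print("rule satisfied:     ", affected(SAMPLE_INDICATORS, INVENTORY))
```

The three lists it prints differ on purpose: the substring search returns B and C, the vendor match returns A and C, and only A survives once the AND/OR rule is evaluated against the SBOM, because C's OS condition is not met. When the substring approach is all the query language offers, anchoring the needle on the part separator (for example "cpe:2.3:a:cisco:" or ":cisco:" followed by the product) avoids the partial-vendor matches shown here.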