VulnCheck
Threat Intelligence- Overview
- Setup
- Data & mappings
- Operations & API
- Changelog
The VulnCheck Connector integrates with the VulnCheck threat-intelligence platform and synchronizes vulnerability and exploit intelligence into Brinqa. It downloads VulnCheck's data export ("backup") indices over HTTPS and maps them to Brinqa UDM models, including:
- CVE records enriched with NVD data, EPSS scores, CISA KEV / VulnCheck KEV details, exploit/weaponization signals, Microsoft KB threat data, and MITRE ATT&CK technique references.
- CWE weaknesses from the MITRE CWE catalog.
- CPE records from the VulnCheck CPE dictionary and the NVD CPE-match index.
- EOL advisories describing end-of-life product releases.
- MITRE ATT&CK techniques correlated to CVEs.
- Vendor security advisories from more than twenty publishers (Adobe, Chrome, Cisco, Citrix, Dell, Fedora, GCP, GitHub, HP, IBM, Intel, Kubernetes, Linux, Microsoft, MongoDB, Mozilla, Netgear, Oracle, Palo Alto, PostgreSQL, Red Hat, SUSE, Ubuntu).
Each VulnCheck index is fetched as a ZIP archive, decompressed (some entries are further GZIP-compressed), parsed as JSON, and mapped to connector objects.
Data retrieved from VulnCheck
| Connector Object | Required | Maps to Data Model |
|---|---|---|
| CVE | Yes | CVE |
| CWE | Yes | CWE |
| CPE | Yes | CPE |
| CPE Match | Yes | CPE Match |
| EOL Advisory | Yes | EOL Advisory |
| MITRE ATT&CK CVE | Yes | MITRE ATT&CK CVE |
Model relationships
For detailed steps on how to view the data retrieved from VulnCheck in the Brinqa Platform, see How to view your data.
Connection settings
When setting up a data integration, select VulnCheck from the Connector dropdown and provide the following:
| Setting | Required | Default | Description |
|---|---|---|---|
| Api URL | No | — | VulnCheck api url |
| Api token | No | — | VulnCheck api token |
| Preferred CVSS V3 source | No | — | Select which CVSS v3 authority should be used when multiple scores are available (NIST or CISA-ADP) |
Authentication
The connector authenticates to the VulnCheck API using a Bearer token (API token). The token is supplied as a configuration property and sent on every request in the Authorization header.
Endpoints
| Method | URL | Purpose |
|---|---|---|
| GET | {Api URL}/v3/index | Connection test (used by the connector's test operation). |
| GET | {Api URL}/v3/backup/{index} | Retrieve the download URL(s) for a data export index (e.g. vulncheck-nvd2, cwe, exploits, adobe). |
| GET | {download URL} | Download the ZIP export referenced by the backup index response. |
The default Api URL is https://api.vulncheck.com.
Request Headers
| Header | Value |
|---|---|
Authorization | Bearer {API token} |
User-Agent | Integration/1.0 (Brinqa; VulnCheck Connector; Build/{version}) |
X-Requested-With | brinqa (sent on export download requests) |
Sample Request
GET /v3/backup/vulncheck-nvd2 HTTP/1.1
Host: api.vulncheck.com
Authorization: Bearer <api-token>
Sample Response
The backup index response returns one or more time-stamped download URLs for the requested export:
{
"_benchmark": 0.123,
"_meta": { "timestamp": "2024-04-12T12:51:59Z" },
"data": [
{
"url": "https://storage.googleapis.com/vulncheck-backups/vulncheck-nvd2-2024-04-12.zip",
"date_added": "2024-04-12T00:00:00Z"
}
]
}
Response Fields
| Field | Description |
|---|---|
data | List of available export files for the index. |
data[].url | Signed URL of the ZIP export to download. |
data[].date_added | Timestamp the export file was produced. |
Using the Token
The API token is configured once and is automatically attached to every outgoing request as Authorization: Bearer {token}. The same token is used both for retrieving the backup index URLs and for downloading the referenced export archives.
How to obtain VulnCheck credentials
Obtain the required credentials (Api URL, Api token) from your VulnCheck administrator or the VulnCheck admin console, then enter them in the connection settings above.
Attribute mappings
Expand the sections below to view the mappings between the source and the Brinqa data model attributes:
CVE
| Source Field Name | SDM Attribute |
|---|---|
alias | ALIAS |
categorization.tags | TAGS |
| cisa_date_added | CISA_KEV_DATE |
cisaActionDue | CISA_DUE_DATE |
cisaRequiredAction | CISA_REQUIRED_ACTION |
| commercial_exploit_found | COMMERCIAL_EXPLOIT |
| date_added | SOURCE_CREATED_DATE |
| derived from cisa_date_added | IN_CISA_KEV |
| derived from selected CVSS v2/v3/v4 vector strings | (CVSS base/temporal metrics) |
descriptions[lang=en].value | DESCRIPTION |
id | NAME |
id (vulncheck-nvd2) | UID |
inKEV | CISA_EXPLOITED |
inVCKEV | IN_VCKEV |
knownRansomwareCampaignUse (vulncheck-kev) | KNOWN_ACTIVE_RANSOMWARE_CAMPAIGN |
lastModified | SOURCE_LAST_MODIFIED |
| max_exploit_maturity | EXPLOIT_MATURITY |
metrics.cvssMetricV2[].source | CVSS_V2_BASE_VECTOR_SOURCE |
metrics.cvssMetricV31[].source | CVSS_V3_BASE_VECTOR_SOURCE |
metrics.cvssMetricV31[].source | CVSS_V3_TEMPORAL_VECTOR_SOURCE |
metrics.cvssMetricV40[].source | CVSS_V4_VECTOR_SOURCE |
metrics.epss.epss_percentile | EPSS_PERCENTILE |
metrics.epss.epss_score | EPSS_SCORE |
metrics.epss.last_modified | EPSS_LAST_MODIFIED |
metrics.temporalCvssV2Secondary[].source | CVSS_V2_TEMPORAL_VECTOR_SOURCE |
mitreAttackTechniques[].id | ATTACK_TECHNIQUES |
public_exploit_found (exploits) | PUBLIC_EXPLOIT |
published | PUBLISHED_DATE |
references[] | REFERENCES |
relatedAttackPatterns[].capec_id | ATTACK_PATTERNS |
| reported_exploited | REPORTED_EXPLOITED |
| reported_exploited_by_botnets | USED_BY_BOTNETS |
| reported_exploited_by_ransomware | USED_BY_RANSOMWARE |
| reported_exploited_by_threat_actors | USED_BY_THREAT_ACTORS |
| required_action | RECOMMENDATION |
shortDescription | SUMMARY |
sourceIdentifier | SOURCE_IDENTIFIER |
threat.dos | DOS |
threat.exploited | THREAT_EXPLOITED |
threat.latest_software_release | THREAT_LATEST_SOFTWARE_RELEASE |
threat.level | THREAT_LEVEL |
threat.older_software_release | THREAT_OLDER_SOFTWARE_RELEASE |
threat.publicly_disclosed | THREAT_PUBLICLY_DISCLOSED |
threat.type (microsoft-kb) | THREAT_TYPE |
timeline.first_reported_threat_actor | FIRST_REPORTED_THREAT_ACTOR |
timeline.most_recent_reported_threat_actor | LAST_REPORTED_THREAT_ACTOR |
trending.github | GITHUB_TRENDING |
| vulncheckKEVExploitAdd / cisaExploitAdd | CISA_ADDED_DATE |
vulnerableCPEs | AFFECTED / CPE_RECORDS |
vulnStatus | SOURCE_STATUS |
weaknesses[].description[lang=en].value | CWE_IDS / WEAKNESSES |
| weaponized_exploit_found | WEAPONIZED_EXPLOIT |
CWE
| Source Field Name | SDM Attribute |
|---|---|
abstraction | ABSTRACTION |
| CWE- + weakness_id | UID |
description | DESCRIPTION |
| kev_count | KEV_COUNT |
status | STATUS / SOURCE_STATUS |
structure | STRUCTURE |
| vulncheck_nvd_count | VULN_CHECK_NVD_COUNT |
weakness_name (falls back to UID) | NAME |
| weighted_score | WEIGHTED_SCORE |
CPE
| Source Field Name | SDM Attribute |
|---|---|
baseCPE | UID / NAME / BASE_CPE_NAME |
| parsed from CPE | VERSION |
| parsed from CPE | PART |
| parsed from CPE | VENDOR |
| parsed from CPE | PRODUCT |
| parsed from CPE | EDITION |
| parsed from CPE | LANG |
| parsed from CPE | OTHER |
| parsed from CPE | SOFTWARE_EDITION |
| parsed from CPE | TARGET_HARDWARE |
| parsed from CPE | TARGET_SOFTWARE |
| parsed from CPE | UPDATE |
CPE Match
| Source Field Name | SDM Attribute |
|---|---|
created | SOURCE_CREATED_DATE |
criteria | UID / NAME |
| lastModified / cpeLastModified | SOURCE_LAST_MODIFIED |
matchCriteriaId | MATCH_CRITERIA_ID |
| parsed from criteria | PART |
| parsed from criteria | VENDOR |
| parsed from criteria | PRODUCT |
| parsed from criteria | VERSION |
| parsed from criteria | UPDATE |
| parsed from criteria | EDITION |
| parsed from criteria | LANG |
| parsed from criteria | SOFTWARE_EDITION |
| parsed from criteria | TARGET_SOFTWARE |
| parsed from criteria | TARGET_HARDWARE |
| parsed from criteria | OTHER |
status | SOURCE_STATUS / STATUS |
EOL Advisory
| Source Field Name | SDM Attribute |
|---|---|
| already_eol | IS_EOL |
cpe | CPE_RECORDS |
| eol_date | EOL_DATE |
product | PRODUCT |
| release_date | RELEASE_DATE |
| release_name | NAME |
| source_url | UID |
| source_url | URL |
vendor | VENDOR |
MITRE ATT&CK CVE
| Source Field Name | SDM Attribute |
|---|---|
| cve_list | CVE_RECORDS / CVE_IDS |
derived from technique_id.id | PARENT_TECHNIQUE |
technique_id.domain | DOMAIN |
technique_id.id | UID |
technique_id.name | NAME |
technique_id.subtechnique | SUB_TECHNIQUE |
technique_id.tactics | TACTICS |
technique_id.url | URL |
Operations & API
Expand each connector object to see its operation options, delta-sync behavior, and the API it uses. See connector operation options for how to apply operation options (keys and values are case-sensitive).
CVE
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST endpoint (backup export) · Endpoint:
GET /v3/backup/vulncheck-nvd2
CWE
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST endpoint (backup export) · Endpoint:
GET /v3/backup/cwe
CPE
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST endpoint (backup export) · Endpoint:
GET /v3/backup/vc-cpe-dictionary
CPE Match
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST endpoint (backup export) · Endpoint:
GET /v3/backup/nist-nvd2-cpematch
EOL Advisory
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST endpoint (backup export) · Endpoint:
GET /v3/backup/eol
MITRE ATT&CK CVE
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST endpoint (backup export) · Endpoint:
GET /v3/backup/mitre-attack-cve
Changelog
The VulnCheck connector has undergone the following changes:
| Version | Description | Migration Steps |
|---|---|---|
| 3.0.19 | Improvements Dependency Upgrades Upgraded internal framework and model libraries to the latest stable versions for improved reliability, security patches, and alignment with the rest of the connector platform. | N/A |
| 3.0.18 | New Features - Added a Preferred CVSS V3 source configuration property. When a CVE has CVSS v3 scores from multiple authorities, you can now choose which source (for example NIST or CISA-ADP) the connector uses, so the CVSS v3 vector, score, and severity reflect your preferred scoring authority. | • Cve: The selected CVSS v3 source now drives the stored CVSS v3 vector, score, and sub-metrics, so those values may change for CVEs that carry scores from more than one authority — Action: re-sync the VulnCheck connector to refresh CVSS v3 values. |
| 3.0.17 | New Features - Ubuntu advisories now include the source advisory URL, affected packages, and upstream/break/fix commit references, giving fuller context on each Ubuntu security notice. | • Ubuntu: The identifier for Ubuntu advisories is now derived from the advisory URL alone (the publish date is no longer part of the identifier), which changes the identity of existing Ubuntu records — Action: purge existing Ubuntu records and re-sync the VulnCheck connector. |
| 3.0.16 | Improvements - CVE records now carry the originating vendor. - Palo Alto advisories now include associated CWE identifiers and weakness descriptions. - CPE Match records now include a status value. | N/A |
| 3.0.15 | Improvements Dependency Upgrades Upgraded internal framework and model libraries to the latest stable versions for improved reliability, security patches, and alignment with the rest of the connector platform. | N/A |
| 3.0.14 | New Features - Added support for CVSS v4 metrics on CVE records, including the CVSS v4 vector source, so CVEs scored with CVSS v4 are now represented in Brinqa. Improvements - Hardened CVSS metric parsing so CVEs with missing or empty metric blocks are processed reliably. | N/A |
| 3.0.13 | Improvements Dependency Upgrades Upgraded internal framework and model libraries to the latest stable versions for improved reliability, security patches, and alignment with the rest of the connector platform. | N/A |
| 3.0.12 | New Features - CVE records now indicate whether the vulnerability appears in the CISA Known Exploited Vulnerabilities (KEV) catalog and the date it was added. | N/A |
| 3.0.11 | Improvements - Mozilla advisories now present affected-component details (title, description, impact, reporter, and Bugzilla references) as readable, consolidated text. Bug Fixes - Corrected how the CWE weakness export is read so weaknesses are imported reliably. | N/A |
| 3.0.10 | Improvements - CPE dictionary records are now emitted per individual CPE entry and expanded into their full set of CPE 2.3 components (edition, language, software edition, target hardware, target software, update, vendor, and others), providing finer-grained and more complete CPE data. | • Cpe: CPE records are now keyed per individual CPE (rather than per base CPE) and the multi-valued PRODUCT_VERSIONS attribute was replaced by a single-valued PRODUCT_VERSION, changing both record identity and stored values — Action: purge existing CPE records and re-sync the VulnCheck connector. |
| 3.0.9 | New Features - Added a new CPE Match model that synchronizes CPE-match records from the NVD CPE-match index, broadening the CPE coverage available in Brinqa. | N/A |
| 3.0.8 | Bug Fixes - EPSS score and EPSS percentile on CVE records are now expressed as percentages (for example, 0.0038 is now stored as 0.38), making the values consistent with how EPSS is normally presented. | • Cve: EPSS score and EPSS percentile values are rescaled to percentages, so previously stored values will differ — Action: re-sync the VulnCheck connector to refresh EPSS values. |
| 3.0.7 | New Features - CVE records now include associated weakness descriptions and the CISA vulnerability name. Improvements - Clarified the CISA-exploited indicator on CVE records. | • Cve: The CISA-exploited indicator was renamed from IN_KEV to CISA_EXPLOITED, changing the attribute key for that value — Action: re-sync the VulnCheck connector to populate the renamed attribute. |
| 3.0.6 | Improvements Dependency Upgrades Upgraded internal framework and model libraries to the latest stable versions for improved reliability, security patches, and alignment with the rest of the connector platform. | N/A |
| 3.0.5 | Bug Fixes - Stopped populating the CVE alias field with the CISA required-action text, which had been incorrectly stored as an alias. | • Cve: The alias field no longer receives the CISA required-action text, so previously stored incorrect aliases should be cleared — Action: re-sync the VulnCheck connector to refresh CVE alias values. |
| 3.0.4 | Bug Fixes - Fixed parsing of Microsoft CVRF advisory identifiers so advisory IDs are read correctly. | N/A |
| 3.0.3 | Bug Fixes - Corrected the attack-techniques attribute mapping on CVE records so related MITRE ATT&CK technique references resolve to the proper target. | • Cve: The attack-techniques mapping target was corrected, changing how those references are stored — Action: re-sync the VulnCheck connector to refresh CVE attack-technique values. |
| 3.0.2 | Bug Fixes - Fixed the first-reported and last-reported threat-actor dates on CVE records, which were previously stored in an incorrect format. | • Cve: First-reported and last-reported threat-actor date values are corrected, so previously stored values will differ — Action: re-sync the VulnCheck connector to refresh these dates. |
| 3.0.1 | Improvements - CVE records now include the CVSS v3 temporal score. - CWE records now include a status value. - Dell advisories now include associated CVE identifiers. - GitHub advisories now include affected products. - Oracle advisories now include the publishing vendor. | N/A |
| 3.0.0 | Overview The VulnCheck connector integrates with the VulnCheck threat-intelligence platform to synchronize vulnerability, exploit, and security-advisory intelligence into Brinqa. It ingests VulnCheck's data exports — including enriched CVE records, CWE weaknesses, CPE records, end-of-life advisories, MITRE ATT&CK techniques, and security advisories from more than twenty vendors. Category: Threat Intelligence Models | N/A |