Manually or periodically mitigate risks posed by CVEs detected on your managed internal and internet-facing assets.

A common vulnerability and exposure (CVE) is a type of vulnerability that adversaries may exploit if not remediated. For more information about CVEs on managed assets, see Vulnerabilities.
Important
You must have Cyber Risk Exposure Management enabled and the following required data sources configured to create CVEs with Global Exploit Activity playbooks:
  • CVEs with Global Exploit Activity - Internal Assets: XDR Endpoint Sensor or third-party data sources (Nessus Pro, Qualys, Rapid7, or Tenable.io)
  • CVEs with Global Exploit Activity - Internet-Facing Assets: Root domain configuration in Cyber Risk Exposure Management

Procedure

  1. Go to Workflow and Automation > Security Playbooks.
  2. On the Playbooks tab, choose Add > Build manually.
  3. On the Playbook Settings panel, select the Vulnerability type, specify a unique name for the playbook, and click Apply.
  4. On the Trigger Settings panel, select the trigger type and click Apply.
    • Manual: Allows you to start the playbook execution by clicking the Run icon
    • Scheduled: Allows you to schedule the playbook to run daily, weekly, or monthly
  5. On the Target Settings panel, select and configure the Target for the playbook and click Apply.
    If you need to mitigate risks for more than one target type, use the add node on the right of the Trigger node.
  6. If you need to take actions when specific conditions are met, configure the Condition node.
    1. Click the add node on the right of the Target node and click Condition.
    2. Create a condition setting by specifying the Parameter, Operator, and Value.
      • Parameter: For more information about the parameters, see the Highly-Exploitable CVEs widget in the Threat and Exposure Management app.
      • Operator:
        • IS: The condition is triggered if any of the values is matched
        • IS NOT: The condition is triggered if none of the values is matched
      • Value: For more information about the values for each parameter, see the Highly-Exploitable CVEs widget in the Threat and Exposure Management app.
    3. If you need to configure multiple sets of condition settings, click Add.
      Multiple condition settings are combined with a logical AND: the condition is met only if every setting matches.
    4. Click Apply.
    5. If you need to add more than one parallel Condition node, click the add node on the right of the Target node.
    6. If you need to configure action settings for the Condition node, add an Action node by clicking the add node on the right.
      For details, see Step 7.
    7. If you need to configure else-if conditions or else actions, add an Else-If Condition or Else Action node by clicking the add node under the Condition node.
      For details, see Step 9.
  7. Configure actions by adding an Action node.
    1. Click the add node on the right of the Condition node and click Action.
    2. On the Action Settings panel, select an Action.
      The available actions are grouped by category:
      Case Management:
      • Open new case: Creates a new case for the playbook execution results
      • Update existing case: Updates an existing case with the playbook execution results
      General:
      • Generate CSV file: Consolidates detected CVEs and generates CSV files that contain information about the CVEs and the affected assets
      Notification:
      • Send email notification of results: Notifies specified recipients of the playbook results
      • Send ticket notification of results: Sends a ServiceNow ticket notification of the playbook results
      • Send webhook notification of results: Sends specified channels a webhook notification of the playbook results
      Response Management:
      • Mitigate vulnerabilities in internal assets: Creates response actions to mitigate detected vulnerabilities on internal assets
    3. If you selected Generate CSV file, configure the CSV file settings.
      Select Generate separate files for each CVE to generate individual CSV files per CVE. When this option is selected, Security Playbooks generates one CSV file for each detected CVE.
      The generated CSV files contain the following information:
      CVE file fields:
      • cveId: The CVE identifier
      • globalExploitActivity: The global exploit activity level of the CVE
      • CVSS score: The Common Vulnerability Scoring System score
      • publishedTime: The date and time the CVE was published
      • exploitAttemptCount: The number of exploit attempts detected
      • hostCount: The number of affected hosts
      • references: Reference links for the CVE
      • preventionRules: Available prevention rules for the CVE
      • firstSeenTime: The date and time the CVE was first detected
      • status: The current status of the CVE
      For internet-facing assets, the CSV file also contains the following host information:
      Internet-facing host file fields:
      • host: The host name of the internet-facing asset
      • riskScore: The risk score of the host
      • cveCount: The number of CVEs detected on the host
      • cveList: The list of CVE identifiers detected on the host
      • ipList: The IP addresses associated with the host
      • hostProviderList: The hosting providers for the asset
      • serviceList: The services running on the host
      • portList: The open ports on the host
      • detectionTime: The date and time the CVE was detected on the host
    4. If you selected a notification action, configure the notification settings.
      The settings vary depending on the notification type:
      • Send email notification of results: Configure the subject prefix and specify the email addresses of recipients.
      • Send webhook notification of results: Configure the subject prefix and select the webhook channels to receive notifications.
        Tip
        To add a webhook connection, click Create channel.
      • Send ticket notification of results: Select the ServiceNow ticket profile and configure the ticket profile settings, including the assignment group, assigned user, and short description.
        Tip
        If you need to add a ticket profile, click Create ticket profile.
    5. Select whether to send a notification to request manual approval to create general actions, and then configure the notification settings if you require manual approval.
      Note
      Actions pending manual approval for over 24 hours expire and cannot be performed.
      • Notification method:
        • Email: Sends an email notification to specified recipients
        • Webhook: Sends a notification to specified webhook channels
      • Subject prefix: The prefix that appears at the start of the notification subject line
      • Recipients: The email addresses of recipients. This field only appears if you select Email for Notification method.
      • Webhook: The webhook channels to receive notifications. This field only appears if you select Webhook for Notification method.
      Tip
      To add a webhook connection, click Create channel.
    6. Click Apply.
    7. If you need to add more than one parallel action, click the add node on the right of the Target or Condition node.
  8. If you need to configure additional actions, add more Action nodes.
    You can add multiple action nodes to a playbook. For example, you can configure a Generate CSV file action followed by a Send email notification of results action to generate CSV files and then notify recipients of the results.
    Note
    Multiple Action nodes connected in series are executed one after another, in order.
    1. Click the add node on the right of the preceding node and click Action.
    2. Select an action from the Action drop-down list and configure the action settings.
      For details about the available actions and their settings, see Step 7.
    3. Click Apply.
  9. Configure Else-If Conditions or Else Actions if necessary.
    1. Click the add node below the Condition node and click Else-If Condition or Else Action.
    2. Configure a Condition node by following Step 6 or an Action node by following Step 7.
    • Which nodes you can add varies depending on the preceding node. For example, an Action node can only be followed by another Action node; a Condition node can be followed by an Action node or have an Else-If Condition or Else Action attached to it.
    • When a condition is false, the playbook performs the Else Action or checks whether its Else-If Condition is met. If the Else-If Condition is met, the playbook continues with the corresponding Else Action.
    • Multiple Action nodes connected in series are executed one after another, in order.
  10. Enable the playbook by toggling the Enable control on.
  11. Click Save.
    The playbook appears on the Playbooks tab in the Security Playbooks app.
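The CSV files produced by the Generate CSV file action (Step 7) are often handed to an analyst by the email or webhook notification. The following is an added example, not part of this documentation or the product, of a small triage script that reads a CVE file with the columns listed in Step 7 and orders the CVEs for remediation. The sample rows, the comma delimiter, the activity level names (High/Medium/Low) and the status value "Mitigated" are constructed assumptions; the product's actual values may differ.

```python
import csv
import io

# Constructed sample using the CVE file columns listed in Step 7; the
# delimiter, date format, level names and status values are assumptions.
SAMPLE_CVE_CSV = """cveId,globalExploitActivity,CVSS score,publishedTime,exploitAttemptCount,hostCount,references,preventionRules,firstSeenTime,status
CVE-0000-0001,High,9.8,2024-01-02T00:00:00Z,42,7,https://example.invalid/a,rule-A,2024-01-10T00:00:00Z,Open
CVE-0000-0002,Low,5.3,2023-11-20T00:00:00Z,0,12,https://example.invalid/b,,2024-01-11T00:00:00Z,Open
CVE-0000-0003,Medium,7.5,2024-02-01T00:00:00Z,3,1,https://example.invalid/c,,2024-02-05T00:00:00Z,Mitigated
"""

REQUIRED = ("cveId", "globalExploitActivity", "CVSS score",
            "exploitAttemptCount", "hostCount", "status")
ACTIVITY_RANK = {"high": 3, "medium": 2, "low": 1}  # assumed level names


def _num(value):
    """Tolerate blank or malformed numeric cells instead of crashing."""
    try:
        return float(value)
    except (TypeError, ValueError):
        return 0.0


def load_cves(text):
    """Parse one CVE CSV file and check that the expected columns exist."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in REQUIRED if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError("CSV is missing columns: %s" % ", ".join(missing))
    return list(reader)


def prioritize(rows, only_open=True):
    """Order CVEs for remediation: global exploit activity first, then
    observed exploit attempts, CVSS score and affected host count."""
    if only_open:
        rows = [r for r in rows if r["status"].strip().lower() != "mitigated"]
    return sorted(rows, key=lambda r: (
        ACTIVITY_RANK.get(r["globalExploitActivity"].strip().lower(), 0),
        _num(r["exploitAttemptCount"]),
        _num(r["CVSS score"]),
        _num(r["hostCount"]),
    ), reverse=True)


def summarize(rows):
    """Count CVEs per global exploit activity level."""
    counts = {}
    for r in rows:
        level = r["globalExploitActivity"].strip().lower() or "unknown"
        counts[level] = counts.get(level, 0) + 1
    return counts


if __name__ == "__main__":
    for r in prioritize(load_cves(SAMPLE_CVE_CSV)):
        print(r["cveId"], r["globalExploitActivity"], r["hostCount"])
```

Replace SAMPLE_CVE_CSV with the contents of a real generated file; unknown activity level names sort last rather than breaking the script.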