Sightings
Presentation
Users have the possibility to add observations to vulnerabilities with different types of sightings, such as: seen, exploited, not exploited, confirmed, not confirmed, patched, and not patched.
| Type | Description | Negative/Opposite |
|---|---|---|
| seen | The vulnerability was mentioned, discussed, or observed by the user. | No |
| confirmed | The vulnerability has been validated from an analyst’s perspective | Yes |
| published-proof-of-concept | A public proof of concept is available for this vulnerability. | No |
| exploited | The vulnerability was observed as exploited by the user who reported the sighting. | Yes |
| patched | The vulnerability was observed as successfully patched by the user who reported the sighting. | Yes |
You can find the corresponding definition of this MISP taxonomy here.
Automation tools
Realistically, sightings are more likely to be created programmatically, for instance, based on observations gathered from social networks, network captures, etc.
Our tools on the Python Package Index (PyPI):
| Tool | Description |
|---|---|
| ShadowSight | A client that retrieves vulnerability observations from the The Shadowserver Foundation and pushes them to a Vulnerability-Lookup instance. |
| FediVuln | A client to gather vulnerability-related information from the Fediverse. |
| BlueSkySight | A client to gather vulnerability-related information from Bluesky. |
| MISPSight | A client that retrieves vulnerability observations from a MISP server and pushes them to a Vulnerability-Lookup instance. |
| NucleiVuln | A client designed to retrieve vulnerability-related observations from the Nuclei Git repository of templates and pushes them to a Vulnerability-Lookup instance. |
| ExploitDBSighting | A client that retrieves vulnerability observations from Exploit-DB and pushes them to a Vulnerability-Lookup instance. |
| KEVSight | A client to generate sightings for Vulnerability-Lookup from the Known Exploited Vulnerabilities (KEV) catalog. |
| GistSight | A client for gathering vulnerability-related information from GitHub Gists. |
| MetasploitSight | A client designed to retrieve vulnerability-related information from the modules available in Metasploit. |
If you want to create your own sighting tool, it’s recommended to use PyVulnerabilityLookup, a Python library to access Vulnerability-Lookup via its REST API.
Examples
Structure of a sighting object
{
"uuid": "f6ed692b-2656-4ce0-bcf1-eaf12dfe281d",
"vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
"author": "8dfa6142-8c6d-4072-953e-71c85404aefb",
"type": "seen",
"source": "https://infosec.exchange/users/cve/statuses/113389560858828548",
"vulnerability": "CVE-2024-10312",
"creation_timestamp": "2024-10-29T08:36:31.492184Z"
}A source is not necessarily a URL — it can be any string, including a MISP event UUID. Examples: https://vulnerability.circl.lu/sightings/?query=MISP
Initalization of a PyVulnerabilityLookup object
from pyvulnerabilitylookup import PyVulnerabilityLookup
vuln_lookup = PyVulnerabilityLookup("https://vulnerability.circl.lu/", token="<YOUR-API-TOKEN>")Retrieve sightings for a specific vulnerability
sighting_cve_list = vuln_lookup.get_sightings(vuln_id='CVE-2024-9474')
print(sighting_cve_list)Example output:
{
"metadata": {
"count": 104,
"page": 1,
"per_page": 1000
},
"data": [
{
"uuid": "b804f360-9d9f-4326-a1ae-e32fb82e268b",
"creation_timestamp": "2024-11-18T22:19:16.087185+00:00",
"type": "seen",
"source": "https://feedsin.space/feed/CISAKevBot/items/2704494",
"vulnerability": "CVE-2024-9474",
"author": {
"login": "automation",
"name": "Automation user",
"uuid": "9f56dd64-161d-43a6-b9c3-555944290a09"
}
}
]
}Create a new sighting
sighting = {"type": "exploited", "source": "<source-of-the-sighting>", "vulnerability": 'CVE-2024-9474'}
created_sighting = vuln_lookup.create_sighting(sighting=sighting)
print(created_sighting)Example output:
{
"metadata": {
"count": 1,
"page": 1,
"per_page": 1000
},
"data": [
{
"uuid": "b498cb64-9cbc-423a-aea0-bf58d740c024",
"creation_timestamp": "2024-11-19T10:45:45.634635+01:00",
"type": "exploited",
"source": "<source-of-the-sighting>",
"vulnerability": "CVE-2024-9474",
"author": {
"login": "cedric",
"name": "Cédric",
"uuid": "8dfa6142-8c6d-4072-953e-71c85404aefb"
}
}
]
}PyVulnerabilityLookup supports multiple object types within the Vulnerability-Lookup ecosystem.
For more examples, refer to the test suite:
tests <https://github.com/vulnerability-lookup/vulnerability-lookup/blob/main/tests/test_web.py>_.