DigitalRiskProt-02-CVE-Analysis
Overview
This workflow automates comprehensive CVE vulnerability analysis by querying multiple data sources including CVE databases, technology-specific lookups, and manual CVE inputs. It merges and deduplicates results using AI-powered scripting agents, maps critical vulnerabilities to MITRE ATT&CK TTPs and D3FEND countermeasures, and delivers enriched HTML reports via email for both complete and critical-only CVE summaries.
How It Works
- Multi-Source CVE Input Collection: Three parallel Input Nodes accept CVE data from different sources: a technology-based query (e.g., FortiOS), a list of manually specified CVE identifiers, and email configuration parameters for report distribution.
- Input Preparation: Scripting Agent Nodes format the technology list and manual CVE identifiers into structured JSON payloads suitable for API consumption, validating CVE ID formats and organizing technology entries.
- CVE Data Retrieval: Integration Nodes query the CVEs API service using three parallel approaches: searching by technology stack, searching by manual CVE IDs, and performing a general database search to ensure comprehensive coverage.
- Result Merging and Deduplication: A Scripting Agent Node compares results across all three sources, matching CVE IDs between the database and technology searches, then merges additional CVEs from the manual input while eliminating duplicates to produce a unified CVE dataset.
- Parallel Report Generation: The workflow branches into two concurrent paths:
Branch A - Complete CVE Report:
- An HTML report generator creates a detailed styled report with all analyzed CVEs, including CVSS scores, EPSS percentages, descriptions, NIST URLs, patch status, and publication dates, with entries sorted by severity
- The report is assembled with email configuration and sent via the mail-reporting Operation Node
Branch B - Critical CVE Analysis:
- A filtering agent extracts CVEs with CVSS scores equal to or greater than 9.0
- The critical CVEs are processed through the cve2capec Operation Node to map them through the CVE-to-CWE-to-CAPEC-to-ATT&CK chain
- A CAPEC analysis agent extracts all ATT&CK techniques (TTPs) and D3FEND defensive controls for each critical CVE
- A dedicated HTML report generator creates a critical-only report displaying CVEs with their associated TTPs and defensive countermeasures
- The critical report is assembled with email configuration and sent via a separate mail-reporting Operation Node
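The Input Preparation, Result Merging and Deduplication, and Branch B filtering steps above, as an added Python example written for this page; it is not the workflow's own Scripting Agent code, and the three result sets and the field names (id, cvss, epss, patched, published) are constructed assumptions about what the CVEs API returns.

```python
import re

# Constructed sample result sets standing in for the three CVEs API queries (not real data).
TECH_RESULTS = [
    {"id": "CVE-2024-0001", "cvss": 9.8, "epss": 0.92, "patched": False},
    {"id": "CVE-2024-0002", "cvss": 7.5, "epss": 0.10, "patched": True},
]
DB_RESULTS = [
    {"id": "cve-2024-0001", "cvss": 9.8, "published": "2024-01-10"},  # same CVE, lowercase id
    {"id": "CVE-2024-0003", "cvss": 9.1, "epss": 0.40, "patched": False},
]
MANUAL_INPUT = ["CVE-2024-0004", "cve-2024-0002", "not-a-cve", " CVE-2024-0004 "]
MANUAL_RESULTS = [
    {"id": "CVE-2024-0004", "cvss": 6.5, "epss": 0.02, "patched": True},
    {"id": "CVE-2024-0002", "cvss": 7.5},  # already found by the technology search
]

CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

def prepare_manual_ids(raw_ids):
    """Input Preparation: normalise, validate and dedupe manual CVE IDs for the API payload."""
    accepted = []
    for raw in raw_ids:
        cid = raw.strip().upper()
        if CVE_ID_RE.match(cid) and cid not in accepted:
            accepted.append(cid)
    return {"cve_ids": accepted}

def merge_cve_results(*sources):
    """Result Merging: key every record on its normalised CVE ID. The first source to
    report a CVE wins; later sources only fill in fields the record does not have yet."""
    merged = {}
    for records in sources:
        for rec in records:
            cid = rec["id"].strip().upper()
            entry = merged.setdefault(cid, {"id": cid})
            for key, value in rec.items():
                if key != "id":
                    entry.setdefault(key, value)
    # Report order: highest CVSS first, CVE ID as a stable tie-breaker.
    return sorted(merged.values(), key=lambda r: (-r.get("cvss", 0.0), r["id"]))

def critical_cves(records, threshold=9.0):
    """Branch B filter: only CVEs with CVSS at or above the threshold go on to ATT&CK mapping."""
    return [r for r in records if r.get("cvss", 0.0) >= threshold]

if __name__ == "__main__":
    print("manual payload:", prepare_manual_ids(MANUAL_INPUT))
    unified = merge_cve_results(DB_RESULTS, TECH_RESULTS, MANUAL_RESULTS)
    for rec in unified:
        print(rec["id"], rec.get("cvss"), rec.get("epss"), rec.get("published"))
    print("critical:", [r["id"] for r in critical_cves(unified)])
```

Records missing a CVSS score sort to the bottom and never pass the critical filter, so an unscored CVE is reported but not mapped.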
Who is this for?
- Vulnerability management teams tracking CVEs across specific technology stacks and manual watchlists
- Security operations teams requiring automated CVE enrichment with MITRE ATT&CK and D3FEND mappings
- Threat intelligence analysts performing bulk CVE analysis with severity-based prioritization
- CISOs and security leadership needing automated executive-level reports on critical vulnerabilities
- Incident response teams correlating CVE disclosures with attack techniques and defensive measures
What problem does this workflow solve?
- Eliminates manual CVE lookup across multiple sources by automating parallel queries against databases, technology filters, and manual lists with intelligent deduplication
- Provides dual-tier reporting with both comprehensive and critical-severity views, enabling teams to prioritize remediation based on CVSS thresholds
- Automates the mapping of critical CVEs to ATT&CK TTPs and D3FEND countermeasures, reducing the time required for threat-informed vulnerability prioritization
- Delivers formatted email reports with enriched metadata including EPSS exploitation probability, NIST references, and patch status for immediate actionability
- Supports technology-specific monitoring by allowing targeted queries against vendor products, ensuring relevant CVEs are captured as they are published
Updated: 2026-03-19