securin-cve-enrichment

CVE Enrichment (Securin Core)

Purpose

Produce a complete global intelligence picture for a specific CVE or vulnerability — sourced from Securin Core's vulnerability & threat intelligence indices. This skill is about the vulnerability itself (severity, exploitation, threat actor attribution, affected products) and does not query the user's environment.

Pair skills:

• "Am I affected by this?" → use securin-threat-correlation.
• "How do I fix it?" → use securin-remediation-guidance.

When to use

• "Enrich CVE-2024-3400"
• "Tell me everything about this CVE"
• "Is this vulnerability being exploited?"
• "What's the CISA KEV status of…"
• "Who's exploiting CVE-XXXX?" (via searchThreatActorData + riskIndex.contributingFactors[])
• "What ransomware families use this CVE?" (via riskIndex.contributingFactors[] commentary + web search)

Pre-flight

Step 0 — Account preflight (CC-1)

See _shared/account-preflight.md. Even though this skill queries the global Core indices (not account-scoped data), the preflight still runs so that deep links (CC-2) and any cross-referenced environment data use the correct account context.

Before using this skill, read every file in the references folder, including the shared references/_shared/ docs.

Suggested tools

Pre-flight (CC-1, see shared doc)

• getUserProfile / listAccount — resolve accessible accounts
• getEffectiveAccess / getEffectiveAccessWorkspaces — validate per-resource access (hasActorAccessToResource is only for Views/Dashboards/Tags/Widgets)
• getAccountDetails — enrich account-ids for the picker

Core intelligence

• searchVulnerabilityData — core CVE record (CVSS, EPSS, Securin Risk Index/SVRS, CISA KEV, published/modified dates, CWE, affected products, exploit counts)
• searchThreatActorData — threat actors exploiting this CVE. Actor records are flat (top-level name, description, associatedGroups, vulnerabilities, …) — do NOT pass fields: ['threatActor']; that prefix doesn't match the actual shape and the call returns empty rows silently. Omit fields to get the full record, or list specific top-level keys.
• searchWeaknessData — CWE context, root-cause classification
• searchComponentData — affected software components / package versions
• getApiFields with entityType: ["VULNERABILITY"] — field discovery
• createDeepLink / getDeepLink — platform URLs (see _shared/deep-links.md)
• Web search (built-in) — vendor advisory, PoC status, security news

Workflow

Step 1 — Normalize the subject

• CVE ID format: CVE-YYYY-NNNNN. Normalize case, strip whitespace.
• Vulnerability name (no CVE): use it as a text query to searchVulnerabilityData via the name/alias fields; ask the user to confirm the match.

Step 2 — Parallel Core queries

Run these in parallel for latency:

Query	Purpose
searchVulnerabilityData filter: vulnerabilityId = 'CVE-XXXX'	Primary vuln record — also surfaces riskIndex.contributingFactors[] and riskIndex.changeLog[] with threat/ransomware commentary
searchThreatActorData filter: bare-path FQL on the actor record (e.g., vulnerabilities like 'CVE-XXXX-NNNNN' or associatedGroups like '<group>' — confirm the exact field via getApiFields(entityType=['THREATACTOR'])). Do NOT pass fields: ['threatActor'] — actor records are flat, so that prefix returns empty silently.	Actor attribution
searchWeaknessData filter: joined on CWE from vuln record	CWE context (run after step 2 primary completes, or parallel if CWE is known)
Web search	Ransomware / malware / campaign linkage via riskIndex.contributingFactors[] and web search

Namespace note: no vulnerabilities. prefix inside searchVulnerabilityData — use bare field paths (vulnerabilityId, not vulnerabilities.id). See _shared/fql-grammar.md.

Step 3 — Enrich affected products

From the vuln record's top-level products[] and vendors[] arrays (plus affectedSoftwareConfigurations for CPE-level detail and affectedProductCount for the rollup), call getProducts / searchComponentData to expand product names and versions into human-readable rows.

Step 4 — Web search for vendor advisory + PoC

Search the web for:

• The vendor advisory URL (e.g., site:paloaltonetworks.com CVE-2024-3400).
• Public PoC status (GitHub, Exploit-DB).
• Security news / exploitation timeline.

Read the content of the advisory — do not just link it. Extract: fixed version, disclosure timeline, known workarounds.

Step 5 — Generate deep links (CC-2)

Call createDeepLink for:

• The vulnerability detail view (platform's vulnerability page for this CVE).
• Filtered lists for any affected product / threat-actor / ransomware you mention.

See _shared/deep-links.md.

Step 6 — Synthesize report

Use the 7-section structure below. Every section that names an entity carries a deep link.

Response structure

## CVE-XXXX-YYYY — <title>

**Verdict:** <Critical / High / Medium / Low — KEV: yes/no — actively exploited: yes/no>

### 1. Identity
- CVE ID, published, modified, CWE, vendor
- [View on Securin Platform](<createDeepLink URL>)

### 2. Severity & Scoring
- CVSS v3: base / vector
- EPSS: probability
- Securin Risk Index / SVRS: score + severity band
- (interpretation — see references/risk-scoring.md)

### 3. Exploit Landscape
- CISA KEV: yes/no + date added
- Exploited in the wild: yes/no (source)
- Public PoCs: count + notable repos
- Exploit maturity: from the CVSS temporal/threat metric in `vulnerabilities.cvssv3.vector` (`E:F`/`E:P`/`E:U` → Functional / Proof-of-Concept / Unproven) or `vulnerabilities.cvssv4.vector` (`E:A`/`E:P`/`E:U` → Attacked / Proof-of-Concept / Unreported)

### 4. Threat Actor Attribution
| Actor | Motivation | Recent activity | Link |
|---|---|---|---|
| … | … | … | [View](<deep link>) |

### 5. Ransomware / Campaign Links
| Family / Campaign | First seen | Notes | Link |
|---|---|---|---|
| … | … | … | [View](<deep link>) |

### 6. Affected Products
| Vendor | Product | Affected versions | Fixed in | Link |
|---|---|---|---|---|
| … | … | … | … | [View](<deep link>) |

### 7. References
- Vendor advisory (quote the remediation steps)
- NVD entry
- CISA KEV entry (if applicable)
- Notable news / blog posts

### Next steps
- "Check if you're affected" → use **securin-threat-correlation**
- "Plan remediation" → use **securin-remediation-guidance**

Scope guard (CC-3)

If the user asks "am I affected" or "show me my exposures to this CVE", stop and hand off to securin-threat-correlation. This skill is strictly global intel.

If the user asks "how do I fix this", hand off to securin-remediation-guidance.

Edge cases

• CVE not found in Core: some very new CVEs may not be indexed yet. Tell the user, fall back to web search, and offer to re-run later.
• Reserved / rejected CVE: searchVulnerabilityData may return a record with minimal fields. Report what's available and flag status.
• Non-CVE vulnerability (vendor-specific ID): accept the vendor ID, query by name, surface the record but note no CVE mapping.
• Multiple matches on name search: ask the user to pick which CVE.

Visual output (CC-4)

When this skill produces aggregated or multi-row data (counts, trends, distributions, comparisons, single-CVE reports), emit a chart/graph/infographic in the Securin brand palette (#712880 / #453983 / #542ade / #987bf7 / #d7cbfb), Lato font, light theme, with the Securin logo. Default colormap uses the monotone gradient defined in _shared/brand.md. Offer customization after delivery; never default to a different brand.

References

• Risk Scoring Interpretation — how to read SVRS / EPSS / CISA KEV together.
• Shared: Account Preflight
• Shared: Deep Links
• Shared: FQL Grammar
• Shared: Sorting Rules
• Shared: Brand & Visual Communication