Skip to main content

National Vulnerability Database Feed v2

This Integration is part of the NVD Feed 2.0 Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.10.0 and later.

CVE feed from the National Vulnerability Database.

This integration was built and tested with version 2.0 of National Vulnerability Database API. See the NVD Developer API documentation for more information.

An API key for this feed can be obtained at the NIST NVD Developer Website

Configure National Vulnerability Database on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Data Enrichment & Threat Intelligence.

  2. Search for National Vulnerability Database.

  3. Click Add instance to create and configure a new integration instance.

    API KeyAPI Key from the NIST NVD Website (see above).True
    Start_dateStart date for the integration to begin fetching CVEs from (YYYY-MM-DD).True
    Return only CVEs that have a KEVCheck this box to only retrieve CVEs in the given date range that have a known exploited vulnerability (KEV) associated with them. Default: FALSE.False
    Source ReliabilityReliability of the source providing the intelligence data.True
    Indicator ReputationIndicators from this integration instance will be marked with this reputation.True
    Indicator Expiration MethodThe method to be used to expire indicators from this feed. Default: Never.True
    Feed Fetch IntervalInterval at which this feed will check for new CVE data. Default: 4 Hours.True
    Bypass exclusion listAllow this feed to bypass the Cortex XSOAR integrated exclusion list.False
    Trust any certificate (not secure)Should the feed trust self-signed certificates.False
    Use system proxy settingsUse the proxy settings configured on the Cortex XSOAR server.False
    TagsTag CVE indicators from this instance of the feed with the provided tag.False
    Traffic Light Protocol ColorThe Traffic Light Protocol (TLP) designation to apply to indicators fetched from the feed.False
    Log LevelIMPORTANT When performing a long initial fetch, it is recommended to set this to DEBUG. This will append output to /var/log/demisto/integration_instance.log so you can verify the feed is fetching data from NIST NVD. It is recommended to leave this log setting to OFF after the initial fetch. See NOTE ONE below for a sample of the debug output.False
  4. Click Test to validate the URLs, token, and connection.

NOTE ONE - Sample Debug Output - /var/log/demisto/integration_instance.log#

lastModStartDateDATE/TIME UTCThe start date for the current CVE fetch cycle.
lastModEndDateDATE/TIME UTCThe end date for the current CVE fetch cycle.
Fetch I terationIntegerCurrent iteration of the overall fetch from NIST NVD.
Iteration CountIntegerIteration round through the current fetch cycle. NVD breaks up fetches into chunks to alleviate server load. This is the current count through one of the chunks of CVE data.
Total Results for IterationIntegerTotal results returned for this fetch cycle chunk.
Current Total Fetched Indicator CountIntegerTotal number of CVEs fetched overall.
lastModStartDate: 2008-09-11T00:00:00.000
lastModEndDate: 2009-01-09T00:00:00.000
Fetch Iteration: 5
Iteration Count: 0
Total Results for Iteration: 1
Current Total Fetched Indicator Count: 4184


You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook.


Manually retrieve CVEs from NVD using the history parameter for the duration back to fetch.

Base Command#

!nvd-get-indicators history="7 days"


Argument NameDescriptionRequired
HistoryTime back to retrieve CVEs, e.g. 7 daysTrue