Axonius Threat Intelligence

Axonius Threat Intelligence enriches vulnerability data with additional exploit and threat context, helping you understand which CVEs are more likely to represent real-world risk. Instead of relying only on scanner severity or CVSS, you can see whether a vulnerability is known to be exploited, weaponized, or trending, whether it is associated with threat actors, ransomware, or botnets, and whether it is included in KEV sources. This gives your security teams better context for prioritization and helps them focus on vulnerabilities that are more likely to be actively used by attackers.

The data also improves investigation and decision-making by adding exploit timelines, references, affected CPEs, MITRE ATT&CK mappings, targeted industries/countries, and related threat activity directly into Axonius. As a result, your security teams can prioritize faster, reduce noise, and make more informed remediation decisions inside their existing exposure management workflows.

Notes

  1. This capability is available only for Exposures customers.
  2. Data received from Axonius Threat Intelligence is available on the Aggregated Security Findings page and on the Vulnerability Repository.

Field Mapping

Axonius Threat Intelligence retrieves and displays the following fields.

Note

Some fields are Complex Fields or Tables. See Asset Profile Page - Complex Fields for more information on table fields.

| Field Name | Description |
|---|---|
| In KEV | Whether the CVE is a Known Exploited Vulnerability |
| Vendor | The vendor or organization that owns the affected product |
| Product | The specific product affected by the vulnerability |
| Short Description | A brief summary of the vulnerability |
| Vulnerability Name | The common name assigned to the vulnerability |
| CISA Date Added | The date when CISA added the vulnerability to their KEV catalog |
| KEV Date Added | The date when Axonius first detected this vulnerability in the KEV catalog |
| Days Before CISA | The number of days between the Axonius detection and the addition to CISA, calculated as (CISA Date Added - KEV Date Added) in days (when both dates are present) |
| CWE ID | Common Weakness Enumeration identifiers associated with this vulnerability |
| Honeypot Detected | Whether Axonius detected exploitation attempts through the Honeypot network |
| Exploit References | Links to public exploit code repositories, converted from SSH clone URLs to HTTPS format |
| Citations | A complex field (table) of references to exploitation reports, with source URL and date added fields. Stores the following object fields: Source, Date Added |
| Public Exploit | Whether a publicly available exploit exists for this vulnerability |
| Weaponized Exploit Found | Whether a weaponized (ready-to-use) exploit was discovered |
| Exploit Maturity | The highest maturity level of available exploits (e.g., Proof of Concept, Functional, High) |
| First Weaponized Exploit | The date when the first weaponized or higher-maturity exploit was published |
| Exploits Count | Number of exploit instances associated with this CVE |
| Threat Actors Count | Number of threat actor groups associated with exploiting this CVE |
| Botnets Count | Number of botnet families associated with exploiting this CVE |
| Ransomware Families Count | Number of ransomware families associated with exploiting this CVE |
| Most Recent Exploitation | The most recent date of observed exploitation from Shadowserver or Honeypot sources |
| First Exploitation | The earliest date of observed exploitation |
| First Exploit Published | The date when the first exploit (on any maturity level) was published |
| Most Recent Exploit Published | The date when the most recent exploit was published |
| Associated Threat Actors | Names of threat actor groups known to exploit this CVE |
| Targeted Countries | Countries targeted by threat actors exploiting this vulnerability, aggregated across all associated actors |
| Targeted Industries | Industry sectors targeted by threat actors exploiting this vulnerability, aggregated across all associated actors |
| Botnets | Names of botnet families exploiting this CVE |
| Ransomware Families | Names of ransomware families exploiting this CVE |
| NVD Published | Whether the CVE has been officially published on NVD |
| CAPEC Mappings | A complex field (table) that displays Common Attack Pattern Enumeration and Classification mappings that describe attack methods. Stores the following object fields: CAPEC ID, Name, URL, Language |
| MITRE ATT&CK Techniques | A complex field (table) that displays MITRE ATT&CK framework techniques associated with exploiting this vulnerability. Stores the following object fields: ID, Name, URL, Domain, Tactics, Sub-Techniques |
| MITRE ATT&CK Mitigations | A complex field (table) that displays recommended mitigations for each associated ATT&CK technique. Stores the following object fields: ID, Technique ID, Mitigation URL, Description |
| MITRE ATT&CK Detections | A complex field (table) that displays detection methods for each associated ATT&CK technique. Stores the following object fields: ID, Technique ID, Data Source, Data Components, Detects |
| MITRE D3FEND Mappings | MITRE D3FEND defensive countermeasure mappings for each associated ATT&CK technique |
| CVE ID | The unique Common Vulnerabilities and Exposures identifier (e.g., CVE-2024-1234) |
| CVE Description | Detailed description of the vulnerability and its potential impact |
| First Found Date | The date when this vulnerability was first discovered |
| Affected CPEs | Common Platform Enumeration identifiers specifying affected software/hardware configurations |
| CVE References | URLs to external references about the vulnerability, filtered for relevant exploit information |
| CVSS Version | The version of the CVSS scoring system used (e.g., 4.0, 3.1) |
| CVSS Vector | The complete CVSS vector string representing all scoring metrics |
| CVE Vector: Attack Vector | How the vulnerability can be exploited (Network, Adjacent, Local, Physical) |
| CVE Vector: Access Complexity | The complexity required to exploit the vulnerability |
| CVE Vector: Privileges Required | The level of privileges an attacker needs before exploitation |
| CVE Vector: User Interaction | Whether exploitation requires user action |
| Commercial Exploit Found | Whether commercial exploit tools or frameworks include this vulnerability |
| First Threat Actor Report Date | The earliest date when a threat actor was reported exploiting this CVE |
| Most Recent Threat Actor Report Date | The most recent date when a threat actor was reported exploiting this CVE |
| First Ransomware Report Date | The earliest date when ransomware was reported exploiting this CVE |
| Most Recent Ransomware Report Date | The most recent date when ransomware was reported exploiting this CVE |
| First Botnet Report Date | The earliest date when a botnet was reported exploiting this CVE |
| Most Recent Botnet Report Date | The most recent date when a botnet was reported exploiting this CVE |
| Trending on GitHub | Whether exploit-related repositories for this CVE are trending on GitHub |
| Exploits | Detailed records of individual exploits |

Viewing Data

Data retrieved by Axonius Threat Intelligence is marked by a dedicated icon under the Adapter Connections column:

To add data from this source:

  1. From the Aggregated Security Findings page or the Vulnerability Repository, click the Query Wizard.

  2. Select Axonius Threat Intelligence from the Source dropdown.

  3. Select the required fields from the Field dropdown and apply any additional filters according to your needs. You can also add columns from Edit Columns > Edit Table.

    Example data:

Select an asset from the table to explore it on its Profile page, then select Axonius Threat Intelligence under Adapter Connections to view the relevant data.

Clickable field names are tables and appear under the Asset Profile's Tables section. For example, see the CVE References table: