Splunk

VulnCheck Exploit Intelligence App For Splunk

Overview

The VulnCheck Exploit Intelligence App for Splunk empowers security teams to enrich CVE data with real-world exploitation intelligence directly inside Splunk. By integrating VulnCheck's comprehensive APIs, the app delivers enriched vulnerability insights, SBOM-driven risk analytics, and threat actor correlation, enabling customers to prioritize vulnerabilities based on active exploitation and real risk, not just static CVSS scores.

Application Features

CVE Enrichment Engine - Comprehensive CVE enrichment with VulnCheck's exploitation intelligence
SBOM Risk Analysis - Upload and analyze SPDX/CycloneDX SBOM files for vulnerability assessment
Interactive Dashboards - Executive Overview, CVE Explorer, SBOM Risk Analyzer, and Reporting dashboards
Custom Visualizations - Vulnerability priority pyramids, exploitation timelines, and threat intelligence displays
Notable Event Integration - Automatic enrichment of Splunk ES notable events with CVE intelligence
Adaptive Response Actions - Enrich IP addresses and CVEs from notable events with VulnCheck Intelligence data

Compatibility Matrix

Component	Version/Support
Splunk Enterprise	10.0.x, 9.4.x, 9.3.x, 9.2.x
Python Version	Python 3
Operating System	Platform Independent
Browser Support	Google Chrome, Mozilla Firefox
Deployment Types	Standalone, Distributed, Search Head Clustering, Splunk Cloud

Configuration Instructions

Pre-Requisites

Standard Splunk Enterprise configuration of Search Head, Indexer and Forwarder.

Installation

The VulnCheck Exploit Intelligence App for Splunk can be installed in the following ways:

Install from Splunk App Browser:
1. From your splunk UI, navigate to Find More Apps in top left corner.
2. Search for VulnCheck Exploit Intelligence App for Splunk.
3. Click Install and follow the prompts.
4. Restart Splunk if required.
Install from File (Manual Installation)
1. Login to the Splunkbase and search for the VulnCheck Exploit Intelligence App for Splunk.
2. Alternatively, navigate to the URL: https://splunkbase.splunk.com/app/8225
3. Download the latest version. SPL file will be downloaded.
4. Log in to Splunk Web and navigate to Apps > Manage Apps.
5. Click Install app from file.
6. Click Choose file and select the VulnCheck Exploit Intelligence App for Splunk installation file.
7. Click on Upload.
8. Restart Splunk if prompted.
- Alternative: The .tar or .spl file can also be extracted directly into the $SPLUNK_HOME/etc/apps/ directory.

Deployment Topologies

1. Standalone Mode

Install the VulnCheck app on the Splunk instance
Configure API key and start enrichment processes
All functionality available on single instance

2. Distributed Environment

Search Head: Install app and configure dashboards, correlation searches
Indexers: Install app for custom commands and data processing
Heavy Forwarders: Install app for data collection and enrichment
Configure KV store settings on forwarders
Configure correlation settings on search heads only

3. Cloud Environment

Install app on Splunk Cloud search heads
For data collection, install on IDM instance or on-premise heavy forwarders
Work with Splunk support team for IDM configuration

Configuration

Prerequisites

Before configuring the VulnCheck app, ensure you have:

VulnCheck API Key - Obtain from your VulnCheck account
Splunk Admin Access - Required for app configuration
KV Store Enabled - Verify KV store is enabled in Splunk
Network Connectivity - Access to api.vulncheck.com (configure proxy if needed)

Optional:

Splunk Enterprise Security - For notable event enrichment and adaptive response actions
Splunk Common Information Model (CIM) - For CIM-based vulnerability data enrichment

Account Configuration

Parameter	Required	Description
API Key	Yes	Your VulnCheck API key for accessing threat intelligence APIs

To Configure:

Navigate to VulnCheck App > Configuration
Enter your VulnCheck API Key
Click Save

Proxy Configuration

Configure proxy settings if your environment requires proxy access to external APIs.

Parameter	Required	Description
Enable	Optional	Check to enable proxy configuration
Proxy Type	Optional	HTTP proxy type (default: http)
Host	Optional	Proxy server hostname or IP address
Port	Optional	Proxy server port
Username	Optional	Proxy authentication username
Password	Optional	Proxy authentication password

To Configure:

Navigate to VulnCheck App > Configuration > Proxy
Check Enable checkbox
Enter proxy details
Click Save

Logging Configuration

Configure logging levels for troubleshooting and monitoring.

To Configure:

Navigate to VulnCheck App > Configuration > Logging
Select desired log level from dropdown (DEBUG, INFO, WARNING, ERROR)
Click Save

Enrichment Configuration

Configure automated enrichment of vulnerability data from various sources.

Parameter	Required	Description
Enable	Optional	Enable/disable enrichment process
Enrich Data For	Yes	Select data type (CVEs, PURLs, CPEs)
Data Source	Yes	Source type (Index, Lookup, CIM)
Index	Conditional	Splunk index for data source
Sourcetype	Conditional	Sourcetype for index-based enrichment
Field	Conditional	Field containing values to enrich
Other Fields	Optional	Additional fields user wants to include in the enriched data from the source.
Lookup	Conditional	Lookup to be used for enrichment
Column Name	Conditional	Column Name having values to enrich
Other Column Names	Optional	Other column names user wants to add in the enriched data from the source
Data Model	Static Value	Data model from which the data will be searched and enriched
Data Model Field	Static Value	Data Model field that contains the values to enrich
Store enrichment details to Index	Optional	Should data be saved in an index?
Index	Conditional	The index to save the enriched data
Interval	Yes	Enrichment frequency (1H, 4H, 6H, 12H, 24H)
Enrich Historical Data	Conditional	Enable to collect historical vulnerability data from a specific timestamp
Start Date	Conditional	Date and time from which you want to fetch events. Enter the value in 'YYYY-MM-DDThh:mm:ss' format e.g. 2025-04-17T09:12:36. Time zone will be set to UTC

To Configure:

Navigate to VulnCheck App > Configuration > Enrichment
Configure enrichment parameters
Click Save

SBOM Risk Analysis Configuration

Upload and analyze Software Bill of Materials files for vulnerability assessment.

Parameter	Required	Description
SBOM File	Yes	Upload SPDX or CycloneDX format file
SBOM File Identifier	Yes	Unique identifier for the SBOM file
Overwrite existing enriched data for this file	Optional	Replace existing data for same identifier
Store enrichment details to Index	Optional	Save enriched data to Splunk index
Index	Conditional	The index to save the enriched data

To Configure:

Navigate to VulnCheck App > Configuration > SBOM Risk Analysis
Upload SBOM file and configure parameters
Click Save

Ad Hoc Enrichment

Perform one-time enrichment of specific CVEs, PURLs, or CPEs.

Parameter	Required	Description
Enrich Data For	Yes	Data type (CVEs, PURLs, CPEs)
Ad hoc Input Type	Yes	Upload CSV or Add manually
CSV File	Conditional	Upload the CSV File here
Column Name	Conditional	The Column Name having values to enrich
Other Column Name	Conditional	Other columns you want to add in the enriched data from the source
Values	Conditional	Comma-separated list of identifiers
Store enrichment details to lookup	Optional	Save results to lookup table
Store enrichment details to Index	Optional	Save results to Splunk index
Index	Conditional	The index to save the enriched data

To Configure:

Navigate to VulnCheck App > Configuration > Ad hoc Enrichment
Select input method and provide values
Click Save

Dashboards

The VulnCheck Exploit Intelligence App For Splunk provides the following dashboards:

1. Executive Overview

Users can access this dashboard by going to VulnCheck Exploit Intelligence App For Splunk > Executive Overview.

Panel Name	Visualization	Description	Drilldown
Vulnerability Priority Pyramid	Custom Visualization	Visual pyramid showing CVE distribution across threat stages (Ransomware, Botnet, etc.).	No
Exploited CVEs	Single Value	Number of CVEs with new exploit activity in the selected time range.	No
Ransomware-Linked CVEs	Single Value	Number of CVEs newly associated with ransomware activity.	No
Botnets-Linked CVEs	Single Value	Number of CVEs newly associated with botnet activity.	No
Threat Actor-Linked CVEs	Single Value	Number of CVEs with new threat actor activity.	No
Proof of Concept-Linked CVEs	Single Value	Number of CVEs with new public proof-of-concept exploits.	No
Weaponized-Linked CVEs	Single Value	Number of CVEs with new weaponized exploit activity.	No
Top 5 Most Exploited CVEs	Table	Table of the top 5 CVEs with the highest exploit counts with extra information.	Yes (Clicking on any CVE redirects to CVE Explorer dashboard with the clicked CVE's details)
Top 10 Exploited CVEs	Pie chart	Pie chart of the top 10 most exploited CVEs.	No
Severity Breakdown	Pie chart	Pie chart showing the distribution of CVEs by severity (Critical, High, etc.).	No
20 Most Recent Exploit References	Table	Table of the 20 most recently added exploit references.	Yes (Clicking on any CVE redirects to CVE Explorer dashboard with the clicked CVE's details)
3 day trending CVEs	Table	Table of CVEs trending in the last 3 days and their reference count.	Yes (Clicking on any CVE redirects to CVE Explorer dashboard with the clicked CVE's details)
Top 10 Vulnerability Categories by Exploits	Line Chart	Top 10 Vulnerability Categories by Exploits.	No
Top 10 Weakness (CWE) Distribution	Area Chart	Top 10 CWE (weakness) types by count.	No
Exploit Publication Trend of Last Year	Line Chart	Timechart showing the number of CVEs with new exploits over time.	No
Recent VulnCheck KEVs Not in CISA KEV	Table	CVEs in VulnCheck KEV but not in CISA KEV, with risk and exploit details.	Yes (Clicking on any CVE redirects to CVE Explorer dashboard with the clicked CVE's details)
CVSS and VulnCheck KEV Discrepancies	Table	CVEs with low/medium CVSS but in VulnCheck KEV, highlighting risk discrepancies.	Yes (Clicking on any CVE redirects to CVE Explorer dashboard with the clicked CVE's details)
Top 10 Threat Actors by CVE Volume	Bar Chart	Top 10 threat actors associated with the most CVEs.	No
Top 10 Ransomware by CVE Volume	Bar Chart	Top 10 ransomware families by CVE association.	No
Top 10 Botnets by CVE Volume	Bar Chart	Top 10 botnets by CVE association.	No
MITRE ATT&CK Details	Custom Visualization	MITRE ATT&CK heatmap showing technique coverage by CVE count.	No

2. CVE Explorer

Users can access this dashboard by going to VulnCheck Exploit Intelligence App For Splunk > CVE Explorer.

Panel Name	Visualization	Description	Drilldown
CVE Threat Pyramid	Custom Visualization	Single-CVE pyramid showing threat stage classification.	No
Description	Table	Table showing the description of the selected CVE.	No
Exploit Information	Table	Table of key attributes: KEV status, status, exploit count, threat associations, etc.	No
EPSS	Table	EPSS score, percentile, and last modified date for the CVE.	No
CVSS-B	Table	CVSS base metrics (version, vector, impact, etc.) for the CVE.	No
CVSS-BT	Table	Temporal metrics for the CVE.	No
SSVC	Table	Stakeholder-Specific Vulnerability Categorization (CISA/VulnCheck) for the CVE.	No
Exploits Maturity	Pie Chart	Distribution of exploit maturity levels for the CVE.	No
Top 10 Exploits Sources	Bar Chart	Top sources of exploit references for the CVE.	No
Exploits Availability	Bar Chart	Types of exploit availability for the CVE.	No
Exploitation Lifecycle Timeline	Custom Visualization	Interactive timeline of key exploitation events for the CVE.	No
CVE Age (Days)	Single Value	Days since the CVE was published.	No
CVE Weakness Details	Column Chart	Distribution of CWE (weakness) types for the CVE.	No
Categorization tags	Pie Chart	Distribution of categorization tags for the CVE.	No
Exploits	Table	Table of known exploits for the CVE, with type, maturity, and date.	No
References	Table	Table of reference URLs and tags for the CVE.	No

3. SBOM Risk Analyzer

Users can access this dashboard by going to VulnCheck Exploit Intelligence App For Splunk > SBOM Risk Analyzer.

Panel Name	Visualization	Description	Drilldown
Top 10 Exploited SBOM Identifiers	Pie Chart	Top 10 SBOM file identifiers with the most exploited vulnerabilities.	No
Top 5 Most Exploited PURLs	Bar Chart	Top 5 package URLs (PURLs) in SBOM data by exploit count.	No
Top 5 Most Exploited CPEs	Bar Chart	Top 5 CPEs in SBOM data by exploit count.	No
Total SBOM CVEs	Single Value	Number of unique CVEs for the selected SBOM file identifier.	No
Vulnerable Components	Table	Table of vulnerable products (PURLs/CPEs) in the selected SBOM, with risk and exploit info.	Yes (Clicking on any CVE redirects to CVE Explorer dashboard with the clicked CVE's details)
Fixed Versions	Table	Table of affected and fixed versions for vulnerable PURLs in the SBOM.	Yes (Clicking on any CVE redirects to CVE Explorer dashboard with the clicked CVE's details)

4. Ad hoc Enriched Data

Users can access this dashboard by going to VulnCheck Exploit Intelligence App For Splunk > Ad hoc Enriched Data.

This dashboard displays the latest enriched data from ad hoc enrichment operations. It shows the most recent results after enrichment is completed, providing visibility into CVEs, PURLs, or CPEs that were processed through the ad hoc enrichment feature.

Panel Name	Visualization	Description	Drilldown
Latest Ad hoc Enriched Data	Table	Displays the most recent enriched vulnerability data from ad hoc operations, including CVEs, exploit information, EPSS scores, and associated data.	No

5. Reporting

Users can access this dashboard by going to VulnCheck Exploit Intelligence App For Splunk > Reporting.

This dashboard provides a capture button. When the user presses it, a PDF file of the dashboard will be generated containing the information of the CVEs provided in the filter.

Panel Name	Visualization	Description	Drilldown
Vulnerability Priority Pyramid	Custom Visualization	Visual pyramid showing CVE distribution across threat stages (Ransomware, Botnet, etc.).	No
Exploited CVEs	Single Value	Number of CVEs with new exploit activity in the selected time range.	No
Ransomware-Linked CVEs	Single Value	Number of CVEs newly associated with ransomware activity.	No
Botnets-Linked CVEs	Single Value	Number of CVEs newly associated with botnet activity.	No
Threat Actor-Linked CVEs	Single Value	Number of CVEs with new threat actor activity.	No
Proof of Concept-Linked CVEs	Single Value	Number of CVEs with new public proof-of-concept exploits.	No
Weaponized-Linked CVEs	Single Value	Number of CVEs with new weaponized exploit activity.	No
Top 5 Most Exploited CVEs	Table	Table of the top 5 CVEs with the highest exploit counts with extra information.	Yes (Clicking on any CVE redirects to CVE Explorer dashboard with the clicked CVE's details)
Top 10 Exploited CVEs	Pie chart	Pie chart of the top 10 most exploited CVEs.	No
Severity Breakdown	Pie chart	Pie chart showing the distribution of CVEs by severity (Critical, High, etc.).	No
20 Most Recent Exploit References	Table	Table of the 20 most recently added exploit references.	Yes (Clicking on any CVE redirects to CVE Explorer dashboard with the clicked CVE's details)
3 day trending CVEs	Table	Table of CVEs trending in the last 3 days and their reference count.	Yes (Clicking on any CVE redirects to CVE Explorer dashboard with the clicked CVE's details)
Top 10 Vulnerability Categories by Exploits	Line Chart	Top 10 Vulnerability Categories by Exploits.	No
Top 10 Weakness (CWE) Distribution	Area Chart	Top 10 CWE (weakness) types by count.	No
Exploit Publication Trend of Last Year	Line Chart	Timechart showing the number of CVEs with new exploits over time.	No
Recent VulnCheck KEVs Not in CISA KEV	Table	CVEs in VulnCheck KEV but not in CISA KEV, with risk and exploit details.	Yes (Clicking on any CVE redirects to CVE Explorer dashboard with the clicked CVE's details)
CVSS and VulnCheck KEV Discrepancies	Table	CVEs with low/medium CVSS but in VulnCheck KEV, highlighting risk discrepancies.	Yes (Clicking on any CVE redirects to CVE Explorer dashboard with the clicked CVE's details)
Top 10 Threat Actors by CVE Volume	Bar Chart	Top 10 threat actors associated with the most CVEs.	No
Top 10 Ransomware by CVE Volume	Bar Chart	Top 10 ransomware families by CVE association.	No
Top 10 Botnets by CVE Volume	Bar Chart	Top 10 botnets by CVE association.	No
MITRE ATT&CK Details	Custom Visualization	MITRE ATT&CK heatmap showing technique coverage by CVE count.	No

Customer Commands

The app provides eight custom commands for enrichment and data collection:

vulncheckexploitenrichmentalltimecommand

Description: Enriches all CVEs in the lookup with VulnCheck Exploit Intelligence data
Parameters:
- None (operates on all CVEs in input)

vulncheckexploitenrichmentindexcommand

Description: Enriches CVEs from index-based data sources using VulnCheck intelligence
Parameters:
- index: Splunk index to search
- field(s): Field(s) containing CVE identifiers

vulncheckexploitenrichmentlookupcommand

Description: Enriches CVEs from lookup-based data sources using VulnCheck intelligence
Parameters:
- lookup: Lookup table name
- field(s): Field(s) containing CVE identifiers

vulncheckexploitenrichmentcimcommand

Description: Enriches CVEs from the Splunk CIM Vulnerabilities data model using VulnCheck intelligence
Parameters:
- datamodel: Name of the CIM data model
- field(s): Field(s) containing CVE identifiers

vulnchecktrendingcvescommand

Description: Retrieves trending CVEs from VulnCheck based on recent exploit intelligence (e.g., 3-day trending)
Parameters:
- None (fetches trending CVEs)

vulncheckexploitadhocenrichmentcommand

Description: Performs ad hoc enrichment of user-specified CVEs, CPEs, or PURLs using VulnCheck intelligence
Parameters:
- cves: List of CVEs
- cpes: List of CPEs
- purls: List of PURLs

vulncheckexploitintelligencesbomriskanalysiscommand

Description: Takes SBOM Configuration and enriches data and stores it into the lookup
Parameters:
- SBOM Configuration

Note: Non-admin users require appropriate permissions to run custom commands.

Macros

enrichment_data_collection: Macro for full data collection search query string with index, sourcetype and source.
enrichment_indexes: Defines the Splunk index(es) to use for enrichment searches. Dynamically updated based on user configuration.
enrichment_sourcetype: Specifies the sourcetype(s) for enrichment. Dynamically updated.
enrichment_index_type_query: Macro containing the stats/aggregation logic for index-based enrichment.
enrichment_lookup_type_query: Macro containing the stats/aggregation logic for lookup-based enrichment.
enrichment_field: Field name used for enrichment (e.g., CVE, CPE, PURL).
enrichment_other_field: Additional fields to include in enrichment queries.
source_type_lookup: Macro for lookup name to be used for enrichment.
source_lookup_column: Macro for lookup column used for enrichment.
source_lookup_other_column: Macro for other lookup columns that are appended in enrichment data.
adhoc_index_search: Macro for ad hoc index search string. Used to specify which index ad hoc enriched data should be saved to.
sbom_index_search: Macro for SBOM index search string. Used to specify which index SBOM enriched data should be saved to.

Adaptive Response Actions

vulncheck_exploit_intelligence_enrich_notable
- Enriches notable events containing CVE identifiers with comprehensive VulnCheck threat intelligence
- How to Use in Splunk ES
  - Manual Usage: Navigate to Mission Control ’ Select a notable ’ Click on 3 dots at top ’ Run Adaptive Response Action ’ VulnCheck - Enrich CVEs from Notables ’ Run
  - Automatic Usage: There is a SavedSearch (vulncheck_exploit_intelligence_notable_index_enrichment) that will automatically enrich all notable CVEs.
  - NOTE: This saved search will be disabled by default, and users can enable it if they want to automatically enrich the CVEs.
vulncheck_exploit_intelligence_ip_intelligence_enrich_notable
- Enriches notable events containing IP addresses with VulnCheck IP Intelligence threat data
- How to Use in Splunk ES
  - Manual Usage: Navigate to Mission Control ’ Select a notable ’ Click on 3 dots at top ’ Run Adaptive Response Action ’ VulnCheck - Enrich IPs from Notables ’ Run

Note: If a user wants to know how to create notable events, refer to this document

Lookups

The app maintains several lookup tables for persistent data storage:

vulncheck_enriched - Primary enriched vulnerability data
sbom_identifiers - SBOM file identifier tracking

Saved Searches

The app includes several automated saved searches:

vulncheck_exploit_intelligence_enrichment_all_time - This saved search will periodically enrich all existing CVEs in the enriched lookup file using VulnCheck data
vulncheck_exploit_intelligence_lookup_clean_up - This saved search cleans up old records from the vulncheck_enriched lookup to maintain data hygiene. By default this saved search will be disabled and users can enable and set the time, and records older than that time will be removed
vulncheck_exploit_intelligence_enrichment_index_search - This saved search will run at every configured interval and will populate the enrichment lookup with data derived from the specified index and sourcetype
vulncheck_exploit_intelligence_enrichment_lookup_search - This saved search will run at every configured interval and will update the enrichment lookup with data sourced from an existing lookup table
vulncheck_exploit_intelligence_enrichment_cim_search - This saved search will run at every configured interval and will fill the enrichment lookup with vulnerability data extracted from the Splunk Common Information Model (CIM)
vulncheck_exploit_intelligence_notable_index_enrichment - This saved search will run every 30 minutes to enrich notables containing CVEs from the notable index

Management: Settings > Searches, reports, and alerts (filter by VulnCheck app)

To Enable/Disable Saved Searches:

Go to Settings > Searches, reports, and alerts. Filter by VulnCheck app, and enable/disable as needed.

Sourcetypes

vulncheck:enrichment - All enriched data stored in indexes

Sources

vulncheck:adhoc:purls - This source will have data for all the enriched data from ad hoc purls stored in indexes
vulncheck:adhoc:cves - This source will have data for all the enriched data from ad hoc cves stored in indexes
vulncheck:adhoc:cpes - This source will have data for all the enriched data from ad hoc cpes stored in indexes
vulncheck:enrichment:cves - This source will have data for all the enriched data from enrichment cves stored in indexes
vulncheck:enrichment:cpes - This source will have data for all the enriched data from enrichment cpes stored in indexes
vulncheck:enrichment:purls - This source will have data for all the enriched data from enrichment purls stored in indexes
vulncheck:sbom - This source will have data for all the enriched data from SBOM stored in indexes

Troubleshooting

General Checking

To troubleshoot VulnCheck Exploit Intelligence App For Splunk, check $SPLUNK_HOME/var/log/splunk/vulncheck_exploit_intelligence*.log or use the search query index="_internal" source=*vulncheck_exploit_intelligence*.log* to see all logs in the UI. For ERROR logs specifically, use index="_internal" source=*vulncheck_exploit_intelligence*.log* ERROR query in the Splunk UI.

Note that all log files of this App will be generated in $SPLUNK_HOME/var/log/splunk/ directory.

If users are facing problems related to CVE data not being visible in dashboards, check the vulncheck_enriched lookup.

App icons are not showing up: The app does not require a restart after installation for functionalities to work. However, icons will be visible after one Splunk restart post-installation.

Troubleshooting API Configuration

If API calls are failing, ensure that:

VulnCheck API key is properly configured in the app setup
Internet connectivity is active (configure proxy settings if required)
KV store is enabled in Splunk
Check vulncheck_exploit_intelligence_api.log for API-related error messages

Troubleshooting Data Collection & Enrichment

If data collection is not working, ensure that the internet is active (on a proxy machine, if proxy is enabled) and also ensure that the KV store is enabled.

Check vulncheck_exploit_intelligence*.log* files for VulnCheck Exploit Intelligence App For Splunk data collection for any relevant error messages

Troubleshooting Custom Commands

vulncheckexploitenrichmentalltimecommand Check vulncheck_exploit_intelligence_enrichment_all_time.log file for further analysis.

vulncheckexploitenrichmentindexcommand Check vulncheck_exploit_intelligence_enrichment_index_command.log file for further analysis.

vulncheckexploitenrichmentlookupcommand Check vulncheck_exploit_intelligence_enrichment_lookup_command.log file for further analysis.

vulncheckexploitenrichmentcimcommand Check vulncheck_exploit_intelligence_enrichment_cim_command.log file for further analysis.

vulncheckexploitadhocenrichmentcommand Check vulncheck_exploit_intelligence_ad_hoc_command.log file for further analysis.

vulnchecktrendingcvescommand Check vulncheck_exploit_intelligence_trending_cves_command.log file for further analysis.

vulncheckexploitintelligencesbomriskanalysiscommand Check vulncheck_exploit_intelligence_sbom_risk_analysis_command.log file for further analysis.

If notable enrichment is failing:

Check vulncheck_exploit_intelligence_enrich_notable_modalert.log and vulncheck_exploit_intelligence_cve_enrich_notable_helper.log for processing errors
Verify CVE patterns are detected in notable event fields
Ensure VulnCheck API connectivity for new CVE data
Check that comments are being added to notable events

VulnCheck IP Intelligence (vulncheck_exploit_intelligence_ip_intelligence_enrich_notable)

If IP enrichment is failing:

Check vulncheck_exploit_intelligence_ip_intelligence_enrich_notable_modalert.log and vulncheck_exploit_intelligence_ip_intelligence_notable_helper.log for processing errors
Verify IP addresses are extracted from notable fields
Ensure IPs are not filtered out as private/reserved addresses
Check VulnCheck IP Intelligence API connectivity

NOTE: If a user wants to know how to create notable events, refer to this document.

Upgrading

General Upgrade Steps

Go to Apps > Manage Apps and click on the "Install app from file".
Click on "Choose File" and select the VulnCheck Exploit Intelligence App for Splunk installation file.
Check the Upgrade app checkbox and click on Upload.
Restart the Splunk instance.

Upgrade to v1.0.1

Follow the General upgrade steps section.

Uninstalling

Standalone Environment

Remove app directory: $SPLUNK_HOME/etc/apps/vulncheck_exploit_intelligence_app_for_splunk
Remove log files: $SPLUNK_HOME/var/log/splunk/vulncheck_exploit_intelligence*.log*
Restart Splunk Enterprise

Distributed Environment

Remove app from all Splunk instances (Search Heads, Indexers, Forwarders)
Clean up log files on all instances
Restart all Splunk instances

ServiceNow

Alerts (Email / Slack)