Cisco Vulnerability Management supports a number of specific terms that can be used to search through certain data in your platform. For search examples, refer to the Simple and Complex Search Query Examples article.
Note: Keyword search terms look for an exact match, while text search terms return inexact (fuzzy) matches.
Below is a list of all currently supported search terms.
Asset Terms - combine together using any logical connectors
Syntax | Description |
Asset Locator Terms | |
asset_id:32716281 |
Search for an asset by its ID. |
file:"project/dev/file.js" |
Search for an asset by its file locator. |
application:"TestApp" |
Search for assets by application locator value. For more information, refer to Tokenized Search Tips. |
fqdn:"internal.foo.com" |
Search for an asset by fully-qualified domain name. |
hostname:"internal.foo.com" |
Search for an asset by hostname. For more information, refer to Tokenized Search Tips. |
ip:10.172.15.5 |
Search for an individual IP. |
ip:[10.0.0.1 TO 10.0.0.22] |
Search for a network range. |
mac_address:"4a:03:4c:73:12:96" |
Search for an asset by physical MAC address. |
netbios:"INTERNAL" |
Search for an asset by netBIOS name. |
os:"Windows" |
Search for assets by operating system. This is a wildcard search, which will match any OS strings containing "Windows". For more information, refer to Tokenized Search Tips. |
owner:"Lee Johnson" |
Search for assets by asset owner. |
priority:>5 |
Search for assets by priority. The search can be an exact score search (priority:6), or may use >, <, >=, or <= quantifiers. |
tag:"Web Servers" |
Search for assets by tag name. This is an explicit search that requires an exact tag match. Wildcard characters (* and ?) can also be used for partial matches. |
url:"https://external.foo.com" |
Search for an asset by its URL. |
external_id:1243443 |
Search for an asset by the scanner-assigned asset ID. |
container_id:abc123456... |
Search for a container asset by its full 64-character SHA256 container ID. Wildcard characters (* and ?) can also be used for partial matches. |
image_id:"sha256:abc123456 |
Search for an image asset by its full 64-character SHA256 image ID. Wildcard characters (* and ?) can also be used for partial matches. |
Asset Scoring Terms | |
asset_score:>610 |
Search assets based on their Cisco Security Risk Score (0 - 1000). The search can be an exact score search (such as asset_score:610), or may use >, <, >=, or <= quantifiers. |
Asset Date Terms | |
asset_created:<2024-08-02 |
Search for assets based on when they were created by a connector. The search can be an exact date search (asset_created:2024-08-02), or may use >, <, >=, or <= quantifiers. |
asset_last_seen:<2024-08-02 |
Search for assets based on the last date/time they were seen by a connector. The search can be an exact date search (asset_last_seen:2024-08-02), or may use >, <, >=, or <= quantifiers. |
Vulnerability Terms - Combine together using any logical connectors
Syntax | Description |
Vulnerability Detail Terms | |
cve:2014-0160 |
Search vulnerabilities by specific CVE identifier. Note: Passing multiple CVE IDs surrounded by double quotes uses OR logic in the blank spaces. For example: cve:("2014-0160" "2014-0161" "2014-0162") translates to cve:("2014-0160" OR "2014-0161" OR "2014-0162"). If you pass multiple CVE IDs without double quotes, AND will be used in between. The search will return any assets that have all of the identifiers associated. For example: cve:(2014-0160 2014-0161 2014-0162) translates to cve:(2014-0160 AND 2014-0161 AND 2014-0162). |
cve_description:"adobe" |
Search vulnerabilities by their description fields. This is a wildcard search, which will match any part of the description (for example, any vulnerabilities containing the string "adobe"). For more information, refer to Tokenized Search Tips. |
cwe:CWE-319 |
Search vulnerabilities by specific CWE identifier. |
exact_vulnerability_name:"*Adobe*" |
Search vulnerabilities by raw vulnerability name field. Wildcard characters (* and ?) can also be used for partial matches. |
fix_id:"VendorAdvisory: 20491" |
Search vulnerabilities by fix ID, usually formatted as a Vendor Advisory. |
fix_product:windows* |
Search vulnerabilities where fix applies to Windows. |
fix_title_keyword:"Java" |
Search vulnerabilities by fix title keywords. The match is case insensitive and no wildcards are needed. For more information, refer to Tokenized Search Tips. |
fix_title:"MS??-*" |
Search vulnerabilities by fix title with a fixed number of wildcarded characters. This is case sensitive. |
fix_category:Database |
Vulnerabilities with a fix that has the category Database. This is case sensitive. |
fix_vendor:openbsd |
Search vulnerabilities by fix vendor. |
port:8031 |
Search vulnerabilities affecting the specified port number. |
scanner_id:12345 |
Search vulnerabilities by scanner-specific finding identifier, for example, Qualys QID, Nessus plugin ID. Note that text searches must match the case seen in Cisco Vulnerability Management as this is a case sensitive field. |
scanner_unique_id:12345 |
Search vulnerabilities by scanner-specific generic identifier, for example, Qualys QID for Qualys WAS. Note that text searches must match the case seen in Cisco Vulnerability Management as this is a case sensitive field. |
vulnerability_id:3217887122 |
Search for a vulnerability by its ID. |
vulnerability_name:"Explorer" |
Search analyzed vulnerabilities by keyword. No wildcards needed. |
wasc:WASC-19 |
Search vulnerabilities by specific WASC identifier. |
Vulnerability Scoring Terms | |
scanner_score:>=3 |
Search vulnerabilities based on the score as determined by the scanner. Values are only populated/supported for Nexpose, Nessus, Qualys, and Security Center. You can also search exactly, for example, scanner_score:5 |
vulnerability_score:>55 |
Search vulnerabilities by their Cisco Security Risk Score (0-100 — note that this differs from the asset score, based on 0-1000). You can also search exactly, for example, vulnerability_score:60 |
Vulnerability CVSS Terms | |
cvss_v2_exploit_subscore:4.9 |
Search vulnerabilities based on their CVSS version 2 exploit subscore (0.0-10.0). The search can be an exact score search (cvss_v2_exploit_subscore:4.9), or you can use >, <, >=, or <= quantifiers. |
cvss_v2_impact_subscore:>4.9 |
Search vulnerabilities based on their CVSS version 2 impact subscore (0.0-10.0). The search can be an exact score search (cvss_v2_impact_subscore:4.9), or you can use >, <, >=, or <= quantifiers. |
cvss_v2_score:>=7.9 |
Search vulnerabilities based on their CVSS version 2 score (0.0-10.0). The search can be an exact score search (cvss_v2_score:7.9), or you can use >, <, >=, or <= quantifiers. |
cvss_v2_temporal_score:<7.9 |
Search vulnerabilities based on their CVSS version 2 temporal subscore (0.0-10.0). The search can be an exact score search (cvss_v2_temporal_score:7.9), or you can use >, <, >=, or <= quantifiers. |
cvss_v3_exploit_subscore:3.9 |
Search vulnerabilities based on their CVSS version 3 exploit subscore (0.0-10.0). The search can be an exact score search (cvss_v3_exploit_subscore:3.9), or you can use >, <, >=, or <= quantifiers. Includes both CVSS v3.0 and v3.1. |
cvss_v3_score:>=7.9 |
Search vulnerabilities based on their CVSS version 3 score (0.0-10.0). The search can be an exact score search (cvss_v3_score:7.9), or you can use >, <, >=, or <= quantifiers. Includes both CVSS v3.0 and v3.1. |
cvss_v3_temporal_score:<7.9 |
Search vulnerabilities based on their CVSS version 3 temporal subscore (0.0-10.0). The search can be an exact score search (cvss_v3_temporal_score:7.9), or you can use >, <, >=, or <= quantifiers. Includes both CVSS v3.0 and v3.1. |
cvss_v3_impact_subscore:>=7.9 |
Search vulnerabilities based on their CVSS version 3 impact subscore (0.0-10.0). The search can be an exact score search (cvss_v3_impact_subscore:7.9), or you can use >, <, >=, or <= quantifiers. Includes both CVSS v3.0 and v3.1. |
Vulnerability Date Terms | |
closed_at:>now-1d |
Search for vulnerabilities closed within a certain timeframe. You must also select a vulnerability status of closed. |
due_date:<2023-08-09 |
Search for vulnerabilities based on a configured Due Date. The search can be an exact date search (due_date:2023-08-09), or you can use >, <, >=, or <= quantifiers. |
fix_published:>now-90d |
Search for vulnerabilities with a fix published in the last 90 days. The search can be an exact date search (fix_published:2024-05-03), or you can use >, <, >=, or <= quantifiers. |
vulnerability_created:<2023-08-09 |
Search for vulnerabilities based on when they were created by a connector. The search can be an exact date search (vulnerability_created:2023-11-01), or you can use >, <, >=, or <= quantifiers. |
vulnerability_found:>now-90d |
Search for vulnerabilities found within the last 90 days. This time will be based on when a scanner found the vulnerability, if the scanner supports that information. If a 'found' time is not reported by a scanner, this time will be based on when the vulnerability was created in Cisco Vulnerability Management. The search can be an exact date search (vulnerability_found:2023-08-09), or you can use >, <, >=, or <= quantifiers. |
vulnerability_last_indexed_at:>2023-08-09 |
Search for vulnerabilities based on when they were last re-indexed. The search can be an exact date search (vulnerability_last_indexed_at:2023-11-02), or may use >, <, >=, or <= quantifiers. This example is vulnerability_last_indexed_at after August 9th, 2023. |
vulnerability_last_seen:<2023-08-09 |
Search for vulnerabilities based on the last date/time they were seen by a connector. The search can be an exact date search (vulnerability_last_seen:2023-08-09), or you can use >, <, >=, or <= quantifiers. |
status_changed_at:>now-36h |
Search for vulnerabilities based on when their status changes from one to another (open, closed, false_positive, risk_accepted). |
not_closed_by_due_date:true |
With vulnerability status = closed selected, find which items were delivered late. |
Vulnerability Threat Terms | |
active_internet_breach:true |
Search for vulnerabilities that match the Active Internet Breaches filter. This can also be a negative search (active_internet_breach:false). |
easily_exploitable:true |
Search for vulnerabilities that match the Easily Exploitable filter. This can also be a negative search (easily_exploitable:false). |
malware_exploitable:true |
Search for Active Internet Breaches that are exploited specifically by malware. This can also be a negative search (malware_exploitable:false). |
popular_target:true |
Search for vulnerabilities that match the Popular Targets filter. This can also be a negative search (popular_target:false). |
top_priority:true |
Search for vulnerabilities that match the Top Priority filter. This can also be a negative search (top_priority:false). |
zero_day:true |
Search for vulnerabilities that match the Zero Day filter. This can also be a negative search (zero_day:false). Important: The Zero-Day vulnerability number is visible for all users. Only users with a Zero-Day add-on are able to view the specific Zero-Day vulnerabilities. |
Ticketing Terms | |
service_ticket_id:"12345" |
If you are using a Ticketing Connector, you can search for a previously created ticket by using the external ticket ID saved on the vulnerability record. |
Term Existence Checks
Syntax | Description |
_exists_:netbios |
Searches for assets that have data for a specific attribute. Valid attributes are: tag, os, ip, hostname, url, mac_address, netbios, fqdn, file, fix, and application. |
-_exists_:netbios |
Searches for assets that do not have data for a specific attribute. Valid attributes are: tag, os, ip, hostname, url, mac_address, netbios, fqdn, file, fix, and application. |
_exists_:cvss_v2_score |
Searches for vulnerabilities that have data for a specific attribute. Valid attributes are: cvss_v3_score, cvss_v2_score, scanner_score, due_date, notes, wasc, and cwe. |
-_exists_:cvss_v2_score |
Searches for vulnerabilities that do not have data for a specific attribute. Valid attributes are: cvss_v3_score, cvss_v2_score, scanner_score, due_date, notes, wasc, and cwe. |
Wildcards
Syntax | Description |
* |
Use an asterisk for any number of characters. Avoid if possible; see Tokenized Search Tips. |
? |
Use a question mark for a single character. |
Date Operators
Syntax | Description |
now |
Current date/time (for example, "now-30d" would be 30 days ago) |
#y |
years (2y = 2 years) |
#M |
months (2M = 2 months) |
#w |
weeks (2w = 2 weeks) |
#d |
days (2d = 2 days) |
#h |
hours (2h = 2 hours) |
Tips and Tricks tab
Invalid Syntax and Queries
- Phrases (tag names, operating systems, etc.) must be contained in quotation marks. For example: tag:"High Priority"
- Searches must be written with a supported search term (such as os for operating system). For example: os:"Windows 7"
Logical Operators (AND/OR)
- Logical operators must be in complete uppercase. For example: tag:(priority AND production)
- AND means that an item must match both conditions to be returned in the results. For example: os:("Windows 10" OR "Windows 11")
- If searching via different search terms, only AND is supported. For example: cve:2020-1234 AND vulnerability_score:<80
- It is more performant to search for terms when you nest the values together. For example: os:("Windows 10" OR "Windows 11")
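The rules in the Tips and Tricks list above can be checked before a script or saved search submits a query. The linter below is an added example, not Cisco code: `lint_query` and `SUPPORTED_TERMS` are hypothetical names, the term set is only a subset of the terms listed on this page, and treating two bare words in a row outside parentheses as an unquoted phrase is an assumption of this example.

```python
import re

# Subset of the search terms listed on this page; extend it for your own use.
SUPPORTED_TERMS = {
    "asset_id", "fqdn", "hostname", "ip", "os", "owner", "priority", "tag",
    "asset_score", "cve", "cwe", "port", "vulnerability_score",
    "cvss_v3_score", "due_date", "closed_at", "fix_published",
    "vulnerability_found", "top_priority", "zero_day", "_exists_",
}

# Tokens: "quoted phrase", [a TO b] range, parenthesis, field prefix, bare word.
TOKEN = re.compile(r'"[^"]*"|\[[^\]]*\]|[()]|-?\w+:|[^\s()"]+')

def lint_query(query):
    """Return the problems found in a query (hypothetical helper, not a Cisco API)."""
    if query.count('"') % 2:
        return ["unbalanced quotation marks"]
    problems, groups, prev = [], [], None
    for tok in TOKEN.findall(query):
        kind = "value"
        if tok == "(":
            # True marks a value group that directly follows a term, as in os:(...)
            groups.append(prev == "field")
            kind = "open"
        elif tok == ")":
            if not groups:
                return problems + ["unbalanced parentheses"]
            groups.pop()
            kind = "close"
        elif tok[0] in '"[':
            pass  # quoted phrases and ranges are taken as single values
        elif tok.endswith(":"):
            kind = "field"
            name = tok.lstrip("-")[:-1]
            if name not in SUPPORTED_TERMS:
                problems.append(f"unsupported search term: {name}")
        elif tok.upper() in ("AND", "OR"):
            kind = "op"
            if tok != tok.upper():
                problems.append(f"logical operator must be uppercase: {tok}")
            elif tok == "OR" and not any(groups):
                problems.append("OR between different search terms: only AND is supported")
        elif prev == "value" and not groups:
            problems.append(f"unquoted phrase near: {tok}")
        prev = kind
    if groups:
        problems.append("unbalanced parentheses")
    return problems
```

An empty list means the query passed these checks; for instance, `lint_query('os:"Windows 10" OR tag:"Web Servers"')` reports the top-level OR, while the nested form `os:("Windows 10" OR "Windows 11")` passes.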
Application Security Module Search Terms
Syntax | Description |
Finding Detail Terms | |
cve:CVE-123 |
Search findings by specific CVE identifier. |
cwe:CWE-456 |
Search findings by specific CWE identifier. |
wasc:WASC-789 |
Search findings by specific WASC identifier. |
Use wildcards (* and ?) for a partial word, or quotes ("…") for phrases |
Search findings by contents of description field. |
Use wildcards (* and ?) for partial matches, or quotes ("…") for punctuation and more exact matches |
Search findings by raw finding name field. |
Finding Scoring Terms | |
severity:>5 |
Search for findings by scanner severity score. |
Finding Date Terms | |
closed_at:>=2020-01-01 |
Search findings closed on or after January 1st, 2020. |
due_date:<now |
Search findings due before now. |
finding_created:>2023-03-15 |
Search findings created after March 15th, 2023. |
finding_found:<2023-12-15 |
Search findings discovered before December 15th, 2023. |
|
Search for findings based on when they were seen by a connector. You can also search exactly, for example, finding_last_seen:2023-12-13 |
status_changed_at:>2023-06-08 |
Search findings whose status was last changed after June 8th, 2023. |
Application Detail Terms
Syntax | Description |
|
Search findings by application's name field. Use wildcards (* and ?) for partial matches, or quotes ("…") for punctuation and more exact matches. |
|
Search findings by application's file locator. Use wildcards (* and ?) for partial matches, or quotes ("…") for punctuation and more exact matches. |
|
Search findings by application's URL locator. Use wildcards (* and ?) for partial matches, or quotes ("…") for punctuation and more exact matches. |
Advanced Syntax
Syntax | Description |
_exists_:netbios |
Searches for assets that have data for a specific attribute. Valid attributes are: tag, os, ip, hostname, url, mac_address, netbios, fqdn, file, fix, and application. |
-_exists_:netbios |
Searches for assets that do not have data for a specific attribute. Valid attributes are: tag, os, ip, hostname, url, mac_address, netbios, fqdn, file, fix, and application. |
Tips and Tricks tab
Invalid Syntax and Queries
- Phrases (tag names, operating systems, etc.) must be contained in quotation marks. For example: tag:"High Priority"
- Searches must be written with a supported search term (such as os for operating system). For example: os:"Windows11"
Logical Operators (AND/OR)
- Logical operators must be in complete uppercase. For example: tag:(priority AND production)
- AND means that an item must match both conditions in order to be returned in the results. For example: os:("Windows 10" OR "Windows 11")
- If searching via different search terms, only AND is supported. For example: cve:2020-1234 AND vulnerability_score:<80
- It is more performant to search for terms when you nest the values together. For example: os:("Windows 10" OR "Windows 11")