Cisco Vulnerability Management Search Terms

Cisco Vulnerability Management supports a number of specific terms that can be used to search through certain data in your platform. For search examples, refer to Simple search examples based on our supported search terms.

Below is a list of all currently supported search terms.

Asset Terms - Combine together using any logical connectors


Syntax Description
Asset Locator Terms  
asset_id:32716281 Search for an asset by its ID.
file:"project/dev/file.js"  Search for an asset by its file locator.
application:"TestApp" Search for assets by application locator value. For more information, refer to Tokenized Search Tips.
fqdn:"internal.foo.com" Search for an asset by fully-qualified domain name.
hostname:"internal.foo.com" Search for an asset by hostname. For more information, refer to Tokenized Search Tips.
ip:10.172.15.5 Search for an individual IP.
ip:[10.0.0.1 TO 10.0.0.22] Search for a network range.
mac_address:"4a:03:4c:73:12:96" Search for an asset by physical MAC address.
netbios:"INTERNAL" Search for an asset by netbios name.
os:"Windows" Search for assets by operating system. This is a wildcard search, which will match any OS strings containing "Windows". For more information, refer to Tokenized Search Tips.
owner:"Lee Johnson" Search for assets by asset owner.
priority:>5 Search for assets by priority. The search can be an exact score search (priority:6), or may use >, <, >=, or <= quantifiers.
tag:"Web Servers" Search for assets by tag name. This is an explicit search that requires an exact tag match. Wildcard characters (* and ?) can also be used for partial matches.
url:"https://external.foo.com" Search for an asset by its URL.
external_id:1243443 Search for an asset by the scanner-assigned asset ID.
container_id:abc123456... Search for a container asset by its full 64-character SHA256 container ID. Wildcard characters (* and ?) can also be used for partial matches.
image_id:"sha256:abc123456..." Search for an image asset by its full 64-character SHA256 image ID. Wildcard characters (* and ?) can also be used for partial matches.
Asset Scoring Terms  
asset_score:>610 Search for assets based on their Cisco Security Risk Score (0 - 1000). The search can be an exact score search (asset_score:610), or may use >, <, >=, or <= quantifiers.
Asset Date Terms  
asset_created:<2023-11-01 Search for assets based on when they were created by a connector. The search can be an exact date search (asset_created:2023-11-01), or may use >, <, >=, or <= quantifiers.
asset_last_seen:<2022-11-01 Search for assets based on the last date/time they were seen by a connector. The search can be an exact date search (asset_last_seen:2023-11-01), or may use >, <, >=, or <= quantifiers.

Vulnerability Terms - Combine together using any logical connectors

Syntax Description
Vuln Detail Terms  
cve:2014-0160 Search vulnerabilities by specific CVE identifier.

Note: Passing multiple CVE IDs surrounded by double quotes uses OR logic in the blank spaces.

For example: cve:("2014-0160" "2014-0161" "2014-0162") translates to cve:("2014-0160" OR "2014-0161" OR "2014-0162").

If you pass multiple CVE IDs without double quotes, AND will be used in between. The search will return any assets that have all of the identifiers associated.

For example: cve:(2014-0160 2014-0161 2014-0162) translates to cve:(2014-0160 AND 2014-0161 AND 2014-0162).

cve_description:"adobe" Search vulnerabilities by their description fields. This is a wildcard search, which will match any part of the description (for example, any vulnerabilities containing the string "adobe"). For more information, refer to Tokenized Search Tips.
cwe:CWE-319 Search vulnerabilities by specific CWE identifier.
exact_vulnerability_name:"*Adobe*" Search vulnerabilities by raw vulnerability name field. Wildcard characters (* and ?) can also be used for partial matches.
fix_id:"VendorAdvisory:20491" Search vulnerabilities by fix ID, usually formatted as a Vendor Advisory.
fix_product:windows Search vulnerabilities where fix applies to Windows.
fix_title_keyword:"Java" Search vulnerabilities by fix title keywords that are case insensitive. No wildcards needed. For more information, refer to Tokenized Search Tips.
fix_title:"MS??-*" Search vulnerabilities by fix title with a fixed number of wildcarded characters. This is case sensitive.
fix_category:Database Search vulnerabilities with a fix that has the category Database. This is case sensitive.
fix_vendor:openbsd Search vulnerabilities by fix vendor.

port:8031 Search vulnerabilities affecting the specified port number.
scanner_id:12345 Search vulnerabilities by scanner-specific finding identifier, for example, Qualys QID, Nessus plugin ID. Note that text searches must match the case seen in Cisco Vulnerability Management as this is a case sensitive field.
scanner_unique_id:12345 Search vulnerabilities by scanner-specific generic identifier, for example, Qualys QID for Qualys WAS. Note that text searches must match the case seen in Cisco Vulnerability Management as this is a case sensitive field.

vulnerability_id:3217887122 Search for a vulnerability by its ID.
vulnerability_name:"Explorer" Search analyzed vulnerabilities by keyword. No wildcards needed.
wasc:WASC-19 Search vulnerabilities by specific WASC identifier.
Vulnerability Scoring Terms  
scanner_score:>=3 Search vulnerabilities based on the score as determined by the scanner. Values are only populated/supported for Nexpose, Nessus, Qualys, and Security Center. You can also search exactly, for example, scanner_score:5
vulnerability_score:>55 Search vulnerabilities by their Cisco Security Risk Score (0-100 — note that this differs from the asset score, based on 0-1000). You can also search exactly, for example, vulnerability_score:60
Vulnerability CVSS Terms  

cvss_v2_exploit_subscore:4.9 Search vulnerabilities based on their CVSS version 2 exploit subscore (0.0-10.0). The search can be an exact score search (cvss_v2_exploit_subscore:4.9), or you can use >, <, >=, or <= quantifiers.
cvss_v2_impact_subscore:>4.9 Search vulnerabilities based on their CVSS version 2 impact subscore (0.0-10.0). The search can be an exact score search (cvss_v2_impact_subscore:4.9), or you can use >, <, >=, or <= quantifiers.
cvss_v2_score:>=7.9 Search vulnerabilities based on their CVSS version 2 score (0.0-10.0). The search can be an exact score search (cvss_v2_score:7.9), or you can use >, <, >=, or <= quantifiers.
cvss_v2_temporal_score:<7.9 Search vulnerabilities based on their CVSS version 2 temporal subscore (0.0-10.0). The search can be an exact score search (cvss_v2_temporal_score:7.9), or you can use >, <, >=, or <= quantifiers.
cvss_v3_exploit_subscore:3.9 Search vulnerabilities based on their CVSS version 3 exploit subscore (0.0-10.0). The search can be an exact score search (cvss_v3_exploit_subscore:3.9), or you can use >, <, >=, or <= quantifiers. Includes both CVSS v3.0 and v3.1.
cvss_v3_score:>=7.9 Search vulnerabilities based on their CVSS version 3 score (0.0-10.0). The search can be an exact score search (cvss_v3_score:7.9), or you can use >, <, >=, or <= quantifiers. Includes both CVSS v3.0 and v3.1.
cvss_v3_temporal_score:<7.9 Search vulnerabilities based on their CVSS version 3 temporal subscore (0.0-10.0). The search can be an exact score search (cvss_v3_temporal_score:7.9), or you can use >, <, >=, or <= quantifiers. Includes both CVSS v3.0 and v3.1.
cvss_v3_impact_subscore:>=7.9 Search vulnerabilities based on their CVSS version 3 impact subscore (0.0-10.0). The search can be an exact score search (cvss_v3_impact_subscore:7.9), or you can use >, <, >=, or <= quantifiers. Includes both CVSS v3.0 and v3.1.

Vulnerability Date Terms  
closed_at:>now-1d Search for vulnerabilities closed within a certain timeframe. You must also select a vulnerability status of closed.
due_date:<2023-08-09 Search for vulnerabilities based on a configured Due Date. The search can be an exact date search (due_date:2023-11-01), or you can use >, <, >=, or <= quantifiers.
fix_published:>now-90d Search for vulnerabilities with a fix published in the last 90 days. The search can be an exact date search (fix_published:2023-11-01), or you can use >, <, >=, or <= quantifiers.
vulnerability_created:<2023-08-09 Search for vulnerabilities based on when they were created by a connector. The search can be an exact date search (vulnerability_created:2023-11-01), or you can use >, <, >=, or <= quantifiers.
vulnerability_found:>now-90d Search for vulnerabilities found within the last 90 days. This time will be based on when a scanner found the vulnerability, if the scanner supports that information. If a 'found' time is not reported by a scanner, this time will be based on when the vulnerability was created in Cisco Vulnerability Management. The search can be an exact date search (vulnerability_found:2023-08-09), or you can use >, <, >=, or <= quantifiers.
vulnerability_last_indexed_at:>2023-08-09 Search for vulnerabilities based on when they were last re-indexed. The search can be an exact date search (vulnerability_last_indexed_at:2023-11-02), or may use >, <, >=, or <= quantifiers. This example matches vulnerabilities last indexed after August 9th, 2023.
vulnerability_last_seen:<2023-08-09 Search for vulnerabilities based on the last date/time they were seen by a connector. The search can be an exact date search (vulnerability_last_seen:2023-08-09), or you can use >, <, >=, or <= quantifiers.
status_changed_at:>now-36h Search for vulnerabilities based on when their status changes from one to another (open, closed, false_positive, risk_accepted).
not_closed_by_due_date:true With vulnerability status = closed selected, find which items were delivered late.
Vulnerability Threat Terms  
active_internet_breach:true Search for vulnerabilities that match the Active Internet Breaches filter. This can also be a negative search (active_internet_breach:false).
easily_exploitable:true Search for vulnerabilities that match the Easily Exploitable filter. This can also be a negative search (easily_exploitable:false).
malware_exploitable:true Search for Active Internet Breaches that are exploited specifically by malware. This can also be a negative search (malware_exploitable:false).
popular_target:true Search for vulnerabilities that match the Popular Targets filter. This can also be a negative search (popular_target:false).
top_priority:true Search for vulnerabilities that match the Top Priority filter. This can also be a negative search (top_priority:false).
zero_day:true Search for vulnerabilities that match the Zero Day filter. This can also be a negative search (zero_day:false).

Important: The Zero-Day vulnerability number is visible for all users. Only users with a Zero-Day add-on are able to view the specific Zero-Day vulnerabilities.

Ticketing Terms  

service_ticket_id:"12345" If you are using a Ticketing Connector, you can search for a previously created ticket by using the external ticket ID saved on the vulnerability record.

Term Existence Checks

Syntax Description
_exists_:netbios Searches for assets that have data for a specific attribute. Valid attributes are: tag, os, ip, hostname, url, mac_address, netbios, fqdn, file, fix, and application.
-_exists_:netbios Searches for assets that do not have data for a specific attribute. Valid attributes are: tag, os, ip, hostname, url, mac_address, netbios, fqdn, file, fix, and application.
_exists_:cvss_v2_score Searches for vulnerabilities that have data for a specific attribute. Valid attributes are: cvss_v3_score, cvss_v2_score, scanner_score, due_date, notes, wasc, and cwe.
-_exists_:cvss_v2_score Searches for vulnerabilities that do not have data for a specific attribute. Valid attributes are: cvss_v3_score, cvss_v2_score, scanner_score, due_date, notes, wasc, and cwe.

 


Wildcards

Syntax Description
* Use asterisk for any number of characters. Avoid if possible; see Tokenized Search Tips.
? Use question mark for single characters.

 


Date Operators

Syntax Description
now Current date/time (for example, "now-30d" would be 30 days ago)
#y years  (2y = 2 years)
#M months (2M = 2 months)
#w weeks (2w = 2 weeks)
#d days (2d = 2 days)
#h hours (2h = 2 hours)

Tips and Tricks tab

Invalid Syntax and Queries

  • Phrases (tag names, operating systems, etc.) must be contained in quotation marks. For example: tag:"High Priority"
  • Searches must be written with a supported search term (such as os for operating system). For example: os:"Windows 7"

Logical Operators (AND/OR)

  • Logical operators must be in complete uppercase. For example: tag:(priority AND production)
  • AND means that an item must match both conditions in order to be returned in the results. For example: os:("Windows 10" OR "Windows 11")
  • If searching via different search terms, only AND is supported. For example: cve:2020-1234 AND vulnerability_score:<80
  • It is more performant to search for terms when you nest the values together. For example: os:("Windows 10" OR "Windows 11")
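
The quoting, nesting and AND/OR rules above, as an added Python example that is not part of the original documentation. The helper names (quote, term, query, lint) and the SUPPORTED subset are hypothetical, and values containing quotes or parentheses are rejected because this page documents no escaping rules.

```python
import re

# Subset of the search terms listed on this page; extend as needed.
SUPPORTED = {"os", "tag", "cve", "ip", "hostname", "vulnerability_score"}
RANGE = re.compile(r"^\[\S+ TO \S+\]$")  # e.g. [10.0.0.1 TO 10.0.0.22]

def quote(value):
    """Quote phrases; leave single tokens, comparisons and ranges bare."""
    value = str(value)
    if not value.strip() or re.search(r'["()]', value):
        # The page documents no escaping rules, so refuse rather than guess.
        raise ValueError(f"unsafe or empty value: {value!r}")
    if RANGE.match(value) or not re.search(r"\s", value):
        return value
    return f'"{value}"'

def term(name, *values, op="OR"):
    """One search term; several values are nested as name:(a OR b)."""
    if name not in SUPPORTED:
        raise ValueError(f"unsupported search term: {name}")
    if op not in ("AND", "OR") or not values:
        raise ValueError("need at least one value and an uppercase AND/OR")
    quoted = [quote(v) for v in values]
    if len(quoted) == 1:
        return f"{name}:{quoted[0]}"
    joined = f" {op} ".join(quoted)
    return f"{name}:({joined})"

def query(*clauses):
    """Different search terms are only ever joined with AND."""
    return " AND ".join(clauses)

def lint(q):
    """Flag the mistakes listed under Invalid Syntax and Logical Operators."""
    problems = []
    if q.count('"') % 2:
        problems.append("unbalanced quotes")
    bare = re.sub(r'"[^"]*"', '""', q)  # ignore text inside quoted phrases
    if bare.count("(") != bare.count(")"):
        problems.append("unbalanced parentheses")
    if any(w != w.upper() for w in re.findall(r"\b(?:and|or)\b", bare, re.I)):
        problems.append("logical operator not uppercase")
    return problems

if __name__ == "__main__":
    # Constructed sample values, not data from a real deployment.
    q = query(term("os", "Windows 10", "Windows 11"),
              term("vulnerability_score", ">55"))
    print(q, lint(q))
    print(lint("tag:(priority and production"))
```

Rejecting quotes and parentheses keeps a value taken from an inventory or ticket field from changing the structure of the query it is placed in.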

Application Security Module Search Terms

Finding Detail Terms

Syntax Purpose
cve:CVE-123

Search findings by specific CVE identifier.

cwe:CWE-456

Search findings by specific CWE identifier.

wasc:WASC-789

Search findings by specific WASC identifier.

finding_description:"SQLite mishandles certain SQL commands"

Use wildcards (* and ?) for a partial word, or quotes ("…") for phrases.

Search findings by contents of description field.

finding_name:*Cross-site* AND finding_name:*Scripting*

Use wildcards (* and ?) for partial matches, or quotes ("…") for punctuation and more exact matches.

Search findings by raw finding name field.

Finding Scoring Terms

Syntax Purpose
severity:>5 Search for findings by scanner severity score.

Finding Date Terms

Syntax Purpose
closed_at:>=2020-01-01

Search findings closed on or after January 1st, 2020.

due_date:<now

Search findings due before now.

finding_created:>2010-03-15

Search findings created after March 15th, 2010.

finding_found:<2020-12-15

Search findings discovered before December 15th, 2020.

finding_last_seen:<2023-12-13

You may also search exactly, for example, finding_last_seen:2023-12-13.

Search for findings based on when they were seen by a connector.

status_changed_at:>2019-06-08

Search findings whose status was last changed after June 8th, 2019.

Finding Detail Terms

Syntax Purpose
application:*Windows*

Use wildcards (* and ?) for partial matches, or quotes ("…") for punctuation and more exact matches.

Search findings by application's name field.

file:*libpng*

Use wildcards (* and ?) for partial matches, or quotes ("…") for punctuation and more exact matches.

Search findings by application's file locator.

url:*example.com*

Use wildcards (* and ?) for partial matches, or quotes ("…") for punctuation and more exact matches.

Search findings by application's URL locator.

Advanced Syntax

Syntax Purpose
_exists_:netbios

Searches for assets that have data for a specific attribute. Valid attributes are: tag, os, ip, hostname, url, mac_address, netbios, fqdn, file, fix, and application.

-_exists_:netbios

Searches for assets that do not have data for a specific attribute. Valid attributes are: tag, os, ip, hostname, url, mac_address, netbios, fqdn, file, fix, and application.

 

Wildcards

Syntax Description
* Use asterisk for any number of characters.
? Use question mark for single characters.

Date Operators

Syntax Description
now Current date/time (for example, "now-30d" would be 30 days ago)
#y years  (2y = 2 years)
#M months (2M = 2 months)
#w weeks (2w = 2 weeks)
#d days (2d = 2 days)
#h hours (2h = 2 hours)

Tips and Tricks tab

Invalid Syntax and Queries

  • Phrases (tag names, operating systems, etc.) must be contained in quotation marks. For example: tag:"High Priority"
  • Searches must be written with a supported search term (such as os for operating system). For example: os:"Windows 7"

Logical Operators (AND/OR)

  • Logical operators must be in complete uppercase. For example: tag:(priority AND production)
  • AND means that an item must match both conditions in order to be returned in the results. For example: os:("Windows 10" OR "Windows 11")
  • If searching via different search terms, only AND is supported. For example: cve:2020-1234 AND vulnerability_score:<80
  • It is more performant to search for terms when you nest the values together. For example: os:("Windows 10" OR "Windows 11")

 

 

 
