Cisco Vulnerability Management Search Terms

Cisco Vulnerability Management supports a number of specific terms that can be used to search through certain data in your platform.

Below is a list of all currently supported search terms.

Simple search examples based on our supported search terms.

Asset Terms - combine together using any logical connectors


Syntax Description
Asset Locator Terms  
asset_id:32716281 Search for an asset by its ID.
file:"project/dev/file.js"  Search for an asset by its file locator.
application:"TestApp" Search for an asset by application locator value. See Tokenized Search Tips.
fqdn:"internal.foo.com" Search for an asset by fully-qualified domain name.
hostname:"internal.foo.com" Search for an asset by hostname. See Tokenized Search Tips.
ip:10.172.15.5 Search for an individual IP.
ip:[10.0.0.1 TO 10.0.0.22] Search for a network range.
mac_address:"4a:03:4c:73:12:96" Search for an asset by physical MAC address.
netbios:"INTERNAL" Search for an asset by netbios name.
os:"Windows" Search for assets by operating system. This is a wildcard search, which will match any OS strings containing "Windows". See Tokenized Search Tips.
owner:"Lee Johnson" Search for assets by asset owner.
priority:>5 Search for assets by priority. The search can be an exact score search (priority:6), or may use >, <, >=, or <= quantifiers.
tag:"Web Servers" Search for assets by tag name. This is an explicit search that requires an exact tag match. Wildcard characters (* and ?) can also be used for partial matches.
url:"https://external.foo.com" Search for an asset by its URL.
external_id:1243443 Search for an asset by the scanner-assigned asset ID.
container_id:abc123456... Search for a container asset by its full 64-character SHA256 container ID. Wildcard characters (* and ?) can also be used for partial matches.
image_id:"sha256:abc123456..." Search for an image asset by its full 64-character SHA256 image ID. Wildcard characters (* and ?) can also be used for partial matches.
Asset Scoring Terms  
asset_score:>610 Search for assets based on their Kenna Risk Score (0 - 1000). The search can be an exact score search (asset_score:610), or may use >, <, >=, or <= quantifiers.
Asset Date Terms  
asset_created:<2022-11-01 Search for assets based on when they were created by a connector. The search can be an exact date search (asset_created:2015-11-01), or may use >, <, >=, or <= quantifiers.
asset_last_seen:<2022-11-01 Search for assets based on the last date/time they were seen by a connector. The search can be an exact date search (asset_last_seen:2015-11-01), or may use >, <, >=, or <= quantifiers.

 

Vulnerability Terms - Combine together using any logical connectors

Syntax Description
Vuln Detail Terms  
cve:2014-0160

Search vulnerabilities by specific CVE identifier.

Note: When you pass multiple CVE IDs surrounded by double quotes, the blank spaces between them are treated as OR.

For example: cve:("2014-0160" "2014-0161" "2014-0162") translates to cve:("2014-0160" OR "2014-0161" OR "2014-0162").

If you pass multiple CVE IDs without double quotes, AND will be used in between. The search will return any assets that have all of the identifiers associated.

For example: cve:(2014-0160 2014-0161 2014-0162) translates to cve:(2014-0160 AND 2014-0161 AND 2014-0162).

cve_description:"adobe" Search vulnerabilities by their description fields. This is a wildcard search, which will match any part of the description (for example, any vulnerabilities containing the string "adobe"). See Tokenized Search Tips.
cwe:CWE-319 Search vulnerabilities by specific CWE identifier.
exact_vulnerability_name:"*Adobe*" Search vulnerabilities by raw vulnerability name field. Wildcard characters (* and ?) can also be used for partial matches.
fix_id:"VendorAdvisory:20491" Search vulnerabilities by fix ID, usually formatted as a Vendor Advisory.
fix_product:windows Search vulnerabilities where fix applies to Windows.
fix_title_keyword:"Java" Search vulnerabilities by fix title keywords that are case insensitive. No wildcards needed. See Tokenized Search Tips.
fix_title:"MS??-*" Search vulnerabilities by fix title with a fixed number of wildcarded characters. This is case sensitive.
fix_category:Database Vulnerabilities with a fix that has the category Database. This is case sensitive.
fix_vendor:openbsd

Search vulnerabilities by fix vendor.

port:8031 Search vulnerabilities affecting the specified port number.
scanner_id:12345

Search vulnerabilities by scanner-specific finding identifier, for example, Qualys QID, Nessus plugin ID. Note that text searches must match the case seen in Cisco Vulnerability Management as this is a case sensitive field.

scanner_unique_id:12345

Search vulnerabilities by scanner-specific generic identifier, for example, Qualys QID for Qualys WAS. Note that text searches must match the case seen in Cisco Vulnerability Management as this is a case sensitive field.   

vulnerability_id:3217887122 Search for a vulnerability by its ID.
vulnerability_name:"Explorer" Search analyzed vulnerabilities by keyword. No wildcards needed.
wasc:WASC-19 Search vulnerabilities by specific WASC identifier.
Vulnerability Scoring Terms  
scanner_score:>=3 Search vulnerabilities based on the score as determined by the scanner. Values are only populated/supported for Nexpose, Nessus, Qualys, and Security Center. You can also search exactly, for example, scanner_score:5
vulnerability_score:>55 Search vulnerabilities by their Kenna Risk Score (0-100 — note that this differs from the asset score, based on 0-1000). You can also search exactly, for example, vulnerability_score:60
Vulnerability CVSS Terms
 

cvss_v2_exploit_subscore:4.9

Search on vulnerabilities based on their CVSS version 2 exploit subscore (0.0-10.0). The search can be an exact score search (cvss_v2_exploit_subscore:4.9), or you can use >, <, >=, or <= quantifiers.

cvss_v2_impact_subscore:>4.9

Search on vulnerabilities based on their CVSS version 2 impact subscore (0.0-10.0). The search can be an exact score search (cvss_v2_impact_subscore:4.9), or you can use >, <, >=, or <= quantifiers.

cvss_v2_score:>=7.9

Search on vulnerabilities based on their CVSS version 2 score (0.0-10.0). The search can be an exact score search (cvss_v2_score:7.9), or you can use >, <, >=, or <= quantifiers.

cvss_v2_temporal_score:<7.9

Search on vulnerabilities based on their CVSS version 2 temporal subscore (0.0-10.0). The search can be an exact score search (cvss_v2_temporal_subscore:7.9), or you can use >, <, >=, or <= quantifiers.

cvss_v3_exploit_subscore:3.9

Search on vulnerabilities based on their CVSS version 3 exploit subscore (0.0-10.0). The search can be an exact score search (cvss_v3_exploit_subscore:3.9), or you can use >, <, >=, or <= quantifiers. Includes both CVSS v3.0 and v3.1.

cvss_v3_score:>=7.9

Search on vulnerabilities based on their CVSS version 3 score (0.0-10.0). The search can be an exact score search (cvss_v3_score:7.9), or you can use >, <, >=, or <= quantifiers. Includes both CVSS v3.0 and v3.1.

cvss_v3_temporal_score:<7.9

Search on vulnerabilities based on their CVSS version 3 temporal subscore (0.0-10.0). The search can be an exact score search (cvss_v3_temporal_subscore:7.9), or you can use >, <, >=, or <= quantifiers. Includes both CVSS v3.0 and v3.1.

cvss_v3_impact_subscore:>=7.9

Search on vulnerabilities based on their CVSS version 3 impact subscore (0.0-10.0). The search can be an exact score search (cvss_v3_impact_subscore:7.9), or you can use >, <, >=, or <= quantifiers. Includes both CVSS v3.0 and v3.1.

Vulnerability Date Terms  
closed_at:>now-1d Search for vulnerabilities closed within a certain timeframe. You must also select a vulnerability status of closed.
due_date:<2023-08-09 Search for vulnerabilities based on a configured Due Date. The search can be an exact date search (due_date:2015-11-01), or you can use >, <, >=, or <= quantifiers.
fix_published:>now-90d Search for vulnerabilities with a fix published in the last 90 days. The search can be an exact date search (fix_published:2015-11-01), or you can use >, <, >=, or <= quantifiers.
vulnerability_created:<2023-08-09 Search for vulnerabilities based on when they were created by a connector. The search can be an exact date search (vulnerability_created:2015-11-01), or you can use >, <, >=, or <= quantifiers.
vulnerability_found:>now-90d Search for vulnerabilities found within the last 90 days. This time will be based on when a scanner found the vulnerability, if the scanner supports that information. If a 'found' time is not reported by a scanner, this time will be based on when the vulnerability was created in Cisco Vulnerability Management. The search can be an exact date search (vulnerability_found:2023-08-09), or you can use >, <, >=, or <= quantifiers.
vulnerability_last_indexed_at:>2023-08-09 Search for vulnerabilities based on when they were last re-indexed. The search can be an exact date search (vulnerability_last_indexed_at:2022-11-02), or may use >, <, >=, or <= quantifiers. This example is vulnerability_last_indexed_at after August 9th, 2023.
vulnerability_last_seen:<2023-08-09 Search for vulnerabilities based on the last date/time they were seen by a connector. The search can be an exact date search (vulnerability_last_seen:2023-08-09), or you can use >, <, >=, or <= quantifiers.
status_changed_at:>now-36h Search for vulnerabilities based on when their status changes from one to another (open, closed, false_positive, risk_accepted).
not_closed_by_due_date:true With vulnerability status = closed selected, find which items were delivered late.
Vulnerability Threat Terms  
active_internet_breach:true Search for vulnerabilities that match the Active Internet Breaches filter. This can also be a negative search (active_internet_breach:false).
easily_exploitable:true Search for vulnerabilities that match the Easily Exploitable filter. This can also be a negative search (easily_exploitable:false).
malware_exploitable:true Search for Active Internet Breaches that are exploited specifically by malware. This can also be a negative search (malware_exploitable:false).
popular_target:true Search for vulnerabilities that match the Popular Targets filter. This can also be a negative search (popular_target:false).
top_priority:true Search for vulnerabilities that match the Top Priority filter. This can also be a negative search (top_priority:false).
zero_day:true

Search for vulnerabilities that match the Zero Day filter. This can also be a negative search (zero_day:false).

Important: The Zero-Day vulnerability number is visible for all users. Only users with a Zero-Day add-on are able to view the specific Zero-Day vulnerabilities.

Ticketing Terms  

service_ticket_id:"12345"

If you are using a Ticketing Connector, you can search for a previously created ticket by using the external ticket id saved on the vulnerability record.
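
Added example, not part of the original article: the quoting rule for cve:(...) groups described under Vuln Detail Terms above, applied to a constructed inventory to show how the result set changes when the quotes are dropped. The function names and the sample assets are assumptions made for illustration; groups that mix quoted and unquoted IDs are rejected because the article does not define them.

```python
import re

CVE_ID = re.compile(r"\d{4}-\d{4,}")      # page style: no "CVE-" prefix
TOKEN = re.compile(r'"([^"]*)"|(\S+)')    # a quoted ID or a bare ID


def parse_cve_group(term):
    """Return (operator, ids) for a cve:(...) group, per the rule above."""
    m = re.fullmatch(r"\s*cve:\((.*)\)\s*", term)
    if not m:
        raise ValueError("expected cve:(id id ...)")
    quoted, bare = [], []
    for q, b in TOKEN.findall(m.group(1)):
        ident = q or b
        if not CVE_ID.fullmatch(ident):
            raise ValueError(f"not a YYYY-NNNN CVE ID: {ident!r}")
        (bare if b else quoted).append(ident)
    if not (quoted or bare):
        raise ValueError("empty group")
    if quoted and bare:
        # The article defines all-quoted and all-bare only; refuse to guess.
        raise ValueError("mixed quoted and unquoted IDs")
    return ("OR", quoted) if quoted else ("AND", bare)


def explicit_form(term):
    """Rewrite the group with the implied connector spelled out."""
    op, ids = parse_cve_group(term)
    parts = [f'"{i}"' if op == "OR" else i for i in ids]
    return "cve:(" + f" {op} ".join(parts) + ")"


def matching_assets(term, inventory):
    """Names of assets whose CVE set satisfies the group."""
    op, ids = parse_cve_group(term)
    test = any if op == "OR" else all
    return sorted(name for name, cves in inventory.items()
                  if test(i in cves for i in ids))


# Constructed sample inventory: asset name -> CVE IDs reported on it.
INVENTORY = {
    "web01": {"2014-0160"},
    "db01": {"2014-0160", "2014-0161", "2014-0162"},
    "app01": {"2013-0001"},
}

if __name__ == "__main__":
    for t in ('cve:("2014-0160" "2014-0161" "2014-0162")',
              "cve:(2014-0160 2014-0161 2014-0162)"):
        print(explicit_form(t), "->", matching_assets(t, INVENTORY))
```

With the quoted list both web01 and db01 match; with the same IDs unquoted only db01 does, so a pasted list of CVEs without quotes can silently hide assets that carry only some of them.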

 


Term Existence Checks

Syntax Description
_exists_:netbios Searches for assets that have data for a specific attribute. Valid attributes are: tag, os, ip, hostname, url, mac_address, netbios, fqdn, file, fix, and application.
-_exists_:netbios Searches for assets that do not have data for a specific attribute. Valid attributes are: tag, os, ip, hostname, url, mac_address, netbios, fqdn, file, fix, and application.
_exists_:cvss_v2_score Searches for vulnerabilities that have data for a specific attribute. Valid attributes are: cvss_v3_score, cvss_v2_score, scanner_score, due_date, notes, wasc, and cwe.
-_exists_:cvss_v2_score Searches for vulnerabilities that do not have data for a specific attribute. Valid attributes are: cvss_v3_score, cvss_v2_score, scanner_score, due_date, notes, wasc, and cwe.

 


Wildcards

Syntax Description
* Use an asterisk for any number of characters. Avoid if possible; see Tokenized Search Tips.
? Use a question mark for a single character.
? Use question mark for single characters.

 


Date Operators

Syntax Description
now Current date/time (for example, "now-30d" would be 30 days ago)
#y years  (2y = 2 years)
#M months (2M = 2 months)
#w weeks (2w = 2 weeks)
#d days (2d = 2 days)
#h hours (2h = 2 hours)
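
Added example, not part of the original article: a resolver that turns the relative expressions above (now, now-90d, now-36h) into an absolute date, so a saved search can be recorded in a report with the window it covered on the day it ran. It accepts only the units listed in the table, so a lowercase m is rejected rather than read as months. Treating M and y as calendar months and years with day clamping, and the function names, are assumptions; the article does not say how the platform rounds them.

```python
import calendar
import re
from datetime import datetime, timedelta, timezone

# Only the forms the table lists: "now" or "now-<n><unit>", unit in y M w d h.
EXPR = re.compile(r"now(?:-(\d+)([yMwdh]))?")
FIXED = {"w": timedelta(weeks=1), "d": timedelta(days=1),
         "h": timedelta(hours=1)}


def _minus_months(ts, months):
    """Calendar subtraction; clamps the day (31 Mar minus 1M -> 28 Feb)."""
    year, month0 = divmod(ts.year * 12 + (ts.month - 1) - months, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return ts.replace(year=year, month=month0 + 1, day=min(ts.day, last_day))


def resolve(expr, now):
    """Turn 'now' or 'now-<n><unit>' into an absolute datetime."""
    m = EXPR.fullmatch(expr)
    if not m:
        raise ValueError(f"unsupported date expression: {expr!r}")
    if m.group(1) is None:
        return now
    n, unit = int(m.group(1)), m.group(2)
    if unit in FIXED:
        return now - n * FIXED[unit]
    # Assumption: y and M are calendar units, not fixed 365/30-day spans.
    return _minus_months(now, n * (12 if unit == "y" else 1))


def pin(term, now):
    """Rewrite 'field:<op>now-<n><unit>' with an absolute YYYY-MM-DD date."""
    field, _, value = term.partition(":")
    op_match = re.match(r"[<>]=?", value)
    op = op_match.group(0) if op_match else ""
    cutoff = resolve(value[len(op):], now)
    return f"{field}:{op}{cutoff.strftime('%Y-%m-%d')}"


if __name__ == "__main__":
    # Constructed reference time so the output is reproducible.
    ref = datetime(2023, 8, 9, 12, 0, tzinfo=timezone.utc)
    for t in ("vulnerability_found:>now-90d", "status_changed_at:>now-36h",
              "fix_published:>now-2M"):
        print(t, "=>", pin(t, ref))
```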

 

 
