Kenna Search Terms

Kenna's text search supports a number of specific field keywords that can be used to explicitly search through certain data in your platform.

Below is a list of all currently supported search keywords.

Each entry shows a simple search example based on one of our supported search terms.


Asset Terms - Combine together using any logical connectors

Syntax Description
Asset Locator Terms  
ip:10.172.15.5 Search for an individual IP.
ip:[192.168.36.0 TO 192.168.36.255] Search for a network range.
hostname:"internal.foo.com" Search for an asset by hostname.
mac_address:"4a:03:4c:73:12:96" Search for an asset by physical MAC address.
netbios:"INTERNAL" Search for an asset by netbios name.
fqdn:"internal.foo.com" Search for an asset by fully-qualified domain name.
file:"project/dev/file.js" Search for an asset by its file locator.
url:"https://external.foo.com" Search for an asset by its URL.
os:"Windows" Search for assets by operating system. This is a wildcard search, which will match any OS strings containing "Windows".
tag:"Web Servers" Search for assets by tag name. This is an explicit search that requires an exact tag match. Wildcard characters (*) can also be used to perform partial matches.
priority:>5 Search for assets by priority. The search can be an exact score search (priority:6), or may use the >, <, >=, or <= operators.
owner:"Bob*" Search for assets by asset owner.
Asset Scoring Terms
asset_score:>610 Search for assets based on their Kenna asset risk score (0 - 1000). The search can be an exact score search (asset_score:610), or may use the >, <, >=, or <= operators.
Asset Date Terms
asset_created:<2015-11-01 Search for assets based on when they were created by a Kenna connector. The search can be an exact date search (asset_created:2015-11-01), or may use the >, <, >=, or <= operators.
asset_last_seen:<2015-11-01 Search for assets based on the last date/time they were seen by a Kenna connector. The search can be an exact date search (asset_last_seen:2015-11-01), or may use the >, <, >=, or <= operators.

 

 

Vulnerability Terms - Combine together using any logical connectors

Syntax Description
Vuln Detail Terms  
cve:2014-0160 Search vulnerabilities by specific CVE identifier.
cwe:CWE-319 Search vulnerabilities by specific CWE identifier. 
wasc:WASC-19 Search vulnerabilities by specific WASC identifier.
vulnerability_name:"Explorer" Search analyzed vulnerabilities by keyword. No wildcards needed.
exact_vulnerability_name:"*Adobe*" Search raw vulnerability name field. Wildcards needed for inexact search. 
cve_description:"adobe" Search vulnerabilities by their description fields. This is a wildcard search, which will match any part of the description (e.g., any vulnerabilities containing the string "adobe").
scanner_id:12345 Search vulnerabilities by scanner-specific identifier (e.g., Qualys QID).
fix_id:"VendorAdvisory:20491" Search vulnerabilities by fix id, usually formatted as a Vendor Advisory.
fix_title:"*Adobe*" Search vulnerabilities by fix title. This search is case sensitive.
fix_title:"MS20??-*" Search vulnerabilities by fix title with a fixed number of wildcarded characters. 
Vuln Scoring Terms  
vulnerability_score:>55 Search for vulnerabilities based on their Kenna vulnerability risk score (0 - 100; note that this differs from the asset score, which is based on 0 - 1000). The search can be an exact score search (vulnerability_score:55), or may use the >, <, >=, or <= operators.
cvss_score:>10 Search for vulnerabilities based on their CVSS-based total score (CVSS base + CVSS temporal + Kenna asset priority, 0 - 30). The search can be an exact score search (cvss_score:10), or may use the >, <, >=, or <= operators.
cvss_severity:>5 Search for vulnerabilities based on their CVSS severity score (or CVSS base, 0 - 10). The search can be an exact score search (cvss_severity:10), or may use the >, <, >=, or <= operators.
cvss_threat:>6 Search for vulnerabilities based on their CVSS threat score (or CVSS temporal, 0 - 10). The search can be an exact score search (cvss_threat:10), or may use the >, <, >=, or <= operators.
scanner_score:>=3 This will search vulnerabilities based on the score as determined by the scanner. Values are only populated/supported for Nexpose, Nessus, Qualys, and Security Center.
port:8031 This search will show all vulnerabilities tied to the listed port. 
Vuln Date Terms  
vulnerability_created:<2015-11-01 Search for vulnerabilities based on when they were created by a Kenna connector. The search can be an exact date search (vulnerability_created:2015-11-01), or may use the >, <, >=, or <= operators.
vulnerability_last_seen:<2015-11-01 Search for vulnerabilities based on the last date/time they were seen by a Kenna connector. The search can be an exact date search (vulnerability_last_seen:2015-11-01), or may use the >, <, >=, or <= operators.
due_date:<2015-11-01 Search for vulnerabilities based on a configured Due Date. The search can be an exact date search (due_date:2015-11-01), or may use the >, <, >=, or <= operators.
fix_published:>now-90d Search for vulnerabilities with a fix published in the last 90 days. The search can be an exact date search (fix_published:2015-11-01), or may use the >, <, >=, or <= operators.
vulnerability_found:>now-90d Search for vulnerabilities found within the last 90 days. This time will be based on when a scanner found the vulnerability, if the scanner supports that information. If a 'found' time is not reported by a scanner, this time will be based on when the vulnerability was created in Kenna. The search can be an exact date search (vulnerability_found:2015-11-01), or may use the >, <, >=, or <= operators.
closed_at:>now-1d Search for vulnerabilities closed within a certain timeframe. You must also select the vulnerability status of closed.
Vuln Threat Terms  
top_priority:true Search for vulnerabilities that match the Top Priority filter. This can also be a negative search (top_priority:false).
active_internet_breach:true Search for vulnerabilities that match the Active Internet Breaches filter. This can also be a negative search (active_internet_breach:false).
easily_exploitable:true Search for vulnerabilities that match the Easily Exploitable filter. This can also be a negative search (easily_exploitable:false).
malware_exploitable:true Search for active internet breaches that are exploited specifically by malware. This can also be a negative search (malware_exploitable:false).
popular_target:true Search for vulnerabilities that match the Popular Targets filter. This can also be a negative search (popular_target:false).
zero_day:true Search for vulnerabilities that match the Zero Day filter. This can also be a negative search (zero_day:false).
Ticketing Terms  

service_ticket_id:"12345" If using a Kenna Ticketing Connector, you can search for a previously created ticket by using the external ticket id saved on the vulnerability record.

 


Term Existence Checks

Syntax Description
_exists_:netbios Searches for assets that have data for a specific attribute. Valid attributes are: tag, os, ip, hostname, url, mac_address, netbios, fqdn, file, fix, port and application.
-_exists_:netbios Searches for assets that do not have data for a specific attribute. Valid attributes are: tag, os, ip, hostname, url, mac_address, netbios, fqdn, file, fix, port and application.

 


Wildcards

Syntax Description
* Use an asterisk to match any number of characters.
? Use a question mark to match a single character.
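
The following is an added example, not Kenna code: a small Python helper that builds individual search terms in the syntax listed above and rejects values that fall outside the documented score scales or that could break out of a quoted value. The function names are hypothetical; only the field names, ranges and term formats come from this page.

```python
import ipaddress
import re
from datetime import date

# Score ranges exactly as stated on this page.
SCORE_RANGES = {"asset_score": (0, 1000), "vulnerability_score": (0, 100),
                "cvss_score": (0, 30), "cvss_severity": (0, 10),
                "cvss_threat": (0, 10)}
DATE_FIELDS = {"asset_created", "asset_last_seen", "vulnerability_created",
               "vulnerability_last_seen", "due_date", "fix_published",
               "vulnerability_found", "closed_at"}
OPERATORS = {"", ">", "<", ">=", "<="}        # "" means an exact match
RELATIVE = re.compile(r"now-\d+d")            # only the now-<N>d form shown here
ABSOLUTE = re.compile(r"\d{4}-\d{2}-\d{2}")   # YYYY-MM-DD

def _check_op(op):
    if op not in OPERATORS:
        raise ValueError(f"unsupported operator: {op!r}")

def score_term(field, value, op=""):
    """Build a score term, rejecting values outside the field's scale."""
    _check_op(op)
    low, high = SCORE_RANGES[field]
    if not low <= value <= high:
        raise ValueError(f"{field} ranges {low}-{high}, got {value}")
    return f"{field}:{op}{value}"

def date_term(field, value, op=""):
    """Build a date term from YYYY-MM-DD or a relative now-<N>d value."""
    _check_op(op)
    if field not in DATE_FIELDS:
        raise ValueError(f"not a date field: {field}")
    if not RELATIVE.fullmatch(value):
        if not ABSOLUTE.fullmatch(value):
            raise ValueError(f"unrecognised date: {value!r}")
        date.fromisoformat(value)  # raises ValueError on an impossible date
    return f"{field}:{op}{value}"

def ip_range_term(cidr):
    """Turn a CIDR block into the ip:[first TO last] range syntax."""
    net = ipaddress.ip_network(cidr, strict=True)
    return f"ip:[{net.network_address} TO {net.broadcast_address}]"

def text_term(field, value):
    """Quote a text value; refuse quotes so input cannot add extra terms."""
    if '"' in value or "\\" in value:
        raise ValueError("quote and backslash are not allowed in values")
    return f'{field}:"{value}"'
```

Passing a 0 - 1000 asset score to `vulnerability_score` is the mistake the scale check is meant to catch, since the two fields use different ranges.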

 
