Kenna supports a number of specific terms that can be used to search through certain data in your platform.
Below is a list of all currently supported search terms.
Simple search examples based on our supported search terms.
Asset Terms - combine together using any logical connectors
Syntax | Description |
---|---|
Asset Locator Terms | |
asset_id:32716281 | Search for an asset by its ID. |
file:"project/dev/file.js" | Search for an asset by its file locator. |
application:"TestApp" | Search for assets by application locator value. See Tokenized Search Tips. |
fqdn:"internal.foo.com" | Search for an asset by fully-qualified domain name. |
hostname:"internal.foo.com" | Search for an asset by hostname. See Tokenized Search Tips. |
ip:10.172.15.5 | Search for an individual IP. |
ip:[192.168.36.0 TO 192.168.36.255] | Search for a network range. |
mac_address:"4a:03:4c:73:12:96" | Search for an asset by physical MAC address. |
netbios:"INTERNAL" | Search for an asset by netbios name. |
os:"Windows" | Search for assets by operating system. Will match any OS strings containing "windows". See Tokenized Search Tips. |
owner:"Lee Johnson" | Search for assets by asset owner. |
priority:>5 | Search for assets by priority. The search can be an exact score search (priority:6), or may use >, <, >=, or <= quantifiers. |
tag:"Web Servers" | Search for assets by tag name. This is an explicit search that requires an exact tag match. Wildcard characters (*) can also be used to perform partial matches. |
url:"https://external.foo.com" | Search for an asset by its URL. |
external_id:1243443 | Search for an asset by the scanner-assigned asset ID. |
Asset Scoring Terms | |
asset_score:>610 | This will search assets based on their Kenna asset risk score (0 - 1000). The search can be an exact score search (asset_score:610), or may use >, <, >=, or <= quantifiers. |
Asset Date Terms | |
asset_created:<2015-11-01 | Search for assets based on when they were created by a Kenna connector. The search can be an exact date search (asset_created:2015-11-01), or may use >, <, >=, or <= quantifiers. |
asset_last_seen:<2015-11-01 | Search for assets based on the last date/time they were seen by a Kenna connector. The search can be an exact date search (asset_last_seen:2015-11-01), or may use >, <, >=, or <= quantifiers. |
Vulnerability Terms - Combine together using any logical connectors
Syntax | Description |
---|---|
Vuln Detail Terms | |
cve:2014-0160 | Search vulnerabilities by specific CVE identifier. |
cve_description:"adobe" | Search vulnerabilities by their description fields. This search will match any part of the description (e.g., any vulnerabilities containing the string "adobe"). See Tokenized Search Tips. |
cwe:CWE-319 | Search vulnerabilities by specific CWE identifier. |
exact_vulnerability_name:"*Adobe*" | Search the raw vulnerability name field. Wildcards are needed for an inexact search. |
fix_id:"VendorAdvisory:20491" | Search vulnerabilities by fix ID, usually formatted as a Vendor Advisory. |
fix_product:windows | Search vulnerabilities where the fix applies to Windows. |
fix_title_keyword:"Java" | Search vulnerabilities by fix title keywords that are case insensitive and location insensitive. See Tokenized Search Tips. |
fix_title:"MS??-*" | Search vulnerabilities by fix title with a fixed number of wildcarded characters. Case sensitive. |
fix_category:Database | Search vulnerabilities with a fix that has the category Database. |
fix_vendor:openbsd | Search vulnerabilities by fix vendor. |
port:8031 | This search will show all vulnerabilities tied to the listed port. |
scanner_id:12345 | Search vulnerabilities by scanner-specific finding identifier, e.g., Qualys QID, Nessus plugin ID. Please note that text searches must match the case seen in Kenna, as this is a case-sensitive field. |
scanner_unique_id:12345 | Search vulnerabilities by scanner-specific generic identifier, e.g., Qualys QID for Qualys WAS. Please note that text searches must match the case seen in Kenna, as this is a case-sensitive field. |
vulnerability_id:3217887122 | Search for a vulnerability by its ID. |
vulnerability_name:"Explorer" | Search analyzed vulnerabilities by keyword. No wildcards needed. |
wasc:WASC-19 | Search vulnerabilities by specific WASC identifier. |
Vuln Score Terms | |
| | Search on vulnerabilities based on their CVSS version 2 exploit subscore (0.0-10.0). The search can be an exact score search (cvss_v2_exploit_subscore:10), or may use >, <, >=, or <= quantifiers. |
| | Search on vulnerabilities based on their CVSS version 2 impact subscore (0.0-10.0). The search can be an exact score search (cvss_v2_impact_subscore:10), or may use >, <, >=, or <= quantifiers. |
| | Search on vulnerabilities based on their CVSS version 2 score (0.0-10.0). The search can be an exact score search (cvss_v2_score:6.7), or may use >, <, >=, or <= quantifiers. |
| | Search on vulnerabilities based on their CVSS version 2 temporal subscore (0.0-10.0). The search can be an exact score search (cvss_v2_temporal_subscore:10), or may use >, <, >=, or <= quantifiers. |
| | Search on vulnerabilities based on their CVSS version 3 exploit subscore (0.0-10.0). The search can be an exact score search (cvss_v3_exploit_subscore:10), or may use >, <, >=, or <= quantifiers. Includes both CVSS v3.0 and v3.1. |
| | Search on vulnerabilities based on their CVSS version 3 impact subscore (0.0-10.0). The search can be an exact score search (cvss_v3_impact_subscore:10), or may use >, <, >=, or <= quantifiers. Includes both CVSS v3.0 and v3.1. |
| | Search on vulnerabilities based on their CVSS version 3 score (0.0-10.0). The search can be an exact score search (cvss_v3_score:6.6), or may use >, <, >=, or <= quantifiers. Includes both CVSS v3.0 and v3.1. |
| | Search on vulnerabilities based on their CVSS version 3 temporal subscore (0.0-10.0). The search can be an exact score search (cvss_v3_temporal_subscore:10), or may use >, <, >=, or <= quantifiers. Includes both CVSS v3.0 and v3.1. |
scanner_score:>=3 | This will search vulnerabilities based on the score as determined by the scanner. Values are only populated/supported for Nexpose, Nessus, Qualys, and Security Center. |
vulnerability_score:>55 | This will search vulnerabilities based on their Kenna vulnerability risk score (0 - 100; note that this differs from the asset score, which is based on 0 - 1000). The search can be an exact score search (vulnerability_score:55), or may use >, <, >=, or <= quantifiers. |
Vuln Date Terms | |
closed_at:>now-1d | Search for vulnerabilities closed within a certain timeframe. You must also select the vulnerability status of closed. |
due_date:<2015-11-01 | Search for vulnerabilities based on a configured Due Date. The search can be an exact date search (due_date:2015-11-01), or may use >, <, >=, or <= quantifiers. |
fix_published:>now-90d | Search for vulnerabilities with a fix published in the last 90 days. The search can be an exact date search (fix_published:2015-11-01), or may use >, <, >=, or <= quantifiers. |
vulnerability_created:<2015-11-01 | Search for vulnerabilities based on when they were created by a Kenna connector. The search can be an exact date search (vulnerability_created:2015-11-01), or may use >, <, >=, or <= quantifiers. |
vulnerability_found:>now-90d | Search for vulnerabilities found within the last 90 days. This time will be based on when a scanner found the vulnerability, if the scanner supports that information. If a 'found' time is not reported by a scanner, this time will be based on when the vulnerability was created in Kenna. The search can be an exact date search (vulnerability_found:2015-11-01), or may use >, <, >=, or <= quantifiers. |
vulnerability_last_indexed_at:>2022-07-04 | Search for vulnerabilities based on when they were last re-indexed. The search can be an exact date search (vulnerability_last_indexed_at:2022-11-02), or may use >, <, >=, or <= quantifiers. This example is vulnerability_last_indexed_at after July 4th, 2022. |
vulnerability_last_seen:<2015-11-01 | Search for vulnerabilities based on the last date/time they were seen by a Kenna connector. The search can be an exact date search (vulnerability_last_seen:2015-11-01), or may use >, <, >=, or <= quantifiers. |
status_changed_at:>now-36h | Search for vulnerabilities which have changed from one status to another (open, closed, false_positive, risk_accepted). |
not_closed_by_due_date:true | With vulnerability status = closed selected, find which items were delivered late. |
Vuln Threat Terms | |
active_internet_breach:true | Search for vulnerabilities that match the Active Internet Breaches filter. This can also be a negative search (active_internet_breach:false). |
easily_exploitable:true | Search for vulnerabilities that match the Easily Exploitable filter. This can also be a negative search (easily_exploitable:false). |
malware_exploitable:true | Search for active internet breaches that are exploited specifically by malware. This can also be a negative search (malware_exploitable:false). |
popular_target:true | Search for vulnerabilities that match the Popular Targets filter. This can also be a negative search (popular_target:false). |
top_priority:true | Search for vulnerabilities that match the Top Priority filter. This can also be a negative search (top_priority:false). |
zero_day:true | Search for vulnerabilities that match the Zero Day filter. This can also be a negative search (zero_day:false). Important: The Zero-Day vulnerability number is visible for all users. Only users with a Zero-Day add-on are able to view the specific Zero-Day vulnerabilities. |
Ticketing Terms | |
| | If using a Kenna Ticketing Connector, you can search for a previously created ticket by using the external ticket ID saved on the vulnerability record. |
Term Existence Checks
Syntax | Description |
---|---|
Asset Existence Checks | |
_exists_:netbios | Searches for assets that have data for a specific attribute. Valid attributes are: tag, os, ip, hostname, url, mac_address, netbios, fqdn, file, fix, and application. |
-_exists_:netbios | Searches for assets that do not have data for a specific attribute. Valid attributes are: tag, os, ip, hostname, url, mac_address, netbios, fqdn, file, fix, and application. |
Vulnerability Existence Checks | |
_exists_:cvss_v2_score | Searches for vulnerabilities that have data for a specific attribute. Valid attributes are: cvss_v2_score, cvss_v3_score, cwe, due_date, notes, scanner_score, and wasc. |
-_exists_:cvss_v2_score | Searches for vulnerabilities that do not have data for a specific attribute. Valid attributes are: cvss_v2_score, cvss_v3_score, cwe, due_date, notes, scanner_score, and wasc. |
Wildcards
Syntax | Description |
---|---|
* | Use an asterisk for any number of characters. Avoid if possible; see Tokenized Search Tips. |
? | Use a question mark for a single character. |
Date Operators
Syntax | Description |
---|---|
now | Current date/time (e.g. "now-30d") |
#y | years (2y = 2 years) |
#m | months (2m = 2 months) |
#w | weeks (2w = 2 weeks) |
#d | days (2d = 2 days) |
#h | hours (2h = 2 hours) |
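
The date operators above, resolved to absolute timestamps so that a date term such as vulnerability_found:>now-90d can be checked before it is saved or run. This is an added example, not Kenna's code: the function names are hypothetical, only the now and now-<n><unit> forms shown on this page are handled, and the calendar-month arithmetic is an assumption.

```python
import calendar
import re
from datetime import datetime, timedelta, timezone

# Units from the Date Operators table. Note "m" is months, not minutes.
FIXED_UNITS = {"w": timedelta(weeks=1), "d": timedelta(days=1), "h": timedelta(hours=1)}
RELATIVE = re.compile(r"^now(?:-(\d+)([ymwdh]))?$")
DATE_TERM = re.compile(r"^([a-z_]+):(>=|<=|>|<)?(.+)$")


def minus_months(ts, months):
    """Calendar subtraction; clamps the day (Mar 31 - 1 month = Feb 29/28).
    Assumption: Kenna's own month and year arithmetic may differ."""
    year, month0 = divmod(ts.year * 12 + ts.month - 1 - months, 12)
    day = min(ts.day, calendar.monthrange(year, month0 + 1)[1])
    return ts.replace(year=year, month=month0 + 1, day=day)


def resolve_date(value, now):
    """Turn 'now', 'now-<n><unit>' or 'YYYY-MM-DD' into an absolute datetime."""
    rel = RELATIVE.match(value)
    if rel is None:
        # Not relative: must be an exact date, otherwise ValueError is raised.
        return datetime.strptime(value, "%Y-%m-%d").replace(tzinfo=now.tzinfo)
    if rel.group(1) is None:
        return now
    count, unit = int(rel.group(1)), rel.group(2)
    if unit == "y":
        return minus_months(now, count * 12)
    if unit == "m":
        return minus_months(now, count)
    return now - count * FIXED_UNITS[unit]


def parse_date_term(term, now):
    """Split 'field:<op><value>' into (field, operator, absolute datetime)."""
    match = DATE_TERM.match(term)
    if match is None:
        raise ValueError(f"not a field:value term: {term!r}")
    field, op, value = match.groups()
    return field, op or "=", resolve_date(value, now)


if __name__ == "__main__":
    # Constructed reference time so the output is reproducible.
    now = datetime(2024, 3, 31, 12, 0, tzinfo=timezone.utc)
    for term in ("vulnerability_found:>now-90d", "status_changed_at:>now-36h",
                 "fix_published:>now-1m", "due_date:<2015-11-01"):
        print(term, "->", parse_date_term(term, now))
```

A value that is neither a relative expression nor a YYYY-MM-DD date raises ValueError, which makes a mistyped unit visible before the query is used.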