This article contains a number of example searches, based on our supported search terms.
To use any example, copy the entire search string from a box below and paste it into the "SEARCH" text bar located below the Risk Meter on your Kenna Explore page.
Our search engine uses Lucene. More information on Lucene can be found here.
Note: Complex searches that cross Asset and Vulnerability terms with OR condition statements are not supported in the UI search box. If you are having issues building the search you want, contact Support for assistance. Some queries can be implemented on the back end to support more complex queries.
General Tips
|
Use an asterisk (*) for any number of characters or as a wildcard for a string used within double quotes. |
os:"*Windows*" |
|
Use a question mark (?) in strings to represent a single space of any value. |
cve_description:"*TLS?SSL*" |
| To negate a search parameter use a minus sign (-). | -os:"*Windows*" AND -os:"*Server*" |
| Using terms within parentheses will assume an "OR" between terms. | tag:("Alpha" "Bank" "RDP") |
| To search for a grouping of terms, use the plus sign (+). In this case, a tag that contains both the word "Java" and the phrase "app portfolio". | tag:("Java" +"app portfolio") |
| Exclusive range queries are denoted by curly brackets ({}). This will exclude the beginning and ending 'values' within the curly brackets, so in this example it will return values of 1-9. | scanner_score:{0 TO 10} |
| To search for assets that have or do not have data for a specific attribute, use the _exits_ parameter. Valid attributes are: tag, os, ip, hostname, url, mac_address, netbios, fqdn, file, fix, port, and application. | _exists_:netbios
or for does not exist -_exists_:netbios |
| To escape the following characters, use the backslash (\) before the character. | + - & |! ( ) { } [ ] ^ " ~ * ? : \ |
| For dates, the formatting is year, month, day. | due_date:2019-4-30 |
| Use d, m, y to indicate day, month, or year. | due_date:>now-7d |
| For search terms using time frames relative to now, think of the syntax as reading "prior to 7 days ago" (>now-7d) or "after 7 days ago" (<now-7d) helps to remember the correct syntax and order. |
vulnerability_found:>now-7d vulnerability_found:<now-7d |
| When searching more than one subnet, you need to put the subnets in square brackets ([]), separated by OR, and the whole search in parenthesis '()'. You can also use CIDR block formatting for subnets. To exclude a few IPs, use the -ip: as shown. |
ip:([10.33.254.1 TO 10.33.254.255] OR [10.51.7.1 TO 10.51.7.255] OR [10.9.7.1 TO 10.9.7.255] OR [10.48.4.1 TO 10.48.4.255] OR [10.38.23.1 TO 10.38.23.255] OR [10.57.7.1 TO 10.57.7.255] OR [10.45.254.1 TO 10.45.254.255] OR [10.20.7.1 TO 10.20.7.255] OR [10.0.7.1 TO 10.0.7.255]) AND -ip:(10.9.7.22 OR 10.45.254.15) |
Searches Supporting Kenna Research
These searches illustrate why using the Kenna Vulnerability Score over Scanner Score or CVSS helps prioritize remediation and reduce workload.
| Vulnerabilities with a low scanner score, but a high Kenna score | scanner_score:<=3 AND vulnerability_score:>75 |
| Vulnerabilities with a high scanner score, but a low Kenna score | scanner_score:>=4 AND vulnerability_score:<50 |
| Vulnerabilities with a high Kenna score, but a low CVSS score | vulnerability_score:>=80 AND cvss_severity:<=5 |
| Vulnerabilities with a low Kenna score, but a high CVSS score | vulnerability_score:<80 AND cvss_severity:>=5 |
Searches on Vulnerabilities
| Vulnerabilities with Active Internet Breaches | active_internet_breach:true |
| Vulnerabilities marked easily exploitable | easily_exploitable:true |
| Vulnerabilities which have changed from one status to another (open, closed, false_positive, risk_accepted) in the last 36 hours. | status_changed_at:>now-36h |
| Vulnerabilities closed in the past 7 days | closed_at:>now-7d |
| Vulnerabilities which have not been closed by their due date. | not_closed_by_due_date:true |
| Vulnerabilities by due date | due_date=2018-08-01 |
| Overdue vulnerabilities as of now |
due_date:<now OR not_closed_by_due_date:true |
| Vulnerabilities past a certain due date | due_date:<[ENTER PAST DATE] |
| Vulnerabilities coming due at a future date | due_date:>[ENTER TODAY'S DATE OR FUTURE DATE] |
| Vulnerabilities by due date range | due_date:[2019-01-01 TO 2019-09-20] |
| Vulnerabilities due in the next 30 days | due_date:<now+30d AND due_date:>=now |
| Vulnerabilities with high risk scores | vulnerability_score:>=66 |
| Vulnerabilities with medium risk scores | vulnerability_score:>33 AND vulnerability_score:<=66 |
| Vulnerabilities with low risk scores | vulnerability_score:<=33 |
Searches on Assets
| Assets seen within the last 15 days | asset_last_seen:>now-15d |
| Assets NOT seen within the last 21 days | -asset_last_seen:>now-21d |
| Assets with low risk scores in the green | asset_score:<=330 |
| Assets with medium risk scores in the yellow | asset_score:>330 AND asset_score:<=660 |
| Assets with high risk scores in the red | asset_score:>660 |
| Assets with high risk scores between 849 and 1000 | asset_score:{849 TO 1000} |
| Identify printers | os:("*printer*"OR "JetDirect"OR "Laserjet") |
| High priority assets | priority:>7 |
| Assets with "Internal" RFC1918 IP addresses | ip:([10.0.0.0 TO 10.255.255.255] OR [172.16.0.0 TO 172.31.255.255] OR [192.168.0.0 TO 192.168.255.255]) |
| Assets with externally-routable IP addresses | -ip:([10.0.0.0 TO 10.255.255.255] OR [172.16.0.0 TO 172.31.255.255] OR [192.168.0.0 TO 192.168.255.255]) AND _exists_:ip |
| Search for multiple distinct IP addresses | ip:(10.0.0.1 OR 10.0.9.12 OR 10.0.23.6) |
| Windows Server 2016 OS | os:"Microsoft Windows Server 2016*" |
| Assets that haven't been seen in the last 30 days | asset_last_seen:>now-30d |
|
Assets that became inactive in the last 30 days. (Assuming a 30 day or less inactivity limit.) Change the time frame to match up with your asset inactivity limit. |
*must select the inactive asset filter first asset_last_seen:>now-30d also can be done like this asset_last_seen:<now-15d AND asset_last_seen:>now-30d |
Searches on Fix Category
| Vulnerabilities with a particular fix category *Based on Qualys fix category |
fix_category:Hardware fix_category:"CGI" fix_category:"DNS and BIND" fix_category:"Database" fix_category:"Firewall" fix_category:"General remote services" fix_category:"Information gathering" fix_category:"Internet Explorer" fix_category:"Office Application" fix_category:"RPC" fix_category:"Security Policy" fix_category:"SMB / NETBIOS" fix_category:"SNMP" fix_category:"TCP/IP" fix_category:"Web server" fix_category:"Windows" |
|
Vulnerabilities by fix title keyword "Java" that are case insensitive and do not need any wildcards For case sensitive, use quotes |
fix_title:Java |
| Vulnerabilities with an MS patch issued in 2000 and after | fix_title:"*MS20??-*" |
| Vulnerabilities closed within the last 16 days |
*must select the closed vulnerability filter checkbox first closed_at:>now-16d |
| Vulnerabilities closed between two dates |
*must select the closed vulnerability filter checkbox first closed_at:>2019-02-01 AND closed_at:<=2019-02-25 |
Complex Search Queries
Complex searches that cross Asset and Vulnerability terms with OR condition statements are not supported in the UI search box. If you are having issues building the search you want, contact Support for assistance. Some queries can be implemented on the back end to support more complex queries.
| Windows fixes for easily exploitable active internet breaches | fix_category:"Windows" AND active_internet_breach:true AND easily_exploitable:true |
| Vulnerability scores above 60 for Windows workstations, which have been seen in the last 7 days | asset_last_seen:>now-7d AND os: “Windows” AND vulnerability_score:>60 |
| Assets tagged "Corporate External Network" that do not have an OS string starting with Windows | tag:"Corporate External Network" AND -os:"Windows*" |
| Database servers with asset priority of 8 or above | tag:"Database servers" AND priority:>=8 |
| Java on Desktops | os: ("Windows 10*" OR "Windows 7*" OR "*Windows 8*" OR "Windows CE*" OR "Windows XP*" OR "*FreeBSD*" OR "*MacOS*") AND fix_title: "*Java*" |
| Java on Windows Servers | fix_title: "*Java*" AND os: ("Windows Server" OR "Windows Web Server 2008" OR "Windows 2000*" OR "Windows 2003*" OR "Windows 2008*" OR "Windows 2012*" OR "Windows 2016*" OR "Windows Embedded*") |
| IP address range AND wildcard hostname example | ip:[10.0.0.0 TO 10.255.255.255] AND hostname:("xv*" "zk*") |
| Searching on Microsoft Patches for Critical Vulnerabilities | fix_title:"MS??-*" AND vulnerability_score:>90 |
| High scored vulnerabilities seen in the last week | vulnerability_score:>66 AND fix_published:>now-30d |
| High scored vulnerabilities with fixes published in the last 30 days | vulnerability_score:>66 AND fix_published:>now-30d |
| Medium risk java vulnerabilities | vulnerability_score:<67 AND vulnerability_score:>33 AND cve_description:"java" |
| Open vulnerabilities for CVE-2010-0842 that are past due | due_date:<now AND cve:2010-0842 |
| Risks that were marked accepted more than/prior to 30 days ago | due_date:<now-30d AND status:"risk accepted" |
| IP address range AND wildcard hostname | ip:[10.0.0.0 TO 10.255.255.255] AND hostname:("xv*" "zk*") |