This contains a number of example searches, based on our supported search terms.
To use any examples, copy the entire "Example" search string below and paste it into the "SEARCH" text bar, immediately below the Risk Meter on your Kenna Explore page.
Note: Complex searches that cross Asset and Vulnerability terms with OR condition statements are not supported in the UI search box. If you are having issues building the search you want, contact Support for assistance. Some queries can be implemented on the back end to support more complex queries.
General Tips
- To search for multiple values under a single search term use parenthesis - ip:(10.0.1.43 OR 172.3.45.6) / fix_title:("*Java*" AND "*Script*")
- Use ? sign in strings to represent a single space of any value.
- Find SSL/TLS - cve_description:"*TLS?SSL*"
- To "not" a search parameter use a - sign. To find non-server windows devices - os:"*Windows*" AND -os:"*Server*"
Asset Search Samples
Asset Locators
| Example | Description |
|---|---|
-ip:([10.0.0.0 TO 10.255.255.255] OR [172.16.0.0 TO 172.31.255.255] OR [192.168.0.0 TO 192.168.255.255]) AND _exists_:ip |
Assets with externally-routable IP addresses. |
ip:([10.0.0.0 TO 10.255.255.255] OR [172.16.0.0 TO 172.31.255.255] OR [192.168.0.0 TO 192.168.255.255]) |
Assets with internally-routable IP addresses. |
| ip:(10.0.0.1 OR 10.0.9.12 OR 10.0.23.6) | Search for multiple distinct IP addresses. |
Asset Scores
| Example | Description |
|---|---|
asset_score:>660 |
Assets with high risk scores. |
asset_score:>330 AND asset_score:<=660 |
Assets with medium risk scores. |
asset_score:<=330 |
Assets with low risk scores. |
vulnerability_score:>66 |
Vulnerabilities with high risk scores. |
vulnerability_score:>33 AND vulnerability_score:<=66 |
Vulnerabilities with medium risk scores. |
vulnerability_score:<=33 |
Vulnerabilities with low risk scores. |
Asset Dates
| Example | Description |
|---|---|
| asset_last_seen:<now-30d | Assets that haven't been seen in the last 30 days. |
|
First select the inactive assets filter asset_last_seen:>now-7d |
To monitor assets that recently went inactive. Change the time frame to match up with your asset inactivity limit. (must check the inactive asset filter) |
Combined Asset Elements
| Example | Description |
|---|---|
| tag:"*Windows*" AND asset_score:>660 | Assets that are high risk and having a tag containing "Windows" |
| os:("*Linux*" OR "*Ubuntu*") AND asset_last_seen:>now-30d | Linux or Ubuntu assets seen in the last 30 days |
| tag:"Corporate External Network" AND -os:"Windows*" | Assets tagged "Corporate External Network" that do not have an OS string starting with "Windows". |
Vulnerability Search Samples
Vulnerability Scores
| Example | Description |
|---|---|
asset_score:>660 |
Assets with high risk scores. |
asset_score:>330 AND asset_score:<=660 |
Assets with medium risk scores. |
asset_score:<=330 |
Assets with low risk scores. |
vulnerability_score:>66 |
Vulnerabilities with high risk scores. |
vulnerability_score:>33 AND vulnerability_score:<=66 |
Vulnerabilities with medium risk scores. |
vulnerability_score:<=33 |
Vulnerabilities with low risk scores. |
Vulnerability Dates
| Example | Description |
|---|---|
due_date:<now+30d AND due_date:>=now |
Vulnerabilities due in the next 30 days. |
due_date:<now |
Vulnerabilities past due. |
|
not_closed_by_due_date:true |
Vulnerabilities past due. |
Vulnerability Fixes
| Example | Description |
|---|---|
fix_title:Java |
Search vulnerabilities by fix title keywords that are case insensitive and do not need any wildcards. |
fix_title:"*MS20??-*" |
Vulnerabilities with a MS patch issued in 2000 and after. |
fix_category:Database |
Vulnerabilities with a fix that has the category Database |
Combined Vulnerability Elements
| Example | Description |
|---|---|
| vulnerability_score:>66 AND fix_published:>now-30d | High risk vulnerabilities with fixes published in the last 30 days |
| vulnerability_score:<67 AND vulnerability_score:>33 AND cve_description:"java" | Medium risk java vulnerabilities |
| due_date:<now AND cve:2010-0842 | Open vulnerabilities for CVE-2010-0842 that are past due |
|
asset_last_seen:>now-7d AND os: “Windows” AND vulnerability_score:>60 |
Vulnerability scores above 60 for Windows workstations which have been seen in the last 7 days |
|
due_date:<now-30d AND status:"risk accepted" |
Risks that were marked accepted more than/prior to 30 days ago |
|
Select the Closed Vulnerability filter checkbox first closed_at:>now-16d |
Vulnerabilities closed within the last 16 days (must selected closed vuln filter first) |
|
Select the Closed Vulnerability filter checkbox first closed_at:>2019-02-01 AND closed_at:<=2019-02-25 |
Vulnerabilities closed between two dates (must selected closed vuln filter first) |
|
fix_title:"MS??-*" AND vulnerability_score:>90 |
Searching on Microsoft Patches for Critical Vulns |
|
High scored vulnerabilities seen in the last week |
vulnerability_last_seen:>now-7d AND vulnerability_score:>66 |