Kenna Simple Search Syntax Examples

This article contains a number of example searches based on our supported search terms.

To use an example, copy the entire "Example" search string below and paste it into the "SEARCH" text bar, immediately below the Risk Meter on your Kenna Home page.

Note: Complex searches that cross Asset and Vulnerability terms with OR condition statements are not supported in the UI search box. If you are having issues building the search you want, contact Support for assistance. Some more complex queries can be implemented on the back end.

General Tips

  • To search for multiple values under a single search term, use parentheses: ip:(10.0.1.43 OR 172.3.45.6) or fix_title:("*Java*" AND "*Script*")
  • Use a ? sign in strings to represent a single character of any value.
    • Find SSL/TLS - cve_description:"*TLS?SSL*"
  • To negate ("not") a search parameter, use a - sign. To find non-server Windows devices - os:"*Windows*" AND -os:"*Server*"

Asset Search Samples

Asset Locators


| Example | Description |
| --- | --- |
| -ip:([10.0.0.0 TO 10.255.255.255] OR [172.16.0.0 TO 172.31.255.255] OR [192.168.0.0 TO 192.168.255.255]) AND _exists_:ip | Assets with externally-routable IP addresses. |
| ip:([10.0.0.0 TO 10.255.255.255] OR [172.16.0.0 TO 172.31.255.255] OR [192.168.0.0 TO 192.168.255.255]) | Assets with internally-routable IP addresses. |
| ip:(10.0.0.1 OR 10.0.9.12 OR 10.0.23.6) | Search for multiple distinct IP addresses. |
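
To see which assets the internal and external searches above select, the same two predicates can be run locally over an asset export. This Python code is an added example, not Kenna code: it assumes the ip ranges compare numerically and inclusively, and the asset records and function names are constructed for illustration.

```python
import ipaddress

# The three inclusive [start TO end] ranges from the page's Asset Locator searches.
PRIVATE_RANGES = [
    (ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi))
    for lo, hi in (
        ("10.0.0.0", "10.255.255.255"),
        ("172.16.0.0", "172.31.255.255"),
        ("192.168.0.0", "192.168.255.255"),
    )
]

def matches_internal(asset):
    """ip:([..] OR [..] OR [..]) -- needs an IP inside one of the ranges."""
    ip = asset.get("ip")
    if not ip:
        return False
    addr = ipaddress.IPv4Address(ip)
    return any(lo <= addr <= hi for lo, hi in PRIVATE_RANGES)

def matches_external(asset):
    """-ip:([..] OR ..) AND _exists_:ip -- has an IP, and it is outside every range."""
    return bool(asset.get("ip")) and not matches_internal(asset)

# Constructed sample inventory (not real assets).
ASSETS = [
    {"name": "web-01", "ip": "203.0.113.10"},
    {"name": "db-01", "ip": "10.20.30.40"},
    {"name": "edge-lo", "ip": "172.31.255.255"},   # last address inside the range
    {"name": "edge-hi", "ip": "172.32.0.0"},       # first address past the range
    {"name": "printer", "ip": "169.254.10.5"},     # link-local, not one of the ranges
    {"name": "agent-only", "ip": None},            # asset with no IP recorded
]

def split(assets):
    """Return (internal, external, neither) asset names for the two searches."""
    internal = [a["name"] for a in assets if matches_internal(a)]
    external = [a["name"] for a in assets if matches_external(a)]
    neither = [a["name"] for a in assets
               if a["name"] not in internal and a["name"] not in external]
    return internal, external, neither

if __name__ == "__main__":
    for label, names in zip(("internal", "external", "neither"), split(ASSETS)):
        print(f"{label}: {', '.join(names)}")
```

The "external" search is defined only as "has an IP outside the three listed ranges", so the link-local printer address lands in it, while the asset with no IP appears in neither result because of the _exists_:ip clause.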

Asset Scores

| Example | Description |
| --- | --- |
| asset_score:>660 | Assets with high risk scores. |
| asset_score:>330 AND asset_score:<=660 | Assets with medium risk scores. |
| asset_score:<=330 | Assets with low risk scores. |
| vulnerability_score:>66 | Vulnerabilities with high risk scores. |
| vulnerability_score:>33 AND vulnerability_score:<=66 | Vulnerabilities with medium risk scores. |
| vulnerability_score:<=33 | Vulnerabilities with low risk scores. |

Asset Dates

| Example | Description |
| --- | --- |
| asset_last_seen:<now-30d | Assets that haven't been seen in the last 30 days. |

Combined Asset Elements

| Example | Description |
| --- | --- |
| tag:"*Windows*" AND asset_score:>660 | Assets that are high risk and have a tag containing "Windows". |
| os:("*Linux*" OR "*Ubuntu*") AND asset_last_seen:>now-30d | Linux or Ubuntu assets seen in the last 30 days. |
| tag:"Corporate External Network" AND -os:"Windows*" | Assets tagged "Corporate External Network" that do not have an OS string starting with "Windows". |

Vulnerability Search Samples

Vulnerability Scores

| Example | Description |
| --- | --- |
| asset_score:>660 | Assets with high risk scores. |
| asset_score:>330 AND asset_score:<=660 | Assets with medium risk scores. |
| asset_score:<=330 | Assets with low risk scores. |
| vulnerability_score:>66 | Vulnerabilities with high risk scores. |
| vulnerability_score:>33 AND vulnerability_score:<=66 | Vulnerabilities with medium risk scores. |
| vulnerability_score:<=33 | Vulnerabilities with low risk scores. |

Vulnerability Dates

| Example | Description |
| --- | --- |
| due_date:<now+30d AND due_date:>=now | Vulnerabilities due in the next 30 days. |
| due_date:<now | Vulnerabilities past due. |

Vulnerability Fixes

| Example | Description |
| --- | --- |
| fix_title:"*MS20??-*" | Vulnerabilities with an MS patch issued in 2000 or later. |

Combined Vulnerability Elements

| Example | Description |
| --- | --- |
| vulnerability_score:>66 AND fix_published:>now-30d | High risk vulnerabilities with fixes published in the last 30 days. |
| vulnerability_score:<67 AND vulnerability_score:>33 AND cve_description:"java" | Medium risk Java vulnerabilities. |
| due_date:<now AND cve:2010-0842 | Open vulnerabilities for CVE-2010-0842 that are past due. |
