This article contains a number of example searches, based on Cisco Vulnerability Management supported search terms.
To use any example, copy the entire search string from a cell in one of the tables below and paste it into the "CUSTOM QUERY STRING" text bar located below the Risk Meter on your Explore page.
Advanced Search Notes
Advanced Search Notes
-
Logical operators must be in complete uppercase. For example:
- AND, OR are valid.
- And, and, Or, or are not valid.
-
The AND operator means that an item must match both conditions for results to be returned. For example:
- os:("Windows 10" AND "Windows 11") returns results associated with Windows 10 AND Windows 11.
-
os:"Windows" AND scanner_score:>6 returns results associated with Windows AND scanner score that is greater than 6.
- Complex searches that cross Asset and Vulnerability terms with OR condition statements are not supported in the UI search box.
-
If searching across more than a single search term, only AND is supported. For example:
- cve:2020-2718 AND vulnerability_score:>80 is valid.
- cve:2020-2718 OR vulnerability_score:>80 is not valid.
- While asset search and custom field terms support negated search terms (terms preceded with a minus “-”), vulnerability definition terms do not. If you try to negate (“-”) a vulnerability definition search term it might not produce an error, but the results may not be what you would expect.
-
It is preformant to search for terms when you nest the values together: For example:
- os:("Windows 10" OR "Windows 11") speeds up the search.
- os:"Windows 10" OR os:"Windows 11" will be slower.
General Tips
|
Use an asterisk (*) for any number of characters or as a wildcard for a string used within double quotes. This will generate a case and location sensitive search. For boarder results follow Tokenized formatting. |
tag:"Location-US-*" |
|
Use a question mark (?) in strings to represent a single space of any value. |
cve_description:"TLS?SSL*" |
| To negate an asset search term or custom field use a minus sign (-). | -os:"*Windows*" AND -os:"*Server*" |
| Using terms within parentheses will assume an "OR" between terms. | tag:("Alpha" "Bank" "RDP") |
| To search for a grouping of terms, use the plus sign (+) or (AND). In this case, a tag that contains both the word "Java" and the phrase "app portfolio". |
tag:("Java" AND "app portfolio") |
|
Exclusive range queries are denoted by curly brackets ({}). This will exclude the beginning and ending 'values' within the curly brackets, so in this example it will return values of 2-9. Range queries using square brackets ([]) will include the beginning and ending values, so in this example it will return values of 1-10. |
scanner_score:{1 TO 10}
scanner_score:[1 TO 10] |
| To search for assets that have or do not have data for a specific attribute, use the _exists_ parameter. Valid attributes are: tag, os, ip, hostname, url, mac_address, netbios, fqdn, file, fix, and application. | _exists_:netbios
or for does not exist -_exists_:netbios |
| To escape the following characters, use the backslash (\) before the character. | + - & |! ( ) { } [ ] ^ " ~ * ? : \ |
| For dates, the formatting is year, month, day. | due_date:2019-4-30 |
| Use d, M, y to indicate day, month, or year. | due_date:>now-7d |
| For search terms using time frames relative to now, think of the syntax as reading "prior to 7 days ago" (<now-7d) or "after 7 days ago" (>now-7d) helps to remember the correct syntax and order. |
vulnerability_found:<now-7d vulnerability_found:>now-7d |
| When searching more than one subnet, you need to put the subnets in square brackets ([]), separated by OR, and the whole search in parenthesis '()'. You can also use CIDR block formatting for subnets. To exclude a few IPs, use the -ip: as shown. |
ip:([10.33.254.1 TO 10.33.254.255] OR [10.51.7.1 TO 10.51.7.255] OR [10.9.7.1 TO 10.9.7.255] OR [10.48.4.1 TO 10.48.4.255]) AND -ip:(10.9.7.22 OR 10.45.254.15) Brackets are not needed for CIDR ranges: ip:(10.43.60.1/22 OR 10.43.140.1/22) AND -os:(Cisco) |
Searches Supporting Cisco Vulnerability Management Research
These searches illustrate why using the Cisco Security Risk Score over Scanner Score or CVSS helps prioritize remediation and reduce workload. CVSS v3 scores includes both CVSS 3.0 and 3.1.
| Vulnerabilities with a low scanner score, but a high risk score | scanner_score:<=3 AND vulnerability_score:>75 |
| Vulnerabilities with a high scanner score, but a low risk score | scanner_score:>=4 AND vulnerability_score:<50 |
| Vulnerabilities with a high risk score, but a low CVSS score | vulnerability_score:>=80 AND cvss_v3_score:<=3 |
| Vulnerabilities with a low risk score, but a high CVSS score | vulnerability_score:<80 AND cvss_v3_score:>=7 |
| Vulnerabilities with a high CVSS v2 score |
cvss_v2_score:>=7 AND -_exists_: cvss_v3_score |
Note: CVSS_v3_score includes both CVSS v3.0 and v3.1
Searches on Vulnerabilities
| Vulnerabilities with Active Internet Breaches | active_internet_breach:true |
| Vulnerabilities marked easily exploitable | easily_exploitable:true |
| Vulnerabilities with Predicted Exploits | predicted_exploitable:true |
| Vulnerabilities which have changed from one status to another (open, closed, false_positive, risk_accepted) in the last 36 hours. | status_changed_at:>now-36h |
| Vulnerabilities closed in the past 7 days | closed_at:>now-7d |
| Vulnerabilities which have not been closed by their due date. | not_closed_by_due_date:true |
| Vulnerabilities by due date | due_date=2018-08-01 |
| Overdue vulnerabilities as of now |
due_date:<now OR not_closed_by_due_date:true |
| Vulnerabilities past a certain due date | due_date:<[ENTER PAST DATE] |
| Vulnerabilities coming due at a future date | due_date:>[ENTER TODAY'S DATE OR FUTURE DATE] |
| Vulnerabilities by due date range | due_date:[2019-01-01 TO 2019-09-20] |
| Vulnerabilities due in the next 30 days | due_date:<now+30d AND due_date:>=now |
| Vulnerabilities with high risk scores | vulnerability_score:>=66 |
| Vulnerabilities with medium risk scores | vulnerability_score:>33 AND vulnerability_score:<=66 |
| Vulnerabilities with low risk scores | vulnerability_score:<=33 |
Searches on Assets
| Assets seen within the last 15 days | asset_last_seen:>now-15d |
| Assets NOT seen within the last 21 days | asset_last_seen:<now-21d |
| Assets with low risk scores in the green | asset_score:<=330 |
| Assets with medium risk scores in the yellow | asset_score:>330 AND asset_score:<=660 |
| Assets with high risk scores in the red | asset_score:>660 |
| Assets with high risk scores between 849 and 1000 | asset_score:{849 TO 1000} |
| Identify printers | os:(printer JetDirect Laserjet) |
| High priority assets | priority:>7 |
| Assets with "Internal" RFC1918 IP addresses | ip:([10.0.0.0 TO 10.255.255.255] OR [172.16.0.0 TO 172.31.255.255] OR [192.168.0.0 TO 192.168.255.255]) |
| Assets with externally-routable IP addresses | -ip:([10.0.0.0 TO 10.255.255.255] OR [172.16.0.0 TO 172.31.255.255] OR [192.168.0.0 TO 192.168.255.255]) AND _exists_:ip |
| Search for multiple distinct IP addresses | ip:(10.0.0.1 OR 10.0.9.12 OR 10.0.23.6) |
| Windows Server 2016 OS | os:"Microsoft Windows Server 2016*" |
| Assets that haven't been seen in the last 30 days | asset_last_seen:>now-30d |
|
Assets that became inactive in the last 30 days. (Assuming a 30 day or less inactivity limit.) Change the time frame to match up with your asset inactivity limit. |
*must select the inactive asset filter first asset_last_seen:>now-30d also can be done like this asset_last_seen:<now-15d AND asset_last_seen:>now-30d |
Searches on Fix Category
| Vulnerabilities with a particular fix category *Based on Qualys fix category |
fix_category:Hardware fix_category:"CGI" fix_category:"DNS and BIND" fix_category:"Database" fix_category:"Firewall" fix_category:"General remote services" fix_category:"Information gathering" fix_category:"Internet Explorer" fix_category:"Office Application" fix_category:"RPC" fix_category:"Security Policy" fix_category:"SMB / NETBIOS" fix_category:"SNMP" fix_category:"TCP/IP" fix_category:"Web server" fix_category:"Windows" |
|
Vulnerabilities by fix title keyword "Java" that are case insensitive and do not need any wildcards For case sensitive, use quotes |
fix_title_keyword:Java fix_title_keyword:(java (microsoft AND excel) (adobe AND flash) explorer chrome) |
| Vulnerabilities with an MS patch issued in 2000 and after | fix_title:"*MS20??-*" |
| Vulnerabilities closed within the last 16 days |
select the closed vulnerability filter checkbox first closed_at:>now-16d |
| Vulnerabilities closed between two dates |
select the closed vulnerability filter checkbox first closed_at:>2019-02-01 AND closed_at:<=2019-02-25 |
Complex Search Queries
Important: Complex searches that cross Asset and Vulnerability terms with OR condition statements are not supported in the UI search box.
| Windows fixes for easily exploitable active internet breaches | fix_category:"Windows" AND active_internet_breach:true AND easily_exploitable:true |
| Vulnerability scores above 60 for Windows workstations, which have been seen in the last 7 days | asset_last_seen:>now-7d AND os:(Windows) AND vulnerability_score:>60 |
| Assets tagged "Corporate External Network" that do not have an OS string starting with Windows | tag:"Corporate External Network" AND -os:(windows) |
| Database servers with asset priority of 8 or above | tag:"Database servers" AND priority:>=8 |
|
Java on Desktops. For os and fix_title_keyword tips see Tokenized examples. |
os:((Windows AND (10 OR 7 OR 8 OR CE OR XP) AND -server) OR FreeBSD OR MacOS) AND fix_title_keyword:(Java) |
|
Java on Windows Servers. For os and fix_title_keyword tips see Tokenized examples. |
fix_title_keyword: (Java) AND os: ((Windows AND Server) OR (Windows AND (2000 2003 2008 2012 2016 Embedded))) |
|
IP address range AND wildcard hostname example. For hostname tips see Tokenized examples. |
ip:[10.0.0.0 TO 10.255.255.255] AND hostname:("xv*" "zk*") |
| Searching on Microsoft Patches for Critical Vulnerabilities. | fix_title:"MS??-*" AND vulnerability_score:>90 |
| High scored vulnerabilities seen in the last week | vulnerability_score:>66 AND fix_published:>now-30d |
| High scored vulnerabilities with fixes published in the last 30 days | vulnerability_score:>66 AND fix_published:>now-30d |
|
Medium risk java vulnerabilities. For cve_description tips see Tokenized examples. |
vulnerability_score:<67 AND vulnerability_score:>33 AND cve_description:"java" |
| Open vulnerabilities for CVE-2010-0842 that are past due | due_date:<now AND cve:2010-0842 |
| Risk accepted vulnerabilities that were due more than 30 days ago |
select the risk accepted vulnerability status filter checkbox first due_date:<now-30d |
Comments
Please sign in to leave a comment.