Simple and Complex Search Query Examples

This article contains a number of example searches, based on Cisco Vulnerability Management supported search terms.

To use any example, copy the entire search string from a cell in one of the tables below and paste it into the "CUSTOM QUERY STRING" text bar located below the Risk Meter on your Explore page.

Advanced Search Notes

  • Logical operators must be entirely uppercase. For example:
    • AND, OR are valid.
    • And, and, Or, or are not valid.
  • The AND operator means that an item must match both conditions for results to be returned. For example:
    • os:("Windows 10" AND "Windows 11") returns results associated with Windows 10 AND Windows 11.
    • os:"Windows" AND scanner_score:>6 returns results associated with Windows AND a scanner score greater than 6.
  • Complex searches that cross Asset and Vulnerability terms with OR condition statements are not supported in the UI search box.
  • If searching across more than a single search term, only AND is supported. For example:
    • cve:2020-2718 AND vulnerability_score:>80 is valid.
    • cve:2020-2718 OR vulnerability_score:>80 is not valid.
  • While asset search and custom field terms support negated search terms (terms preceded with a minus “-”), vulnerability definition terms do not. If you try to negate (“-”) a vulnerability definition search term it might not produce an error, but the results may not be what you would expect.
  • Searches run faster when you nest the values under a single term. For example:
    • os:("Windows 10" OR "Windows 11") speeds up the search.
    • os:"Windows 10" OR os:"Windows 11" will be slower.

General Tips

Use an asterisk (*) to match any number of characters, or as a wildcard inside a double-quoted string. This produces a case- and location-sensitive search. For broader results, follow Tokenized formatting.

tag:"Location-US-*"

Use a question mark (?) in strings to match a single character of any value.

cve_description:"TLS?SSL*"

To negate an asset search term or custom field, use a minus sign (-).

-os:"*Windows*" AND -os:"*Server*"

Terms within parentheses are treated as if an "OR" were between them.

tag:("Alpha" "Bank" "RDP")

To search for a grouping of terms, use the plus sign (+) or AND. In this example, the tag must contain both the word "Java" and the phrase "app portfolio".

tag:("Java" AND "app portfolio")

Exclusive range queries are denoted by curly brackets ({}). These exclude the beginning and ending values, so this example returns values of 2-9.

scanner_score:{1 TO 10}

Range queries using square brackets ([]) include the beginning and ending values, so this example returns values of 1-10.

scanner_score:[1 TO 10]

To search for assets that have or do not have data for a specific attribute, use the _exists_ parameter. Valid attributes are: tag, os, ip, hostname, url, mac_address, netbios, fqdn, file, fix, and application.

_exists_:netbios

or, for does not exist:

-_exists_:netbios

To escape any of the following characters, put a backslash (\) before the character: + - & | ! ( ) { } [ ] ^ " ~ * ? : \

For dates, the format is year-month-day.

due_date:2019-4-30

Use d, M, y to indicate day, month, or year.

due_date:>now-7d

For search terms using time frames relative to now, reading the syntax as "prior to 7 days ago" (<now-7d) or "after 7 days ago" (>now-7d) helps to remember the correct order.

vulnerability_found:<now-7d

vulnerability_found:>now-7d

When searching more than one subnet, put each subnet in square brackets ([]), separate them with OR, and wrap the whole search in parentheses ().

You can also use CIDR block formatting for subnets.

To exclude a few IPs, use -ip: as shown.

ip:([10.33.254.1 TO 10.33.254.255] OR [10.51.7.1 TO 10.51.7.255] OR [10.9.7.1 TO 10.9.7.255] OR [10.48.4.1 TO 10.48.4.255]) AND -ip:(10.9.7.22 OR 10.45.254.15)

Brackets are not needed for CIDR ranges:

ip:(10.43.60.1/22 OR 10.43.140.1/22) AND -os:(Cisco) 
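The following is an added example and is not Cisco's code or part of this article. It turns the rules from the Advanced Search Notes and General Tips above into a small Python helper: uppercase-only AND/OR, values nested under one field, backslash escaping of the reserved characters, inclusive [] versus exclusive {} ranges, _exists_, and the CIDR equivalents of bracketed IP ranges. The field names are the ones this article uses; the helper only assembles query text and never contacts the product, and the operator check is an assumption about how a reviewer might lint a query before pasting it, not a product feature.

```python
"""Added example, not Cisco's code: assemble Cisco Vulnerability Management
search strings following the rules stated in this article (uppercase AND/OR,
values nested under one field, backslash escaping of reserved characters,
inclusive [] vs exclusive {} ranges, _exists_, and CIDR instead of bracket
ranges for IPs).  Field names are the ones the article lists; the functions
only build text and never contact the product."""
import ipaddress
import re

# Reserved characters from the article; each is escaped with a backslash.
RESERVED = set('+-&|!(){}[]^"~*?:\\')

# Quoted phrases (with backslash escapes inside) are skipped when checking operators.
QUOTED = re.compile(r'"(?:[^"\\]|\\.)*"')
OPERATOR = re.compile(r'\b(and|or)\b', re.IGNORECASE)


def escape_value(value):
    """Escape every reserved character so it is searched literally."""
    return "".join(("\\" + ch) if ch in RESERVED else ch for ch in value)


def quote(phrase):
    """Double-quote a phrase (the article's form for phrases and wildcards);
    '*' and '?' are left alone so they keep their wildcard meaning."""
    return '"' + phrase.replace("\\", "\\\\").replace('"', '\\"') + '"'


def range_value(low, high, inclusive=True):
    """[low TO high] includes both ends, {low TO high} excludes both."""
    open_, close = ("[", "]") if inclusive else ("{", "}")
    return f"{open_}{low} TO {high}{close}"


def term(field, *values, operator="OR", negate=False):
    """field:value, or field:(v1 OR v2 ...) when several values are given.
    Nesting values under one field is the form the article says is faster
    than repeating the field for each value."""
    if operator not in ("AND", "OR"):
        raise ValueError("logical operators must be uppercase AND or OR")
    if not values:
        raise ValueError("a term needs at least one value")
    prefix = "-" if negate else ""
    if len(values) == 1:
        return f"{prefix}{field}:{values[0]}"
    joiner = f" {operator} "
    return f"{prefix}{field}:({joiner.join(values)})"


def exists(field, negate=False):
    """_exists_:field, or -_exists_:field for assets lacking the attribute."""
    return f"{'-' if negate else ''}_exists_:{field}"


def combine(*clauses):
    """Join distinct terms with AND, the only operator the article supports
    across different search terms."""
    return " AND ".join(clauses)


def invalid_operators(query):
    """Return every and/or outside quotes that is not fully uppercase
    (a pre-paste lint, assumed here, not a product feature)."""
    unquoted = QUOTED.sub(" ", query)
    return [m.group(1) for m in OPERATOR.finditer(unquoted)
            if m.group(1) not in ("AND", "OR")]


def cidr_for_range(first, last):
    """CIDR blocks equivalent to a [first TO last] IP range, for the
    bracket-free form the article shows for CIDR subnets."""
    nets = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [str(n) for n in nets]


def multi_subnet_query():
    """Rebuilds the article's multi-subnet search with two IPs excluded."""
    include = term("ip", range_value("10.33.254.1", "10.33.254.255"),
                   range_value("10.51.7.1", "10.51.7.255"))
    exclude = term("ip", "10.9.7.22", "10.45.254.15", negate=True)
    return combine(include, exclude)


if __name__ == "__main__":
    print(multi_subnet_query())
    print(term("os", quote("Windows 10"), quote("Windows 11")))
    print(invalid_operators('os:"Windows" and scanner_score:>6'))
    print(cidr_for_range("172.16.0.0", "172.31.255.255"))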


Searches Supporting Cisco Vulnerability Management Research

These searches illustrate why using the Cisco Security Risk Score over Scanner Score or CVSS helps prioritize remediation and reduce workload. CVSS v3 scores include both CVSS 3.0 and 3.1.

Vulnerabilities with a low scanner score, but a high risk score

scanner_score:<=3 AND vulnerability_score:>75

Vulnerabilities with a high scanner score, but a low risk score

scanner_score:>=4 AND vulnerability_score:<50

Vulnerabilities with a high risk score, but a low CVSS score

vulnerability_score:>=80 AND cvss_v3_score:<=3

Vulnerabilities with a low risk score, but a high CVSS score

vulnerability_score:<80 AND cvss_v3_score:>=7

Vulnerabilities with a high CVSS v2 score

cvss_v2_score:>=7 AND -_exists_:cvss_v3_score

Note: cvss_v3_score includes both CVSS v3.0 and v3.1

Searches on Vulnerabilities

Vulnerabilities with Active Internet Breaches

active_internet_breach:true

Vulnerabilities marked easily exploitable

easily_exploitable:true

Vulnerabilities with Predicted Exploits

predicted_exploitable:true

Vulnerabilities which have changed from one status to another (open, closed, false_positive, risk_accepted) in the last 36 hours

status_changed_at:>now-36h

Vulnerabilities closed in the past 7 days

closed_at:>now-7d

Vulnerabilities which have not been closed by their due date

not_closed_by_due_date:true

Vulnerabilities by due date

due_date:2018-08-01

Overdue vulnerabilities as of now

due_date:<now

or, alternatively:

not_closed_by_due_date:true

Vulnerabilities past a certain due date

due_date:<[ENTER PAST DATE]

Vulnerabilities coming due at a future date

due_date:>[ENTER TODAY'S DATE OR FUTURE DATE]

Vulnerabilities by due date range

due_date:[2019-01-01 TO 2019-09-20]

Vulnerabilities due in the next 30 days

due_date:<now+30d AND due_date:>=now

Vulnerabilities with high risk scores

vulnerability_score:>=66

Vulnerabilities with medium risk scores

vulnerability_score:>33 AND vulnerability_score:<=66

Vulnerabilities with low risk scores

vulnerability_score:<=33

Searches on Assets

Assets seen within the last 15 days

asset_last_seen:>now-15d

Assets NOT seen within the last 21 days

asset_last_seen:<now-21d

Assets with low risk scores (in the green)

asset_score:<=330

Assets with medium risk scores (in the yellow)

asset_score:>330 AND asset_score:<=660

Assets with high risk scores (in the red)

asset_score:>660

Assets with high risk scores between 849 and 1000

asset_score:{849 TO 1000}

Identify printers

os:(printer JetDirect Laserjet)

High priority assets

priority:>7

Assets with "Internal" RFC1918 IP addresses

ip:([10.0.0.0 TO 10.255.255.255] OR [172.16.0.0 TO 172.31.255.255] OR [192.168.0.0 TO 192.168.255.255])

Assets with externally-routable IP addresses

-ip:([10.0.0.0 TO 10.255.255.255] OR [172.16.0.0 TO 172.31.255.255] OR [192.168.0.0 TO 192.168.255.255]) AND _exists_:ip

Search for multiple distinct IP addresses

ip:(10.0.0.1 OR 10.0.9.12 OR 10.0.23.6)

Windows Server 2016 OS

os:"Microsoft Windows Server 2016*"

Assets that haven't been seen in the last 30 days

asset_last_seen:<now-30d

Assets that became inactive in the last 30 days (assuming a 30-day or shorter inactivity limit). Change the time frame to match your asset inactivity limit.

*must select the inactive asset filter first

asset_last_seen:>now-30d

This can also be written as:

asset_last_seen:<now-15d AND asset_last_seen:>now-30d
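The following is an added example and is not Cisco's code or part of this article. It is a small local evaluator for the subset of the syntax used in the vulnerability and asset tables above (field:value, <, <=, >, >= against numbers, absolute dates and now+/-Nd or Nh, [a TO b] and {a TO b} ranges, _exists_, a leading "-" negation, and clauses joined by AND) and runs those queries against constructed records, so you can see what "prior to 15 days ago" (<now-15d) versus "after 30 days ago" (>now-30d) selects and that {849 TO 1000} drops both endpoints. The record fields, the sample assets and findings, and the pinned "now" are all constructed for this example; M and y units are not modelled.

```python
"""Added example, not Cisco's code: a local evaluator for the subset of the
article's syntax used in the asset and vulnerability tables (field:value,
<, <=, >, >= against numbers, absolute dates and now+/-Nd or Nh, [a TO b] and
{a TO b} ranges, _exists_, leading '-' negation, clauses joined by AND).  It
runs the article's queries against constructed records to show what each
comparison actually selects.  "now" is pinned so results are reproducible."""
import re
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 1, 31, tzinfo=timezone.utc)   # constructed, fixed "now"

CLAUSE = re.compile(r"^(-?)(\w+):(<=|>=|<|>)?(.+)$")
RANGE = re.compile(r"^([\[{])(\S+) TO (\S+)([\]}])$")
RELATIVE = re.compile(r"^now(?:([+-])(\d+)([dh]))?$")
UNITS = {"d": "days", "h": "hours"}   # M and y (months, years) are not modelled


def resolve_time(token, now):
    """'now', 'now-7d', 'now+30d', 'now-36h' or an absolute year-month-day date."""
    m = RELATIVE.match(token)
    if m:
        if not m.group(1):
            return now
        delta = timedelta(**{UNITS[m.group(3)]: int(m.group(2))})
        return now + delta if m.group(1) == "+" else now - delta
    return datetime.strptime(token, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def clause_matches(clause, record, now=NOW):
    """Evaluate one field clause against one record (a dict of field values)."""
    m = CLAUSE.match(clause.strip())
    if not m:
        raise ValueError(f"unsupported clause: {clause}")
    negate, field, op, operand = m.groups()
    if field == "_exists_":
        hit = record.get(operand) is not None
    elif record.get(field) is None:
        hit = False                      # a missing attribute never matches
    else:
        value = record[field]
        # Dates and numbers are compared in their own domain.
        conv = (lambda t: resolve_time(t, now)) if isinstance(value, datetime) else float
        r = RANGE.match(operand)
        if r:
            low, high = conv(r.group(2)), conv(r.group(3))
            low_ok = value >= low if r.group(1) == "[" else value > low
            high_ok = value <= high if r.group(4) == "]" else value < high
            hit = low_ok and high_ok
        else:
            bound = conv(operand)
            hit = {None: value == bound, "<": value < bound, "<=": value <= bound,
                   ">": value > bound, ">=": value >= bound}[op]
    return not hit if negate else hit


def matches(query, record, now=NOW):
    """The article allows only AND across distinct terms, so that is all this joins on."""
    return all(clause_matches(c, record, now) for c in query.split(" AND "))


def search(query, records, key, now=NOW):
    """Return the `key` field of every record the query matches, in input order."""
    return [r[key] for r in records if matches(query, r, now)]


def days_from_now(n):
    return NOW + timedelta(days=n)


# Constructed sample data (not real assets or findings).
ASSETS = [
    {"hostname": "ws-01", "asset_last_seen": days_from_now(-2), "asset_score": 120},
    {"hostname": "ws-03", "asset_last_seen": days_from_now(-10), "asset_score": 500},
    {"hostname": "ws-02", "asset_last_seen": days_from_now(-18), "asset_score": 849,
     "netbios": "WS02"},
    {"hostname": "db-01", "asset_last_seen": days_from_now(-25), "asset_score": 900},
    {"hostname": "old-01", "asset_last_seen": days_from_now(-45), "asset_score": 1000},
]
VULNS = [
    {"id": "v-1", "due_date": days_from_now(-10), "vulnerability_score": 80, "cvss_v3_score": 4.0},
    {"id": "v-2", "due_date": days_from_now(5), "vulnerability_score": 50},
    {"id": "v-3", "due_date": days_from_now(40), "vulnerability_score": 20, "cvss_v3_score": 9.8},
]

if __name__ == "__main__":
    for q in ("asset_last_seen:>now-15d", "asset_last_seen:<now-21d",
              "asset_last_seen:<now-15d AND asset_last_seen:>now-30d",
              "asset_score:{849 TO 1000}", "asset_score:[849 TO 1000]"):
        print(f"{q:55} -> {search(q, ASSETS, 'hostname')}")
    for q in ("due_date:<now", "due_date:<now+30d AND due_date:>=now",
              "-_exists_:cvss_v3_score"):
        print(f"{q:55} -> {search(q, VULNS, 'id')}")
```

The asset queries show the two halves of the "became inactive" search selecting only the hosts last seen between 15 and 30 days ago, and the two range forms differing exactly on the 849 and 1000 endpoints; the vulnerability queries show the overdue and next-30-days searches from the table above picking disjoint findings.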


Searches on Fix Category 

Vulnerabilities with a particular fix category
*Based on Qualys fix category
fix_category:Hardware
fix_category:"CGI"
fix_category:"DNS and BIND"
fix_category:"Database"
fix_category:"Firewall"
fix_category:"General remote services"
fix_category:"Information gathering"
fix_category:"Internet Explorer"
fix_category:"Office Application"
fix_category:"RPC"
fix_category:"Security Policy"
fix_category:"SMB / NETBIOS"
fix_category:"SNMP"
fix_category:"TCP/IP"
fix_category:"Web server"
fix_category:"Windows" 

Vulnerabilities by fix title keyword "Java". Keyword searches are case insensitive and do not need any wildcards.

For a case-sensitive search, use quotes.

fix_title_keyword:Java

fix_title_keyword:(java (microsoft AND excel) (adobe AND flash) explorer chrome)

Vulnerabilities with an MS patch issued in 2000 and after

fix_title:"*MS20??-*"

Vulnerabilities closed within the last 16 days

select the closed vulnerability filter checkbox first

closed_at:>now-16d

Vulnerabilities closed between two dates

select the closed vulnerability filter checkbox first

closed_at:>2019-02-01 AND closed_at:<=2019-02-25

Complex Search Queries

Important: Complex searches that cross Asset and Vulnerability terms with OR condition statements are not supported in the UI search box.

Windows fixes for easily exploitable active internet breaches

fix_category:"Windows" AND active_internet_breach:true AND easily_exploitable:true

Vulnerability scores above 60 for Windows workstations which have been seen in the last 7 days

asset_last_seen:>now-7d AND os:(Windows) AND vulnerability_score:>60

Assets tagged "Corporate External Network" that do not have an OS string starting with Windows

tag:"Corporate External Network" AND -os:(windows)

Database servers with an asset priority of 8 or above

tag:"Database servers" AND priority:>=8

Java on Desktops. For os and fix_title_keyword tips, see the Tokenized examples.

os:((Windows AND (10 OR 7 OR 8 OR CE OR XP) AND -server) OR FreeBSD OR MacOS) AND fix_title_keyword:(Java)

Java on Windows Servers. For os and fix_title_keyword tips, see the Tokenized examples.

fix_title_keyword:(Java) AND os:((Windows AND Server) OR (Windows AND (2000 2003 2008 2012 2016 Embedded)))

IP address range AND wildcard hostname example. For hostname tips, see the Tokenized examples.

ip:[10.0.0.0 TO 10.255.255.255] AND hostname:("xv*" "zk*")

Searching on Microsoft Patches for Critical Vulnerabilities

fix_title:"MS??-*" AND vulnerability_score:>90

High scored vulnerabilities seen in the last week

vulnerability_score:>66 AND fix_published:>now-30d

High scored vulnerabilities with fixes published in the last 30 days

vulnerability_score:>66 AND fix_published:>now-30d

Medium risk Java vulnerabilities. For cve_description tips, see the Tokenized examples.

vulnerability_score:<67 AND vulnerability_score:>33 AND cve_description:"java"

Open vulnerabilities for CVE-2010-0842 that are past due

due_date:<now AND cve:2010-0842

Risk accepted vulnerabilities that were due more than 30 days ago

select the risk accepted vulnerability status filter checkbox first

due_date:<now-30d
