Simple and Complex Search Query Examples

This article contains a number of example searches, based on our supported search terms.

To use any example, copy the entire search string from a box below and paste it into the "SEARCH" text bar located below the Risk Meter on your Kenna Explore page.

Our search engine uses Lucene query syntax. More information on that syntax is available in the Apache Lucene documentation.

Note: Complex searches that cross Asset and Vulnerability terms with OR condition statements are not supported in the UI search box. If you are having issues building the search you want, contact Support for assistance. Some queries can be implemented on the back end to support more complex queries.

General Tips

Use an asterisk (*) for any number of characters or as a wildcard for a string used within double quotes.

os:"*Windows*" 

Use a question mark (?) in strings to represent a single character position of any value.

cve_description:"*TLS?SSL*"
To negate a search parameter, use a minus sign (-).

-os:"*Windows*" AND -os:"*Server*"

Terms placed within parentheses are assumed to have an "OR" between them.

tag:("Alpha" "Bank" "RDP")

To search for a grouping of terms, use the plus sign (+). In this case, a tag that contains both the word "Java" and the phrase "app portfolio".

tag:("Java" +"app portfolio")

Exclusive range queries are denoted by curly brackets ({}). The beginning and ending values inside the curly brackets are excluded, so this example returns values 1 through 9.

scanner_score:{0 TO 10}

To search for assets that have or do not have data for a specific attribute, use the _exists_ parameter. Valid attributes are: tag, os, ip, hostname, url, mac_address, netbios, fqdn, file, fix, port, and application.

_exists_:netbios

or for does not exist

-_exists_:netbios

To search for any of the following characters literally, escape it with a backslash (\) placed before the character: + - & | ! ( ) { } [ ] ^ " ~ * ? : \

For dates, the format is year, month, day.

due_date:2019-4-30

Use d, m, y to indicate day, month, or year (the examples below also use h for hours).

due_date:>now-7d

For search terms using time frames relative to now, read the operator against the point in time: >now-7d means later (more recent) than 7 days ago, that is, within the last 7 days, and <now-7d means earlier than 7 days ago. Reading them this way helps to remember the correct order.

vulnerability_found:>now-7d

vulnerability_found:<now-7d
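The tips above describe wildcards, negation, parenthesised OR groups, escaping and balanced brackets. The following is an added example, not code from this article or from Kenna: a small Python helper that escapes literal values, builds negated or OR-grouped field clauses, and checks a hand-written query for the mistakes that most often break a Lucene search (unbalanced parentheses or range brackets, an unterminated quoted string, and field=value where field:value was meant). The names escape_lucene, quoted, any_of and validate_query are this example's own; the only assumption beyond the article is that "/" is also reserved in newer Lucene versions.

```python
# Characters the Lucene query parser treats as operators: the list given above,
# plus "/" which newer Lucene versions also reserve for regular-expression terms
# (assumption beyond this article).
LUCENE_SPECIAL = set('+-&|!(){}[]^"~*?:\\/')


def escape_lucene(value):
    """Backslash-escape a literal so it is searched for verbatim, e.g. a value with ':'."""
    return "".join("\\" + ch if ch in LUCENE_SPECIAL else ch for ch in value)


def quoted(value):
    """Wrap a value in double quotes, escaping only embedded quotes and backslashes,
    so that * and ? keep their wildcard meaning, as in os:"*Windows*"."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def any_of(field, values, negate=False):
    """Build field:("a" OR "b"), or -field:(...) when negate is set. Parenthesised
    terms default to OR; it is written out here so the intent is visible."""
    body = " OR ".join(quoted(v) for v in values)
    return ("-" if negate else "") + f"{field}:({body})"


def validate_query(query):
    """Return a list of problems found in a query string: unbalanced ( [ {,
    an unterminated double quote, or field=value (field queries use a colon).
    Backslash escapes and text inside quotes are ignored, as the parser does."""
    problems, stack, in_quote, i = [], [], False, 0
    closers = {")": "(", "]": "[", "}": "{"}
    while i < len(query):
        ch = query[i]
        if ch == "\\":            # skip the escaped character entirely
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        elif not in_quote:
            if ch in "([{":
                stack.append((ch, i))
            elif ch in closers:
                if stack and stack[-1][0] == closers[ch]:
                    stack.pop()
                else:
                    problems.append(f"unexpected {ch!r} at offset {i}")
            elif ch == "=" and i > 0 and (query[i - 1].isalnum() or query[i - 1] == "_"):
                problems.append(f"'=' at offset {i}: field queries use a colon (field:value)")
        i += 1
    if in_quote:
        problems.append("unterminated double quote")
    problems += [f"unclosed {ch!r} opened at offset {pos}" for ch, pos in stack]
    return problems


if __name__ == "__main__":
    print(any_of("os", ["*printer*", "JetDirect", "Laserjet"]))
    for q in ('os:("*printer*" OR "JetDirect")', 'os:"Windows', "due_date=2018-08-01"):
        print(q, "->", validate_query(q) or "ok")
```

Running validate_query over a query before pasting it into the search bar catches the bracket and quote slips that otherwise surface only as an empty or erroring search; escape_lucene is for values that must match literally, while quoted keeps wildcards live inside a phrase.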

When searching more than one subnet, put each subnet range in square brackets ([]), separate the ranges with OR, and wrap the whole group in parentheses (()).

You can also use CIDR block formatting for subnets.

To exclude a few IPs, use -ip: as shown.

ip:([10.33.254.1 TO 10.33.254.255] OR [10.51.7.1 TO 10.51.7.255] OR [10.9.7.1 TO 10.9.7.255] OR [10.48.4.1 TO 10.48.4.255] OR [10.38.23.1 TO 10.38.23.255] OR [10.57.7.1 TO 10.57.7.255] OR [10.45.254.1 TO 10.45.254.255] OR [10.20.7.1 TO 10.20.7.255] OR [10.0.7.1 TO 10.0.7.255]) AND -ip:(10.9.7.22 OR 10.45.254.15)


Searches Supporting Kenna Research

These searches illustrate why using the Kenna Vulnerability Score over Scanner Score or CVSS helps prioritize remediation and reduce workload.

Vulnerabilities with a low scanner score, but a high Kenna score

scanner_score:<=3 AND vulnerability_score:>75

Vulnerabilities with a high scanner score, but a low Kenna score

scanner_score:>=4 AND vulnerability_score:<50

Vulnerabilities with a high Kenna score, but a low CVSS score

vulnerability_score:>=80 AND cvss_severity:<=5

Vulnerabilities with a low Kenna score, but a high CVSS score

vulnerability_score:<80 AND cvss_severity:>=5

Searches on Vulnerabilities

Vulnerabilities with Active Internet Breaches

active_internet_breach:true

Vulnerabilities marked easily exploitable

easily_exploitable:true

Vulnerabilities which have changed from one status to another (open, closed, false_positive, risk_accepted) in the last 36 hours

status_changed_at:>now-36h

Vulnerabilities closed in the past 7 days

closed_at:>now-7d

Vulnerabilities which have not been closed by their due date

not_closed_by_due_date:true

Vulnerabilities by due date (field queries use a colon, not an equals sign)

due_date:2018-08-01

Overdue vulnerabilities as of now

due_date:<now

OR

not_closed_by_due_date:true

Vulnerabilities past a certain due date

due_date:<[ENTER PAST DATE]

Vulnerabilities coming due at a future date

due_date:>[ENTER TODAY'S DATE OR FUTURE DATE]

Vulnerabilities by due date range

due_date:[2019-01-01 TO 2019-09-20]

Vulnerabilities due in the next 30 days

due_date:<now+30d AND due_date:>=now

Vulnerabilities with high risk scores

vulnerability_score:>=66

Vulnerabilities with medium risk scores

vulnerability_score:>33 AND vulnerability_score:<=66

Vulnerabilities with low risk scores

vulnerability_score:<=33
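The score comparisons in the Kenna Research section and the relative-date searches above (due_date:<now, closed_at:>now-7d, now+30d, inclusive and exclusive ranges) all share one evaluation model: a field compared against a literal that is either a number, a YYYY-MM-DD date, or now plus or minus an offset. The following is an added example, not code from this article or from the Kenna product: a Python evaluator that applies such AND-joined queries to a handful of constructed vulnerability records, so the meaning of >now-7d (within the last 7 days) versus <now-7d (older than 7 days) can be checked offline. The record contents, the fixed value of NOW, and the function names parse_value, match_clause and search are this example's own assumptions; months are approximated as 30 days.

```python
import re
from datetime import datetime, timedelta

# Fixed "now" so the example is reproducible; the real search engine uses the current time.
NOW = datetime(2019, 9, 1)

# Constructed sample records using the field names from this article (not real data).
SAMPLE = [
    {"id": "v1", "scanner_score": 2, "vulnerability_score": 82, "cvss_severity": 4.3,
     "due_date": NOW - timedelta(days=3), "closed_at": None},
    {"id": "v2", "scanner_score": 5, "vulnerability_score": 40, "cvss_severity": 9.8,
     "due_date": NOW + timedelta(days=10), "closed_at": NOW - timedelta(days=2)},
    {"id": "v3", "scanner_score": 4, "vulnerability_score": 90, "cvss_severity": 3.1,
     "due_date": NOW + timedelta(days=45), "closed_at": NOW - timedelta(days=20)},
]

_RELATIVE = re.compile(r"^now(?:([+-])(\d+)([dhmy]))?$")
# Unit letters from the tips above, expressed in days; m is month (30-day approximation).
_UNIT_DAYS = {"d": 1, "h": 1 / 24, "m": 30, "y": 365}


def parse_value(text):
    """Turn a query literal into a datetime (now, now-7d, now+30d, YYYY-MM-DD) or a float."""
    m = _RELATIVE.match(text)
    if m:
        if m.group(1) is None:
            return NOW
        delta = timedelta(days=int(m.group(2)) * _UNIT_DAYS[m.group(3)])
        return NOW + delta if m.group(1) == "+" else NOW - delta
    try:
        return float(text)
    except ValueError:
        return datetime.strptime(text, "%Y-%m-%d")


# -field:<op>value  or  -field:[low TO high] / {low TO high}
_CLAUSE = re.compile(r"^(-?)(\w+):(?:(<=|>=|<|>)(\S+)|([\[{])(\S+) TO (\S+)([\]}]))$")


def match_clause(record, clause):
    """Evaluate one field clause against one record."""
    m = _CLAUSE.match(clause.strip())
    if not m:
        raise ValueError(f"unsupported clause: {clause!r}")
    negate, field, op, value, lbr, low, high, rbr = m.groups()
    actual = record.get(field)
    if actual is None:
        result = False          # a missing attribute never satisfies a comparison ...
    elif op:
        wanted = parse_value(value)
        result = {"<": actual < wanted, "<=": actual <= wanted,
                  ">": actual > wanted, ">=": actual >= wanted}[op]
    else:
        low_v, high_v = parse_value(low), parse_value(high)
        low_ok = actual > low_v if lbr == "{" else actual >= low_v     # {} excludes the endpoint
        high_ok = actual < high_v if rbr == "}" else actual <= high_v  # [] includes it
        result = low_ok and high_ok
    return (not result) if negate else result   # ... but a negated clause does match it


def search(records, query):
    """Return the ids of records matching an AND-joined query, the shape used in this article."""
    clauses = query.split(" AND ")
    return [r["id"] for r in records if all(match_clause(r, c) for c in clauses)]


if __name__ == "__main__":
    for q in ("scanner_score:<=3 AND vulnerability_score:>75", "due_date:<now",
              "closed_at:>now-7d", "closed_at:<now-7d", "due_date:<now+30d AND due_date:>=now"):
        print(f"{q:48} -> {search(SAMPLE, q)}")
```

Note that a record with no closed_at value fails closed_at:>now-7d but passes -closed_at:>now-7d, which is why the article pairs some searches with the closed or inactive filter checkbox rather than relying on negation alone.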

Searches on Assets

Assets seen within the last 15 days

asset_last_seen:>now-15d

Assets NOT seen within the last 21 days

-asset_last_seen:>now-21d

Assets with low risk scores in the green

asset_score:<=330

Assets with medium risk scores in the yellow

asset_score:>330 AND asset_score:<=660

Assets with high risk scores in the red

asset_score:>660

Assets with high risk scores between 849 and 1000 (an exclusive range, so 850 through 999)

asset_score:{849 TO 1000}

Identify printers

os:("*printer*" OR "JetDirect" OR "Laserjet")

High priority assets

priority:>7

Assets with "Internal" RFC1918 IP addresses

ip:([10.0.0.0 TO 10.255.255.255] OR [172.16.0.0 TO 172.31.255.255] OR [192.168.0.0 TO 192.168.255.255])

Assets with externally-routable IP addresses

-ip:([10.0.0.0 TO 10.255.255.255] OR [172.16.0.0 TO 172.31.255.255] OR [192.168.0.0 TO 192.168.255.255]) AND _exists_:ip

Search for multiple distinct IP addresses

ip:(10.0.0.1 OR 10.0.9.12 OR 10.0.23.6)

Windows Server 2016 OS

os:"Microsoft Windows Server 2016*"

Assets that haven't been seen in the last 30 days (negated, as in the 21-day search above)

-asset_last_seen:>now-30d

Assets that became inactive in the last 30 days. (Assuming a 30 day or less inactivity limit.)

Change the time frame to match up with your asset inactivity limit.

*must select the inactive asset filter first

asset_last_seen:>now-30d

It can also be done like this:

asset_last_seen:<now-15d AND asset_last_seen:>now-30d
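The subnet tip in General Tips (square-bracketed ranges joined by OR, wrapped in parentheses, with a trailing -ip: group for exclusions) and the RFC1918 asset searches above are both mechanical to generate from CIDR notation. The following is an added example, not code from this article or from Kenna: a Python helper that turns CIDR blocks or explicit first-last ranges into the ip:([a TO b] OR ...) form and appends the exclusion clause, validating every address with the standard ipaddress module so a typo raises before the query is pasted. The function names build_ip_query, range_clause and rfc1918_query and the sample networks are this example's own.

```python
import ipaddress


def range_clause(network):
    """Convert a CIDR block into the inclusive [first TO last] range form used in this article."""
    net = ipaddress.ip_network(network, strict=False)   # strict=False tolerates host bits set
    return f"[{net[0]} TO {net[-1]}]"


def build_ip_query(include, exclude=()):
    """Build ip:([a TO b] OR ...) AND -ip:(x OR y).

    include: CIDR blocks ("10.33.254.0/24") or explicit ranges ("10.33.254.1-10.33.254.255")
    exclude: individual addresses to drop with a negated group
    Every address is validated; a malformed one raises ValueError."""
    parts = []
    for item in include:
        if "-" in item:
            low, high = item.split("-", 1)
            ipaddress.ip_address(low)
            ipaddress.ip_address(high)
            parts.append(f"[{low} TO {high}]")
        else:
            parts.append(range_clause(item))
    query = f"ip:({' OR '.join(parts)})"
    if exclude:
        for ip in exclude:
            ipaddress.ip_address(ip)
        query += f" AND -ip:({' OR '.join(exclude)})"
    return query


# The three RFC1918 private blocks.
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def rfc1918_query(internal=True):
    """Internal-address search, or its negation plus _exists_:ip for externally-routable assets."""
    query = build_ip_query(RFC1918)
    return query if internal else f"-{query} AND _exists_:ip"


if __name__ == "__main__":
    # Constructed sample subnets and exclusions, not a real environment.
    print(build_ip_query(["10.33.254.0/24", "10.51.7.1-10.51.7.255"], ["10.33.254.7"]))
    print(rfc1918_query())
    print(rfc1918_query(internal=False))
```

A CIDR block expands to its network and broadcast addresses (.0 and .255 for a /24), whereas the hand-written example in General Tips starts each range at .1; pass an explicit first-last range when that distinction matters.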

Searches on Fix Category 

Vulnerabilities with a particular fix category
*Based on Qualys fix category
fix_category:Hardware
fix_category:"CGI"
fix_category:"DNS and BIND"
fix_category:"Database"
fix_category:"Firewall"
fix_category:"General remote services"
fix_category:"Information gathering"
fix_category:"Internet Explorer"
fix_category:"Office Application"
fix_category:"RPC"
fix_category:"Security Policy"
fix_category:"SMB / NETBIOS"
fix_category:"SNMP"
fix_category:"TCP/IP"
fix_category:"Web server"
fix_category:"Windows" 

Vulnerabilities by fix title keyword "Java"; this search is case insensitive and does not need any wildcards.

For case sensitive, use quotes.

fix_title:Java

Vulnerabilities with an MS patch issued in 2000 and after

fix_title:"*MS20??-*"
Vulnerabilities closed within the last 16 days 

*must select the closed vulnerability filter checkbox first

closed_at:>now-16d

Vulnerabilities closed between two dates

*must select the closed vulnerability filter checkbox first

closed_at:>2019-02-01 AND closed_at:<=2019-02-25

Complex Search Queries

Complex searches that cross Asset and Vulnerability terms with OR condition statements are not supported in the UI search box. If you are having issues building the search you want, contact Support for assistance. Some queries can be implemented on the back end to support more complex queries.

Windows fixes for easily exploitable active internet breaches

fix_category:"Windows" AND active_internet_breach:true AND easily_exploitable:true

Vulnerability scores above 60 for Windows workstations which have been seen in the last 7 days

asset_last_seen:>now-7d AND os:"Windows" AND vulnerability_score:>60

Assets tagged "Corporate External Network" that do not have an OS string starting with Windows

tag:"Corporate External Network" AND -os:"Windows*"

Database servers with asset priority of 8 or above

tag:"Database servers" AND priority:>=8

Java on Desktops

os:("Windows 10*" OR "Windows 7*" OR "*Windows 8*" OR "Windows CE*" OR "Windows XP*" OR "*FreeBSD*" OR "*MacOS*") AND fix_title:"*Java*"

Java on Windows Servers

fix_title:"*Java*" AND os:("Windows Server" OR "Windows Web Server 2008" OR "Windows 2000*" OR "Windows 2003*" OR "Windows 2008*" OR "Windows 2012*" OR "Windows 2016*" OR "Windows Embedded*")

IP address range AND wildcard hostname example

ip:[10.0.0.0 TO 10.255.255.255] AND hostname:("xv*" "zk*")

Searching on Microsoft Patches for Critical Vulnerabilities

fix_title:"MS??-*" AND vulnerability_score:>90

High scored vulnerabilities found in the last week

vulnerability_score:>66 AND vulnerability_found:>now-7d

High scored vulnerabilities with fixes published in the last 30 days

vulnerability_score:>66 AND fix_published:>now-30d

Medium risk Java vulnerabilities

vulnerability_score:<67 AND vulnerability_score:>33 AND cve_description:"java"

Open vulnerabilities for CVE-2010-0842 that are past due

due_date:<now AND cve:2010-0842

Risks that were marked accepted more than 30 days ago

due_date:<now-30d AND status:"risk accepted"
