Advanced Search Queries
This article reviews how to use the search grammar in the search fields in order to find assets, vulnerabilities, or activity log events.
Search Grammar ⫘
Secureworks® Taegis™ VDR allows you to pass custom search queries to refine current view results using the following operators. Query examples for each context are provided.
Minus Sign ⫘
Use the minus sign in order to find items that exclude a particular word or words.
The minus sign can prefix any query.
For instance, if you want to include "example" but exclude ".net", use the following query:
example -.net
Double Quotes ⫘
Use double quotes in order to find items that contain an exact word or phrase.
Quotes may be used to match items with multiple words.
"example.com"
"some phrases to match"
Custom Query Structure ⫘
Filter items with the custom query with the following syntax: <OPERATOR>:<OPERAND>
Operator can be anything valid for the current context.
Operand contains the word or words to search for.
For instance, you can find all the servers that have the 22/tcp port open but not matching a specific tag:
port:22/tcp -tag:"My Tag"
Comparators ⫘
Use query operator with the following structure <OPERATOR>:<OPERAND><COMPARATOR><VALUE>
Supported operators are: =, >, <, >= and <=.
A comparator must follow an operator value.
Value may be a word or words with quotes.
For instance, you can look for specific software versions using comparators:
software:nginx>1.0
software:"Microsoft Windows"<10
software:ssh="2.0-OpenSSH_7.2p2"
Logical Operators ⫘
Use logical operators while doing a search such as AND, OR, NOT with or without the combination of parentheses.
For instance, you can look for any banner that mentions "ssh" for machines of two specific OSes:
(os:Ubuntu OR os:windows) AND banner:ssh
Or combine these operators to look for new vulnerabilities excluding certain network segments:
is:new AND NOT (192.168.10.0/24 OR 192.168.20.0/24)
Search Operators in Their Specific View Context ⫘
Some search queries only apply to a specific view in VDR. The following are examples of the supported search queries in their context.
Each of the following query examples can be combined to refine your results.
Find Servers running nginx greater than 1.0 with the "production" tag and using the Edge Service named Office:
software:nginx>1.0 tag:production edge:Office
Find Vulnerabilities related to a specific CVE number but excluding a certain IP range:
CVE-2017-1020 -192.168.0.0/24
Find Vulnerabilities related to a specific CVE number but excluding a certain OS name:
cve:CVE-2017-7679 -os:"Debian Linux 8.0"
Find Servers with port 4422 open, that run a specific OpenSSH version, with the "PROD" tag and not running nginx later than 1.11:
port:4422/tcp=open software:ssh="2.0-OpenSSH_7.4p1" tag:PROD -software:nginx>1.11
Find Websites with an IP ending in 240 that run OpenSSL later than 1.0.1:
ip:*.*.*.240 software:OpenSSL>=1.0.1
Vulnerabilities ⫘
| Query | Output |
|---|---|
| wordpress | Vulnerabilities containing the wordpress token |
| -XSS | Vulnerabilities not containing XSS |
| score:10.00 (alternatively cps:) | Vulnerabilities greater OR equal to a certain Contextual Prioritization Score (>=) |
| -score:8 (alternatively -cps:) | Vulnerabilities lower than a certain Contextual Prioritization Score (<) |
| cvss:10.0 | Vulnerabilities greater OR equal to a certain CVSS Score (>=) |
| -cvss:8 | Vulnerabilities lower than a certain CVSS Score (<) |
| cve:CVE-2017-1020 | Vulnerabilities associated to a CVE number |
| -CVE-2017-1020 | Vulnerabilities not associated to a CVE number |
| os:"Debian Linux 8.0" | Vulnerabilities affecting assets with "Debian Linux 8.0" as OS name |
| tag:production | Vulnerabilities tagged "production" |
| edge:"Office" | Vulnerabilities related to the Edge Service "Office" |
| cip:192.*.10.* | Vulnerabilities affecting assets with IP parts p1= 192 and p3 = 10 |
| 192.168.0.0/24 | Vulnerabilities related to a range |
| 192.168.10.127 | Vulnerabilities related to a server |
| example.com | Vulnerabilities related to a website |
| firstdiscovery:date>2020-01-02 | Vulnerabilities discovered after specific date |
| firstdiscovery:date>2020-01firstdiscovery:date<2020-02 | Vulnerabilities discovered for January 2020 |
Websites ⫘
| Query | Output |
|---|---|
| example.com | Websites containing example.com |
| tag:production | Websites tagged "production" |
| -scheme:https | Websites for which NO HTTPS version is available (HTTP only) |
| edge:Office | Websites related to the Edge Service named "Office" |
| 192.168.10.0/24 | Websites related to the 192.168.10.0/24 IP network |
| software:wordpress<4.8 | Websites with detected "wordpress" software version lower then 4.8 |
| has:loginform | Websites for which VDR has detected a login form in a page |
| has:lastscanfailed | Websites for which the last scan could not complete successfully (might be temporary) |
| cve:CVE-2017-1020 | Websites affected by a CVE number |
| -CVE-2017-1020 | Websites not affected by a CVE number |
| ip:192.*.10.* | Websites for which the last known hosting IP had IP parts p1= 192 and p3 = 10 |
| lastfailure:offline | Websites for which the last failure reason included the word "offline"; last failure reason identified in the scan log by a big red dot |
| score:10.00 (alternatively cps:) | Websites with at least one vulnerability greater OR equal to a certain Contextual Prioritization Score (>=) |
| -score:8 (alternatively -cps:) | Websites with NO vulnerabilities higher than a certain Contextual Prioritization Score (<) |
| cvss:10.0 | Websites with at least one vulnerability greater OR equal to a certain CVSS Score (>=) |
| -cvss:8 | Websites with NO vulnerabilities higher than a certain CVSS Score (<) |
Servers ⫘
| Query | Output |
|---|---|
| 192.168.1.1 | Servers that match the 192.168.1.1 IP address |
| -192.168.1.0/24 | Servers not related to 192.168.10.0/24 IP network |
| tag:production | Servers tagged "production" |
| edge:Office | Servers related to the Edge Service named "Office" |
| cve:CVE-2017-1020 | Servers affected by that CVE number |
| -CVE-2017-1020 | Servers not affected by that CVE number |
| software:nginx | Servers with detected "nginx" software |
| software:ssh="2.0-OpenSSH_7.2p2" | Servers with detected "ssh" software with version "2.0-OpenSSH_7.2p2" |
| port:22=open | Servers with detected port 22 open |
| port:22/tcp=filtered | Servers with detected port 22 open with protocol tcp and state is filtered |
| ip:192.*.10.* | Servers with IP parts p1 = 192 and p3 = 10 |
| service:ssh | Servers that have a port exposing a confirmed SSH service |
| banner:"7.2p2" | Servers with a banner containing the 7.2p2 string |
| has:lastscanfailed | Servers for which the last scan could not complete successfully (might be temporary) |
| lastfailure:offline | Servers for which the last failure reason included the word "offline"; last failure reason identified in the scan log by a big red dot |
| score:10.00 (alternatively cps:) | Servers with at least one vulnerability greater OR equal to a certain Contextual Prioritization Score (>=) |
| -score:8 (alternatively -cps:) | Servers with NO vulnerabilities higher than a certain Contextual Prioritization Score (<) |
| cvss:10.0 | Servers with at least one vulnerability greater OR equal to a certain CVSS Score (>=) |
| -cvss:8 | Servers with NO vulnerabilities higher than a certain CVSS Score (<) |
Auto Discovery ⫘
The query will be applied for each asset type: ranges, servers, and websites. Some operators may be ignored if they are not supported for the specific asset type.
| Query | Output |
|---|---|
| www | Assets containing "www" term |
| cve:CVE-2017-1020 | Servers and websites affected by that CVE number |
| edge:Office | Assets related to the Edge Service named "Office" |
| tag:production | Assets tagged "Production" |
| software:nginx | Assets with detected "nginx" software |
| 192.168.1.0/24 | Assets related to 192.168.10.0/24 IP network |
| ip:192.*.10.* | All assets with ip parts p1= 192 and p3 = 10 |
Schedule ⫘
| Query | Output |
|---|---|
| www | Schedule entries containing "www" term |
| 192.168.1.0/24 | Schedule entries related to 192.168.10.0/24 IP network |
| cve:CVE-2017-1020 | Schedule entries related to the cve number |
| tag:production | Schedule entries related to the "production" tag |
| edge:Office | Schedule entries related to the Edge Service named "Office" |
| ip:192.*.10.* | Schedule entries related to assets with ip parts p1= 192 and p3 = 10 |
Activity Log ⫘
| Query | Output |
|---|---|
| user@example.com | Log entries containing the term "user@example.com" in the message, type, first name, last name and email fields |
| 192.168.1.0/24 | Log entries related to 192.168.10.0/24 IP network |
| cve:CVE-2017-1020 | Log entries related to the cve number |
| edge:Office | Log entries related to the Edge Service named "Office" |
| tag:production | Log entries related to the "production" tag |
| ip:192.*.10.* | Log entries related to assets with ip parts p1= 192 and p3 = 10 |
| user:user@example.com | any logs related to user@example.com user |
| user:john | any logs related to user that has John as first or last name |