Articles in this section

See more

Unified VRM Instant Search

Support
  • Updated
Follow

Available January 21, 2020

InstantSearch, powered by ElasticSearch, provides Unified VRM users with expanded search capabilities and faster results when accessing their vulnerability data. The types of searches and search language rules below allow for more targeted searches to return results fast, even as vulnerability data scales. 

 

Types of Searches:

There are two ways to easily search using InstantSearch:

  • Key:value
    • Key:value search must contain a valid key (e.g. asset-group, vuln-name, os) with a paired value that belongs to the key. Examples are:
      • asset-group:DMZ
      • asset-grade:A
      • vuln-name:Oracle
      • age<45
    • **A list of accepted key:value searches can be found in the Search Terms chart below.
  • Keyword search
    • Keyword search will search across relevant fields and filter out any results that do not contain the keyword. Keyword search can only be used to search across the following attributes:
      • asset ip address
      • asset group name
      • asset os
      • asset hostname
      • asset service
      • vuln name
      • cve

 

Search Language Rules:

Following the search language rules will prevent incorrect or undesirable search results when querying the vulnerability data. If an invalid key or value is searched for, suggestions for the correct query will be provided. 

  • Use quotes for “Multiple Words” 
    • Space in between text acts as a separator and begins a new search term. Do not add spaces in between values, strings, field names, etc., as this may return undesirable results. 
      • Correct search example:   asset-group:”New York”  would return all asset groups with “New York” in the name.
      • Incorrect search example:  asset-group:New York  would only return asset groups with “New” in the name, and would include results from a separate keyword search for “York”.
  • All search terms and values are case insensitive.
    • Example: asset-group-name:”New York”  and   Asset-Group-Name:”new york”  would return the same results
  • All queries will return results that contain a partial match unless the query is specified as an exact match using the “:=” operator.
    • Contains example: asset-group-name:”New York” will return all asset groups containing New York in any part of the name. I.e. asset-group-name:”New York” would return the “New York Desktops”, “New York Servers”, and “New York Windows” asset groups.
      • Exact match example: asset-group-name:=”New York”  will only return the “New York” asset group (if it exists).
  • All key:value (filter) searches are combined using AND logic. 
    • For example: vulnerability-grade:critical   age<45  will return all vulnerabilities with a critical grade AND that are less than 45 days old.
    • NOTE: users will not be able to enter their own logical operators.
      • Incorrect search example: age<90  OR  age>45  
      • Incorrect search example: vulnerability-grade:critical  AND  age<45
    • **Accepted operators listed below.
  • Operators: 
    • :  contains
    • :=  exact match
    • >, >=  greater than 
    • <, <= less than
    • <> ranges with multiple values (e.g. age>30 age<60


Search Terms Table

The Search Terms Table below provides the accepted keys used for asset and vulnerability filtering.  

 

Keys

Description

Value

Example

Asset Keys

asset-grade

Asset risk grade

A,B,C,D

asset-grade:A

asset-grade:C,D

asset-group

Asset group name

exact or partial string

asset-group:DMZ

asset-group:"New York"

asset-group-grade

Asset group risk grade

A,B,C,D

asset-group-grade:A

asset-group-grade:C,D

asset-uid

NopSec unique asset id

valid NopSec UID

asset-uid:144214

asset-value

Asset criticality

Integer: 1-5

asset-value:1 asset-value<3

hostname

Asset host name

exact or partial string

host-name:nopsec.com

host-name:=usgasis4.phx.nopsec.net

ip

IP address or CIDR

valid IP or CIDR

ip:=10.10.10.1 ip:10.10.10.0/24

os

Asset operating system

string

os:Oracle

os:="Windows XP"

Vulnerability Keys

age

Days since vuln was first detected

Integer: 0-N

age:45 age<45 age<=45 age>60

cve

CVE associated with vuln

exact or partial CVE number

cve:CVE-2019-9957

cvss

CVSS score

Number: 0.0-10.0

cvss>7.0

date-detected

First date of detection

mm/dd/yy

date-detected>06/01/19

date-detected<01/01/20

date-reopened

Date vuln was reopened

mm/dd/yy

date-reopened:06/01/19

false-positive

Vuln is marked as false positive

true | false

false-positive:true

last-date-detected

Most recent date of detection

mm/dd/yy

last-date-detected>01/01/20

vuln-name

Vuln title

exact or partial string

vuln-name:"Red Hat"

vuln-name:Oracle

port

Port associated with vuln

port number

port:8080

plugin-id

Scanner unique id

valid scanner id

plugin-id:300011

plugin-id:suse-cve-2019-3690

risk-accepted

Vuln is risk accepted

true | false

risk-accepted:true

status

Status of vuln

open | closed

status:open

threat

Vuln is associated with a known threat

true | false

threat:true

ticketed

Whether or not a service ticket has been created for this vuln

true | false

ticketed:true

vuln-instance-grade

Vuln instance risk grade

A,B,C,D

vuln-instance-grade:A or vuln-instance-grade:C,D

vulnerability-grade

Vulnerability risk grade

critical, high, medium, low

vulnerability-grade:critical vulnerability-grade:low,medium

vuln-uid

NopSec unique vuln id

valid NopSec UID

vuln-uid:4568,5321

 

Contact info:

For any questions about how to search or filter using InstantSearch, reach out to your NopSec technical account manager or email support@nopsec.com.

Related articles

Comments

0 comments

Please sign in to leave a comment.