Available January 21, 2020
InstantSearch, powered by ElasticSearch, provides Unified VRM users with expanded search capabilities and faster results when accessing their vulnerability data. The types of searches and search language rules below allow for more targeted searches to return results fast, even as vulnerability data scales.
The video below shows how to search for vulnerabilities in Unified VRM that NopSec's machine learning algorithm has prioritized as critical.
Types of Searches:
There are two ways to easily search using InstantSearch:
- Key:value:
- Key:value search must contain a valid key (e.g. asset-group, vuln-name, os) with a paired value that belongs to the key. Examples are:
- asset-group:DMZ
- asset-grade:A
- vuln-name:Oracle
- age<45
- A list of accepted key:value searches can be found in the Search Terms table below.
- Keyword search:
- Keyword search will search across relevant fields and filter out any results that do not contain the keyword. Keyword search can only be used to search across the following attributes:
- asset ip address
- asset group name
- asset os
- asset hostname
- asset service
- vuln name
- cve
Search Language Rules:
Following the search language rules will prevent incorrect or undesirable search results when querying the vulnerability data. If an invalid key or value is searched for, suggestions for the correct query will be provided.
- Use quotes for "Multiple Words".
- A space between terms acts as a separator and begins a new search term. Do not add spaces inside values, strings, field names, etc., as this may return undesirable results.
- Correct search example: asset-group:"New York" would return all asset groups with "New York" in the name.
- Incorrect search example: asset-group:New York would only return asset groups with "New" in the name, and would include results from a separate keyword search for "York".
- All search terms and values are case insensitive.
- Example: asset-group-name:"New York" and Asset-Group-Name:"new york" would return the same results.
- All queries return results that contain a partial match unless the query is specified as an exact match using the ":=" operator.
- Contains example: asset-group-name:"New York" will return all asset groups containing New York in any part of the name. For example, asset-group-name:"New York" would return the "New York Desktops", "New York Servers", and "New York Windows" asset groups.
- Exact match example: asset-group-name:="New York" will only return the "New York" asset group (if it exists).
- All key:value (filter) searches are combined using AND logic.
- For example: vulnerability-grade:critical age<45 will return all vulnerabilities with a critical grade AND that are less than 45 days old.
- NOTE: users will not be able to enter their own logical operators.
- Incorrect search example: age<90 OR age>45
- Incorrect search example: vulnerability-grade:critical AND age<45
- Accepted operators are listed below.
- Operators:
- : contains
- := exact match
- >, >= greater than
- <, <= less than
- <> ranges with multiple values (e.g. age>30 age<60)
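To make the rules above concrete, here is a small parser and evaluator for the InstantSearch syntax. It is an added example written for this page, not NopSec's implementation, and it assumes a few things: records are plain dictionaries whose field names mirror the keys in the Search Terms table (plus a hypothetical "service" field for the keyword search), a comma-separated value such as asset-grade:C,D matches any one of the listed values, and a CIDR value for the ip key is a membership test. It tokenises terms (quoted values, the ":", ":=", ">", ">=", "<", "<=" operators, bare keywords), rejects a hand-typed AND/OR, suggests the closest key on a typo, and combines all terms with AND. The sample vulnerability records are constructed.

```python
import ipaddress
import re
from datetime import datetime
from difflib import get_close_matches

# Accepted filter keys and how their values compare (taken from the Search Terms table).
# "str": contains (:) or exact (:=) match; "num": numeric; "date": mm/dd/yy;
# "flag": boolean or enumerated value, compared whole and case-insensitively.
KEY_TYPES = {
    "asset-grade": "flag", "asset-group": "str", "asset-group-grade": "flag",
    "asset-group-uid": "num", "asset-uid": "num", "asset-value": "num",
    "hostname": "str", "ip": "str", "os": "str", "age": "num", "cve": "str",
    "cvss": "num", "cvssv3": "num", "date-detected": "date", "date-remediated": "date",
    "date-reopened": "date", "false-positive": "flag", "fixed": "flag",
    "is-duplicated": "flag", "last-date-detected": "date", "vuln-name": "str",
    "port": "num", "plugin-id": "str", "plugin-uid": "str", "risk-accepted": "flag",
    "status": "flag", "threat": "flag", "ticket-number": "str", "ticketed": "flag",
    "vuln-instance-grade": "flag", "vulnerability-grade": "flag", "vuln-uid": "num",
}
# Fields a bare keyword is matched against (the keyword-search attribute list);
# "service" is a hypothetical record field name for the asset service.
KEYWORD_FIELDS = ("ip", "asset-group", "os", "hostname", "service", "vuln-name", "cve")

# One term = optional key+operator, then a quoted or whitespace-free value.
# Two-character operators come first so ":=", ">=", "<=" win over ":", ">", "<".
TERM_RE = re.compile(r'(?:(?P<key>[A-Za-z][\w-]*)(?P<op>:=|>=|<=|:|>|<))?(?P<value>"[^"]*"|\S+)')

# Constructed sample records (not real scan output); field names mirror the table keys.
SAMPLE_VULNS = [
    {"vuln-uid": 4568, "vuln-name": "Oracle Java SE Multiple Vulnerabilities",
     "cve": "CVE-2019-9957", "asset-group": "New York Servers", "hostname": "ny-app01",
     "ip": "10.10.10.5", "os": "Windows Server 2016", "service": "http", "age": 30,
     "cvss": 9.3, "vulnerability-grade": "critical", "fixed": False, "date-detected": "12/20/19"},
    {"vuln-uid": 5321, "vuln-name": "Red Hat OpenSSL Update", "cve": "CVE-2019-3690",
     "asset-group": "New York", "hostname": "ny-web02", "ip": "10.10.10.7",
     "os": "Red Hat Enterprise Linux 7", "service": "https", "age": 75, "cvss": 5.0,
     "vulnerability-grade": "medium", "fixed": False, "date-detected": "11/05/19"},
    {"vuln-uid": 6102, "vuln-name": "Oracle Database Patch Missing", "cve": "CVE-2019-9957",
     "asset-group": "DMZ", "hostname": "dmz-db01", "ip": "192.0.2.10", "os": "Oracle Linux 7",
     "service": "oracle", "age": 10, "cvss": 7.5, "vulnerability-grade": "critical",
     "fixed": True, "date-detected": "01/10/20"},
]


def parse_query(query):
    """Split a query into (key, op, value) filter terms and lower-cased keyword terms."""
    filters, keywords = [], []
    for m in TERM_RE.finditer(query):
        key, op, value = m.group("key"), m.group("op"), m.group("value").strip('"')
        if key is None:
            if value.upper() in ("AND", "OR"):   # the syntax ANDs terms implicitly
                raise ValueError(f"logical operator {value!r} is not accepted")
            keywords.append(value.lower())
            continue
        key = key.lower()                        # keys are case insensitive
        if key not in KEY_TYPES:
            hint = get_close_matches(key, KEY_TYPES, n=1)
            raise ValueError(f"unknown key {key!r}" + (f", did you mean {hint[0]!r}?" if hint else ""))
        filters.append((key, op, value))
    return filters, keywords


def _coerce(kind, raw):
    """Convert a raw value (from the query or a record) to its comparable form."""
    if kind == "num":
        return float(raw)
    if kind == "date":
        return datetime.strptime(raw, "%m/%d/%y").date()
    return str(raw).lower()                      # values are case insensitive


def term_matches(record, key, op, value):
    """Evaluate one key:value term against one record."""
    actual = record.get(key)
    if actual is None:
        return False
    if key == "ip" and "/" in value:             # CIDR form: membership, not substring
        return ipaddress.ip_address(actual) in ipaddress.ip_network(value, strict=False)
    kind = KEY_TYPES[key]
    actual = _coerce(kind, actual)
    if op in (":", ":="):
        # Assumption: a comma-separated list (asset-grade:C,D) matches any listed value.
        wanted = [_coerce(kind, v) for v in value.split(",")]
        if op == ":" and kind == "str":
            return any(w in actual for w in wanted)   # "contains"
        return actual in wanted                        # exact match
    wanted = _coerce(kind, value)
    return {">": actual > wanted, ">=": actual >= wanted,
            "<": actual < wanted, "<=": actual <= wanted}[op]


def search(records, query):
    """Return the records matching every filter term AND every keyword."""
    filters, keywords = parse_query(query)
    hits = []
    for rec in records:
        if not all(term_matches(rec, k, op, v) for k, op, v in filters):
            continue
        haystack = " ".join(str(rec.get(f, "")) for f in KEYWORD_FIELDS).lower()
        if all(kw in haystack for kw in keywords):
            hits.append(rec)
    return hits
```

Running search(SAMPLE_VULNS, 'vulnerability-grade:critical age<45') returns the two critical records under 45 days old, while search(SAMPLE_VULNS, 'asset-group:="New York"') returns only the record whose group is exactly "New York". Parsing the incorrect example asset-group:New York shows why the quotes matter: it yields one filter term (asset-group contains "New") and a separate keyword term "york".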
Search Terms Table
The Search Terms Table below provides the accepted keys used for asset and vulnerability filtering.
| Keys | Description | Value | Example |
|---|---|---|---|
| Asset Keys | | | |
| asset-grade | Asset risk grade | A, B, C, D | asset-grade:A; asset-grade:C,D |
| asset-group | Asset group name | exact or partial string | asset-group:DMZ; asset-group:"New York" |
| asset-group-grade | Asset group risk grade | A, B, C, D | asset-group-grade:A; asset-group-grade:C,D |
| asset-group-uid | NopSec unique asset group id | valid NopSec group UID | asset-group-uid:574 |
| asset-uid | NopSec unique asset id | valid NopSec UID | asset-uid:144214 |
| asset-value | Asset criticality | Integer: 1-5 | asset-value:1; asset-value<3 |
| hostname | Asset host name | exact or partial string | hostname:nopsec.com; hostname:=usgasis4.phx.nopsec.net |
| ip | IP address or CIDR | valid IP or CIDR | ip:=10.10.10.1; ip:10.10.10.0/24 |
| os | Asset operating system | string | os:Oracle; os:="Windows XP" |
| Vulnerability Keys | | | |
| age | Days since vuln was first detected | Integer: 0-N | age:45; age<45; age<=45; age>60 |
| cve | CVE associated with vuln | exact or partial CVE number | cve:CVE-2019-9957 |
| cvss | CVSS score | Number: 0.0-10.0 | cvss>7.0 |
| cvssv3 | CVSSv3 score | Number: 0.0-10.0 | cvssv3>7.0 |
| date-detected | First date of detection | mm/dd/yy | date-detected>06/01/19; date-detected<01/01/20 |
| date-remediated | Date vuln was remediated | mm/dd/yy | date-remediated>06/01/19; date-remediated<01/01/20 |
| date-reopened | Date vuln was reopened | mm/dd/yy | date-reopened:06/01/19 |
| false-positive | Vuln is marked as false positive | true, false | false-positive:true |
| fixed | Vuln is marked as fixed | true, false | fixed:true |
| is-duplicated | Vuln is marked as duplicated by NopSec | true, false | is-duplicated:true |
| last-date-detected | Most recent date of detection | mm/dd/yy | last-date-detected>01/01/20 |
| vuln-name | Vulnerability title | exact or partial string | vuln-name:"Red Hat"; vuln-name:Oracle; vuln-name:"adobe" |
| port | Port associated with vuln | port number | port:8080 |
| plugin-id | Scanner unique id | valid scanner id | plugin-id:300011; plugin-id:suse-cve-2019-3690 |
| plugin-uid | NopSec scanner plugin uid | valid scanner uid | plugin-uid:300011 |
| risk-accepted | Vuln is risk accepted | true, false | risk-accepted:true |
| status | Status of vuln | open, closed | status:open |
| threat | Vuln is associated with a known threat | true, false | threat:true |
| ticket-number | ITSM ticket number | valid ticket number | ticket-number:TASK0011414 |
| ticketed | Whether or not a service ticket has been created for this vuln | true, false | ticketed:true |
| vuln-instance-grade | Vuln instance risk grade | A, B, C, D | vuln-instance-grade:A; vuln-instance-grade:C,D |
| vulnerability-grade | Vulnerability risk grade | critical, high, medium, low | vulnerability-grade:critical; vulnerability-grade:low,medium |
| vuln-uid | NopSec unique vuln id | valid NopSec UID | vuln-uid:4568,5321 |
Contact info:
For any questions about how to search or filter using InstantSearch, reach out to your NopSec technical account manager or email support@nopsec.com.