---
title: "Query examples"
---

Terms and operators can be combined in endless ways to build effective queries. The example queries below can be used as-is or adjusted to meet your needs.

## Network configurations and access
* Multihomed assets with public and private IP addresses: 
```plaintext
alive:t AND has_public:t AND has_private:t
```
* Multihomed assets connected only to private networks:
```plaintext
multi_home:t AND has_public:f
```
* Default SSH configuration using passwords for authentication: 
```plaintext
alive:t AND protocol:"ssh" AND ssh.authMethods:"=password"
```
* Microsoft FTP servers:
```plaintext
alive:t AND protocol:"ftp" AND banner:"=%Microsoft FTP%"
```
* Remote access services/protocols:
```plaintext
protocol:rdp OR protocol:vnc OR protocol:teamviewer
```
* Assets with public IPs running remote access services:
```plaintext
has_public:t AND alive:t AND (protocol:rdp OR protocol:vnc OR protocol:teamviewer)
```
* Open ports commonly associated with cleartext or remote access protocols (note that 443, 3389 and 5900 are encrypted services; remove them if only cleartext protocols are of interest):
```plaintext
port:21 OR port:23 OR port:80 OR port:443 OR port:139 OR port:445 OR port:3306 OR port:1433 OR port:161 OR 
port:8080 OR port:3389 OR port:5900
```
* Telnet on nondefault ports:
```plaintext
protocol:telnet AND NOT port:23
```
* Windows assets offering SMB services:
```plaintext
os:windows AND (protocol:smb1 OR protocol:smb2)
```
* Switch assets accepting Username and Password authentication: 
```plaintext
type:switch AND (_asset.protocol:http AND NOT _asset.protocol:tls) AND ( html.inputs:"password:" OR 
last.html.inputs:"password:" OR has:http.head.wwwAuthenticate OR has:last.http.head.wwwAuthenticate )
```
* Assets more than 8 hops away:
```plaintext
attribute:"ip.ttl.hops" AND ip.ttl.hops:>8
```
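
Several queries on this page mix AND and OR without parentheses. The evaluator below is an added example, not runZero's implementation and not part of this page's original content: it models only the subset of the syntax the examples use (field:value terms, `has:`, `:t`/`:f` booleans, `:<N`/`:>N` numeric comparisons, the `=`/`%` exact-match form, AND/OR/NOT, parentheses, and adjacent terms as an implicit AND), assumes the conventional precedence of NOT binding tightest, then AND, then OR, and runs against a handful of constructed inventory records. It shows why a query such as `os:windows AND protocol:smb1 OR protocol:smb2` can return a Linux host while the parenthesized form does not. Whatever precedence the real engine applies, explicit grouping removes the ambiguity.

```python
"""Minimal evaluator for the query syntax used on this page (added example; a small
model of the syntax, not runZero's implementation)."""
import re

# Constructed sample inventory, not real scan data.
ASSETS = [
    {"id": "a1", "os": "Windows Server 2019", "protocol": ["smb2", "rdp"], "has_public": True, "alive": True, "ip.ttl.hops": 3},
    {"id": "a2", "os": "Ubuntu Linux", "protocol": ["ssh", "smb2"], "has_public": False, "alive": True, "ip.ttl.hops": 12},
    {"id": "a3", "os": "Windows 10", "protocol": ["smb1"], "has_public": True, "alive": False},
    {"id": "a4", "os": "Cisco IOS", "type": "switch", "protocol": ["telnet", "http"], "alive": True},
]

# Tokens: "(", ")", AND/OR/NOT (any case), or field:value with a quoted or bare value.
TOKEN_RE = re.compile(r'\s*(?:(\()|(\))|(AND|OR|NOT)\b|([@\w.]+):("[^"]*"|[^\s()]+))', re.I)


def tokenize(query):
    tokens, pos = [], 0
    while query[pos:].strip():
        m = TOKEN_RE.match(query, pos)
        if not m:  # e.g. an unquoted value containing a space, such as os:google android
            raise ValueError(f"cannot tokenize {query[pos:pos + 20]!r}")
        pos = m.end()
        if m.group(4):
            tokens.append(("TERM", (m.group(4), m.group(5).strip('"'))))
        else:
            tokens.append(("LP" if m.group(1) else "RP" if m.group(2) else m.group(3).upper(), None))
    return tokens


def match_term(asset, field, value):
    """One field:value term. has:field tests presence; :t/:f match booleans;
    :<N / :>N compare numerically; a leading = is an exact match with % as a
    wildcard (as in banner:"=%Microsoft FTP%"); anything else is a substring."""
    if field.lower() == "has":
        return value in asset and asset[value] not in (None, "", [])
    actual = asset.get(field)
    if actual is None:
        return False
    values = actual if isinstance(actual, list) else [actual]
    if isinstance(actual, bool) and value in ("t", "f"):
        return actual is (value == "t")
    if value[:1] in "<>" and value[1:].isdigit():
        limit = int(value[1:])
        return any(isinstance(v, (int, float)) and (v < limit if value[0] == "<" else v > limit) for v in values)
    if value.startswith("="):
        pattern = "^" + ".*".join(re.escape(part) for part in value[1:].split("%")) + "$"
        return any(re.match(pattern, str(v), re.I) for v in values)
    return any(value.lower() in str(v).lower() for v in values)


class Parser:
    """Recursive descent. Assumed precedence: NOT binds tightest, then AND, then OR;
    adjacent terms with no operator are treated as an implicit AND (also an assumption)."""
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0
    def peek(self):
        return self.toks[self.i][0] if self.i < len(self.toks) else None
    def take(self):
        if self.peek() is None:
            raise ValueError("unexpected end of query")
        self.i += 1
        return self.toks[self.i - 1]
    def parse_or(self):
        left = self.parse_and()
        while self.peek() == "OR":
            self.take()
            left = ("OR", left, self.parse_and())
        return left
    def parse_and(self):
        left = self.parse_not()
        while self.peek() in ("AND", "TERM", "LP", "NOT"):
            if self.peek() == "AND":
                self.take()
            left = ("AND", left, self.parse_not())
        return left
    def parse_not(self):
        if self.peek() == "NOT":
            self.take()
            return ("NOT", self.parse_not())
        kind, val = self.take()
        if kind == "TERM":
            return ("TERM", val)
        if kind != "LP":
            raise ValueError(f"unexpected {kind}")
        node = self.parse_or()
        if self.take()[0] != "RP":
            raise ValueError("missing ')'")
        return node


def evaluate(node, asset):
    kind = node[0]
    if kind == "TERM":
        return match_term(asset, *node[1])
    if kind == "NOT":
        return not evaluate(node[1], asset)
    combine = all if kind == "AND" else any
    return combine(evaluate(child, asset) for child in node[1:])


def search(query, assets=ASSETS):
    """Return the ids of assets matching the query, in inventory order."""
    parser = Parser(tokenize(query))
    tree = parser.parse_or()
    if parser.peek() is not None:
        raise ValueError("unbalanced parentheses")
    return [a["id"] for a in assets if evaluate(tree, a)]
```

Against the constructed records, `search("os:windows AND protocol:smb1 OR protocol:smb2")` returns a1, a2 and a3 because the Linux host a2 enters through the bare `OR protocol:smb2` branch, whereas `search("os:windows AND (protocol:smb1 OR protocol:smb2)")` returns only a1 and a3. The tokenizer also rejects unquoted multi-word values such as `os:google android`, which is why values containing spaces are quoted throughout this page.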

## Asset lifecycle and hardware
* Assets created as a result of arbitrary responses:
```plaintext
has_mac:f AND has_name:f AND os:= AND hardware:= AND detected_by:icmp AND service_count:<2
```
* End of Life assets:
```plaintext
os_eol:<now
```
* Assets where both OS support and extended support are expired:
```plaintext
os_eol:<now AND os_eol_extended:<now
```
* Assets where OS support is EOL but still covered by extended support:
```plaintext
os_eol:<now AND os_eol_extended:>now
```
* EOL Linux operating systems:
```plaintext
os:linux AND os_eol:<now
```
* EOL Windows operating systems:
```plaintext
os:windows AND os_eol:<now
```
* Assets discovered within the past two weeks:
```plaintext
first_seen:"<2weeks"
```
* All available serial number sources:
```plaintext
(protocol:snmp AND has:snmp.serialNumbers) OR has:hw.serialNumber OR has:ilo.serialNumber
```
* Asset serial numbers from SNMP:
```plaintext
protocol:snmp AND has:snmp.serialNumbers
```
* Older Windows OSes:
```plaintext
os:"Windows Server 2012" OR os:"Windows 7"
```
* Older Linux OSes:
```plaintext
os:linux AND os_eol:<now
```
* BACnet devices:
```plaintext
type:bacnet
```
* Hikvision DVRs:
```plaintext
type:dvr AND os:hikvision
```
* IoT Devices:
```plaintext
type:"IP Camera" OR type:"thermostat" OR type:"Amazon Device" OR hw:"Google Chromecast" OR 
type:"Game Console" OR type:"Robotic Cleaner" OR type:"Nest Device" OR type:"Network Audio" OR 
type:"Smart TV" OR type:"VR Headset" OR type:"Voice Assistant"
```
* Video-related assets:
```plaintext
type:"IP Camera" OR type:"DVR" OR type:"Video Encoder"
```

## Misconfigurations
* SMBv1:
```plaintext
protocol:"smb1"
```
* Remote access with common services:
```plaintext
protocol:rdp OR protocol:vnc OR protocol:teamviewer OR protocol:spice OR protocol:pca
```
* Switches with default configurations for web access:
```plaintext
type:switch AND (_asset.protocol:http AND NOT _asset.protocol:tls) AND ( html.inputs:"password:" OR 
last.html.inputs:"password:" OR has:http.head.wwwAuthenticate OR has:last.http.head.wwwAuthenticate )
```
* Default SSH configurations using passwords for authentication:
```plaintext
alive:t AND protocol:"ssh" AND ssh.authMethods:"=password"
```
* Switches using Telnet or HTTP for remote access:
```plaintext
type:switch AND (protocol:telnet OR protocol:http)
```
* Microsoft FTP servers:
```plaintext
alive:t AND protocol:"ftp" AND banner:"=%Microsoft FTP%"
```
* Virtual machines that are not syncing time with the host:
```plaintext
@vmware.vm.config.tools.syncTimeWithHost:"False"
```

## Weak configurations
* Telnet (vs. SSH):
```plaintext
protocol:telnet
```
* FTP on ports 20-21 (vs. FTPS on port 990):
```plaintext
protocol:ftp
```
* FTP on ports 20-21 (vs. SCP on port 22):
```plaintext
protocol:ftp
```
* HTTP on port 80 (vs. HTTPS on port 443):
```plaintext
protocol:http
```
* SSH versions < 2.0:
```plaintext
protocol:ssh AND NOT banner:"SSH-2.0"
```
* TLS versions in use (TLSv1.0 and TLSv1.1 are deprecated and should be treated as weak):
```plaintext
tls.versionName:"=TLSv1.3" OR tls.versionName:"=TLSv1.2" OR tls.versionName:"=TLSv1.1" OR 
tls.versionName:"=TLSv1.0"
```
* LDAP on port 389 (vs. LDAPS on port 636):
```plaintext
protocol:ldap OR port:389
```
* Wireless access points without WPA authentication:
```plaintext
not authentication:WPA
```
* Online assets with SSH accepting password authentication:
```plaintext
alive:t AND has:"ssh.authMethods" AND protocol:"ssh" AND (ssh.authMethods:"=password" OR 
ssh.authMethods:"=password%publickey")
```
* Detect OpenSSL 3.0.x (`version:3.0` matches every 3.0 release; narrow the version term by patch level to isolate 3.0.0 through 3.0.6):
```plaintext
product:openssl AND version:3.0
```

## EDR / MDM
* CrowdStrike coverage gaps:
```plaintext
not edr.name:crowdstrike AND (type:server OR type:desktop OR type:laptop)
```
* Assets with CrowdStrike Agent status "Not Provisioned":
```plaintext
@crowdstrike.dev.provisionStatus:"NotProvisioned"
```
* Assets with CrowdStrike Agent mode "Reduced Functionality":
```plaintext
@crowdstrike.dev.reducedFunctionalityMode:"yes"
```
* Assets with CrowdStrike Agent status "Normal":
```plaintext
@crowdstrike.dev.status:"normal"
```
* SentinelOne coverage gaps:
```plaintext
not edr.name:Sentinelone AND (type:server OR type:desktop OR type:laptop)
```
* Assets with SentinelOne Agent requiring patch:
```plaintext
(alive:t OR scanned:f) AND has:"@sentinelone.dev.appsVulnerabilityStatus" AND 
@sentinelone.dev.appsVulnerabilityStatus:"=patch_required"
```
* Endpoint assets with neither a CrowdStrike nor a SentinelOne EDR agent:
```plaintext
(type:server OR type:desktop OR type:laptop) AND NOT (edr.name:crowdstrike OR edr.name:sentinelone)
```
```
* Miradore coverage gaps:
```plaintext
not source:Miradore AND (os:"google android" OR os:"apple ios") AND type:mobile
```
* Microsoft Defender coverage gaps:
```plaintext
not edr.name:"Defender" AND os:Windows
```
* Assets not managed by a Microsoft product:
```plaintext
source:runzero AND NOT (source:ms365defender OR source:intune OR source:azuread)
```
* Find mobile devices on the network:
```plaintext
(os:"google android" OR os:"apple ios") AND type:mobile
```
* Known FCC security threats, like Kaspersky:
```plaintext
alive:t AND edr.name:Kaspersky
```

## Virtual machine configurations
* Virtual machines with less than 8 GB of memory:
```plaintext
@vmware.vm.config.hardware.memoryMB:<"8192"
```
* Virtual machines with less than 16 GB of memory:
```plaintext
@vmware.vm.runtime.maxMemoryUsage:<"16384"
```
* Virtual machines that are not syncing time with the host:
```plaintext
@vmware.vm.config.tools.syncTimeWithHost:"False"
```
* Virtual machines that are configured with floppy drives:
```plaintext
@vmware.vm.config.extra.floppy0.autodetect:"true"
```
* Virtual machines running VMware tools:
```plaintext
@vmware.vm.config.extra.guestinfo.vmtools.versionString:"_"
```
* Virtual machines running Windows:
```plaintext
source:VMware AND os:Windows
```
* Virtual machines running Linux:
```plaintext
source:VMware AND os:Linux
```

## Vulnerability concerns
* Rapid7 - fails PCI compliance:
```plaintext
test.pciComplianceStatus:"fail"
```
* Tenable - High and Critical severity vulnerabilities that are on CISA's Known Exploited list:
```plaintext
plugin.xrefs.type:"CISA-KNOWN-EXPLOITED" AND (severity:high OR severity:critical)
```
* Tenable - Critical severity vulnerabilities where exploits are available:
```plaintext
plugin.exploitabilityEase:"Exploits are available" AND severity:critical
```
* Tenable - High and Critical severity vulnerabilities where exploits are not required:
```plaintext
plugin.exploitabilityEase:"No exploit is required" AND (severity:critical OR severity:high)
```

## Wireless results
* Search ESSID for authentication exceptions:
```plaintext
essid:"<ESSID>" AND NOT authentication:"wpa2-enterprise"
```
* Find unknown BSSIDs broadcasting a known ESSID (exclude known BSSIDs in the query for gap analysis):
```plaintext
essid:="<ESSID>" AND NOT bssid:"<MAC address>"
```
