---
title: "Findings"
---

When viewing ((findings)), you can use the keywords in this section to search and filter.

## Finding code {#finding-code}

The ((finding code)) field is the unique identifier for a given finding. Use the syntax `finding_code:<uuid>` to filter by the code field.
```plaintext
finding_code:rz-finding-internet-exposed-database
```

## Name {#finding-name}

Use the syntax `name:<text>` to search by finding name.
```plaintext
name:"Internet Exposed Database"
```

## Description {#finding-description}

The `Description` field can be searched using the syntax `description:<text>`.
```plaintext
description:"indicated databases"
```

## Solution {#finding-solution}

The `Solution` field can be searched using the syntax `solution:<text>`.
```plaintext
solution:"indicated databases"
```

## Risk {#finding-risk}

The `Risk` / `Risk Rank` value can be searched using either numeric or keyword values.
((Risk rank)) is an integer from zero through four, where `0` is Info level risk and `4` indicates Critical risk.
```plaintext
risk:"Critical"
```
```plaintext
risk_rank:>2
```

## Category {#finding-category}

The finding `Category` field can be searched using the syntax `category:<text>`.
```plaintext
category:"End-of-Life"
```

## Vulnerability instance count
The `Instance` field can be searched using the syntax `vulnerability_count:<text>`.
```plaintext
vulnerability_count:>0
```

## Organization and site names {#finding-org-site-names}

The names of organizations or sites affected can be searched using the following search terms:

- `organization_name:<text>`
- `site_name:<text>`

The IDs are unique and are written as UUIDs.
```plaintext
organization_id:0eacf412-6e69-11ec-88b9-f875a414a63a
```

## Organization and site IDs {#finding-IDs}

The IDs of organizations or sites affected can be searched using the following search terms:

- `organization_id:<uuid>`
- `site_id:<uuid>`

The IDs are unique and are written as UUIDs.
```plaintext
organization_id:0eacf412-6e69-11ec-88b9-f875a414a63a
```

## Timestamps {#finding-timestamps}

Use the following syntaxes to search the finding timestamp fields (`last_detected_at`, `created_at`, `updated_at`, `suppressed_at`):

* `created_at:<term>`
* `updated_at:<term>`
* `last_detected_at:<term>`
* `suppressed_at:<term>`

The term supports the standard runZero [time comparison syntax][time].

```plaintext
last_detected_at:>2weeks
```
```plaintext
created_at:<30minutes
```
```plaintext
updated_at:>1year
```
```plaintext
updated_at:<12hours
```
```plaintext
suppressed_at:<1day
```

## Suppression {#suppressed}

The current suppressed or unsuppressed state of findings can be searched using the syntax `suppressed:<term>`.

```plaintext
suppressed:t
```

will search for findings that are suppressed. Inversely,

```plaintext
suppressed:f
```

will search for findings that are not suppressed.

A special value of `any` can be used to display all records, regardless of suppression settings:

```plaintext
suppressed:any
```

will display both suppressed and unsuppressed findings.

Additionally, the user who performed the suppression can be found using the following syntaxes:
```plaintext
suppressed_by:<username>
```