Vulnerability instance inventory

When viewing vulnerability instances on assets, you can use the following keywords to search and filter information.

Vulnerability ID

The ID field is the unique identifier for a given vulnerability, written as a UUID. Use the syntax id:<uuid> to filter by the ID field.

id:a124a141-e518-4735-9878-8e89c575b1d2

Source

The source reporting the vulnerability detected can be searched or filtered by name using the syntax source:<name>.

source:tenable

Severity

The severity field can be searched using the syntax severity:<term>.

severity:info
severity:medium

Severity score

The severity score can be searched using the syntax severity_score:<term>. The term supports numerical comparison operators (>, >=, <, <=, =).

severity_score:<5.0
severity_score:>=9.0

Risk

The risk field can be searched using the syntax risk:<term>.

risk:none
risk:critical

Risk score

The risk score can be searched using the syntax risk_score:<term>. The term supports numerical comparison operators (>, >=, <, <=, =).

risk_score:>7.0
risk_score:=10.0

Modified risk

Vulnerabilities whose risk has been modified, either manually or by an alert rule trigger, can be searched using the syntax has_modified_risk:<boolean>.

The term is a boolean value:

  • true, t, 1, and yes represent true
  • false, f, 0, and no represent false

has_modified_risk:true
has_modified_risk:1
has_modified_risk:no

Category

The category field can be searched using the syntax category:<term>.

category:Local
category:Remote

Name

The name field can be searched using the syntax name:<term>.

name:"Cisco IOS Software DHCP Remote Code Execution Vulnerability"
name:"PHP < 5.3.12 / 5.4.2 CGI Query String Code Execution"

Description

The description field can be searched using the syntax description:<term>.

description:"The remote device is missing a vendor-supplied security patch."
description:"remote code execution"

Solution

The solution field can be searched using the syntax solution:<term>.

solution:patch
solution:upgrade

CVE

The CVE field can be searched using the syntax cve:<term>.

cve:CVE-2021-44228
cve:CVE-2016-2183

KEV

Membership in a Known Exploited Vulnerability (KEV) list can be searched using the syntax kev:<term>.

kev:t

will search for vulnerabilities that appear on a KEV list.

Specific KEV lists can be searched by name.

Exploitable

Vulnerabilities that are exploitable can be searched using the syntax exploitable:<boolean>.

The term is a boolean value:

  • true, t, 1, and yes represent true
  • false, f, 0, and no represent false

exploitable:true
exploitable:1
exploitable:no

CVSSv2 score

The CVSSv2 fields, cvss2_base_score and cvss2_temporal_score, can be searched using the syntax cvss2_base_score:<term> and cvss2_temporal_score:<term>. The term supports numerical comparison operators (>, >=, <, <=, =).

cvss2_base_score:>6.5
cvss2_base_score:<=3.0
cvss2_temporal_score:=10.0
cvss2_temporal_score:<5.0

CVSSv3 score

The CVSSv3 fields, cvss3_base_score and cvss3_temporal_score, can be searched using the syntax cvss3_base_score:<term> and cvss3_temporal_score:<term>. The term supports numerical comparison operators (>, >=, <, <=, =).

cvss3_base_score:>6.5
cvss3_base_score:<=3.0
cvss3_temporal_score:=10.0
cvss3_temporal_score:<5.0

EPSS score

The EPSS score can be searched using the syntax epss_score:<term>. The term supports numerical comparison operators (>, >=, <, <=, =).

epss_score:>0.5
epss_score:<=0.1
epss_score:=0.9

Address

The address field can be searched using the syntax address:<term>.

address:192.168.0.1

Transport

The transport field can be searched using the syntax transport:<term>.

transport:tcp
transport:udp

Port

The port can be searched using the syntax port:<term>. The term supports numerical comparison operators (>, >=, <, <=, =).

port:22
port:443

Operating system support status

The syntax os_eol_expired:<boolean> can be used to identify vulnerabilities on assets based on whether their operating system is End of Life (EOL). This field evaluates both the os_eol and os_eol_extended values, so it only returns vulnerabilities on assets whose coverage has expired.

The term is a boolean value:

  • true, t, 1, and yes represent true
  • false, f, 0, and no represent false

os_eol_expired:t
os_eol_expired:1
os_eol_expired:no

Finding code

The finding code field is the unique identifier for a given finding. Use the syntax finding_code:<term> to filter by the code field.

finding_code:rz-finding-internet-exposed-database

Finding name

Use the syntax finding_name:<text> to search by finding name.

finding_name:"Internet Exposed Database"

Finding risk

The Finding Risk and Finding Risk Score fields can be searched using either numeric or keyword values. Risk score is an integer from zero through four, where 0 is Info level risk and 4 indicates Critical risk.

finding_risk:"Critical"
finding_risk:2

Detection timestamps (first detected at, last detected at)

The timestamp fields, first_detected_at and last_detected_at, can be searched using the syntax first_detected_at:<term> and last_detected_at:<term>. The term supports the standard runZero [time comparison syntax][time].

first_detected_at:>2weeks
first_detected_at:<30minutes
last_detected_at:>1month
last_detected_at:2hours

Publication timestamps (published at)

The timestamp field, published_at, can be searched using the syntax published_at:<term>. The term supports the standard runZero [time comparison syntax][time].

published_at:>2weeks
published_at:<30minutes

Timestamps (created at, updated at)

The timestamp fields, created_at and updated_at, can be searched using the syntax created_at:<term> and updated_at:<term>. The term supports the standard runZero [time comparison syntax][time].

created_at:>2weeks
created_at:<30minutes
updated_at:>1month
updated_at:2hours

Attributes

You can search all vulnerability attributes with the syntax <attribute>:<term>. This search term supports numerical comparison operators (>, >=, <, <=, =).

If the attribute name conflicts with an existing term, the prefix _vulnerability. can be added to disambiguate the query.

plugin.hasPatch:true
severityID:3
_vulnerability.state:REOPENED

To determine if a vulnerability has any attribute defined, use the has:<term> keyword. The has keyword can be inverted to find missing fields with not has:<term>.

has:plugin.vpr.score
not has:output
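The following is an added example, not runZero's own code: a small evaluator that applies the term rules documented above (boolean aliases for fields such as exploitable and kev, the numeric comparison operators on fields such as severity_score and port, and has / not has for attributes) to a constructed in-memory inventory, which is useful for re-filtering an exported vulnerability list offline. It assumes records are dicts keyed by the field names on this page and treats plain text terms as case-insensitive substring matches, which is an assumption about the product, not something the page states.

```python
import operator
import re
import shlex

VULNS = [  # constructed sample inventory (not real runZero data); keys follow the keyword reference
    {"id": "a124a141-e518-4735-9878-8e89c575b1d2", "source": "tenable", "severity_score": 9.8,
     "exploitable": True, "kev": True, "port": 443, "plugin.vpr.score": 7.4},
    {"id": "0f1c6c52-3f1e-4a6e-9d2b-2f1e1c0a9b77", "source": "tenable", "severity_score": 4.3,
     "exploitable": False, "kev": False, "port": 22},
    {"id": "7b9e2d10-5c44-4d9a-8c0e-6a1b2c3d4e5f", "source": "rapid7", "severity_score": 7.5,
     "exploitable": True, "kev": False, "port": 8080, "output": "banner"},
]

BOOL_TRUE, BOOL_FALSE = {"true", "t", "1", "yes"}, {"false", "f", "0", "no"}
OPS = {">=": operator.ge, "<=": operator.le, ">": operator.gt, "<": operator.lt, "=": operator.eq}
TERM_RE = re.compile(r"^(>=|<=|>|<|=)?(.*)$")

def match_term(value, term):
    """Compare one record value against one search term using the page's rules."""
    op, raw = TERM_RE.match(term).groups()
    if isinstance(value, bool):            # boolean fields accept the listed aliases
        if raw.lower() not in BOOL_TRUE | BOOL_FALSE:
            raise ValueError(f"not a boolean term: {term}")
        return value == (raw.lower() in BOOL_TRUE)
    if isinstance(value, (int, float)):    # numeric fields support >, >=, <, <=, =
        return OPS[op or "="](value, float(raw))
    if op:                                 # the page defines operators only for numeric fields
        raise ValueError(f"operator {op} not supported on text field")
    return raw.lower() in str(value).lower()   # text fields: case-insensitive substring (assumption)

def parse_query(query):
    clauses, negate = [], False
    for token in shlex.split(query):       # shlex keeps quoted multi-word terms as one token
        if token == "not":                 # 'not' inverts the clause that follows it (page: not has:)
            negate = True
            continue
        field, _, term = token.partition(":")
        clauses.append((negate, field, term))
        negate = False
    return clauses

def evaluate(record, query):
    for negate, field, term in parse_query(query):   # clauses are ANDed
        hit = term in record if field == "has" else (field in record and match_term(record[field], term))
        if hit == negate:
            return False
    return True

def search(query, records=VULNS):
    return [r["id"] for r in records if evaluate(r, query)]
```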