Vulnerability inventory

When viewing the Vulnerabilities inventory, you can use the following keywords to search and filter information.

Vulnerability ID

The ID field is the unique identifier for a given vulnerability, written as a UUID. Use the syntax id:<uuid> to filter by the ID field.

id:a124a141-e518-4735-9878-8e89c575b1d2

Source

The source that reported the detected vulnerability can be searched or filtered by name using the syntax source:<name>.

source:tenable

Severity

The severity field can be searched using the syntax severity:<term>.

severity:info
severity:medium

Severity score

The severity score can be searched using the syntax severity_score:<term>. The term supports numerical comparison operators (>, >=, <, <=, =).

severity_score:<5.0
severity_score:>=9.0

Risk

The risk field can be searched using the syntax risk:<term>.

risk:none
risk:critical

Risk score

The risk score can be searched using the syntax risk_score:<term>. The term supports numerical comparison operators (>, >=, <, <=, =).

risk_score:>7.0
risk_score:=10.0

Category

The category field can be searched using the syntax category:<term>.

category:Local
category:Remote

Name

The name field can be searched using the syntax name:<term>.

name:"Cisco IOS Software DHCP Remote Code Execution Vulnerability"
name:"PHP < 5.3.12 / 5.4.2 CGI Query String Code Execution"

Description

The description field can be searched using the syntax description:<term>.

description:"The remote device is missing a vendor-supplied security patch."
description:"remote code execution"

Solution

The solution field can be searched using the syntax solution:<term>.

solution:patch
solution:upgrade

CVE

The CVE field can be searched using the syntax cve:<term>.

cve:CVE-2021-44228
cve:CVE-2016-2183

KEV

Membership in a Known Exploited Vulnerability (KEV) list can be searched for using the syntax kev:<term>:

kev:t

will search for vulnerabilities that appear on a KEV list.

Specific KEV lists can be searched by name.

CVSSv2 score

The CVSSv2 fields, cvss2_base_score and cvss2_temporal_score, can be searched using the syntax cvss2_base_score:<term> and cvss2_temporal_score:<term>. The term supports numerical comparison operators (>, >=, <, <=, =).

cvss2_base_score:>6.5
cvss2_base_score:<=3.0
cvss2_temporal_score:=10.0
cvss2_temporal_score:<5.0

CVSSv3 score

The CVSSv3 fields, cvss3_base_score and cvss3_temporal_score, can be searched using the syntax cvss3_base_score:<term> and cvss3_temporal_score:<term>. The term supports numerical comparison operators (>, >=, <, <=, =).

cvss3_base_score:>6.5
cvss3_base_score:<=3.0
cvss3_temporal_score:=10.0
cvss3_temporal_score:<5.0

Address

The address field can be searched using the syntax address:<term>.

address:192.168.0.1

Transport

The transport field can be searched using the syntax transport:<term>.

transport:tcp
transport:udp

Port

The port can be searched using the syntax port:<term>. The term supports numerical comparison operators (>, >=, <, <=, =).

port:22
port:443

Operating system support status

The syntax os_eol_expired:<boolean> can be used to identify vulnerabilities on assets based on whether their operating systems are End of Life (EOL). This field evaluates both the os_eol and os_eol_extended values to only return vulnerabilities on assets with expired coverage.

The term is a boolean value:

  • true, t, 1, and yes represent true
  • false, f, 0, and no represent false

os_eol_expired:t
os_eol_expired:1
os_eol_expired:no

Detection timestamps (first detected at, last detected at)

The timestamp fields, first_detected_at and last_detected_at, can be searched using the syntax first_detected_at:<term> and last_detected_at:<term>. The term supports the standard runZero time comparison syntax.

first_detected_at:>2weeks
first_detected_at:<30minutes
last_detected_at:>1month
last_detected_at:2hours

Publication timestamps (published at)

The timestamp field, published_at, can be searched using the syntax published_at:<term>. The term supports the standard runZero time comparison syntax.

published_at:>2weeks
published_at:<30minutes

Timestamps (created at, updated at)

The timestamp fields, created_at and updated_at, can be searched using the syntax created_at:<term> and updated_at:<term>. The term supports the standard runZero time comparison syntax.

created_at:>2weeks
created_at:<30minutes
updated_at:>1month
updated_at:2hours

Attributes

You can search all vulnerability attributes with the syntax <attribute>:<term>. This search term supports numerical comparison operators (>, >=, <, <=, =).

If the attribute name conflicts with an existing term, the prefix _vulnerability. can be added to disambiguate the query.

plugin.hasPatch:true
severityID:3
_vulnerability.state:REOPENED

To determine if a vulnerability has any attribute defined, use the has:<term> keyword. The has keyword can be inverted to find missing fields with not has:<term>.

has:plugin.vpr.score
not has:output
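
When queries are generated by scripts (for example, to feed saved searches or alert rules), a malformed term is easier to catch before it is submitted. The following is an added example, not runZero code: a local check that splits a term into field, operator, and value using only the rules documented on this page. The function name parse_term and the choice to accept the boolean literals and the not prefix exactly as written above are assumptions of the example.

```python
import re

# Fields this page documents as accepting numerical comparison operators.
NUMERIC_FIELDS = {
    "severity_score", "risk_score", "port",
    "cvss2_base_score", "cvss2_temporal_score",
    "cvss3_base_score", "cvss3_temporal_score",
}
# Boolean literals exactly as listed for os_eol_expired.
TRUE_WORDS = {"true", "t", "1", "yes"}
FALSE_WORDS = {"false", "f", "0", "no"}
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
# [not ]<field>:<optional operator><value>; two-character operators first.
TERM_RE = re.compile(r"^(not\s+)?([A-Za-z_][\w.]*):(>=|<=|>|<|=)?(.+)$")

def parse_term(term):
    """Split one search term into its parts, or raise ValueError."""
    m = TERM_RE.match(term.strip())
    if not m:
        raise ValueError(f"not a <field>:<term> expression: {term!r}")
    negated, field, op, raw = bool(m.group(1)), m.group(2), m.group(3), m.group(4)
    if negated and field != "has":
        raise ValueError("this page shows 'not' only in front of has:")
    value = raw
    if field in NUMERIC_FIELDS:
        value = float(raw)  # raises ValueError for e.g. severity_score:high
    elif field == "os_eol_expired":
        if op or raw not in TRUE_WORDS | FALSE_WORDS:
            raise ValueError(f"os_eol_expired needs a boolean, got {raw!r}")
        value = raw in TRUE_WORDS
    elif field == "id":
        if op or not UUID_RE.match(raw):
            raise ValueError(f"id needs a UUID, got {raw!r}")
    elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
        value = raw[1:-1]  # quoted phrase, as in the name: examples
    return {"field": field, "op": op, "value": value, "negated": negated}

if __name__ == "__main__":
    # Sample terms taken from this page, plus two constructed bad ones.
    for t in ["severity_score:>=9.0", "os_eol_expired:no", "not has:output",
              "_vulnerability.state:REOPENED", "severity_score:high",
              "os_eol_expired:maybe"]:
        try:
            print(t, "->", parse_term(t))
        except ValueError as e:
            print(t, "-> rejected:", e)
```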