---
title: "Vulnerability instance inventory"
---

When viewing ((vulnerability instances)) on assets, you can use the following keywords to ((search|search vulnerabilities)) and filter information.

## Vulnerability ID {#vulnerability-ID}

The ID field is the unique identifier for a given vulnerability, written as a UUID. Use the syntax `id:<uuid>` to filter by the ID field.

```plaintext
id:a124a141-e518-4735-9878-8e89c575b1d2
```

## Source {#vulnerability-source}

The source that reported the vulnerability can be searched or filtered by name using the syntax `source:<name>`.

```plaintext
source:tenable
```

## Severity {#vulnerability-severity}

The severity field can be searched using the syntax `severity:<term>`.

```plaintext
severity:info
```
```plaintext
severity:medium
```

## Severity score {#vulnerability-severityScore}

The severity score can be searched using the syntax `severity_score:<term>`. The term supports numerical comparison operators (`>`, `>=`, `<`, `<=`, `=`).

```plaintext
severity_score:<5.0
```
```plaintext
severity_score:>=9.0
```

## Risk {#vulnerability-risk}

The risk field can be searched using the syntax `risk:<term>`.

```plaintext
risk:none
```
```plaintext
risk:critical
```

## Risk score {#vulnerability-riskScore}

The risk score can be searched using the syntax `risk_score:<term>`. The term supports numerical comparison operators (`>`, `>=`, `<`, `<=`, `=`).

```plaintext
risk_score:>7.0
```
```plaintext
risk_score:=10.0
```

## Modified risk {#vulnerability-modifiedRisk}

Vulnerabilities whose risk has been modified, either manually or by an alert rule trigger, can be searched using the syntax `has_modified_risk:<boolean>`.

The term is a boolean value:

- `true`, `t`, `1`, and `yes` represent _true_
- `false`, `f`, `0`, and `no` represent _false_

```plaintext
has_modified_risk:true
```
```plaintext
has_modified_risk:1
```
```plaintext
has_modified_risk:no
```

## Category {#vulnerability-category}

The category field can be searched using the syntax `category:<term>`.

```plaintext
category:Local
```
```plaintext
category:Remote
```

## Name {#vulnerability-name}

The name field can be searched using the syntax `name:<term>`.

```plaintext
name:"Cisco IOS Software DHCP Remote Code Execution Vulnerability"
```
```plaintext
name:"PHP < 5.3.12 / 5.4.2 CGI Query String Code Execution"
```

## Description {#vulnerability-description}

The description field can be searched using the syntax `description:<term>`.

```plaintext
description:"The remote device is missing a vendor-supplied security patch."
```
```plaintext
description:"remote code execution"
```

## Solution {#vulnerability-solution}

The solution field can be searched using the syntax `solution:<term>`.

```plaintext
solution:patch
```
```plaintext
solution:upgrade
```

## CVE {#vulnerability-CVE}

The CVE field can be searched using the syntax `cve:<term>`.

```plaintext
cve:CVE-2021-44228
```
```plaintext
cve:CVE-2016-2183
```

## KEV {#vulnerability-KEV}

Membership in a Known Exploited Vulnerability (KEV) list can be searched using the syntax `kev:<term>`.

```plaintext
kev:t
```

will search for vulnerabilities that appear on a KEV list.

Specific KEV lists can be searched by name.

- `kev:cisa` will search for vulnerabilities listed as actively exploited in the [CISA Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog).

- `kev:vulncheck` will search for vulnerabilities listed as actively exploited in the [VulnCheck Catalog](https://vulncheck.com/kev).

- `kev:true` will search for vulnerabilities in either of the above lists.

## Exploitable {#vulnerability-exploitable}

Vulnerabilities that are exploitable can be searched using the syntax `exploitable:<boolean>`.

The term is a boolean value:

- `true`, `t`, `1`, and `yes` represent _true_
- `false`, `f`, `0`, and `no` represent _false_

```plaintext
exploitable:true
```
```plaintext
exploitable:1
```
```plaintext
exploitable:no
```

## CVSSv2 score {#vulnerability-CVSSv2}

The CVSSv2 fields, `cvss2_base_score` and `cvss2_temporal_score`, can be searched using the syntax `cvss2_base_score:<term>` and `cvss2_temporal_score:<term>`. The term supports numerical comparison operators (`>`, `>=`, `<`, `<=`, `=`).

```plaintext
cvss2_base_score:>6.5
```
```plaintext
cvss2_base_score:<=3.0
```
```plaintext
cvss2_temporal_score:=10.0
```
```plaintext
cvss2_temporal_score:<5.0
```

## CVSSv3 score {#vulnerability-CVSSv3}

The CVSSv3 fields, `cvss3_base_score` and `cvss3_temporal_score`, can be searched using the syntax `cvss3_base_score:<term>` and `cvss3_temporal_score:<term>`. The term supports numerical comparison operators (`>`, `>=`, `<`, `<=`, `=`).

```plaintext
cvss3_base_score:>6.5
```
```plaintext
cvss3_base_score:<=3.0
```
```plaintext
cvss3_temporal_score:=10.0
```
```plaintext
cvss3_temporal_score:<5.0
```

## EPSS score {#vulnerability-EPSS}

The EPSS score can be searched using the syntax `epss_score:<term>`. The term supports numerical comparison operators (`>`, `>=`, `<`, `<=`, `=`).

```plaintext
epss_score:>0.5
```

```plaintext
epss_score:<=0.1
```

```plaintext
epss_score:=0.9
```

## Address {#vulnerability-address}

The address field can be searched using the syntax `address:<term>`.

```plaintext
address:192.168.0.1
```

## Transport {#vulnerability-transport}

The transport field can be searched using the syntax `transport:<term>`.

```plaintext
transport:tcp
```
```plaintext
transport:udp
```

## Port {#vulnerability-port}

The port can be searched using the syntax `port:<term>`. The term supports numerical comparison operators (`>`, `>=`, `<`, `<=`, `=`).

```plaintext
port:22
```
```plaintext
port:443
```
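The following is an added example, not runZero code: a Python sketch of how the boolean and numeric term forms documented above can be interpreted when applying the same filters to records offline. The record layout, the `BOOLEAN_FIELDS` set, treating a bare number as equality, and ANDing multiple filters are assumptions of this example.

```python
import operator
import re

# Boolean aliases exactly as listed on this page.
TRUE_TERMS = {"true", "t", "1", "yes"}
FALSE_TERMS = {"false", "f", "0", "no"}
# Comparison operators the page lists for numeric terms.
OPS = {">=": operator.ge, "<=": operator.le, ">": operator.gt,
       "<": operator.lt, "=": operator.eq}
NUMERIC_TERM = re.compile(r"^(>=|<=|>|<|=)?(\d+(?:\.\d+)?)$")
# Assumption of this example: the keywords that take boolean terms.
BOOLEAN_FIELDS = {"exploitable", "has_modified_risk", "os_eol_expired"}

def parse_bool(term):
    """Map a boolean term to True/False; reject anything not on the list."""
    if term in TRUE_TERMS:
        return True
    if term in FALSE_TERMS:
        return False
    raise ValueError(f"not a boolean term: {term!r}")

def parse_numeric(term):
    """Return a predicate for terms such as '>=9.0', '<5.0' or '22'."""
    m = NUMERIC_TERM.match(term)
    if not m:
        raise ValueError(f"not a numeric term: {term!r}")
    # Assumption: a bare number with no operator means equality.
    op = OPS[m.group(1) or "="]
    bound = float(m.group(2))
    return lambda value: op(float(value), bound)

def matches(record, query):
    """Evaluate one 'keyword:term' filter against a dict record."""
    keyword, _, term = query.partition(":")
    if keyword not in record:
        return False
    if keyword in BOOLEAN_FIELDS:
        return record[keyword] is parse_bool(term)
    return parse_numeric(term)(record[keyword])

# Constructed sample records, not real scan data.
SAMPLE = [
    {"name": "vuln-a", "severity_score": 9.8, "epss_score": 0.94, "exploitable": True, "port": 443},
    {"name": "vuln-b", "severity_score": 4.3, "epss_score": 0.02, "exploitable": False, "port": 22},
]

def search(records, *queries):
    """Names of records matching every filter (filters are ANDed in this example)."""
    return [r["name"] for r in records if all(matches(r, q) for q in queries)]
```
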

## Operating system support status {#vulnerability-os-eol}

The syntax `os_eol_expired:<boolean>` can be used to identify vulnerabilities on assets based on whether their operating systems are End of Life (EOL). This field evaluates both the `os_eol` and `os_eol_extended` values to only return vulnerabilities on assets with expired coverage.

The term is a boolean value: 

 - `true`, `t`, `1`, and `yes` represent _true_
 - `false`, `f`, `0`, and `no` represent _false_

```plaintext
os_eol_expired:t
```
```plaintext
os_eol_expired:1
```
```plaintext
os_eol_expired:no
```

## Finding code {#vulnerability-finding-code}

The finding code field is the unique identifier for a given finding. Use the syntax `finding_code:<term>` to filter by the code field.

```plaintext
finding_code:rz-finding-internet-exposed-database
```

## Finding name {#vulnerability-finding-name}

Use the syntax `finding_name:<text>` to search by finding name.

```plaintext
finding_name:"Internet Exposed Database"
```

## Finding risk {#vulnerability-finding-risk}

The `Finding Risk` and `Finding Risk Score` fields can be searched with the syntax `finding_risk:<term>`, using either numeric or keyword values.
The risk score is an integer from zero through four, where `0` indicates Info level risk and `4` indicates Critical risk.

```plaintext
finding_risk:"Critical"
```
```plaintext
finding_risk:2
```

## Detection timestamps (first detected at, last detected at) {#vulnerability-detection}

The timestamp fields, `first_detected_at` and `last_detected_at`, can be searched using the syntax `first_detected_at:<term>` and `last_detected_at:<term>`. The term supports the standard runZero [time comparison syntax][time].

```plaintext
first_detected_at:>2weeks
```
```plaintext
first_detected_at:<30minutes
```
```plaintext
last_detected_at:>1month
```
```plaintext
last_detected_at:2hours
```

## Publication timestamps (published at) {#vulnerability-publication}

The timestamp field, `published_at`, can be searched using the syntax `published_at:<term>`. The term supports the standard runZero [time comparison syntax][time].

```plaintext
published_at:>2weeks
```
```plaintext
published_at:<30minutes
```

## Timestamps (created at, updated at) {#vulnerability-timestamps}

Use the following syntaxes to search the vulnerability timestamp fields (`created_at`, `updated_at`, `suppressed_at`):

* `created_at:<term>`
* `updated_at:<term>`
* `suppressed_at:<term>`

The term supports the standard runZero [time comparison syntax][time].

```plaintext
created_at:>2weeks
```
```plaintext
created_at:<30minutes
```
```plaintext
updated_at:>1month
```
```plaintext
updated_at:2hours
```
```plaintext
suppressed_at:<1day
```

## Attributes {#vulnerability-attributes}

You can search all vulnerability attributes with the syntax `<attribute>:<term>`. This search term supports numerical comparison operators (`>`, `>=`, `<`, `<=`, `=`).

If the attribute name conflicts with an existing term, the prefix `_vulnerability.` can be added to disambiguate the query.

```plaintext
plugin.hasPatch:true
```
```plaintext
severityID:3
```
```plaintext
_vulnerability.state:REOPENED
```

To determine if a vulnerability has any attribute defined, use the `has:<term>` keyword. The `has` keyword can be inverted to find missing fields with `not has:<term>`.

```plaintext
has:plugin.vpr.score
```
```plaintext
not has:output
```

## Certificate fields {#vulnerability-certificates}

Certificate-related fields can be searched using the following keywords.

### Certificate ID {#vulnerability-certificate-id}

Use the syntax `certificate_id:<uuid>` to filter by certificate ID.

```plaintext
certificate_id:4e3a2b1c-5d6f-7a8b-9c0d-1e2f3a4b5c6d
```

### Certificate type {#vulnerability-certificate-type}

Use the syntax `certificate_type:<term>` to search by certificate type.

```plaintext
certificate_type:"x509"
```

### Certificate serial {#vulnerability-certificate-serial}

Use the syntax `certificate_serial:<term>` to search by certificate serial number.

```plaintext
certificate_serial:"01A23B45C"
```

### Certificate public key {#vulnerability-certificate-public-key}

Use the syntax `certificate_public_key:<term>` to search by certificate public key.

```plaintext
certificate_public_key:"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A..."
```

### Certificate public key algorithm {#vulnerability-certificate-public-key-algorithm}

Use the syntax `certificate_public_key_algorithm:<term>` to search by certificate public key algorithm.

```plaintext
certificate_public_key_algorithm:"ecPublicKey"
```

### Certificate signature {#vulnerability-certificate-signature}

Use the syntax `certificate_signature:<term>` to search by certificate signature.

```plaintext
certificate_signature:"abcdef1234567890"
```

### Certificate signature algorithm {#vulnerability-certificate-signature-algorithm}

Use the syntax `certificate_signature_algorithm:<term>` to search by certificate signature algorithm.

```plaintext
certificate_signature_algorithm:"rsaEncryption"
```

### Certificate fingerprint (bkhash) {#vulnerability-certificate-bkhash}

Use the syntax `certificate_fp_bkhash:<term>` to search by certificate fingerprint (bkhash).

```plaintext
certificate_fp_bkhash:"d2c7e8f9..."
```

### Certificate fingerprint (SHA1) {#vulnerability-certificate-sha1}

Use the syntax `certificate_fp_sha1:<term>` to search by certificate SHA1 fingerprint.

```plaintext
certificate_fp_sha1:"349eb7db55bbad9d7deabc5effdfd5521ed984a0"
```

### Certificate fingerprint (SHA256) {#vulnerability-certificate-sha256}

Use the syntax `certificate_fp_sha256:<term>` to search by certificate SHA256 fingerprint.

```plaintext
certificate_fp_sha256:"SHA256:Sc0pLUCvlNaGtu4Xy2fOTe1A6cC+KyU3x7xuN8+aLtA="
```

### Certificate subject {#vulnerability-certificate-subject}

Use the syntax `certificate_subject:<term>` to search by certificate subject.

```plaintext
certificate_subject:"CN=example.com,O=ExampleCorp,C=US"
```

### Certificate common name (CN) {#vulnerability-certificate-cn}

Use the syntax `certificate_cn:<term>` to search by certificate common name.

```plaintext
certificate_cn:"example.com"
```

### Certificate issuer {#vulnerability-certificate-issuer}

Use the syntax `certificate_issuer:<term>` to search by certificate issuing authority.

```plaintext
certificate_issuer:"CN=Example CA,O=Example Corp,C=US"
```

### Certificate subject key ID {#vulnerability-certificate-subject-key-id}

Use the syntax `certificate_subject_key_id:<term>` to search by certificate subject key ID.

```plaintext
certificate_subject_key_id:"1234567890abcdef"
```

### Certificate authority key ID {#vulnerability-certificate-authority-key-id}

Use the syntax `certificate_authority_key_id:<term>` to search by certificate issuing authority key ID.

```plaintext
certificate_authority_key_id:"abcdef1234567890"
```

## Suppression {#suppressed-vuln}

The current suppressed or unsuppressed state of vulnerabilities can be searched using the syntax `suppressed:<term>`.

```plaintext
suppressed:t
```

will search for vulnerabilities that are suppressed. Inversely,

```plaintext
suppressed:f
```

will search for vulnerabilities that are not suppressed.

A special value of `any` can be used to display all records, regardless of suppression settings:

```plaintext
suppressed:any
```

will display both suppressed and unsuppressed vulnerabilities.

Additionally, the user who performed the suppression can be found using the following syntax:

```plaintext
suppressed_by:<username>
```
