Querying your data

runZero provides many ways to query your data. Generally, queries can be broken into two concepts:

  • Filters or parameters used in the search bars on pages across the console, or
  • System and custom queries for which match metrics are calculated as tasks complete.

Both allow you to leverage the extensive query language to quickly find the information you’re looking for.

Filtering and searching data

The various inventory pages are likely the main place you’d look to use these queries, but many other pages include the same type of search bar that can be used to filter results. The following documentation pages will help you craft a query that meets your needs:

System and custom queries

The Queries page serves as an inventory of all your saved queries. Saved queries can either be system queries published by runZero or custom queries created by you or your team.

Standard query attributes

Queries have the following standard attributes:

  • Name: A name for the saved query.
  • Description: A description of the saved query.
  • Search query: The query or parameters used to find matches.
  • Search live assets only: When toggled to Yes (default), alive:t is added to the search query to only include assets marked alive.
  • Type: The inventory the query will search.
  • Category: The category the query falls under.
  • Severity: A severity level for the query.
  • Automatically track query results on the dashboard: When toggled to Yes, the query and count of matches will be included in a component on the dashboard.

Vulnerability record attributes

Professional Community Platform

System and custom queries can also be used to create and associate vulnerability records with matching assets. This will be enabled by default on some system queries. To have a query create vulnerability records, switch the Apply a vulnerability record to matching assets toggle to Yes, then complete the following fields:

  • Vulnerability ID: Choose a unique ID to track this vulnerability within runZero.
  • CVEs: Include a list of CVEs relevant to this vulnerability record (optional).
  • Solution: Provide context for how this vulnerability could be remediated on assets (optional).
  • Risk: Select a risk level to associate with the vulnerability. This impacts the asset risk.
  • Exploitable: Specify whether an exploit is available for the vulnerability.
  • CVSS v3 base score: The CVSS v3 base score (0.00 to 10.00).
  • CVSS v3 temporal score: The CVSS v3 temporal score (0.00 to 10.00).
  • CVSS v2 base score: The CVSS v2 base score (0.00 to 10.00).
  • CVSS v2 temporal score: The CVSS v2 temporal score (0.00 to 10.00).
  • CPE 2.3 identifier: Specify a relevant Common Platform Enumeration identifier in URI format (v2.3) to associate with the reported vulnerability (optional).
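
An added example, not runZero's code or API: a pre-review check for custom query definitions that a team keeps in version control before entering them on the Queries page. The dictionary keys, the AND join used to model the live-assets toggle, and the sample `protocol:telnet` searches are assumptions made for illustration.

```python
import re

# Keys are hypothetical names mirroring the console form labels, not runZero API fields.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
SCORE_FIELDS = ("cvss3_base", "cvss3_temporal", "cvss2_base", "cvss2_temporal")

def effective_query(q):
    """Search string once the 'Search live assets only' toggle (default Yes) is applied."""
    query = q["search_query"].strip()
    if q.get("live_only", True) and "alive:t" not in query:
        # Assumption: the page says alive:t is added but not how; AND is used here.
        query = f"({query}) AND alive:t"
    return query

def validate(queries):
    """Return (query name, problem) tuples for a set of query definitions."""
    problems, seen_ids = [], {}
    for q in queries:
        name = q.get("name", "<unnamed>")
        if not q.get("search_query", "").strip():
            problems.append((name, "empty search query"))
        vuln = q.get("vulnerability")
        if vuln is None:  # vulnerability record toggle left at No
            continue
        vid = vuln.get("id", "").strip()
        if not vid:
            problems.append((name, "missing vulnerability ID"))
        elif vid in seen_ids:  # the ID must be unique across saved queries
            problems.append((name, f"vulnerability ID reused from {seen_ids[vid]!r}"))
        else:
            seen_ids[vid] = name
        for cve in vuln.get("cves", []):  # optional field
            if not CVE_RE.match(cve):
                problems.append((name, f"malformed CVE {cve!r}"))
        for field in SCORE_FIELDS:
            score = vuln.get(field)
            if score is not None and not 0.0 <= float(score) <= 10.0:
                problems.append((name, f"{field} {score} outside 0.00-10.00"))
    return problems

# Constructed sample definitions; the second one carries three deliberate mistakes.
SAMPLE = [
    {"name": "Telnet exposed", "search_query": "protocol:telnet",
     "vulnerability": {"id": "custom-telnet", "cves": [], "cvss3_base": 9.8}},
    {"name": "Telnet exposed (copy)", "search_query": "protocol:telnet", "live_only": False,
     "vulnerability": {"id": "custom-telnet", "cves": ["CVE-20-1"], "cvss3_base": 98}},
]

if __name__ == "__main__":
    for name, problem in validate(SAMPLE):
        print(f"{name}: {problem}")
```

Printing `effective_query()` next to each definition during review makes it visible when a query with the live-assets toggle on will skip assets that are currently offline.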

Creating and editing queries

Custom queries can be created by users with the default role of administrator or higher from the Queries page by clicking the New query button. Once created, custom queries can be edited and copied. System queries cannot be edited directly, but can be copied if you wish to make changes.
