Query examples

There are endless ways to combine terms and operators into effective queries, and the examples below can be used as-is or adjusted to meet your needs.

Network configurations and access

  • Multihomed assets with public and private IP addresses:
alive:t AND has_public:t AND has_private:t
  • Multihomed assets connected only to private networks:
multi_home:t AND has_public:f
  • Default SSH configuration using passwords for authentication:
alive:t AND protocol:"ssh" AND ssh.authMethods:"=password"
  • Microsoft FTP servers:
alive:t AND protocol:"ftp" AND banner:"=%Microsoft FTP%"
  • Remote access services/protocols:
protocol:rdp OR protocol:vnc OR protocol:teamviewer
  • Assets with public IPs running remote access services:
has_public:t AND alive:t AND (protocol:rdp OR protocol:vnc OR protocol:teamviewer)
  • Open ports associated with cleartext protocols:
port:21 OR port:23 OR port:80 OR port:443 OR port:139 OR port:445 OR port:3306 OR port:1433 OR port:161 OR port:8080 OR port:3389 OR port:5900
  • Telnet on nondefault ports:
protocol:telnet AND NOT port:23
  • Windows assets offering SMB services:
os:windows AND (protocol:smb1 OR protocol:smb2)
  • Switch assets accepting Username and Password authentication:
type:switch AND (_asset.protocol:http AND NOT _asset.protocol:tls) AND ( html.inputs:"password:" OR last.html.inputs:"password:" OR has:http.head.wwwAuthenticate OR has:last.http.head.wwwAuthenticate )
  • Assets more than 8 hops away:
attribute:"ip.ttl.hops" AND ip.ttl.hops:>"8"

Asset lifecycle and hardware

  • Assets created as a result of arbitrary responses:
has_mac:f AND has_name:f AND os:= AND hardware:= AND detected_by:icmp AND service_count:<2
  • End of Life assets:
os_eol:<now
  • Assets where both OS support and extended support are expired:
os_eol:<now AND os_eol_extended:<now
  • Assets where OS support is EOL but still covered by extended support:
os_eol:<now AND os_eol_extended:>now
  • EOL Linux operating systems:
os:linux AND os_eol:<now
  • EOL Windows operating systems:
os:windows AND os_eol:<now
  • Assets discovered within the past two weeks:
first_seen:"<2weeks"
  • All available serial number sources:
protocol:snmp has:snmp.serialNumbers OR hw.serialNumber:t OR ilo.serialNumber:t
  • Asset serial numbers from SNMP:
protocol:snmp has:snmp.serialNumbers
  • Older Windows OSes:
os:"Windows Server 2012" OR os:"Windows 7"
  • Older Linux OSes:
os:linux AND os_eol:<now
  • BACnet devices:
type:bacnet
  • Hikvision DVRs:
type:dvr AND os:hikvision
  • IoT Devices:
type:"IP Camera" OR type:"thermostat" OR type:"Amazon Device" OR hw:"Google Chromecast" OR type:"Game Console" OR type:"Robotic Cleaner" OR type:"Nest Device" OR type:"Network Audio" OR type:"Smart TV" OR type:"VR Headset" OR type:"Voice Assistant"
  • Video-related assets:
type:"IP Camera" OR type:"DVR" OR type:"Video Encoder"

Misconfigurations

  • SMBv1:
protocol:"smb1"
  • Remote access with common services:
protocol:rdp OR protocol:vnc OR protocol:teamviewer OR protocol:spice OR protocol:pca
  • Switches with default configurations for web access:
type:switch AND (_asset.protocol:http AND NOT _asset.protocol:tls) AND ( html.inputs:"password:" OR last.html.inputs:"password:" OR has:http.head.wwwAuthenticate OR has:last.http.head.wwwAuthenticate )
  • Default SSH configurations using passwords for authentication:
alive:t AND protocol:"ssh" AND ssh.authMethods:"=password"
  • Switches using Telnet or HTTP for remote access:
type:switch AND (protocol:telnet OR protocol:http)
  • Microsoft FTP servers:
alive:t AND protocol:"ftp" AND banner:"=%Microsoft FTP%"
  • Virtual machines that are not syncing time with the host:
@vmware.vm.config.tools.syncTimeWithHost:"False"

Weak configurations

  • Telnet (vs. SSH):
protocol:telnet
  • FTP on ports 20-21 (vs. FTPS on port 990):
protocol:ftp
  • FTP on ports 20-21 (vs. SCP on port 22):
protocol:ftp
  • HTTP on port 80 (vs. HTTPS on port 443):
protocol:http
  • SSH versions < 2.0:
protocol:ssh AND NOT banner:"SSH-2.0"
  • TLS versions in use (TLSv1.0 and TLSv1.1 are the weak configurations; TLSv1.2 and TLSv1.3 are included so the full version inventory is visible):
tls.versionName:"=TLSv1.3" OR tls.versionName:"=TLSv1.2" OR tls.versionName:"=TLSv1.1" OR tls.versionName:"=TLSv1.0"
  • LDAP on port 389 (vs. LDAPS on port 636):
protocol:ldap OR port:389
  • Wireless access points without WPA authentication:
not authentication:WPA
  • Online assets with SSH accepting password authentication:
alive:t AND has:"ssh.authMethods" AND protocol:"ssh" AND (ssh.authMethods:"=password" OR ssh.authMethods:"=password%publickey")
  • Detect OpenSSL version 3.0 - 3.0.6:
product:openssl AND version:3.0

EDR / MDM

  • CrowdStrike coverage gaps:
not edr.name:crowdstrike AND (type:server OR type:desktop OR type:laptop)
  • Assets with CrowdStrike Agent status “Not Provisioned”:
@crowdstrike.dev.provisionStatus:"NotProvisioned"
  • Assets with CrowdStrike Agent mode “Reduced Functionality”:
@crowdstrike.dev.reducedFunctionalityMode:"yes"
  • Assets with CrowdStrike Agent status “Normal”:
@crowdstrike.dev.status:"normal"
  • SentinelOne coverage gaps:
not edr.name:Sentinelone AND (type:server OR type:desktop OR type:laptop)
  • Assets with SentinelOne Agent requiring patch:
(alive:t OR scanned:f) AND has:"@sentinelone.dev.appsVulnerabilityStatus" AND @sentinelone.dev.appsVulnerabilityStatus:"=patch_required"
  • Assets missing either CrowdStrike or SentinelOne EDR agents:
(NOT edr.name:crowdstrike AND (type:server OR type:desktop OR type:laptop)) OR (NOT edr.name:sentinelone AND (type:server OR type:desktop OR type:laptop))
  • Miradore coverage gaps:
not source:Miradore AND (os:"google android" OR os:"apple ios") AND type:mobile
  • Microsoft Defender coverage gaps:
not edr.name:"Defender" AND os:Windows
  • Assets not managed by a Microsoft product:
source:runzero AND NOT (source:ms365defender OR source:intune OR source:azuread)
  • Find mobile devices on the network:
(os:"google android" OR os:"apple ios") AND type:mobile
  • Known FCC security threats, like Kaspersky:
alive:t AND edr.name:Kaspersky

Virtual machine configurations

  • Virtual machines with less than 8 GB of memory:
@vmware.vm.config.hardware.memoryMB:<"8192"
  • VMs with less than 16 GB of memory:
@vmware.vm.runtime.maxMemoryUsage:<"16384"
  • Virtual machines that are not syncing time with the host:
@vmware.vm.config.tools.syncTimeWithHost:"False"
  • Virtual machines that are configured with floppy drives:
@vmware.vm.config.extra.floppy0.autodetect:"true"
  • Virtual machines running VMware tools:
@vmware.vm.config.extra.guestinfo.vmtools.versionString:"_"
  • Virtual machines running Windows:
source:VMware AND os:Windows
  • Virtual machines running Linux:
source:VMware AND os:Linux

Vulnerability concerns

  • Rapid7 - fails PCI compliance:
test.pciComplianceStatus:"fail"
  • Tenable - High and Critical severity vulnerabilities that are on CISA’s Known Exploited list:
plugin.xrefs.type:"CISA-KNOWN-EXPLOITED" AND (severity:high OR severity:critical)
  • Tenable - Critical severity vulnerabilities where exploits are available:
plugin.exploitabilityEase:"Exploits are available" AND severity:critical
  • Tenable - High and Critical severity vulnerabilities where exploits are not required:
plugin.exploitabilityEase:"No exploit is required" AND (severity:critical OR severity:high)

Wireless results

  • Search ESSID for authentication exceptions:
essid:"<ESSID>" AND NOT authentication:"wpa2-enterprise"
  • Find unknown BSSIDs broadcasting a known ESSID (exclude known BSSIDs in the query for gap analysis):
essid:="<ESSID>" AND NOT bssid:"<MAC address>"