Query examples

There are endless ways to combine terms and operators into effective queries, and the examples below can be used as-is OR adjusted to meet your needs.

Network configurations and access

  • Multihomed assets with public AND private IP addresses:
alive:t AND has_public:t AND has_private:t
  • Default SSH configuration using passwords for authentication:
alive:t AND protocol:"ssh" AND ssh.authMethods:"=password"
  • Microsoft FTP servers:
alive:t AND protocol:"ftp" AND banner:"=%Microsoft FTP%"
  • Remote access services/protocols:
protocol:rdp OR protocol:vnc OR protocol:teamviewer
  • Assets with public IPs running remote access services:
has_public:t AND alive:t AND (protocol:rdp OR protocol:vnc OR protocol:teamviewer)
  • Less secure ports open:
port:21 OR port:23 OR port:80 OR port:443 OR port:139 OR port:445 OR port:3306 OR port:1433 OR port:161 OR port:8080 OR port:3389 OR port:5900
  • Telnet on nondefault ports:
protocol:telnet AND NOT port:23

Asset lifecycle and legacy hardware

  • End of Life assets:
os_eol:<now
  • Asset serial numbers:
protocol:snmp has:snmp.serialNumbers
  • Older Windows OSes:
os:"Windows Server 2012" OR os:"Windows 7"
  • Older Linux OSes:
os:linux AND os_eol:<now

Misconfigurations

  • SMBv1:
protocol:"smb1"
  • Remote access with common services:
protocol:rdp OR protocol:vnc OR protocol:teamviewer OR protocol:spice OR protocol:pca
  • Switches with default configurations for web access:
type:switch AND (_asset.protocol:http AND NOT _asset.protocol:tls) AND ( html.inputs:"password:" OR last.html.inputs:"password:" OR has:http.head.wwwAuthenticate OR has:last.http.head.wwwAuthenticate )
  • Default SSH configurations using passwords for authentication:
alive:t AND protocol:"ssh" AND ssh.authMethods:"=password"
  • Switches using Telnet or HTTP for remote access:
type:switch AND (protocol:telnet OR protocol:http)
  • Microsoft FTP servers:
alive:t AND protocol:"ftp" AND banner:"=%Microsoft FTP%"
  • Virtual machines that are not syncing time with the host:
@vmware.vm.config.tools.syncTimeWithHost:"False"

Weak configurations

  • Telnet (vs. SSH):
protocol:telnet
  • FTP on ports 10-21 (vs. FTPS on port 990):
protocol:ftp
  • FTP on ports 20-21 (vs. SCP on port 22):
protocol:ftp
  • HTTP on port 80 (vs. HTTPS on port 443):
protocol:http
  • SSH versions < 2.0:
protocol:ssh AND NOT banner:"SSH-2.0"
  • TLS:
tls.versionName:"=TLSv1.3" OR tls.versionName:"=TLSv1.2" OR tls.versionName:"=TLSv1.1" OR tls.versionName:"=TLSv1.0"
  • LDAP on port 389 (vs. LDAPS on port 636):
protocol:ldap OR port:389
  • Wireless access points without WPA authentication:
not authentication:WPA

EDR / MDM

  • CrowdStrike coverage gaps:
not edr.name:Crowdstrike AND (type:server OR type:desktop OR type:laptop)
  • SentinelOne coverage gaps:
not edr.name:Sentinelone AND (type:server OR type:desktop OR type:laptop)
  • Miradore coverage gaps:
not source:Miradore AND (os:google android OR os:apple ios) AND type:mobile
  • Find mobile devices on the network:
(os:google android OR os:apple ios) AND type:mobile
  • Known FCC security threats, like Kaspersky:
alive:t AND edr.name:Kaspersky

Virtual machine configurations

  • Virtual machines with less than 8 GB of memory:
@vmware.vm.config.hardware.memoryMB:<"8192"
  • Virtual machines that are NOT syncing time with the host:
@vmware.vm.config.tools.syncTimeWithHost:"False"
  • Virtual machines that are configured with floppy drives:
@vmware.vm.config.extra.floppy0.autodetect:"true"
  • Virtual machines running VMware tools:
@vmware.vm.config.extra.guestinfo.vmtools.versionString:"_"
  • Virtual machines running Windows:
source:VMware AND os:Windows
  • Virtual machines running Linux:
source:VMware AND os:Linux
  • Microsoft Defender coverage gaps:
not edr.name:"Defender" AND os:Windows
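The intro above says terms and operators can be combined freely, and several of the queries on this page depend on how AND, OR, NOT and parentheses bind: `type:switch AND protocol:telnet OR protocol:http` reads very differently from `type:switch AND (protocol:telnet OR protocol:http)`, and a coverage-gap query such as `not edr.name:Crowdstrike AND (type:server OR ...)` only finds the right assets if NOT applies to the single term and not to the whole expression. The following is an added example, not the product's own query engine: a toy Python evaluator for a subset of this syntax, run over a constructed six-asset inventory whose keys mirror the page's field names. It assumes conventional search precedence (NOT, then AND, then OR), case-insensitive substring matching for plain values, `=` for exact match with `%` as a wildcard, numeric `<`/`>`, and `has:` as a presence test; the asset names and values are invented for the demonstration.

```python
"""Toy evaluator for the query syntax on this page, to show how AND / OR / NOT and
parentheses combine. Added example, not the product's own query engine. Assumptions
(toy only): AND binds tighter than OR, NOT is a prefix, values match as case-insensitive
substrings, a leading '=' is an exact match with '%' as wildcard, '<' / '>' compare
numerically, has:field tests presence, and a list-valued field matches on any item."""
import re

# token: '(' | ')' | field:"quoted value" | bare word such as AND or has_public:t
TOKEN_RE = re.compile(r'\(|\)|[^\s()"]+:"[^"]*"|[^\s()]+')


class Parser:
    def __init__(self, query):
        self.toks, self.i = TOKEN_RE.findall(query), 0
    def peek(self):                      # upper-cased so 'not' and 'NOT' both work
        return self.toks[self.i].upper() if self.i < len(self.toks) else ""
    def take(self):
        self.i += 1
        return self.toks[self.i - 1]
    def parse_or(self):                  # lowest precedence: a AND b OR c == (a AND b) OR c
        node = self.parse_and()
        while self.peek() == "OR":
            self.take()
            node = ("or", node, self.parse_and())
        return node
    def parse_and(self):
        node = self.parse_not()
        while self.peek() == "AND":
            self.take()
            node = ("and", node, self.parse_not())
        return node
    def parse_not(self):                 # highest precedence; also handles ( ... ) and terms
        if self.peek() == "NOT":
            self.take()
            return ("not", self.parse_not())
        tok = self.take()
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("unbalanced parentheses in query")
            return node
        field, _, value = tok.partition(":")
        return ("term", field, value.strip('"'))


def term_matches(field, value, asset):
    """Match one field:value term against a flat asset dict."""
    if field.lower() == "has":
        return asset.get(value) not in (None, "", [])
    actual = asset.get(field)
    for v in (actual if isinstance(actual, list) else [actual]):
        if v is None:                                    # field absent on this asset
            return False
        if isinstance(v, bool):                          # alive:t, has_public:f
            return v == (value.lower() in ("t", "true"))
        if value[:1] in ("<", ">"):                      # memoryMB:<"8192"
            try:
                lhs, rhs = float(v), float(value[1:].strip('"'))
            except ValueError:
                continue
            if (lhs < rhs) if value[0] == "<" else (lhs > rhs):
                return True
            continue
        s = str(v).lower()
        if value.startswith("="):                        # exact match, % is a wildcard
            if re.fullmatch(re.escape(value[1:].lower()).replace("%", ".*"), s):
                return True
        elif value.lower() in s:
            return True
    return False


def matches(node, asset):
    op = node[0]
    if op == "term":
        return term_matches(node[1], node[2], asset)
    if op == "not":
        return not matches(node[1], asset)
    left, right = matches(node[1], asset), matches(node[2], asset)
    return (left or right) if op == "or" else (left and right)


def run_query(query, assets):
    """Names of the assets the query selects, in inventory order."""
    tree = Parser(query).parse_or()
    return [a["name"] for a in assets if matches(tree, a)]


# constructed sample inventory (not real data); keys mirror the page's field names
INVENTORY = [
    {"name": "sw-core-1", "alive": True, "type": "switch", "protocol": ["telnet", "snmp"], "has_public": False, "has_private": True},
    {"name": "web-dmz-1", "alive": True, "type": "server", "protocol": ["http", "tls", "ssh"], "has_public": True, "has_private": True, "edr.name": "Crowdstrike"},
    {"name": "jump-1", "alive": True, "type": "server", "protocol": ["rdp"], "has_public": True, "has_private": False, "@vmware.vm.config.hardware.memoryMB": 4096},
    {"name": "lt-finance-7", "alive": True, "type": "laptop", "protocol": [], "has_public": False, "has_private": True, "edr.name": "Sentinelone"},
    {"name": "ftp-legacy", "alive": True, "type": "server", "protocol": ["ftp"], "banner": "220 Microsoft FTP Service", "has_public": False, "has_private": True},
    {"name": "cam-lobby", "alive": True, "type": "camera", "protocol": ["http"], "has_public": False, "has_private": True},
]

if __name__ == "__main__":
    for q in ("type:switch AND protocol:telnet OR protocol:http",      # reads as (switch AND telnet) OR http
              "type:switch AND (protocol:telnet OR protocol:http)",    # what the page intends
              "not edr.name:Crowdstrike AND (type:server OR type:desktop OR type:laptop)"):
        print(q, "->", run_query(q, INVENTORY))
```

Run as a script, the unparenthesised switch query returns the switch plus every HTTP device on the inventory (the DMZ web server and a camera), while the parenthesised form returns only the switch; the CrowdStrike gap query returns the jump host, the laptop running a different agent and the legacy FTP server, and excludes the one server that has the agent. The same harness accepts the other queries on this page that use only these constructs, which makes it a quick way to sanity-check an edited query against a handful of known assets before relying on it for a coverage report.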