Perform a search

Cyberwatch allows you to filter information based on several criteria.

It is possible to define couples in the form keyword:value which will be used to filter the results before displaying them.

Cyberwatch compares the value of the filters with the information contained in the database via ‘SQL Like’. Any string containing the provided value is retained. Thus a search on “cve:2019” will return all CVE whose CVE code contains “2019”, meaning CVE-2019-0001 but also CVE-2017-2019.

Search for an asset

The search bar in the upper right corner allows you to view a list of assets according to the characters contained in their names.

When the search returns only one result, it redirects to the page containing the details of the asset concerned. When several assets can match the criterion, the search redirects to the details of this asset.

Search for assets from the Dashboard

Click on the Dashboard tab.

Searching with no keyword filters assets according to their hostname.

The search bar offers an auto-completion of usable keywords.

Here are all available keywords:

  • Group: filters assets that are part of the provided group;
  • Criticality: filters assets based on their criticality;
  • Category: filters assets based on their category;
  • Analysis status: filters assets based on their analysis status (planned analysis / analysis not planned);
  • Scan mode: filters assets based on their scan mode or “connector”;
  • Communication status: filters assets based on their communication status with Cyberwatch (communication failure / communicating);
  • Security issue: filters assets affected by the security issue;
  • Public exploit:Available: filters assets affected by at least one CVE with public exploit available;
  • Scanning policy: filters assets based on their associated scanning policy;
  • Repository: filters assets who have this compliance repository affected;
  • Rule name: filters assets on which the compliance rule selected by its name has been tested;
  • Rule reference: filters assets on which the compliance rule selected by its reference has been tested;
  • Application:name[:version]: filters assets based on the name and version of an application detected on the asset (the “version” field is optional);
  • Port: filters assets based on open ports found by the scans;
  • Metadata:key[:value]: filters assets based on the presence of a key and value of a metadata found on the asset (the “value” field is optional);
  • Service: filters assets based on their detected services;
  • Address: filters assets with this network address (requires a full IP address, it is not possible to search by IP range);
  • Operating System: filters assets based on their operating system;
  • Deploying policy: filters assets based on their affected deploying policy;
  • Rebooting policy: filters assets based on their affected rebooting policy;
  • Ignoring policy: filters assets based on their affected ignoring policy;
  • Patch status: filters assets based on the deployment status of their patches (planned patches / patches not planned);
  • Reboot status: filters assets based on their need to be restarted (reboot required / no reboot required).

To view the list of assets, part of server_asia group, where apache 2.1 has been detected, with port 80 detected as open and whose hostname contains “dsi”, type in the search bar:

dsi Group:server_asia Application:apache:2.1 Port:80

Search for assets from the Inventory

Searches that can be performed from the assets Inventory are similar to those that can be done from the Dashboard.

The inventory search bar offers complementary keywords and still supports former keywords historically used in the application.

Here are keywords proposed by the search bar through an auto-completion to filter the assets display:

  • Group: returns assets that are part of the provided group;
  • Criticality: returns assets based on their criticality;
  • Category: returns assets based on their category;
  • Analysis status: returns assets based on their analysis status (planned analysis / analysis not planned);
  • Scan mode: returns assets based on their scan mode or “connector”;
  • Communication status: returns assets based on their communication status with Cyberwatch (communication failure / communicating);
  • Security issue: returns assets affected by the security issue;
  • Public exploit:Available: returns assets affected by at least one CVE with public exploit available;
  • Scanning policy: returns assets based on their associated scanning policy;
  • CVE: returns assets affected by the given CVE;
  • Vulnerabilities status: returns assets based on the presence of vulnerabilities (present vulnerabilities / high-priority vulnerabilities / no CVE detected);
  • Repository: returns assets who have this compliance repository affected;
  • Rule name: returns assets on which the compliance rule selected by its name has been tested;
  • Rule reference: returns assets on which the compliance rule selected by its reference has been tested;
  • Application:name[:version]: returns assets based on the name and version of an application detected on the asset (the “version” field is optional);
  • Port: return assets based on open ports found by the scans;
  • Metadata:key[:value]: returns assets based on the presence of a key and value of a metadata found on the asset (the “value” field is optional);
  • Service:name:status: returns assets based on their detected services name and their status (the “status” field is optional);
  • Address: returns assets with this network address (requires a full IP address, it is not possible to search by IP range);
  • Operating System: returns assets based on their operating system;
  • Deploying policy: returns assets based on their affected deploying policy;
  • Rebooting policy: returns assets based on their affected rebooting policy;
  • Ignoring policy: returns assets based on their affected ignoring policy;
  • Patch status: returns assets based on the deployment status of their patches (planned patches / patches not planned);
  • Reboot status: returns assets based on their need to be restarted (reboot required / no reboot required).

Here are the keywords historically used and still supported at the date of redaction of this documentation:

  • target_package:name:version: returns assets based on the name and version of an available patch for the asset;

These keywords must be fully typed in the search bar, no auto-completion is provided.

Search from an asset page

Search for vulnerabilities

From the Vulnerabilities tab of an asset view, searching with no keyword returns vulnerabilities according to the CVE code.

The keyword techno returns vulnerabilities affecting the concerned technology.

To reach CVE-2019-1365 directly, type in the search bar:

CVE-2019-1365

To view the list of CVE whose code contains “2019”, corrected by the patch whose title contains the term “forticlient”, type in the search bar:

2019 techno:forticlient

Search for an application

This search can be performed from the “Technologies” tab of an asset view.

To view the list of all java applications, type in the search bar:

java

Search for fixes

This search can be performed from the “Patch management” tab of an asset view.

Searching with no keyword returns patches according to the name of the technology corrected by the patch.

The keyword cve returns patches according to the CVE they fix.

To find patches correcting the CVE 2019-1365, that applies to technologies containing “libsqlite” in their name, type in the search bar:

libsqlite cve:2019-1365

Search for metadata

This search can be performed from the “Metadata” tab of an asset view.

Searching with no keyword returns metadata according to the key of the metadata.

The keyword “value” returns metadata according to the value of the metadata.

As an example, to find a specific version of the bios, type in the search bar:

bios-version value:6

Search for services

This search can be performed from the “Services” tab of an asset view.

Searching with no keyword returns services according to their name.

The keyword “status” returns services based on their startup type.

Example, to find the Cyberwatch agent service with an automatic startup type, type in the search bar:

CyberwatchService status:auto

Look for vulnerabilities in the encyclopedia

Searching from the Vulnerability Encyclopedia works the same way as it does in the Inventory.

Searching with no keyword returns vulnerabilities according to the CVE code.

Here is the list of available keywords through auto-completion:

  • Severity: returns vulnerabilities based on their severity;
  • Exploit level: returns vulnerabilities based on their exploit level;
  • Attack Vector: returns vulnerabilities based on their attack vector (Physical / Local / Adjacent network / Network);
  • Status: returns vulnerabilities based on their presence on assets (Present vulnerabilities / High-priority vulnerabilities);
  • Asset: returns vulnerabilities based on the name of an asset they affect;
  • CVE: returns vulnerabilities based on their CVE code (same as search with no keyword);
  • CWE: returns vulnerabilities based on their CWE;
  • Group: returns vulnerabilities affecting the assets in the specified group. (To be used with the “Status:Present vulnerabilities” filter);
  • Technology: returns vulnerabilities based on the technology or vendor technology impacted;
  • Attack technique: returns vulnerabilities linked to an attack technique;
  • Attack pattern: returns vulnerabilities linked to an attack pattern (CAPEC);
  • Attack software: returns vulnerabilities linked to an attack software;
  • Reference: returns vulnerabilities related to the reference (more details in the “Search by reference” section of this page).
  • Catalog: returns vulnerabilities linked to a catalog like the CISA KEV;

To view the list of CVE affecting assets whose names contain “win” and are part of the group ‘production’, concerning SMB provided by Microsoft and are related to a security bulletin whose code contains “MS17-010”, select in the search bar:

Technology:microsoft:server_message_block Status:Present vulnerabilities Asset:win Group:production Reference:MS17-010

In the same way as it is done for the Inventory, some former keywords are still supported and can be used to perform searches with no auto-completion:

  • days_from:N: returns vulnerabilities that were published less than N days ago;
  • days_to:N: returns vulnerabilities that were published more than N days ago.

Search by Reference

The Reference keyword returns CVEs related to security alerts or references whose unique identifiers are matching.

Here is a list of the security alerts prefix of these identifiers, depending on the issuer of the bulletin:

  • ADV: for Microsoft Security Advisory (example: ADV200002);
  • ALAS: for Amazon Linux AMI Security Advisory (example: ALAS-2020-1376);
  • APSB: Adobe Security Bulletin (example: APSB20-13);
  • ASA: for Arch Linux (example: ASA-202005-7);
  • CESA: for CentOS (example: CESA-2020: 2050);
  • CERTA: for ANSSI (example: CERTA-2013-AVI-198);
  • CERTFR: for ANSSI (example: CERTFR-2020-AVI-338);
  • CISCO-SA: for Cisco Security Advisory (example: cisco-sa-asr920-ABjcLmef);
  • CPU: for Oracle Critical Patch Update advisory (example: CPUApr2020_14);
  • DSA: for Debian (example: DSA-4683-1);
  • DLA: for Debian LTS (example: DLA-2233-1);
  • ELSA: for Oracle (example: ELSA-2020-2103);
  • FG-IR: for FortiGuard (example: FG-IR-18-230);
  • GPCON: for Cisco (example: GPCON-551);
  • HT: for Apple (example: HT211168);
  • HUAWEI-SA: for Huawei (example: huawei-sa-20200415-01-oob);
  • ICSMA: for CISA ICS (example: icsma-22-277-01);
  • MAU: for Microsoft Auto Update (example: MAU);
  • MFSA: for Mozilla (example: MFSA2020-15);
  • MS: for Microsoft (example: MS16-148);
  • PAN: for Cisco (example: PAN-100415);
  • PAN-SA: for Palo Alto Network Security Advisories (example: PAN-SA-2019-0038);
  • PHSA: for Photon OS (example: PHSA-2020-3.0-0089);
  • RHSA: for Red Hat (example: RHSA-2020: 2291);
  • SEVD: for Schneider Electric (example: SEVD-2021-222-01);
  • SSA: for Siemens (example: SSA-997732);
  • SUSE-SU: for SUSE Security Update (example: SUSE-SU-2020: 1289);
  • USN: for Ubuntu (example: USN-4371-1);
  • VDE: for VDE (example: VDE-2021-001);
  • VMSA: for VMware (example: VMSA-2020-0011_CVE-2020-3957);
  • VU#: for Carnegie Mellon University (example: VU#914124);
  • ZDI: for Zero Day Initiative Advisory Details (example: ZDI-20-675).

To list vulnerabilities mentioned in security bulletins issued by Arch Linux, select in the search bar:

Reference:ASA

These searches are performed on assets present in the “Related assets” of a vulnerability page.

Searching with no keyword returns assets according to their hostname.

Click on ‘Vulnerability Encyclopedia’, then click on a CVE code.

The keyword group allows you to filter assets based on an asset name’s group.

To view the list of all assets whose name contains the word “srv_prd”, type in the search bar:

srv_prd

Search from the list of security issues

From the list of security issues, searching with no keyword returns security issues according to their title.

The same way the vulnerability encyclopedia works, the search bar offers keywords through auto-completion:

  • Severity: returns security issues based on their severity rate;
  • Status: returns present security issues;
  • CVE: returns security issues based on their related CVEs;
  • Technology: returns security issues based on the technology affected to at least one CVE related to the security issue;
  • Group: returns security issues affecting assets that belong to the given group;
  • Rule reference: returns security issues by their reference, which is a unique key used to identify a security issue.

To list security issues whose title contains “POODLE”, related to the vulnerability “CVE-2014-3566”, on assets that belong to the group “production” and for which one of the technologies impacted by the related CVEs is “netbsd”, select in the search bar:

POODLE CVE:CVE-2014-3566 Group:production Technology:netbsd

Table of contents


Back to top