Perform a search
Cyberwatch allows you to filter information based on several criteria.
It is possible to define pairs in the form keyword:value, which are used to filter the results before they are displayed.
Cyberwatch compares each filter value with the information contained in the database using ‘SQL Like’: any string containing the provided value is retained. A search on “cve:2019” therefore returns every CVE whose code contains “2019”, meaning CVE-2019-0001 but also CVE-2017-2019. Because matching is substring-based there is no exact-match mode: a more specific value narrows the results but does not guarantee a single match, so review the returned list before acting on it.
Search for an asset
The search bar in the upper right corner allows you to view a list of assets according to the characters contained in their names.
When the search returns exactly one result, it redirects to the page containing the details of that asset. When several assets match the criterion, the search displays the list of matching assets.
Search for assets from the Dashboard
Click on the Dashboard tab.
Searching with no keyword filters assets according to their hostname.
The search bar offers an auto-completion of usable keywords.
Here are all available keywords:
- Group: filters assets that are part of the provided group
- Criticality: filters assets based on their criticality
- Category: filters assets based on their category
- Discovery: filters assets belonging to a discovery
- Analysis status: filters assets based on their analysis status (planned analysis / analysis not planned)
- Scan mode: filters assets based on their scan mode or “connector”
- Communication status: filters assets based on their communication status with Cyberwatch (communication failure / communicating)
- Security issue: filters assets affected by the security issue
- Public exploit:Available: filters assets affected by at least one CVE with public exploit available
- Scanning policy: filters assets based on their associated scanning policy
- Repository: filters assets to which this compliance repository is assigned
- Rule name: filters assets on which the compliance rule selected by its name has been tested
- Rule reference: filters assets on which the compliance rule selected by its reference has been tested
- Application:name[:version]: filters assets based on the name and version of an application detected on the asset (the “version” field is optional)
- Port: filters assets based on open ports found by the scans
- Metadata:key[:value]: filters assets based on the presence of a key and value of a metadata found on the asset (the “value” field is optional)
- Service: filters assets based on their detected services
- Address: filters assets with this network address (requires a full IP address)
- IP address range: filters assets with an IP address belonging to the IP address range (requires an IP address range in the format 127.0.0.0/8)
- Operating System: filters assets based on their operating system
- Deploying policy: filters assets based on their assigned deploying policy
- Rebooting policy: filters assets based on their assigned rebooting policy
- Ignoring policy: filters assets based on their assigned ignoring policy
- Patch status: filters assets based on the deployment status of their patches (planned patches / patches not planned)
- Reboot status: filters assets based on their need to be restarted (reboot required / no reboot required)
To view the list of assets in the server_asia group, on which apache 2.1 has been detected, with port 80 detected as open and whose hostname contains “dsi”, type in the search bar:
dsi Group:server_asia Application:apache:2.1 Port:80
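To make the filter semantics concrete, here is an added example (not Cyberwatch code) that models how a query such as the one above is split into free text and keyword:value pairs and then evaluated with the ‘SQL Like’ substring rule described at the top of this page. The Asset fields, the sample records and the choice to apply substring matching uniformly to every field (including Application version and Port) are assumptions of this model.

```python
"""In-memory model of the keyword:value search syntax with LIKE semantics.

Added example, not Cyberwatch code.  Field names and asset records are
constructed for the demonstration; the model applies the documented
"any string containing the value is retained" rule to every field.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    hostname: str
    groups: list = field(default_factory=list)
    applications: list = field(default_factory=list)  # (name, version) tuples
    ports: list = field(default_factory=list)
    cves: list = field(default_factory=list)


def like(haystack, needle):
    """SQL LIKE '%needle%': case-insensitive substring match."""
    return needle.lower() in str(haystack).lower()


def parse_query(query):
    """Split a query into free-text terms and (keyword, [value, sub...]) pairs.

    "Application:apache:2.1" becomes ("application", ["apache", "2.1"]);
    a bare word such as "dsi" is a free-text term (matched on hostname).
    """
    free, filters = [], []
    for token in query.split():
        if ":" in token:
            keyword, *values = token.split(":")
            filters.append((keyword.lower(), values))
        else:
            free.append(token)
    return free, filters


def matches(asset, query):
    free, filters = parse_query(query)
    if not all(like(asset.hostname, term) for term in free):
        return False
    for keyword, values in filters:
        if keyword == "group":
            ok = any(like(g, values[0]) for g in asset.groups)
        elif keyword == "application":
            name = values[0]
            version = values[1] if len(values) > 1 else ""  # optional field
            ok = any(like(n, name) and like(v, version)
                     for n, v in asset.applications)
        elif keyword == "port":
            ok = any(like(p, values[0]) for p in asset.ports)
        elif keyword == "cve":
            ok = any(like(c, values[0]) for c in asset.cves)
        else:
            raise ValueError(f"keyword not modelled here: {keyword}")
        if not ok:
            return False
    return True


def search(assets, query):
    """Return the hostnames of the assets matching every term of the query."""
    return [a.hostname for a in assets if matches(a, query)]


# Constructed sample inventory (not real data).
ASSETS = [
    Asset("dsi-web-01", ["server_asia"], [("apache", "2.1.3")], [22, 80],
          ["CVE-2019-0001"]),
    Asset("dsi-db-02", ["server_asia"], [("mysql", "8.0")], [3306],
          ["CVE-2017-2019"]),
    Asset("web-eu-03", ["server_europe"], [("apache", "2.1.3")], [80],
          ["CVE-2021-44228"]),
]

if __name__ == "__main__":
    print(search(ASSETS, "dsi Group:server_asia Application:apache:2.1 Port:80"))
    # The substring rule is what makes CVE-2017-2019 show up for "CVE:2019".
    print(search(ASSETS, "CVE:2019"))
```

The second query in the block is the point to remember: a short value is a substring filter, so a search on a year also matches codes where that number appears as the sequence part.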
Search for assets from the Inventory
Searches that can be performed from the assets Inventory are similar to those that can be done from the Dashboard.
The inventory search bar offers complementary keywords and still supports former keywords historically used in the application.
Here are keywords proposed by the search bar through an auto-completion to filter the assets display:
- Group: returns assets that are part of the provided group
Combinatorial filters are possible with the Group keyword. By selecting the Group filter, operators are available:
- ||: returns assets with at least one of the specified groups
- =: returns assets that have all of the specified groups
- !=: returns assets that do not have the specified groups
For example, this search:
(Group || Windows) (Group || Ubuntu) (Group = Admin) (Group = Web) (Group != Up_To_Date)
will display assets that necessarily have the Admin and Web groups, that at least have the Windows or Ubuntu group but don’t have the Up_To_Date group.
- Criticality: returns assets based on their criticality
- Category: returns assets based on their category
- Discovery: filters assets belonging to a discovery
- Analysis status: returns assets based on their analysis status (planned analysis / analysis not planned)
- Scan mode: returns assets based on their scan mode or “connector”
- Communication status: returns assets based on their communication status with Cyberwatch (communication failure / communicating)
- Security issue: returns assets affected by the security issue
- Public exploit:Available: returns assets affected by at least one CVE with public exploit available
- Scanning policy: returns assets based on their associated scanning policy
- CVE: returns assets affected by the given CVE
- Vulnerabilities status: returns assets based on the presence of vulnerabilities (present vulnerabilities / high-priority vulnerabilities / no CVE detected)
- Repository: returns assets to which this compliance repository is assigned
- Rule name: returns assets on which the compliance rule selected by its name has been tested
- Rule reference: returns assets on which the compliance rule selected by its reference has been tested
- Application:name[:version]: returns assets based on the name and version of an application detected on the asset (the “version” field is optional)
- Port: returns assets based on open ports found by the scans
- Metadata:key[:value]: returns assets based on the presence of a key and value of a metadata found on the asset (the “value” field is optional)
- Service:name:status: returns assets based on their detected services name and their status (the “status” field is optional)
- Address: returns assets with this network address (requires a full IP address; it is not possible to search by IP range here)
- Operating System: returns assets based on their operating system
- Deploying policy: returns assets based on their assigned deploying policy
- Rebooting policy: returns assets based on their assigned rebooting policy
- Ignoring policy: returns assets based on their assigned ignoring policy
- Patch status: returns assets based on the deployment status of their patches (planned patches / patches not planned)
- Reboot status: returns assets based on their need to be restarted (reboot required / no reboot required)
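The Group operators described above (||, =, !=) combine differently from the plain keyword filters, so here is an added example (not Cyberwatch code) that evaluates the documented combination rules over a constructed inventory: all (Group || X) clauses are OR-ed together, every (Group = X) clause must hold, and every (Group != X) clause excludes the group. Group names are compared exactly here, which is an assumption of the model.

```python
"""Evaluator for the Inventory "Group" operators (||, =, !=).

Added example, not Cyberwatch code.  Models the documented semantics:
  (Group || X)  at least one of the || groups must be present
  (Group = X)   every = group must be present
  (Group != X)  none of the != groups may be present
Asset data is constructed; exact group-name comparison is an assumption.
"""
import re

# One parenthesised clause: (Group <op> <name>)
CLAUSE = re.compile(r"\(\s*Group\s*(\|\||!=|=)\s*([^)\s]+)\s*\)")


def parse_group_clauses(query):
    """Return (any_of, all_of, none_of) sets extracted from the query."""
    any_of, all_of, none_of = set(), set(), set()
    buckets = {"||": any_of, "=": all_of, "!=": none_of}
    for op, group in CLAUSE.findall(query):
        buckets[op].add(group)
    return any_of, all_of, none_of


def group_filter(asset_groups, query):
    """True if the asset's groups satisfy every clause of the query."""
    any_of, all_of, none_of = parse_group_clauses(query)
    groups = set(asset_groups)
    if any_of and not (groups & any_of):   # needs at least one || group
        return False
    if not all_of <= groups:               # needs every = group
        return False
    if groups & none_of:                   # must not carry a != group
        return False
    return True


def filter_assets(assets, query):
    """Return the hostnames (in inventory order) that pass the group filter."""
    return [name for name, groups in assets.items()
            if group_filter(groups, query)]


# Constructed sample inventory: hostname -> groups (not real data).
ASSETS = {
    "win-admin-01": ["Windows", "Admin", "Web"],
    "ubu-admin-02": ["Ubuntu", "Admin", "Web", "Up_To_Date"],
    "ubu-web-03":   ["Ubuntu", "Web"],
    "deb-admin-04": ["Debian", "Admin", "Web"],
}

QUERY = ("(Group || Windows) (Group || Ubuntu) "
         "(Group = Admin) (Group = Web) (Group != Up_To_Date)")

if __name__ == "__main__":
    print(filter_assets(ASSETS, QUERY))
```

Only win-admin-01 survives the documented query: ubu-admin-02 is removed by the != clause, ubu-web-03 lacks Admin, and deb-admin-04 has neither Windows nor Ubuntu.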
Here are the keywords historically used and still supported at the date of redaction of this documentation:
- target_package:name:version: returns assets based on the name and version of an available patch for the asset
These keywords must be fully typed in the search bar, no auto-completion is provided.
Search from an asset page
Search for vulnerabilities
From the Vulnerabilities tab of an asset view, searching with no keyword returns vulnerabilities according to the CVE code.
The keyword techno returns vulnerabilities affecting the concerned technology.
To reach CVE-2019-1365 directly, type in the search bar:
CVE-2019-1365
To view the list of CVE whose code contains “2019” and which affect a technology whose name contains “forticlient”, type in the search bar:
2019 techno:forticlient
Search for an application
This search can be performed from the “Technologies” tab of an asset view.
To view the list of all java applications, type in the search bar:
java
Search for fixes
This search can be performed from the “Patch management” tab of an asset view.
Searching with no keyword returns patches according to the name of the technology corrected by the patch.
The keyword cve returns patches according to the CVE they fix.
To find patches correcting CVE-2019-1365 that apply to technologies containing “libsqlite” in their name, type in the search bar:
libsqlite cve:2019-1365
Search for metadata
This search can be performed from the “Metadata” tab of an asset view.
Searching with no keyword returns metadata according to the key of the metadata.
The keyword “value” returns metadata according to the value of the metadata.
As an example, to find a specific version of the bios, type in the search bar:
bios-version value:6
Search for services
This search can be performed from the “Services” tab of an asset view.
Searching with no keyword returns services according to their name.
The keyword “status” returns services based on their startup type.
For example, to find the Cyberwatch agent service with an automatic startup type, type in the search bar:
CyberwatchService status:auto
Look for vulnerabilities in the encyclopedia
Searching from the Vulnerability Encyclopedia works the same way as it does in the Inventory.
Searching with no keyword returns vulnerabilities according to the CVE code.
Here is the list of available keywords through auto-completion:
- Severity: returns vulnerabilities based on their severity
- Exploit level: returns vulnerabilities based on their exploit level
- Attack Vector: returns vulnerabilities based on their attack vector (Physical / Local / Adjacent network / Network)
- Status: returns vulnerabilities based on their presence on assets (Present vulnerabilities / High-priority vulnerabilities)
- Asset: returns vulnerabilities based on the name of an asset they affect
- CVE: returns vulnerabilities based on their CVE code (same as search with no keyword)
- CWE: returns vulnerabilities based on their CWE
- Group: returns vulnerabilities affecting the assets in the specified group (To be used with the “Status:Present vulnerabilities” filter)
- Technology: returns vulnerabilities based on the technology or vendor technology impacted
- Attack technique: returns vulnerabilities linked to an attack technique
- Attack pattern: returns vulnerabilities linked to an attack pattern (CAPEC)
- Attack software: returns vulnerabilities linked to an attack software
- Reference: returns vulnerabilities related to the reference (more details in the “Search by reference” section of this page)
- Catalog: returns vulnerabilities linked to a catalog like the CISA KEV
- SSVC: returns vulnerabilities with the specified SSVC decision on at least one asset
To view the list of CVE affecting assets whose names contain “win” and are part of the group ‘production’, concerning SMB provided by Microsoft and are related to a security bulletin whose code contains “MS17-010”, select in the search bar:
Technology:microsoft:server_message_block Status:Present vulnerabilities Asset:win Group:production Reference:MS17-010
In the same way as for the Inventory, some former keywords are still supported and can be used to perform searches, without auto-completion:
- days_from:N: returns vulnerabilities that were published less than N days ago
- days_to:N: returns vulnerabilities that were published more than N days ago
Search by Reference
The Reference keyword returns CVEs related to security alerts or references whose unique identifiers match the given value.
Here is a list of the identifier prefixes, depending on the issuer of the bulletin:
- ADV: for Microsoft Security Advisory (example: ADV200002)
- ALAS: for Amazon Linux AMI Security Advisory (example: ALAS-2020-1376)
- APSB: Adobe Security Bulletin (example: APSB20-13)
- ASA: for Arch Linux (example: ASA-202005-7)
- CESA: for CentOS (example: CESA-2020:2050)
- CERTA: for ANSSI (example: CERTA-2013-AVI-198)
- CERTFR: for ANSSI (example: CERTFR-2020-AVI-338)
- CISCO-SA: for Cisco Security Advisory (example: cisco-sa-asr920-ABjcLmef)
- CPU: for Oracle Critical Patch Update advisory (example: CPUApr2020_14)
- DSA: for Debian (example: DSA-4683-1)
- DLA: for Debian LTS (example: DLA-2233-1)
- ELSA: for Oracle (example: ELSA-2020-2103)
- FG-IR: for FortiGuard (example: FG-IR-18-230)
- GPCON: for Cisco (example: GPCON-551)
- HT: for Apple (example: HT211168)
- HUAWEI-SA: for Huawei (example: huawei-sa-20200415-01-oob)
- ICSMA: for CISA ICS (example: icsma-22-277-01)
- MAU: for Microsoft Auto Update (example: MAU)
- MFSA: for Mozilla (example: MFSA2020-15)
- MS: for Microsoft (example: MS16-148)
- PAN: for Palo Alto Networks (example: PAN-100415)
- PAN-SA: for Palo Alto Network Security Advisories (example: PAN-SA-2019-0038)
- PHSA: for Photon OS (example: PHSA-2020-3.0-0089)
- RHSA: for Red Hat (example: RHSA-2020:2291)
- SEVD: for Schneider Electric (example: SEVD-2021-222-01)
- SSA: for Siemens (example: SSA-997732)
- SUSE-SU: for SUSE Security Update (example: SUSE-SU-2020:1289)
- USN: for Ubuntu (example: USN-4371-1)
- VDE: for VDE (example: VDE-2021-001)
- VMSA: for VMware (example: VMSA-2020-0011_CVE-2020-3957)
- VU#: for Carnegie Mellon University (example: VU#914124)
- ZDI: for Zero Day Initiative Advisory Details (example: ZDI-20-675)
To list vulnerabilities mentioned in security bulletins issued by Arch Linux, select in the search bar:
Reference:ASA
Since the comparison is a substring match, keep the prefix specific: a value such as Reference:SA would also match identifiers of other issuers (CISCO-SA, PAN-SA, PHSA, RHSA, VMSA, ...).
Filter related assets from a vulnerability page
Click on ‘Vulnerability Encyclopedia’, then click on a CVE code.
These searches are performed on the assets listed in the “Related assets” section of the vulnerability page.
Searching with no keyword returns assets according to their hostname.
The keyword group allows you to filter assets based on the group they belong to.
To view the list of all assets whose name contains the word “srv_prd”, type in the search bar:
srv_prd
Search from the list of security issues
From the list of security issues, searching with no keyword returns security issues according to their title.
The same way the vulnerability encyclopedia works, the search bar offers keywords through auto-completion:
- Severity: returns security issues based on their severity
- Status: returns present security issues
- CVE: returns security issues based on their related CVEs
- Technology: returns security issues for which the technology is affected by at least one CVE related to the security issue
- Group: returns security issues affecting assets that belong to the given group
- Rule reference: returns security issues by their reference which is a unique key used to identify a security issue
To list security issues whose title contains “POODLE”, related to the vulnerability “CVE-2014-3566”, on assets that belong to the group “production” and for which one of the technologies impacted by the related CVEs is “netbsd”, select in the search bar:
POODLE CVE:CVE-2014-3566 Group:production Technology:netbsd