How to use the search grammar in the search fields in order to find assets, vulnerabilities or activity log events.
Search Grammar
Delve allows you to pass custom search queries to refine current view results using the following operators. Query examples for each context are provided.
Minus Sign
Use the minus sign in order to find items that exclude a particular word or words.
Minus sign can prefix any query.
For instance, if you want "example" but exclude ".net" you can use the following query:
example -.net
Double Quotes
Use double quotes in order to find items that contain an exact word or phrase.
Quotes may be used to match items with multiple words.
"example.com"
"some phrases to match"
Custom query structure
You can filter items with the custom query with the following syntax <OPERATOR>:<OPERAND>
Operators can be anything valid for the current context.
Operand contain the word or words to search for.
For instance, you can find all the servers that have the 22/tcp port open but not matching a specific tag:
port:22/tcp -tag:"My Tag"
Comparators
You can use query operator with the following structure <OPERATOR>:<OPERAND><COMPARATOR><VALUE>
Supported operators are: =, >, <, >= and <=.
A comparator must follow an operator value.
Value may be a word or words with quotes.
For instance, you can look for specific software versions using comparators:
software:nginx>1.0
software:"Microsoft Windows"<10
software:ssh="2.0-OpenSSH_7.2p2"
Logical operators
You can use logical operators while doing a search such as AND, OR, NOT with or without the combination of parentheses.
For instance, you can look for any banner that mentions "ssh" for machines of two specific OSes:
(os:Ubuntu OR os:windows) AND banner:ssh
Or combine these operators to look for new vulnerabilities excluding certain network segments:
is:new AND NOT (192.168.10.0/24 OR 192.168.20.0/24)
Search Operators in their specific view context
Some search queries only apply to a specific view in Delve, here are examples of the supported search queries in their context.
Each of the following query example can be combined to refine your results.
Find Servers running nginx greater than 1.0 with the "production" tag and using the Edge Service named Office:
software:nginx>1.0 tag:production edge:Office
Find Vulnerabilities related to a specific CVE number but excluding a certain IP range.
CVE-2017-1020 -192.168.0.0/24
Find Vulnerabilities related to a specific CVE number but excluding a certain OS name.
cve:CVE-2017-7679 -os:"Debian Linux 8.0"
Find Servers with port 4422 open, that run a specific OpenSSH version, with the "PROD" tag and not running nginx later than 1.11:
port:4422/tcp=open software:ssh="2.0-OpenSSH_7.4p1" tag:PROD -software:nginx>1.11
Find Websites with an IP ending in 240 that run OpenSSL later than 1.0.1:
ip:*.*.*.240 software:OpenSSL>=1.0.1
Vulnerabilities
| Query | Output |
| wordpress | Vulnerabilities containing the wordpress token |
| -XSS | Vulnerabilities not containing XSS |
| score:10.00 | Vulnerabilities greater OR equal to a certain Contextual Prioritization Score (>=) |
| -score:8 | Vulnerabilities lower than a certain Contextual Prioritization Score (<) |
| cvss:10.0 | Vulnerabilities greater OR equal to a certain CVSS Score (>=) |
| -cvss:8 | Vulnerabilities lower than a certain CVSS Score (<) |
| cve:CVE-2017-1020 | Vulnerabilities associated to a CVE number |
| -CVE-2017-1020 | Vulnerabilities not associated to a CVE number |
| os:"Debian Linux 8.0" | Vulnerabilities affecting assets with "Debian Linux 8.0" as OS name |
| tag:production | Vulnerabilities tagged "production" |
| edge:"Office" | Vulnerabilities related to the Edge Service "Office" |
| cip:192.*.10.* | Vulnerabilities affecting assets with IP parts p1= 192 and p3 = 10 |
| 192.168.0.0/24 | Vulnerabilities related to a range |
| 192.168.10.127 | Vulnerabilities related to a server |
| example.com | Vulnerabilities related to a website |
Websites
| Query | Output |
| example.com | Websites containing example.com |
| tag:production | Websites tagged "production" |
| -scheme:https | Websites for which NO HTTPS version is available (HTTP only). |
| edge:Office | Websites related to the Edge Service named "Office" |
| 192.168.10.0/24 | Websites related to the 192.168.10.0/24 IP network |
| software:wordpress<4.8 | Websites with detected "wordpress" software version lower then 4.8 |
| has:loginform | Websites for which Delve has detected a login form in a page. |
| cve:CVE-2017-1020 | Websites affected by a CVE number |
| -CVE-2017-1020 | Websites not affected by a CVE number |
| ip:192.*.10.* | Websites for which the last known hosting IP had IP parts p1= 192 and p3 = 10 |
Servers
| Query | Output |
| 192.168.1.1 | Servers that match the 192.168.1.1 IP address |
| -192.168.1.0/24 | Servers not related to 192.168.10.0/24 IP network |
| tag:production | Servers tagged "production" |
| edge:Office | Servers related to the Edge Service named "Office" |
| cve:CVE-2017-1020 | Servers affected by that CVE number |
| -CVE-2017-1020 | Servers not affected by that CVE number |
| software:nginx | Servers with detected "nginx" software |
| software:ssh="2.0-OpenSSH_7.2p2" | Servers with detected "ssh" software with version "2.0-OpenSSH_7.2p2" |
| port:22=open | Servers with detected port 22 open |
| port:22/tcp=filtered | Servers with detected port 22 open with protocol tcp and state is filtered |
| ip:192.*.10.* | Servers with IP parts p1 = 192 and p3 = 10 |
| service:ssh | Servers that have a port exposing a confirmed SSH service |
| banner:"7.2p2" | Servers with a banner containing the 7.2p2 string |
Auto Discovery
The query will be applied for each asset type: ranges, servers and websites. Some operators may be ignored if it's not supported for this specific asset type.
| Query | Output |
| www | Assets containing "www" term |
| cve:CVE-2017-1020 | Servers and websites affected by that CVE number |
| edge:Office | Assets related to the Edge Service named "Office" |
| tag:production | Assets tagged "Production" |
| software:nginx | Assets with detected "nginx" software |
| 192.168.1.0/24 | Assets related to 192.168.10.0/24 IP network |
| ip:192.*.10.* | All assets with ip parts p1= 192 and p3 = 10 |
Schedule
| Query | Output |
| www | Schedule entries containing "www" term |
| 192.168.1.0/24 | Schedule entries related to 192.168.10.0/24 IP network |
| cve:CVE-2017-1020 | Schedule entries related to the cve number |
| tag:production | Schedule entries related to the "production" tag |
| edge:Office | Schedule entries related to the Edge Service named "Office" |
| ip:192.*.10.* | Schedule entries related to assets with ip parts p1= 192 and p3 = 10 |
Activity Log
| Query | Quote |
| user@example.com | Log entries containing the term "user@example.com" in the message, type, first name, last name and email fields |
| 192.168.1.0/24 | Log entries related to 192.168.10.0/24 IP network |
| cve:CVE-2017-1020 | Log entries related to the cve number |
| edge:Office | Log entries related to the Edge Service named "Office" |
| tag:production | Log entries related to the "production" tag |
| ip:192.*.10.* | Log entries related to assets with ip parts p1= 192 and p3 = 10 |
| user:user@example.com | any logs related to user@example.com user |
| user:john | any logs related to user that has John as first or last name. |