Advanced Search Queries

How to use the search grammar in the search fields to find assets, vulnerabilities or activity log events.

Search Grammar

Delve lets you refine the results of the current view with custom search queries built from the operators below. Query examples are provided for each context.

Minus Sign

Use the minus sign to find items that exclude a particular word or words.
The minus sign can prefix any term of a query.
For instance, to match "example" but exclude ".net", use the following query:

example -.net

Double Quotes

Use double quotes to find items that contain an exact word or phrase.
Quotes may be used to match items with multiple words.

"example.com"
"some phrases to match"

Custom query structure

You can filter items with a custom query using the syntax <OPERATOR>:<OPERAND>.
The operator can be any operator valid for the current context.
The operand contains the word or words to search for.

For instance, you can find all the servers that have port 22/tcp open but do not carry a specific tag:

port:22/tcp -tag:"My Tag"

Comparators

You can compare an operand against a value with the structure <OPERATOR>:<OPERAND><COMPARATOR><VALUE>.
Supported comparators are =, >, <, >= and <=.
The comparator must directly follow the operand.
The value may be a single word, or several words enclosed in double quotes.

For instance, you can look for specific software versions using comparators:

software:nginx>1.0
software:"Microsoft Windows"<10
software:ssh="2.0-OpenSSH_7.2p2"

Logical operators

You can combine terms with the logical operators AND, OR and NOT, with or without parentheses.

For instance, you can look for any banner that mentions "ssh" for machines of two specific OSes:

(os:Ubuntu OR os:windows) AND banner:ssh

Or combine these operators to look for new vulnerabilities excluding certain network segments:

is:new AND NOT (192.168.10.0/24 OR 192.168.20.0/24)
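
The grammar laid out above (minus sign, double quotes, <OPERATOR>:<OPERAND> terms, comparators and logical operators) is small enough to implement end to end. The following Python is an added example for this page, not Delve's own code or a description of its internals: it tokenizes a query, parses it with OR binding loosest, then AND (adjacent terms are treated as an implicit AND), then NOT, and evaluates the tree over two constructed asset records. The record layout, the mapping of each operator onto a record field, the version comparison used for comparators, and the choice that an unknown operator matches nothing are all assumptions of the example.

```python
"""Added example (not Delve's own code): tokenizer, parser and evaluator for the search grammar
described above. The asset records and the operator-to-field mapping are constructed assumptions."""
import operator
import re

# Constructed sample inventory: dict fields map a name to an attribute, "tag" is a list of strings.
ASSETS = [
    {"ip": "192.168.10.5", "os": "Ubuntu 18.04", "tag": ["production"], "banner": "SSH-2.0-OpenSSH_7.2p2",
     "port": {"22/tcp": "open", "443/tcp": "open"}, "software": {"nginx": "1.14.0", "ssh": "2.0-OpenSSH_7.2p2"}},
    {"ip": "192.168.20.7", "os": "Microsoft Windows Server 2016", "tag": ["My Tag"], "banner": "SSH-2.0-OpenSSH_7.4p1",
     "port": {"22/tcp": "filtered", "3389/tcp": "open"}, "software": {"nginx": "1.9.15", "ssh": "2.0-OpenSSH_7.4p1"}},
]
# A token is "(", ")" or a term; a term may start with "-" and contain double-quoted parts.
TOKEN_RE = re.compile(r'\s*(?:(?P<lparen>\()|(?P<rparen>\))|(?P<term>-?(?:[^\s()"]+|"[^"]*")+))')
# -?OPERATOR:OPERAND with an optional COMPARATOR and VALUE; the operand or the value may be quoted.
TERM_RE = re.compile(r'^(?P<neg>-)?(?:(?P<op>[A-Za-z]+):)?(?P<operand>"[^"]*"|[^<>=]+)'
                     r'(?:(?P<cmp><=|>=|=|<|>)(?P<value>.+))?$')
COMPARE = {"=": operator.eq, ">": operator.gt, "<": operator.lt, ">=": operator.ge, "<=": operator.le}

def tokenize(query):
    tokens, pos, query = [], 0, query.strip()
    while pos < len(query):
        m = TOKEN_RE.match(query, pos)
        if not m:  # nothing matches here, e.g. an unterminated double quote
            raise ValueError(f"cannot tokenize at offset {pos}: {query[pos:]!r}")
        pos, text = m.end(), m["lparen"] or m["rparen"] or m["term"]
        tokens.append((text if text in ("(", ")", "AND", "OR", "NOT") else "TERM", text))
    return tokens

def parse_term(text):
    m = TERM_RE.match(text)
    if not m:
        raise ValueError(f"bad term {text!r}")
    return ("term", m["neg"] == "-", m["op"], m["operand"].strip('"'),
            m["cmp"], m["value"].strip('"') if m["value"] else None)

def parse(tokens):
    """Recursive descent: OR binds loosest, then AND (whitespace implies AND), then NOT."""
    toks = tokens + [("END", "end of query")]

    def parse_or():
        node = parse_and()
        while toks[0][0] == "OR":
            toks.pop(0)
            node = ("or", node, parse_and())
        return node

    def parse_and():
        node = parse_not()
        while toks[0][0] in ("AND", "NOT", "TERM", "("):
            if toks[0][0] == "AND":
                toks.pop(0)
            node = ("and", node, parse_not())
        return node

    def parse_not():
        kind, text = toks.pop(0)
        if kind == "NOT":
            return ("not", parse_not())
        if kind == "TERM":
            return parse_term(text)
        if kind == "(":
            node = parse_or()
            if toks.pop(0)[0] == ")":
                return node
            raise ValueError("missing ')'")
        raise ValueError(f"unexpected {text!r}")

    node = parse_or()
    if toks[0][0] != "END":
        raise ValueError(f"unexpected {toks[0][1]!r}")
    return node

def version_key(v):  # numeric chunks compare as numbers and text chunks as text, so 1.10 > 1.9
    return [(0, int(p)) if p.isdigit() else (1, p.lower()) for p in re.split(r"[.\-_]", v)]

def match_term(asset, term):
    _, neg, op, operand, cmp, value = term
    field = asset.get(op, "") if op else repr(asset)  # no operator: free text over the whole record
    if isinstance(field, dict):  # name -> attribute, e.g. software version or port state
        actual = field.get(operand.lower())
    else:  # text or tag list: case-insensitive substring; an unknown operator has an empty field
        actual = str(field) if operand.lower() in str(field).lower() else None
    if actual is None or cmp is None:
        hit = actual is not None
    elif cmp == "=":
        hit = actual.lower() == value.lower()
    else:
        hit = COMPARE[cmp](version_key(actual), version_key(value))
    return hit != neg

def evaluate(asset, node):
    if node[0] == "term":
        return match_term(asset, node)
    if node[0] == "not":
        return not evaluate(asset, node[1])
    return (all if node[0] == "and" else any)(evaluate(asset, child) for child in node[1:])

def search(query, assets=ASSETS):
    return [a["ip"] for a in assets if evaluate(a, parse(tokenize(query)))]
```

Comparator values are compared chunk by chunk with numeric chunks as numbers, so software:nginx>1.11 does not match version 1.9.15 the way a plain string comparison would. A dangling AND, an unbalanced parenthesis or an unterminated quote raises ValueError rather than silently matching nothing, which is the behaviour you want from a search box that drives exclusion filters.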

Search Operators in their specific view context

Some search operators only apply to a specific view in Delve. Here are examples of the supported queries in their context.

Each of the following query examples can be combined to refine your results.

Find Servers running nginx greater than 1.0 with the "production" tag and using the Edge Service named Office:

software:nginx>1.0 tag:production edge:Office

Find vulnerabilities related to a specific CVE number but excluding a certain IP range:

CVE-2017-1020 -192.168.0.0/24

Find vulnerabilities related to a specific CVE number but excluding a certain OS name:

cve:CVE-2017-7679 -os:"Debian Linux 8.0"

Find servers with port 4422 open that run a specific OpenSSH version, carry the "PROD" tag and are not running nginx later than 1.11:

port:4422/tcp=open software:ssh="2.0-OpenSSH_7.4p1" tag:PROD -software:nginx>1.11

Find websites with an IP ending in 240 that run OpenSSL 1.0.1 or later:

ip:*.*.*.240 software:OpenSSL>=1.0.1

Vulnerabilities

Query                                                     Output
wordpress                                                 Vulnerabilities containing the token "wordpress"
-XSS                                                      Vulnerabilities not containing "XSS"
score:10.00                                               Vulnerabilities with a Contextual Prioritization Score greater than or equal to the given value (>=)
-score:8                                                  Vulnerabilities with a Contextual Prioritization Score lower than the given value (<)
cvss:10.0                                                 Vulnerabilities with a CVSS score greater than or equal to the given value (>=)
-cvss:8                                                   Vulnerabilities with a CVSS score lower than the given value (<)
cve:CVE-2017-1020                                         Vulnerabilities associated with a CVE number
-CVE-2017-1020                                            Vulnerabilities not associated with a CVE number
os:"Debian Linux 8.0"                                     Vulnerabilities affecting assets whose OS name is "Debian Linux 8.0"
tag:production                                            Vulnerabilities tagged "production"
edge:"Office"                                             Vulnerabilities related to the Edge Service "Office"
cip:192.*.10.*                                            Vulnerabilities affecting assets whose IP address has 192 as first octet and 10 as third octet
192.168.0.0/24                                            Vulnerabilities related to an IP range
192.168.10.127                                            Vulnerabilities related to a server
example.com                                               Vulnerabilities related to a website
firstdiscovery:date>2020-01-02                            Vulnerabilities first discovered after a specific date
firstdiscovery:date>2020-01 firstdiscovery:date<2020-02   Vulnerabilities first discovered in January 2020
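
The following Python applies the Vulnerabilities operators from the table above to three constructed findings. It is an added example, not Delve's own code: the table's semantics are kept (a plain score: or cvss: threshold means greater than or equal, the minus sign turns it into lower than, the octets of cip: may be wildcards, and firstdiscovery:date accepts a full date or a month prefix so that the two-term January query works), while the record layout, the substring matching of free text over title, host, IP and CVE ids, and the use of shlex to keep quoted operands such as os:"Debian Linux 8.0" together are assumptions of the example.

```python
"""Added example (not Delve's own code): the operator semantics of the Vulnerabilities table above,
applied to constructed findings. The threshold rule for score/cvss, the cip wildcard and the date
prefixes follow the table; the record layout and the free-text matching are assumptions."""
import ipaddress
import operator
import re
import shlex

# Constructed findings; the CVE ids are the ones used in the examples above.
VULNS = [
    {"id": 1, "title": "WordPress XSS in comment form", "score": 9.1, "cvss": 6.1, "cve": ["CVE-2017-1020"],
     "os": "Debian Linux 8.0", "tags": ["production"], "edge": "Office", "ip": "192.168.10.127",
     "host": "example.com", "firstdiscovery": "2020-01-15"},
    {"id": 2, "title": "Outdated web server", "score": 7.5, "cvss": 7.5, "cve": ["CVE-2017-7679"],
     "os": "Debian Linux 8.0", "tags": [], "edge": "Office", "ip": "192.168.0.44",
     "host": "www.example.com", "firstdiscovery": "2020-02-03"},
    {"id": 3, "title": "Self-signed TLS certificate", "score": 3.2, "cvss": 5.0, "cve": [],
     "os": "Ubuntu 18.04", "tags": ["production"], "edge": "Branch", "ip": "10.20.10.5",
     "host": "intranet.example.com", "firstdiscovery": "2019-12-30"},
]
COMPARE = {"=": operator.eq, ">": operator.gt, "<": operator.lt, ">=": operator.ge, "<=": operator.le}
DATE_RE = re.compile(r"^date(<=|>=|=|<|>)(\d{4}(?:-\d{2}){0,2})$")  # date>2020-01-02 or date<2020-02


def cidr_contains(cidr, ip):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def wildcard_ip(pattern, ip):
    """cip:192.*.10.* style: each dotted part of the address must equal the pattern part, or the pattern part is '*'."""
    want, have = pattern.split("."), ip.split(".")
    return len(want) == len(have) and all(w in ("*", h) for w, h in zip(want, have))


def match_vuln(vuln, term):
    neg = term.startswith("-")
    text = term.lstrip("-")
    op, colon, operand = text.partition(":")
    if not colon:  # free text: a CIDR range, or a substring of the title, host, IP or CVE ids
        if re.fullmatch(r"[\d.]+/\d+", text):
            hit = cidr_contains(text, vuln["ip"])
        else:
            hit = text.lower() in " ".join([vuln["title"], vuln["host"], vuln["ip"], *vuln["cve"]]).lower()
    elif op in ("score", "cvss"):  # score:N means >= N; the minus sign negates it into < N
        hit = vuln[op] >= float(operand)
    elif op == "cve":
        hit = operand.upper() in vuln["cve"]
    elif op == "tag":
        hit = operand in vuln["tags"]
    elif op in ("os", "edge"):
        hit = vuln[op].lower() == operand.lower()
    elif op == "cip":
        hit = wildcard_ip(operand, vuln["ip"])
    elif op == "firstdiscovery":
        m = DATE_RE.match(operand)
        if not m:
            raise ValueError(f"bad date term {term!r}")
        # ISO dates compare correctly as strings, and a month prefix such as 2020-01 sorts before
        # every day of that month, which is what the two-term January example relies on.
        hit = COMPARE[m[1]](vuln["firstdiscovery"], m[2])
    else:
        raise ValueError(f"operator {op!r} is not part of the Vulnerabilities view")
    return hit != neg


def search_vulns(query, vulns=VULNS):
    """Whitespace-separated terms are ANDed; shlex keeps quoted operands like os:"Debian Linux 8.0" whole."""
    terms = shlex.split(query)
    return [v["id"] for v in vulns if all(match_vuln(v, t) for t in terms)]
```

Note how the negated threshold falls out of the generic negation: -score:8 is evaluated as "not (score >= 8)", which is exactly the "lower than" reading in the table, so no separate code path is needed for the minus sign on numeric operators.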

Websites

Query                               Output
example.com                         Websites containing example.com
tag:production                      Websites tagged "production"
-scheme:https                       Websites for which no HTTPS version is available (HTTP only)
edge:Office                         Websites related to the Edge Service named "Office"
192.168.10.0/24                     Websites related to the 192.168.10.0/24 IP network
software:wordpress<4.8              Websites with a detected "wordpress" software version lower than 4.8
has:loginform                       Websites for which Delve has detected a login form in a page
has:lastscanfailed                  Websites for which the last scan could not complete successfully (might be temporary)
cve:CVE-2017-1020                   Websites affected by a CVE number
-CVE-2017-1020                      Websites not affected by a CVE number
ip:192.*.10.*                       Websites whose last known hosting IP address has 192 as first octet and 10 as third octet
lastfailure:offline                 Websites for which the last failure reason included the word "offline". The last failure reason is marked in the scan log by a big red dot.

Servers

Query                               Output
192.168.1.1                         Servers that match the 192.168.1.1 IP address
-192.168.1.0/24                     Servers not related to the 192.168.1.0/24 IP network
tag:production                      Servers tagged "production"
edge:Office                         Servers related to the Edge Service named "Office"
cve:CVE-2017-1020                   Servers affected by that CVE number
-CVE-2017-1020                      Servers not affected by that CVE number
software:nginx                      Servers with detected "nginx" software
software:ssh="2.0-OpenSSH_7.2p2"    Servers with detected "ssh" software with version "2.0-OpenSSH_7.2p2"
port:22=open                        Servers with port 22 detected open
port:22/tcp=filtered                Servers with port 22/tcp detected in the filtered state
ip:192.*.10.*                       Servers whose IP address has 192 as first octet and 10 as third octet
service:ssh                         Servers that have a port exposing a confirmed SSH service
banner:"7.2p2"                      Servers with a banner containing the string "7.2p2"
has:lastscanfailed                  Servers for which the last scan could not complete successfully (might be temporary)
lastfailure:offline                 Servers for which the last failure reason included the word "offline". The last failure reason is marked in the scan log by a big red dot.

Auto Discovery

The query is applied to each asset type: ranges, servers and websites. Operators that are not supported for a given asset type are ignored for that type.

Query                               Output
www                                 Assets containing the term "www"
cve:CVE-2017-1020                   Servers and websites affected by that CVE number
edge:Office                         Assets related to the Edge Service named "Office"
tag:production                      Assets tagged "production"
software:nginx                      Assets with detected "nginx" software
192.168.1.0/24                      Assets related to the 192.168.1.0/24 IP network
ip:192.*.10.*                       All assets whose IP address has 192 as first octet and 10 as third octet

Schedule

Query                               Output
www                                 Schedule entries containing the term "www"
192.168.1.0/24                      Schedule entries related to the 192.168.1.0/24 IP network
cve:CVE-2017-1020                   Schedule entries related to the CVE number
tag:production                      Schedule entries related to the "production" tag
edge:Office                         Schedule entries related to the Edge Service named "Office"
ip:192.*.10.*                       Schedule entries related to assets whose IP address has 192 as first octet and 10 as third octet

Activity Log

Query                               Output
user@example.com                    Log entries containing the term "user@example.com" in the message, type, first name, last name or email fields
192.168.1.0/24                      Log entries related to the 192.168.1.0/24 IP network
cve:CVE-2017-1020                   Log entries related to the CVE number
edge:Office                         Log entries related to the Edge Service named "Office"
tag:production                      Log entries related to the "production" tag
ip:192.*.10.*                       Log entries related to assets whose IP address has 192 as first octet and 10 as third octet
user:user@example.com               Log entries related to the user user@example.com
user:john                           Log entries related to users whose first or last name is John