Performing filtered asset searches

When dealing with networks of large numbers of assets, you may find it necessary or helpful to concentrate on a specific subset. The filtered asset search feature allows you to search for assets based on criteria that can include IP address, site, operating system, software, services, vulnerabilities, and asset name. You can then save the results as a dynamic asset group for tracking, scanning, and reporting purposes.

Using search filters, you can find assets of immediate interest to you. This helps you to focus your remediation efforts and to manage the sheer quantity of assets running on a large network.

To start a filtered asset search:

Click the Asset Filter icon Alt, which appears below and to the right of the Search box in the Web interface. OR Click the Create tab at the top of the page and then select Dynamic Asset Group from the drop-down list. The Filtered asset search page appears. OR Click the Administration icon to go to the Administration page, and then click the dynamic link next to Asset Groups. OR

Performing a filtered asset search is the first step in creating a dynamic asset group

Click New Dynamic Asset Group if you are on the Asset Groups page.

Configuring asset search filters

A search filter allows you to choose the attributes of the assets that you are interested in. You can add multiple filters for more precise searches. For example, you could create filters for a given IP address range, a particular operating system, and a particular site, and then combine these filters to return a list of all the assets that simultaneously meet all the specified criteria. Using fewer filters typically increases the number of search results.

You can combine filters so that the search result set contains only the assets that meet all of the criteria in all of the filters (leading to a smaller result set). Or you can combine filters so that the search result set contains any asset that meets all of the criteria in any given filter (leading to a larger result set). See Combining filters.

The following asset search filters are available:

Filtering by asset name

Filtering by container image

Filtering by container status

Filtering by containers

Filtering by CVE ID

Filtering by host type

Filtering by IP address

Filtering by IP address type

Filtering by last scan date

Filtering by mobile device last sync time

Filtering by other IP address type

Filtering by operating system name

Filtering by PCI compliance status

Filtering by service name

Filtering by open port numbers

Filtering by operating system name

Filtering by software name

Filtering by presence of validated vulnerabilities

Filtering by user-added criticality level

Filtering by user-added custom tag

Filtering by user-added tag (location)

Filtering by user-added tag (owner)

Filtering by vAsset cluster

Filtering by vAsset datacenter

Filtering by vAsset host

Filtering by vAsset power state

Filtering by vAsset resource pool path

Filtering by CVSS risk vectors

Filtering by vulnerabilities assessed

Filtering by vulnerability category

Filtering by vulnerability CVSS score

Filtering by vulnerability exposures

Filtering by vulnerability risk scores

Filtering by vulnerability title

To select filters in the Filtered asset search panel take the following steps:

  1. Use the first drop-down list. When you select a filter, the configuration options, operators, for that filter dynamically become available.
  2. Select the appropriate operator. Note: Some operators allow text searches. You can use the * wildcard in any of the text searches.
  3. Use the + button to add filters.
  4. Use the - button to remove filters.
  5. Click Reset to remove all filters.

Filtering by asset name

The asset name filter lets you search for assets based on the asset name. The filter applies a search string to the asset names, so that the search returns assets that meet the specified criteria. It works with the following operators:

  • is returns all assets whose names match the search string exactly.
  • is not returns all assets whose names do not match the search string.
  • starts with returns all assets whose names begin with the same characters as the search string.
  • ends with returns all assets whose names end with the same characters as the search string.
  • contains returns all assets whose names contain the search string anywhere in the name.
  • does not contain returns all assets whose names do not contain the search string.

After you select an operator, you type a search string for the asset name in the blank field.

You can search using regex (regular expressions) to match or filter assets based on the particular regex entered using the options of LIKE or IS NOT from the drop-down list. For more information on using regex, see Using regular expressions.

Filtering by container image

The container image filter lets you search for assets by a container image name. The filter applies a search string to the container image name, so that the search returns assets that meet the specified criteria. It works with the following operators:

  • is returns all assets whose image names match the search string exactly.
  • is not returns all assets whose image names do not match the search string.
  • starts with returns all assets whose image names begin with the same characters as the search string.
  • ends with returns all assets whose image names contain the search string anywhere in the name.
  • contains returns all assets whose image names contain the search string anywhere in the name.
  • does not contain returns all assets whose image names do not contain the search string.

After you select an operator, enter a search string for the container image name in the blank field.

NOTE

Assets that run Docker services are considered container hosts. This can include assets with no images or containers.

You can search using regex (regular expressions) to match or filter assets based on the particular regex entered using the options of like or not like from the drop-down list. For more information on using regex, see Using regular expressions.

Filtering by container status

The container status filter lets you search for assets based on the current condition of its containers. Containers can be queried based on the following statuses:

  • created
  • running
  • paused
  • restarted
  • exited
  • dead

Two operators can be used for checking against these statuses:

  • is will return all assets with containers that match the specified status.
  • is not will return all assets with containers that DO NOT match the specified status.

Filtering by containers

The containers filter lets you search for assets based on whether or not they are hosting containers. The are operator can be used with the following conditions:

  • present will return all assets that are hosting containers.
  • not present will return all assets that are NOT hosting containers.

NOTE

Assets with containers in a dead status are still considered container hosts, and as a result, will be returned by the present condition.

Filtering by CVE ID

The CVE ID filter lets you search for assets based on the CVE ID. The CVE identifiers (IDs) are unique, common identifiers for publicly known information security vulnerabilities. For more information, see https://cve.mitre.org/cve/identifiers/index.html. The filter applies a search string to the CVE IDs, so that the search returns assets that meet the specified criteria. It works with the following operators:

  • is returns all assets whose CVE IDs match the search string exactly.
  • is not returns all assets whose CVE IDs do not match the search string.
  • contains returns all assets whose CVE IDs contain the search string anywhere in the name.
  • does not contain returns all assets whose CVE IDs do not contain the search string.

After you select an operator, you type a search string for the CVE ID in the blank field.

Filtering by host type

The Host type filter lets you search for assets based on the type of host system, where assets can be any one or more of the following types:

  • Bare metal is physical hardware.
  • Hypervisor is a host of one or more virtual machines.
  • Virtual machine is an all-software guest of another computer.
  • Unknown is a host of an indeterminate type.

You can use this filter to track, and report on, security issues that are specific to host types. For example, a hypervisor may be considered especially sensitive because if it is compromised then any guest of that hypervisor is also at risk.

The filter applies a search string to host types, so that the search returns a list of assets that either match, or do not match, the selected host types.

It works with the following operators:

  • is returns all assets that match the host type that you select from the adjacent drop-down list.
  • is not returns all assets that do not match the host type that you select from the adjacent drop-down list.

You can combine multiple host types in your criteria to search for assets that meet multiple criteria. For example, you can create a filter for “is Hypervisor” and another for “is virtual machine” to find all-software hypervisors.

Filtering by IP address type

If your environment includes IPv4 and IPv6 addresses, you can find assets with either address format. This allows you to track and report on specific security issues in these different segments of your network. The IP address type filter works with the following operators:

  • is returns all assets that have the specified address format.
  • is not returns all assets that do not have the specified address formats.

After selecting the filter and desired operator, select the desired format: IPv4 or IPv6.

Filtering by IP address

With the IP address filter, you can discover assets that match or do not have a specific IP address, or that have IP addresses, or do not have IP addresses, within a specific range. This filter works with the following operators:

  • is returns an asset with the specified IP address.
  • is not returns all assets that do not have the specified IP address.
  • is in the range of returns all assets with IP addresses that fall within the IP address range.
  • is not in the range of returns all assets whose IP addresses do not fall into the IP address range.
  • like returns all assets whose IP addresses match the specified IP address.
  • not like returns all assets whose IP addresses do not match the specified IP address.

When you select the is in the range of or is not in the range of filters, you will see two blank fields separated by the word to. You use the left field to enter the start of the IP address range, and use the right to enter the end of the range.

The format for IPv4 addresses is a “dotted quad.” Example:

1
192.168.2.1 to 192.168.2.254

You can combine multiple search types in your query to focus on very specific assets. For instance, you can search for IP addresses in the range 192.168.2.1 to 192.168.2.254, but exclude 192.168.2.7 and 192.168.2.199.

Filtering by last scan date

The last scan date filter lets you search for assets based on when they were last scanned. You may want, for example, to run a report on the most recently scanned assets. Or, you may want to find assets that have not been scanned in a long time and then delete them from the database because they are no longer be considered important for tracking purposes. The filter works with the following operators:

  • on or before returns all assets that were last scanned on or before a particular date. After selecting this operator, click the calendar icon to select the date.
  • on or after returns all assets that were last scanned on or after a particular date. After selecting this operator, click the calendar icon to select the date.
  • between and including returns all assets that were last scanned between, and including, two dates. After selecting this operator, click the calendar icon next to the left field to select the first date in the range. Then click the calendar icon next to the right field to select the last date in the range.
  • earlier than returns all assets that were last scanned earlier than a specified number of days preceding the date on which you initiate the search. After selecting this operator, enter a number in the days ago field. The starting point of the search is midnight of the day that the search is performed. For example, you initiate a search at 3 p.m. on January 23. You select this operator and enter 3 in the days ago field. The search returns all assets that were last scanned prior to midnight on January 20.
  • within the last returns all assets that were last scanned within a specified number of preceding days. After selecting this operator, enter a number in the days field. The starting point of the search is midnight of the day that the search is performed. For example: You initiate the search at 3 p.m. on January 23. You select this operator and enter 1 in the days field. The search returns all assets that were last scanned since midnight on January 22.

Keep several things in mind when using this filter:

  • The search only returns last scan dates. If an asset was scanned within the time frame specified in the filter, and if that scan was not the most recent scan, it will not appear in the search results.
  • Dynamic asset group membership can change as new scans are run.
  • Dynamic asset group membership is recalculated daily at midnight. If you create a dynamic asset group based on searches with the relative-day operators (earlier than or within the last), the asset membership will change accordingly.
  • This filter returns results for all types of scans - e.g. discovery, vulnerability, or policy scans. If you are specifically interested in vulnerability scans, you should look into Filtering by vulnerabilities assessed.

Filtering by mobile device last sync time

This filter is only available with WinRM/PowerShell and WinRM/Office 365 Dynamic Discovery connections.

With the Last Synch Time filter, you can track mobile devices based on the most recent time they synchronized with the Exchange server. This filter can be useful if you do not want your reports to include data from old devices that are no longer in use on the network. It works with the following operators.

  • earlier than returns all mobile devices that synchronized earlier than a number of preceding days that you enter in a text box.
  • within the last returns all mobile devices that synchronized within a number of preceding days that you enter in a text box.

Filtering by open port numbers

Having certain ports open may violate configuration policies. The open port number filter lets you search for assets with a specified port open. By isolating assets with open ports, you can then close those ports and then re-scan them to verify that they are closed. Select an operator, and then enter your port or port range. Depending on your criteria, search results will return assets that have open ports, assets that do not have open ports, and assets with a range of open ports.

The filter works with the following operators:

  • is returns all assets with that port open.
  • is not returns all assets that do not have that port open.
  • is in the range of returns all assets within a range of designated ports.

Filtering by operating system name

The operating system name filter lets you search for assets based on their hosted operating systems. Depending on the search, you choose from a list of operating systems, or enter a search string. The filter returns a list of assets that meet the specified criteria.

It works with the following operators:

  • contains returns all assets running on the operating system whose name contains the characters specified in the search string. You enter the search string in the adjacent field. You can use an asterisk (*) as a wildcard character.
  • does not contain returns all assets running on the operating system whose name does not contain the characters specified in the search string. You enter the search string in the adjacent field. You can use an asterisk (*) as a wildcard character.
  • is empty returns all assets that do not have an operating system identified in their scan results. If an operating system is not listed for a scanned asset in the Web interface or reports, this means that the asset may not have been fingerprinted. If the asset was scanned with credentials, failure to fingerprint indicates that the credentials were not authenticated on the target asset. Therefore, this operator is useful for finding assets that were scanned with failed credentials or without credentials.
  • is not empty returns all assets that have an operating system identified in their scan results. This operator is useful for finding assets that were scanned with authenticated credentials and fingerprinted.

Filtering by other IP address type

This filter allows you to find assets that have other IPv4 or IPv6 addresses in addition to the address(es) that you are aware of. When the application scans an IP address that has been included in a site configuration, it discovers any other addresses for that asset. This may include addresses that have not been scanned. For example: A given asset may have an IPv4 address and an IPv6 address. When configuring scan targets for your site, you may have only been aware of the IPv4 address, so you included only that address to be scanned in the site configuration. When you run the scan, the application discovers the IPv6 address. By using this asset search filter, you can search for all assets to which this scenario applies. You can add the discovered address to a site for a future scan to increase your security coverage.

After you select the filter and operators, you select either IPv4 or IPv6 from the drop-down list.

The filter works with one operator:

  • is returns all assets that have other IP addresses that are either IPv4 or IPv6.

Filtering by PCI compliance status

The PCI status filter lets you search for assets based on whether they return Pass or Fail results when scanned with the PCI audit template. Finding assets that fail compliance scans can help you determine at a glance which require remediation in advance of an official PCI audit.

It works with two operators:

  • is returns all assets that have a Pass or Fail status.
  • is not returns all assets that do not have a Pass or Fail status.

After you select an operator, select the Pass or Fail option from the drop-down list.

Filtering by service name

The service name filter lets you search for assets based on the services running on them. The filter applies a search string to service names, so that the search returns a list of assets that either have or do not have the specified service.

It works with the following operators:

  • contains returns all assets running a service whose name contains the search string. You can use an asterisk (*) as a wildcard character.
  • does not contain returns all assets that do not run a service whose name contains the search string. You can use an asterisk (*) as a wildcard character.

After you select an operator, you type a search string for the service name in the blank field.

Filtering by site name

The site name filter lets you search for assets based on the name of the site to which the assets belong.

This is an important filter to use if you want to control users’ access to newly discovered assets in sites to which users do not have access. See the note in Using dynamic asset groups .

The filter applies a search string to site names, so that the search returns a list of assets that either belong to, or do not belong to, the specified sites.

It works with the following operators:

  • is returns all assets that belong to the selected sites. You select one or more sites from the adjacent list.
  • is not returns all assets that do not belong to the selected sites. You select one or more sites from the adjacent list.

Filtering by software name

The _software name filter lets you search for assets based on software installed on them. The filter applies a search string to software names, so that the search returns a list of assets that either runs or does not run the specified software.

It works with the following operators:

  • contains returns all assets with software installed such that the software’s name contains the search string. You can use an asterisk (*) as a wildcard character.
  • does not contain returns all assets that do not have software installed such that the software’s name does not contain the search string. You can use an asterisk (*) as a wildcard character.

After you select an operator, you enter the search string for the software name in the blank field.

Filtering by presence of validated vulnerabilities

The Validated vulnerabilities filter lets you search for assets with vulnerabilities that have been validated with exploits through Metasploit integration. By using this filter, you can isolate assets with vulnerabilities that have been proven to exist with a high degree of certainty. For more information, see Working with validated vulnerabilities.

The filter works with one operator:

  • The are operator, combined with the present drop-down list option, returns all assets with validated vulnerabilities.
  • The are operator, combined with the not present drop-down list option, returns all assets without validated vulnerabilities.

Filtering by user-added criticality level

The user-added criticality level filter lets you search for assets based on the criticality tags that you and your users have applied to them. For example, a user may set all assets belonging to company executives to be of a “Very High” criticality in their organization. Using this filter, you could identify assets with that criticality set, regardless of their sites or other associations. You can search for assets with or without a specific criticality level, assets whose criticality is above or below a specific level, or assets with or without any criticality set. For more information on criticality levels, see Applying RealContext with tags.

The filter works with the following operators:

  • is returns all assets that are set to a specified criticality level.
  • is not returns all assets are not set to a specified criticality level.
  • is higher than returns all assets whose criticality level is higher than the specified level.
  • is lower than returns all assets whose criticality level is lower than the specified level.
  • is applied returns all assets that have any criticality set.
  • is not applied returns all assets that have no criticality set.

After you select an operator, you select a criticality level from the drop-down menu. Available criticality levels are Very High, High, Medium, Low, and Very Low.

Filtering by user-added custom tag

The user-added custom tag filter lets you search for assets based on the custom tags that users have applied to them. For example, your company may have assets involved in an online banking process distributed throughout various locations and subnets, and a user may have tagged the involved assets with a custom “Online Banking” tag. Using this filter, you could identify assets with that tag, regardless of their sites or other associations. You can search for assets with or without a specific tag, assets whose custom tags meet certain criteria, or assets with or without any user-added custom tags. For more information on user-added custom tags, see Applying RealContext with tags.

The filter works with the following operators:

  • is returns all assets with custom tags that match the search string exactly.
  • is not returns all assets that do not have a custom tag that matches the exact search string.
  • starts with returns all assets with custom tags that begin with the same characters as the search string.
  • ends with returns all assets with custom tags that end with the same characters as the search string.
  • contains returns all assets whose custom tags contain the search string anywhere in their names.
  • does not contain returns all assets whose custom tags do not contain the search string.
  • is applied returns all assets that have any custom tag applied.
  • is not applied returns all assets that have no custom tags applied.

After you select an operator, you type a search string for the custom tag in the blank field.

Filtering by user-added tag (location)

The user-added tag (location) filter lets you search for assets based on the location tags that users have applied to them. For example, a user may have created and applied tags for “Akron” and “Cincinnati” to clarify the physical location of assets in a user-friendly way. Using this filter, you could identify assets with that tag, regardless of their other associations. You can search for assets with or without a specific tag, assets whose location tags meet certain criteria, or assets with or without any user-added location tags. For more information on user-added location tags, see Applying RealContext with tags.

The filter works with the following operators:

  • is returns all assets with location tags that match the search string exactly.
  • is not returns all assets that do not have a location tag that matches the exact search string.
  • starts with returns all assets with location tags that begin with the same characters as the search string.
  • ends with returns all assets with location tags that end with the same characters as the search string.
  • contains returns all assets whose location tags contain the search string anywhere in their names.
  • does not contain returns all assets whose location tags do not contain the search string.
  • is applied returns all assets that have any location tag applied.
  • is not applied returns all assets that have no location tags applied.

After you select an operator, you type a search string for the location tag in the blank field.

Filtering by user-added tag (owner)

The user-added tag (owner) filter lets you search for assets based on the owner tags that users have applied to them. For example, a company may have different people responsible for different assets. A user can tag the assets each person is responsible for and use this information to track the risk level of those assets. You can search for assets with or without a specific tag, assets whose owner tags meet certain criteria, or assets with or without any user-added owner tags. For more information on user-added owner tags, see Applying RealContext with tags.

The filter works with the following operators:

  • is returns all assets with owner tags that match the search string exactly.
  • is not returns all assets that do not have an owner tag that matches the exact search string.
  • starts with returns all assets with owner tags that begin with the same characters as the search string.
  • ends with returns all assets with owner tags that end with the same characters as the search string.
  • contains returns all assets whose owner tags contain the search string anywhere in their names.
  • does not contain returns all assets whose owner tags do not contain the search string.
  • is applied returns all assets that have any owner tag applied.
  • is not applied returns all assets that have no owner tags applied.

After you select an operator, you type a search string for the location tag in the blank field.

Using vAsset filters

The following vAsset filters let you search for virtual assets that you track with vAsset discovery. Creating dynamic asset groups for virtual assets based on specific criteria can be useful for analyzing different segments of your virtual environment. For example, you may want to run reports or assess risk for all the virtual assets used by your accounting department, and they are all supported by a specific resource pool. For information about vAsset discovery, see Discovering virtual machines managed by VMware vCenter or ESX/ESXi .

Filtering by vAsset cluster

The vAsset cluster filter lets you search for virtual assets that belong, or don’t belong, to specific clusters. This filter works with the following operators:

  • is returns all assets that belong to clusters whose names match an entered string exactly.
  • is not returns all assets that belong to clusters whose names do not match an entered string.
  • contains returns all assets that belong to clusters whose names contain an entered string.
  • does not contain returns all assets that belong to clusters whose names do not contain an entered string.
  • starts with returns all assets that belong to clusters whose names begin with the same characters as an entered string.

After you select an operator, you enter the search string for the cluster in the blank field.

Filtering by vAsset datacenter

The vAsset datacenter filter lets you search for assets that are managed, or are not managed, by specific datacenters. This filter works with the following operators:

  • is returns all assets that are managed by datacenters whose names match an entered string exactly.
  • is not returns all assets that are managed by datacenters whose names do not match an entered string.

After you select an operator, you enter the search string for the datacenter name in the blank field.

Filtering by vAsset host

The vAsset host filter lets you search for assets that are guests, or are not guests, of specific host systems. This filter works with the following operators:

  • is returns all assets that are guests of hosts whose names match an entered string exactly.
  • is not returns all assets that are guests of hosts whose names do not match an entered string.
  • contains returns all assets that are guests of hosts whose names contain an entered string.
  • does not contain returns all assets that are guests of hosts whose names do not contain an entered string.
  • starts with returns all assets that are guests of hosts whose names begin with the same characters as an entered string.

After you select an operator, you enter the search string for the host name in the blank field.

Filtering by vAsset power state

The vAsset power state filter lets you search for assets that are in, or are not in, a specific power state. This filter works with the following operators:

  • is returns all assets that are in a power state selected from a drop-down list.
  • is not returns all assets that not are in a power state selected from a drop-down list.

After you select an operator, you select a power state from the drop-down list. Power states include on, off, or suspended.

Filtering by vAsset resource pool path

The vAsset resource pool path filter lets you discover assets that belong, or do not belong, to specific resource pool paths. This filter works with the following operators:

  • contains returns all assets that are supported by resource pool paths whose names contain an entered string.
  • does not contain returns all assets that are supported by resource pool paths whose names do not contain an entered string.

You can specify any level of a path, or you can specify multiple levels, each separated by a hyphen and right arrow: ->. This is helpful if you have resource pool path levels with identical names.

For example, you may have two resource pool paths with the following levels: Human Resources

Management

Workstations

Advertising

Management

Workstations

The virtual machines that belong to the Management and Workstations levels are different in each path. If you only specify Management in your filter, the search will return all virtual machines that belong to the Management and Workstations levels in both resource pool paths.

However, if you specify Advertising -> Management -> Workstations, the search will only return virtual assets that belong to the Workstations pool in the path with Advertising as the highest level.

After you select an operator, you enter the search string for the resource pool path in the blank field.

Filtering by CVSS risk vectors

The filters for the following Common Vulnerability Scoring System (CVSS) risk vectors let you search for assets based on vulnerabilities that pose different types or levels of risk to your organization’s security:

  • CVSS Access Complexity (AC)
  • CVSS Access Vector (AV)
  • CVSS Authentication Required (Au)
  • CVSS Availability Impact (A)
  • CVSS Confidentiality Impact (C)
  • CVSS Integrity Impact (I)

You can also apply filters based on the newer CVSS Version 3 risk vectors:

  • CVSSV3 Attack Complexity (AC)
  • CVSSV3 Attack Vector (AV)
  • CVSSV3 Availability Impact (A)
  • CVSSV3 Confidentiality Impact (C)
  • CVSSV3 Integrity Impact (I)
  • CVSSV3 Privileges Required (PR)
  • CVSSV3 User Interaction (UI)

It is possible that a vulnerability might not have Version 3 data, so be mindful of this when applying Version 3 filters to an asset search. Assets excluded by a Version 3 filter may still be affected by Version 2 vectors.

These filters refer to the industry-standard vectors used in calculating CVSS scores and PCI severity levels. They are also used in risk strategy calculations for risk scores. For detailed information about CVSS vectors, go to the National Vulnerability Database Web site at https://nvd.nist.gov/.

Using these filters, you can find assets based on different exploitability attributes of the vulnerabilities found on them, or based on the different types and degrees of impact to the asset in the event of compromise through the vulnerabilities found on them. Isolating these assets can help you to make more informed decisions on remediation priorities or to prepare for a PCI audit.

All CVSS filters work with two operators:

  • is returns all assets that match a specific risk level or attribute associated with the CVSS vector.
  • is not returns all assets that do not match a specific risk level or attribute associated with the CVSS vector.

After you select a filter and an operator, select the desired impact level or likelihood attribute from the drop-down list. Version 2 attributes are as follows:

  • For each of the three impact vectors (Confidentiality, Integrity, and Availability), the options are Complete, Partial, or None.
  • For CVSS Access Vector, the options are Local (L), Adjacent (A), or Network (N).
  • For CVSS Access Complexity, the options are Low, Medium, or High.
  • For CVSS Authentication Required, the options are None, Single, or Multiple.

Version 3 attributes:

  • For each of the three impact vectors (Confidentiality, Integrity, and Availability), the options are None, Low, or High.
  • For CVSSV3 Attack Vector, the options are Network (N), Adjacent (A), Local (L), or Physical (P).
  • For CVSSV3 Attack Complexity, the options are Low or High.
  • For CVSSV3 Privileges Required, the options are None, Low, or High.
  • For CVSSV3 User Interaction, the options are None or Required.

Filtering by vulnerabilities assessed

The vulnerabilities assessed filter lets you search for assets based on when they were last scanned for vulnerabilities. In contrast to the last scan filter, this option lets you focus specifically on vulnerability assessments. You may want, for example, to run a report on the most recently scanned assets. Or, you may want to find assets that have not been scanned in a long time and then delete them from the database because they are no longer be considered important for tracking purposes. The filter works with the following operators:

  • on or before returns all assets that were last scanned for vulnerabilities on or before a particular date. After selecting this operator, click the calendar icon to select the date.
  • on or after returns all assets that were last scanned for vulnerabilities on or after a particular date. After selecting this operator, click the calendar icon to select the date.
  • between and including returns all assets that were last scanned for vulnerabilities between, and including, two dates. After selecting this operator, click the calendar icon next to the left field to select the first date in the range. Then click the calendar icon next to the right field to select the last date in the range.
  • earlier than returns all assets that were last scanned for vulnerabilities earlier than a specified number of days preceding the date on which you initiate the search. After selecting this operator, enter a number in the days ago field. The starting point of the search is midnight of the day that the search is performed. For example, you initiate a search at 3 p.m. on January 23. You select this operator and enter 3 in the days ago field. The search returns all assets that were last scanned prior to midnight on January 20.
  • within the last returns all assets that were last scanned for vulnerabilities within a specified number of preceding days. After selecting this operator, enter a number in the days field. The starting point of the search is midnight of the day that the search is performed. For example: You initiate the search at 3 p.m. on January 23. You select this operator and enter 1 in the days field. The search returns all assets that were last scanned since midnight on January 22.

Keep several things in mind when using this filter:

  • The search only returns last scan dates. If an asset was scanned within the time frame specified in the filter, and if that scan was not the most recent scan, it will not appear in the search results.
  • Dynamic asset group membership can change as new scans are run.
  • Dynamic asset group membership is recalculated daily at midnight. If you create a dynamic asset group based on searches with the relative-day operators (earlier than or within the last), the asset membership will change accordingly.

Filtering by vulnerability category

The vulnerability category filter lets you search for assets based on the categories of vulnerabilities that have been flagged on them during scans. This is a useful filter for finding out at a quick glance how many, and which, assets have a particular type of vulnerability, such as ones related to Adobe, Cisco, or Telnet. Lists of vulnerability categories can be found in the Vulnerability Checks section of the scan template configuration or the report configuration, where you can filter report scope based on vulnerabilities.

The filter applies a search string to vulnerability categories, so that the search returns a list of assets that either have or do not have vulnerabilities in categories that match that search string. It works with the following operators:

  • contains returns all assets with a vulnerability whose category contains the search string. You can use an asterisk (*) as a wildcard character.
  • does not contain returns all assets that do not have a vulnerability whose category contains the search string. You can use an asterisk (*) as a wildcard character.
  • is returns all assets with that have a vulnerability whose category matches the search string exactly.
  • is not returns all assets that do not have a vulnerability whose category matches the exact search string.
  • starts with returns all assets with vulnerabilities whose categories begin with the same characters as the search string.
  • ends with returns all assets with vulnerabilities whose categories end with the same characters as the search string.

After you select an operator, you type a search string for the vulnerability category in the blank field.

Filtering by vulnerability CVSS score

The Vulnerability CVSS score filter lets you search for assets with vulnerabilities that have a specific CVSS score or fall within a range of scores. You may find it helpful to create asset groups according to CVSS score ranges that correspond to PCI severity levels: low (0.0-3.9), medium (4.0-6.9), and high (7.0-10). Doing so can help you prioritize assets for remediation.

The filter works with the following operators:

  • is returns all assets with vulnerabilities that have a specified CVSS score.
  • is not returns all assets with vulnerabilities that do not have a specified CVSS score.
  • is in the range of returns all assets with vulnerabilities that fall within the range of two specified CVSS scores and include the high and low scores in the range.
  • is higher than returns all assets with vulnerabilities that have a CVSS score higher than a specified score.
  • is lower than returns all assets with vulnerabilities that have a CVSS score lower than a specified score.

After you select an operator, type a score in the blank field. If you select the range operator, you would type a low score and a high score to create the range. Acceptable values include any numeral from 0.0 to 10. You can only enter one digit to the right of the decimal. If you enter more than one digit, the score is automatically rounded up. For example, if you enter a score of 2.25, the score is automatically rounded up to 2.3.

Filtering by vulnerability exposures

The vulnerability exposures filter lets you search for assets based on the following types of exposures known to be associated with vulnerabilities discovered on those assets:

  • Malware kit exploits
  • Metasploit exploits
  • Exploit Database exploits

This is a useful filter for isolating and prioritizing assets that have a higher likelihood of compromise due to these exposures.

The filter applies a search string to one or more of the vulnerability exposure types, so that the search returns a list of assets that either have or do not have vulnerabilities associated with the specified exposure types. It works with the following operators:

  • includes returns all assets that have vulnerabilities associated with specified exposure types.
  • does not include returns all assets that do not have vulnerabilities associated with specified exposure types.

After you select an operator, select one or more exposure types in the drop-down list. To select multiple types, hold down the key and click all desired types.

Filtering by vulnerability risk scores

The vulnerability risk score filter lets you search for assets with vulnerabilities that have a specific risk score or fall within a range of scores. Isolating and tracking assets with higher risk scores, for example, can help you prioritize remediation for those assets.

The filter works with the following operators:

  • is in the range of returns all assets with vulnerabilities that fall within the range of two specified risk scores and include the high and low scores in the range.
  • is higher than returns all assets with vulnerabilities that have a risk score higher than a specified score.
  • is lower than returns all assets with vulnerabilities that have a risk score lower than a specified score.

After you select an operator, enter a score in the blank field. If you select the range operator, you would type a low score and a high score to create the range. Keep in mind your currently selected risk strategy when searching for assets based on risk scores. For example, if the currently selected strategy is Real Risk, you will not find assets with scores higher than 1,000. Refer to the risk scores in your vulnerability and asset tables for guidance.

Filtering by vulnerability title

The vulnerability title filter lets you search for assets based on the vulnerabilities that have been flagged on them during scans. This is a useful filter to use for verifying patch applications, or finding out at a quick glance how many, and which, assets have a particular high-risk vulnerability.

The filter applies a search string to vulnerability titles, so that the search returns a list of assets that either have or do not have the specified string in their titles. It works with the following operators:

  • contains returns all assets with a vulnerability whose name contains the search string. You can use an asterisk (*) as a wildcard character.
  • does not contain returns all assets that do not have a vulnerability whose name contains the search string. You can use an asterisk (*) as a wildcard character.
  • is returns all assets with that have a vulnerability whose name matches the search string exactly.
  • is not returns all assets that do not have a vulnerability whose name matches the exact search string.
  • starts with returns all assets with vulnerabilities whose names begin with the same characters as the search string.
  • ends with returns all assets with vulnerabilities whose names end with the same characters as the search string.

After you select an operator, you type a search string for the vulnerability name in the blank field.

Combining filters

If you create multiple filters, you can have Nexpose return a list of assets that match all the criteria specified in the filters, or a list of assets that match any of the criteria specified in the filters. You can make this selection in a drop-down list at the bottom of the Search Criteria panel.

The difference between All and Any is that the All setting will only return assets that match the search criteria in all of the filters, whereas the Any setting will return assets that match any given filter. For this reason, a search with All selected typically returns fewer results than Any.

For example, suppose you are scanning a site with 10 assets. Five of the assets run Linux, and their names are linux01, linux02, linux03, linux04, and linux05. The other five run Windows, and their names are win01, win02, win03, win04, and win05.

Suppose you create two filters. The first filter is an operating system filter, and it returns a list of assets that run Windows. The second filter is an asset filter, and it returns a list of assets that have “linux” in their names.

If you perform a filtered asset search with the two filters using the All setting, the search will return a list of assets that run Windows and have “linux” in their asset names. Since no such assets exist, there will be no search results. However, if you use the same filters with the Any setting, the search will return a list of assets that run Windows or have “linux” in their names. Five of the assets run Windows, and the other five assets have “linux” in their names. Therefore, the result set will contain all of the assets.