Performing filtered asset searches

When dealing with networks of large numbers of assets, you may find it necessary or helpful to concentrate on a specific subset. The filtered asset search feature allows you to search for assets based on criteria that can include IP address, site, operating system, software, services, vulnerabilities, and asset name. You can then save the results as a dynamic asset group for tracking, scanning, and reporting purposes. See Using the search feature.

Using search filters, you can find assets of immediate interest to you. This helps you to focus your remediation efforts and to manage the sheer quantity of assets running on a large network.

To start a filtered asset search, do one of the following:

Click the Asset Filter icon, which appears below and to the right of the Search box in the Web interface.

OR

Click the Create tab at the top of the page and then select Dynamic Asset Group from the drop-down list.

OR

Click the Administration icon to go to the Administration page, click the dynamic link next to Asset Groups, and then click New Dynamic Asset Group on the Asset Groups page.

The Filtered asset search page appears.

Note:  Performing a filtered asset search is the first step in creating a dynamic asset group.

Configuring asset search filters

A search filter allows you to choose the attributes of the assets that you are interested in. You can add multiple filters for more precise searches. For example, you could create filters for a given IP address range, a particular operating system, and a particular site, and then combine these filters to return a list of all the assets that simultaneously meet all the specified criteria. When filters are combined this way, each additional filter can only narrow the result set, so using fewer filters typically increases the number of search results.

You can combine filters so that the search result set contains only the assets that meet all of the criteria in all of the filters (leading to a smaller result set). Or you can combine filters so that the search result set contains any asset that meets all of the criteria in any given filter (leading to a larger result set). See Combining filters.

The following asset search filters are available:

Filtering by asset name

Filtering by CVE ID

Filtering by host type

Filtering by IP address

Filtering by IP address type

Filtering by last scan date

Filtering by mobile device last sync time

Filtering by other IP address type

Filtering by operating system name

Filtering by PCI compliance status

Filtering by service name

Filtering by site name

Filtering by open port numbers

Filtering by software name

Filtering by presence of validated vulnerabilities

Filtering by user-added criticality level

Filtering by user-added custom tag

Filtering by user-added tag (location)

Filtering by user-added tag (owner)

Filtering by vAsset cluster

Filtering by vAsset datacenter

Filtering by vAsset host

Filtering by vAsset power state

Filtering by vAsset resource pool path

Filtering by CVSS risk vectors

Filtering by vulnerabilities assessed

Filtering by vulnerability category

Filtering by vulnerability CVSS score

Filtering by vulnerability exposures

Filtering by vulnerability risk scores

Filtering by vulnerability title

To select filters in the Filtered asset search panel, take the following steps:

  1. Select a filter from the first drop-down list. When you select a filter, the configuration options and operators for that filter become available.
  2. Select the appropriate operator. Note: Some operators allow text searches. You can use the * wildcard in any of the text searches.
  3. Use the + button to add filters.
  4. Use the - button to remove filters.
  5. Click Reset to remove all filters.

Figure: Asset search filters

Filtering by asset name

The asset name filter lets you search for assets based on the asset name. The filter applies a search string to the asset names, so that the search returns assets that meet the specified criteria. It works with the following operators:

After you select an operator, you type a search string for the asset name in the blank field.

You can also search with regular expressions (regex): select like or not like from the drop-down list and enter a regex to match or exclude assets whose names match it. For more information on using regex, see Using regular expressions.

Filtering by CVE ID

The CVE ID filter lets you search for assets based on the CVE ID. The CVE identifiers (IDs) are unique, common identifiers for publicly known information security vulnerabilities. For more information, see https://cve.mitre.org/cve/identifiers/index.html. The filter applies a search string to the CVE IDs, so that the search returns assets that meet the specified criteria. It works with the following operators:

After you select an operator, you type a search string for the CVE ID in the blank field.

Filtering by host type

The Host type filter lets you search for assets based on the type of host system, where assets can be any one or more of the following types:

You can use this filter to track, and report on, security issues that are specific to host types. For example, a hypervisor may be considered especially sensitive because if it is compromised then any guest of that hypervisor is also at risk.

The filter applies a search string to host types, so that the search returns a list of assets that either match, or do not match, the selected host types.

It works with the following operators:

You can combine multiple host types in your criteria to search for assets that meet multiple criteria. For example, you can create a filter for “is Hypervisor” and another for “is virtual machine” to find hypervisors that are themselves running as virtual machines.

Filtering by IP address type

If your environment includes IPv4 and IPv6 addresses, you can find assets with either address format. This allows you to track and report on specific security issues in these different segments of your network. The IP address type filter works with the following operators:

After selecting the filter and desired operator, select the desired format: IPv4 or IPv6.

Filtering by IP address

With the IP address filter, you can discover assets that have, or do not have, a specific IP address, or whose IP addresses fall inside, or outside, a specific range. This filter works with the following operators:

When you select the is in the range of or is not in the range of operator, you will see two blank fields separated by the word to. You use the left field to enter the start of the IP address range, and the right field to enter the end of the range.

The format for IPv4 addresses is a “dotted quad.” Example:

192.168.2.1 to 192.168.2.254

You can combine multiple search types in your query to focus on very specific assets. For instance, you can search for IP addresses in the range 192.168.2.1 to 192.168.2.254, but exclude 192.168.2.7 and 192.168.2.199.

Filtering by last scan date

The last scan date filter lets you search for assets based on when they were last scanned. You may want, for example, to run a report on the most recently scanned assets. Or, you may want to find assets that have not been scanned in a long time and then delete them from the database because they are no longer considered important for tracking purposes. The filter works with the following operators:

Keep several things in mind when using this filter:

Filtering by mobile device last sync time

Note:  This filter is only available with WinRM/PowerShell and WinRM/Office 365 Dynamic Discovery connections.

With the Last Synch Time filter, you can track mobile devices based on the most recent time they synchronized with the Exchange server. This filter can be useful if you do not want your reports to include data from old devices that are no longer in use on the network. It works with the following operators.

Filtering by open port numbers

Having certain ports open may violate configuration policies. The open port number filter lets you search for assets with a specified port open. By isolating assets with open ports, you can then close those ports and re-scan the assets to verify that they are closed. Select an operator, and then enter your port or port range. Depending on the operator you choose, the search returns assets that have the specified port open, assets that do not have it open, or assets that have a port open within the specified range.

The filter works with the following operators:

Filtering by operating system name

The operating system name filter lets you search for assets based on the operating system detected on them. Depending on the operator, you either choose from a list of operating systems or enter a search string. The filter returns a list of assets that meet the specified criteria.

It works with the following operators:

Filtering by other IP address type

This filter allows you to find assets that have other IPv4 or IPv6 addresses in addition to the address(es) that you are aware of. When the application scans an IP address that has been included in a site configuration, it discovers any other addresses for that asset, including addresses that have not been scanned. For example, a given asset may have both an IPv4 address and an IPv6 address. When configuring scan targets for your site, you may have been aware only of the IPv4 address, so you included only that address in the site configuration. When you run the scan, the application discovers the IPv6 address. With this filter, you can find all assets to which this scenario applies, and then add the discovered addresses to a site for a future scan to increase your security coverage.

After you select the filter and operator, you select either IPv4 or IPv6 from the drop-down list.

The filter works with one operator:

Filtering by PCI compliance status

The PCI status filter lets you search for assets based on whether they return Pass or Fail results when scanned with the PCI audit template. Finding assets that fail compliance scans can help you determine at a glance which require remediation in advance of an official PCI audit.

It works with two operators:

After you select an operator, select the Pass or Fail option from the drop-down list.

Filtering by service name

The service name filter lets you search for assets based on the services running on them. The filter applies a search string to service names, so that the search returns a list of assets that either have or do not have the specified service.

It works with the following operators:

After you select an operator, you type a search string for the service name in the blank field.

Filtering by site name

The site name filter lets you search for assets based on the name of the site to which the assets belong.

This is an important filter to use if you want to control users’ access to newly discovered assets in sites to which users do not have access. See the note in Using dynamic asset groups.

The filter applies a search string to site names, so that the search returns a list of assets that either belong to, or do not belong to, the specified sites.

It works with the following operators:

Filtering by software name

The software name filter lets you search for assets based on software installed on them. The filter applies a search string to software names, so that the search returns a list of assets that either run or do not run the specified software.

It works with the following operators:

After you select an operator, you enter the search string for the software name in the blank field.

Filtering by presence of validated vulnerabilities

The Validated vulnerabilities filter lets you search for assets with vulnerabilities that have been validated with exploits through Metasploit integration. By using this filter, you can isolate assets with vulnerabilities that have been proven to exist with a high degree of certainty. For more information, see Working with validated vulnerabilities.

The filter works with one operator:

Filtering by user-added criticality level

The user-added criticality level filter lets you search for assets based on the criticality tags that you and your users have applied to them. For example, a user may set all assets belonging to company executives to be of a “Very High” criticality in their organization. Using this filter, you could identify assets with that criticality set, regardless of their sites or other associations. You can search for assets with or without a specific criticality level, assets whose criticality is above or below a specific level, or assets with or without any criticality set. For more information on criticality levels, see Applying RealContext with tags.

The filter works with the following operators:

After you select an operator, you select a criticality level from the drop-down menu. Available criticality levels are Very High, High, Medium, Low, and Very Low.

Filtering by user-added custom tag

The user-added custom tag filter lets you search for assets based on the custom tags that users have applied to them. For example, your company may have assets involved in an online banking process distributed throughout various locations and subnets, and a user may have tagged the involved assets with a custom “Online Banking” tag. Using this filter, you could identify assets with that tag, regardless of their sites or other associations. You can search for assets with or without a specific tag, assets whose custom tags meet certain criteria, or assets with or without any user-added custom tags. For more information on user-added custom tags, see Applying RealContext with tags.

The filter works with the following operators:

After you select an operator, you type a search string for the custom tag in the blank field.

Filtering by user-added tag (location)

The user-added tag (location) filter lets you search for assets based on the location tags that users have applied to them. For example, a user may have created and applied tags for “Akron” and “Cincinnati” to clarify the physical location of assets in a user-friendly way. Using this filter, you could identify assets with that tag, regardless of their other associations. You can search for assets with or without a specific tag, assets whose location tags meet certain criteria, or assets with or without any user-added location tags. For more information on user-added location tags, see Applying RealContext with tags.

The filter works with the following operators:

After you select an operator, you type a search string for the location tag in the blank field.

Filtering by user-added tag (owner)

The user-added tag (owner) filter lets you search for assets based on the owner tags that users have applied to them. For example, a company may have different people responsible for different assets. A user can tag the assets each person is responsible for and use this information to track the risk level of those assets. You can search for assets with or without a specific tag, assets whose owner tags meet certain criteria, or assets with or without any user-added owner tags. For more information on user-added owner tags, see Applying RealContext with tags.

The filter works with the following operators:

After you select an operator, you type a search string for the owner tag in the blank field.

Using vAsset filters

The following vAsset filters let you search for virtual assets that you track with vAsset discovery. Creating dynamic asset groups for virtual assets based on specific criteria can be useful for analyzing different segments of your virtual environment. For example, you may want to run reports or assess risk for all the virtual assets used by your accounting department, all of which belong to a specific resource pool. For information about vAsset discovery, see Discovering virtual machines managed by VMware vCenter or ESX/ESXi.

Filtering by vAsset cluster

The vAsset cluster filter lets you search for virtual assets that belong, or don’t belong, to specific clusters. This filter works with the following operators:

After you select an operator, you enter the search string for the cluster in the blank field.

Filtering by vAsset datacenter

The vAsset datacenter filter lets you search for assets that are managed, or are not managed, by specific datacenters. This filter works with the following operators:

After you select an operator, you enter the search string for the datacenter name in the blank field.

Filtering by vAsset host

The vAsset host filter lets you search for assets that are guests, or are not guests, of specific host systems. This filter works with the following operators:

After you select an operator, you enter the search string for the host name in the blank field.

Filtering by vAsset power state

The vAsset power state filter lets you search for assets that are in, or are not in, a specific power state. This filter works with the following operators:

After you select an operator, you select a power state from the drop-down list. Power states include on, off, or suspended.

Filtering by vAsset resource pool path

The vAsset resource pool path filter lets you discover assets that belong, or do not belong, to specific resource pool paths. This filter works with the following operators:

You can specify any level of a path, or you can specify multiple levels, each separated by a hyphen and right arrow: ->. This is helpful if you have resource pool path levels with identical names.

For example, you may have two resource pool paths with the following levels:

Human Resources
    Management
        Workstations

Advertising
    Management
        Workstations

The virtual machines that belong to the Management and Workstations levels are different in each path. If you only specify Management in your filter, the search will return all virtual machines that belong to the Management and Workstations levels in both resource pool paths.

However, if you specify Advertising -> Management -> Workstations, the search will only return virtual assets that belong to the Workstations pool in the path with Advertising as the highest level.

After you select an operator, you enter the search string for the resource pool path in the blank field.
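The path matching described above, modelled as an added example. This is not Nexpose code: it assumes that the levels in the search string must appear as a contiguous run of levels in a virtual machine's pool path, so a single level such as Management matches that pool and every pool nested beneath it, while Advertising -> Management -> Workstations pins the match to one branch. The VM inventory is constructed to reproduce the two trees from the text.

```python
# Added example (not Nexpose code): a model of how a resource pool path
# search string is assumed to match a virtual machine's pool path.
# Assumption: the search levels must occur consecutively inside the
# VM's path, which is why a single level also matches nested pools.


def pool_levels(path: str) -> list[str]:
    """Split 'Advertising -> Management -> Workstations' into its levels."""
    return [level.strip() for level in path.split("->") if level.strip()]


def pool_path_matches(vm_path: str, search: str) -> bool:
    """True if the search levels occur consecutively inside vm_path's levels."""
    vm = pool_levels(vm_path)
    wanted = pool_levels(search)
    if not wanted:
        return False
    n = len(wanted)
    return any(vm[i:i + n] == wanted for i in range(len(vm) - n + 1))


def search_by_pool_path(vms: dict[str, str], search: str, belongs: bool = True) -> list[str]:
    """Model the 'belongs to' (belongs=True) and 'does not belong to' operators."""
    return sorted(name for name, path in vms.items()
                  if pool_path_matches(path, search) == belongs)


# Constructed inventory reproducing the two resource pool trees from the text.
VMS = {
    "hr-mgmt-01": "Human Resources -> Management",
    "hr-ws-01": "Human Resources -> Management -> Workstations",
    "adv-mgmt-01": "Advertising -> Management",
    "adv-ws-01": "Advertising -> Management -> Workstations",
}

if __name__ == "__main__":
    # A bare level matches both trees; a full path matches one pool only.
    print(search_by_pool_path(VMS, "Management"))
    print(search_by_pool_path(VMS, "Advertising -> Management -> Workstations"))
```

The negated form (belongs=False) models the "does not belong to" operator; note that with a single ambiguous level such as Management it excludes VMs in both trees, which is exactly why the multi-level form exists.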

Filtering by CVSS risk vectors

The filters for the following Common Vulnerability Scoring System (CVSS) risk vectors let you search for assets based on vulnerabilities that pose different types or levels of risk to your organization’s security:

These filters refer to the industry-standard vectors used in calculating CVSS scores and PCI severity levels. They are also used in risk strategy calculations for risk scores. For detailed information about CVSS vectors, go to the National Vulnerability Database Web site at nvd.nist.gov/cvss.cfm.

Using these filters, you can find assets based on different exploitability attributes of the vulnerabilities found on them, or based on the different types and degrees of impact to the asset in the event of compromise through the vulnerabilities found on them. Isolating these assets can help you to make more informed decisions on remediation priorities or to prepare for a PCI audit.

All six filters work with two operators:

After you select a filter and an operator, select the desired impact level or likelihood attribute from the drop-down list:

Filtering by vulnerabilities assessed

The vulnerabilities assessed filter lets you search for assets based on when they were last scanned for vulnerabilities. In contrast to the last scan date filter, this option lets you focus specifically on vulnerability assessments. You may want, for example, to run a report on the most recently assessed assets. Or, you may want to find assets that have not been assessed in a long time and then delete them from the database because they are no longer considered important for tracking purposes. The filter works with the following operators:

Keep several things in mind when using this filter:

Filtering by vulnerability category

The vulnerability category filter lets you search for assets based on the categories of vulnerabilities that have been flagged on them during scans. This is a useful filter for finding out at a quick glance how many, and which, assets have a particular type of vulnerability, such as ones related to Adobe, Cisco, or Telnet. Lists of vulnerability categories can be found in the Vulnerability Checks section of the scan template configuration or the report configuration, where you can filter report scope based on vulnerabilities.

The filter applies a search string to vulnerability categories, so that the search returns a list of assets that either have or do not have vulnerabilities in categories that match that search string. It works with the following operators:

After you select an operator, you type a search string for the vulnerability category in the blank field.

Filtering by vulnerability CVSS score

The Vulnerability CVSS score filter lets you search for assets with vulnerabilities that have a specific CVSS score or fall within a range of scores. You may find it helpful to create asset groups according to CVSS score ranges that correspond to PCI severity levels: low (0.0-3.9), medium (4.0-6.9), and high (7.0-10). Doing so can help you prioritize assets for remediation.

The filter works with the following operators:

After you select an operator, type a score in the blank field. If you select the range operator, type a low score and a high score to create the range. Acceptable values are any number from 0.0 to 10. You can enter only one digit to the right of the decimal point; if you enter more, the score is rounded to one decimal place. For example, if you enter a score of 2.25, it is rounded to 2.3.

Filtering by vulnerability exposures

The vulnerability exposures filter lets you search for assets based on the following types of exposures known to be associated with vulnerabilities discovered on those assets:

This is a useful filter for isolating and prioritizing assets that have a higher likelihood of compromise due to these exposures.

The filter applies a search string to one or more of the vulnerability exposure types, so that the search returns a list of assets that either have or do not have vulnerabilities associated with the specified exposure types. It works with the following operators:

After you select an operator, select one or more exposure types in the drop-down list. To select multiple types, hold down the <Ctrl> key and click all desired types.

Filtering by vulnerability risk scores

The vulnerability risk score filter lets you search for assets with vulnerabilities that have a specific risk score or fall within a range of scores. Isolating and tracking assets with higher risk scores, for example, can help you prioritize remediation for those assets.

The filter works with the following operators:

After you select an operator, enter a score in the blank field. If you select the range operator, you would type a low score and a high score to create the range. Keep in mind your currently selected risk strategy when searching for assets based on risk scores. For example, if the currently selected strategy is Real Risk, you will not find assets with scores higher than 1,000. Refer to the risk scores in your vulnerability and asset tables for guidance.

Filtering by vulnerability title

The vulnerability title filter lets you search for assets based on the vulnerabilities that have been flagged on them during scans. This is a useful filter to use for verifying patch applications, or finding out at a quick glance how many, and which, assets have a particular high-risk vulnerability.

The filter applies a search string to vulnerability titles, so that the search returns a list of assets that either have or do not have the specified string in their titles. It works with the following operators:

After you select an operator, you type a search string for the vulnerability name in the blank field.

Combining filters

If you create multiple filters, you can have Nexpose return a list of assets that match all the criteria specified in the filters, or a list of assets that match any of the criteria specified in the filters. You can make this selection in a drop-down list at the bottom of the Search Criteria panel.

The difference between All and Any is that the All setting returns only assets that match the search criteria in every filter, whereas the Any setting returns assets that match the criteria in at least one filter. For this reason, a search with All selected typically returns fewer results than the same search with Any.

For example, suppose you are scanning a site with 10 assets. Five of the assets run Linux, and their names are linux01, linux02, linux03, linux04, and linux05. The other five run Windows, and their names are win01, win02, win03, win04, and win05.

Suppose you create two filters. The first filter is an operating system filter, and it returns a list of assets that run Windows. The second filter is an asset filter, and it returns a list of assets that have “linux” in their names.

If you perform a filtered asset search with the two filters using the All setting, the search will return a list of assets that run Windows and have “linux” in their asset names. Since no such assets exist, there will be no search results. However, if you use the same filters with the Any setting, the search will return a list of assets that run Windows or have “linux” in their names. Five of the assets run Windows, and the other five assets have “linux” in their names. Therefore, the result set will contain all of the assets.
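The following added example models the behaviour described in this section and in Filtering by IP address above, over a constructed inventory of the ten hosts from the All / Any scenario. It is not Nexpose code: the filters are local predicates, the IP addresses, open ports and CVSS scores are invented, and two details are assumptions (the * wildcard matches any run of characters, and typed CVSS scores round half-up to one decimal).

```python
# Added example (not Nexpose code): a local model of filtered asset search
# showing how individual filters behave and how All / Any combines them.
import fnmatch
import ipaddress
import re
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP
from typing import Callable, Iterable


@dataclass(frozen=True)
class Asset:
    name: str
    ip: str
    os: str
    open_ports: frozenset
    cvss_scores: tuple  # CVSS base scores of vulnerabilities found on the asset


Filter = Callable[[Asset], bool]

# Constructed inventory: the ten hosts from the All / Any example, with
# addresses and scan data invented for illustration.
INVENTORY = tuple(
    [Asset(f"linux0{i}", f"192.168.2.{i}", "Linux", frozenset({22}), (5.3,)) for i in range(1, 6)]
    + [Asset(f"win0{i}", f"192.168.2.{i + 5}", "Windows", frozenset({445, 3389}), (9.8, 4.3)) for i in range(1, 6)]
)


def name_like(pattern: str) -> Filter:
    """Asset name 'is like' with the * wildcard (assumed: * matches any run of characters)."""
    return lambda a: fnmatch.fnmatchcase(a.name.lower(), pattern.lower())


def name_regex(expr: str, negate: bool = False) -> Filter:
    """Asset name 'like' / 'not like' with a regular expression."""
    rx = re.compile(expr)
    return lambda a: bool(rx.search(a.name)) != negate


def os_is(name: str) -> Filter:
    return lambda a: a.os == name


def ip_in_range(start: str, end: str, negate: bool = False) -> Filter:
    """IP address 'is in the range of' / 'is not in the range of' (inclusive dotted quads)."""
    lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if lo > hi:
        raise ValueError(f"range start {start} is after range end {end}")
    return lambda a: (lo <= ipaddress.ip_address(a.ip) <= hi) != negate


def ip_is_not(addr: str) -> Filter:
    target = ipaddress.ip_address(addr)
    return lambda a: ipaddress.ip_address(a.ip) != target


def port_open_in_range(low: int, high: int) -> Filter:
    """Open port number filter: any open port inside [low, high]."""
    return lambda a: any(low <= p <= high for p in a.open_ports)


def round_score(text: str) -> Decimal:
    """Normalise a typed CVSS score to one decimal, as the form does (half-up rounding assumed)."""
    return Decimal(text).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP)


def cvss_in_range(low: str, high: str) -> Filter:
    lo, hi = round_score(low), round_score(high)
    return lambda a: any(lo <= Decimal(str(s)) <= hi for s in a.cvss_scores)


def search(assets: Iterable[Asset], filters: list[Filter], match: str = "all") -> list[str]:
    """Return asset names matching ALL filters or ANY filter, like the Search Criteria drop-down."""
    combine = all if match == "all" else any
    return sorted(a.name for a in assets if combine(f(a) for f in filters))


if __name__ == "__main__":
    windows, linux_named = os_is("Windows"), name_like("*linux*")
    print("all:", search(INVENTORY, [windows, linux_named], "all"))   # no asset is both
    print("any:", search(INVENTORY, [windows, linux_named], "any"))   # every asset is one or the other
    print("range minus exclusions:", search(INVENTORY, [
        ip_in_range("192.168.2.1", "192.168.2.254"),
        ip_is_not("192.168.2.7"), ip_is_not("192.168.2.199")]))
```

The range-with-exclusions query only makes sense under All: each "is not" filter removes one address from the range. Under Any the same three filters would return every host in the range, because every host satisfies at least one "is not" filter, which is the trap the All / Any drop-down sets for combined inclusion and exclusion filters.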