Empirical Security

Search Syntax

Building Search Queries

Search queries are built from search terms separated by spaces. Each search term is a key and a value joined with a colon, for example score:>90.

A query returns the records that match every term in it; in other words, terms are combined with AND.

Users can search CVEs, Assets, and Findings with similar syntax, but different terms as detailed below.

When used with the Search API, the query string must be URL-encoded. cURL users can add the following to their command, which encodes the query and appends it to the request URL:

-G --data-urlencode "q=score:>90"

CVE Search Terms


score

Search against a CVE’s current score. The scores associated with the currently selected model will be used.

Syntax for specifying score constraints (all scores are specified on a 0-100 scale and may contain decimals):

  • >N
  • >=N
  • <N
  • <=N
  • [N M] Alias for score:>=N score:<=M

If multiple score terms are given for a constraint, the final term is used. For example, score:>80 score:>60 is equivalent to score:>60.
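As an added example (not code from this page or from Empirical Security), the following Python helper builds a query from (key, value) pairs, expands the [N M] alias, applies the final-term-wins rule, and percent-encodes the result the same way the cURL flags in Building Search Queries do. Assumptions: the set of range keys is taken from this page; the rule is read as applying separately to a lower bound (>, >=) and an upper bound (<, <=) on the same key, since [N M] expands to one of each; and the base URL passed to api_url is a placeholder, because the Search API endpoint is not given here.

```python
import re
from urllib.parse import quote, urlencode

# Keys documented on this page as taking >N, >=N, <N, <=N or [N M] values.
RANGE_KEYS = {
    "score", "cvss_score", "cvss_v3_score", "cvss_v4_score", "published_at",
    "first_seen", "last_seen", "cve_score", "finding_count",
    "cve_cvss_score", "cve_cvss_v3_score", "cve_cvss_v4_score",
}
BOUND_RE = re.compile(r"^(>=|<=|>|<)(\S+)$")
BRACKET_RE = re.compile(r"^\[(\S+)\s+(\S+)\]$")


def expand_term(key, value):
    """Expand the documented [N M] alias into key:>=N key:<=M for range keys.
    Bracket values on other keys (ipv4, ipv6) are a different form and pass through."""
    m = BRACKET_RE.match(value)
    if key in RANGE_KEYS and m:
        return [(key, ">=" + m.group(1)), (key, "<=" + m.group(2))]
    return [(key, value)]


def bound_side(key, value):
    """'lower' for > and >=, 'upper' for < and <=, None for non-range terms."""
    m = BOUND_RE.match(value)
    if key not in RANGE_KEYS or not m:
        return None
    return "lower" if m.group(1)[0] == ">" else "upper"


def normalize(terms):
    """Apply the page's rule that a repeated constraint keeps only its final term.
    Assumption (this example's reading of the rule): a lower bound and an upper
    bound on the same key are distinct constraints, since [N M] expands to both,
    so score:>80 score:<95 keeps both while score:>80 score:>60 keeps only score:>60.
    Non-range terms (vendor, tag, ...) are never collapsed; they simply AND together."""
    out, slot_index = [], {}
    for key, value in terms:
        for k, v in expand_term(key, value):
            side = bound_side(k, v)
            if side is None:
                out.append((k, v))
                continue
            slot = (k, side)
            if slot in slot_index:
                out[slot_index[slot]] = (k, v)  # final term wins, position preserved
            else:
                slot_index[slot] = len(out)
                out.append((k, v))
    return out


def build_query(terms):
    """Render (key, value) pairs as the space-separated query string."""
    return " ".join(f"{k}:{v}" for k, v in normalize(terms))


def encode_for_api(query):
    """Percent-encode the query as the q parameter. safe='' encodes ':', '>', '/'
    and turns spaces into %20, matching what curl -G --data-urlencode sends."""
    return urlencode({"q": query}, safe="", quote_via=quote)


def api_url(base_url, terms):
    """Assemble a GET URL. base_url is a placeholder supplied by the caller;
    the real Search API endpoint is not given on this page."""
    return f"{base_url}?{encode_for_api(build_query(terms))}"


if __name__ == "__main__":
    terms = [("score", "[80 95]"), ("exploitation_activity", "new"), ("score", ">85")]
    print(build_query(terms))
    print(api_url("https://api.example.invalid/search", terms))
```

Running the module prints score:>85 score:<=95 exploitation_activity:new, since the later score:>85 replaces the lower bound that [80 95] expanded to while the upper bound survives.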

cvss_score

Search against a CVE’s CVSS score across any version. Scores are specified on a 0-10 scale and may contain decimals.

  • >N
  • >=N
  • <N
  • <=N
  • [N M] Alias for cvss_score:>=N cvss_score:<=M

cvss_v3_score

Same syntax as cvss_score, but filters to CVSS v3.1 scores only.

cvss_v4_score

Same syntax as cvss_score, but filters to CVSS v4.0 scores only.

published_at

Search against a CVE’s publication date.

Syntax for specifying publication date constraints (dates should be in the format YYYY-MM-DD):

  • >N
  • >=N
  • <N
  • <=N
  • [N M] Alias for published_at:>=N published_at:<=M

If multiple published_at terms are given for a constraint, the final term is used. For example, published_at:>2025-01-01 published_at:>2025-02-01 is equivalent to published_at:>2025-02-01.

exp_activity

Alias for exploitation_activity

exploitation_activity

One of the following values:

  • true Return CVEs for which Empirical has observed exploitation activity at any time.
  • new Return CVEs for which Empirical has observed exploitation activity for the first time in the past 7 days (i.e., activity in the 0-7 day bucket only, with no prior activity).
  • cisa_kev Return CVEs that appear in the CISA Known Exploited Vulnerabilities list.
  • 0-7 Return CVEs for which Empirical has observed exploitation activity 0 to 7 days ago.
  • last_7_days Alias for 0-7.
  • 8-30 Return CVEs for which Empirical has observed exploitation activity 8 to 30 days ago.
  • 31-90 Return CVEs for which Empirical has observed exploitation activity 31 to 90 days ago.
  • 91-365 Return CVEs for which Empirical has observed exploitation activity 91 to 365 days ago.
  • 366+ Return CVEs for which Empirical has observed exploitation activity over 365 days ago.

vendor

The name of the software vendor responsible for the affected software. Spaces in vendor names should be replaced with underscores, for example: trend_micro

product

The name of the affected software product. Spaces in product names should be replaced with underscores, for example: airflow_hive_provider

tag

Filter by a searchable tag name. For example: tag:remote_code_execution

exploit_code

  • true Return CVEs for which public exploit code is available.
  • false Return CVEs for which no public exploit code is available.

recently_updated

  • past_day Return CVEs which Empirical has updated in the past 24 hours.
  • past_week Return CVEs which Empirical has updated in the past 7 days.
  • past_month Return CVEs which Empirical has updated in the past month.

malware

  • true Return CVEs for which Empirical has associated malware hashes.

Asset Search Terms


asset_type

Exact match on the asset type. For example: asset_type:server

ipv4

Match assets that have an IPv4 address satisfying the term. Supports three forms:

  • Exact match: ipv4:192.168.1.1
  • CIDR range (all IPs within the subnet): ipv4:192.168.1.0/24
  • Bracket range (all IPs between start and end, inclusive): ipv4:[10.0.0.1 10.0.0.50]

ipv6

Match assets that have an IPv6 address satisfying the term. Supports three forms:

  • Exact match: ipv6:2001:db8::1
  • CIDR range (all IPs within the subnet): ipv6:2001:db8::/32
  • Bracket range (all IPs between start and end, inclusive): ipv6:[2001:db8::1 2001:db8::ff]
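An added Python check (not code from this page or from Empirical Security) that applies the three ipv4:/ipv6: forms above to a constructed asset inventory, so a query can be sanity-checked against known addresses before it is sent. The inventory and hostnames are made up for the example. One assumption is stated in the code: a CIDR value with host bits set (such as 10.0.0.5/24) is rejected, because how the API treats that input is not documented here.

```python
import ipaddress

# Constructed sample inventory for this example; hostnames and addresses are not real data.
SAMPLE_ASSETS = {
    "web-01": ["192.168.1.1", "2001:db8::1"],
    "db-01": ["10.0.0.25"],
    "app-01": ["10.0.0.50"],
    "edge-01": ["10.0.0.51", "2001:db8:1::5"],
}


def ip_predicate(value):
    """Turn an ipv4:/ipv6: value into a predicate over ipaddress objects.
    Handles the three documented forms: exact, CIDR, and inclusive [start end]."""
    value = value.strip()
    if value.startswith("[") and value.endswith("]"):
        parts = value[1:-1].split()
        if len(parts) != 2:
            raise ValueError(f"bracket range needs two addresses: {value!r}")
        lo, hi = (ipaddress.ip_address(p) for p in parts)
        if lo.version != hi.version:  # check before comparing; mixed versions raise TypeError
            raise ValueError("range endpoints must be the same IP version")
        if lo > hi:
            raise ValueError(f"range start {lo} is after end {hi}")
        return lambda a: a.version == lo.version and lo <= a <= hi
    if "/" in value:
        # Assumption: strict=True rejects host bits set (10.0.0.5/24). How the API
        # treats such input is not documented on this page, so this helper refuses to guess.
        net = ipaddress.ip_network(value, strict=True)
        return lambda a: a.version == net.version and a in net
    exact = ipaddress.ip_address(value)
    return lambda a: a == exact


def asset_matches(addresses, key, value):
    """True if any address of the asset in the key's family satisfies the term."""
    if key not in ("ipv4", "ipv6"):
        raise ValueError(f"not an address key: {key}")
    family = 4 if key == "ipv4" else 6
    match = ip_predicate(value)
    return any(
        addr.version == family and match(addr)
        for addr in map(ipaddress.ip_address, addresses)
    )


def search_assets(assets, key, value):
    """Names of assets matching a single ipv4:/ipv6: term, sorted for stable output."""
    return sorted(name for name, addrs in assets.items() if asset_matches(addrs, key, value))


if __name__ == "__main__":
    for term in ("192.168.1.1", "192.168.1.0/24", "[10.0.0.1 10.0.0.50]"):
        print(f"ipv4:{term} -> {search_assets(SAMPLE_ASSETS, 'ipv4', term)}")
```

The bracket form is inclusive at both ends, so [10.0.0.1 10.0.0.50] picks up app-01 at 10.0.0.50 but not edge-01 at 10.0.0.51; the family check means an ipv4: term never matches an asset's IPv6 addresses even if the value itself parses.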

fqdn

Match assets containing the specified fully qualified domain name. For example: fqdn:example.com

hostname

Match assets containing the specified hostname. For example: hostname:web-01

os_version

Match assets containing the specified operating system version. For example: os_version:ubuntu

platform

Exact match on the asset platform. For example: platform:mac, platform:linux, platform:windows

mac_address

Match assets containing the specified MAC address. For example: mac_address:00:1A:2B:3C:4D:5E

first_seen

Search against the date an asset was first seen by a scanner. Dates should be in the format YYYY-MM-DD.

  • >N
  • >=N
  • <N
  • <=N
  • [N M] Alias for first_seen:>=N first_seen:<=M

last_seen

Search against the date an asset was last seen by a scanner. Dates should be in the format YYYY-MM-DD.

  • >N
  • >=N
  • <N
  • <=N
  • [N M] Alias for last_seen:>=N last_seen:<=M

score

Search against an Asset’s own score. The scores associated with the currently selected model will be used.

Syntax for specifying score constraints (all scores are specified on a 0-100 scale and may contain decimals):

  • >N
  • >=N
  • <N
  • <=N
  • [N M] Alias for score:>=N score:<=M

cve_score

Search against the score of CVEs associated with assets. The scores associated with the currently selected model will be used.

Syntax for specifying score constraints (all scores are specified on a 0-100 scale and may contain decimals):

  • >N
  • >=N
  • <N
  • <=N
  • [N M] Alias for cve_score:>=N cve_score:<=M

finding_count

Filter assets by the number of associated findings.

  • >N
  • >=N
  • <N
  • <=N
  • [N M] Alias for finding_count:>=N finding_count:<=M

cve_vendor

Filter assets by the vendor of associated CVEs on related findings. For example: cve_vendor:microsoft

cve_product

Filter assets by the product of associated CVEs on related findings. For example: cve_product:windows

cve_cvss_score

Filter assets by the CVSS score of associated CVEs across any version. Scores are specified on a 0-10 scale and may contain decimals.

  • >N
  • >=N
  • <N
  • <=N
  • [N M] Alias for cve_cvss_score:>=N cve_cvss_score:<=M

cve_cvss_v3_score

Same syntax as cve_cvss_score, but filters to CVSS v3.1 scores only.

cve_cvss_v4_score

Same syntax as cve_cvss_score, but filters to CVSS v4.0 scores only.

Finding Search Terms


vendor

The name of the scanner vendor associated with findings. For example: vendor:qualys

state

The finding state group. Valid values: open (which includes reopened), closed, deleted, ignored. Use a single value (state:open) or several values in parentheses (state:(open closed)). Values in parentheses are combined with OR, so state:(open closed) returns findings that are open or closed.
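An added Python example (not code from this page or from Empirical Security) of the state semantics above: a tokenizer that keeps parenthesised and bracketed values whole when splitting a query on spaces, the group expansion under which open also admits reopened, OR inside the parentheses and AND across terms. The findings are constructed for the example; the cve key is handled case-insensitively as the page documents, and any other key is rejected rather than guessed at.

```python
# The page's state groups: open also covers reopened findings.
STATE_GROUPS = {
    "open": {"open", "reopened"},
    "closed": {"closed"},
    "deleted": {"deleted"},
    "ignored": {"ignored"},
}

# Constructed sample findings for this example, not real scanner output.
SAMPLE_FINDINGS = [
    {"id": "f1", "state": "open", "cve": "CVE-2024-1234"},
    {"id": "f2", "state": "reopened", "cve": "CVE-2024-1234"},
    {"id": "f3", "state": "closed", "cve": "CVE-2024-1234"},
    {"id": "f4", "state": "deleted", "cve": "CVE-2024-1234"},
]


def tokenize(query):
    """Split a query into (key, value) pairs on spaces, keeping values inside
    [ ... ] and ( ... ) intact so state:(open closed) and ipv4:[a b] stay whole."""
    terms, buf, depth = [], [], 0
    for ch in query:
        if ch in "[(":
            depth += 1
        elif ch in "])":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced closing bracket")
        if ch == " " and depth == 0:
            if buf:
                terms.append("".join(buf))
                buf = []
        else:
            buf.append(ch)
    if depth != 0:
        raise ValueError("unbalanced opening bracket")
    if buf:
        terms.append("".join(buf))
    pairs = []
    for term in terms:
        key, sep, value = term.partition(":")  # first colon only: ipv6:2001:db8::1 keeps its value
        if not (key and sep and value):
            raise ValueError(f"term is not key:value: {term!r}")
        pairs.append((key, value))
    return pairs


def alternatives(value):
    """state:(open closed) -> ['open', 'closed']; state:open -> ['open']."""
    if value.startswith("(") and value.endswith(")"):
        return value[1:-1].split()
    return [value]


def allowed_states(value):
    """Expand the OR'd state groups into the concrete states they admit."""
    allowed = set()
    for group in alternatives(value):
        if group not in STATE_GROUPS:
            raise ValueError(f"unknown state group: {group!r}")
        allowed |= STATE_GROUPS[group]
    return allowed


def finding_matches(finding, terms):
    """AND across terms; OR inside a parenthesised state value."""
    for key, value in terms:
        if key == "state":
            if finding["state"] not in allowed_states(value):
                return False
        elif key == "cve":
            if finding["cve"].upper() != value.upper():  # documented as case-insensitive
                return False
        else:
            raise ValueError(f"key not handled by this example: {key}")
    return True


def search_findings(findings, query):
    """Ids of findings matching every term of the query."""
    terms = tokenize(query)
    return [f["id"] for f in findings if finding_matches(f, terms)]


if __name__ == "__main__":
    for q in ("state:open", "state:(open closed)", "state:closed cve:cve-2024-1234"):
        print(f"{q} -> {search_findings(SAMPLE_FINDINGS, q)}")
```

Note that state:open returns both f1 and f2 because reopened belongs to the open group, and that a state group outside the four documented values raises rather than silently matching nothing.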

cve

A CVE identifier associated with the finding. Case-insensitive. For example: cve:CVE-2024-1234

first_seen

Search against the date a finding was first seen by a scanner. Dates should be in the format YYYY-MM-DD.

  • >N
  • >=N
  • <N
  • <=N
  • [N M] Alias for first_seen:>=N first_seen:<=M

last_seen

Search against the date a finding was last seen by a scanner. Dates should be in the format YYYY-MM-DD.

  • >N
  • >=N
  • <N
  • <=N
  • [N M] Alias for last_seen:>=N last_seen:<=M

score

Search against a Finding’s own score. The scores associated with the currently selected model will be used.

Syntax for specifying score constraints (all scores are specified on a 0-100 scale and may contain decimals):

  • >N
  • >=N
  • <N
  • <=N
  • [N M] Alias for score:>=N score:<=M

cve_score

Search against the score of CVEs associated with findings. The scores associated with the currently selected model will be used.

Syntax for specifying score constraints (all scores are specified on a 0-100 scale and may contain decimals):

  • >N
  • >=N
  • <N
  • <=N
  • [N M] Alias for cve_score:>=N cve_score:<=M

cve_vendor

Filter findings by the vendor of associated CVEs. For example: cve_vendor:microsoft

cve_product

Filter findings by the product of associated CVEs. For example: cve_product:windows

cve_cvss_score

Filter findings by the CVSS score of associated CVEs across any version. Scores are specified on a 0-10 scale and may contain decimals.

  • >N
  • >=N
  • <N
  • <=N
  • [N M] Alias for cve_cvss_score:>=N cve_cvss_score:<=M

cve_cvss_v3_score

Same syntax as cve_cvss_score, but filters to CVSS v3.1 scores only.

cve_cvss_v4_score

Same syntax as cve_cvss_score, but filters to CVSS v4.0 scores only.