New report options

There have been some additions to the data and query language that allow better searching, reports and alerts.

The first is that you can and a url, with wildcard, to all of the magic software queries. A magic query is one that starts with a $, and it is magic because it gathers data in a way that is not possible in the query language in ShadowTrackr. Here's an example:

$software_vulnerabilities_report last_seen>-7d url="*.com"

This will create a report of all vulnerable software found, with a list of assets with vulnerabilities that are found in the last week, but only for all your .com domains.

The second change is that you can use asset as a column in the assets and cves_assets indexes. Asset can be an ip address or a url/domain and it supports wildcards. Example:

index=cves_assets asset="*.nl"

This will list all vulnerabilities (one per line) found on your .nl domains. Note that this index contains older (patched) vulnerabilities too, so if you only want the recents ones do:

index=cves_assets last_seen>-7d asset="*.nl"

The third and last addition is the days column in the certificates index. It shows how long a certificate is valid in days. This allows you to make types of new reports, like this overview that groups certificates and issuers per how long the certificates are valid.

index=certificates last_seen>-7d by days | table days issuer

Better alert emails, improved group account

The email alerts should be more usable now. Before, you had to open the attachment to see the actuals results. Most results are just about a few assets and listing those in the email body itself would save a click. So that's what is done now. Some results are shown, up to a maximum of 10. If there are too many columns to show properly, the middle ones are cut out in the email body (but still all included in the attachment).

Another update is on group accounts. Some of you are responsible for multiple organisations that are not supposed to see each others data. This can be done with a groupaccount, where the subaccounts behave just like regular ShadowTrackr accounts but the groupaccount admins can see and search all data of all subaccounts.

As a groupaccount admin you can enter a subaccount and go back to the grouplevel, but it wasn't always very clear where exactly you were at a given moment. That is fixed now (it's shows in the bottom left, in bright yellow). Also some extra menu items are added to the groupadmin menu for better navigation.

In Beta: RPKI checks in internet standards report

The internet standards report has been in ShadowTrackr for quite some time, but so far the RPKI checks where skipped. They are now implemented and rolled out over all assets to verify if this new update works properly.

On most assets, it does. Sometimes multiple overlapping prefixes are found, with one of them resulting in an "invalid length" problem. These will be filtered out in the coming week.

The Internet standard report is by default enabled for all domains. You can add specific urls or subdomains if you want: Go to the url page and click "add to internet standards report" in the action menu (the three dots) in the upper right corner.