New report options

There have been some additions to the data and query language that allow better searching, reports and alerts.

The first is that you can and a url, with wildcard, to all of the magic software queries. A magic query is one that starts with a $, and it is magic because it gathers data in a way that is not possible in the query language in ShadowTrackr. Here's an example:

$software_vulnerabilities_report last_seen>-7d url="*.com"

This will create a report of all vulnerable software found, with a list of assets with vulnerabilities that are found in the last week, but only for all your .com domains.

The second change is that you can use asset as a column in the assets and cves_assets indexes. Asset can be an ip address or a url/domain and it supports wildcards. Example:

index=cves_assets asset="*.nl"

This will list all vulnerabilities (one per line) found on your .nl domains. Note that this index contains older (patched) vulnerabilities too, so if you only want the recents ones do:

index=cves_assets last_seen>-7d asset="*.nl"

The third and last addition is the days column in the certificates index. It shows how long a certificate is valid in days. This allows you to make types of new reports, like this overview that groups certificates and issuers per how long the certificates are valid.

index=certificates last_seen>-7d by days | table days issuer