About

Vulcan's Magic Search is designed to elevate the search and filtering experience with new and empowered capabilities. Use the new Filter capabilities to efficiently retrieve the information that matters most. Here's a glimpse of what you can expect.

Create Complex queries with groups of AND / OR combinations.
Save Searches to recall complex queries, ensuring you can quickly access valuable information whenever needed.
Apply exact and partial match Options using "Is" or "Is Not", or apply "Contains" and "Does Not Contain" criteria to zero in on the information that meets your requirements.
Search for empty or populated values by applying the "Is not empty" and "Is empty" parameters.
Perform relative comparison using "Greater Than" and "Less Than" options to isolate data points that fall within specific numeric ranges.

Availability and Support

Magic Search will be available on the following pages in the Vulcan Platform:

All Asset tabes (Hosts, Code Projects, Websites, Images, and Cloud Resources)
All Vulnerability tabs (Unique Vulnerabilities, Software Clusters, and CVE Clusters)

Query Examples

Single Queries

Single queries are your straightforward, go-to tool for refining search results. With the option to choose between "Or" or "And" conditions, single queries allow you to filter your results based on a single set of criteria.

Use the "Or" condition to broaden your search scope and retrieve results that meet any of the specified criteria
Use the "And" condition to create a narrower focus by demanding all criteria to be met. This option is ideal for quick, precise searches.

For example:

Grouped Queries (Complex Queries)

Complex or grouped queries let you navigate between multiple sets of criteria, using "And" and "Or" conditions within the same search scope.

Create query groups (AKA, several Single Queries), each with its own rules and conditions, to perform intricate searches.
Perform more nuanced searches, combining various factors to uncover specific insights.

Start by specifying your first condition.
Click the three dots next to the condition and select "Create Group." A visual group box is created. Within the box, click the "+Add Rule" button to add more rules and conditions to this specific group query.
Create your first group of conditions using either "And" or "Or". For example:
To create another group, click the "+Add Rule" outside of the first group box borders.
Create the second group of conditions. For example:
You can keep creating as many groups as you wish.

Differences between "And" and "Or" in Grouped Queries

By default, the "And" condition is automatically selected when creating a group, but you can change it to "Or" as needed. Each logic choice leads to different search results, as illustrated below:

Using the "And" Logic

When using "And" logic to combine results between different query groups, it means that each result must meet the conditions of every query group. For example, if we are searching for vulnerabilities that contain "2022" or "OpenSSL" in their name (Query Group A) and have a CVSS score greater than 9 (Query Group B), each search result must fulfill both conditions.

Using the "Or" Logic

When using the "Or" condition to combine results between different query groups, it means that each result must satisfy the conditions in either Query Group A or Query Group B (and so on). For instance, if we want to find vulnerabilities with an Exploitable threat tag and were last seen in the past 14 days (Group Query A), and also retrieve vulnerabilities with a CVSS score greater than 9 and are patchable using the "Or" condition, each result must meet at least one of these criteria.

Parameters, Operators, and Input Type

The following tables contain the supported parameters, operators, and input type per category.

Vulnerability Parameters

Parameter	Operator	Input type
Name	is is not contains does not contain	Free text
Source (Connector)	is is not	Free text autocomplete Multi-choice dropdown menu
CVE	is is not contains does not contain is empty is not empty	Free text autocomplete Single-choice dropdown menu
CWE	is is not contains does not contain is empty is not empty	Free text
CVSS	is is not greater than less than is empty is not empty	Free text
EPSS	is is not greater than less than is empty is not empty	Free text
Fix Type	is is not Any fix (is not empty) No Fix (is empty)	Free text autocomplete Multi-choice dropdown menu
Patchable	is true is false	NA
Published Date	between before after In the last	Calendar date range selector Specific date selector Numeric (number of days)
Last Seen	between before after In the last In less than	Calendar date range selector Specific date selector Numeric (number of days)
First Seen	between before after in the last in less than	Calendar date range selector Specific date selector Numeric (number of days)
Modified on	between before after in the last in less than	Calendar date range selector Specific date selector Numeric (number of days)
Fixed On (Fixed date as reported by the connector. Fallback: Vulcan's fix date)	between before after in the last	Calendar date range selector Specific date selector Numeric (number of days)
Threats Tag	is is not contains does not contain is empty is not empty	Free text autocomplete Multi-choice dropdown menu
Vulnerability Tag	is is not contains does not contain is empty is not empty	Free text autocomplete Multi-choice dropdown menu
Affected Package	is is not	Free text
Affected Vendor	is is not contains does not contain	Free text autocomplete Multi-choice dropdown menu
Status	is is not	Free text autocomplete Multi-choice dropdown menu

Asset Parameters

Parameter	Operator	Input type
Name	contains does not contain is is not is empty is not empty	Free text
Type	is is not	Free text autocomplete Multi-choice dropdown menu
Connector (Source)	is is not	Free text autocomplete Multi-choice dropdown menu
Business Group	is is not is empty is not empty	Free text autocomplete Multi-choice dropdown menu
Asset Tag	is is not is empty is not empty	Free text autocomplete Multi-choice dropdown menu
OS	is is not	Free text autocomplete Multi-choice dropdown menu
OS and Version	is is not contains does not contain	Free text autocomplete Multi-choice dropdown menu
OS End of Life	reached did not reach will reach within in more than	Numeric (number of days)
Cloud Instance ID	contains does not contain is is not is empty is not empty	Free text
Last Seen	between before after in the last in less than	Calendar date range selector Specific date selector Numeric (number of days)
First Seen	between before after in the last in less than	Calendar date range selector Specific date selector Numeric (number of days)
SLA	Exceeding Compliant [exceeded] in the last [exceeding] in less than [exceeding] in more than	Numeric (number of days)
IP	is is not contains does not contain	Numeric (IP format; x.x.x.x)
Port	is is not contains does not contain	Numeric (range: 0-65535)
Scan Coverage	is true is false	NA
Repo Name	contains does not contain is is not	Free text
Dynamic property (previously known as "Ownership Property")	is is not contains does not exist exists	Free text

Risk Parameters

Parameter	Operator	Input type
Score	is is not greater than less than	Numeric (range: 0-100)
Level	is is not	Free text autocomplete Multi-choice dropdown menu of risk levels (Critical, High, Medium, Low, and None)
SPR Threshold	above below	NA
SPR	Is Above Threshold - Identify instances where SPR exceeds your defined limits. Is Within Accepted Threshold - Filter for instances maintaining SPR within your acceptable range. Moved Above Threshold - Use the Date Picker to track when an SPR has exceeded the threshold. Moved to Within Accepted Threshold - Utilize the Date Picker to determine when an SPR has improved and fallen within the desired threshold.	Calendar date range selector (when relevant)

Connector-Specific Parameters

Connector-specific parameters allow you to refine your searches by utilizing a subset of each integrated connector’s native fields. This addition extends the capabilities of the out-of-the-box (OOB) parameters currently available in our Magic Search, providing you with more granular control and tailored results.

Parameter	Sub-Category	Operator	Input type
[Any integrated Connector Name]	At least one of the following: Instance Vulnerability Asset	is is not contains does not contain	Free text

Important Notes

Only integrated and connected connectors in your environment will be available for search.
Parameters are dynamically available based on the connectors integrated within your environment. For instance, if you connect with the Qualys or Tenable connectors, you’ll gain access to their unique parameter.
If a sub-category like 'Instance' does not appear as an option, it indicates that no respective data exists/is ingested for that connector.
The Vulcan Platform is pre-configured to ingest specific parameters from each connector. Parameters visible are those mapped and available within Vulcan, not necessarily all that a connector offers.
When searching, input is accepted as free-text only, even for parameters like dates or integers.

Integration and Syncing

When integrating a new connector, it may take up to 24 hours for all relevant data to appear in your search options.

FAQs

Can I search all fields I see on the Vulnerability Details page using Connector-Specific Parameters?

Not necessarily. Only the parameters ingested and mapped by Vulcan are searchable.

What happens if a connector is disabled or deleted?

Disabled connectors still display their parameters; however, deleted connectors will have their parameters removed from search options.

Can Connector-Specific Parameters be used in combination with other parameters?

Yes. They can also be saved as part of a saved search or a filter in playbooks. Tags based on saved searches will function if the search includes connector-specific parameters.

Vulcan ConnectX (Vulcan Report) Connector

Lacework Connector

CrowdStrike Connector

Checkmarx One Connector

November 2023 Product Update