Documentation Index

Fetch the complete documentation index at: https://help.nucleussec.com/llms.txt

Use this file to discover all available pages before exploring further.

How to search in VIP

  • 2 minute(s) read
Prev Next

Overview

The Home page is where you will find the search engine. You can think of searching in VIP like asking questions of the intelligence database, thanks to the simple built-in query language.

The search uses a standard syntax including:

  • = (is) 

  • != (is not)

  • ~ (contains)

  • !~ (does not contain)

  • and

  • or

  • is empty

  • is not empty

  • > (greater than)

  • < (less than)

  • >= (greater than or equal)

  • <= (less than or equal)

  • order by

Autocomplete

Nucleus VIP provides autocomplete throughout the entire search query to assist you in getting to the right question. 

For some fields, there is a set of pre-determined possible values that VIP identifies, assisting you in maximizing each field.

Dynamic Fields for Dates

The search also includes dynamic fields which can allow you to write a search that monitors a date range, so you don't have to manually determine the day of a date field each time you want to use the search.

  • more than

  • within

Grouping Statements

Searching in VIP also supports the use of grouping statements with parentheses '()' so the search can get more drilled down to the exact question you are trying to ask.

With all of that in mind, let's run through some examples:

Question: What are all the vulnerabilities currently observed in CISA's Known Exploited Vulnerabilities Catalog?

cisa_due_date is not empty

Question: What are all the vulnerabilities currently observed in CISA's Known Exploited Vulnerabilities Catalog that are observed by Mandiant as being widely exploited OR are observed being actively scanned for by GreyNoise? Note: this search uses a grouped '()' statement.

cisa_due_date is not empty and (mandiant_exploit_rating ~ "Wide" or greynoise_total_count > 0)

Question: What are all CVEs added to the NVD in the last week that are identified by Mandiant as either High or Critical Risk? Note: this search uses the dynamic field within as well as a grouped '()' statement.

nvd_published_date within "7 days" and (mandiant_risk_rating ~ "HIGH" or mandiant_risk_rating ~ "CRITICAL")

Advanced Searching

Nucleus VIP allows for searching on multiple grouped statements to allow for searches to get ever-complex and drilled to the exact threshold of risk you would like to set.

Example: Show me all CVEs which are known to be currently exploited by Mandiant, or have observed scanning traffic by GreyNoise, or have a high probability of being exploited in the next 30 days based on EPSS score and Proof-of-Concept (PoC) code being found on hacker forums. 

(mandiant_exploit_rating ~ "Wide" or mandiant_risk_rating ~ "Confirmed" or greynoise_total_count is not empty) or (intel471_poc_observed = "True" and epss_score > .5)

Nucleus VIP Internal Fields

VIP includes fields in the search for actions that you can take within the platform tied to a CVE ID. Search on any vulnerabilities with a Note left on them, or any you have Favorited in the platform, or by what feed contains data.

Next Step

Now that we've covered how to ask questions of the database, let's look at how to save a search!