New vulnerabilities index, software index complete
08 December 2025
Almost all software detection has moved to the new software index. If you want to have a look, use this query:
index=software
It has separate fields for
vendor,
product,
version and
patch (name of the patch), and shows when specific software was
first_seen and
last_seen. This will allow you to check what software you had running in the past. Sometimes a new vulnerability is published and it turns out it has been used for months already. Your current software version might not be vulnerable, but the one last month might have been. You can check that now.
The magic query
$software_vulnerabilities_report and other software queries are now replaced with a fully functional software index. There are fields for
software,
assets,
ip,
url,
cve,
cvss_score,
cvss_severity and, like with the software index,
first_seen and
last_seen fields for every cve seen on every asset. Here are some example queries:
Show all recent vulnerabilities with a cvss_score above 8:
index=vulnerabilities last_seen>-7d cvss_score>8
Show all recent criticals:
index=vulnerabilities last_seen>-7d cvss_severity=critical
Check if you where vulnerable to CVE-2025-23048 last month:
index=vulnerabilities first_seen<-1m cve=CVE-2025-23048
Note that the old magic $software queries will still be supported, so don't worry about migrating any queries/reports you have.
