Search rule: a filtered result set is a starting point, not proof. Use Search to find candidate records, then validate source quality, affected versions, local exposure, patch state, owner evidence, and safe closure language before assigning work.
Search Workflow Examples
Turn search filters into repeatable investigation paths.
Use these examples when you know a vendor, product, CVE, source, attack type, or signal, but need a practical route into validation, saved work, compare queues, handoffs, or leadership notes.
CVE ID, vendor, product, source, attack type, exploit note, or workflow word.
KEV, exploited, public PoC, no patch, internet-facing, unauthenticated, confidence, or guidance.
Copy the search link, save the search locally, export CSV/JSON, or add important records to Saved.
Open detail, compare close calls, validate affected versions, draft handoffs, or brief leaders.
Examples
Common search paths and what to do next.
Fresh CVE
Find one record fast
Search the CVE ID or product name. If results are broad, filter to CVEs and the right source, then open the detail page before saving or assigning.
KEV deadline
Build a known-exploited response slice
Filter for KEV-linked or exploited records, then prioritize by product owner, exposure, patch state, and business role before opening response work.
Vendor surge
Review one vendor or product family
Search the vendor or product family, then filter by source, confidence, or exploited status. Save the search if this vendor needs repeat review.
No-patch pressure
Find work that cannot simply patch
Filter no-patch or evolving guidance, then move candidates into mitigation, vendor clarification, exception, SOC monitoring, or not-affected validation.
False-positive review
Find noisy matches before assigning work
Use product, CPE-like terms, source filters, disputed or rejected filters, and confidence filters to find records needing validation before deadlines.
SOC handoff
Collect hunt-relevant items
Search attack type, exploited status, public PoC, ransomware, identity, cloud, or appliance terms, then hand off only scoped behavior and telemetry asks.
Repeatable Workflow
Use saved searches and compare queues without losing caveats.
Search Recipes
Starter slices worth saving.
Daily exploited review
Filter exploited, KEV-linked, public PoC, and new-since-last-visit records. Save this as a recurring daily triage slice.
External exposure review
Filter internet-facing, unauthenticated, remote, appliance, cloud, or identity terms when reachability matters more than score alone.
Patch planning review
Filter patch-available and concrete guidance records, then compare against no-patch, evolving, or advisory-led guidance before assigning work.
Trust review
Filter low confidence, disputed, rejected, source-specific, or advisory-led records before using the result set in a ticket or leadership brief.
Copy Template
Search handoff note
Search handoff note - [topic/vendor/CVE slice]
Search terms and filters: [query, type, signal, source, topic, attack, confidence, guidance]
Why this slice matters: [KEV / exploited / external / no patch / vendor surge / leadership request]
Records reviewed: [count and representative IDs]
Records selected for action: [IDs and reason]
Evidence still needed: [affected version, exposure, owner, patch state, SOC telemetry, vendor guidance]
Next workflow: [detail / saved / compare / owner handoff / SOC handoff / exception / brief]
Safe caveat: Search results identify candidates; they do not prove local exposure, compromise, or closure.
Owner and review trigger: [team/person/date/source update/retest/vendor answer]
Recommended next move: open Search, save one repeat slice, compare only the close calls, then turn selected results into evidence-backed owner asks.
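The search rule and handoff note above can be enforced on an exported result set. The following is an added example, not code from this product: the export field names, the local evidence structure, and the placeholder record IDs are all constructed assumptions, since the page does not document the export schema.

```python
import json

# Constructed sample export. Field names are assumptions for this example;
# the IDs are placeholders, not real CVE records.
EXPORT_JSON = """[
 {"id": "CVE-0000-0001", "product": "ExampleVPN", "kev": true,  "patch": "available", "confidence": "high"},
 {"id": "CVE-0000-0002", "product": "ExampleCMS", "kev": false, "patch": "none",      "confidence": "low"},
 {"id": "CVE-0000-0003", "product": "ExampleVPN", "kev": true,  "patch": "none",      "confidence": "high"}
]"""
RECORDS = json.loads(EXPORT_JSON)

# Constructed local evidence, keyed by product: what the team has confirmed itself.
LOCAL_EVIDENCE = {
    "ExampleVPN": {"affected_version": True, "exposure": "internet-facing", "owner": "netops"},
}
REQUIRED = ("affected_version", "exposure", "owner")

def kev_slice(records):
    """The 'KEV deadline' slice: keep only KEV-linked records."""
    return [r for r in records if r.get("kev")]

def evidence_gaps(record, evidence):
    """List what is still unproven before this candidate can be assigned."""
    known = evidence.get(record["product"], {})
    gaps = [item for item in REQUIRED if not known.get(item)]
    if record.get("confidence") == "low":
        gaps.append("source validation")   # trust review before ticketing
    if record.get("patch") == "none":
        gaps.append("vendor guidance")     # cannot simply patch
    return gaps

def build_note(topic, filters, records, evidence):
    """Fill the handoff note; only records with no gaps are selected for action."""
    gaps = {r["id"]: evidence_gaps(r, evidence) for r in records}
    selected = [rid for rid, g in gaps.items() if not g]
    pending = [f"{rid} ({', '.join(g)})" for rid, g in gaps.items() if g]
    return "\n".join([
        f"Search handoff note - {topic}",
        f"Search terms and filters: {filters}",
        f"Records reviewed: {len(records)} ({', '.join(gaps)})",
        f"Records selected for action: {', '.join(selected) or 'none'}",
        f"Evidence still needed: {'; '.join(pending) or 'none'}",
        "Safe caveat: Search results identify candidates; they do not prove "
        "local exposure, compromise, or closure.",
    ])

if __name__ == "__main__":
    print(build_note("KEV slice", "signal=KEV", kev_slice(RECORDS), LOCAL_EVIDENCE))
```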