Search queries

Comments that have been set on an asset can be searched using the syntax comment:<text>.

comment:"contractor laptop"
comment:"imaging server"

Tags that have been set on an asset can be searched using the syntax tag:<term>. The term can be either the tag name, or tag name followed by an equal sign and the tag value. Tag value matches must be exact.

tag:"group"
tag:"group=production"

The site name or ID can be used as a filter with the syntax site:<term>

site:Primary
site:"Branch Office"
site:ad67d649-041b-439d-af59-f200053a8899

The explorer name or ID can be used as a filter with the syntax explorer:<term>

explorer:DESKTOP-AB451F
explorer:8b927a8e-d405-40e9-aa47-d6afc9bff237

The ID field is the unique identifier for a given asset, written as a UUID. This field is searched using the syntax id:<uuid>.

id:cdb084f9-4811-445c-8ea1-3ea9cf88d536

The operating system field is a string describing the detected operating system software. This field is searched using the syntax os:<text>. The OS version, if available, can be searched using os_version:<number>.

os:"Windows"
os:"Ubuntu Linux"
os_version:8

The type field is a string describing the detected system type, such as Desktop, Laptop, Server, BMC, or Mobile. This field is searched using the syntax type:<text>.

type:Desktop
type:BMC
type:"Game Console"

The hardware field is a string describing the detected physical hardware, such as macMini or Nintendo Switch. This field is searched using the syntax hardware:<text>.

hardware:Switch
hardware:macMini

The hostnames associated with an asset are obtained from DNS and exposed services. These names can be searched using the syntax name:<text>.

name:"www"
name:"TV"

The hostname count can be searched using the syntax name_count:<number>. This search term supports numerical comparison operators (>, >=, <, <=, =).

name_count:>1

The domains associated with an asset are obtained from DNS and exposed services. These domain names can be searched using the syntax domain:<domainname>.

domain:"amazon.com"
domain:"corp.lan"
domain:"WORKGROUP"

The domain count can be searched using the syntax domain_count:<number>. This search term supports numerical comparison operators (>, >=, <, <=, =).

domain_count:>1

The addresses (both primary and secondary) associated with an asset can be searched using the syntax address:<ip>. This keyword also allows for wildcard matches using ‘%’.

address:192.168.0.1
address:10.0.0
address:%.0.1
address:10.%.254

The address counts (both primary and secondary) can be searched using the syntax address_count:<term> and address_extra_count:<number>. This search term supports numerical comparison operators (>, >=, <, <=, =).

address_extra_count:0

The addresses (both primary and secondary) associated with an asset can be searched by CIDR mask using the syntax net:<cidr>.

net:192.168.0.0/24

The credentials for an asset can be searched using the syntax credentials:<text>. The credentials will be text searched for the term.

credentials:admin

The keyword has_public can be used to locate any asset with a non-reserved IPv4 address using the syntax has_public:<boolean>.

The term is a boolean value:

• true, t, 1, and yes represent true
• false, f, 0, and no represent false

has_public:true

The keyword has_private can be used to locate any asset with RFC1918 IPv4 address using the syntax has_private:<boolean>.

The term is a boolean value:

• true, t, 1, and yes represent true
• false, f, 0, and no represent false

has_private:false

The keyword has_ipv6 can be used to locate any asset with an identified IPv6 address using the syntax has_ipv6:<boolean>.

The term is a boolean value:

• true, t, 1, and yes represent true
• false, f, 0, and no represent false

has_ipv6:false

The keyword has_link_local can be used to locate any asset with an identified IPv6 link local (fe80::) address using the syntax has_link_local:<boolean>.

The term is a boolean value:

• true, t, 1, and yes represent true
• false, f, 0, and no represent false

has_link_local:true

The MAC addresses associated with an asset can be searched using the syntax mac:<term>.

mac:00:5c:04
mac:00:00:1c

The MAC address count can be searched using the syntax mac_count:<number>. This search term supports numerical comparison operators (>, >=, <, <=, =).

mac_count:>2

The vendor associated with the MAC addresses of an asset can be searched using the syntax mac_vendor:<text>.

mac_vendor:Apple
mac_vendor:"Intel Corporate"

The MAC address vendor count can be searched using the syntax mac_vendor_count:<number>. This search term supports numerical comparison operators (>, >=, <, <=, =).

mac_vendor_count:0

The allocation date of the newest MAC address associated with an asset can be searched using the syntax mac_age:<term>. The term supports a greater than > or less than <

mac_age:>1year
mac_age:<6months
mac_age:2019-12-31

The asset attribute fields, such as the port used to detect the TTL, can be searched using the syntax attribute:<term>.

attribute:"ip.ttl.port"
attribute:"cpe:/a:isc:bind:9.11.3"
attribute:"9.11.3"

To determine if an asset has an attribute at all, the has:<attribute-name> keyword can be used. The has keyword can be inverted to find missing fields, with not has:<term>.

has:"ip.ttl.port"
not has:"rdns.names"

In addition to the standard fields, the following special attributes exist:

• has:screenshot returns assets where at least one screenshot was obtained.
• has:icons returns assets where at least one icon was obtained (HTTP, UPnP, or similar).
• has:uplink returns assets seen in the CAM table of a network switch.
• has:downlink returns assets where the CAM table was queried at least one other asset was connected.
• has:unmapped returns assets where the CAM table was queried at least one other asset was connected but not identified by IP.

The attribute can be specified as a term directly. If the attribute name conflicts with an existing term, the prefix _asset. can be specified to disambiguate the query.

ip.ttl.port:80
rdns.names:"router" 
_asset.ip.ttl.hops:"1" 

TThe TCP and UDP services associated with an asset can be searched by port number using the syntax port:<number>.

port:80
port:161

The TCP services associated with an asset can be searched by port number using the syntax tcp:<number>.

tcp:443

The UDP services associated with an asset can be searched by port number using the syntax udp:<number>.

udp:53

The identified service protocols associated with an asset can be searched using the syntax protocol:<term>.

protocol:http
protocol:telnet

The protocol count can be searched using the syntax protocol_count:<number>. This search supports numerical comparison operators (>, >=, <, <=, =).

protocol_count:>1

The identified service products associated with an asset can be searched using the syntax product:<term> and product:<term>.

product:openssh
products:nginx

The product count can be searched using the syntax product_count:<number>. This search term supports numerical comparison operators (>, >=, <, <=, =).

product_count:>3

The number of services associated with an asset can be searched by port number using the following keywords:

• service_count_tcp:<number>
• service_count_udp:<number>
• service_count_icmp:<number>
• service_count_arp:<number>

These keywords support numerical comparison operators (>, >=, <, <=, =).

Examples include:

service_count_tcp:>=5
service_count_arp:0
service_count_udp:<=1

The asset timestamp fields (first_seen, last_seen, created_at, updated_at) can be searched using the syntax:

• first_seen:<term>
• last_seen:<term>
• created_at:<term>
• updated_at:<term>

The term supports greater than > or less than < operators.

first_seen:<3days
first_seen:>2019-08-01
first_seen:>8/1/2019
last_seen:<1week
last_seen:<2months
last_seen:<1year
created_at:>2weeks
created_at:<30minutes
updated_at:>1year
updated_at:<12hours

The online status of an asset can be searched using the syntax online:<boolean> as well as the inverse with the syntax offline:<boolean>.

The term is a boolean value:

• true, t, 1, and yes represent true
• false, f, 0, and no represent false

online:t
online:1
offline:0

The detected by attribute of an asset can be searched using the syntax det:<term> or detected_by:<term>. The term is one of arp, icmp, <portnumber>-tcp, or <portnumber>-udp. In the case of multiple detections, the priority goes arp, icmp, and then the first detected service.

det:arp
detected_by:80-tcp
det:53-udp

The lowest TTL of an asset can be searched using the syntax ttl:<term> and lowest_ttl:<term>. The TTL is the estimated number of hops between the scan source and the asset. This search term supports numerical comparison operators (>, >=, <, <=, =).

lowest_ttl:>3

The lowest RTT of an asset can be searched using the syntax rtt:<term> and lowest_rtt:<term>. The RTT is the round-trip response time of a given probe measured in nanoseconds (1,000,000 == 1ms). This search term supports numerical comparison operators (>, >=, <, <=, =).

lowest_rtt:>50000000

Whether an asset has multiple MAC addresses can be searched with the multi_mac:<boolean> keyword. The term is a boolean value:

• true, t, 1, and yes represent true
• false, f, 0, and no represent false

multi_mac:t

Assets with any MAC addresses can be searched using the syntax has_mac:<boolean>.

The term is a boolean value:

• true, t, 1, and yes represent true
• false, f, 0, and no represent false

has_mac:yes
has_mac:f

Assets with multiple hostnames can be searched using the syntax multi_name:<boolean>.

The term is a boolean value:

• true, t, 1, and yes represent true
• false, f, 0, and no represent false

multi_name:yes
multi_name:false

The TCP and UDP services associated with a service can be searched by port number using the syntax port:<number>. This search term supports numerical comparison operators (>, >=, <, <=, =).

port:<=25

The UDP services associated with a service can be searched by port number using the syntax udp:<number>.

udp:443

The TCP service associated with a service can be searched by port number using the syntax tcp:<number>.

tcp:53

The transport associated with a service can be searched by name using the syntax transport:<term>.

transport:tcp
transport:udp
transport:icmp

The virtual host associated with a service can be searched by name using the syntax vhost:<text>.

vhost:"www"

All service attributes can be searched using the syntax <attribute>:<term>. This search term supports numerical comparison operators (>, >=, <, <=, =). If the attribute name conflicts with an existing term, the prefix _service. can be added to disambiguate the query.

Note that service attributes can be slow and it is often better to prefix _asset.protocol:<term> filter in front of the service attribute query. For example, to search for SSH banners, use the syntax _assets.protocol:ssh AND banner:<term>.

banner:password
service.product:"OpenSSH" 
html.title:"Apache2 Ubuntu Default Page" 
http.code:>=500
screenshot.image.size:=>100000
_service.arp.macVendor:Xerox

To determine if a service has an attribute at all, the has keyword can be used. The has keyword can be inverted to find missing fields, with not has:<term>.

has:"http.head.server"
not has:"html.title"

The SSID/ESSID field can be searched using the syntax ssid:<text>.

ssid:"Guest Network"
ssid:"Corporate"

The BSSID field can be searched using the syntax bssid:<text> or mac:<text>.

bssid:"00:01:02:03:04:05"
mac:"00:01:%"

The vendor field can be searched using the syntax mac_vendor:<text>.

mac_vendor:"Google"
mac_vendor:"Netgear"
mac_vendor:"Cisco"

The family field can be searched using the syntax family:<term>.

family:"010304"

The channels field can be searched using the syntax channel:<term>.

channel:"11"

The network type field can be searched using the syntax type:<text>.

type:"infrastructure"

The network interface field can be searched using the syntax interface:<text>.

interface:"wlan0"

The encryption field can be searched using the syntax encryption:<term>.

encryption:"aes"
encryption:"none"

The authentication field can be searched using the syntax authentication:<term>.

authentication:"wpa2-psk"
authentication:"open"

The timestamp fields (first_seen, last_seen, created_at) timestamps can be searched using the syntax first_seen:<term>, last_seen:<term> and created_at:<term>. The term supports the same time specifications as the asset timestamp.

first_seen:<30seconds
first_seen:>2019-08-01
last_seen:<1week
last_seen:<2months
created_at:>2weeks
created_at:<30minutes

The signal field can be searched using the syntax signal:<number> or sig:<number>. The term can include the operators >, =, <=, and =. The default operator is =.

signal:">75"
signal:"<=25"
signal:99

The site name or ID can be used as a filter with the syntax site:<term>

site:Primary
site:"Branch Office"
site:ad67d649-041b-439d-af59-f200053a8899

The explorer name or ID can be used as a filter with the syntax explorer:<term>

explorer:DESKTOP-AB451F
explorer:8b927a8e-d405-40e9-aa47-d6afc9bff237

The ID field is the unique identifier for a given wireless network, written as a UUID. This field is searched using the syntax id:<uuid>.

id:cdb084f9-4811-445c-8ea1-3ea9cf88d536

The Last Task ID field defines which task most recently reported the wireless network and is written as a UUID. This field is searched using the syntax task:<uuid>.

task:39ab0e71-3cf1-4176-b6b0-4ed495288229

All wireless attributes can be searched using the syntax <attribute>:<term>.

radio_type:"802.11n"

The Name field can be searched using the syntax name:<text>.

name:"main"

The Description field can be searched using the syntax description:<text>

description:"branch office"
description:"pci"

The timestamp fields (created_at, updated_at) timestamps can be searched using the syntax created_at:<term> and updated_at:<term>. The term accepts the same comparison options as the asset timestamp.

created_at:>2weeks
created_at:<30minutes
updated_at:>1month
updated_at:2hours

The Name field can be searched using the syntax name:<text>.

name:"Primary"

The Description field can be searched using the syntax description:<text>.

description:"wireless"
description:"vlan 50"

The Scope field can be searched using the syntax scope:<term> .

scope:"10.10.10."

The Excludes field can be searched using the syntax excludes:<term> .

excludes:"192.168.0."

The timestamp fields (created_at, updated_at) timestamps can be searched using the syntax created_at:<term> and updated_at:<term>. The term accepts the same comparison syntax as the asset timestamp.

created_at:>2weeks
created_at:<30minutes
updated_at:>1month
updated_at:2hours

The Name field can be searched using the syntax name:<text>.

name:"smb2"

The Description field can be searched using the syntax description:<text>.

description:"smb version 1"
description:"wep"

The Type field can be searched using the syntax type:<term> .

type:"services"

The Category field can be searched using the syntax category:<term>.

category:"security"
category:"audit"

The Severity field can be searched using the syntax severity:<term>.

severity:"info"
severity:"critical"

The Created By field can be searched using the syntax created_by:<term>.

created_by:"rumble"

The timestamp fields (created_at, updated_at) timestamps can be searched using the syntax created_at:<term> and updated_at:<term>. The term accepts the same comparison syntax as the asset timestamp.

created_at:>2weeks
created_at:<30minutes
updated_at:>1month
updated_at:2hours