Search Queries

Asset Inventory
Service Inventory
Wireless Inventory

Organizations
Sites
Query Library

Asset Search Keywords

User Specified Fields

Comments that have been set on an asset can be searched using the syntax comment:<term>.

comment:"contractor laptop"
comment:"imaging server"

Tags that have been set on an asset can be searched using the syntax tag:<term>. The term can be either the tag name, or tag name followed by an equal sign and the tag value. Tag matches are exact terms.

tag:"group"
tag:"group=production"

The site name or ID can be used as a filter with the syntax site:<term>

site:Primary
site:"Branch Office"
site:ad67d649-041b-439d-af59-f200053a8899

The agent name or ID can be used as a filter with the syntax agent:<term>

agent:DESKTOP-AB451F
agent:8b927a8e-d405-40e9-aa47-d6afc9bff237

Asset Fields

The ID field is the unique identifier for a given asset, written as a UUID. This field is searched using the syntax id:<uuid>.

id:cdb084f9-4811-445c-8ea1-3ea9cf88d536

The operating system field is a string describing the detected operating system software. This field is searched using the syntax os:<term>. The OS version, if available, can be searched using os_version:.

os:"Windows"
os:"Ubuntu Linux"
os_version:8

The type field is a string describing the detected system type, such as Desktop, Laptop, Server, BMC, or Mobile. This field is searched using the syntax type:<term>.

type:Desktop
type:BMC
type:"Game Console"

The hardware field is a string describing the detected physical hardware, such as macMini or Nintendo Switch. This field is searched using the syntax hardware:term.

hardware:Switch
hardware:macMini

The hostnames associated with an asset are obtained from DNS and exposed services. These names can be searched using the syntax name:<term>.

name:"www"
name:"TV"

The hostname count can be searched using the syntax name_count:<term>. This keyword supports numerical comparison operators (>, >=, <, <=, =).

name_count:>=1

The domains associated with an asset are obtained from DNS and exposed services. These domain names can be searched using the syntax domain:<term>.

domain:"amazon.com"
domain:"corp.lan"
domain:"WORKGROUP"

The domain count can be searched using the syntax domain_count:<term>. This keyword supports numerical comparison operators (>, >=, <, <=, =).

domain_count:>=1

The addresses (both primary and secondary) associated with an asset can be searched using the syntax address:<term>. This keyword also allows for wildcard matches using ‘%'.

address:192.168.0.1
address:10.0.0
address:%.0.1
address:10.%.254

The address counts (both primary and secondary) can be searched using the syntax address_count:<term> and address_extra_count:<term>. This keyword supports numerical comparison operators (>, >=, <, <=, =).

address_count:>=2
address_extra_count:0

The addresses (both primary and secondary) associated with an asset can be searched by CIDR mask using the syntax net:<term>.

net:192.168.0.0/24

The credentials for an asset can be searched using the syntax credentials:<term>. The credentials will be text searched for the term.

credentials:admin

The keyword haspublic can be used to locate any asset with a non-reserved IPv4 address using the syntax haspublic:<term>.

haspublic:true

The keyword hasprivate can be used to locate any asset with RFC1918 IPv4 address using the syntax hasprivate:<term>.

hasprivate:false

The keyword hasipv6 can be used to locate any asset with an identified IPv6 address using the syntax hasipv6:<term>.

hasipv6:false

The keyword haslinklocal can be used to locate any asset with an identified IPv6 link local (fe80::) address using the syntax haslinklocal:<term>.

haslinklocal:true

The MAC addresses associated with an asset can be searched using the syntax mac:<term>.

mac:00:5c:04
mac:00:00:1c

The MAC address count can be searched using the syntax mac_count:<term>. This keyword supports numerical comparison operators (>, >=, <, <=, =).

mac_count:>=1

The vendor associated with the MAC addresses of an asset can be searched using the syntax mac_vendor:<term>.

mac_vendor:Apple
mac_vendor:"Intel Corporate"

The MAC address vendor count can be searched using the syntax mac_vendor_count:<term>. This keyword supports numerical comparison operators (>, >=, <, <=, =).

mac_vendor_count:>=1
mac_vendor_count:0

The allocate date of the newest MAC address associated with an asset can be searched using the syntax mac_age:<term>. The term supports a greater than > or less than < operator followed by either a relative or absolute date expression. Relative date expressions include seconds (sec, s), minutes (min, m), hours (hr, h), days (d), weeks (w), and years (yr, y), in both plural and singular forms. Absolute date expressions can be in international (2019-12-31), USA (12/31/2019), or Unix timestamp format.

mac_age:>1year
mac_age:<6months
mac_age:2019-12-31

The asset attribute fields, such as the port used to detect the TTL, can be searched using the syntax attribute:<term>.

attribute:"ip.ttl.port"
attribute:"cpe:/a:isc:bind:9.11.3"
attribute:"9.11.3"

To determine if an asset has an attribute at all, the has: keyword can be used. The has keyword can be inverted to find missing fields, with not has:<term>.

has:"ip.ttl.port"
not has:"rdns.names"

In addition to the standard fields, the following special attributes exist:

has:screenshot returns assets where at least one screenshot was obtained.
has:icons returns assets where at least one icon was obtained (HTTP, UPnP, or similar).
has:uplink returns assets seen in the CAM table of a network switch.
has:downlink returns assets where the CAM table was queried at least one other asset was connected.
has:unmapped returns assets where the CAM table was queried at least one other asset was connected but not identified by IP.

The attribute can be specified as a term directly. If the attribute name conflicts with an existing term, the prefix _asset. can be specified to disambiguate the query.

ip.ttl.port:80
rdns.names:"router" 
_asset.ip.ttl.hops:"1"

Asset Services

TThe TCP and UDP services associated with an asset can be searched by port number using the syntax port:<term>.

port:80
port:161

The TCP services associated with an asset can be searched by port number using the syntax tcp:<term>.

tcp:443

The UDP services associated with an asset can be searched by port number using the syntax udp:<term>.

udp:53

The identified service protocols associated with an asset can be searched using the syntax protocol:<term>.

protocol:http
protocol:telnet

The protocol count can be searched using the syntax protocol_count:<term>. This keyword supports numerical comparison operators (>, >=, <, <=, =).

protocol_count:>=5

The identified service products associated with an asset can be searched using the syntax product:<term> and product:<term>.

product:openssh
products:nginx

The product count can be searched using the syntax product_count:<term>. This keyword supports numerical comparison operators (>, >=, <, <=, =).

product_count:>=3

The number of services associated with an asset can be searched by port number using the following keywords. These support numerical comparison operators (>, >=, <, <=, =).

service_count:<term>
service_count_tcp:<term>
service_count_udp:<term>
service_count_icmp:<term>
service_count_arp:<term>

Examples include:

service_count_tcp:>=5
service_count_arp:0
service_count_udp:<=1

Asset Tracking Fields

The asset timestamp fields (first_seen, last_seen, created_at, updated_at) can be searched using the syntax first_seen:<term>, last_seen:<term>, created_at:<term> and updated_at:<term>.

The term supports a greater than > or less than < operator followed by either a relative or absolute date expression. Relative date expressions include seconds (sec, s), minutes (min, m), hours (hr, h), days (d), weeks (w), and years (yr, y), in both plural and singular forms. Absolute date expressions can be in international (2019-12-31), USA (12/31/2019), or Unix timestamp format.

Note that created_at is usually identical to first_seen (initial asset detection) while updated_at can be very different from last_seen; the former indicates when the asset record was last updated (offline or otherwise) while the latter is when the asset was last seen alive. The updated_at query can be useful when synchonizing the inventory to external systems (using updated_at:<24hours on a daily import, etc).

first_seen:<30seconds
first_seen:>3days
first_seen:>2019-08-01
first_seen:>8/1/2019
last_seen:<1week
last_seen:<2months
last_seen:<1year
created_at:>2weeks
created_at:<30minutes
updated_at:>1year
updated_at:<12hours

The online status of an asset can be searched using the syntax online:<term> as well as the inverse with the syntax offline:<term>. The term is a boolean value, where true, t, 1, and yes represent true and false, f, 0, and no represent false.

online:t
online:1
offline:0

The detected by attribute of an asset can be searched using the syntax det:<term> and detected-by:<term>. The term is one of arp, icmp, tcp-<port>, or udp-<port>. In the case of multiple detections, the priority goes arp, icmp, and then the first detected service.

det:arp
detected-by:80-tcp
det:53-udp

The lowest TTL of an asset can be searched using the syntax ttl:<term> and lowest_ttl:<term>. The TTL is the estimated number of hops between the scan source and the asset. This term supports numerical comparison operators (>, >=, <, <=, =).

ttl:0
lowest_ttl:>=1

The lowest RTT of an asset can be searched using the syntax rtt:<term> and lowest_rtt:<term>. The RTT is the round-trip response time of a given probe measured in nanoseconds (1,000,000 == 1ms). This term supports numerical comparison operators (>, >=, <, <=, =). The RTT

Find assets that responded in less than one millisecond:

rtt:<=1000000

Find assets that responded in more than 50 milliseconds:

lowest_rtt:>=50000000

Find assets that responded in less than one millisecond:

rtt:<=1000000

Find assets that responded in more than 50 milliseconds:

lowest_rtt:>=50000000

Assets with any MAC addresses can be searched using the syntax hasmac:<term>. The term is a boolean value, where true, t, 1, and yes represent true and false, f, 0, and no represent false.

hasmac:yes
hasmac:f

| HasMAC | hasmac | Assets with at least one MAC address. Boolean (t, 1, yes or f, 0, no) |

Assets with multiple hostnames can be searched using the syntax multiname:<term>. The term is a boolean value, where true, t, 1, and yes represent true and false, f, 0, and no represent false.

multiname:yes
multiname:false

Service Search Keywords

The TCP and UDP services associated with a service can be searched by port number using the syntax port:<term>. This keyword supports numerical comparison operators (>, >=, <, <=, =).

port:80
port:161
port:>=10000
port:<=25

The UDP services associated with a service can be searched by port number using the syntax udp:<term>.

udp:443

The TCP service associated with a service can be searched by port number using the syntax tcp:<term>.

tcp:53

The transport associated with a service can be searched by name using the syntax transport:<term>.

transport:tcp
transport:udp
transport:icmp

The virtual host associated with a service can be searched by name using the syntax vhost:<term>.

vhost:"www"

All service attributes can be searched using the syntax <attribute>:<term>. This keyword supports numerical comparison operators (>, >=, <, <=, =). If the attribute name conflicts with an existing term, the prefix _service. can be specified to disambiguate the query.

Note that service attributes can be slow and it is often better to prefix _asset.protocol:<term> filter in front of the service attribute query. For example, to search for SSH banners, use the syntax _assets.protocol:ssh AND banner:<term>.

banner:password
service.product:"OpenSSH" 
html.title:"Apache2 Ubuntu Default Page" 
http.code:>=500
screenshot.image.size:=>100000
_service.arp.macVendor:Xerox

To determine if a service has an attribute at all, the has keyword can be used. The has keyword can be inverted to find missing fields, with not has:<term>.

has:"http.head.server"
not has:"html.title"

Wireless Search Keywords

General Fields

The SSID/ESSID field can be searched using the syntax ssid:<term>.

ssid:"Guest Network"
ssid:"Corporate"

The BSSID field can be searched using the syntax bssid:<term> or mac:<term>.

bssid:"00:01:02:03:04:05"
mac:"00:01:%"

The vendor field can be searched using the syntax mac_vendor:<term>.

mac_vendor:"Google"
mac_vendor:"Netgear"
mac_vendor:"Cisco"

The family field can be searched using the syntax family:<term>.

family:"010304"

The channels field can be searched using the syntax channel:<term>.

channel:"11"

The network type field can be searched using the syntax type:<term>.

type:"infrastructure"

The network interface field can be searched using the syntax interface:<term>.

interface:"wlan0"

The encryption field can be searched using the syntax encryption:<term>.

encryption:"aes"
encryption:"none"

The authentication field can be searched using the syntax authentication:<term>.

authentication:"wpa2-psk"
authentication:"open"

The timestamp fields (first_seen, last_seen, created_at) timestamps can be searched using the syntax first_seen:<term>, last_seen:<term> and created_at:<term>. The term supports the same time specifications as the Asset Timestamp.

first_seen:<30seconds
first_seen:>2019-08-01
last_seen:<1week
last_seen:<2months
created_at:>2weeks
created_at:<30minutes

The signal field can be searched using the syntax signal:<term> or sig:<term>. The term can include the operators >, <, >=, <=, and =. The default operator is =.

signal:">75"
signal:"<=25"
signal:99

The site name or ID can be used as a filter with the syntax site:<term>

site:Primary
site:"Branch Office"
site:ad67d649-041b-439d-af59-f200053a8899

The agent name or ID can be used as a filter with the syntax agent:<term>

agent:DESKTOP-AB451F
agent:8b927a8e-d405-40e9-aa47-d6afc9bff237

The ID field is the unique identifier for a given wireless network, written as a UUID. This field is searched using the syntax id:<uuid>.

id:cdb084f9-4811-445c-8ea1-3ea9cf88d536

The Last Task ID field defines which task most recently reported the wireless network and is written as a UUID. This field is searched using the syntax task:<uuid>.

task:39ab0e71-3cf1-4176-b6b0-4ed495288229

All wireless attributes can be searched using the syntax <attribute>:<term>.

radio_type:"802.11n"

Organization Search Keywords

The Name field can be searched using the syntax name:<term>.

name:"main"

The Description field can be searched using the syntax description:<term>

description:"branch office"
description:"pci"

The timestamp fields (created_at, updated_at) timestamps can be searched using the syntax created_at:<term> and updated_at:<term>. The term accepts the same comparison options as the Asset Timestamp.

created_at:>2weeks
created_at:<30minutes
updated_at:>1month
updated_at:2hours

Site Search Keywords

The Name field can be searched using the syntax name:<term>.

name:"Primary"

The Description field can be searched using the syntax description:<term>.

description:"wireless"
description:"vlan 50"

The Scope field can be searched using the syntax scope:<term> .

scope:"10.10.10."

The Excludes field can be searched using the syntax excludes:<term> .

excludes:"192.168.0."

created_at:>2weeks
created_at:<30minutes
updated_at:>1month
updated_at:2hours

Query Library Search Keywords

The Name field can be searched using the syntax name:<term>.

name:"smb2"

The Description field can be searched using the syntax description:<term>.

description:"smb version 1"
description:"wep"

The Type field can be searched using the syntax type:<term> .

type:"services"

The Category field can be searched using the syntax category:<term>.

category:"security"
category:"audit"

The Severity field can be searched using the syntax severity:<term>.

severity:"info"
severity:"critical"

The Created By field can be searched using the syntax created_by:<term>.

created_by:"rumble"

created_at:>2weeks
created_at:<30minutes
updated_at:>1month
updated_at:2hours

Search Queries

Contents

Asset Search Keywords

User Specified Fields

Asset Comments

Asset Tags

Site Name or ID

Agent Name or ID

Asset Fields

Asset ID

Asset OS

Asset Type

Asset Hardware

Asset Hostnames

Asset Domains

Asset Addresses

Asset Networks

Asset Credentials

Asset Public IPv4 Address

Asset Private IPv4 Address

Asset IPv6 Address

Asset Link Local IPv6 Address

Asset MAC Addresses

Asset MAC Address Vendors

Asset MAC Address Age

Asset Attributes

Asset Services

Asset Service Ports

Asset Service TCP Ports

Asset Service UDP Ports

Asset Service Protocols

Asset Service Products

Asset Service Counts

Asset Tracking Fields

Asset Timestamps

Asset Online Status

Asset Detection Method

Asset Time to Live (TTL) Comparisons

Asset Round Trip Time (RTT) Comparisons

Asset Multiple MAC Address Status

Asset Any MAC Address Status

Asset Multiple Hostname Status

Service Search Keywords

Service Ports

Service UDP Ports

Service TCP Ports

Service Transport

Service Virtual Host

Service Attributes

Wireless Search Keywords

General Fields

SSID (ESSID)

BSSID (MAC)

Vendor

Family

Channels

Type

Interface

Encryption

Authentication

Timestamps

Signal

Site Name or ID

Agent Name or ID

Wireless ID

Last Task ID

Wireless Attributes

Organization Search Keywords

Name

Description

Timestamps (Created At, Updated At)

Site Search Keywords

Name

Description

Scope

Excludes

Timestamps (Created At, Updated At)

Query Library Search Keywords

Name

Description