Search queries

Asset search keywords

User specified fields

Asset comments

Use the syntax comment:<text> to search comments on an asset.

comment:"contractor laptop"
comment:"imaging server"

Asset tags

Use the syntax tag:<term> to search tags added to an asset. The term can be the tag name, or the tag name followed by an equal sign and the tag value. Tag value matches must be exact.

tag:"group"
tag:"group=production"

Site name or ID

Use the syntax site:<term> to filter by site name or ID.

site:Primary
site:"Branch Office"
site:ad67d649-041b-439d-af59-f200053a8899

Explorer name or ID

Use the syntax explorer:<term> to filter by explorer name or ID.

explorer:DESKTOP-AB451F
explorer:8b927a8e-d405-40e9-aa47-d6afc9bff237

Asset fields

Asset ID

The ID field is the unique identifier for a given asset, written as a UUID. Uing the syntax id:<uuid> to filter by ID field.

id:cdb084f9-4811-445c-8ea1-3ea9cf88d536

Asset OS

The operating system field is a string describing the detected operating system software. This field is searched using the syntax os:<text>. The OS version, if available, can be searched using os_version:<number>.

os:"Windows"
os:"Ubuntu Linux"
os_version:8

Asset type

The type field is a string describing the detected system type, such as Desktop, Laptop, Server, BMC, or Mobile. Use the syntax type:<text> to search this field.

type:Desktop
type:BMC
type:"Game Console"

Asset hardware

The hardware field is a string describing the detected physical hardware, such as macMini or Nintendo Switch. Use the syntax hardware:<text> to search this field.

hardware:Switch
hardware:macMini

Asset hostnames

The hostnames associated with an asset are obtained from DNS and exposed services. Use the syntax name:<text> to search these names.

name:"www"
name:"TV"

To search an asset where any asset has a specific prefix or suffix, start the term with = and use % as a wildcard match:

name:="FTP.%"
name:="%-09"

Use the syntax name_count:<number>to search the hostname count. This search term supports numerical comparison operators (>, >=, <, <=, =).

name_count:>1

Asset domains

The domains associated with an asset are obtained from DNS and exposed services. Use the syntax domain:<domainname> to search the domain names.

domain:"amazon.com"
domain:"corp.lan"
domain:"WORKGROUP"

The domain count can be searched using the syntax domain_count:<number>. This search term supports numerical comparison operators (>, >=, <, <=, =).

domain_count:>1

Asset addresses

Use the syntax address:<ip> to search the addresses (both primary and secondary) associated with an asset. This keyword also allows for wildcard matches using ‘%’. A comma-separated list of addresses will be used as an efficient multiple-match.

address:192.168.0.1
address:10.0.0
address:%.0.1
address:10.%.254
address:10.0.0.1,10.0.0.2,10.0.0.3

Use the syntax address_count:<term> and address_extra_count:<number> to search address primary and secondary counts. This search term supports numerical comparison operators (>, >=, <, <=, =).

address_extra_count:0

Asset networks

Use the syntax net:<cidr> to search the addresses (both primary and secondary) associated with an asset by CIDR mask.

net:192.168.0.0/24

Asset default community

Use the syntax community:<text> to search for assets with a default SNMP community (public or private).

community:public

Asset public address

Use the keyword has_public and syntax has_public:<boolean> to locate any asset with a non-reserved IP address.

The term is a boolean value:

• true, t, 1, and yes represent true
• false, f, 0, and no represent false

has_public:true

Asset private address

Use the keyword has_private and syntax has_private:<boolean> to locate any asset with a private IP address.

The term is a boolean value:

• true, t, 1, and yes represent true
• false, f, 0, and no represent false

has_private:false

Asset IPv6 address

Use the keyword has_ipv6 and the syntax has_ipv6:<boolean> to locate any asset with an identified IPv6 address.

The term is a boolean value:

• true, t, 1, and yes represent true
• false, f, 0, and no represent false

has_ipv6:false

Asset link local IPv6 address

Use the keyword has_link_local and syntax has_link_local:<boolean>to locate any asset with an identified IPv6 link local (fe80::) address.

The term is a boolean value:

• true, t, 1, and yes represent true
• false, f, 0, and no represent false

has_link_local:true

Asset MAC addresses

Use the syntax mac:<term> to search MAC addresses associated with an asset.

mac:00:5c:04
mac:00:00:1c

Use the syntax mac_count:<number> to search the MAC address count. This search term supports numerical comparison operators (>, >=, <, <=, =).

mac_count:>2

Asset MAC address vendors

The vendor associated with the MAC addresses of an asset can be searched using the syntax mac_vendor:<text>.

mac_vendor:Apple
mac_vendor:"Intel Corporate"

The MAC address vendor count can be searched using the syntax mac_vendor_count:<number>. This search term supports numerical comparison operators (>, >=, <, <=, =).

mac_vendor_count:0

Asset MAC address age

Use the syntax mac_age:<term> to search the allocation date of the newest MAC address associated with an asset. You can use a greater than > or less than < in your search.

mac_age:>1year
mac_age:<6months
mac_age:2019-12-31

Asset attributes

Use the syntax attribute:<term> to search the asset attribute fields, such as the port used to detect the TTL.

attribute:"ip.ttl.port"
attribute:"cpe:/a:isc:bind:9.11.3"
attribute:"9.11.3"

To determine if an asset has any attribute defined, use the has:<attribute-name> keyword. The has keyword can be inverted to find missing fields with not has:<term>.

has:"ip.ttl.port"
not has:"rdns.names"

In addition to the standard fields, the following special attributes are available:

• has:screenshot returns assets where at least one screenshot was obtained.
• has:icons returns assets where at least one icon was obtained (HTTP, UPnP, or similar).
• has:uplink returns assets seen in the CAM table of a network switch.
• has:downlink returns assets where the CAM table was queried at least one other asset was connected.
• has:unmapped returns assets where the CAM table was queried at least one other asset was connected but not identified by IP.

The attribute can be specified as a term directly. If the attribute name conflicts with an existing term, the prefix _asset. can be specified to disambiguate the query.

ip.ttl.port:80
rdns.names:"router" 
_asset.ip.ttl.hops:"1" 

Asset services

Asset service ports

TThe TCP and UDP services associated with an asset can be searched by port number using the syntax port:<number>.

port:80
port:161

Asset service TCP ports

Use the syntax tcp:<number> to search the TCP services associated with an asset by port number.

tcp:443

Asset service UDP ports

Use the syntax udp:<number> to search UDP services associated with an asset by port number.

udp:53

Asset service protocols

Use the syntax protocol:<term>to search the identified service protocols associated with an asset.

protocol:http
protocol:telnet

The protocol count can be searched using the syntax protocol_count:<number>. This search supports numerical comparison operators (>, >=, <, <=, =).

protocol_count:>1

Asset service products

Use the syntax product:<term> to search for the identified service products associated with an asset.

product:openssh
products:nginx

The product count can be searched using the syntax product_count:<number>. This search term supports numerical comparison operators (>, >=, <, <=, =).

product_count:>3

Asset service counts

Use the following keywords to search the number of services associated with an asset can be searched by port number:

• service_count_tcp:<number>
• service_count_udp:<number>
• service_count_icmp:<number>
• service_count_arp:<number>

These keywords support numerical comparison operators (>, >=, <, <=, =).

Examples include:

service_count_tcp:>=5
service_count_arp:0
service_count_udp:<=1

Asset tracking fields

Asset timestamps

Use the following syntaxes to search the asset timestamp fields (first_seen, last_seen, created_at, updated_at, os_eol, os_eol_extended):

• first_seen:<term>
• last_seen:<term>
• created_at:<term>
• updated_at:<term>
• os_eol:<term>
• os_eol_extended:<term>

The term supports greater than > or less than < operators only.

first_seen:<3days
first_seen:>2019-08-01
first_seen:>8/1/2019
last_seen:<1week
last_seen:<2months
last_seen:<1year
created_at:>2weeks
created_at:<30minutes
updated_at:>1year
updated_at:<12hours
os_eol:<now
os_eol:>4weeks
os_eol_extended:>now
os_eol_extended:>90days

Asset online status

Use the syntax online:<boolean> or the inverse syntax offline:<boolean> to search the online status of an asset.

The term is a boolean value:

• true, t, 1, and yes represent true
• false, f, 0, and no represent false

online:t
online:1
offline:0

Asset detection method

The detected by attribute of an asset can be searched using the syntax det:<term> or detected_by:<term>. The term is one of arp, icmp, <portnumber>-tcp, or <portnumber>-udp. In the case of multiple detections, the priority goes arp, icmp, and then the first detected service.

det:arp
detected_by:80-tcp
det:53-udp

Asset Time to Live (TTL) comparisons

Use the syntax ttl:<term> and lowest_ttl:<term> to search the lowest TTL of an asset. TTL is the estimated number of hops between the scan source and the asset.

This search term supports numerical comparison operators (>, >=, <, <=, =).

lowest_ttl:>3

Asset Round Trip Time (RTT) comparisons

Use the syntax rtt:<term> and lowest_rtt:<term> to search the lowest RTT for an asset. RTT is the round-trip response time of a given probe measured in nanoseconds (1,000,000 == 1ms).

This search term supports numerical comparison operators (>, >=, <, <=, =).

lowest_rtt:>50000000

Asset multiple MAC address status

Use the syntax multi_mac:<boolean> to determine if an asset has multiple MAC addresses.

The term is a boolean value:

• true, t, 1, and yes represent true
• false, f, 0, and no represent false

multi_mac:t

Asset any MAC address status

Use the syntax has_mac:<boolean> to find assets with any MAC addresses.

The term is a boolean value:

• true, t, 1, and yes represent true
• false, f, 0, and no represent false

has_mac:yes
has_mac:f

Asset multiple hostname status

Use the syntax multi_name:<boolean> to find assets with multiple hostnames.

The term is a boolean value:

• true, t, 1, and yes represent true
• false, f, 0, and no represent false

multi_name:yes
multi_name:false

Service search keywords

Service ports

The TCP and UDP services associated with a service can be searched by port number using the syntax port:<number>. This search term supports numerical comparison operators (>, >=, <, <=, =).

port:<=25

Service UDP ports

Use the udp:<number> syntax to search UDP services associated with a service by port number.

udp:443

Service TCP ports

Use the syntax tcp:<number> to search TCP service associated with a service by port number.

tcp:53

Service transport

Use the syntax transport:<term> to search the transport associated with a service by name.

transport:tcp
transport:udp
transport:icmp

Service Virtual Host (VHost)

Use the syntax vhost:<text> to search for virtual hosts associated with a service by name .

vhost:"www"

Service address

Use the keyword service_address to match against the service IP address.

service_address:192.168.0.1

Service public address

Use the keyword service_has_public and syntax service_has_public:<boolean> to locate any service with a non-reserved I address.

The term is a boolean value:

• true, t, 1, and yes represent true
• false, f, 0, and no represent false

service_has_public:true

Service private address

Use the keyword service_has_private and syntax service_has_private:<boolean> to locate any service with a private IP address.

The term is a boolean value:

• true, t, 1, and yes represent true
• false, f, 0, and no represent false

service_has_private:false

Service IPv6 address

Use the keyword service_has_ipv6 and the syntax service_has_ipv6:<boolean> to locate any service with an identified IPv6 address.

The term is a boolean value:

• true, t, 1, and yes represent true
• false, f, 0, and no represent false

service_has_ipv6:false

Service link local IPv6 address

Use the keyword service_has_link_local and syntax service_has_link_local:<boolean>to locate any service with an identified IPv6 link local (fe80::) address.

The term is a boolean value:

• true, t, 1, and yes represent true
• false, f, 0, and no represent false

service_has_link_local:true

Service attributes

You can search all service attributes with the syntax <attribute>:<term>. This search term supports numerical comparison operators (>, >=, <, <=, =).

If the attribute name conflicts with an existing term, the prefix _service. can be added to disambiguate the query.

Note that service attributes can be slow and it is often better to prefix _asset.protocol:<term> filter in front of the service attribute query. For example, to search for SSH banners, use the syntax _assets.protocol:ssh AND banner:<term>.

banner:password
service.product:"OpenSSH" 
html.title:"Apache2 Ubuntu Default Page" 
http.code:>=500
screenshot.image.size:=>100000
_service.arp.macVendor:Xerox

To determine if a service has an attribute at all, use the has keyword. The has keyword can be inverted to find missing fields, with not has:<term>.

has:"http.head.server"
not has:"html.title"

Wireless search keywords

SSID (ESSID)

The SSID/ESSID field can be searched using the syntax ssid:<text>.

ssid:"Guest Network"
ssid:"Corporate"

BSSID (MAC)

The BSSID field can be searched using the syntax bssid:<text> or mac:<text>.

bssid:"00:01:02:03:04:05"
mac:"00:01:%"

Vendor

The vendor field can be searched using the syntax mac_vendor:<text>.

mac_vendor:"Google"
mac_vendor:"Netgear"
mac_vendor:"Cisco"

Family

The family field can be searched using the syntax family:<term>.

family:"010304"

Channels

The channels field can be searched using the syntax channel:<term>.

channel:"11"

Type

The network type field can be searched using the syntax type:<text>.

type:"infrastructure"

Interface

The network interface field can be searched using the syntax interface:<text>.

interface:"wlan0"

Encryption

The encryption field can be searched using the syntax encryption:<term>.

encryption:"aes"
encryption:"none"

Authentication

The authentication field can be searched using the syntax authentication:<term>.

authentication:"wpa2-psk"
authentication:"open"

Timestamps

The timestamp fields (first_seen, last_seen, created_at) timestamps can be searched using the syntax first_seen:<term>, last_seen:<term> and created_at:<term>. The term supports the same time specifications as the asset timestamp.

first_seen:<30seconds
first_seen:>2019-08-01
last_seen:<1week
last_seen:<2months
created_at:>2weeks
created_at:<30minutes

Signal

The signal field can be searched using the syntax signal:<number> or sig:<number>. The term can include the operators >, =, <=, and =. The default operator is =.

signal:">75"
signal:"<=25"
signal:99

Site name or ID

The site name or ID can be used as a filter with the syntax site:<term>

site:Primary
site:"Branch Office"
site:ad67d649-041b-439d-af59-f200053a8899

Explorer name or ID

The explorer name or ID can be used as a filter with the syntax explorer:<term>

explorer:DESKTOP-AB451F
explorer:8b927a8e-d405-40e9-aa47-d6afc9bff237

Wireless ID

The ID field is the unique identifier for a given wireless network, written as a UUID. This field is searched using the syntax id:<uuid>.

id:cdb084f9-4811-445c-8ea1-3ea9cf88d536

Last task ID

The Last Task ID field defines which task most recently reported the wireless network and is written as a UUID. This field is searched using the syntax task:<uuid>.

task:39ab0e71-3cf1-4176-b6b0-4ed495288229

Wireless attributes

All wireless attributes can be searched using the syntax <attribute>:<term>.

radio_type:"802.11n"

Organization search keywords

Name

The Name field can be searched using the syntax name:<text>.

name:"main"

Description

The Description field can be searched using the syntax description:<text>

description:"branch office"
description:"pci"

Timestamps (created at, updated at)

The timestamp fields (created_at, updated_at) timestamps can be searched using the syntax created_at:<term> and updated_at:<term>. The term accepts the same comparison options as the asset timestamp.

created_at:>2weeks
created_at:<30minutes
updated_at:>1month
updated_at:2hours

Site search keywords

Name

The Name field can be searched using the syntax name:<text>.

name:"Primary"

Description

The Description field can be searched using the syntax description:<text>.

description:"wireless"
description:"vlan 50"

Scope

The Scope field can be searched using the syntax scope:<term> .

scope:"10.10.10."

Excludes

The Excludes field can be searched using the syntax excludes:<term> .

excludes:"192.168.0."

Timestamps (created at, updated at)

The timestamp fields (created_at, updated_at) timestamps can be searched using the syntax created_at:<term> and updated_at:<term>. The term accepts the same comparison syntax as the asset timestamp.

created_at:>2weeks
created_at:<30minutes
updated_at:>1month
updated_at:2hours

Query library search keywords

Name

The Name field can be searched using the syntax name:<text>.

name:"smb2"

Description

The Description field can be searched using the syntax description:<text>.

description:"smb version 1"
description:"wep"

Type

The Type field can be searched using the syntax type:<term> .

type:"services"

Category

The Category field can be searched using the syntax category:<term>.

category:"security"
category:"audit"

Severity

The Severity field can be searched using the syntax severity:<term>.

severity:"info"
severity:"critical"

Created by

The Created By field can be searched using the syntax created_by:<term>.

created_by:"rumble"

Timestamps (created at, updated at)

The timestamp fields, created_at and updated_at, can be searched using the syntax created_at:<term> and updated_at:<term>. The term accepts the same comparison syntax as the asset timestamp.

created_at:>2weeks
created_at:<30minutes
updated_at:>1month
updated_at:2hours

Credential search keywords

Credential fields

Credential ID

The ID field is the unique identifier for a given credential, written as a UUID. This field is searched using the syntax id:<uuid>.

id:cdb084f9-4811-445c-8ea1-3ea9cf88d536

Credential name

The credential name can be searched using the syntax name:<text>.

name:"AWS read-only account"
name:"Miradore API key"

Credential type

The credential type can be searched using the syntax name:<text>.

type:aws_access_secret
type:miradore_api_key_v1

Credential global property

The global property describes the level of access for all organizations. If a credential is global, all organizations have access to it. The global property can be searched using the syntax global:<boolean>.

The term is a boolean value:

• true, t, 1, and yes represent true
• false, f, 0, and no represent false

global:true
global:0

Credential timestamps

Credential timestamp fields (created_at and last_used_at) can be searched using the syntax:

• created_at:<term>
• last_used_at:<term>

The term supports greater than > or less than < operators.

created_at:<3days
created_at:>2019-08-01
created_at:>8/1/2019
created_at:<1week
created_at:<2months
last_used_at:<1year
last_used_at:>2weeks
last_used_at:<30minutes
last_used_at:>1year
last_used_at:<12hours
last_used_at:0

Credential created by

The created_by_email holds the email address for the user that created the credential. It can be searched using the syntax created_by_email:<term>.

created_by_email:user@example.com