Search queries

Use the syntax comment:<text> to search comments on an asset.

comment:"contractor laptop"
comment:"imaging server"

Use the syntax tag:<term> to search tags added to an asset. The term can be the tag name, or the tag name followed by an equal sign and the tag value. Tag value matches must be exact.

tag:"group"
tag:"group=production"

Use the syntax site:<term> to filter by site name or ID.

site:Primary
site:"Branch Office"
site:ad67d649-041b-439d-af59-f200053a8899

Use the syntax explorer:<term> to filter by explorer name or ID.

explorer:DESKTOP-AB451F
explorer:8b927a8e-d405-40e9-aa47-d6afc9bff237

The ID field is the unique identifier for a given asset, written as a UUID. Uing the syntax id:<uuid> to filter by ID field.

id:cdb084f9-4811-445c-8ea1-3ea9cf88d536

The operating system field is a string describing the detected operating system software. This field is searched using the syntax os:<text>. The OS version, if available, can be searched using os_version:<number>.

os:"Windows"
os:"Ubuntu Linux"
os_version:8

The type field is a string describing the detected system type, such as Desktop, Laptop, Server, BMC, or Mobile. Use the syntax type:<text> to search this field.

type:Desktop
type:BMC
type:"Game Console"

The hardware field is a string describing the detected physical hardware, such as macMini or Nintendo Switch. Use the syntax hardware:<text> to search this field.

hardware:Switch
hardware:macMini

The hostnames associated with an asset are obtained from DNS and exposed services. Use the syntax name:<text> to search these names.

name:"www"
name:"TV"

Use the syntax name_count:<number>to search the hostname count. This search term supports numerical comparison operators (>, >=, <, <=, =).

name_count:>1

The domains associated with an asset are obtained from DNS and exposed services. Use the syntax domain:<domainname> to search the domain names.

domain:"amazon.com"
domain:"corp.lan"
domain:"WORKGROUP"

The domain count can be searched using the syntax domain_count:<number>. This search term supports numerical comparison operators (>, >=, <, <=, =).

domain_count:>1

Use the syntax address:<ip> to search the addresses (both primary and secondary) associated with an asset. This keyword also allows for wildcard matches using ‘%’.

address:192.168.0.1
address:10.0.0
address:%.0.1
address:10.%.254

Use the syntax address_count:<term> and address_extra_count:<number> to search address primary and secondary counts. This search term supports numerical comparison operators (>, >=, <, <=, =).

address_extra_count:0

Use the syntax net:<cidr> to search the addresses (both primary and secondary) associated with an asset by CIDR mask.

net:192.168.0.0/24

Use the syntax credentials:<text> to search credentials for an asset. The credentials will be text searched for the term.

credentials:admin

Use the keyword has_public and syntax has_public:<boolean> to locate any asset with a non-reserved IPv4 address.

The term is a boolean value:

• true, t, 1, and yes represent true
• false, f, 0, and no represent false

has_public:true

Use the keyword has_private and syntax has_private:<boolean> to locate any asset with RFC1918 IPv4 address.

The term is a boolean value:

• true, t, 1, and yes represent true
• false, f, 0, and no represent false

has_private:false

Use the keyword has_ipv6 and the syntax has_ipv6:<boolean> to locate any asset with an identified IPv6 address.

The term is a boolean value:

• true, t, 1, and yes represent true
• false, f, 0, and no represent false

has_ipv6:false

Use the keyword has_link_local and syntax has_link_local:<boolean>to locate any asset with an identified IPv6 link local (fe80::) address.

The term is a boolean value:

• true, t, 1, and yes represent true
• false, f, 0, and no represent false

has_link_local:true

Use the syntax mac:<term> to search MAC addresses associated with an asset.

mac:00:5c:04
mac:00:00:1c

Use the syntax mac_count:<number> to search the MAC address count. This search term supports numerical comparison operators (>, >=, <, <=, =).

mac_count:>2

The vendor associated with the MAC addresses of an asset can be searched using the syntax mac_vendor:<text>.

mac_vendor:Apple
mac_vendor:"Intel Corporate"

The MAC address vendor count can be searched using the syntax mac_vendor_count:<number>. This search term supports numerical comparison operators (>, >=, <, <=, =).

mac_vendor_count:0

Use the syntax mac_age:<term> to search the allocation date of the newest MAC address associated with an asset. You can use a greater than > or less than < in your search.

mac_age:>1year
mac_age:<6months
mac_age:2019-12-31

Use the syntax attribute:<term> to search the asset attribute fields, such as the port used to detect the TTL.

attribute:"ip.ttl.port"
attribute:"cpe:/a:isc:bind:9.11.3"
attribute:"9.11.3"

To determine if an asset has any attribute defined, use the has:<attribute-name> keyword. The has keyword can be inverted to find missing fields with not has:<term>.

has:"ip.ttl.port"
not has:"rdns.names"

In addition to the standard fields, the following special attributes are available:

• has:screenshot returns assets where at least one screenshot was obtained.
• has:icons returns assets where at least one icon was obtained (HTTP, UPnP, or similar).
• has:uplink returns assets seen in the CAM table of a network switch.
• has:downlink returns assets where the CAM table was queried at least one other asset was connected.
• has:unmapped returns assets where the CAM table was queried at least one other asset was connected but not identified by IP.

The attribute can be specified as a term directly. If the attribute name conflicts with an existing term, the prefix _asset. can be specified to disambiguate the query.

ip.ttl.port:80
rdns.names:"router" 
_asset.ip.ttl.hops:"1" 

TThe TCP and UDP services associated with an asset can be searched by port number using the syntax port:<number>.

port:80
port:161

Use the syntax tcp:<number> to search the TCP services associated with an asset by port number.

tcp:443

Use the syntax udp:<number> to search UDP services associated with an asset by port number.

udp:53

Use the syntax protocol:<term>to search the identified service protocols associated with an asset.

protocol:http
protocol:telnet

The protocol count can be searched using the syntax protocol_count:<number>. This search supports numerical comparison operators (>, >=, <, <=, =).

protocol_count:>1

Use the syntax product:<term> to search for the identified service products associated with an asset.

product:openssh
products:nginx

The product count can be searched using the syntax product_count:<number>. This search term supports numerical comparison operators (>, >=, <, <=, =).

product_count:>3

Use the following keywords to search the number of services associated with an asset can be searched by port number:

• service_count_tcp:<number>
• service_count_udp:<number>
• service_count_icmp:<number>
• service_count_arp:<number>

These keywords support numerical comparison operators (>, >=, <, <=, =).

Examples include:

service_count_tcp:>=5
service_count_arp:0
service_count_udp:<=1

Use the following syntaxes to seartch the asset timestamp fields (first_seen, last_seen, created_at, updated_at):

• first_seen:<term>
• last_seen:<term>
• created_at:<term>
• updated_at:<term>

The term supports greater than > or less than < operators.

first_seen:<3days
first_seen:>2019-08-01
first_seen:>8/1/2019
last_seen:<1week
last_seen:<2months
last_seen:<1year
created_at:>2weeks
created_at:<30minutes
updated_at:>1year
updated_at:<12hours

Use the syntax online:<boolean> or the inverse syntax offline:<boolean> to search the online status of an asset.

The term is a boolean value:

• true, t, 1, and yes represent true
• false, f, 0, and no represent false

online:t
online:1
offline:0

The detected by attribute of an asset can be searched using the syntax det:<term> or detected_by:<term>. The term is one of arp, icmp, <portnumber>-tcp, or <portnumber>-udp. In the case of multiple detections, the priority goes arp, icmp, and then the first detected service.

det:arp
detected_by:80-tcp
det:53-udp

Use the syntax ttl:<term> and lowest_ttl:<term> to search the lowest TTL of an asset. TTL is the estimated number of hops between the scan source and the asset.

This search term supports numerical comparison operators (>, >=, <, <=, =).

lowest_ttl:>3

Use the syntax rtt:<term> and lowest_rtt:<term> to search the lowest RTT for an asset. RTT is the round-trip response time of a given probe measured in nanoseconds (1,000,000 == 1ms).

This search term supports numerical comparison operators (>, >=, <, <=, =).

lowest_rtt:>50000000

Use the syntax multi_mac:<boolean> to determine if an asset has multiple MAC addresses.

The term is a boolean value:

• true, t, 1, and yes represent true
• false, f, 0, and no represent false

multi_mac:t

Use the syntax has_mac:<boolean> to find assets with any MAC addresses.

The term is a boolean value:

• true, t, 1, and yes represent true
• false, f, 0, and no represent false

has_mac:yes
has_mac:f

Use the syntax multi_name:<boolean> to find assets with multiple hostnames.

The term is a boolean value:

• true, t, 1, and yes represent true
• false, f, 0, and no represent false

multi_name:yes
multi_name:false

The TCP and UDP services associated with a service can be searched by port number using the syntax port:<number>. This search term supports numerical comparison operators (>, >=, <, <=, =).

port:<=25

Use the udp:<number> syntax to search UDP services associated with a service by port number.

udp:443

Use the syntax tcp:<number> to search TCP service associated with a service by port number.

tcp:53

Use the syntax transport:<term> to search the transport associated with a service by name.

transport:tcp
transport:udp
transport:icmp

Use the syntax vhost:<text> to search for virtual hosts associated with a service by name .

vhost:"www"

You can search all service attributes with the syntax <attribute>:<term>. This search term supports numerical comparison operators (>, >=, <, <=, =).

If the attribute name conflicts with an existing term, the prefix _service. can be added to disambiguate the query.

Note that service attributes can be slow and it is often better to prefix _asset.protocol:<term> filter in front of the service attribute query. For example, to search for SSH banners, use the syntax _assets.protocol:ssh AND banner:<term>.

banner:password
service.product:"OpenSSH" 
html.title:"Apache2 Ubuntu Default Page" 
http.code:>=500
screenshot.image.size:=>100000
_service.arp.macVendor:Xerox

To determine if a service has an attribute at all, use the has keyword. The has keyword can be inverted to find missing fields, with not has:<term>.

has:"http.head.server"
not has:"html.title"

The SSID/ESSID field can be searched using the syntax ssid:<text>.

ssid:"Guest Network"
ssid:"Corporate"

The BSSID field can be searched using the syntax bssid:<text> or mac:<text>.

bssid:"00:01:02:03:04:05"
mac:"00:01:%"

The vendor field can be searched using the syntax mac_vendor:<text>.

mac_vendor:"Google"
mac_vendor:"Netgear"
mac_vendor:"Cisco"

The family field can be searched using the syntax family:<term>.

family:"010304"

The channels field can be searched using the syntax channel:<term>.

channel:"11"

The network type field can be searched using the syntax type:<text>.

type:"infrastructure"

The network interface field can be searched using the syntax interface:<text>.

interface:"wlan0"

The encryption field can be searched using the syntax encryption:<term>.

encryption:"aes"
encryption:"none"

The authentication field can be searched using the syntax authentication:<term>.

authentication:"wpa2-psk"
authentication:"open"

The timestamp fields (first_seen, last_seen, created_at) timestamps can be searched using the syntax first_seen:<term>, last_seen:<term> and created_at:<term>. The term supports the same time specifications as the asset timestamp.

first_seen:<30seconds
first_seen:>2019-08-01
last_seen:<1week
last_seen:<2months
created_at:>2weeks
created_at:<30minutes

The signal field can be searched using the syntax signal:<number> or sig:<number>. The term can include the operators >, =, <=, and =. The default operator is =.

signal:">75"
signal:"<=25"
signal:99

The site name or ID can be used as a filter with the syntax site:<term>

site:Primary
site:"Branch Office"
site:ad67d649-041b-439d-af59-f200053a8899

The explorer name or ID can be used as a filter with the syntax explorer:<term>

explorer:DESKTOP-AB451F
explorer:8b927a8e-d405-40e9-aa47-d6afc9bff237

The ID field is the unique identifier for a given wireless network, written as a UUID. This field is searched using the syntax id:<uuid>.

id:cdb084f9-4811-445c-8ea1-3ea9cf88d536

The Last Task ID field defines which task most recently reported the wireless network and is written as a UUID. This field is searched using the syntax task:<uuid>.

task:39ab0e71-3cf1-4176-b6b0-4ed495288229

All wireless attributes can be searched using the syntax <attribute>:<term>.

radio_type:"802.11n"

The Name field can be searched using the syntax name:<text>.

name:"main"

The Description field can be searched using the syntax description:<text>

description:"branch office"
description:"pci"

The timestamp fields (created_at, updated_at) timestamps can be searched using the syntax created_at:<term> and updated_at:<term>. The term accepts the same comparison options as the asset timestamp.

created_at:>2weeks
created_at:<30minutes
updated_at:>1month
updated_at:2hours

The Name field can be searched using the syntax name:<text>.

name:"Primary"

The Description field can be searched using the syntax description:<text>.

description:"wireless"
description:"vlan 50"

The Scope field can be searched using the syntax scope:<term> .

scope:"10.10.10."

The Excludes field can be searched using the syntax excludes:<term> .

excludes:"192.168.0."

The timestamp fields (created_at, updated_at) timestamps can be searched using the syntax created_at:<term> and updated_at:<term>. The term accepts the same comparison syntax as the asset timestamp.

created_at:>2weeks
created_at:<30minutes
updated_at:>1month
updated_at:2hours

The Name field can be searched using the syntax name:<text>.

name:"smb2"

The Description field can be searched using the syntax description:<text>.

description:"smb version 1"
description:"wep"

The Type field can be searched using the syntax type:<term> .

type:"services"

The Category field can be searched using the syntax category:<term>.

category:"security"
category:"audit"

The Severity field can be searched using the syntax severity:<term>.

severity:"info"
severity:"critical"

The Created By field can be searched using the syntax created_by:<term>.

created_by:"rumble"

The timestamp fields, created_at and updated_at, can be searched using the syntax created_at:<term> and updated_at:<term>. The term accepts the same comparison syntax as the asset timestamp.

created_at:>2weeks
created_at:<30minutes
updated_at:>1month
updated_at:2hours

The ID field is the unique identifier for a given credential, written as a UUID. This field is searched using the syntax id:<uuid>.

id:cdb084f9-4811-445c-8ea1-3ea9cf88d536

The credential name can be searched using the syntax name:<text>.

name:"AWS read-only account"
name:"Miradore API key"

The credential type can be searched using the syntax name:<text>.

type:aws_access_secret
type:miradore_api_key_v1

The global property describes the level of access for all organizations. If a credential is global, all organizations have access to it. The global property can be searched using the syntax global:<boolean>.

The term is a boolean value:

• true, t, 1, and yes represent true
• false, f, 0, and no represent false

global:true
global:0

Credential timestamp fields (created_at and last_used_at) can be searched using the syntax:

• created_at:<term>
• last_used_at:<term>

The term supports greater than > or less than < operators.

created_at:<3days
created_at:>2019-08-01
created_at:>8/1/2019
created_at:<1week
created_at:<2months
last_used_at:<1year
last_used_at:>2weeks
last_used_at:<30minutes
last_used_at:>1year
last_used_at:<12hours
last_used_at:0

The created_by_email holds the email address for the user that created the credential. It can be searched using the syntax created_by_email:<term>.

created_by_email:user@example.com