How to Search in VMDR Mobile

Search by Field | String matching | Exact matching | Full Text Search | Is Null Queries | Range searches | Date searches | Match multiple values | Boolean operators | Nested Queries

Search by Field

Enter the field name, then a colon, then your query. Nested fields are dot separated.

Examples:

asset.status: Enrolled

user.username: .\Administrator

asset.assetID: 43954857

String matching

Use single quotes or double quotes around your query to match a string.

Examples:

auditLogs.operation:"Upload"

vulnerabilities.vulnerability.title:"Security Patch Missing"

 

Example using a wildcard: to match on part of a value, use an asterisk (*). For example, to find users with a name starting with admin, use this query:

user.username:admin*

Exact matching

Use backticks to exactly match a string. Your results will include any asset with the EXACT value returned.

Examples:

hardware.model:`SM-G935F`

vulnerabilities.vulnerability.title:`Google Pixel Android March 2021 Security Patch Missing`

Full Text Search

Many asset fields containing text allow you to use full text search and advanced search capabilities.

Examples:

Show any findings with this vulnerability title

vulnerabilities.vulnerability.title:Chrome

Show any findings that contain components of vulnerability title

vulnerabilities.vulnerability.title:"Security Patch Missing"

Show any findings that match exact title "Google Pixel Android March 2021 Security Patch Missing"

vulnerabilities.vulnerability.title:`Google Pixel Android March 2021 Security Patch Missing`

Is Null Queries

Want to match an empty/null value for a field? You'll need to remove the colon and then write "is null". For example, quickly find assets where the OS has not been identified.

Examples:

operatingSystem.version is null

asset.bluetoothMAC is null

hardware.model is null

Range searches

Ranges can be specified with the [lower .. upper] syntax using () and/or [] as follows. This is supported for numeric and date fields.

Example:

inventory.created: [2018-08-01 .. 2018-09-01]  // Between August 1st and September 1st 2018

 

Range options:

inventory.created:(date1 .. date2)  // Greater than but not equal to date1 and less than but not equal to date2

inventory.created:(date1 .. date2]  // Greater than but not equal to date1 and less than or equal to date2

inventory.created:[date1 .. date2)  // Greater than or equal to date1 and less than but not equal to date2

inventory.created:[date1 .. date2]  // Greater than or equal to date1 and less than or equal to date2

inventory.created > date1 // Greater than date1

inventory.created >= date1 // Greater than or equal to date1

inventory.created < date1 // Less than date1

inventory.created <= date1 // Less than or equal to date1
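
The bracket and comparison forms above can be checked locally before a query is relied on in a report. The following is an added example, not Qualys code: a small Python model of the inclusive/exclusive semantics listed under Range options. The function names parse_range and in_range are hypothetical, and it assumes YYYY-MM-DD dates only (no date variables such as now-3d).

```python
import re
from datetime import date

# Added example: models the range semantics documented above; it does not call any Qualys API.
D = r'"?(\d{4}-\d{2}-\d{2})"?'  # assumption: YYYY-MM-DD only, quotes optional
# Bracketed forms, e.g. inventory.created:[2018-08-01 .. 2018-09-01)
RANGE_RE = re.compile(r'^\s*([\w.]+)\s*:\s*([\[(])\s*' + D + r'\s*\.\.\s*' + D + r'\s*([\])])\s*$')
# Comparison forms, e.g. inventory.created >= 2018-08-01
CMP_RE = re.compile(r'^\s*([\w.]+)\s*(>=|<=|>|<)\s*' + D + r'\s*$')

def parse_range(query):
    """Return (field, low, low_inclusive, high, high_inclusive); None means unbounded."""
    m = RANGE_RE.match(query)
    if m:
        field, opener, lo, hi, closer = m.groups()
        lo, hi = date.fromisoformat(lo), date.fromisoformat(hi)
        if lo > hi:
            raise ValueError("lower bound is after upper bound")
        # '[' and ']' include the bound, '(' and ')' exclude it
        return field, lo, opener == '[', hi, closer == ']'
    m = CMP_RE.match(query)
    if m:
        field, op, val = m.groups()
        val = date.fromisoformat(val)
        if op[0] == '>':
            return field, val, op == '>=', None, False
        return field, None, False, val, op == '<='
    raise ValueError("not a range or comparison query: %r" % query)

def in_range(query, day):
    """True if `day` satisfies the range expressed by `query`."""
    _, lo, lo_inc, hi, hi_inc = parse_range(query)
    if lo is not None and (day < lo or (day == lo and not lo_inc)):
        return False
    if hi is not None and (day > hi or (day == hi and not hi_inc)):
        return False
    return True

if __name__ == "__main__":
    # Constructed sample: the same boundary date under each bracket form
    for q in ("inventory.created:[2018-08-01 .. 2018-09-01]",
              "inventory.created:[2018-08-01 .. 2018-09-01)"):
        print(q, "->", in_range(q, date(2018, 9, 1)))
```
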

Date searches

Use a date range [start date .. end date] or a specific date. Several date variables are also available.

Examples:

asset.lastSeen: "2018-10-20"

asset.lastSeen <= "2018-11-20"

asset.lastSeen: ["2018-10-20" .. "2018-10-24"]

asset.lastSeen: [now-3d .. now-1s]

Match multiple values

Use this to match a field against a list of values ("In" or "Not In"). Available for all fields except analyzed fields (i.e. full text search fields).

Examples:

Find assets not last seen on date: 2018-08-31 or 2018-09-12

NOT asset.lastSeen: ["2018-08-31","2018-09-12"]

Supported date formats:

YYYY example: asset.lastSeen:["2017","2018"]  // in 2017 or 2018

YYYY-MM example: asset.lastSeen:["2018-08","2018-09"]  // in month of Aug or Sept

YYYY-MM-DD example: asset.lastSeen:["2018-10-30","2018-11-05"]  // on one of exact dates

Find assets with at least one of these two operating systems:

operatingSystem.name:[Android, Chrome]

 

Boolean Operators

Use the keywords AND, OR, NOT to narrow or broaden your search. Click the link below for info on max query depth and on using NOT with vulnerability queries.

Learn more >>

Examples:

 

Show findings that have one of these operating systems:

operatingSystem.name: `Android` or operatingSystem.name: `iOS`

 

Show assets not created on or before date:

NOT inventory.created <= "2018-11-05"

Nested Queries

Use a single nested query, using parentheses, to include multiple fields in your query. This is supported only for certain tokens like "asset", "hardware", "interfaces", etc.

Example:

asset: (lastSeen: '2018-10-10' AND status: Enrolled)