How to Search in VMDR Mobile
Search by Field | String matching | Exact matching | Full Text Search | Is Null Queries | Range searches | Date searches | Match multiple values | Boolean operators | Nested Queries
Search by Field
Enter the field name, then a colon, then your query. Nested fields are dot separated.
Examples:
asset.status: Enrolled
user.username: .\Administrator
asset.assetID: 43954857
String matching
Use single quotes or double quotes around your query to match a string.
Examples:
auditLogs.operation:"Upload"
vulnerabilities.vulnerability.title:"Security Patch Missing"
Example using a wildcard: to match values that start with a given string, use an asterisk (*). For example, to find users whose name starts with admin, use this query:
user.username:admin*
Exact matching
Use backticks to exactly match a string. Your results will include any asset with the EXACT value returned.
Examples:
hardware.model:`SM-G935F`
vulnerabilities.vulnerability.title:`Google Pixel Android March 2021 Security Patch Missing`
Full Text Search
Many asset fields containing text allow you to use full text search and advanced search capabilities.
Examples:
Show any findings with this vulnerability title
vulnerabilities.vulnerability.title:Chrome
Show any findings that contain components of vulnerability title
vulnerabilities.vulnerability.title:"Security Patch Missing"
Show any findings that match exact title "Google Pixel Android March 2021 Security Patch Missing"
vulnerabilities.vulnerability.title:`Google Pixel Android March 2021 Security Patch Missing`
Is Null Queries
Want to match an empty/null value for a field? You'll need to remove the colon and then write "is null". For example, quickly find assets where the OS has not been identified.
Examples:
operatingSystem.version is null
asset.bluetoothMAC is null
hardware.model is null
Range searches
Ranges can be specified with the [lower .. upper] syntax using () and/or [] as follows. This is supported for numeric and date fields.
Example:
inventory.created: [2018-08-01 .. 2018-09-01] // Between August 1st and September 1st 2018
Range options:
inventory.created:(date1 .. date2)
// Greater than but not equal to date1 and less than but not equal to date2
inventory.created:(date1 .. date2]
// Greater than but not equal to date1 and less than or equal to date2
inventory.created:[date1 .. date2)
// Greater than or equal to date1 and less than but not equal to date2
inventory.created:[date1 .. date2]
// Greater than or equal to date1 and less than or equal to date2
inventory.created > date1
// Greater than date1
inventory.created >= date1
// Greater than or equal to date1
inventory.created < date1
// Less than date1
inventory.created <= date1
// Less than or equal to date1
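To make the inclusive/exclusive bracket rules above concrete, here is a small evaluator (an added example, not Qualys code) that parses the range and comparison forms from this section and tests them against a single record. It assumes flat ISO YYYY-MM-DD dates or plain numbers as values, dotted field names indexing nested dicts, and no date variables such as now-3d.

```python
import re
from datetime import date

# Bracket form: field: [lo .. hi], with ( or [ on the left and ) or ] on the right.
BRACKET = re.compile(r"^\s*([\w.]+)\s*:\s*([\[(])\s*(.+?)\s*\.\.\s*(.+?)\s*([\])])\s*$")
# Comparison form: field > value (>= and <= must be tried before > and <).
COMPARE = re.compile(r"^\s*([\w.]+)\s*(>=|<=|>|<)\s*(.+?)\s*$")
ISO_DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")

def lookup(record, dotted):
    """Walk a dotted field name such as inventory.created through nested dicts."""
    for part in dotted.split("."):
        if not isinstance(record, dict) or part not in record:
            return None  # missing field: treated as 'is null', never in range
        record = record[part]
    return record

def parse_value(text):
    """Strip optional quotes; ISO dates become date objects, anything else a number."""
    text = str(text).strip("\"'")
    if ISO_DATE.match(text):
        return date.fromisoformat(text)
    return float(text)

def matches(query, record):
    """Return True if the record satisfies one range or comparison query."""
    m = BRACKET.match(query)
    if m:
        field, lo_bracket, lo, hi, hi_bracket = m.groups()
        raw = lookup(record, field)
        if raw is None:
            return False
        value, lo, hi = parse_value(raw), parse_value(lo), parse_value(hi)
        lower_ok = value >= lo if lo_bracket == "[" else value > lo   # [ inclusive, ( exclusive
        upper_ok = value <= hi if hi_bracket == "]" else value < hi   # ] inclusive, ) exclusive
        return lower_ok and upper_ok
    m = COMPARE.match(query)
    if m:
        field, op, bound = m.groups()
        raw = lookup(record, field)
        if raw is None:
            return False
        value, bound = parse_value(raw), parse_value(bound)
        return {">": value > bound, ">=": value >= bound,
                "<": value < bound, "<=": value <= bound}[op]
    raise ValueError(f"not a range or comparison query: {query!r}")

# Constructed sample record (hypothetical asset, values chosen to sit on the boundary).
ASSET = {"inventory": {"created": "2018-09-01"}, "asset": {"assetID": 43954857}}
```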
Date searches
Use a date range [start date .. end date] or a specific date. Several date variables are also available.
Examples:
asset.lastSeen: "2018-10-20"
asset.lastSeen <= "2018-11-20"
asset.lastSeen: ["2018-10-20" .. "2018-10-24"]
asset.lastSeen: [now-3d .. now-1s]
Match multiple values
Use a list of values to match records whose field is "In" the list, or with NOT, "Not In" it. Available for all fields except analyzed fields (i.e. full text search fields).
Examples:
Find assets not last seen on date: 2018-08-31 or 2018-09-12
NOT asset.lastSeen: ["2018-08-31","2018-09-12"]
Supported date formats:
YYYY example: asset.lastSeen:["2017","2018"]
// in 2017 or 2018
YYYY-MM example: asset.lastSeen:["2018-08","2018-09"]
// in month of Aug or Sept
YYYY-MM-DD example: asset.lastSeen:["2018-10-30","2018-11-05"]
// on one of exact dates
Find assets with at least one of these two operating systems:
operatingSystem.name:[Android, Chrome]
Boolean Operators
Use the keywords AND, OR, NOT to narrow or broaden your search. Limits on maximum query depth and on using NOT with vulnerability queries are documented separately.
Examples:
Show findings that have one of these operating systems:
operatingSystem.name: `Android` OR operatingSystem.name: `iOS`
Show assets not created on or before date:
AND NOT inventory.created <= "2018-11-05"
Nested Queries
Use a single nested query, using parentheses, to include multiple fields in your query. This is supported only for certain tokens like "asset", "hardware", "interfaces", etc.
Example:
asset: (lastSeen: '2018-10-10' AND status: Enrolled)