Inventory Advanced Search
Overview
The Advanced Search language offers a flexible, Python-like syntax for querying and filtering assets with precision and efficiency.
The language uses a field operator value structure to construct search expressions, enabling advanced asset discovery capabilities.
Example Queries
- Basic Query:
type="android"
- Regex Matching:
asset~=".*@mywebdomain\.com"
- AND/OR Query:
type="android" OR type="ios"
- Combined Query:
(type="android" OR type="ios") AND (owner="john.doe" OR owner~="prod-.*")
Syntax
Field-Operator-Value Structure
Each query is built using the following components:
- Field: The property to filter on (e.g., type, owner, service.port).
- Operator: Specifies the condition (e.g., =, !=, <, >).
- Value: The value to match (e.g., android, 443).
Supported Operators
- =: Equals.
- !=: Not equal to.
- <: Less than (for date and numeric fields).
- >: Greater than (for date and numeric fields).
- ~=: Regex search.
Supported Fields
Below is a list of supported fields, along with their descriptions and available values:
Field | Description | Supported Operators | Possible Values | Example |
---|---|---|---|---|
ownership | Differentiate between internal, acquisition-owned and third-party service assets | =, != | internal, third_party_service, acquisition, rejected | ownership="internal" |
type | Filter by asset type | =, != | android, ios, subdomain, domain, ip, org, asn, tld, email, address, person, certificate, coordinates | type="android" |
owner | Filter by the asset owner name | =, !=, ~= | Any string or regex | owner="john.doe" or owner~="prod-.*" |
asset | Search by asset content, such as an IP address, mobile app package name or domain name value | =, !=, ~= | Any string or regex | asset="example.com" or asset~=".*@domain\.com" |
service.port | Filter by service port | =, !=, <, > | Any port number | service.port=443 or service.port>80 |
service.protocol | Filter by service protocol | =, !=, ~= | Any string or regex | service.protocol="https" |
whois.address | Filter by WHOIS address | =, !=, ~= | Any string or regex | whois.address="123 Main St" |
whois.email | Filter by WHOIS email | =, !=, ~= | Any string or regex | whois.email="admin@example.com" |
whois.org | Filter by WHOIS organization name | =, !=, ~= | Any string or regex | whois.org="Example Corp" |
dns.record | Filter by DNS record type | =, != | Any string or regex | dns.record="MX" |
dns.value | Filter by DNS value | =, !=, ~= | Any string or regex | dns.value="mail.example.com" |
dns.date | Filter assets with DNS records modified on a specific date | <, >, = | A valid date string in the format YYYY-MM-DD | dns.date="2023-02-04" or dns.date>2023-01-01 |
fingerprint.name | Filter by fingerprint name | =, !=, ~= | Any string or regex | fingerprint.name="Apache" |
fingerprint.detail | Filter by fingerprint details | =, !=, ~= | Any string or regex | fingerprint.detail="2.4.41" |
fingerprint.version | Filter by fingerprint version | =, !=, ~= | Any string or regex | fingerprint.version="1.0.0" |
fingerprint.date | Filter assets with fingerprints modified on a specific date | <, >, = | A valid date string in the format YYYY-MM-DD | fingerprint.date="2023-02-04" |
certificate.serial | Filter by certificate serial number | =, !=, ~= | Any string or regex | certificate.serial="123456" |
certificate.issuer | Filter by certificate issuer | =, !=, ~= | Any string or regex | certificate.issuer="Let's Encrypt" |
certificate.subject | Filter by certificate subject | =, !=, ~= | Any string or regex | certificate.subject="example.com" |
certificate.date | Filter by the certificate's date | <, >, = | A valid date string in the format YYYY-MM-DD | certificate.date="2023-02-04" |
tag | Filter by tag name | =, != | Any string or regex | tag="production" |
value | Filter by tag value | =, != | Any string or regex | value="critical" |
Combined Queries
Logical Operators
Combined queries leverage two primary logical operators:
- AND: Combines conditions where both must be true.
- OR: Combines conditions where at least one must be true.
Grouping with Parentheses
Parentheses () are used to create logical groupings and control the order of operations in complex queries.
Query Composition Examples
- Multiple Condition Filtering
  Finds Android assets owned by John Doe.
  type="android" AND owner="john.doe"
- Complex Condition Grouping
  Finds mobile assets (Android or iOS) owned by John Doe or matching a production owner pattern.
  (type="android" OR type="ios") AND (owner="john.doe" OR owner~="prod-.*")
- Nested Condition Filtering
  Finds domain assets with either HTTP or HTTPS ports.
  type="domain" AND (service.port=443 OR service.port=80)
Advanced Filtering Strategies
- Exclusion Queries
  Finds domain assets not owned by test or development teams.
  type="domain" AND owner!="test" AND owner!="dev"
- Regex-based Complex Matching
  Finds subdomains matching multiple regex patterns.
  (asset~=".*internal\.com" OR asset~=".*external\.org") AND type="subdomain"
- Date-based Filtering
  Finds certificates issued after January 1st, 2023, by Let's Encrypt.
  certificate.date>"2023-01-01" AND certificate.issuer="Let\'s Encrypt"
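A query can be checked against the Supported Fields table before it is saved or scheduled, so that a typo in a field, operator or date does not silently return an empty asset list. The sketch below is an added example, not the product's own parser: the tokenizer and the names `validate` and `check_condition` are assumptions, and it treats the listed values for ownership and type as exhaustive.

```python
import re

# Supported operators -> fields, transcribed from the Supported Fields table above.
TABLE = {"= !=": "ownership type dns.record tag value", "= != < >": "service.port",
         "= < >": "dns.date fingerprint.date certificate.date",
         "= != ~=": "owner asset service.protocol whois.address whois.email whois.org "
                    "dns.value fingerprint.name fingerprint.detail fingerprint.version "
                    "certificate.serial certificate.issuer certificate.subject"}
FIELDS = {f: ops.split() for ops, names in TABLE.items() for f in names.split()}
ENUMS = {"ownership": "internal third_party_service acquisition rejected",
         "type": "android ios subdomain domain ip org asn tld email address person "
                 "certificate coordinates"}
# Tokenizer: this example's assumption about the grammar, not the product's parser.
TOKEN = re.compile(r'''\s*(?:(?P<paren>[()])|(?P<logic>AND|OR)\b|(?P<field>[a-z_.]+)
    \s*(?P<op>!=|~=|=|<|>)\s*(?P<value>"(?:\\.|[^"\\])*"|[^\s()]+))''', re.X)

def check_condition(field, op, raw):
    value = raw[1:-1] if raw.startswith('"') else raw
    if field not in FIELDS:
        return f"unknown field {field}"
    if op not in FIELDS[field]:
        return f"operator {op} is not supported for {field}"
    if field in ENUMS and value not in ENUMS[field].split():
        return f"{value} is not a listed value for {field}"
    if field.endswith(".date") and not re.fullmatch(r"\d{4}-\d{2}-\d{2}", value):
        return f"{field} needs a YYYY-MM-DD date"
    return None

def validate(query):
    """Return a list of problems; an empty list means every check passed."""
    problems, depth, pos, want_cond = [], 0, 0, True
    while query[pos:].strip():
        m = TOKEN.match(query, pos)
        if not m:
            return problems + [f"cannot parse at offset {pos}"]
        pos = m.end()
        if m["paren"]:
            depth += 1 if m["paren"] == "(" else -1
            if depth < 0 or want_cond != (m["paren"] == "("):
                problems.append(f"misplaced {m['paren']}")
        elif bool(m["logic"]) == want_cond:
            problems.append(f"misplaced {m['logic'] or m['field']}")
        elif m["field"] and (err := check_condition(m["field"], m["op"], m["value"])):
            problems.append(err)
        if not m["paren"]:
            want_cond = bool(m["logic"])
    if depth > 0 or want_cond:
        problems.append("incomplete query (open group or dangling operator)")
    return problems
```

`validate` returns an empty list for every query shown on this page; a regex operator on type, an unlisted type value, or a date not in YYYY-MM-DD form each produce a message naming the offending field.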