Asset inventory
When viewing assets, you can use the following keywords to search and filter.
User-specified fields
Comments
Use the syntax comment:<text> to search comments on an asset.
comment:"contractor laptop"
comment:"imaging server"
Tags
Use the syntax tag:<term> to search tags added to an asset. The term can be the tag name, or the tag name followed by an equal sign and the tag value. Tag value matches must be exact.
tag:"group"
tag:"group=production"
Organization name or ID
Use the syntax organization:<term> to filter by organization name or ID.
organization:runZero
organization:"Temporary Project"
organization:f1c3ef6d-cb41-4d55-8887-6ed3cfb3d42d
Site name or ID
Use the syntax site:<term> to filter by site name or ID.
site:Primary
site:"Branch Office"
site:ad67d649-041b-439d-af59-f200053a8899
Explorer name or ID
Use the syntax explorer:<term> to filter by Explorer name or ID.
explorer:DESKTOP-AB451F
explorer:8b927a8e-d405-40e9-aa47-d6afc9bff237
Hosted zone
Use the syntax hosted_zone:<zone name> to filter by the hosted runZero Explorer that found the asset. Using this filter after a hosted scan can be a good way to locate externally facing assets.
Owner
Use the syntax owner:<term> to filter by owner name.
owner:user@runzero.com
owner:"Security Team"
Ownership status
Use the syntax owner_count:<number> to filter by owner count.
This search term supports numerical comparison operators (>, >=, <, <=, =).
owner_count:>0
owner_count:0
Use the syntax has_owner:<boolean> to find assets with owners or assets that are missing owners.
The term is a boolean value: true, t, 1, and yes represent true; false, f, 0, and no represent false.
has_owner:t
has_owner:f
Use the syntax ownership_type:<term> to filter assets by ownership type name. This will return assets that have an owner assigned for the specified ownership type.
ownership_type:"Asset Owner"
ownership_type:"Security Owner"
Asset fields
Asset ID
The ID field is the unique identifier for a given asset, written as a UUID. Use the syntax id:<uuid> to filter by ID field.
id:cdb084f9-4811-445c-8ea1-3ea9cf88d536
Operating system
The operating system field is a string describing the detected operating system software. This field is searched using the syntax os:<text>. The OS version, if available, can be searched using os_version:<number>.
os:"Windows"
os:"Ubuntu Linux"
os_version:8
OS CPE
The operating system Common Platform Enumeration (CPE) field is a string describing the detected operating system software aligned to the CPE naming scheme. This field is searched using the syntax os.cpe23:<text>. In cases where runZero was able to fingerprint the operating system but the NIST database does not contain an official matching entry, an unofficial CPE will be generated that includes r0_unofficial in the other field of the CPE.
os.cpe23:"ubuntu"
os.cpe23:="cpe:/o:canonical:ubuntu_linux:22.04.1"
os.cpe23:="cpe:/o:alma:linux:-::~~~~~r0_unofficial"
Type
The type field is a string describing the detected system type, such as Desktop, Laptop, Server, BMC, or Mobile. Use the syntax type:<text> to search this field.
type:Desktop
type:BMC
type:"Game Console"
Hardware
The hardware field is a string describing the detected physical hardware, such as macMini or Nintendo Switch. Use the syntax hardware:<text> to search this field.
hardware:Switch
hardware:macMini
Hostnames
The hostnames associated with an asset are obtained from DNS and exposed services. Use the syntax name:<text> to search these names.
name:"www"
name:"TV"
To find assets where any hostname has a specific prefix or suffix, use the := exact match operator, with % as a wildcard:
name:="FTP.%"
name:="%-09"
Use the syntax name_count:<number> to search the hostname count.
This search term supports numerical comparison operators (>, >=, <, <=, =).
name_count:>1
Use the syntax name_overlap:<boolean> to find assets sharing the same name.
The term is a boolean value: true, t, 1, and yes represent true; false, f, 0, and no represent false.
name_overlap:t
Domains
The domains associated with an asset are obtained from DNS and exposed services. Use the syntax domain:<domainname> to search the domain names.
domain:"amazon.com"
domain:"corp.lan"
domain:"WORKGROUP"
The domain count can be searched using the syntax domain_count:<number>.
This search term supports numerical comparison operators (>, >=, <, <=, =).
domain_count:>1
Addresses
Use the syntax address:<ip> to search the addresses (both primary and secondary) associated with an asset, primary_address:<ip> to search only the primary addresses associated with an asset, or secondary_address:<ip> to search only the secondary addresses associated with an asset. These keywords also allow for CIDR mask matching, as well as wildcard matches using '%'. A comma-separated list of addresses will be used as an efficient multiple-match.
address:192.168.0.1
address:10.0.0
address:10.1.2.0/24
address:%.0.1
address:10.%.254
address:10.0.0.1,10.0.0.2,10.0.0.3
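The example below is an added illustration, not runZero code: it reimplements the address matching rules described above (CIDR mask, % wildcard, comma-separated multiple-match) over a constructed inventory so the behaviour of each form can be checked offline. It assumes that a plain term without a wildcard or mask, such as 10.0.0, is a prefix match on an octet boundary; runZero's own matching may differ.

```python
import ipaddress
import re

# Constructed sample inventory (not real runZero data): asset id -> addresses.
ASSETS = {
    "asset-a": ["192.168.0.1", "10.0.0.5"],
    "asset-b": ["10.1.2.40"],
    "asset-c": ["10.7.9.254", "fe80::1"],
    "asset-d": ["172.16.0.1"],
}


def _term_matches(term: str, addr: str) -> bool:
    """Match a single address term against one address.

    Three forms from the documentation: a CIDR mask (10.1.2.0/24), a
    '%' wildcard (10.%.254), or a literal address. A literal that is
    shorter than a full address (10.0.0) is treated as a prefix on an
    octet boundary; that last rule is an assumption, not documented.
    """
    if "/" in term:
        try:
            net = ipaddress.ip_network(term, strict=False)
            return ipaddress.ip_address(addr) in net
        except ValueError:
            return False  # malformed CIDR or a non-IP address value
    if "%" in term:
        # '%' matches any run of characters; everything else is literal.
        pattern = "^" + ".*".join(re.escape(p) for p in term.split("%")) + "$"
        return re.match(pattern, addr) is not None
    return addr == term or addr.startswith(term + ".")


def match_address(query: str, addresses: list[str]) -> bool:
    """A comma-separated query is a multiple-match: any term on any address."""
    terms = [t.strip() for t in query.split(",") if t.strip()]
    return any(_term_matches(t, a) for t in terms for a in addresses)


def search(query: str, assets: dict = ASSETS) -> list[str]:
    """Return the sorted ids of assets whose addresses satisfy the query."""
    return sorted(aid for aid, addrs in assets.items() if match_address(query, addrs))
```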
Use the syntax address_count:<number> and address_extra_count:<number> to search the primary and secondary address counts.
This search term supports numerical comparison operators (>, >=, <, <=, =).
address_extra_count:0
Use the syntax address_overlap:<boolean> to find assets sharing primary IP addresses. This can be further filtered to single sites using the site keyword.
The term is a boolean value: true, t, 1, and yes represent true; false, f, 0, and no represent false.
address_overlap:t
Use the syntax address_extra_overlap:<boolean> to find assets sharing secondary IP addresses. This can be further filtered to single sites using the site keyword.
The term is a boolean value: true, t, 1, and yes represent true; false, f, 0, and no represent false.
address_extra_overlap:t
Networks
Use the syntax net:<cidr> to search the addresses (both primary and secondary) associated with an asset by CIDR mask.
net:192.168.0.0/24
Default SNMP communities
Use the syntax has:snmp.v2DefaultCommunities to search for assets with a default SNMP community (public, private, and other defaults).
has:snmp.v2DefaultCommunities
snmp.v2DefaultCommunities:public
Public address
Use the keyword has_public with the syntax has_public:<boolean> to locate any asset with a non-reserved IP address. This often corresponds to public-facing systems, though public IPs can also be used internally behind a firewall. Note that public IPv6 addresses are included by this filter; to search for only public IPv4 addresses, you can use has_public_v4.
The term is a boolean value: true, t, 1, and yes represent true; false, f, 0, and no represent false.
has_public:true
Private address
Use the keyword has_private with the syntax has_private:<boolean> to locate any asset with a private IP address.
The term is a boolean value: true, t, 1, and yes represent true; false, f, 0, and no represent false.
has_private:false
IPv6 address
Use the keyword has_ipv6 with the syntax has_ipv6:<boolean> to locate any asset with an identified IPv6 address.
The term is a boolean value: true, t, 1, and yes represent true; false, f, 0, and no represent false.
has_ipv6:false
Link-local IPv6 address
Use the keyword has_link_local with the syntax has_link_local:<boolean> to locate any asset with an identified IPv6 link-local (fe80::) address.
The term is a boolean value: true, t, 1, and yes represent true; false, f, 0, and no represent false.
has_link_local:true
MAC address
Use the syntax mac:<term> to search MAC addresses associated with an asset.
mac:00:5c:04
mac:00:00:1c
Use the syntax mac_count:<number> to search the MAC address count.
This search term supports numerical comparison operators (>, >=, <, <=, =).
mac_count:>2
If you use exact search (:=) you can also search for full MAC addresses in Cisco format or dash-separated format:
mac:=00-10-fa-c2-bf-d5
mac:=0010.fac2.bfd5
Use the syntax mac_overlap:<boolean> to find assets sharing the same MAC address.
The term is a boolean value: true, t, 1, and yes represent true; false, f, 0, and no represent false.
mac_overlap:t
MAC address vendors
The vendor associated with the MAC addresses of an asset can be searched using the syntax mac_vendor:<text>.
mac_vendor:Apple
mac_vendor:"Intel Corporate"
To search only the vendor associated with the newest MAC address, use the syntax newest_mac_vendor:<text>.
newest_mac_vendor:Apple
The MAC address vendor count can be searched using the syntax mac_vendor_count:<number>.
This search term supports numerical comparison operators (>, >=, <, <=, =).
mac_vendor_count:0
MAC address age
Use the syntax mac_age:<term> to search the allocation date of the newest MAC address associated with an asset. The term supports the standard runZero [time comparison syntax][time].
mac_age:>1year
mac_age:<6months
mac_age:2019-12-31
Outlier score
Use the syntax outlier_score:<value> to search the calculated outlier score of assets. The outlier score is in the range 0 to 5 inclusive. This search term supports numerical comparison operators (>, >=, <, <=, =).
outlier_score:>2
outlier_score:0
Upstream switch IP address
Use the syntax switch.ip:<address> to search the IP address of the upstream switch that assets are connected to.
switch.ip:192.168.1.1
switch.ip:fe80::81f2:1c9d:5ac9:5420
Upstream switch name
Use the syntax switch.name:<hostname> to search the hostname of the upstream switch that assets are connected to.
switch.name:"SWITCH-1"
switch.name:office
Upstream switch port
Use the syntax switch.port:<address>-<port number string> to search the port on the upstream switch that assets are connected to.
switch.port:192.168.1.1-25
switch.port:10.1.2.3-0/1/2
Upstream switch shared port
Use the syntax attribute:switch.portShared to find assets that connect to a switch port reporting multiple MAC addresses.
attribute:switch.portShared
Attributes
Use the syntax attribute:<term> to search the asset attribute fields, such as the port used to detect the TTL.
attribute:"ip.ttl.port"
attribute:"cpe:/a:isc:bind:9.11.3"
attribute:"9.11.3"
To determine whether an asset has a given attribute defined, use the has:<attribute-name> keyword. The has keyword can be inverted to find missing fields with not has:<term>.
has:"ip.ttl.port"
not has:"rdns.names"
In addition to the standard fields, the following special attributes are available:
has:screenshot returns assets where at least one screenshot was obtained.
has:icons returns assets where at least one icon was obtained (HTTP, UPnP, or similar).
has:uplink returns assets seen in the CAM table of a network switch.
has:downlink returns assets where the CAM table was queried and at least one other asset was connected.
has:unmapped returns assets where the CAM table was queried and at least one other asset was connected but not identified by IP.
The attribute can be specified as a term directly. If the attribute name conflicts with an existing term, the prefix _asset. can be specified to disambiguate the query.
ip.ttl.port:80
rdns.names:"router"
_asset.ip.ttl.hops:"1"
Foreign attributes from third-party inbound integrations can be queried using the syntax @<integration>.<source>.<attribute>:<term>. The table below includes the correct prefix for each integration.
Integration | Prefix |
---|---|
Miradore | @miradore.dev. |
AWS EC2 | @aws.ec2. |
AWS ELB & ELBv2 | @aws.elb. |
AWS RDS | @aws.rds. |
CrowdStrike | @crowdstrike.dev. |
Azure Load Balancer | @azure.vm. |
Azure VM | @azure.vm. |
Azure Scale Set VM | @azure.vmss. |
Censys | @censys.host. |
VMWare | @vmware.vm. |
GCP Load Balancer | @gcp.lb. |
GCP E2-Micro VM | @gcp.vm. |
GCP CloudSQL | @gcp.cloudsql. |
SentinelOne | @sentinelone.dev. |
Tenable.io & Nessus | @tenable.dev. |
Rapid7 Nexpose & InsightVM | @rapid7.dev. |
Qualys VMDR | @qualys.dev. |
Shodan | @shodan.dev. |
Azure AD | azuread |
Active Directory (LDAP) | @ldap.computer. |
Microsoft 365 Defender | @ms365defender.dev. |
Microsoft Intune | @intune.dev. |
Google Workspace ChromeOS | @googleworkspace.chromeos. |
Google Workspace Endpoint | @googleworkspace.endpoint. |
Google Workspace Mobile | @googleworkspace.mobile. |
@aws.ec2.region:="us-east-2"
@crowdstrike.dev.agentVersion:="6.49.16201.0"
@googleworkspace.chromeos.model:="HP Chromebook"
Asset services
Service ports
The TCP and UDP services associated with an asset can be searched by port number using the syntax port:<number>.
port:80
port:161
Service TCP ports
Use the syntax tcp:<number> to search the TCP services associated with an asset by port number.
tcp:443
To search for assets with a specific list of TCP ports open, you can use the syntax service_ports_tcp:=<list>. Values should be in ascending numerical order and separated by commas.
service_ports_tcp:=80,443
Service UDP ports
Use the syntax udp:<number> to search the UDP services associated with an asset by port number.
udp:53
To search for assets with a specific list of UDP ports open, you can use the syntax service_ports_udp:=<list>. Values should be in ascending numerical order and separated by commas.
service_ports_udp:=53,123
Service protocols
Use the syntax service_protocols:<term> (or protocol:<term> for short) to search the identified service protocols associated with an asset.
protocol:http
service_protocol:telnet
The protocol count can be searched using the syntax protocol_count:<number>.
This search term supports numerical comparison operators (>, >=, <, <=, =).
protocol_count:>1
Service products
Use the syntax service_products:<term> (or product:<term> for short) to search for the identified service products associated with an asset.
product:openssh
service_products:nginx
The product count can be searched using the syntax product_count:<number>.
This search term supports numerical comparison operators (>, >=, <, <=, =).
product_count:>3
Service counts
Use the following keywords to search the number of services associated with an asset, broken down by protocol:
service_count_tcp:<number>
service_count_udp:<number>
service_count_icmp:<number>
service_count_arp:<number>
These keywords support numerical comparison operators (>, >=, <, <=, =).
Examples include:
service_count_tcp:>=5
service_count_arp:0
service_count_udp:<=1
Asset tracking fields
Timestamps
Use the following syntaxes to search the asset timestamp fields (first_seen, last_seen, created_at, updated_at, os_eol, os_eol_extended):
first_seen:<term>
last_seen:<term>
created_at:<term>
updated_at:<term>
os_eol:<term>
os_eol_extended:<term>
The term supports the standard runZero [time comparison syntax][time].
first_seen:<3days
first_seen:>2019-08-01
first_seen:>8/1/2019
last_seen:<1week
last_seen:<2months
last_seen:<1year
created_at:>2weeks
created_at:<30minutes
updated_at:>1year
updated_at:<12hours
os_eol:<now
os_eol:>4weeks
os_eol_extended:>now
os_eol_extended:>90days
Online status
Use the syntax online:<boolean> or the inverse syntax offline:<boolean> to search the online status of an asset.
The term is a boolean value: true, t, 1, and yes represent true; false, f, 0, and no represent false.
online:t
online:1
offline:0
Operating system support status
The syntax os_eol_expired:<boolean> can be used to identify assets based on whether their operating systems are End of Life (EOL). This field evaluates both the os_eol and os_eol_extended values to return only assets with expired coverage.
The term is a boolean value: true, t, 1, and yes represent true; false, f, 0, and no represent false.
os_eol_expired:t
os_eol_expired:1
os_eol_expired:no
Detection method
The detected by attribute of an asset can be searched using the syntax det:<term> or detected_by:<term>.
The term is one of arp, icmp, <portnumber>-tcp, or <portnumber>-udp. In the case of multiple detections, the priority goes arp, icmp, and then the first detected service.
det:arp
detected_by:80-tcp
det:53-udp
Time to Live (TTL) comparisons
Use the syntax ttl:<term> and lowest_ttl:<term> to search the lowest TTL of an asset. TTL is the estimated number of hops between the scan source and the asset.
This search term supports numerical comparison operators (>, >=, <, <=, =).
lowest_ttl:>3
Round Trip Time (RTT) comparisons
Use the syntax rtt:<term> and lowest_rtt:<term> to search the lowest RTT for an asset. RTT is the round-trip response time of a given probe measured in nanoseconds (1,000,000 == 1ms).
This search term supports numerical comparison operators (>, >=, <, <=, =).
lowest_rtt:>50000000
Multiple MAC address status
Use the syntax multi_mac:<boolean> to determine if an asset has multiple MAC addresses.
The term is a boolean value: true, t, 1, and yes represent true; false, f, 0, and no represent false.
multi_mac:t
Any MAC address status
Use the syntax has_mac:<boolean> to find assets with any MAC addresses.
The term is a boolean value: true, t, 1, and yes represent true; false, f, 0, and no represent false.
has_mac:yes
has_mac:f
Multiple IP address status
Use the syntax multi_home:<boolean> to determine if an asset has multiple IP addresses.
The term is a boolean value: true, t, 1, and yes represent true; false, f, 0, and no represent false.
multi_home:t
Multiple hostname status
Use the syntax multi_name:<boolean> to find assets with multiple hostnames.
The term is a boolean value: true, t, 1, and yes represent true; false, f, 0, and no represent false.
multi_name:yes
multi_name:false
Software installations
Use the syntax software:<term> to find assets with associated software.
The term has three forms:
software:<product> will look for any assets with a software product that matches the term.
software:<product>/<version> will look for any assets with a software product and version that match the term exactly.
software:<vendor>/<product>/<version> will look for any assets with a software vendor, product, and version that match the term exactly.
All three forms allow the use of % as a wildcard (beginning, middle, or end of the term).
software:IIS
software:Microsoft/IIS/10.0
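The following is an added example, not runZero code: it models the three software term forms and the % wildcard over a constructed set of software records, so you can see which records each form selects. It assumes that the single-field product form is a case-insensitive substring match (the page says "matches the term" rather than "exactly"), while the two- and three-field forms are exact, case-insensitive matches unless a wildcard is used.

```python
import re

# Constructed sample records (vendor, product, version) per asset; not real inventory.
SOFTWARE = {
    "web-01": [("Microsoft", "IIS", "10.0")],
    "web-02": [("F5", "NGINX", "1.24.0")],
    "web-03": [("Microsoft", "IIS", "8.5"), ("Microsoft", "SQL Server", "2019")],
}


def _field(term: str) -> re.Pattern:
    """Anchored, case-insensitive pattern for one '/'-separated field.

    '%' becomes '.*'; without a wildcard the field must match exactly.
    """
    return re.compile("^" + ".*".join(re.escape(p) for p in term.split("%")) + "$", re.I)


def match_software(term: str, records) -> bool:
    """Apply one software:<term> query to an asset's software records."""
    parts = term.split("/")
    if len(parts) == 1:
        # Product-only form: substring match, unless the user gave a wildcard
        # (assumption: the documentation says "matches", not "exactly").
        if "%" in parts[0]:
            pat = _field(parts[0])
        else:
            pat = re.compile(re.escape(parts[0]), re.I)
        return any(pat.search(product) for _, product, _ in records)
    if len(parts) == 2:
        product, version = (_field(p) for p in parts)
        return any(product.match(p) and version.match(v) for _, p, v in records)
    if len(parts) == 3:
        vendor, product, version = (_field(p) for p in parts)
        return any(
            vendor.match(vn) and product.match(p) and version.match(v)
            for vn, p, v in records
        )
    raise ValueError("software term has at most three '/'-separated fields")


def search_software(term: str, inventory: dict = SOFTWARE) -> list[str]:
    """Return the sorted asset ids whose software records satisfy the term."""
    return sorted(aid for aid, recs in inventory.items() if match_software(term, recs))
```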