---
title: "Asset inventory"
---

When viewing assets, you can use the following keywords to ((search|search assets)) and filter.

## User-specified fields

### Comments {#assets-comments}

Use the syntax `comment:<text>` to search comments on an asset.

```plaintext
comment:"contractor laptop"
```
```plaintext
comment:"imaging server"
```

### Tags {#assets-tags}

Use the syntax `tag:<term>` to search tags added to an asset. The term can be the tag name, or the tag name followed by an equal sign and the tag value. Tag value matches must be exact.

```plaintext
tag:"group"
```
```plaintext
tag:"group=production"
```

### Organization name or ID {#assets-organization}

Use the syntax `organization:<term>` to filter by organization name or ID.
```plaintext
organization:runZero
```
```plaintext
organization:"Temporary Project"
```
```plaintext
organization:f1c3ef6d-cb41-4d55-8887-6ed3cfb3d42d
```

### Site name or ID {#assets-site}

Use the syntax `site:<term>` to filter by site name or ID.
```plaintext
site:Primary
```
```plaintext
site:"Branch Office"
```
```plaintext
site:ad67d649-041b-439d-af59-f200053a8899
```

### Explorer name or ID {#assets-explorer}

Use the syntax `explorer:<term>` to filter by Explorer name or ID.
```plaintext
explorer:DESKTOP-AB451F
```
```plaintext
explorer:8b927a8e-d405-40e9-aa47-d6afc9bff237
```

### Hosted zone

Use the syntax `hosted_zone:<zone name>` to filter by the hosted runZero Explorer that found the asset. Using this filter after a hosted scan can be a good way to locate externally facing assets.

### Owner

Use the syntax `owner:<term>` to filter by owner name.
```plaintext
owner:user@runzero.com
owner:"Security Team"
```

### Ownership status

Use the syntax `owner_count:<number>` to filter by owner count. 
This search term supports numerical comparison operators (`>`, `>=`, `<`, `<=`, `=`).
```plaintext
owner_count:>0
owner_count:0
```

Use the syntax `has_owner:<boolean>` to find assets with owners or assets that are missing owners.

The term is a boolean value:

- `true`, `t`, `1`, and `yes` represent _true_
- `false`, `f`, `0`, and `no` represent _false_

```plaintext
has_owner:t
has_owner:f
```

Use the syntax `ownership_type:<term>` to filter assets by ownership type name. This will return assets that have an owner assigned for the specified ownership type.

```plaintext
ownership_type:"Asset Owner"
ownership_type:"Security Owner"
```

## Asset fields

### Asset ID {#assets-ID}

The ID field is the unique identifier for a given asset, written as a UUID. Use the syntax `id:<uuid>` to filter by ID field.

```plaintext
id:cdb084f9-4811-445c-8ea1-3ea9cf88d536
```

### Operating system {#assets-OS}

The operating system field is a string describing the detected operating system software. This field is searched using the syntax `os:<text>`. The OS version, if available, can be searched using `os_version:<number>`.

```plaintext
os:"Windows"
```
```plaintext
os:"Ubuntu Linux"
```
```plaintext
os_version:8
```

### OS CPE {#assets-cpe}

The operating system Common Platform Enumeration (CPE) field is a string describing the detected operating system software aligned to the CPE naming scheme. This field is searched using the syntax `os.cpe23:<text>`. In cases where runZero was able to fingerprint the operating system but the NIST database does not contain an official matching entry, an unofficial CPE will be generated and include `r0_unofficial` in the `other` field of the CPE.

```plaintext
os.cpe23:"ubuntu"
```
```plaintext
os.cpe23:="cpe:/o:canonical:ubuntu_linux:22.04.1"
```
```plaintext
os.cpe23:="cpe:/o:alma:linux:-::~~~~~r0_unofficial"
```

### Type {#assets-type}

The type field is a string describing the detected system type, such as Desktop, Laptop, Server, BMC, or Mobile. Use the syntax `type:<text>` to search this field.
```plaintext
type:Desktop
```
```plaintext
type:BMC
```
```plaintext
type:"Game Console"
```

### Hardware {#assets-hardware}

The hardware field is a string describing the detected physical hardware, such as `macMini` or `Nintendo Switch`. Use the syntax `hardware:<text>` to search this field.
```plaintext
hardware:Switch
```
```plaintext
hardware:macMini
```

### Hostnames {#assets-hostnames}

The hostnames associated with an asset are obtained from DNS and exposed services. Use the syntax `name:<text>` to search these names.
```plaintext
name:"www"
```
```plaintext
name:"TV"
```

To search for assets where any hostname has a specific prefix or suffix, use the `:=` exact match operator with `%` as a wildcard:
```plaintext
name:="FTP.%"
```
```plaintext
name:="%-09"
```

Use the syntax `name_count:<number>` to search the hostname count.
This search term supports numerical comparison operators (`>`, `>=`, `<`, `<=`, `=`).

```plaintext
name_count:>1
```

Use the syntax `name_overlap:<boolean>` to find assets sharing the same name.
The term is a boolean value:

- `true`, `t`, `1`, and `yes` represent _true_
- `false`, `f`, `0`, and `no` represent _false_

```plaintext
name_overlap:t
```

### Domains {#assets-domains}

The domains associated with an asset are obtained from DNS and exposed services. Use the syntax `domain:<domainname>` to search the domain names.
```plaintext
domain:"amazon.com"
```
```plaintext
domain:"corp.lan"
```
```plaintext
domain:"WORKGROUP"
```

The domain count can be searched using the syntax `domain_count:<number>`.
This search term supports numerical comparison operators (`>`, `>=`, `<`, `<=`, `=`).

```plaintext
domain_count:>1
```

### Addresses {#assets-addresses}

Use the syntax `address:<ip>` to search the addresses (both primary and secondary) associated with an asset, `primary_address:<ip>` to search only the primary addresses associated with an asset, or `secondary_address:<ip>` to search only the secondary addresses associated with an asset. These keywords also allow for CIDR mask matching, as well as wildcard matches using '%'. A comma-separated list of addresses will be used as an efficient multiple-match.

```plaintext
address:192.168.0.1
```
```plaintext
address:10.0.0
```
```plaintext
address:10.1.2.0/24
```
```plaintext
address:%.0.1
```
```plaintext
address:10.%.254
```
```plaintext
address:10.0.0.1,10.0.0.2,10.0.0.3
```

Use the syntax `address_count:<term>` and `address_extra_count:<number>` to search the primary and secondary address counts.
This search term supports numerical comparison operators (`>`, `>=`, `<`, `<=`, `=`).

```plaintext
address_extra_count:0
```

Use the syntax `address_overlap:<boolean>` to find assets sharing primary IP addresses. This can be further filtered to single sites using the `site` keyword.
The term is a boolean value:

- `true`, `t`, `1`, and `yes` represent _true_
- `false`, `f`, `0`, and `no` represent _false_

```plaintext
address_overlap:t
```

Use the syntax `address_extra_overlap:<boolean>` to find assets sharing secondary IP addresses. This can be further filtered to single sites using the `site` keyword.
The term is a boolean value:

- `true`, `t`, `1`, and `yes` represent _true_
- `false`, `f`, `0`, and `no` represent _false_

```plaintext
address_extra_overlap:t
```

### Networks {#assets-networks}

Use the syntax `net:<cidr>` to search the addresses (both primary and secondary) associated with an asset by CIDR mask.

```plaintext
net:192.168.0.0/24
```

### Default SNMP communities {#assets-snmp}

Use the syntax `has:snmp.v2DefaultCommunities` to search for assets with a default SNMP community (public, private, and other defaults).

```plaintext
has:snmp.v2DefaultCommunities
snmp.v2DefaultCommunities:public
```

### Public address {#assets-publicIP}

Use the keyword `has_public` and syntax `has_public:<boolean>` to locate any asset with a non-reserved IP address. This often corresponds to public-facing systems, though public IPs can also be used internally behind a firewall. Note that public IPv6 addresses are included by this filter; to search for only public IPv4 addresses, you can use `has_public_v4`.

The term is a boolean value:

- `true`, `t`, `1`, and `yes` represent _true_
- `false`, `f`, `0`, and `no` represent _false_

```plaintext
has_public:true
```

### Private address {#assets-privateIP}

Use the keyword `has_private` and syntax `has_private:<boolean>` to locate any asset with a private IP address.

The term is a boolean value:

- `true`, `t`, `1`, and `yes` represent _true_
- `false`, `f`, `0`, and `no` represent _false_

```plaintext
has_private:false
```

### IPv6 address {#assets-IPv6}

Use the keyword `has_ipv6` and the syntax `has_ipv6:<boolean>` to locate any asset with an identified IPv6 address.

The term is a boolean value:

- `true`, `t`, `1`, and `yes` represent _true_
- `false`, `f`, `0`, and `no` represent _false_

```plaintext
has_ipv6:false
```

### Link-local IPv6 address {#assets-linkLocal}

Use the keyword `has_link_local` and syntax `has_link_local:<boolean>` to locate any asset with an identified IPv6 link-local (`fe80::`) address.

The term is a boolean value:

- `true`, `t`, `1`, and `yes` represent _true_
- `false`, `f`, `0`, and `no` represent _false_

```plaintext
has_link_local:true
```

### MAC address {#assets-MAC}

Use the syntax `mac:<term>` to search MAC addresses associated with an asset.

```plaintext
mac:00:5c:04
```
```plaintext
mac:00:00:1c
```

Use the syntax `mac_count:<number>` to search the MAC address count. 
This search term supports numerical comparison operators (`>`, `>=`, `<`, `<=`, `=`).

```plaintext
mac_count:>2
```

If you use exact search (`:=`) you can also search for full MAC addresses in Cisco format or dash-separated format:

```plaintext
mac:=00-10-fa-c2-bf-d5
```
```plaintext
mac:=0010.fac2.bfd5
```

Use the syntax `mac_overlap:<boolean>` to find assets sharing the same MAC address.
The term is a boolean value:

- `true`, `t`, `1`, and `yes` represent _true_
- `false`, `f`, `0`, and `no` represent _false_

```plaintext
mac_overlap:t
```

### MAC address vendors {#assets-MACvendor}

The vendor associated with the MAC addresses of an asset can be searched using the syntax `mac_vendor:<text>`.

```plaintext
mac_vendor:Apple
```
```plaintext
mac_vendor:"Intel Corporate"
```

To search only the vendor associated with the newest MAC address, use the syntax `newest_mac_vendor:<text>`.

```plaintext
newest_mac_vendor:Apple
```

The MAC address vendor count can be searched using the syntax `mac_vendor_count:<number>`. 
This search term supports numerical comparison operators (`>`, `>=`, `<`, `<=`, `=`).

```plaintext
mac_vendor_count:0
```

### MAC address age {#assets-MACage}

Use the syntax `mac_age:<term>` to search the allocation date of the newest MAC address associated with an asset. The term supports the standard runZero [time comparison syntax][time].

```plaintext
mac_age:>1year
```
```plaintext
mac_age:<6months
```
```plaintext
mac_age:2019-12-31
```

### Outlier score {#assets-outlier}

Use the syntax `outlier_score:<value>` to search the calculated outlier score of assets. The outlier score is in the range 0 to 5 inclusive. This search term supports numerical comparison operators (`>`, `>=`, `<`, `<=`, `=`).

```plaintext
outlier_score:>2
```
```plaintext
outlier_score:0
```

### Upstream switch IP address {#assets-switch-ip}

Use the syntax `switch.ip:<address>` to search the IP address of the upstream switch assets are connected to.

```plaintext
switch.ip:192.168.1.1
```
```plaintext
switch.ip:fe80::81f2:1c9d:5ac9:5420
```

### Upstream switch name {#assets-switch-name}

Use the syntax `switch.name:<hostname>` to search the hostname of the upstream switch assets are connected to.

```plaintext
switch.name:"SWITCH-1"
```
```plaintext
switch.name:office
```

### Upstream switch port {#assets-switch-port}

Use the syntax `switch.port:<address>-<port number string>` to search the port on the upstream switch that assets are connected to.

```plaintext
switch.port:192.168.1.1-25
```
```plaintext
switch.port:10.1.2.3-0/1/2
```

### Upstream switch shared port {#assets-switch-shared}

Use the syntax `attribute:switch.portShared` to find assets which connect to a switch port that reports multiple MAC addresses.

```plaintext
attribute:switch.portShared
```

### Attributes {#assets-attributes}

Use the syntax `attribute:<term>` to search the asset attribute fields, such as the port used to detect the TTL.

```plaintext
attribute:"ip.ttl.port"
```
```plaintext
attribute:"cpe:/a:isc:bind:9.11.3"
```
```plaintext
attribute:"9.11.3"
```

To determine if an asset has any attribute defined, use the `has:<attribute-name>` keyword. The `has` keyword can be inverted to find missing fields with `not has:<term>`.
```plaintext
has:"ip.ttl.port"
```
```plaintext
not has:"rdns.names"
```

In addition to the standard fields, the following special attributes are available:

* `has:screenshot` returns assets where at least one screenshot was obtained.
* `has:icons` returns assets where at least one icon was obtained (HTTP, UPnP, or similar).
* `has:uplink` returns assets seen in the CAM table of a network switch.
* `has:downlink` returns assets where the CAM table was queried and at least one other asset was connected.
* `has:unmapped` returns assets where the CAM table was queried and at least one other asset was connected but not identified by IP.

The attribute can be specified as a term directly. If the attribute name conflicts with an existing term, the prefix `_asset.` can be specified to disambiguate the query.

```plaintext
ip.ttl.port:80
```
```plaintext
rdns.names:"router"
```
```plaintext
_asset.ip.ttl.hops:"1" 
```

Foreign attributes from third-party inbound integrations can be queried using the syntax `@<integration>.<source>.<attribute>:<term>`. The table below includes the correct prefix for each integration.

| Integration                |  Prefix                      |
|----------------------------|------------------------------|
| Miradore                   | `@miradore.dev.`             |
| AWS EC2                    | `@aws.ec2.`                  |
| AWS ELB & ELBv2            | `@aws.elb.`                  |
| AWS RDS                    | `@aws.rds.`                  |
| CrowdStrike                | `@crowdstrike.dev.`          |
| Azure Load Balancer        | `@azure.vm.`                 |
| Azure VM                   | `@azure.vm.`                 |
| Azure Scale Set VM         | `@azure.vmss.`               |
| Censys                     | `@censys.host.`              |
| VMWare                     | `@vmware.vm.`                |
| GCP Load Balancer          | `@gcp.lb.`                   |
| GCP E2-Micro VM            | `@gcp.vm.`                   |
| GCP CloudSQL               | `@gcp.cloudsql.`             |
| SentinelOne                | `@sentinelone.dev.`          |
| Tenable.io & Nessus        | `@tenable.dev.`              |
| Rapid7 Nexpose & InsightVM | `@rapid7.dev.`               |
| Qualys VMDR                | `@qualys.dev.`               |
| Shodan                     | `@shodan.dev.`               |
| Azure AD                   | `azuread`                    |
| Active Directory (LDAP)    | `@ldap.computer.`            |
| Microsoft 365 Defender     | `@ms365defender.dev.`        |
| Microsoft Intune           | `@intune.dev.`               |
| Google Workspace ChromeOS  | `@googleworkspace.chromeos.` |
| Google Workspace Endpoint  | `@googleworkspace.endpoint.` |
| Google Workspace Mobile    | `@googleworkspace.mobile.`   |

```plaintext
@aws.ec2.region:="us-east-2"
```
```plaintext
@crowdstrike.dev.agentVersion:="6.49.16201.0"
```
```plaintext
@googleworkspace.chromeos.model:="HP Chromebook"
```

Foreign attributes support semver-style comparison operators (`>`, `>=`, `<`, `<=`, `=`). Include at least the major and minor version number to use this search option. Any additional non-numerical text included in the prefix or suffix will be ignored in version comparison. 
```plaintext
@jamf.custom.osVersion:>6.0
```

## Asset services

### Service ports {#assets-ports}

The TCP and UDP services associated with an asset can be searched by port number using the syntax `port:<number>`.
```plaintext
port:80
```
```plaintext
port:161
```

### Service TCP ports {#assets-tcpPorts}

Use the syntax `tcp:<number>` to search the TCP services associated with an asset by port number.
```plaintext
tcp:443
```

To search for assets with a specific list of TCP ports open, you can use the syntax `service_ports_tcp:=<list>`. Values should be in ascending numerical order, and separated by commas.

```plaintext
service_ports_tcp:=80,443
```

### Service UDP ports {#assets-udpPorts}

Use the syntax `udp:<number>` to search UDP services associated with an asset by port number.
```plaintext
udp:53
```

To search for assets with a specific list of UDP ports open, you can use the syntax `service_ports_udp:=<list>`. Values should be in ascending numerical order, and separated by commas.

```plaintext
service_ports_udp:=53,123
```
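The value rules stated on this page (the accepted boolean spellings, numeric comparison keywords, the 0 to 5 range of `outlier_score`, and ascending comma-separated lists for `service_ports_tcp` and `service_ports_udp`) can be checked before a saved query or automation job sends a search. The following Python linter is an added example, not runZero code: `lint_term` and the keyword sets are hypothetical helpers built only from the keywords listed here, and the 1-65535 port range and strict lowercase boolean matching are assumptions.

```python
import re

# Keyword sets copied from this page (assumption: extend as your queries need).
BOOL_KEYS = {
    "has_owner", "name_overlap", "address_overlap", "address_extra_overlap",
    "has_public", "has_private", "has_ipv6", "has_link_local", "mac_overlap",
    "online", "offline", "os_eol_expired", "multi_mac", "has_mac",
    "multi_home", "multi_name",
}
NUM_KEYS = {
    "owner_count", "name_count", "domain_count", "address_count",
    "address_extra_count", "mac_count", "mac_vendor_count", "outlier_score",
    "protocol_count", "product_count", "service_count_tcp",
    "service_count_udp", "service_count_icmp", "service_count_arp",
    "ttl", "lowest_ttl", "rtt", "lowest_rtt",
}
PORT_LIST_KEYS = {"service_ports_tcp", "service_ports_udp"}
BOOL_VALUES = {"true", "t", "1", "yes", "false", "f", "0", "no"}

# keyword, optional comparison operator, then the value (quotes allowed).
TERM_RE = re.compile(r'^(?P<key>[\w.@]+):(?P<op>>=|<=|>|<|=)?(?P<val>.*)$')


def lint_term(term):
    """Return a list of problems found in one `keyword:value` search term."""
    # `not has:<term>` style inversion does not change the value rules.
    m = TERM_RE.match(re.sub(r"^not\s+", "", term.strip()))
    if not m:
        return ["not in keyword:value form"]
    key, op = m.group("key"), m.group("op") or ""
    val = m.group("val").strip().strip('"')
    if val == "":
        return [f"{key}: empty value"]
    problems = []
    if key in BOOL_KEYS:
        # Only the spellings documented on the page are accepted here.
        if val not in BOOL_VALUES:
            problems.append(f"{key}: expected one of {sorted(BOOL_VALUES)}")
    elif key in NUM_KEYS:
        if not re.fullmatch(r"[0-9]+(\.[0-9]+)?", val):
            return [f"{key}: '{val}' is not a number"]
        if key == "outlier_score" and not 0 <= float(val) <= 5:
            problems.append("outlier_score: range is 0 to 5 inclusive")
    elif key in PORT_LIST_KEYS:
        if op != "=":
            problems.append(f"{key}: use the exact-match form {key}:=<list>")
        parts = [p.strip() for p in val.split(",")]
        # Assumption: valid service ports are 1-65535.
        if not all(re.fullmatch(r"[0-9]+", p) and 1 <= int(p) <= 65535
                   for p in parts):
            return problems + [f"{key}: ports must be integers 1-65535"]
        ports = [int(p) for p in parts]
        if ports != sorted(ports):
            fixed = ",".join(str(p) for p in sorted(ports))
            problems.append(
                f"{key}: list must be ascending, use {key}:={fixed}")
    return problems


# Constructed sample terms: some taken from this page, some deliberately wrong.
SAMPLE_TERMS = [
    "owner_count:>0",
    "online:t",
    'not has:"rdns.names"',
    "service_ports_tcp:=443,80",   # wrong order
    "outlier_score:>7",            # outside 0..5
    "has_owner:maybe",             # not a documented boolean
]

if __name__ == "__main__":
    for t in SAMPLE_TERMS:
        print(f"{t!r}: {lint_term(t) or 'ok'}")
```

Keywords outside the three sets, such as `os:` or `mac:`, pass through unchecked because the page gives no value rule for them that can be tested offline.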

### Service protocols {#assets-protocols}

Use the syntax `service_protocols:<term>` (or `protocol:<term>` for short) to search the identified service protocols associated with an asset.
```plaintext
protocol:http
```
```plaintext
service_protocol:telnet
```

The protocol count can be searched using the syntax `protocol_count:<number>`.
This search supports numerical comparison operators (`>`, `>=`, `<`, `<=`, `=`).

```plaintext
protocol_count:>1
```

### Service products {#assets-products}

Use the syntax `service_products:<term>` (or `product:<term>` for short) to search for the identified service products associated with an asset.

```plaintext
product:openssh
```
```plaintext
service_products:nginx
```

The product count can be searched using the syntax `product_count:<number>`. 
This search term supports numerical comparison operators (`>`, `>=`, `<`, `<=`, `=`).

```plaintext
product_count:>3
```

### Service counts {#assets-counts}

Use the following keywords to search by the number of services associated with an asset:

* `service_count_tcp:<number>`
* `service_count_udp:<number>`
* `service_count_icmp:<number>`
* `service_count_arp:<number>`

These keywords support numerical comparison operators (`>`, `>=`, `<`, `<=`, `=`).

Examples include:
```plaintext
service_count_tcp:>=5
```
```plaintext
service_count_arp:0
```
```plaintext
service_count_udp:<=1
```


## Asset tracking fields

### Timestamps {#assets-timestamps}

Use the following syntaxes to search the asset timestamp fields (`first_seen`, `last_seen`, `created_at`, `updated_at`, `os_eol`, `os_eol_extended`):

* `first_seen:<term>`
* `last_seen:<term>`
* `created_at:<term>` 
* `updated_at:<term>`
* `os_eol:<term>`
* `os_eol_extended:<term>`

The term supports the standard runZero [time comparison syntax][time].

```plaintext
first_seen:<3days
```
```plaintext
first_seen:>2019-08-01
```
```plaintext
first_seen:>8/1/2019
```
```plaintext
last_seen:<1week
```
```plaintext
last_seen:<2months
```
```plaintext
last_seen:<1year
```
```plaintext
created_at:>2weeks
```
```plaintext
created_at:<30minutes
```
```plaintext
updated_at:>1year
```
```plaintext
updated_at:<12hours
```
```plaintext
os_eol:<now
```
```plaintext
os_eol:>4weeks
```
```plaintext
os_eol_extended:>now
```
```plaintext
os_eol_extended:>90days
```

### Online status {#assets-online}

Use the syntax `online:<boolean>` or the inverse syntax `offline:<boolean>` to search the online status of an asset.

The term is a boolean value: 

 - `true`, `t`, `1`, and `yes` represent _true_
 - `false`, `f`, `0`, and `no` represent _false_

```plaintext
online:t
```
```plaintext
online:1
```
```plaintext
offline:0
```

### Operating system support status {#assets-os-eol}

The syntax `os_eol_expired:<boolean>` can be used to identify assets based on whether their operating systems are End of Life (EOL). This field evaluates both the `os_eol` and `os_eol_extended` values to only return assets with expired coverage.

The term is a boolean value: 

 - `true`, `t`, `1`, and `yes` represent _true_
 - `false`, `f`, `0`, and `no` represent _false_

```plaintext
os_eol_expired:t
```
```plaintext
os_eol_expired:1
```
```plaintext
os_eol_expired:no
```

### Detection method {#assets-detection}

The detected by attribute of an asset can be searched using the syntax `det:<term>` or `detected_by:<term>`. 
The term is one of `arp`, `icmp`, `<portnumber>-tcp`, or `<portnumber>-udp`. In the case of multiple detections, the priority goes `arp`, `icmp`, and then the first detected service.

```plaintext
det:arp
```
```plaintext
detected_by:80-tcp
```
```plaintext
det:53-udp
```

### Time to Live (TTL) comparisons {#assets-TTL}

Use the syntax `ttl:<term>` and `lowest_ttl:<term>` to search the lowest TTL of an asset. TTL is the estimated number of hops between the scan source and the asset. 

This search term supports numerical comparison operators (`>`, `>=`, `<`, `<=`, `=`).

```plaintext
lowest_ttl:>3
```

### Round Trip Time (RTT) comparisons {#assets-RTT}

Use the syntax `rtt:<term>` and `lowest_rtt:<term>` to search the lowest RTT for an asset. RTT is the round-trip response time of a given probe measured in nanoseconds (1,000,000 == 1ms).

This search term supports numerical comparison operators (`>`, `>=`, `<`, `<=`, `=`).

```plaintext
lowest_rtt:>50000000
```

### Multiple MAC address status {#assets-multipleMAC}

Use the syntax `multi_mac:<boolean>` to determine if an asset has multiple MAC addresses.

The term is a boolean value:

- `true`, `t`, `1`, and `yes` represent _true_
- `false`, `f`, `0`, and `no` represent _false_

```plaintext
multi_mac:t
```

### Any MAC address status {#assets-anyMAC}

Use the syntax `has_mac:<boolean>` to find assets with any MAC addresses. 

The term is a boolean value:

- `true`, `t`, `1`, and `yes` represent _true_
- `false`, `f`, `0`, and `no` represent _false_

```plaintext
has_mac:yes
```
```plaintext
has_mac:f
```

### Multiple IP address status {#assets-multipleIP}

Use the syntax `multi_home:<boolean>` to determine if an asset has multiple IP addresses.

The term is a boolean value:

- `true`, `t`, `1`, and `yes` represent _true_
- `false`, `f`, `0`, and `no` represent _false_

```plaintext
multi_home:t
```

### Multiple hostname status {#assets-multipleHostname}

Use the syntax `multi_name:<boolean>` to find assets with multiple hostnames.

The term is a boolean value:

- `true`, `t`, `1`, and `yes` represent _true_
- `false`, `f`, `0`, and `no` represent _false_

```plaintext
multi_name:yes
```
```plaintext
multi_name:false
```

### Software installations {#assets-software}

Use the syntax `software:<term>` to find assets with associated software.

The term has three forms:

- `software:<product>` will look for any assets with a software product that matches the term.
- `software:<product>/<version>` will look for any assets with a software product and version that matches the term exactly.
- `software:<vendor>/<product>/<version>` will look for any assets with a software vendor, product, and version that matches the term exactly.

All three forms allow the use of `%` as a wildcard (beginning, middle, or end of the term).

Version terms can be specified with comparators to search for versions that are less than or greater than a specific version. For example, `software:"Google/Google Chrome/>=135"` will return all assets with Google Chrome version 135 or greater.

```plaintext
software:IIS
```
```plaintext
software:Microsoft/IIS/10.0
```

## Certificate fields {#asset-certificates}

Certificate-related fields can be searched using the following keywords.

### Certificate ID {#asset-certificate-id}

Use the syntax `certificate_id:<uuid>` to filter by certificate ID.

```plaintext
certificate_id:4e3a2b1c-5d6f-7a8b-9c0d-1e2f3a4b5c6d
```

### Certificate type {#asset-certificate-type}

Use the syntax `certificate_type:<term>` to search by certificate type.

```plaintext
certificate_type:"x509"
```

### Certificate serial {#asset-certificate-serial}

Use the syntax `certificate_serial:<term>` to search by certificate serial number.

```plaintext
certificate_serial:"01A23B45C"
```

### Certificate public key {#asset-certificate-public-key}

Use the syntax `certificate_public_key:<term>` to search by certificate public key.

```plaintext
certificate_public_key:"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A..."
```

### Certificate public key algorithm {#asset-certificate-public-key-algorithm}

Use the syntax `certificate_public_key_algorithm:<term>` to search by certificate public key algorithm.

```plaintext
certificate_public_key_algorithm:"ecPublicKey"
```

### Certificate signature {#asset-certificate-signature}

Use the syntax `certificate_signature:<term>` to search by certificate signature.

```plaintext
certificate_signature:"abcdef1234567890"
```

### Certificate signature algorithm {#asset-certificate-signature-algorithm}

Use the syntax `certificate_signature_algorithm:<term>` to search by certificate signature algorithm.

```plaintext
certificate_signature_algorithm:"rsaEncryption"
```

### Certificate fingerprint (bkhash) {#asset-certificate-bkhash}

Use the syntax `certificate_fp_bkhash:<term>` to search by certificate fingerprint (bkhash).

```plaintext
certificate_fp_bkhash:"d2c7e8f9..."
```

### Certificate fingerprint (SHA1) {#asset-certificate-sha1}

Use the syntax `certificate_fp_sha1:<term>` to search by certificate SHA1 fingerprint.

```plaintext
certificate_fp_sha1:"349eb7db55bbad9d7deabc5effdfd5521ed984a0"
```

### Certificate fingerprint (SHA256) {#asset-certificate-sha256}

Use the syntax `certificate_fp_sha256:<term>` to search by certificate SHA256 fingerprint.

```plaintext
certificate_fp_sha256:"SHA256:Sc0pLUCvlNaGtu4Xy2fOTe1A6cC+KyU3x7xuN8+aLtA="
```

### Certificate subject {#asset-certificate-subject}

Use the syntax `certificate_subject:<term>` to search by certificate subject.

```plaintext
certificate_subject:"CN=example.com,O=ExampleCorp,C=US"
```

### Certificate common name (CN) {#asset-certificate-cn}

Use the syntax `certificate_cn:<term>` to search by certificate common name.

```plaintext
certificate_cn:"example.com"
```

### Certificate issuer {#asset-certificate-issuer}

Use the syntax `certificate_issuer:<term>` to search by certificate issuing authority.

```plaintext
certificate_issuer:"CN=Example CA,O=Example Corp,C=US"
```

### Certificate subject key ID {#asset-certificate-subject-key-id}

Use the syntax `certificate_subject_key_id:<term>` to search by certificate subject key ID.

```plaintext
certificate_subject_key_id:"1234567890abcdef"
```

### Certificate authority key ID {#asset-certificate-authority-key-id}

Use the syntax `certificate_authority_key_id:<term>` to search by certificate issuing authority key ID.

```plaintext
certificate_authority_key_id:"abcdef1234567890"
```