---
title: "Service inventory"
---

When viewing services, you can use the keywords in this section to ((search|search services)) and filter.

## Ports {#services-ports}

The TCP and UDP services associated with a service can be searched by port number using the syntax `port:<number>`. 
This search term supports numerical comparison operators (`>`, `>=`, `<`, `<=`, `=`).

```plaintext
port:<=25
```

## TCP ports {#services-TCP}

Use the syntax `tcp:<number>` to search TCP services associated with a service by port number.

```plaintext
tcp:53
```

To search for all services on assets with a specific list of TCP ports open, you can use the syntax `service_ports_tcp:=<list>`. Values should be in ascending numerical order, and separated by commas.

```plaintext
service_ports_tcp:=80,443
```

## UDP ports {#services-UDP}

Use the `udp:<number>` syntax to search UDP services associated with a service by port number.

```plaintext
udp:443
```

To search for all services on assets with a specific list of UDP ports open, you can use the syntax `service_ports_udp:=<list>`. Values should be in ascending numerical order, and separated by commas.

```plaintext
service_ports_udp:=53,123
```

## Transport {#services-transport}

Use the syntax `transport:<term>` to search the transport associated with a service by name.

```plaintext
transport:tcp
```
```plaintext
transport:udp
```
```plaintext
transport:icmp
```

## Protocol {#services-protocol}

Use the syntax `service_protocols:<term>` (or `protocol:<term>` for short) to search the protocols associated with services.

```plaintext
protocol:http
```
```plaintext
protocol:telnet
```

## Assets with product {#services-product}

Use the syntax `service_products:<term>` (or `product:<term>` for short) to search for the identified service products associated with an asset, and return all services for the matching assets.

```plaintext
product:openssh
```
```plaintext
service_products:nginx
```

## Virtual Host (vHost) {#services-vhost}

Use the syntax `vhost:<text>` to search for virtual hosts associated with a service by name.

```plaintext
vhost:"www"
```

## Address {#services-address}

Use the keyword `service_address` to match against the service IP address.

```plaintext
service_address:192.168.0.1
```

## Public address {#services-public}

Use the keyword `service_has_public` and syntax `service_has_public:<boolean>` to locate any service with a non-reserved IP address.

The term is a boolean value:

- `true`, `t`, `1`, and `yes` represent _true_
- `false`, `f`, `0`, and `no` represent _false_

```plaintext
service_has_public:true
```

## Private address {#services-private}

Use the keyword `service_has_private` and syntax `service_has_private:<boolean>` to locate any service with a private IP address.

The term is a boolean value:

- `true`, `t`, `1`, and `yes` represent _true_
- `false`, `f`, `0`, and `no` represent _false_

```plaintext
service_has_private:false
```

## IPv6 address {#services-IPv6}

Use the keyword `service_has_ipv6` and the syntax `service_has_ipv6:<boolean>` to locate any service with an identified IPv6 address.

The term is a boolean value:

- `true`, `t`, `1`, and `yes` represent _true_
- `false`, `f`, `0`, and `no` represent _false_

```plaintext
service_has_ipv6:false
```

## Link-local IPv6 address {#services-linkLocal}

Use the keyword `service_has_link_local` and syntax `service_has_link_local:<boolean>` to locate any service with an identified IPv6 link-local (`fe80::`) address.

The term is a boolean value:

- `true`, `t`, `1`, and `yes` represent _true_
- `false`, `f`, `0`, and `no` represent _false_

```plaintext
service_has_link_local:true
```

## Assets with outlier score {#services-outlier}

You can use the syntax `outlier_score:<value>` to search the calculated outlier score of assets, and return all services on those assets. The outlier score is in the range 0 to 5 inclusive. This search term supports numerical comparison operators (`>`, `>=`, `<`, `<=`, `=`).

```plaintext
outlier_score:>2
```
```plaintext
outlier_score:0
```

## Assets with MAC address vendors {#services-MACvendor}

To search the vendors associated with the MAC addresses of an asset, and return all services on those assets, use the syntax `mac_vendor:<text>`.

```plaintext
mac_vendor:Apple
```
```plaintext
mac_vendor:"Intel Corporate"
```

To search only the vendor associated with the newest MAC address, use the syntax `newest_mac_vendor:<text>`.

```plaintext
newest_mac_vendor:Apple
```

## Assets with MAC address age {#services-MACage}

To search the ages of the newest MAC addresses associated with each asset, and return all services associated with those assets, use the syntax `mac_age:<term>`. The term supports the standard runZero [time comparison syntax][time].

```plaintext
mac_age:>1year
```
```plaintext
mac_age:<6months
```
```plaintext
mac_age:2019-12-31
```

## Attributes {#services-attributes}

You can search all service attributes with the syntax `<attribute>:<term>`. This search term supports numerical comparison operators (`>`, `>=`, `<`, `<=`, `=`).

If the attribute name conflicts with an existing term, the prefix `_service.` can be added to disambiguate the query.

Note that service attribute searches can be slow, and it is often better to put an `_asset.protocol:<term>` filter in front of the service attribute query. For example, to search for SSH banners, use the syntax `_asset.protocol:ssh AND banner:<term>`.

```plaintext
banner:password
```
```plaintext
service.product:"OpenSSH"
```
```plaintext
html.title:"Apache2 Ubuntu Default Page"
```
```plaintext
http.code:>=500
```
```plaintext
screenshot.image.size:>=100000
```
```plaintext
_service.arp.macVendor:Xerox
```

To determine if a service has an attribute at all, use the `has` keyword. The `has` keyword can be inverted to find missing fields, with `not has:<term>`.

```plaintext
has:"http.head.server"
```
```plaintext
not has:"html.title"
```
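
The following is an added example, not part of the runZero documentation or product: hypothetical Python helpers (`port_list_term`, `bool_term`, `text_term`, `attribute_query`) that build query strings in the syntax described above. They sort port lists into the ascending order that `service_ports_tcp:=` and `service_ports_udp:=` expect, and place the `_asset.protocol` filter in front of a service attribute term.

```python
import re

# Boolean spellings listed on this page.
BOOL_TRUE = {"true", "t", "1", "yes"}
BOOL_FALSE = {"false", "f", "0", "no"}

def port_list_term(transport, ports):
    """Build service_ports_tcp:= / service_ports_udp:= with ports deduplicated
    and sorted ascending, since the list is matched exactly."""
    if transport not in ("tcp", "udp"):
        raise ValueError("transport must be 'tcp' or 'udp'")
    cleaned = sorted({int(p) for p in ports})
    if not cleaned or cleaned[0] < 0 or cleaned[-1] > 65535:
        raise ValueError("ports must be integers in 0-65535")
    return f"service_ports_{transport}:=" + ",".join(map(str, cleaned))

def bool_term(keyword, value):
    """Normalize any listed boolean spelling to keyword:true / keyword:false."""
    v = str(value).strip().lower()
    if v in BOOL_TRUE:
        return f"{keyword}:true"
    if v in BOOL_FALSE:
        return f"{keyword}:false"
    raise ValueError(f"not a listed boolean term: {value!r}")

def text_term(keyword, text):
    """Quote text containing whitespace, as in mac_vendor:"Intel Corporate"."""
    text = str(text)
    if not text or '"' in text:
        # Assumption: this helper does not attempt to escape embedded quotes.
        raise ValueError("empty text or embedded quotes are not handled")
    return f'{keyword}:"{text}"' if re.search(r"\s", text) else f"{keyword}:{text}"

def attribute_query(protocol, attribute, term):
    """Put the _asset.protocol filter in front of a service attribute term."""
    return f"{text_term('_asset.protocol', protocol)} AND {text_term(attribute, term)}"

if __name__ == "__main__":
    # Constructed inputs for illustration.
    print(port_list_term("tcp", [443, 80, "443"]))
    print(bool_term("service_has_public", "yes"))
    print(attribute_query("ssh", "banner", "password"))
```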

## Certificate fields {#services-certificates}

Certificates related to the service can be searched as well.

### Certificate ID {#service-certificate-id}

Use the syntax `certificate_id:<uuid>` to filter by certificate ID.

```plaintext
certificate_id:4e3a2b1c-5d6f-7a8b-9c0d-1e2f3a4b5c6d
```

### Certificate fingerprint (bkhash) {#service-certificate-fp-bkhash}

Use the syntax `fp_bkhash:=<text>` to search for services with certificates that match the specified bkhash fingerprint anywhere in the certificate chain.

```plaintext
fp_bkhash:=d2c7e8f9a1b2c3d4e5f6
```

### Certificate fingerprint (SHA256) {#service-certificate-fp-sha256}

Use the syntax `fp_sha256:=<text>` to search for services with certificates that match the specified SHA256 fingerprint anywhere in the certificate chain.

```plaintext
fp_sha256:=SHA256:19vJPgdyh3BdGgTiSSavQsKx133lzFkJhu51n6fzG+k=
```

### Certificate fingerprint (SHA1) {#service-certificate-fp-sha1}

Use the syntax `fp_sha1:=<text>` to search for services with certificates that match the specified SHA1 fingerprint anywhere in the certificate chain.

```plaintext
fp_sha1:=a1b2c3d4e5f6g7h8i9j0
```

### Certificate validity fields {#services-certificate-validity}

Use the following syntax to search details about when the certificate found on the service was created. These fields support the standard runZero [time comparison syntax][time].

```plaintext
certificate_valid_from:>2025-01-01
certificate_valid_until:<2026-01-01
certificate_created_at:<1year
certificate_updated_at:>2024-12-01
certificate_last_seen:<2months
```

### Certificate authority key ID {#services-certificate-authority-key-id}

Use the syntax `certificate_authority_key_id:<text>` to search by certificate authority key ID.

```plaintext
certificate_authority_key_id:"c03152cd5a50c3827c7471cecbe99cf97aeb82e2"
```

### Certificate common name (CN) {#services-certificate-cn}

Use the syntax `certificate_cn:<text>` to search by certificate common name.

```plaintext
certificate_cn:"example.com"
```

### Certificate public key algorithm {#services-certificate-pk-algorithm}

Use the syntax `certificate_public_key_algorithm:<text>` to search by public key algorithm.

```plaintext
certificate_public_key_algorithm:rsaEncryption
```

### Certificate serial number {#services-certificate-serial}

Use the syntax `certificate_serial:<text>` to search by certificate serial number.

```plaintext
certificate_serial:123456
```

### Certificate signature algorithm {#services-certificate-sig-algorithm}

Use the syntax `certificate_signature_algorithm:<text>` to search by signature algorithm.

```plaintext
certificate_signature_algorithm:sha256WithRSAEncryption
```

### Certificate subject key ID {#services-certificate-subject-key-id}

Use the syntax `certificate_subject_key_id:<text>` to search by subject key ID.

```plaintext
certificate_subject_key_id:"c769916e10f850397928f62bd34ca6ec39d8e00a"
```

### Certificate type {#services-certificate-type}

Use the syntax `certificate_type:<text>` to search by certificate type.

```plaintext
certificate_type:x509
```

### Certificate key usage {#services-certificate-key-usage}

Use the syntax `certificate_key_usage:<text>` to search by key usage.

```plaintext
certificate_key_usage:"digitalSignature"
```

### Certificate extended key usage {#services-certificate-ext-key-usage}

Use the syntax `certificate_ext_key_usage:<text>` to search by extended key usage.

```plaintext
certificate_ext_key_usage:"serverAuth"
```

### Certificate OCSP server {#services-certificate-ocsp-server}

Use the syntax `certificate_ocsp_server:<text>` to search by OCSP server.

```plaintext
certificate_ocsp_server:http://ocsp.example.com
```

### Certificate CRL distribution points {#services-certificate-crl-distribution-points}

Use the syntax `certificate_crl_distribution_points:<text>` to search by CRL distribution point.

```plaintext
certificate_crl_distribution_points:http://crl.example.com/
```

### Certificate issuing certificate URL {#services-certificate-issuing-certificate-url}

Use the syntax `certificate_issuing_certificate_url:<text>` to search by issuing certificate URL.

```plaintext
certificate_issuing_certificate_url:http://issuer.example.com/
```

### Certificate signature {#services-certificate-signature}

Use the syntax `certificate_signature:<text>` to search by certificate signature.

```plaintext
certificate_signature:Bden73ipj8B2xb1Ozy5nOvIytCktGrht5xL7ZfFlaLIBQxbGO5Iuf6Y1yICcEpYqsgSJS6JKCdw5dujmPmGRwBZfVhIbSRb0exFQ4BVp82WtDHfy3QBgcmtusRIxLyM5ToTT2O53NxaSGaw3IRLXZ0y343RGlKOyQxEXeoHbLsVrpmMrqAKkHJkhjTKn7E9WDc4RCsAvd13BIDP80dDWK7OMZJnCDXGQwz2MkAYZNyjRRXA5XeO2cvMq36/4phyJDhIz1oDgDLOFDnCGKkW5gc8MjE0uxFIYTHKNkx+2WIU/j4uQGNAJQbqqCnupV4qjI29PQFnFecnphkKw==
```

### Certificate public key {#services-certificate-public-key}

Use the syntax `certificate_public_key:<text>` to search by certificate public key.

```plaintext
certificate_public_key:MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJ899KGnqHjVuBekYqosp2l8zWbiyu2I62CzaqaouLtqn1nXaQLMdruhlNN9ShCPfCM2JAROVjrd1PwhxLvJxAMbC+UJz2914SRn+lhFQl7yo03t+OoobwSXyj+ukbOHp1lYklYjMauScZScIDdPmLEjwDa8pfSr2TQoihjSDeawIDAQAB
```

### Certificate comments {#services-certificate-comments}

Use the syntax `certificate_comments:<text>` to search comments on a certificate.

```plaintext
certificate_comments:"our self signed wildcard"
```

### Certificate self-signed {#services-certificate-self-signed}

Use the syntax `certificate_self_signed:<boolean>` to search for self-signed certificates.

```plaintext
certificate_self_signed:true
```

### Certificate hidden {#services-certificate-hidden}

Use the syntax `certificate_hidden:<boolean>` to search for certificates that have been hidden from the inventory.

```plaintext
certificate_hidden:true
```

### Certificate signature algorithm insecure {#services-certificate-signature-algorithm-insecure}

Use the syntax `certificate_signature_algorithm_insecure:<boolean>` to search for certificates with insecure signature algorithms.

```plaintext
certificate_signature_algorithm_insecure:true
```

### Certificate public key insecure {#services-certificate-public-key-insecure}

Use the syntax `certificate_public_key_insecure:<boolean>` to search for certificates with insecure public key algorithm and key size combinations.

```plaintext
certificate_public_key_insecure:true
```

### Certificate is CA {#services-certificate-is-ca}

Use the syntax `certificate_is_ca:<boolean>` to search for certificates that are certificate authorities (CAs).

```plaintext
certificate_is_ca:true
```