Search query syntax

runZero supports a deep searching across the Asset, Service, and Wireless Inventory, across organizations and sites, and through the Query Library. The runZero Export API uses the same inventory search syntax to filter results.

Query syntax

Boolean operators

Search queries can be combined through AND and OR operators and be grouped using parenthesis.

AND

For example, a Asset Inventory query of os:"Windows 10" AND protocols:http AND protocols:smb2 will show only those assets where Windows 10 was identified and both SMB and a web server were discovered. Search values that contain spaces must be placed in double quotes.

OR

By contrast, the example query of os:"Windows 10" AND protocols:http OR protocols:smb2 will search for Windows 10 running a web server or any assets with the SMB service exposed. In addition to AND and OR, the NOT operator can be used to filter a query. For example, the query os:"Windows 10" AND NOT protocols:http will show Windows 10 systems without a web server. If the negation should happen as the first term the AND should be dropped. The query NOT protocol:http AND os:"Windows 10" is equivalent to the previous search, with the terms reversed.

Wildcard and fuzzy searches

Most keywords are a fuzzy match by default. To force an exact match, prefix match, or suffix match, the = prefix can be applied to the search term, with the % character used as a wildcard. To search an operating system name of just Windows, the Asset Inventory query would be os:="Windows", while to specify a prefix match of Ubuntu Linux, the query os:="Ubuntu Linux%" can be used.

Time and date values

Time and date (timestamp) fields can be searched using < (less than) and > (greater than) operators to compare against the current time. You can also use - to compare to a relative time in the past, for example <-3years would look for timestamps that occurred before three years ago. Supported units:

• hours
• minutes
• seconds
• months
• years

A special value of now can also be used.

For example, an asset search of first_seen:<1year would search for assets first detected this year. Other examples:

first_seen:<3days

first_seen:>2019-08-01

first_seen:>8/1/2019

last_seen:<1week

last_seen:<2months

last_seen:<1year

created_at:>2weeks

created_at:<30minutes

updated_at:>1year

updated_at:<12hours

os_eol:<now

os_eol:>4weeks

os_eol:<-2years

os_eol_extended:>now

os_eol_extended:>90days

Empty values

To search for an empty value, the = prefix can be used with no value after. For example, the query os:= will find assets with no identified operating system.

Note that this only works for single-valued attributes such as os and type; it won’t work for multi-value attributes such as names or addresses.

Asset and service inventory searches

Asset and Service attributes support two special search types in addition to the documented keywords:

• Asset Inventory searches treat unknown keywords as filters against individual Asset attributes.
• Service Inventory searches treat unknown keywords as filters against individual Service data values.

In situations where an Asset keyword conflicts with a Service data key, or an Asset attribute conflicts with a Service keyword, the prefixes _asset. and _service. can be used to disambiguate.

Searches are handled slightly differently. Service queries can filter against Asset attributes (os:linux) and Service attributes (banner:Password), but the Asset queries are limited to summary information about services (protocol:ssh).