Full text search on certain fields

Many asset fields that contain text support full text search. You can quickly find data of interest by combining the advanced search capabilities described here to better express your question.

How to Search - The Basics

Let's take a look at the search field certificate:(subject.locality: ). There are many ways you can search this field.

Show any findings related to this title

certificate:(subject.locality: Redwood City)

Show any findings that contain Redwood or City in title

certificate:(subject.locality: "Redwood City")

Show any findings that match the exact value Redwood City

certificate:(subject.locality: `Redwood City`)

Additional Search Capabilities

In some cases, field values are split into tokens that can be searched individually. Let's consider some scenarios for searching field values with additional search capabilities.

1) Field value contains a comma (,) or period (.) between numbers

Example: name field contains the value "10.114.3.69" or "10.114.3,69"

In this case, the value is not split into tokens. Only exact or prefix matching on the full value is supported.

Matching:

asset:(name: "10.1")

asset:(name: "10.114")

asset:(name: "10,114.3,6")

Non-matching:

asset:(name: ".69")

asset:(name: ",69")

2) Field value contains a period (.) between text

Example: name field contains the value "jira.intranet.qualys.com"

In this case, the value is not split into tokens. Only exact or prefix matching on the full value is supported.

Matching:

asset:(name: "jira")

asset:(name: "jira.intranet")

asset:(name: "jira.intranet.qualys")

Non-matching:

asset:(name: "intranet")

asset:(name: "com")

3) Field value contains a comma (,) or period (.) between a number and text

Example: name field contains the value "102354.qualys" or "qualys,25576.13"

The value "102354.qualys" is split into 2 tokens: "102354" and "qualys". Prefix search on each token is supported.

Matching:

asset:(name: "1023")

asset:(name: "qualy")

Non-matching:

asset:(name: "354")

asset:(name: "lys")

4) Field value contains special characters and line/paragraph separators

The value contains a comma (,), dash (-), semicolon (;), line separator, paragraph separator (space/tab), carriage return, line feed, brackets ( ( ) [ ] { } ) or other special characters (? @ $ % & / \).

Example: name field contains the value "qualys-corp"

The value "qualys-corp" is split into 2 tokens: "qualys" and "corp". Prefix search on each token is supported.

Matching:

asset:(name: "qua")

asset:(name: "cor")

Non-matching:

asset:(name: "alys")

asset:(name: "orp")

5) Field value contains a phrase with a space, tab or new line

Example: operatingSystem field contains the value "Tandberg Device CentOS"

The value is split into 3 tokens: "Tandberg", "Device", and "CentOS". Each token in your search string is matched completely (case-insensitive), except the last token in your search string, which is matched as a prefix.

Matching:

asset:(operatingSystem: "Tandberg Device Cent")

The "Tandberg" and "Device" tokens match completely and "Cent" matches the prefix search for "CentOS".

asset:(operatingSystem: "Tandberg Dev")

The "Tandberg" token matches completely and "Dev" matches the prefix search for "Device".

asset:(operatingSystem: "Tandberg Device CentOS")

All 3 tokens "Tandberg", "Device" and "CentOS" match completely.

Non-matching:

asset:(operatingSystem: "Tand Cent")

The "Tand" token is leading and it does not match completely so this search would not return a match.

asset:(operatingSystem: "Dev Cent")

The "Dev" token is leading and it does not match completely so this search would not return a match.

asset:(operatingSystem: "Device Cent berg")

The "berg" token is the last token and it does not match completely nor does it match a prefix search.
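
The five scenarios above can be checked offline with a small model of the tokenizing and matching rules. This is an added example, not Qualys code: the function names are hypothetical, and it assumes query tokens must line up with consecutive value tokens. The mixed comma/period query from scenario 1 is not modelled.

```python
def tokenize(value):
    """Lowercase tokens for a field value, following scenarios 1-5 above."""
    tokens, cur = [], ""
    for i, ch in enumerate(value):
        prev = value[i - 1] if i else ""
        nxt = value[i + 1] if i + 1 < len(value) else ""
        keep = (
            ch.isalnum()
            or (ch in ".," and prev.isdigit() and nxt.isdigit())  # scenario 1
            or (ch == "." and prev.isalpha() and nxt.isalpha())   # scenario 2
        )
        if keep:
            cur += ch
        elif cur:  # any other character ends the current token
            tokens.append(cur)
            cur = ""
    if cur:
        tokens.append(cur)
    return [t.lower() for t in tokens]


def matches(query, value):
    """Leading query tokens match whole tokens; the last one is a prefix.

    Assumption: query tokens must align with consecutive value tokens.
    """
    q, v = tokenize(query), tokenize(value)
    if not q:
        return False
    lead, last = q[:-1], q[-1]
    for start in range(len(v) - len(q) + 1):
        window = v[start:start + len(q)]
        if window[:-1] == lead and window[-1].startswith(last):
            return True
    return False


# (query, field value, expected result) taken from the examples on this page
CASES = [
    ("10.114", "10.114.3.69", True), (".69", "10.114.3.69", False),
    ("jira.intranet", "jira.intranet.qualys.com", True),
    ("intranet", "jira.intranet.qualys.com", False),
    ("qualy", "102354.qualys", True), ("354", "102354.qualys", False),
    ("cor", "qualys-corp", True), ("orp", "qualys-corp", False),
    ("Tandberg Dev", "Tandberg Device CentOS", True),
    ("Dev Cent", "Tandberg Device CentOS", False),
]

def mismatches():
    """Return the cases where the model disagrees with the page."""
    return [c for c in CASES if matches(c[0], c[1]) != c[2]]
```

Suffix and mid-token queries such as ".69" or "intranet" return nothing under these rules, so an empty result for that kind of query does not show that the asset is absent from the inventory.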
