Many asset fields containing text allow you to use full text search. Quickly find data of interest, combining advanced search capabilities to better interpret your question.
Let's take a look at the search field certificate:(subject.locality: ). There are many ways you can search this field.
Show any findings related to this title
certificate:(subject.locality: Redwood City)
Show any findings that contain Redwood or City in title
certificate:(subject.locality: "Redwood City")
Show any findings that match exact value Remote Code
certificate:(subject.locality: `Redwood City`)
In some cases, field values are split into tokens that can be searched individually. Let's consider some scenarios for searching field values with additional search capabilities.
Example: name field contains the value "10.114.3.69" or "10.114.3,69"
In this case, the value is not split into tokens. Only exact or prefix matching on the full value is supported.
Matching:
asset:(name: "10.1")
asset:(name: "10.114")
asset:(name: "10,114.3,6")
Non-matching:
asset:(name: ".69")
asset:(name: ",69")
Example: name field contains the value "jira.intranet.qualys.com"
In this case, the value is not split into tokens. Only exact or prefix matching on the full value is supported.
Matching:
asset:(name: "jira")
asset:(name: "jira.intranet")
asset:(name: "jira.intranet.qualys")
Non-matching:
asset:(name: "intranet")
asset:(name: "com")
Example: name field contains the value "102354.qualys" or "qualys,25576.13"
The value "102354.qualys" is split into 2 tokens: "102354" and "qualys". Prefix search on each token is supported.
Matching:
asset:(name: "1023")
asset:(name: "qualy")
Non-matching:
asset:(name: "354")
asset:(name: "lys")
Value contains a comma (,), dash (-), semicolon (;), line separator, paragraph separator (space/tab), carriage return, line feed, brackets ( ( [ { } ] ) ) or other special characters (? @ $ % & / \)
Example: name field contains the value "qualys-corp"
The value "qualys-corp" is split into 2 tokens: "qualys" and "corp". Prefix search on each token is supported.
Matching:
asset:(name: "qua")
asset:(name: "cor")
Non-matching:
asset:(name: "alys")
asset:(name: "orp")
Example: operatingSystem field contains the value "Tandberg Device CentOS"
The value is split into 3 tokens: "Tandberg", "Device", and "CentOS". Each token in your search string is matched completely (case-insensitive), except the last token in your search string, which is matched as a prefix.
Matching:
asset:(operatingSystem: "Tandberg Device Cent")
The "Tandberg" and "Device" tokens match completely and "Cent" matches the prefix search for "CentOS".
asset:(operatingSystem: "Tandberg Dev")
The "Tandberg" token matches completely and "Dev" matches the prefix search for "Device".
asset:(operatingSystem: "Tandberg Device CentOS")
All 3 tokens "Tandberg", "Device" and "CentOS" match completely.
Non-matching:
asset:(operatingSystem: "Tand Cent")
The "Tand" token is leading and it does not match completely so this search would not return a match.
asset:(operatingSystem: "Dev Cent")
The "Dev" token is leading and it does not match completely so this search would not return a match.
asset:(operatingSystem: "Device Cent berg")
The "berg" token is the last token and it does not match completely nor does it match a prefix search.
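The matching rules above can be modeled in a few lines to predict whether a query will miss an asset before you rely on it. This is an added example, not the product's own code. The delimiter set, the tokenized flag (the caller states whether the field value is split into tokens) and the lack of token-order enforcement are assumptions.

```python
import re

# Delimiters the page lists as splitting a value into tokens, plus the dot
# from the "102354.qualys" example. Assumption: this set is illustrative.
_DELIMS = re.compile(r"[\s.,;\-()\[\]{}?@$%&/\\]+")


def tokens(text):
    """Lower-cased tokens of text, split on the delimiter set."""
    return [t for t in _DELIMS.split(text.lower()) if t]


def matches(value, query, tokenized=True):
    """Return True if query would match value under the modeled rules.

    tokenized=False: the value is one unit; only exact or prefix matching
    on the full value is supported (the IP address and hostname examples).
    tokenized=True: every query token except the last must equal a value
    token; the last query token must be a prefix of a value token.
    Assumption: token order is not enforced.
    """
    if not tokenized:
        return value.lower().startswith(query.lower())
    q = tokens(query)
    v = tokens(value)
    if not q:
        return False
    *leading, last = q
    return all(t in v for t in leading) and any(t.startswith(last) for t in v)


if __name__ == "__main__":
    os_value = "Tandberg Device CentOS"
    for q in ("Tandberg Device Cent", "Tandberg Dev", "Tand Cent",
              "Dev Cent", "Device Cent berg"):
        print(f"{q!r:26} -> {matches(os_value, q)}")
    for q in ("jira.intranet", "intranet"):
        host = "jira.intranet.qualys.com"
        print(f"{q!r:26} -> {matches(host, q, tokenized=False)}")
```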