| Role Availability | Read-Only | Investigator | Analyst | Manager |
| Filter Name | Meaning |
|---|---|
| Name | Filter assets by the name of the asset. |
| Description | Filter assets by the asset description. |
| UUID | Filter assets by the universally unique identifier (UUID). |
| IP/CIDR | Filter assets by IP and Classless Inter-Domain Routing (). This is a method for allocating IP addresses and routing IP packets. It is the range of IP addresses that define the network. |
| FQDN | Filter assets by Fully Qualified Domain Name (FQDN). |
| Asset Type | Filter assets by asset type. |
| Instance Type | Filter assets by instance type. |
| Region | Filter assets by region. |
| Operating System | Filter assets by operating system. |
| Service | Filter assets by service. |
| Software | Filter assets by software. |
| Associated Plugin | Filter assets by the plugin associated to the asset. |
| Alarm Counter | Filter assets by the number of alarms. |
| Event Counter | Filter assets by the number of events. |
| Vulnerability Counter | Filter assets by the number of vulnerabilities. |
| Configuration Issue Counter | Filter assets by the number of configuration issues. |
| PCI Asset | Filter assets by Payment Card Industry (PCI) Asset, if the asset is included or not in the PCI Data Security Standards (DSS) Asset Group. See Asset Group List View and Working with Assets and PCI DSS for more information. |
| HIPAA Asset | Filter assets by Health Insurance Portability and Accountability Act (HIPAA) Asset, whether the asset is included in the HIPAA Asset Group. See Asset Group List View for more information. |
| Custom User Fields | Filter assets by the fields you have created. If you have not created fields, this filter does not display. |
Note: The result of a search when you use the Alarm Counter filter or the Event Counter filter depends on if an alarm or an event can identify the source or destination as an asset in the inventory. Your environment can have alarms or events associated with assets both included in the inventory and those not included in the inventory. Assets included in the inventory display their names in blue, and assets not included in the inventory display their names in gray. The alarm and event counter filters only count the identified (blue) assets.
Important: The alarm and event counts are not updated in real time but are calculated every hour. If the counts are not updated, it can happen because new events or alarms are in your environment after the last count.
| Operator | Meaning |
|---|---|
| > | Greater than. |
| >= | Greater than or equal to. |
| < | Less than. |
| <= | Less than or equal to. |
| Equal | Equal to. |
| IP Range | Range of IP addresses. |
| Is Empty | Include assets with no IP addresses. This operator is available only for IP/CIDR. |
| Is Not Empty | Include assets with IP addresses. This operator is available only for IP/CIDR. |
| Like | Search for the specified pattern. |
| Not Equal | Not equal to. Important: Some filters don’t include the NOT operator (for example, Services or Software). |
| Not Like | Not true. |
| Type of Query | Meaning | Example |
|---|---|---|
| Standard query with a blank space between terms | By default, a space between query terms is considered an implicit “OR”. | denylist malicious |
Literal, using double quotes " " | Matches fields that contain the full term. Literal searches are case-sensitive. Note: This type of query will not match any searches in the raw log because raw logs are tokenized. Note: IP addresses and FQDNs are considered literal searches, so they don’t require quotation marks. | ”Event from asset not received” |
Boolean operators or using parentheses AND, OR, NOT, ( ) | Including AND or OR between two search terms will search for results that match both of those terms. Including NOT between two search terms will exclude results that match the second term, even though they otherwise match your query. Parentheses can be used to group terms for higher precedence relative to the rest of your query. Parentheses are also used to designate subsearches. | (http OR tcp) AND ftp |
Wildcards, asterisk * | Appending an asterisk to the end of a term within your query will search for results that begin with your search term. An asterisk cannot be used at the beginning of a search query. | instance* |
Wildcards, question mark ? | Embedding a question mark in the middle of a term will search for results that otherwise match your query, no matter the value in the position held by the question mark in your search term. A question mark cannot be used at the beginning of a search query. | qu?ck |
Regular expression (regex), using /expression/ | Regular expression inside forward slash characters. A dialog box opens to confirm the search. Note: The characters ", *, ?, (, and ) are special characters included in expressions. If you want to search by these characters, you need to manually escape them by preceding them with a backslash. | /Describe.*Instances/ |
| OTX pulse | Pulses are collections of Indicators of Compromise (IOCs). You need to insert the word pulse: followed by the pulse ID or URL. | pulse:59432536c1970e343ce61bf0 |
-
- = & | > < ! [ ] ^ ” ~ : \ /
- Go to Environment > Assets.
-
Below Advanced Search filter, click Add Filter.
-
Select a field from the first drop-down list.
-
Select an operator from the drop-down list.
Important: Depending on the field you have chosen in the first drop-down list, the operators vary.See Advanced Search Fields (Second Drop-Down List) for more information.
- Enter the search value. If you want to search for an exact phrase having two or more words, you need to put quotation marks around the words in the phrase. This includes email addresses (for example, “bob@mycompany.com”)
- Click the icon.
- Click Add Filter if you want to add a new search.
- Click the icon.
- Click Apply.