Service inventory

When viewing services, you can use the keywords in this section to search and filter.

Ports

The TCP and UDP services associated with an asset can be searched by port number using the syntax port:<number>. This search term supports numerical comparison operators (>, >=, <, <=, =).

port:<=25

TCP ports

Use the syntax tcp:<number> to search the TCP services associated with an asset by port number.

tcp:53

To search for all services on assets with a specific list of TCP ports open, you can use the syntax service_ports_tcp:=<list>. Values should be in ascending numerical order, and separated by commas.

service_ports_tcp:=80,443

UDP ports

Use the syntax udp:<number> to search the UDP services associated with an asset by port number.

udp:443

To search for all services on assets with a specific list of UDP ports open, you can use the syntax service_ports_udp:=<list>. Values should be in ascending numerical order, and separated by commas.

service_ports_udp:=53,123

Transport

Use the syntax transport:<term> to search the transport associated with a service by name.

transport:tcp
transport:udp
transport:icmp

Protocol

Use the syntax service_protocols:<term> (or protocol:<term> for short) to search the protocols associated with services.

protocol:http
protocol:telnet

Assets with product

Use the syntax service_products:<term> (or product:<term> for short) to search for the identified service products associated with an asset, and return all services for the matching assets.

product:openssh
service_products:nginx

Virtual Host (vHost)

Use the syntax vhost:<text> to search for virtual hosts associated with a service by name.

vhost:"www"

Address

Use the keyword service_address to match against the service IP address.

service_address:192.168.0.1

Public address

Use the keyword service_has_public and the syntax service_has_public:<boolean> to locate any service with a non-reserved IP address.

The term is a boolean value:

  • true, t, 1, and yes represent true
  • false, f, 0, and no represent false

service_has_public:true

Private address

Use the keyword service_has_private and the syntax service_has_private:<boolean> to locate any service with a private IP address.

The term is a boolean value:

  • true, t, 1, and yes represent true
  • false, f, 0, and no represent false

service_has_private:false

IPv6 address

Use the keyword service_has_ipv6 and the syntax service_has_ipv6:<boolean> to locate any service with an identified IPv6 address.

The term is a boolean value:

  • true, t, 1, and yes represent true
  • false, f, 0, and no represent false

service_has_ipv6:false

Link-local IPv6 address

Use the keyword service_has_link_local and the syntax service_has_link_local:<boolean> to locate any service with an identified IPv6 link-local (fe80::) address.

The term is a boolean value:

  • true, t, 1, and yes represent true
  • false, f, 0, and no represent false

service_has_link_local:true

Assets with outlier score

You can use the syntax outlier_score:<value> to search the calculated outlier score of assets, and return all services on those assets. The outlier score is in the range 0 to 5 inclusive. This search term supports numerical comparison operators (>, >=, <, <=, =).

outlier_score:>2
outlier_score:0

Assets with MAC address vendors

To search the vendors associated with the MAC addresses of an asset, and return all services on those assets, use the syntax mac_vendor:<text>.

mac_vendor:Apple
mac_vendor:"Intel Corporate"

To search only the vendor associated with the newest MAC address, use the syntax newest_mac_vendor:<text>.

newest_mac_vendor:Apple

Assets with MAC address age

To search the ages of the newest MAC addresses associated with each asset, and return all services associated with those assets, use the syntax mac_age:<term>. The term supports the standard runZero time comparison syntax.

mac_age:>1year
mac_age:<6months
mac_age:2019-12-31

Attributes

You can search all service attributes with the syntax <attribute>:<term>. This search term supports numerical comparison operators (>, >=, <, <=, =).

If the attribute name conflicts with an existing term, the prefix _service. can be added to disambiguate the query.

Note that searching service attributes can be slow, so it is often better to place an _asset.protocol:<term> filter in front of the service attribute query to narrow the set of services examined. For example, to search for SSH banners, use the syntax _asset.protocol:ssh AND banner:<term>.

banner:password
service.product:"OpenSSH"
html.title:"Apache2 Ubuntu Default Page"
http.code:>=500
screenshot.image.size:=>100000
_service.arp.macVendor:Xerox

To determine if a service has an attribute at all, use the has keyword. The has keyword can be inverted to find missing fields, with not has:<term>.

has:"http.head.server"
not has:"html.title"
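As an added illustration (not runZero's own code), the small evaluator below applies the rules documented above (comparison operators on port terms, the tcp:/udp: shorthands, the boolean literals, the _service. prefix, and has / not has) to a handful of constructed service records; the record layout and the limited set of keywords it understands are assumptions made for this example.

```python
import re

# Constructed sample service records (illustrative only, not real scan output).
SERVICES = [
    {"address": "192.168.0.1", "transport": "tcp", "port": 22, "protocol": "ssh",
     "has_public": False, "attrs": {"banner": "SSH-2.0-OpenSSH_8.9"}},
    {"address": "203.0.113.10", "transport": "tcp", "port": 443, "protocol": "http",
     "has_public": True, "attrs": {"http.code": "503", "html.title": "Apache2 Ubuntu Default Page"}},
    {"address": "203.0.113.10", "transport": "udp", "port": 53, "protocol": "dns",
     "has_public": True, "attrs": {}},
]

# Boolean literals and numerical comparison operators exactly as the documentation lists them.
BOOL_WORDS = {"true": True, "t": True, "1": True, "yes": True,
              "false": False, "f": False, "0": False, "no": False}
OPS = {">": lambda a, b: a > b, ">=": lambda a, b: a >= b, "<": lambda a, b: a < b,
       "<=": lambda a, b: a <= b, "=": lambda a, b: a == b}

def compare(value, term):
    """Numeric term with an optional comparison operator; a bare number means equality."""
    m = re.fullmatch(r"(>=|<=|>|<|=)?(\d+)", term)
    if not m:
        raise ValueError(f"not a numeric term: {term}")
    return OPS[m.group(1) or "="](int(value), int(m.group(2)))

def clause_matches(svc, keyword, term):
    """Apply one keyword:term clause to a single service record."""
    if keyword == "port":
        return compare(svc["port"], term)
    if keyword in ("tcp", "udp"):  # tcp:<n> / udp:<n> restrict the transport as well as the port
        return svc["transport"] == keyword and compare(svc["port"], term)
    if keyword == "transport":
        return svc["transport"] == term
    if keyword in ("protocol", "service_protocols"):
        return svc["protocol"] == term
    if keyword == "service_address":
        return svc["address"] == term
    if keyword == "service_has_public":
        return svc["has_public"] == BOOL_WORDS[term.lower()]
    if keyword == "has":
        return term.strip('"') in svc["attrs"]
    # Anything else is a service attribute; the _service. prefix only disambiguates the name.
    name = keyword[len("_service."):] if keyword.startswith("_service.") else keyword
    value = svc["attrs"].get(name)
    if value is None:
        return False
    return compare(value, term) if value.isdigit() else term.strip('"').lower() in value.lower()

def search(query, services=SERVICES):
    """Evaluate a conjunction of clauses (a literal AND is optional); 'not' negates the clause after it."""
    clauses = re.findall(r'(not\s+)?([\w.]+):("[^"]*"|\S+)', query, flags=re.IGNORECASE)
    return [s for s in services
            if all(bool(neg) != clause_matches(s, kw, term) for neg, kw, term in clauses)]
```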