Searching Asset Groups

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere includes the option of searching items of interest on the page. There are several filters displayed by default. You can either filter your search or enter what you are looking for in the search field.

You can configure more filters and change which filters to display by clicking the Configure Filters link located in the upper-left side of the page. The management of filters is similar to that for assets. See Managing Filters for more information.

Filters Displayed by Default in the Main Asset Groups Page
Filter Name Meaning
Asset Grouping Filter asset groups Asset groups are administratively created objects that group similar assets for specific purposes. by "Static" and "Dynamic".
Advanced Search Use this filter to search for a specific value of a field. The advanced search is similar to that for assets An IP-addressable host, including but not limited to network devices, virtual servers, and physical servers.. See Advanced Search Filter for more information.
Sensor Filter asset groups by the associated sensor Sensors are deployed into an on-premises, cloud, or multi-cloud environment to collect logs and other security-related data. This data is normalized and then securely forwarded to USM Anywhere for analysis and correlation..
Asset Origin Type Filter asset groups by who added the asset group to the system.
Instance Type (Only for the AWS Sensor). Filter asset groups by AWS Amazon Web Services (AWS) is a suite of cloud computing services from Amazon that make up an on-demand platform giving users access to their computing resources. instance type.
Region (Only for the AWS Sensor). Filter asset groups by AWS Amazon Web Services (AWS) is a suite of cloud computing services from Amazon that make up an on-demand platform giving users access to their computing resources. region.
Operating System Filter asset groups by Operating System Software that manages computer hardware resources and provides common services for computer programs. Examples include Microsoft Windows, Macintosh OS X, UNIX, and Linux..
Asset Type Filter asset groups by asset type. See USM Accepted Asset Types for more information.
Associated Plugin Filter asset groups by assets that have plugins manually enabled.
Service Filter asset groups by service.
Software Filter asset groups by software.

Note: Keep in mind that the "Enter search phrase" box and the "Asset Grouping" filter make the search in the asset groups. The rest of the filters make the search in the members of the asset group. So long as a member of the asset group matches the selected filter, USM Anywhere will display the asset group, even if there is only a member matching that filter.

The number between brackets displayed by each filter indicates the number of items that matches the filter. You can also use the filter controls to provide a method of organizing your search and filtered results.

The following table shows the icons displayed with each filter box.

Icons Next to the Filter Title
Icon Meaning
Sort the filters alphabetically.
Sort the filters by number of items that matches them.

In the upper-left side of the page, you can see any filters you have applied. Remove filters by clicking theicon next to the filter. Or clear all filters by clicking Reset.

Selected Filters on the Asset Groups Main Page

Note: When applying filters, the search uses the logical AND operator if the used filters are different. However, when the filter is of the same type, the search uses the logical OR operator.

Those filters that have more than 10 options include a Filter Values search field for writing text and making the search easier. If there are more than 50 search results, a icon appears to the right of the Filter Values search field. Click this icon to download a CSV containing up to 1024 results.

Filter Value Search Field

USM Anywhere enables you to toggle the mode of search. The available modes are Standard and Advanced. You can change from one mode to the other by clicking the icon or clicking the icon located in the upper left corner of the page.

Standard Mode

This mode enables you to select one value per filter at the same time, and then the search is automatically performed. This mode is on by default.

To activate the standard mode when the advanced mode is on

  1. Go to Environment > Asset Groups.
  2. In the upper-left corner of the page, click the icon.
  3. This turns the icon gray, .

    4. Note: If you exit the advanced mode and the selected filters are not compatible with the standard mode, a warning dialog box opens to inform you the current filters will be removed.

Advanced Mode

Advanced mode enables you to select more than one value per filter at the same time. This mode is off by default.

To activate the advanced mode

  1. Go to Environment > Asset Groups.
  2. In the upper-left corner of the page, click the icon to activate the advanced mode.

    3. This turns the icon green, .

To perform a search in the advanced mode

  1. Go to Environment > Asset Groups.
  2. In the upper-left corner of the page, click the icon to activate the advanced mode.

    3. This turns the icon green, .

  3. Click the filters that you want to select.

    The selected filters display inside a dashed rectangle.

    Selected Filters on the Advanced Search Mode

  4. In the lower-left corner of the page, click Apply Filters. Or in the upper side of the page, click Apply.

    The result of your search displays.

To search all values of a filter

  1. Go to Environment > Asset Groups.
  2. In the upper-left corner of the page, click the icon to activate the advanced mode.
  3. Select a filter title to select all filters below that title.

Searching Asset Groups by Using the Search Field

Use the search field to enter queries and refine your search. You can enter free text, use wildcards, and use advanced search syntax. When searching, keep in mind the accepted query string syntax list in this table.

Accepted Query String Syntax
Type of Query Meaning Example
Standard query with a blank space between terms By default, a space between query terms is considered an implicit “OR”. denylist malicious

Literal, using double quotes

" "

Matches fields that contain the full term. Literal searches are case-sensitive.

Note: This type of query will not match any searches in the raw log unless the phrase included in double quotes is an exact and complete match to the contents of the raw log.

Note: IP addresses and FQDNs are considered literal searches, so they don't require quotation marks.

"Event from asset not received"

Boolean operators or using parentheses

AND, OR, NOT, ( )

Including AND or OR between two search terms will search for results that match both of those terms.

Including NOT between two search terms will exclude results that match the second term, even though they otherwise match your query.

Parentheses can be used to group terms for higher precedence relative to the rest of your query. Parentheses are also used to designate subsearches.

(http OR tcp) AND ftp

Wildcards, asterisk

*

Appending an asterisk to the end of a term within your query will search for results that begin with your search term.

An asterisk cannot be used at the beginning of a search query.

instance*

Wildcards, question mark

?

Embedding a question mark in the middle of a term will search for results that otherwise match your query, no matter the value in the position held by the question mark in your search term.

A question mark cannot be used at the beginning of a search query.

qu?ck
Regular expression (regex), using /expression/

Regular expression inside forward slash characters. A dialog box opens to confirm the search.

Note: The characters ", *, ?, (, and ) are special characters included in expressions. If you want to search by these characters, you need to manually escape them by preceding them with a backslash.

 /Describe.*Instances/
OTX pulse Pulses are collections of Indicators of Compromise (IOCs). You need to insert the word pulse followed by a colon and the pulse ID or URL. pulse:59432536c1970e343ce61bf0

Any characters may be used in a query, but certain characters are reserved and must be escaped. The reserved characters are these:

+ - = & | > < ! { } [ ] ^ " ~ : \ /

Use a backslash (for example, "\>") to escape any reserved character (including a backslash).

To search for Asset Groups using the search field

  1. Go to Environment > Asset Groups.
  2. Enter your query in the search field.

    3. If you want to search for an exact phrase having two or more words, you need to put quotation marks around the words in the phrase. This includes email addresses (for example, "bob@mycompany.com").

    Note: Wildcard characters are considered as literal characters.

  3. Click the icon.

Asset Groups Search Field

The result of your search displays with the items identified.

Advanced Search Filter on Asset Groups

The Advanced Search filter enables you to enter a search value on a selected field.

The following table shows the filter fields that you can find in the first drop-down list.

Advanced Search Fields (First Drop-Down List)
Filter Name Meaning
Name Filter asset groups by the name of the asset.
Description Filter asset groups by the asset description.
UUID Filter asset groups by the universally unique identifier (UUID).
IP/CIDR Filter asset groups by IP and Classless Inter-Domain Routing (CIDR Classless Inter-Domain Routing, which provides a method for allocating IP addresses, routing Internet protocol packets, and subdividing networks. CIDR notation provides a syntax for specifying a range of IP addresses.). This is a method for allocating IP addresses and routing IP packets. It is the range of IP addresses that define the network.
FQDN Filter asset groups by Fully Qualified Domain Name (FQDN).
Asset Type Filter asset groups by asset type.
Instance Type Filter asset groups by instance type.
Region Filter asset groups by region.
Operating System Filter asset groups by operating system.
Service Filter asset groups by service.
Software Filter asset groups by software.
Associated Plugin Filter asset groups by the plugin associated to the asset.
Alarm Counter Filter asset groups by the number of alarms.
Event Counter Filter asset groups by the number of events.
Vulnerability Counter Filter asset groups by the number of vulnerabilities.
Configuration Issue Counter Filter asset groups by the number of configuration issues.
PCI Asset Filter asset groups by Payment Card Industry (PCI) Asset, if the asset is included or not in the PCI Data Security Standards (DSS) Asset Group. See Asset Group List View and Working with Assets and PCI DSS for more information.
HIPAA Asset Filter asset groups by Health Insurance Portability and Accountability Act (HIPAA) Asset, whether the asset is included in the HIPAA Asset Group. See Asset Group List View for more information.
Custom User Fields Filter asset groups by the fields you have created. If you have not created fields, this filter does not display.

Note: The result of a search when you use the Alarm Counter filter or the Event Counter filter depends on if an alarm or an event can identify the source or destination as an asset in the inventory. Your environment can have alarms or events associated with assets both included in the inventory and those not included in the inventory.

The following table shows the operators that you can find in the second drop-down list.

Advanced Search Fields (Second Drop-Down List)

Operator Meaning
> Greater than.
>= Greater than or equal to.
< Less than.
<= Less than or equal to.
Equal Equal to.
IP Range Range of IP addresses.
Is Empty Include assets with no IP addresses. This operator is available only for IP/CIDR.
Is Not Empty Include assets with IP addresses. This operator is available only for IP/CIDR.
Like Search for the specified pattern.
Not Equal

Not equal to.

Important: Some filters don't include the NOT operator (for example, Services or Software).
Not Like Not true.

The following table shows the operators that you can include in your query string.

Use the search field to enter queries and refine your search. You can enter free text, use wildcards, and use advanced search syntax. When searching, keep in mind the accepted query string syntax list in this table.

Accepted Query String Syntax
Type of Query Meaning Example
Standard query with a blank space between terms By default, a space between query terms is considered an implicit “OR”. denylist malicious

Literal, using double quotes

" "

Matches fields that contain the full term. Literal searches are case-sensitive.

Note: This type of query will not match any searches in the raw log unless the phrase included in double quotes is an exact and complete match to the contents of the raw log.

Note: IP addresses and FQDNs are considered literal searches, so they don't require quotation marks.

"Event from asset not received"

Boolean operators or using parentheses

AND, OR, NOT, ( )

Including AND or OR between two search terms will search for results that match both of those terms.

Including NOT between two search terms will exclude results that match the second term, even though they otherwise match your query.

Parentheses can be used to group terms for higher precedence relative to the rest of your query. Parentheses are also used to designate subsearches.

(http OR tcp) AND ftp

Wildcards, asterisk

*

Appending an asterisk to the end of a term within your query will search for results that begin with your search term.

An asterisk cannot be used at the beginning of a search query.

instance*

Wildcards, question mark

?

Embedding a question mark in the middle of a term will search for results that otherwise match your query, no matter the value in the position held by the question mark in your search term.

A question mark cannot be used at the beginning of a search query.

qu?ck
Regular expression (regex), using /expression/

Regular expression inside forward slash characters. A dialog box opens to confirm the search.

Note: The characters ", *, ?, (, and ) are special characters included in expressions. If you want to search by these characters, you need to manually escape them by preceding them with a backslash.

 /Describe.*Instances/
OTX pulse Pulses are collections of Indicators of Compromise (IOCs). You need to insert the word pulse followed by a colon and the pulse ID or URL. pulse:59432536c1970e343ce61bf0

Any characters may be used in a query, but certain characters are reserved and must be escaped. The reserved characters are these:

+ - = & | > < ! { } [ ] ^ " ~ : \ /

Use a backslash (for example, "\>") to escape any reserved character (including a backslash).

To search asset groups using the advanced search filter

  1. Go to Environment > Asset Groups.

  2. Below Advanced Search filter, click Add Filter.

    Advanced Search on the Asset Main Page

  3. Select a field from the first drop-down list.

    Advanced Search on the Asset Main Page

    See Advanced Search Fields (First Drop-Down List) for more information.

  4. Select an operator from the drop-down list.

    Important: Depending on the field you have chosen in the first drop-down list, the operators vary.

    Advanced Search on the Asset Main Page

    See Advanced Search Fields (Second Drop-Down List) for more information.

  5. Enter the search value.

    6. If you want to search for an exact phrase having two or more words, you need to put quotation marks around the words in the phrase. This includes email addresses (for example, "bob@mycompany.com").

  6. Click the icon.
  7. Click Add Filter if you want to add a new search.
  8. Click the icon.
  9. Click Apply.

The result of your search displays with the assets identified.