Selecting Source Options in the Query Wizard
  • 08 Aug 2024

Use the different Source options to build more sophisticated queries.

The Source drop-down contains the following options:

Aggregated Data

  • Aggregated Data (displayed as ALL)
    • Use Aggregated Data to query on all asset common fields fetched from any of the adapter connections.
    • Aggregated Data is selected by default.

Complex Field

  • Complex Field (displayed as OBJ)
    • Use Complex Field to query on assets with a specific complex field that meets the specified criteria.
      • Example: query on all devices that have installed software that meets the following criteria:
        • Installed Software:Software Name contains 'chrome'.
        • Installed Software:Software Version NOT later than 86.

[Screenshot: ComplexEG.png]

Asset Entity

  • Asset Entity (displayed as ENT)
    • Use Asset Entity to query on a specific asset entity, that is, an asset entity fetched from a specific adapter connection.

    • Asset Entity is useful when assets in your Axonius environment have been correlated from several different asset entities of the same adapter connection, for example Amazon Web Services (AWS), Microsoft Entra ID (Azure AD), SolarWinds Network Performance Monitor and Tanium.

      • Example 1: query on all users that were fetched from Amazon Web Services (AWS) with a specific Adapter Connection Label and whose Device Type is EC2.

[Screenshot: EntEG1.png]

  • Example 2: You can also create Asset Entity queries on Complex Fields.

'Complex Field' is available as an option from the second row onwards, and the complex fields offered depend on the adapter type selected in the first row. For example, you can find devices with an asset entity that has a specific software name and version and that were last seen in the last 7 days.

[Screenshot: EntittQueryEx2.png]

Field Comparison

  • Field Comparison (displayed as CMP)
    • Use Field Comparison to compare the values of two adapter fields and return only the assets for which the comparison holds.
    • The following field types are supported: Enum, Boolean, Numeric, Date, and List.
    • For String, Enum, and Boolean fields the Equals operator is supported (String comparison is case-sensitive).
    • For Numeric fields the Equals, <, and > operators are supported.
    • For Date fields the Equals, <, >, <days, >days, <hours and >hours operators are supported.
    • When comparing date fields by days, the time of day is ignored and only the calendar date is compared.
    • The >days and >hours operators return assets whose first date field is later than the second date field by more than the specified number of days or hours.
    • The <days and <hours operators return assets whose first date field is earlier than the second date field by more than the specified number of days or hours.
    • Example: query all devices whose Last Seen value from the Amazon Web Services (AWS) adapter is more than 3 days after their Last Seen value from the Microsoft Active Directory (AD) adapter.

[Screenshot: FieldCmp1.png]
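The date operators above are easy to misread, in particular the rule that the >days and <days operators compare calendar dates only while >hours and <hours use the full timestamp. The following Python is an added illustration written for this article, not Axonius code and not an Axonius API: it models a Field Comparison between two Last Seen fields on a few constructed device records (the device names, field names and timestamps are made up) so the difference between a 3-day and a 72-hour gap is visible.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real data): each device carries the Last Seen
# timestamp reported by two adapters, e.g. AWS and Active Directory.
DEVICES = [
    {"name": "dev-1",
     "aws_last_seen": datetime(2024, 8, 10, 1, 0),
     "ad_last_seen": datetime(2024, 8, 6, 23, 0)},   # 74 hours apart, 4 calendar days
    {"name": "dev-2",
     "aws_last_seen": datetime(2024, 8, 9, 23, 0),
     "ad_last_seen": datetime(2024, 8, 6, 1, 0)},    # 94 hours apart, only 3 calendar days
    {"name": "dev-3",
     "aws_last_seen": datetime(2024, 8, 5, 12, 0),
     "ad_last_seen": datetime(2024, 8, 9, 12, 0)},   # AWS value earlier than AD value
]


def compare_dates(first, operator, second, n=0):
    """Evaluate `first <operator> second` as the article describes the Date operators.

    Supported operators: "equals", "<", ">", ">days", "<days", ">hours", "<hours".
    For >days and <days only the calendar date is compared (time of day ignored);
    for >hours and <hours the full timestamp is used.
    """
    if operator == "equals":
        return first == second
    if operator == ">":
        return first > second
    if operator == "<":
        return first < second
    if operator in (">days", "<days"):
        # Drop the time component, then measure the gap in whole calendar days.
        gap_days = (first.date() - second.date()).days
        return gap_days > n if operator == ">days" else gap_days < -n
    if operator in (">hours", "<hours"):
        gap_hours = (first - second) / timedelta(hours=1)
        return gap_hours > n if operator == ">hours" else gap_hours < -n
    raise ValueError(f"unsupported operator: {operator}")


def field_comparison(devices, first_field, operator, second_field, n=0):
    """Return the names of devices whose two date fields satisfy the comparison."""
    return [d["name"] for d in devices
            if compare_dates(d[first_field], operator, d[second_field], n)]


if __name__ == "__main__":
    # The article's example: AWS Last Seen more than 3 days after AD Last Seen.
    print(field_comparison(DEVICES, "aws_last_seen", ">days", "ad_last_seen", 3))
    # The same devices compared by hours instead of calendar days.
    print(field_comparison(DEVICES, "aws_last_seen", ">hours", "ad_last_seen", 72))
```

dev-2 is the instructive case: its two timestamps are 94 hours apart, so a >hours 72 comparison returns it, but the calendar dates are only 3 days apart, so >days 3 does not, because "more than 3 days" on dates means a gap of at least 4.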

Field Comparison by Aggregated Values

When you select Field Comparison and then select Aggregated, the Field drop-down lets you select either a preferred value or one of the following aggregated fields: Latest Used User Email, Last Used Users AD Display Name, Total CVE Count (high, low, etc.), First Seen, or Last Seen.

[Screenshot: PreferredFields2]

Field Comparison by List Fields

You can compare two list fields to obtain an exact or a partial match, for example to compare the Asset Name between devices or to compare two lists of IP addresses.

Use the 'in', 'contains', or 'equals' operator to obtain the desired result.

Using the 'in' operator

When you select Field Comparison by adapter and compare the list of values in the top row of the query with the list in the lower row using the in operator, the assets whose top-row values are shared with the lower row appear in the results.
For example, if the top row is a device's Public IPs and the lower row is its Network Interface IPs, the results are the devices for which the two lists have IPs in common.

[Screenshot: Device_FieldComparison]


If NOT is selected, and the top row contains a device with the list values 10.0.0.1, 10.0.0.2, and 10.0.0.3 while the lower row contains a device with the list values 10.0.0.1, 10.0.0.2, 10.0.0.3, and 10.0.0.4, the resulting devices are all devices with values that are not mutual between the top row and the lower row. In this example, the device with 10.0.0.4 is returned.

The fields offered in the lower row depend on the top row's field type and operator. For example, comparing a single value with another single value using the equals operator does not offer list fields to compare against; with the in operator, list fields are available.

Note:

List field values using ‘in’ or ‘equals’ are case-sensitive.

Using the 'contains' operator

Use Field Comparison with the contains operator to compare mutual values that aren't case-sensitive, such as email addresses or partial matches between lists of IPs.

[Screenshot: PreferredContains]

Using the 'equals' operator

Use Field Comparison with the equals operator to compare lists of case-sensitive values with exact matches.
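To make the three list operators and the NOT behaviour from the sections above concrete, here is an added Python illustration written for this article (it is not Axonius code and does not use any Axonius API). It models a Field Comparison between two list fields of the same asset on constructed sample devices and users; the device names, field names, IPs and e-mail addresses are made up. Two points are this example's own reading of the article rather than something it states outright: 'equals' is treated as the two lists holding exactly the same values, and NOT with 'contains' or 'equals' is plain negation, whereas NOT with 'in' follows the article's 10.0.0.4 example and returns assets that have values not shared between the two fields.

```python
# Constructed sample assets (not real data). Field names are made up.
DEVICES = [
    {"name": "dev-a",
     "public_ips": ["10.0.0.1", "10.0.0.2", "10.0.0.3"],
     "nic_ips": ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"]},   # the article's NOT example
    {"name": "dev-b",
     "public_ips": ["192.0.2.10"],
     "nic_ips": ["192.0.2.10"]},                                      # identical lists
    {"name": "dev-c",
     "public_ips": ["198.51.100.7"],
     "nic_ips": ["10.0.0.9"]},                                        # nothing in common
    {"name": "dev-d",
     "public_ips": ["10.0.0.10"],
     "nic_ips": ["10.0.0.1"]},                                        # partial (substring) match only
]
USERS = [
    {"name": "user-1", "mails": ["Alice@Example.com"], "aliases": ["alice@example.com"]},
    {"name": "user-2", "mails": ["bob@example.com"], "aliases": ["carol@example.com"]},
]


def _as_list(value):
    """Treat a single value as a one-element list so lists and scalars compare alike."""
    return list(value) if isinstance(value, (list, tuple, set)) else [value]


def list_compare(top, operator, lower):
    """Compare the top-row list with the lower-row list using one article operator."""
    top, lower = _as_list(top), _as_list(lower)
    if operator == "in":
        # Case-sensitive: the asset matches when the two lists share at least one value.
        return bool(set(top) & set(lower))
    if operator == "equals":
        # Case-sensitive exact match of the whole list (assumption: order is ignored).
        return set(top) == set(lower)
    if operator == "contains":
        # Case-insensitive partial match: some top value contains some lower value.
        return any(l.lower() in t.lower() for t in top for l in lower)
    raise ValueError(f"unsupported operator: {operator}")


def field_comparison(assets, top_field, operator, lower_field, negate=False):
    """Return the names of assets for which `top_field <operator> lower_field` holds."""
    names = []
    for asset in assets:
        top, lower = asset[top_field], asset[lower_field]
        if negate and operator == "in":
            # NOT in, per the article's 10.0.0.4 example: return the asset when it has
            # values that are not mutual between the two fields (symmetric difference).
            matched = bool(set(_as_list(top)) ^ set(_as_list(lower)))
        else:
            matched = list_compare(top, operator, lower)
            if negate:
                matched = not matched   # assumption: plain negation for contains / equals
        if matched:
            names.append(asset["name"])
    return names


if __name__ == "__main__":
    print("in:       ", field_comparison(DEVICES, "public_ips", "in", "nic_ips"))
    print("NOT in:   ", field_comparison(DEVICES, "public_ips", "in", "nic_ips", negate=True))
    print("equals:   ", field_comparison(DEVICES, "public_ips", "equals", "nic_ips"))
    print("contains: ", field_comparison(DEVICES, "public_ips", "contains", "nic_ips"))
    # E-mail addresses differ only in case, so only 'contains' matches them.
    print("users in: ", field_comparison(USERS, "mails", "in", "aliases"))
    print("users contains:", field_comparison(USERS, "mails", "contains", "aliases"))
```

dev-d shows why 'contains' is the operator for partial IP matches: 10.0.0.1 is a substring of 10.0.0.10, so 'contains' returns it while 'in' does not. user-1 shows the case-sensitivity note in practice: 'in' and 'equals' treat Alice@Example.com and alice@example.com as different values, 'contains' does not.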

Relationship

Relationship (displayed as RLT) - Use Relationship to query on assets that are connected to each other, i.e. that have a relationship between them, for instance Users that are connected to Devices.

You can create a query on Assets based on the relationship between assets and by using a saved query from any asset type. Learn more about Managing Custom Relationships.

To create a query based on relationship

  1. Open the Assets page relevant to the asset type you are creating the query from.
  2. Open the Query Wizard.

[Screenshot: RElationshipDropDown]

  3. From the Source drop-down choose 'Relationship'. The 'Asset Type' drop-down is displayed.

[Screenshot: RElationship AssetType]

  4. The list shows all the asset types which can be related to the asset type that you selected. Only asset types that you have permission to see are displayed in the Asset Type drop-down. Select the asset type that you want to use in the relationship query.

  5. The 'Relationship Type' field opens. Assets are related by values in specific fields; for instance, Devices and Vulnerabilities may be related by the CVE ID. The default field that creates the relationship is displayed and selected. If someone on your system has already created a custom relationship using a different field, those fields are displayed too.

[Screenshot: CustomReleastionshipRelatedby]

  6. From the 'Select Query' drop-down choose a Saved Query that is appropriate for the relationship selected. Note that you can't choose a saved query which is itself already based on a relationship.

For example, on the Devices page select Vulnerabilities and choose the Saved Query "Select all Critical vulnerabilities". The results screen shows all devices that have critical vulnerabilities, based on the relationship between devices and vulnerabilities.

Or

From the Users page create a RLT query where the asset type is Activities and select the saved query called "Last Login data 3 days ago". The system shows all users whose last login date was 3 days ago.

  7. Once you save the query you can use it in all places in the system where you use queries.

Examples:
You can use Relationship queries to see:

  • All devices of the enterprise's full-time employees.
  • All users who used Unsecured devices in the last 7 days.
  • All users who used Unmanaged applications.
  • All licenses of Inactive users.
