
Searching

The Brinqa platform includes several ways to search through data or limit what data is being reviewed in a given context, like on a report.

  • List Search: Find data on a list view with a text indexing and search engine. Using text search you can search all attributes, a specific attribute, or a combination of attributes.
  • Faceted Search: Faceting is the arrangement of data into categories (which are based on indexed attributes). Within each category, Brinqa reports the number of hits or occurrences of each unique value. Faceting makes it easy for users to explore data sets on list views, where there are many attributes and many values for each attribute.
  • Filters: Filter data in various views, reports, and dashboards by using conditions.

List searches can be performed on list views, the pages that display a table of all instances of the associated data model (e.g. all hosts). List search is built on a text indexing and search engine, and can be performed by entering queries into the search bar at the top of the list view. List searches can be combined with faceted searches on list views.

Searches run from the search bar only return results from attributes that have the "index text" setting enabled. See the attribute article for more information about attribute settings.

Search terms

A search query is broken up into terms and operators. There are two types of terms: single terms and phrases.

  • A single term is a single word such as "test" or "hello"
  • A phrase is a group of words surrounded by double quotes such as "UI redress attack"

Phrase searches will ignore stop words (common words that are excluded from searches) and punctuation.

Term Modifiers

Brinqa search supports a variety of term modifiers that add flexibility to searches. These modifiers include wildcard characters, characters for making a search "fuzzy" or more general, and so on. The sections below describe these modifiers in detail.

Wildcard searches

Wildcards use a symbol to stand in for zero or more characters in a term when its exact spelling or variation is not known. Wildcard characters can be applied to single terms, but not to search phrases.

To perform a single character wildcard search, use the question mark (?) symbol. This wildcard finds terms that contain any one character to replace the question mark. For example, to find "text" or "test", search for:

te?t

To perform a multiple character wildcard search, use the asterisk (*) symbol. This wildcard finds terms that contain zero or more characters to replace the asterisk. For example, to find "planned" or "placed", search for:

pl*d

Fuzzy searches

Fuzzy searches allow users to get results that are close to the specified query, but not an exact match. They are particularly useful when search terms may have multiple spellings, the spelling is unclear, or the value may be abbreviated (e.g. pkwy vs. parkway). Fuzzy searches are different from wildcard searches in that you don't need to know the exact character(s) that might be changed.

Fuzzy searches can be performed by adding a tilde (~) to the end of a single term along with a number. The number specifies how many characters in the word can be different, either absent or with a different value.

For example, sym~2 would return results with sym, symbl (two characters added), sam (one character change), lam (two character change), among others.
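The wildcard and fuzzy rules above, as an added example that is not part of the original page and not Brinqa's own code. It translates a single-term wildcard pattern into a regular expression and reads "how many characters can be different" as Levenshtein edit distance (insertions, deletions and substitutions), which is an assumption about the engine; the term list is constructed for the demonstration.

```python
import re

# Constructed stand-in for a list view's text index (not Brinqa data).
TERMS = ["test", "text", "tent", "planned", "placed", "plod", "sym",
         "symbl", "sam", "lam", "symbol", "parkway", "pkwy"]

def wildcard_to_regex(pattern):
    """Translate a single-term wildcard pattern: ? is exactly one character,
    * is zero or more. Wildcards apply to single terms, not quoted phrases."""
    parts = []
    for ch in pattern:
        if ch == "?":
            parts.append(".")
        elif ch == "*":
            parts.append(".*")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")

def wildcard_matches(pattern, terms=TERMS):
    """Indexed terms that the wildcard pattern matches, in index order."""
    rx = wildcard_to_regex(pattern)
    return [t for t in terms if rx.match(t)]

def edit_distance(a, b):
    """Levenshtein distance: each insertion, deletion or substitution costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def fuzzy_matches(term_with_tilde, terms=TERMS):
    """Parse a 'word~N' fuzzy term and return indexed terms within N edits."""
    m = re.fullmatch(r"([^~\s]+)~(\d+)", term_with_tilde)
    if not m:
        raise ValueError("expected a single term followed by ~N")
    word, max_edits = m.group(1), int(m.group(2))
    return [t for t in terms if edit_distance(word, t) <= max_edits]
```

With the constructed index, te?t yields test, text and tent; pl*d yields planned, placed and plod; and sym~2 yields sym, symbl, sam and lam but not symbol, which needs three insertions.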

Proximity searches

Proximity searches allow users to search a phrase, but specify that the words in the phrase may or may not be directly next to each other. The phrase is within the standard double quotation marks (""), but a tilde (~) and number are added to the end of the phrase. The number determines how many words apart the terms in the phrase can be.

For example, the query "fake certificate"~3 might return results containing "fake self-signed certificate", since "fake" and "certificate" are still within three words of each other.

Attribute searches

Data indexed in the Brinqa search engine is organized in fields, which are defined based on data model attributes. If you do not specify an attribute in a query, Brinqa searches across all searchable attributes (i.e. attributes where the index search option is enabled). Using attribute searches, you can add precision to your search by searching for a term only in a specific attribute.

To specify an attribute, type the attribute name (not title) followed by a colon (:) and then the term you are searching for within the attribute. For example, if you want to find a vulnerability titled "Apache HTTP" which contains the consequence "denial of service" you could include either of the following terms in your search query on the vulnerability list view:

  • title: "Apache HTTP" AND consequence: denial
  • title: "Apache HTTP" AND consequence: "denial of service"

The attribute is only valid for the term that it directly precedes, so the query

consequence: denial of service

finds only "denial" in the consequence attribute. It will find "of" and "service" in all attributes.

To search by attributes on related data models (e.g. host OS when searching vulnerabilities), include the related attribute's data model as a prefix (e.g. host.os).

For example, to find all hosts with vulnerabilities containing "Dirty Cow" in the title and with the DNS "prod" or "uat", you could search the host list view with the following query:

vulnerabilities.title: "Dirty Cow" AND (dns: prod OR dns: uat)

In that query, the title attribute is modified with the data model that attribute is on (vulnerabilities). You could perform a search for the same results on the vulnerability list view with the following query:

title: "Dirty Cow" AND (host.dns: prod OR host.dns: uat)

Note that now the title attribute does not require modification because the search is being performed on that data model's list view. The DNS attribute now requires modification to indicate the host data model, instead.

Time Values

Date and time attributes can be searched both with absolute and relative values. The table below covers the options for relative time value searches.

Note

In time-related search queries, the minus symbol (-) indicates times in the past. E.g. last_scanned: -30d would return objects that were scanned in the last 30 days.

Table 1. Time values

  • y: Years. E.g. created_date: -3y
  • M: Months. E.g. last_found: -2M
  • w: Weeks. E.g. closed: -6w
  • d: Days. E.g. first_found: -4d
  • h: Hours. E.g. last_updated: -12h
  • m: Minutes. Note that the lowercase m indicates minutes, while uppercase M indicates months.
  • now / today: Now and today function the same in a date search, standing in for the current time. E.g. last_scanned: [01-21-16 - now]
  • yesterday: Represents the current time minus 24 hours.
  • startOfDay(): Returns 12:00 AM of the day specified in the brackets. E.g. startOfDay(01-21-17) or startOfDay(today)
  • endOfDay(): Returns 11:59 PM of the day specified in the brackets. E.g. endOfDay(01-21-17) or endOfDay(yesterday)
  • startOfWeek(): Returns 12:00 AM on either Sunday or Monday of the week in the brackets, depending on the regional settings on the searcher's machine.
  • endOfWeek(): Returns 11:59 PM on either Saturday or Sunday of the week in the brackets, depending on the regional settings on the searcher's machine.
  • startOfMonth(): Returns 12:00 AM on the first calendar day of the month of the date in the brackets.
  • endOfMonth(): Returns 11:59 PM on the last calendar day of the month of the date in the brackets.
  • startOfYear(): Returns 12:00 AM on January 1st of the year of the date in the brackets.
  • endOfYear(): Returns 11:59 PM on December 31st of the year of the date in the brackets.
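The relative time values in Table 1, resolved against a fixed clock, as an added example that is not part of the original page and not Brinqa's own code. It assumes a constructed reference time (2017-02-08, a Wednesday), MM-DD-YY and MM-DD-YYYY absolute dates, a week_start parameter standing in for the regional setting, and reads the table's "11:59 PM" as the last minute before the next period starts; in_range and in_last are assumed helpers that show how a bracketed range and a -30d style query would be evaluated.

```python
import re
import calendar
from datetime import datetime, timedelta

# Fixed reference clock so results are reproducible (constructed; a live
# search would use the current time). 2017-02-08 is a Wednesday.
NOW = datetime(2017, 2, 8, 15, 30)
ZERO = dict(hour=0, minute=0, second=0, microsecond=0)

def shift_months(dt, months):
    """Move dt by whole calendar months, clamping the day to the target month."""
    total = dt.year * 12 + dt.month - 1 + months
    year, month = divmod(total, 12)
    month += 1
    return dt.replace(year=year, month=month,
                      day=min(dt.day, calendar.monthrange(year, month)[1]))

def parse_time_value(value, now=NOW, week_start=6):
    """Resolve one Table 1 time value to a datetime.
    week_start follows datetime.weekday(): 0 = Monday, 6 = Sunday."""
    value = value.strip()
    if value in ("now", "today"):
        return now
    if value == "yesterday":
        return now - timedelta(hours=24)
    m = re.fullmatch(r"(-?)(\d+)([yMwdhm])", value)
    if m:                                   # relative offset; '-' means in the past
        n = -int(m.group(2)) if m.group(1) else int(m.group(2))
        unit = m.group(3)
        if unit in ("y", "M"):
            return shift_months(now, n * (12 if unit == "y" else 1))
        step = {"w": timedelta(weeks=1), "d": timedelta(days=1),
                "h": timedelta(hours=1), "m": timedelta(minutes=1)}[unit]
        return now + n * step
    m = re.fullmatch(r"(start|end)Of(Day|Week|Month|Year)\((.*)\)", value)
    if m:                                   # period boundary around an inner value
        edge, period, inner = m.groups()
        base = parse_time_value(inner, now, week_start)
        if period == "Day":
            start = base.replace(**ZERO)
            end = start + timedelta(days=1)
        elif period == "Week":
            back = (base.weekday() - week_start) % 7
            start = (base - timedelta(days=back)).replace(**ZERO)
            end = start + timedelta(weeks=1)
        elif period == "Month":
            start = base.replace(day=1, **ZERO)
            end = shift_months(start, 1)
        else:
            start = base.replace(month=1, day=1, **ZERO)
            end = start.replace(year=start.year + 1)
        # "11:59 PM" in the table: the last minute before the next period
        return start if edge == "start" else end - timedelta(minutes=1)
    m = re.fullmatch(r"(\d{2})-(\d{2})-(\d{2}|\d{4})", value)
    if m:                                   # absolute MM-DD-YY or MM-DD-YYYY
        mm, dd, yy = m.groups()
        year = int(yy) if len(yy) == 4 else 2000 + int(yy)
        return datetime(year, int(mm), int(dd))
    raise ValueError(f"unrecognised time value: {value!r}")

def in_range(dt, range_expr, now=NOW):
    """Evaluate an inclusive bracketed range such as [01-21-16 - now]."""
    m = re.fullmatch(r"\[(.+?) - (.+?)\]", range_expr.strip())
    if not m:
        raise ValueError("expected [lower - upper]")
    low, high = (parse_time_value(p, now) for p in m.groups())
    return low <= dt <= high

def in_last(dt, relative, now=NOW):
    """Evaluate a last_scanned: -30d style query: dt lies in the trailing window."""
    return parse_time_value(relative, now) <= dt <= now
```

Against the fixed clock, -30d resolves to 2017-01-09 15:30, -2M to 2016-12-08, and startOfWeek(today) to Sunday 2017-02-05 with the default week_start (Monday 2017-02-06 with week_start=0), which is the regional difference the table describes.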

Operators

Brinqa search allows standard Boolean operators, as well as relational operators, ranges, and boosted searches. The OR operator is the default conjunction operator, so if there is no Boolean operator between two terms, OR is used. The OR operator links two terms and matches a data set if either of the terms exists, like a union of sets.

The table below covers operator options and what they do.

Note

When specifying Boolean operators with keywords such as AND or NOT, the keywords must appear in all uppercase.

Table 2. Operators

  • And (AND, &&): Requires both terms on either side of the Boolean operator to be present for a match. For example, to find hosts that have the "Windows 2008" operating system and the "Production" environment, search for
    os: "Windows 2008" AND environment: "Production"
  • Or (OR, ||): Requires that either term (or both terms) be present for a match.
  • Not (NOT, !, -): Requires that the following term not be present. Note that the minus symbol functions differently in time-related searches, where it indicates dates in the past.
  • Required (+): Requires that the term after the + symbol exist somewhere in an attribute in at least one dataset in order for the query to return a match. For example, to search for vulnerabilities that must contain "OpenSSL" and that may or may not contain "Heartbleed", use the following query:
    +OpenSSL Heartbleed
  • Boost (^): Indicates the importance of a single term within the query. The caret (^) symbol should be followed by a number, with higher numbers indicating higher importance and increasing the relevance score of results that match that term.
  • Ranges ([ - ], { - }): Ranges can be indicated with a dash and square brackets or curly brackets, e.g.
    severity: [4 - 5] or severity: {4 - 5}
    Ranges can be used to search integers or dates. Dates should be formatted the way they appear on the list view being searched, e.g.
    last_found: [02-01-2017 - 02-08-2017]
  • Greater than (>, GREATER_THAN): Relational operator for greater than, e.g. severity > 4
  • Less than (<, LESS_THAN): Relational operator for less than, e.g. riskScore < 5
  • Equal to (=, EQUALS_TO): Relational operator for equal to, e.g. host = 127.45.6.1
  • Less than or equal to (<=, LESS_THAN_OR_EQUALS_TO): Relational operator for less than or equal to, e.g. severity <= 3
  • Greater than or equal to (>=, GREATER_THAN_OR_EQUALS_TO): Relational operator for greater than or equal to, e.g. riskScore >= 7
  • Does not start with (NOT_STARTS_WITH): Value cannot start with a certain term. Values are case sensitive.
  • Starts with (STARTS_WITH): Value must start with a certain term. Values are case sensitive.
  • Is none of (NOT_IN_LIST, NOT_IS_ANY): Value cannot equal any of the terms listed. Values should be listed separated by commas.
  • Is one of (IN_LIST, IS_ANY): Value must be one of the terms listed. Values should be listed separated by commas.
  • Does not exist (NOT_EXISTS): Value cannot exist.
  • Exists (EXISTS): Value must exist.
  • Does not end with (NOT_ENDS_WITH): Value cannot end with the term. Values are case sensitive.
  • Ends with (ENDS_WITH): Value must end with the term. Values are case sensitive.
  • Contains none of (NOT_CONTAINS_ALL): Value must not be or contain all of the terms listed. Terms should be separated by commas and are case sensitive.
  • Contains all (CONTAINS_ALL): Value must be or contain all of the terms listed. Terms should be separated by commas and are case sensitive.
  • Contains any (CONTAINS_ANY): Value must be or contain one of the terms listed. Terms should be separated by commas and are case sensitive.
  • Does not contain (NOT_CONTAINS): Value cannot be or contain the term listed. The term is case sensitive.
  • Does not contain any (NOT_CONTAINS_ANY): Value cannot be or contain any of the terms listed. Terms should be separated by commas and are case sensitive.
  • Contains (CONTAINS): Value must be or contain the term listed. The term is case sensitive.
  • Less than or equal to attribute (LESS_THAN_OR_EQUALS_TO_ATTRIBUTE): Attribute value must be less than or equal to the value of the attribute specified, e.g. riskScore LESS_THAN_OR_EQUALS_TO_ATTRIBUTE severity
  • Less than attribute (LESS_THAN_ATTRIBUTE): Attribute value must be less than the value of the attribute specified, e.g. riskScore LESS_THAN_ATTRIBUTE severity
  • Greater than or equal to attribute (GREATER_THAN_OR_EQUALS_TO_ATTRIBUTE): Attribute value must be greater than or equal to the value of the attribute specified, e.g. riskScore GREATER_THAN_OR_EQUALS_TO_ATTRIBUTE severity
  • Greater than attribute (GREATER_THAN_ATTRIBUTE): Attribute value must be greater than the value of the attribute specified, e.g. riskScore GREATER_THAN_ATTRIBUTE severity
  • Not equals to attribute (NOT_EQUALS_TO_ATTRIBUTE): Attribute value cannot equal the value of the attribute specified, e.g. riskScore NOT_EQUALS_TO_ATTRIBUTE severity
  • Equals to attribute (EQUALS_TO_ATTRIBUTE): Attribute value must equal the value of the attribute specified, e.g. riskScore EQUALS_TO_ATTRIBUTE severity
  • Not equals to (NOT_EQUALS_TO): Values on either side of the operator cannot be equal, e.g. riskScore NOT_EQUALS_TO 5
  • Not like (NOT_LIKE): Similar to NOT_CONTAINS, but allows wildcard characters and is not case sensitive.
  • Like (LIKE): Similar to CONTAINS, but allows wildcard characters and is not case sensitive.
  • Not in last (NOT_IN_LAST): Date value cannot be in the last specified time frame. See the Time Values section for relative time terms.
  • In last (IN_LAST): Date value must be in the last specified time frame. See the Time Values section for relative time terms.
  • Not in next (NOT_IN_NEXT): Date value cannot be in the next specified time frame. See the Time Values section for relative time terms.
  • In next (IN_NEXT): Date value must be in the next specified time frame. See the Time Values section for relative time terms.
  • Is not (NOT_IS): Date value does not equal the specified date. Date values must use NOT_IS instead of NOT_EQUALS_TO.
  • Is (IS): Date value equals the specified date. Date values must use IS instead of EQUALS_TO.
  • Since (SINCE): Date value must be on or after the specified date.
  • Before (BEFORE): Date value must be before the specified date.

Grouping search terms

Brinqa search supports using parentheses to group clauses to form sub-queries. This can be very useful if you want to control the Boolean logic for a query. The query below searches for all hosts with vulnerabilities containing "NetBIOS" in the title and whose risk rating is "high" or "critical":

vulnerabilities.title: "NetBIOS" AND (risk_rating: high OR risk_rating: critical)
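The attribute, Boolean operator and grouping rules from the Attribute searches, Operators and Grouping search terms sections, as an added example that is not part of the original page and not Brinqa's own search engine. It parses a subset of the syntax (quoted phrases, attribute prefixes including dotted related-model paths, AND/&&, OR/||, NOT/!/-, parentheses, and OR as the default conjunction) over constructed host records; wildcard, fuzzy, proximity, +, ^, range and relational operators are left out. The assumption that AND binds more tightly than the implicit OR is the example's own; the page does not state operator precedence. The second query shows why an attribute prefix scopes only the term it precedes: "of" and "service" fall through to all attributes and pull in a host whose vulnerability title merely contains "service".

```python
import re

# Constructed host records standing in for a host list view (not Brinqa data).
HOSTS = [
    {"dns": "web01.prod.example", "os": "Windows 2008", "environment": "Production",
     "risk_rating": "critical", "vulnerabilities": [
         {"title": "Dirty Cow privilege escalation", "consequence": "denial of service"}]},
    {"dns": "app02.uat.example", "os": "Ubuntu 16.04", "environment": "UAT",
     "risk_rating": "high", "vulnerabilities": [
         {"title": "NetBIOS name service spoofing", "consequence": "information disclosure"}]},
    {"dns": "db03.dev.example", "os": "Windows 2008", "environment": "Development",
     "risk_rating": "low", "vulnerabilities": [
         {"title": "Dirty Cow privilege escalation", "consequence": "denial of service"}]},
]

# One alternative per token kind; the matching group's name becomes the token kind.
TOKEN_RE = re.compile(r'''\s*(?:(?P<lparen>\()|(?P<rparen>\))|"(?P<phrase>[^"]*)"
    |(?P<op>AND\b|OR\b|NOT\b|&&|\|\||!|-)|(?P<attr>[A-Za-z_][\w.]*):|(?P<term>[^\s()]+))''',
    re.VERBOSE)
OP_ALIASES = {"&&": "AND", "||": "OR", "!": "NOT", "-": "NOT"}

def tokenize(query):
    out, pos, query = [], 0, query.strip()
    while pos < len(query):
        m = TOKEN_RE.match(query, pos)
        if not m:
            raise ValueError(f"cannot tokenize near {query[pos:]!r}")
        kind, val, pos = m.lastgroup, m.group(m.lastgroup), m.end()
        out.append((kind, OP_ALIASES.get(val, val) if kind == "op" else val))
    return out

class Parser:
    """Recursive descent; precedence (an assumption): parentheses > NOT > AND > OR."""
    def __init__(self, query):
        self.toks, self.pos = tokenize(query), 0
    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None
    def take(self):
        tok, self.pos = self.peek(), self.pos + 1
        return tok
    def parse_or(self):
        parts = [self.parse_and()]
        while self.peek() is not None and self.peek()[0] != "rparen":
            if self.peek() == ("op", "OR"):
                self.take()           # explicit OR; adjacent clauses are OR'd implicitly
            parts.append(self.parse_and())
        return parts[0] if len(parts) == 1 else ("or", parts)
    def parse_and(self):
        parts = [self.parse_unary()]
        while self.peek() == ("op", "AND"):
            self.take()
            parts.append(self.parse_unary())
        return parts[0] if len(parts) == 1 else ("and", parts)
    def parse_unary(self):
        tok = self.take()
        if tok == ("op", "NOT"):
            return ("not", self.parse_unary())
        if tok == ("lparen", "("):
            node = self.parse_or()
            if self.take() != ("rparen", ")"):
                raise ValueError("missing closing parenthesis")
            return node
        if tok and tok[0] == "attr":  # the attribute scopes only the term it precedes
            nxt = self.take()
            if nxt is None or nxt[0] not in ("term", "phrase"):
                raise ValueError(f"attribute {tok[1]} must be followed by a term or phrase")
            return ("match", tok[1], nxt[1])
        if tok and tok[0] in ("term", "phrase"):
            return ("match", None, tok[1])
        raise ValueError(f"unexpected token or end of query: {tok}")

def values_at(record, path):
    """Follow a dotted path such as vulnerabilities.title; list attributes fan out."""
    nodes = [record]
    for part in path.split("."):
        found = [n[part] for n in nodes if isinstance(n, dict) and part in n]
        nodes = [x for v in found for x in (v if isinstance(v, list) else [v])]
    return nodes

def all_text(value):
    """Every string reachable in a record, for terms with no attribute prefix."""
    if isinstance(value, (dict, list)):
        items = value.values() if isinstance(value, dict) else value
        return [s for v in items for s in all_text(v)]
    return [str(value)]

def text_matches(value, needle):
    """Case-insensitive word match; a phrase must appear as a contiguous word run."""
    words, want = re.findall(r"\w+", str(value).lower()), re.findall(r"\w+", needle.lower())
    return any(words[i:i + len(want)] == want for i in range(len(words) - len(want) + 1))

def evaluate(node, record):
    if node[0] == "or":
        return any(evaluate(n, record) for n in node[1])
    if node[0] == "and":
        return all(evaluate(n, record) for n in node[1])
    if node[0] == "not":
        return not evaluate(node[1], record)
    _, attr, needle = node
    haystack = values_at(record, attr) if attr else all_text(record)
    return any(text_matches(v, needle) for v in haystack)

def search(query, records=HOSTS):
    """Return the dns of every record the query matches, in list order."""
    parser = Parser(query)
    tree = parser.parse_or()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()}")
    return [r["dns"] for r in records if evaluate(tree, r)]
```

Against the constructed hosts, the page's Dirty Cow query returns only web01, the NetBIOS query returns only app02, and the unquoted vulnerabilities.consequence: denial of service returns all three hosts while the quoted phrase form returns the two with that consequence.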

Attributes with the Supports Facets setting can be used to filter data presented on list views.

To use faceted search, navigate to the list view of a data model and click the filter icon button above the search bar. This will open a side panel with available facets.

Each facet displays the number of datasets with that attribute value next to it. Different attribute facets can be selected simultaneously, e.g. severity and operating system. However, selecting multiple facets within the same attribute is not supported at this time.

Adding new facets

To make an attribute available in the facet panel, it must be marked Supports Facets.

  1. Navigate to Administration > Data Management > Data Models
  2. Open the data model with the attribute you need to modify. Some data models will only be modifiable from the Platform application.
  3. Open the attribute that should be made facetable
  4. Check the Supports Facets box near the bottom of the attribute modal
  5. Click Update on the attribute modal
  6. Click Update on the data model form

Filters

Filters, while not strictly a search, allow you to limit the data that appears in views and visualizations. They use the same condition UI that appears throughout the system. To apply a filter:

  1. Navigate to the view or report whose data you want to filter
  2. Click the Edit button associated with the section you want to filter
  3. Select Filters
  4. Add filters using the filter clause interface:

Table 3. Filter clause interface

  • Add AND Clause: Specifies multiple conditions (or sets of conditions) that must be met. (E.g. owner is Dave)
  • Add OR Clause: Specifies an alternate set of conditions that could be met. (E.g. owner is Dave OR owner is Marg)
  • Reset Filters: Clears all the filter options.
  • Attribute: Attribute referenced for the condition. (E.g. owner)
  • Operator: Operator for the specified value. (E.g. greater than, equal to, is not, contains)
  • Value: Value the operator compares the data to. (E.g. a specific name or host)
  • AND: Adds an additional AND condition to the associated section.
  • OR: Adds an OR between two different conditions within a clause (e.g. owner is Marg and status is New OR Active). These ORs must share the same attribute. E.g. Status is Active OR New, but not Status is Active OR Priority is Critical.

Adding new filters

If you don’t see an attribute as a filtering option, it isn’t set to allow filters in the data model. This can be changed by modifying the attribute’s metadata.

  1. Navigate to the application the attribute’s data model is associated with
  2. Navigate to Administration > Data Management > Data Models
  3. Select the data model associated with the attribute
  4. Find the desired attribute on the data model and click the Actions button
  5. Select Edit
  6. At the bottom of the modal window, check Supports Filter
  7. Click Update on the attribute modal
  8. Click Update on the data model form