Searching for Multiple assets

InsightVM Query Builder
1

Sorry I am very novice to the query builder.
My team forwarded me a long list of assets that need to be looked at.
I am trying to run query builder to filter out these assets. The list presented to me is in this format:
asset1, asset2, asset3, … asset100

Trying to find out if query builder can be used to show these assets in a single search or perhaps the ability to use these in a CSV file.
Greatly appreciate your help!

2

CSV is not support.
You can put those assets in a variable:
https://docs.rapid7.com/insightidr/use-variables-in-queries/
Each asset should be separated with a comma - for example just look at the prebuilt variables.
You can also do something like this:
source_asset icontains-any [asset1,asset2,asset3]
The syntax when using variable is similar to the syntax above - just review the link above for examples.

Please make sure that you are using the correct key filed. If you are searching the asset authentication log set those field could be:

source_asset
source_asset_address
destination_asset
destination_asset_address

icontains-any will perform case insensitive search against all of the supplied names. Partial matches will also be included when using icontains-any.
If you are absolutely sure that the values you are searching have the same format in the events then you can use in instead of icontains-any
source_asset in [asset1,asset2,asset3]
This should be speedup the search.

Please bear in mind that there is a hard limit of the number of character you can use in a search string. Also searching for multiple values is likely to slow down your search. If that is the case try searching in smaller intervals.

3

:frowning: am sorry I forgot to mention that this is for IVM. The query doesn’t seem to work for IVM or maybe I am doing something wrong :frowning:

4

nah you’re right, what he is referencing is for InsightIDR instead of InsightVM.

InsightVM query builder does not take a CSV as an argument for filtering. If this list of assets is a static group then my suggestion would be to create a tag for them in the console which can then by filtered on in the Query Builder.