
add full text search #179

Merged 2 commits on May 21, 2024
4 changes: 2 additions & 2 deletions docs/cnspec/saas/ms365.md
Expand Up @@ -22,9 +22,9 @@ To test your Microsoft 365 environment with cnspec, you must have:

### Log into Microsoft 365

cnspec relies on the Microsoft Graph API to collect the data it needs. To give cnspec permission to access this data, you must create a registered app in Azure. To learn how to register and configure the app, read [Secure Microsoft 365 with Mondoo](Register an Azure app: /platform/infra/saas/ms365/ms365-auto/).
cnspec relies on the Microsoft Graph API to collect the data it needs. To give cnspec permission to access this data, you must create a registered app in Azure. To learn how to register and configure the app, read [Secure Microsoft 365 with Mondoo](/platform/infra/saas/ms365/ms365-auto/).

After registering the App, the method you choose for scanning depends on your goals:
After registering the app, the method you choose for scanning depends on your goals:

- For widescale assessment of your Microsoft 365 infrastructure, scan using policy bundles. These collections of tests work together to present a broad picture of your Microsoft 365 security posture.
- To run ad hoc checks against your Microsoft 365 environment, use cnspec's interactive shell. It has auto-complete to guide you, which is especially helpful when you're new to cnspec and learning MQL.
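Review bot: the first replaced line fixes a broken Markdown link target: `(Register an Azure app: /platform/infra/saas/ms365/ms365-auto/)` is not a valid URL, so the link rendered dead, and `[Secure Microsoft 365 with Mondoo](/platform/infra/saas/ms365/ms365-auto/)` is the right shape. The link text and the `ms365-auto` path still read like two different pages, so confirm that target is the app-registration guide the sentence promises. Lowercasing "App" in the next changed line matches the rest of the page.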
346 changes: 14 additions & 332 deletions docs/platform/intel/search.mdx
Expand Up @@ -6,354 +6,36 @@ description: Search for assets in your Mondoo inventory
image: /img/featured_img/mondoo-feature.jpg
---

You can quickly search an entire organization from the Mondoo Console's top navigation bar. Find assets by name, platform, and more.
You can quickly search an entire organization from the Mondoo Console's top navigation bar. Full-text search allows you to find a text string in every asset name, resource, and field where it occurs.

Mondoo's inventory search is straightforward but powerful. Specialized search predicates that are unique to Mondoo provide capabilities beyond a simple text search.
Examples:

- Searching for the Google Cloud project ID `luna-discovery` can return not only the project asset itself but also storage buckets with that project ID and a Terraform file with the name `luna-discovery-backend`.

- You can search for `[email protected]` to see all assets in your organization that contain Stella's email in any resource field.

- Search for `terraform` across an entire organization to find all Terraform assets in all spaces in the organization.

## Search for assets

1. In the Mondoo Console, [navigate](/platform/start/navigate/) to the organization or space where you want to search.

2. Locate the search box in the top-left corner of the Mondoo Console.
2. Locate the search box in the top-right corner of the Mondoo Console.

![Search an organization in the Mondoo Console](/img/platform/intel/search-box-org.png)

3. Enter search parameters in the search box and press **Enter**. To learn about search syntax and capabilities, read the section below.

![Mondoo search results](/img/platform/intel/simple-results.png)
3. Enter search parameters in the search box and press **Enter**.

4. Use the drop-down in the top-right corner to change the scope of the search:

- To limit your search to the current space, select **IN SPACE**. (This option is available only if you're currently working in a space.)
![Change search scope in the Mondoo Console](/img/platform/intel/search-drop.png)

- To limit your search to the current space, select **Search in Space**. (This option is available only if you're currently working in a space.)

- To extend your search to the entire current organization, select **IN ORGANIZATION**.
- To extend your search to the entire current organization, select **Search in Organization**.

5. From the results list, select the asset you want to view.

To cancel the search, press **Esc** or select the **x** on the right side of the search box.

## Mondoo inventory search syntax and predicates

Mondoo search supports text matching, partial text matching, and Boolean operators. It includes specialized predicates to help you refine your search.

### Text matching and partial matching

Enter a number or word to find assets with names containing that number or word. Text search is not case sensitive.

For example, if you search for `luna`, the results include assets named:

- gcr.io/luna-store/currencyservice@bd0fa063169b

- AltaLuna44005

- AWS Account lunalectric-prod (69892234400)

Enter multiple words and/or numbers separated by a space to find assets with names containing both.

For example, if you search for `luna AWS`, the results include assets named:

- AltaLuna44005AWS4

- AWS Account lunalectric-prod (69892234400)

- 11440075 Calluna AWS

Mondoo treats the aws in the search text as a Boolean AND. If you prefer, you can type `luna AND aws` for the same result.

Mondoo also supports the OR operator. The search `luna OR aws` returns assets named:

- AltaLuna44005AWS4

- AWS Account lunalectric-prod (69892234400)

- 11440075 Calluna AWS

- lunalectric-gke-001

- AWS Account marsrover-prod (69892234499)

For a text match that includes a space, put the search terms in quotes: Of the results above, only `11440075 Calluna AWS` shows up in a search for `"luna aws"`.

### Specialized predicates

By default, Mondoo searches based on the asset name. However, Mondoo's specialized search predicates let you target a different attribute, such as hostname or annotation. For example, enter `platform:redhat` to find all Red Hat assets.

Mondoo supports these search predicates:

- [`platform`](#platform)

- [`kind`](#kind)

- [`annotation`](#annotation)

- [`name`](#name)

#### platform

The `platform` predicate lets you limit search results by the asset platform. For example, enter `platform:windows` to find Windows assets.

The Boolean operators, text matching, and partial text matching guidelines described above apply to the `platform` predicate. For example:

- `platform:win` finds Windows assets.

- `platform:k8s` finds assets with the `platform` value `k8s-node`, `k8s-pod`, `k8s-admission`, and so on.

- `platform:alpine OR amazonlinux` finds assets that have either `alpine` or `amazonlinux` as their `platform` value.

<details>
<summary>Show or hide a list of <code>platform</code> values.</summary>

- `alpine`

- `amazonlinux`

- `arch`

- `arista-eos`

- `aws`

- `aws-cloudtrail-trail`

- `aws-cloudwatch-loggroup`

- `aws-dynamodb-table`

- `aws-ebs-snapshot`

- `aws-ebs-volume`

- `aws-ecs-instance`

- `aws-iam-group`

- `aws-iam-user`

- `aws-kms-key`

- `aws-lambda-function`

- `aws-rds-dbinstance`

- `aws-rds-dbcluster`

- `aws-s3-bucket`

- `aws-security-group`

- `aws-vpc`

- `azure`

- `azure-compute-vm`

- `azure-mysql-server`

- `azure-network-security-group`

- `busybox`

- `centos`

- `clear-linux-os`

- `cloudlinux`

- `cos`

- `debian`

- `docker-image`

- `euleros`

- `fedora`

- `gcp-bigquery-dataset`

- `gcp-compute-firewall`

- `gcp-compute-image`

- `gcp-compute-instance`

- `gcp-compute-network`

- `gcp-compute-subnetwork`

- `gcp-folder`

- `gcp-gke-cluster`

- `gcp-org`

- `gcp-organization`

- `gcp-project`

- `gcp-storage-bucket`

- `gentoo`

- `github-org`

- `github-repo`

- `github-user`

- `gitlab`

- `google-workspace`

- `k8s-admission`

- `k8s-cluster`

- `k8s-cronjob`

- `k8s-daemonset`

- `k8s-deployment`

- `k8s-ingress`

- `k8s-job`

- `k8s-manifest`

- `k8s-namespace`

- `k8s-node`

- `k8s-pod`

- `k8s-replicaset`

- `k8s-statefulset`

- `kali`

- `linuxmint`

- `macos`

- `manjaro-arm`

- `mariner`

- `microsoft365`

- `oci`

- `okta-org`

- `opensuse-leap`

- `oraclelinux`

- `parrot`

- `photon`

- `pop`

- `raspbian`

- `redhat`

- `rhcos`

- `rockylinux`

- `scratch`

- `slack-team`

- `sles`

- `terraform-hcl`

- `terraform-plan`

- `terraform-state`

- `ubuntu`

- `vmware-esxi`

- `vmware-vsphere`

- `windows`

If you need to search for a platform that you don't see in this list, please ask us about it in the [Mondoo Community Slack Channel](https://mondoo.link/slack).

</details>

#### kind

The `kind` predicate lets you limit search results by their type or kind, which is a categorization unique to Mondoo.

<details>
<summary>Show or hide a list of <code>kind</code> values.</summary>

- `api`

- `aws_object`

- `azure_object`

- `bare_metal`

- `code`

- `container`

- `container_image`

- `gcp_object`

- `k8s_object`

- `network`

- `package`

- `process`

- `unknown`

- `virtual_machine`

- `virtual_machine_image`

</details>

#### annotation

Mondoo annotations are metadata you can add to assets. They're key-value pairs containing any text you want. To learn more, read [Annotate (Tag) Assets](/platform/intel/annotations).

You can search for assets that have a certain key-value pair or you can search for assets that have any value for a certain key. These are examples:

- `annotation:[email protected]` finds assets that have the "owner" annotation with "[email protected]" in the value. This is a fast way to find assets belonging to one user.

- `annotation:project` finds all assets that have the "project" annotation with any value.

- `annotation:project=rover` finds all assets that have the "project" annotation with "rover" in the value. This search finds assets that belong to the Mars Rover and Moon Rover projects.

#### name

`name` is the default predicate for an asset search, so you don't need to specify `name` if you _only_ want to search asset names. For example, a search for `southwest` is the same as a search for `name:southwest`.

When you combine predicates in a single search, you don't have to include `name` if it's the first predicate in the search. For example this search finds only assets that have both `southwest` in their name and have the type `azure_object`:

`southwest AND platform=aws-ec2-snapshot`

However, if the `name` predicate in a search comes after another predicate, you must include the `name` predicate. For example, this search fails because it tries to find assets that have both `aws-ec2-snapshot` and `southwest` in the platform:

`platform=aws-ec2-snapshot AND southwest`

If you add the `name` predicate, then you search for assets that have both `aws-ec2-snapshot` in their platform and `southwest` in the name:

`platform=aws-ec2-snapshot AND name:southwest`

---
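Review bot: this rewrite removes the entire "Mondoo inventory search syntax and predicates" section (text and quoted-phrase matching, `AND`/`OR`, and the `platform`, `kind`, `annotation` and `name` predicates with their value lists) without saying whether those predicates still work alongside full-text search; if they do, keep at least a short predicate reference, and if they do not, add a one-line note so existing users know that `platform:redhat`-style queries no longer apply. The new intro also promises matches in "every asset name, resource, and field", and the email-address example shows that resource field contents are searchable across an organization; state whether an **IN ORGANIZATION** search is limited to the spaces the user can access. Minor: dropping the syntax pointer from step 3 is consistent with the removal, and step 4 now uses **Search in Space** / **Search in Organization** instead of the old capitalized labels, so check that the new `search-drop.png` screenshot matches those labels.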
Binary file added static/img/platform/intel/search-drop.png
Binary file removed static/img/platform/intel/simple-results.png