Use VMware Aria Automation for Secure Clouds queries to create your own custom search strings
This guide provides a general reference for using simple search query language (SSQL) in VMware Aria Automation for Secure Clouds to construct query strings in Explore Search.
Search for resources by type
Your assets in the cloud provider inventory are presented in VMware Aria Automation for Secure Clouds as resources. The easiest and most common way to find resources is by their resource type, which is expressed with the Provider.Service.ResourceType pattern. For example:
- AWS.EC2.Instance
- Azure.Compute.VirtualMachine
- GCP.Compute.Instance
Note: Occasionally the search for the resource type (GCP.Compute.Instance) can return results from other types as well. To limit them strictly to the type, use entityType=GCP.Compute.Instance. This is not needed if you have used property or tag conditions.
Apply property conditions
Your resource configurations are stored as properties and values of the resource object. For example, running EC2 instances will have a property StateName with value running.
To find resources with specific configurations, you can use the following property conditions.
| Condition | Syntax | Description |
|---|---|---|
| property with a value | pname = pvalue | Property with name pname has value equal to pvalue |
| property different than a value | pname != pvalue | Property with name pname has value different than pvalue |
| property exists | pn(pname) or propertyName(pname) | There is a property with name pname |
| property value exists | pv(pvalue) or propertyValue(pvalue) | There is a property with value pvalue |
To apply property conditions to your searches, use the following operators.
| Operator | Usage |
|---|---|
| HAS | Apply one or more conditions to a resource type |
| AND | Group conditions when all of them must be satisfied |
| OR | Group conditions when at least one of them must be satisfied |
| NOT | Reverse a condition |
| ( ) | Specify the order in which conditions are evaluated |
Note: The operators are case-insensitive, i.e. HAS is equivalent to has
Examples:
| Query | Description |
|---|---|
| Azure.Compute.VirtualMachine has PowerState = PowerState/running | Running Azure VMs |
| AWS.EC2.Instance has region = us-east-2 and pn(PublicIpAddress) | EC2 Instances from region us-east-2 with Public IP address set |
| region = us-east-2 | Any resources from region us-east-2 |
| AWS.EC2.Instance has (region = us-east-2 or region = us-east-1) | EC2 Instances from region us-east-1 or us-east-2. Without parenthesis we would get all resources from us-east-2 |
Apply tag conditions
The tags you configure in your cloud provider can be accessed with the tag prefix. For example, use tag.createdBy to access the tag with name createdBy
To find resources by tag, you specify the following tag conditions.
| Condition | Syntax | Description |
|---|---|---|
| tag with a value | tag.tagname = tagvalue | Tag with name tagname has value equal to tagvalye |
| tag different than a value | tag.tagname != tagvalue | Tag with name tagname has value different than tagvalue |
| tag exists | tag.tagname | There is a tag with name tagname |
| tag value exists | tag = tagvalue | There is a tag with value tagvalue |
Tag conditions are applied using the same operators as above and can be mixed and matched with property conditions.
Examples:
| Query | Description |
|---|---|
| Azure.Compute.VirtualMachine has PowerState = PowerState/running and tag.createdBy = Engineering | Running Azure VMs created by engineering |
| AWS.EC2.Instance has region = us-east-2 and not tag.Owner | EC2 Instances from region us-east-2 without an owner tag |
Comparison operators, Date and time functions
Comparison operators (<=, <, >, =>) are available for integer and datetime properties. In addition, some special date and time functions are available to construct dates easily.
| Syntax | Description |
|---|---|
| hoursAgo(n) | Returns the time n hours earlier than now |
| daysAgo(n) | Returns the time n days earlier than now |
| monthsAgo(n) | Returns the time n months earlier than now |
| yearsAgo(n) | Returns the time n years earlier than now |
Examples:
| Query | Description |
|---|---|
| AWS.EC2.Instance has CpuCoreCount >= 4 | EC2 Instances with 4 CPU cores or more |
| AWS.IAM.AccessKey HAS AccessKeyLastUsedDate < 2021-01-01 | Access keys last used earlier than Jan 1st 2021 |
| AWS.IAM.AccessKey HAS AccessKeyLastUsedDate < monthsAgo(6) | Access keys last used earlier than six months ago |
Wildcards
To find resource matching a pattern, use the wildcard operator *** in your query to match any string. You can use the operator in property names, property values, tag names and tag values.
Possible wildcard statements
| Statement type | Syntax | Description |
|---|---|---|
| begins with | abc* | begins with "abc" |
| ends with | *abc | ends with "abc" |
| begins and ends | abc*xyz | begins with "abc" and ends with "xyz" |
Notes: To search for the asterisk symbol, surround the string in double quotes, so that it won't have any special meaning. If the string itself contains double quotes, escape them with a backslash.
Examples for using wildcards:
| Query | Description |
|---|---|
| AWS.EC2.Instance has PrivateIpAddress = 10.0.1.* | EC2 Instances from the 10.0.1.x subnet. |
| AWS.IAM.PolicyStatement HAS Principal = {"Federated":* | PolicyStatement with principal property starting with {"Federated": |
Examples for escaping the wildcard operator:
| Query | Description |
|---|---|
| AWS.IAM.PolicyStatement HAS Action = "*" | Policy statement valid for all actions. |
| AWS.IAM.PolicyStatement HAS Principal = "{"AWS":"*"}" | Policy statement with Principal equal to {"AWS":"*"}. |
Search for related resources
To find related resources use the relationship operator -> to search for relationships between two sets of resources. To find resources that are not related, use the inverted relationship operator !->
Examples:
| Query | Description |
|---|---|
| AWS.EC2.Instance has region=us-east-1 → AWS.EC2.Volume HAS Encrypted = false | EC2 Instances with unencrypted Volumes |
| AWS.EC2.Volume !-> AWS.EC2.Instance | Volumes that are not attached to an EC2 instance. |
Count search results
To count the results of a search, add count(pname) at the end of the search query. This type of aggregation is supported for queries that don't include the relationship operator.
Examples:
| Query | Description |
|---|---|
| AWS.EC2.Instance HAS StateName=Running and pn(PublicIpAddress) count(region) | Running EC2 Instances with a public IP address by region |
| Azure.Compute.VirtualMachine has PowerState = PowerState/running count(ResourceGroup) | Running Azure VMs counted by resource group |
| GCP.Compute.Instance HAS pn(ExternalIPAddresses) count(region) | GCP Compute instances with external IP by region |
Syntax rules
Using double quotes
The usage of double quotes around strings is optional in most cases. However, double quotes are required if the string contains special characters that may cause ambiguity during parsing.
Examples:
| Query | Description |
|---|---|
| tag.Project = Stardeck | This is equivalent to tag.Project = "Stardeck". Double quotes are not required |
| tag.Project = "Stardeck(1)" | Double quotes are required because of the brackets. Otherwise the query is invalid. |
| tag.Description = "This is a descripion with spaces" | Double quotes are required because of the spaces |
| tag.Description = "This is a descripion with spaces and special characters !@#$%^&*()_+[]" | Double quotes are required, so each of the special characters is interpreted literally |
| tag.Description = "This is a descripion with spaces and "quotes"" | Double quotes are required and the quotes need to be escaped with a backslash. |
