sonar-ip-addresses
Queries the list of IP addresses registered as assets. When run without options, it returns all registered asset IPs. When the cve option is used, it returns only the asset IPs that have a specific CVE vulnerability registered.
Command properties
| Item | Description |
|---|---|
| Command type | Driver query |
| Required permission | None |
| License usage | Not counted |
| Parallel execution | Not supported |
| Distributed execution | Not supported |
Syntax
Options
- cve=STR: Returns only asset IPs that have the specified CVE ID registered as a vulnerability. Specify in CVE-YYYY-NNNNN format.
Output fields
| Field | Type | Description |
|---|---|---|
| guid | string | Asset IP GUID |
| ip | string | IP address |
| category_name | string | Asset category name |
| category_guid | string | Asset category GUID |
| hostname | string | Hostname |
| workgroup | string | Workgroup or domain |
| description | string | Asset description |
| priority | integer | Asset priority |
| emp_name | string | Primary contact name |
| emp_name2 | string | Secondary contact name |
| emp_guid | string | Primary contact GUID |
| emp_guid2 | string | Secondary contact GUID |
| emp_key | string | Primary contact key |
| emp_key2 | string | Secondary contact key |
| dept_name | string | Primary contact department name |
| dept_name2 | string | Secondary contact department name |
| os_name | string | Operating system name |
| os_ver | string | Operating system version |
| confidentiality | integer | Confidentiality rating (CIA triad) |
| integrity | integer | Integrity rating (CIA triad) |
| availability | integer | Availability rating (CIA triad) |
| created | timestamp | Asset registration timestamp |
| updated | timestamp | Asset last modified timestamp |
| mac | string | MAC address |
| location | string | Asset location |
| installed | timestamp | Installation date |
| site_name | string | Site name |
| site_guid | string | Site GUID |
| ext0 – ext9 | string | User-defined extension fields 0 through 9 |
Error codes
Parse errors
| Error code | Message | Description |
|---|---|---|
| 300101 | Invalid sonar session. | Raised when executed in an invalid session |
| 300142 | Invalid CVE ID format. | Raised when the cve option value is not a valid CVE ID format |
Runtime errors
N/A
Description
sonar-ip-addresses queries IP addresses registered as asset IPs in Sonar. Internally, it retrieves all asset IPs in pages of 1,000 records at a time and returns them sequentially.
When the cve option is used, only asset IPs with the specified CVE vulnerability registered are returned. The CVE ID is case-insensitive and is converted to uppercase internally.
You can combine the results with other event data using join, or use it alongside iplookup to look up detailed information about the asset where an event occurred.
Usage examples
- Query all registered asset IPs
    sonar-ip-addresses
- Query only asset IPs with a specific CVE vulnerability registered
    sonar-ip-addresses cve="CVE-2024-12345" | fields ip, hostname, os_name, os_ver, dept_name
- Join asset IPs with events to look up asset information for events
    table duration=1h sonar_events | join dst_ip [ sonar-ip-addresses | rename ip as dst_ip ] | fields _time, src_ip, dst_ip, hostname, dept_name
- Aggregate the number of asset IPs by operating system
    sonar-ip-addresses | stats count by os_name | sort -count
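An added example, not part of the original documentation: it combines the cve option with the join pattern shown above so that only events whose destination is an asset with the given CVE registered are kept, counted per asset with the owner fields needed for follow-up. It assumes the sonar_events table and dst_ip field from the example above, reuses the page's sample CVE ID, and assumes join keeps only rows that have a match in the subquery.

```logpresso
table duration=1h sonar_events | join dst_ip [ sonar-ip-addresses cve="CVE-2024-12345" | rename ip as dst_ip | fields dst_ip, hostname, os_name, os_ver, dept_name, emp_name, priority ] | stats count by dst_ip, hostname, os_name, os_ver, dept_name, emp_name, priority | sort -count
```

Restricting the subquery with fields keeps the joined rows limited to the asset attributes used in the final grouping.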
Compatibility
The sonar-ip-addresses command is available since version 5.0.2603.0.
Related
- iplookup — Map asset IP information to fields
- sonar-set-ip-address — Register or update asset IP information
- matchnet — Network range-based field mapping