asset
Create an asset investigation view with identity resolution, showing a unified timeline of all activity for a host, user, or IP address.
Description
The asset command builds an interactive investigation view that automatically resolves related identities (IPs, hostnames, users, MACs) and correlates all events across those identities within the time window. This gives you a complete picture of asset activity regardless of which identifier appears in each log source.
Syntax
... | asset [field=<field>] [sections=<list>] [max_age=<duration>]
Optional Arguments
field
Syntax: field=<field>
Description: Identity field to use for resolution. Auto-detected from the search if not specified.
Values: src_ip, src_host, user, src_mac
Default: Auto-detected
sections
Syntax: sections=<comma-separated list>
Description: Which sections to include in the view.
Values: network, process, auth, file, dns, alert
Default: All sections
max_age
Syntax: max_age=<duration>
Description: Maximum age for identity resolution lookups.
Default: 14d
Identity Resolution
The asset command automatically resolves related identities using nano's identity observation data. If you search for a hostname, it finds all associated IPs, users, and MAC addresses observed during the time window.
For example, searching for workstation-jsmith might resolve to:
- IPs: 192.168.1.100, 10.0.0.50
- Hostnames: workstation-jsmith, workstation-jsmith.corp.local
- Users: jsmith, CORP\jsmith
- MACs: 00:50:56:aa:bb:cc
Events are then correlated across all resolved identities.
Timeline View
The asset view displays:
- Profile Card — Primary identifier, all resolved identities, first/last seen times. When investigating a user, this is automatically enriched with identity provider data (see below).
- Activity Histogram — Event volume over time with interactive brushing
- Prevalence Chart — First-seen artifacts and rarity indicators (clickable to filter)
- Event Timeline — Chronological list of all events, grouped by date
User Investigation
When the primary identifier is a user field (user="jsmith" | asset), the profile card is automatically enriched with data from configured identity providers (Entra ID, Google Workspace, etc.). This gives SOC analysts immediate context about the user without leaving the investigation.
User Profile Card
The enriched profile card displays:
- Display name and email — Full name and email from the identity provider
- Department — Organizational unit
- Title — Job title
- Manager — Direct manager (clickable to pivot to their asset view)
- Account status — Active, disabled, or suspended
- MFA status — Whether multi-factor authentication is enabled
- Groups — Directory group memberships (first 5 shown, expandable)
- Risk score — Aggregated risk score from detection signals
- Resolved identities — All associated IPs, hostnames, and MAC addresses
Requirements
User profile enrichment requires at least one identity provider configured in Settings → Identity Providers. Without a configured provider, the asset view falls back to the standard host-style profile card showing only resolved identities and first/last seen times.
Examples
user="jsmith" | asset
user="alice@corp.com" | asset
user="CORP\admin" | asset field=user
Event Type Categories
Events are automatically categorized:
| Category | Description | Example Sources |
|---|---|---|
| NETWORK_CONNECTION | Outbound/inbound connections | Firewall, EDR, Proxy |
| PROCESS_LAUNCH | Process execution | Sysmon, EDR |
| AUTH_SUCCESS / AUTH_FAILURE | Authentication events | Windows Security, SSO |
| FILE_CREATION / FILE_OPEN | File operations | EDR, DLP |
| DNS_QUERY | DNS lookups | DNS logs, EDR |
| NETWORK_INFO | DHCP, network adapter changes | DHCP, Infoblox |
| ALERT | Detection signals | nano signals |
Filtering
The asset view includes built-in filters:
- Event Type — Toggle categories (process, network, auth, etc.)
- Source — Filter by log source (defender_edr, sysmon, etc.)
- User — Filter by associated user
- Text Search — Search within event fields
- Time Slider — Narrow the time window
Drilldown with Identity Context
When you click on a field value in the asset view to drill down, nano automatically includes the identity context. Clicking on dest_host="pastebin.com" produces:
(src_ip="192.168.1.100" OR src_host="workstation-jsmith" OR src_host="workstation-jsmith.corp.local") dest_host="pastebin.com"
This ensures your drilldown search stays scoped to the asset you're investigating.
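The following Python is an added illustration of the two mechanisms described under Identity Resolution and in this section; it is not nano's code and not taken from this page. It resolves a seed identifier into the set of related IPs, hostnames, users and MACs by walking observations that fall inside the search window extended backwards by max_age (the reading of "search time range plus max_age" assumed here), correlates events across every resolved identity, and builds the scoped drilldown query shown above. The observation and event records are constructed, the "14d"-style duration parser, the quoting rules for the query language, and the choice of src_ip/src_host as the scoping fields (taken from the example above) are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data, not product output. An observation records that two
# identifiers were seen together at one moment: a DHCP lease ties MAC to IP, a
# logon ties user to host, and so on. Field names follow the page.
OBSERVATIONS = [
    ("2024-05-01T08:00:00", "src_mac", "00:50:56:aa:bb:cc", "src_ip", "192.168.1.100"),
    ("2024-05-01T08:01:00", "src_ip", "192.168.1.100", "src_host", "workstation-jsmith"),
    ("2024-05-01T08:01:30", "src_host", "workstation-jsmith", "src_host", "workstation-jsmith.corp.local"),
    ("2024-05-01T09:00:00", "src_host", "workstation-jsmith", "user", "jsmith"),
    ("2024-05-01T09:00:05", "user", "jsmith", "user", "CORP\\jsmith"),
    # Older than max_age relative to the search window below: must not be merged in.
    ("2024-04-02T10:00:00", "src_host", "workstation-jsmith", "src_ip", "10.0.0.50"),
    # DHCP lease reassigned after the window: 192.168.1.100 now belongs to another host.
    ("2024-05-03T12:00:00", "src_ip", "192.168.1.100", "src_host", "workstation-bob"),
]

# Constructed events from different log sources, each carrying only one identifier.
EVENTS = [
    {"ts": "2024-05-01T09:15:00", "source": "sysmon", "src_host": "workstation-jsmith", "user": "jsmith"},
    {"ts": "2024-05-01T09:16:00", "source": "proxy", "src_ip": "192.168.1.100", "dest_host": "pastebin.com"},
    {"ts": "2024-05-01T09:20:00", "source": "dns", "src_ip": "10.0.0.50", "query": "update.example"},
    {"ts": "2024-05-03T12:30:00", "source": "proxy", "src_ip": "192.168.1.100", "dest_host": "example.org"},
]

_UNITS = {"d": timedelta(days=1), "h": timedelta(hours=1), "m": timedelta(minutes=1)}


def parse_duration(text):
    """Parse a duration in the page's form, e.g. '14d' (suffixes d/h/m assumed)."""
    return int(text[:-1]) * _UNITS[text[-1]]


def _t(s):
    return datetime.fromisoformat(s)


def resolve_identities(seed_field, seed_value, start, end, max_age="14d"):
    """Return {field: set(values)} reachable from the seed over observations made
    between start - max_age and end (assumed meaning of 'search range plus max_age')."""
    lookback, window_end = _t(start) - parse_duration(max_age), _t(end)
    graph = defaultdict(set)
    for ts, f1, v1, f2, v2 in OBSERVATIONS:
        if lookback <= _t(ts) <= window_end:
            graph[(f1, v1)].add((f2, v2))
            graph[(f2, v2)].add((f1, v1))
    seen = {(seed_field, seed_value)}          # breadth-first transitive closure
    queue = deque(seen)
    while queue:
        for nxt in graph[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    resolved = defaultdict(set)
    for field, value in seen:
        resolved[field].add(value)
    return dict(resolved)


def correlate_events(resolved, start, end):
    """Events inside the search window that carry any resolved identity."""
    s, e = _t(start), _t(end)
    return [ev for ev in EVENTS
            if s <= _t(ev["ts"]) <= e
            and any(ev.get(field) in values for field, values in resolved.items())]


def _quote(value):
    # Assumed escaping for the query language: backslash and double quote.
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def drilldown_query(resolved, field, value, scope_fields=("src_ip", "src_host")):
    """Scope a drilldown on field=value to the asset, in the shape of the page's example."""
    terms = [f"{f}={_quote(v)}" for f in scope_fields for v in sorted(resolved.get(f, ()))]
    return f"({' OR '.join(terms)}) {field}={_quote(value)}"


if __name__ == "__main__":
    window = ("2024-05-01T00:00:00", "2024-05-02T00:00:00")
    ids = resolve_identities("src_host", "workstation-jsmith", *window)
    for field, values in sorted(ids.items()):
        print(field, sorted(values))
    for ev in correlate_events(ids, *window):
        print(ev["ts"], ev["source"])
    print(drilldown_query(ids, "dest_host", "pastebin.com"))
```

Two things worth noticing when running it: the DNS event from 10.0.0.50 is dropped because that association is older than max_age, and the proxy event on 3 May is dropped because it lies outside the search window even though the IP matches. Conversely, investigating workstation-bob on 3 May with the default 14d lookback pulls in workstation-jsmith through the recycled lease, while max_age="1d" does not; on DHCP-heavy segments a long max_age can merge a prior lease holder into the asset, so tune it to the lease lifetime.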
Prevalence Integration
Click on artifacts in the prevalence chart to filter the timeline:
- Click a domain/hash to show only events involving that artifact
- "First seen" and "Rare" indicators help identify anomalies
- Clear the filter by clicking the X in the timeline header
Examples
Investigate a host
src_host="workstation-42" | asset
Investigate by IP
src_ip="192.168.1.100" | asset
Investigate a user
user="jsmith" | asset
Specify the identity field explicitly
* | where src_host="workstation-42" | asset field=src_host
Limit to specific sections
src_host="server-01" | asset sections=network,process,auth
Full investigation of a compromised host
src_host="workstation-42" | asset
Investigate lateral movement from an IP
src_ip="10.1.1.50" | asset
Usage Notes
Identity resolution: The command automatically resolves all related identities (IPs, hostnames, users, MACs) observed during the time window, giving a complete view regardless of which identifier appears in each log source.
Performance: Works best with a single asset. Use search expressions to narrow to one host/user/IP before piping to asset.
Time window: Identity resolution uses the search time range plus max_age to find associated identities.
Related Commands
- resolve_identity - Resolve IPs to hostnames/users without the investigation view
- prevalence - Filter or enrich based on artifact prevalence
- tree - Visualize hierarchical process or web relationships