
How to Search in Cloud Agent

Search by Field | Search without field | String matching | Exact matching | Full Text Search | Suffix matching | Prefix matching | Is Null Queries | Range searches | Date searches | Multiple values (In, Not In) | Boolean operators | Nested Queries | Query Limits

Search by Field

Enter the field name, then a colon, then your query. Nested fields are dot separated.

Examples:

openPorts.port: 80

accounts.username: administrator

operatingSystem: win*

Search without Field

When your query doesn’t have a field name we’ll perform the broadest possible search across the attributes of all fields in the asset index (100+ field names). Keep in mind some fields are not included in the asset index, like tag name and vulnerability title, and for those you’ll need to search by field name.

How it works - A search for “win” without a field name will return assets where win appears in the asset name, hostname, operating system, software name, and so on.

Syntax help - Use single quotes or double quotes around your query to match a string. If you want to perform prefix matching or suffix matching using wildcards, you’ll need to search using the field name (see above).

String matching

Use single quotes or double quotes around your query to match a string with more than one word. Note that interfaces.address and software.version are text fields and support string matching.

Examples:

tags.name: "Cloud Agent"

operatingSystem: 'Microsoft Windows'

interfaces.address: 10.10.10.10

software.version: 2.1.7

vulnerabilities.vulnerability.title: "Remote Code Execution Vulnerability"

Example using wildcard: To match the beginning of a value, use an asterisk (*) as a wildcard. For example, to find assets with a name starting with WINDOWS2008 use this query:

name:WINDOWS2008*

Note that wildcards can only be used for prefix and suffix matching (as described below). We do not support substring wildcards, meaning you cannot search for a string in the middle of another string.

Exact matching

Use backticks to exactly match a string. Your results will include any asset with the EXACT value returned.

Examples:

operatingSystem: `Windows 7 Ultimate Service Pack 1`

interfaces.hostname: `xpsp2-jp-26-111`

Full Text Search

Many asset fields containing text allow you to use full text search and advanced search capabilities. If your query does not include quotes (single or double) then we'll perform the broadest search.


Examples:

Show any findings related to this title

vulnerabilities.vulnerability.title: Remote Code Execution

Show any findings that contain "Remote" or "Code" in title

vulnerabilities.vulnerability.title: "Remote Code"

Show any findings that match exact value "Remote Code"

vulnerabilities.vulnerability.title: `Remote Code`

Show any findings that match a nested query. Both sub fields must match in order for an asset to be returned.

vulnerabilities.vulnerability: (title: `Remote Code` AND severity=5)

Suffix matching

Suffix matching is supported when searching assets (on your Assets list) for the fields "name", "tags.name" and "netbiosName". Match asset values "ending in" a string you specify - using a string that starts with *. Matches are case insensitive.

Example: This query matches assets with an asset name ending in "53" like QK2K12QP3-65-53.

name:*53

Example: This query matches assets with tag names ending in "region east" like Region East, region east, Region EAST.

tags.name:*Region East


Suffix and domain matching is supported for the field "interfaces.hostname" but the syntax is different.

Example: These queries match assets with the hostname "com-pa3020-36.eng.sjc01.qualys.com".

interfaces.hostname:qualys.com

interfaces.hostname:sjc01.qualys.com

interfaces.hostname:eng.sjc01.qualys.com

interfaces.hostname:*lys.com

Prefix matching

Prefix matching is supported when searching assets (on your Assets list) using certain text fields. Match asset values "starting with" a string you specify - using a string that ends with *. Matches are case sensitive.

Example: This query matches assets with an asset name starting with "xp" like xpsp2-jp-26-111.

name:xp*

Example: This query matches assets with tag names starting with "Win" like Windows XP, Windows 2012, Windows Hosts.

tags.name:Win*

Example: This query matches assets with a hostname starting with "com-pa30" like com-pa3020-36.eng.sjc01.qualys.com.

interfaces.hostname:com-pa30*

Example: This query matches assets with an operating system starting with "Lin" like Linux 2.4-2.6.

operatingSystem:Lin*
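As an added example (not Qualys's own code), the Python below models the exact, suffix, prefix and hostname-domain rules from the String matching, Exact matching, Suffix matching and Prefix matching sections so a term can be sanity-checked against local values before it is used. The handling of a plain, wildcard-free term on other fields is an assumption noted in the comments; the real full-text rules are not reproduced.

```python
# Fields for which the page says "ending in" (leading '*') matching is available.
SUFFIX_FIELDS = {"name", "tags.name", "netbiosName", "interfaces.hostname"}


def term_predicate(field: str, term: str):
    """Return a value -> bool predicate for one 'field:term' pair.

    `exact`    backtick-quoted: exact, case-sensitive match
    *suffix    leading '*': ends-with, case-insensitive (the page's suffix rule)
    prefix*    trailing '*': starts-with, case-sensitive (the page's prefix rule)
    *mid*      wildcard anywhere else: unsupported by the search, so rejected here
    For interfaces.hostname a bare value also matches as a trailing domain.
    """
    term = term.strip()
    if len(term) >= 2 and term[0] == term[-1] == "`":
        exact = term[1:-1]
        return lambda v: v == exact
    if "*" in term[1:-1] or term.count("*") > 1:
        raise ValueError(f"substring wildcards are not supported: {term!r}")
    if term.startswith("*"):
        if field not in SUFFIX_FIELDS:
            raise ValueError(f"suffix matching is not supported for {field}")
        suffix = term[1:].lower()
        return lambda v: v.lower().endswith(suffix)
    if term.endswith("*"):
        prefix = term[:-1]
        return lambda v: v.startswith(prefix)
    if field == "interfaces.hostname":
        # Domain matching: "qualys.com" hits host.eng.sjc01.qualys.com, on whole labels only.
        dom = term.lower()
        return lambda v: v.lower() == dom or v.lower().endswith("." + dom)
    # Assumption for this model only: a plain term on any other field is compared as a
    # whole value, case-insensitively. The real search applies full-text rules here.
    plain = term.strip("'\"").lower()
    return lambda v: v.lower() == plain


def query_predicate(query: str):
    """Split 'field:term' (field names contain no spaces or colons) and build a predicate."""
    field, sep, term = query.partition(":")
    if not sep or not field.strip():
        raise ValueError(f"expected field:term, got {query!r}")
    return term_predicate(field.strip(), term)


if __name__ == "__main__":
    hit = query_predicate("name:*53")
    print([n for n in ("QK2K12QP3-65-53", "QK2K12QP3-65-54") if hit(n)])
```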

Is Null Queries

Want to match an empty/null value for a field? You'll need to remove the colon and then write "is null". For example, quickly find assets where the OS has not been identified.

Examples:

operatingSystem is null

interfaces.macAddress is null

aws.ec2.accountId is null

Range searches

Ranges are written as [lower .. upper], where each end uses ( ) to exclude the endpoint or [ ] to include it, as shown below. Range searches are supported for numeric and date fields.

Please note that interfaces.address and software.version are text fields (not numeric fields). You cannot perform range searches for these. See String matching to search text fields.

Examples:

openPorts.port:(123 .. 1234)  // Greater than but not equal to 123 and less than but not equal to 1234.

openPorts.port:(123 .. 1234]  // Greater than but not equal to 123 and less than or equal to 1234.

openPorts.port:[123 .. 1234)  // Greater than or equal to 123 and less than but not equal to 1234.

openPorts.port:[123 .. 1234]  // Greater than or equal to 123 and less than or equal to 1234.

openPorts.port > 123  // Greater than 123.

openPorts.port >= 123  // Greater than or equal to 123.

openPorts.port < 1234  // Less than 1234.

openPorts.port <= 1234  // Less than or equal to 1234.

vulnerabilities.firstFound:[2018-01-01 .. 2018-04-01]  // Between January 1st and April 1st 2018.

Date searches

Use a date range [start date .. end date] or a specific date. Several date variables are also available.


Examples:

updated: "2018-10-20"

updated <= "2018-10-20"

updated: ["2018-10-20" .. "2018-10-24"]

updated: [now-3d .. now-1s]
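As an added example (not Qualys's own code), this Python parses the range and comparison forms from the Range searches and Date searches sections, including the bracket inclusivity rules and the now-Nd style date variables, and returns a predicate that can be run over local values. The set of relative units handled (d, h, m, s) and the UTC interpretation of dates are assumptions of this model.

```python
import re
from datetime import datetime, timedelta, timezone

# Query shape: <field><sep><rest>, where sep is ':' (range) or a comparison operator.
_QUERY = re.compile(r"^\s*([\w.]+)\s*(>=|<=|>|<|:)\s*(.+?)\s*$")
# Range shape: one of [lo .. hi], (lo .. hi), [lo .. hi), (lo .. hi].
_RANGE = re.compile(r"^([\[(])\s*(\S+)\s*\.\.\s*(\S+)\s*([\])])$")


def parse_value(text, now):
    """Turn one query literal into a comparable value: an int, or a UTC datetime.
    Accepts optionally quoted YYYY-MM-DD dates and the relative form now-N(d|h|m|s)
    (units assumed for this model). Anything else raises ValueError."""
    text = text.strip("'\"")
    if text.isdigit():
        return int(text)
    m = re.fullmatch(r"now(?:-(\d+)([dhms]))?", text)
    if m:
        if m.group(1) is None:
            return now
        unit = {"d": "days", "h": "hours", "m": "minutes", "s": "seconds"}[m.group(2)]
        return now - timedelta(**{unit: int(m.group(1))})
    return datetime.strptime(text, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def range_query(query, now=None):
    """Parse a range or comparison query and return (field, predicate).
    The predicate takes one field value (int or aware datetime) and reports a hit."""
    now = now or datetime.now(timezone.utc)
    m = _QUERY.match(query)
    if not m:
        raise ValueError(f"not a range or comparison query: {query!r}")
    field, sep, rest = m.groups()
    if sep != ":":
        bound = parse_value(rest, now)
        ops = {">": lambda v: v > bound, ">=": lambda v: v >= bound,
               "<": lambda v: v < bound, "<=": lambda v: v <= bound}
        return field, ops[sep]
    r = _RANGE.match(rest)
    if not r:
        raise ValueError(f"{field}: expected a [lo .. hi] style range, got {rest!r}")
    open_b, lo_t, hi_t, close_b = r.groups()
    lo, hi = parse_value(lo_t, now), parse_value(hi_t, now)
    # '[' / ']' include the endpoint, '(' / ')' exclude it, as the examples above state.
    lo_ok = (lambda v: v >= lo) if open_b == "[" else (lambda v: v > lo)
    hi_ok = (lambda v: v <= hi) if close_b == "]" else (lambda v: v < hi)
    return field, lambda v: lo_ok(v) and hi_ok(v)


if __name__ == "__main__":
    _, hit = range_query("openPorts.port:(123 .. 1234]")
    print([p for p in (123, 124, 1234, 1235) if hit(p)])
```

Text fields such as interfaces.address fail in parse_value with a ValueError, matching the page's note that they cannot be range searched.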

Multiple values (In, Not In)

Use this syntax to match values that are "In" or "Not In" a list for a field. Write a comma-separated list of values within square brackets. It is available for all fields except analyzed fields (i.e. full text search fields). Values must match exactly, and matches are case sensitive.

Example: Find all assets with an operating system value that exactly matches one listed:

operatingSystem:["Cisco IOS Version 12.4(19)","Windows Server 2003 Service Pack 2",Windows]

Example: Find all assets with a name value that exactly matches one listed:

name:[MACMINI-ACA70B,2k8r2-u-10-11,10.10.10.43]

Example: Find all assets with an asset ID value that exactly matches one listed:

assetId:[5301908,10233,2345]

Example: Find all assets with at least one of the CVE IDs listed:

vulnerabilities.vulnerability.cveIds:[CVE-2003-0818,CVE-2002-0126,CVE-1999-1058]

Example: Find all assets with vulnerabilities NOT first found on the dates listed:

NOT vulnerabilities.firstFound:["2018-08-31","2018-09-12"]

Supported date formats:

YYYY example: ["2017","2018"]

YYYY-MM example: ["2018-08","2018-09"]

YYYY-MM-DD example: ["2018-08-31","2018-08-30"]

Analyzed fields (i.e. full text search fields) are not supported, for example:

vulnerabilities.vulnerability.description

vulnerabilities.vulnerability.solution

vulnerabilities.vulnerability.consequence

Boolean Operators

Use keywords AND, OR, NOT to narrow or broaden your search. Note that there is a maximum query depth, and that using NOT with vulnerability queries has special behavior.


Examples:

operatingSystem: windows OR operatingSystem: linux

(operatingSystem: windows OR operatingSystem: linux) AND (openPorts.port: 80 OR openPorts.port: 8080)

AND NOT updated <= "2018-10-20"

Nested Queries

Use a single nested query, with parentheses, to combine conditions on several sub fields of one object, as in the examples below.


Example: Find vulnerabilities that are severity 5 and are confirmed

vulnerabilities: (vulnerability.severity: 5 AND typeDetected: "Confirmed")

Example: Find vulnerabilities that are severity 5, have Easy Exploit RTI, and first found in the last 5 days:

vulnerabilities: (vulnerability.severity: 5 AND vulnerability.threatIntel.easyExploit: true AND firstFound > now-5d)

Example: Find assets with port 80 open over TCP

openPorts: (port: 80 AND protocol: TCP)

Example: Find assets where the Windows Time service is running

service: (name: Windows Time AND status: running)

Query Limits

Maximum query length allowed: 4096 characters

Maximum field value length allowed: 256 characters

Good to know:

- If your query exceeds a limit, an error message is shown and you won't get search results

- These query limits apply to queries created using these apps: AV, TP, CA, VM dashboard

- Spaces in between characters are counted as characters