A complete list of tokens for writing search queries is provided below.
General | AWS EC2 | IBM | Microsoft Azure | Google Cloud Platform | Alibaba Cloud Platform | Assets | Oracle Cloud Compute Instance
and
Example
Show findings with AWS EC2 accountId and availability zone
aws.ec2.accountId: 123456789012 and aws.ec2.availabilityZone: us-east-1a
not
Example
Show findings that are not specific AWS instance type
not aws.ec2.instanceType: t2.micro
or
Example
Show findings with one of these aws tag values
aws.tag: Finance or aws.tag: Accounting
Quick links: AWS EC2 | Microsoft Azure | Google Cloud Platform | Alibaba Cloud Platform | Assets | Threat Protection | Compliance
Use these tokens when searching your AWS EC2 assets on the Assets list.
- Your results may return Terminated instances. It's recommended you include aws.ec2instanceState in your query to reduce the number of results.
- The syntax is different when writing queries for tag rules than when searching assets in the Assets list. Be sure to follow the syntax tips in the drop-down when writing your query.
Examples
Find EC2 instances that match this account ID
aws.ec2.accountId: 123456789012
Find EC2 instances with account ID starting "12345"
aws.ec2.accountId: 12345*
Find EC2 instances where account ID is null (remove the colon)
aws.ec2.accountId is null
Example
Find EC2 instances in the us-east-1a availability zone
aws.ec2.availabilityZone: us-east-1a
Examples
Show findings with a cloud agent
aws.ec2.hasAgent: true
Show findings without a cloud agent
aws.ec2.hasAgent: false
Examples
Find instances related to name
aws.ec2.hostname: abc.qualys.com
Find instances that match exact value
aws.ec2.hostname: `abc.qualys.com`
Examples
Find instances related to the Image ID
aws.ec2.imageId: ami-2ea83347
Find instances that match exact value
aws.ec2.imageId: `ami-2ea83347`
Example
Find EC2 instances with this ID
aws.ec2.instanceId: i-1234567890abcdef0
Example
Find running EC2 instances
aws.ec2.instanceState: RUNNING
Example
Find EC2 instances with instance type t2.micro
aws.ec2.instanceType: t2.micro
Examples
Show findings where assets are scanners
aws.ec2.isQualysScanner: true
Show findings where assets are not scanners
aws.ec2.isQualysScanner: false
Example
Find EC2 instances with this kernel ID
aws.ec2.kernelId: aki-70ab0c10
Examples
Find EC2 instances launched within certain dates
aws.ec2.launchDate: [2017-06-15 ... 2017-06-30]
Find EC2 instances launched on specific date
aws.ec2.launchDate:'2017-08-15'
Example
Find the EC2 instance with this private DNS address
aws.ec2.privateDns: ip-10-90-2-85.ec2.internal
Examples
Find EC2 instances with this private IP address
aws.ec2.privateIpAddress: 10.90.0.119
Find EC2 instances within this IP range
aws.ec2.privateIpAddress: [10.1.78.23 ... 10.100.78.235]
Example
Find the EC2 instance with this public DNS address
aws.ec2.publicDns: ec2-52-70-141-154.compute-1.amazonaws.com
Examples
Find EC2 instances with this public IP address
aws.ec2.publicIpAddress: 52.70.141.154
Find EC2 instances within this IP range
aws.ec2.publicIpAddress: [52.70.141.154 ... 52.70.141.164]
Example
Find EC2 instances in the us-east-1 region
aws.ec2.region.code: us-east-1
Example
Find EC2 instances in the US East (N. Virginia) region
aws.ec2.region.name: US East (N. Virginia)
Examples
Show EC2 Spot instances
aws.ec2.spotInstance: "true"
Show EC2 instances that are not Spot instances
aws.ec2.spotInstance: "false"
Example
Find EC2 instances with this subnet ID
aws.ec2.subnetId: subnet-bc02c0d4
Example
Find EC2 instances with this VPC ID
aws.ec2.vpcId: vpc-1e37cd76
Example
Find EC2 instances with an AWS tag with key "abc" and value "xyz"
aws.tag: (key:abc and value:xyz)
Examples
Find EC2 instances with key "devops"
aws.tag.key: devops
Find EC2 instances with key starting "dev"
aws.tag.key: dev*
Find EC2 instances with key ending "ops"
aws.tag.key: *ops
Examples
Find EC2 instances with tag value "dailybuild"
aws.tag.value: dailybuild
Find EC2 instances with tag value starting "daily"
aws.tag.value: daily*
Find EC2 instances with tag value ending "build"
aws.tag.value: *build
Use these token when searching IBM assets on the Assets list.
Example
Find IBM instances with this tag name
ibm.tag.name: name:abc
Example
Find IBM instances with this tag value
ibm.tag.value: 'centos7'
Example
Find IBM virtual server with this Id
ibm.virtualServer.id: '123741814'
Example
Find IBM virtual server with this location
ibm.virtualServer.location: 'dal13'
Example
Find IBM virtual server datacenter with this Id
ibm.virtualServer.datacenterId: '1854895'
Example
Find IBM virtual server with this device name
ibm.virtualServer.deviceName: 'virtualserver01.Qualys-Inc.cloud'
Example
Find IBM virtual server with this public IP address
ibm.virtualServer.publicIpAddress: '150.238.75.107'
Example
Find IBM virtual server with this private IP address
ibm.virtualServer.privateIpAddress: '10.187.94.40'
Example
Find IBM virtual server with this public vlan
ibm.virtualServer.publicVlan: '1796'
Example
Find IBM virtual server with this private vlan
ibm.virtualServer.privateVlan: '2236'
Example
Find IBM virtual server with this domain
ibm.virtualServer.domain: 'Qualys-Inc.cloud'
Use these tokens when searching Microsoft Azure assets on the Assets list.
Example
Find Azure instances with a tag with name "abc" and value "xyz"
azure.tag: (name:abc and value:xyz)
Examples
Find Azure instances with name "devops"
azure.tag.name: devops
Find Azure instances with name starting "dev"
azure.tag.name: dev*
Find Azure instances with name ending "ops"
azure.tag.name: *ops
Examples
Find Azure instances with tag value "dailybuild"
azure.tag.value: dailybuild
Find Azure instances with tag value starting "daily"
azure.tag.value: daily*
Find Azure instances with tag value ending "build"
azure.tag.value: *build
Examples
Find Azure instances related to name
azure.vm.imageOffer: UbuntuServer
Find Azure instances that match exact value
azure.vm.imageOffer: `UbuntuServer`
Examples
Find Azure instances related to name
azure.vm.imagePublisher: Canonical
Find Azure instances that match exact value
azure.vm.imagePublisher: `Canonical`
Example
Find Azure instances with this sku version
azure.vm.imageVersion: 16.04.201708030
Example
Find Azure instances in this location
azure.vm.location: westus
Example
Find Azure instances with this MAC address
azure.vm.macAddress: '000D3A36DDED'
Examples
Find Azure instances related to name
azure.vm.name: avset2
Find Azure instances that match exact value
azure.vm.name: `avset2`
Example
Find Azure instances on Windows platform
azure.vm.platform: Windows
Examples
Find Azure instances with this private IP
azure.vm.privateIpAddress: 10.1.2.5
Find Azure instances within this IP range
azure.vm.privateIpAddress: [10.1.2.5 ... 10.1.2.33]
Examples
Find Azure instances with this virtual network
azure.vm.virtualNetwork: `mburton01-vnet`
Examples
Find Azure instances with this public IP
azure.vm.publicIpAddress: 13.126.125.189
Find Azure instances within this IP range
azure.vm.publicIpAddress: [13.126.125.180 ... 13.126.125.255]
Examples
Find Azure instances related to name
azure.vm.resourceGroupName: my-eastus-rg
Find Azure instances that match exact value
azure.vm.resourceGroupName: `my-eastus-rg`
Example
Find Azure instances with this size
azure.vm.size: Standard_D1
Example
Find running Azure instances
azure.vm.state: RUNNING
Example
Find Azure instances with this subnet
azure.vm.subnet: 10.1.2.0
Example
Find Azure instances with this subscription ID
azure.vm.subscriptionId: fbb9ea64-abda-452e-adfa-83442409
Example
Find Azure instances with this ID
azure.vm.vmId: 13f56399-bd52-4150-9748-7190aae1ff21
Use these tokens when searching Google Cloud Platform assets on the Assets list.
Examples
Find GCP instances related to name
gcp.compute.hostname: instance-5.c.qvsa-dev.internal
Find GCP instances that match exact value
gcp.compute.hostname: `instance-5.c.qvsa-dev.internal`
Example
Find GCP instances with this ID
gcp.compute.instanceId: 4392196237934605253
Example
Find GCP instances with this MAC address
gcp.compute.macAddress: '000D3A36DDED'
Examples
Find GCP instances related to name
gcp.compute.machineType: n1-standard-1
Find GCP instances that match exact value
gcp.compute.machineType: `n1-standard-1`
Example
Find GCP instances with this network
gcp.compute.network: 000D3A36DDED
Examples
Find GCP instances with this private IP
gcp.compute.privateIpAddress: 10.240.0.7
Find GCP instances with this private IP range
gcp.compute.privateIpAddress: [10.240.0.7 ... 10.240.0.30]
Examples
Find GCP instances related to ID
gcp.compute.projectId: qvsa-dev
Find GCP instances that match exact value
gcp.compute.projectId: `qvsa-dev`
Examples
Find GCP instances related to this number
gcp.compute.projectNumber: 1035365309337
Find GCP instances that match exact value
gcp.compute.projectNumber: `1035365309337`
Examples
Find GCP instances with this public IP
gcp.compute.publicIpAddress: 104.196.57.216
Find GCP instances within this IP range
gcp.compute.publicIpAddress: [104.196.57.216 ... 104.196.57.218]
Examples
Find GCP instances related to name
gcp.compute.zone: us-east1-d
Find GCP instances that match exact value
gcp.compute.zone: `us-east1-d`
Examples
Find running GCP instances
gcp.compute.state: RUNNING
Use these tokens when searching Alibaba Cloud Platform assets on the Assets list.
Examples
Find instances with a cloud agent
alibaba.instance.hasAgent: "true"
Show instances which do not have cloud agent installed
alibaba.instance.hasAgent: "false"
Example
Find instances with given ID
alibaba.instance.instanceId: i-a2dxxxxsxxxxxhdfax
Example
Find alibaba cloud instances with given instance type
alibaba.instance.instanceType: ecs.t5-lc2m1.nano
Examples
Find instances in a RUNNING state
alibaba.instance.instanceState: "RUNNING"
Example
Find instances related to the given image ID
alibaba.instance.imageId: ubuntu_14_0405_64_20G_alibase_20170824.vhd
Examples
Find instances with the given alibaba account ID
alibaba.instance.accountId: 587xxxxxxx
Examples
Find instances that belong to the given serial number
alibaba.instance.serialNumber: 12trexxxxr-3xx-xxx-rtg4-xxxx6t45
Example
Find instances that belong to the given region code
alibaba.instance.region.id: "ap-south-1"
Example
Find instances that belong to the given region name
alibaba.instance.regionName: "India (Mumbai)"
Example
Find instances that belong to the given zone ID
alibaba.instance.zoneId: ap-south-1b
Example
Find instances that belong to the given VPC ID
alibaba.instance.vpcId: vpc-a2d6pxxxxvvdadd5yikj
Examples
Find instances that are associate with the given hostname
alibaba.instance.hostName: abc.qualys.com
Example
Find instances that are associated with the given DNS configurations
alibaba.instance.dnsServer:100.xxx.x.xxx
Examples
Find instances with the given private IP address.
alibaba.instance.privateIpAddress:192.168.XX.XX
Find instances with the given private IP address
alibaba.instance.privateIpAddress: [192.168.XX.XX.....192.168.XX.XX]
Example
Find instances with the given public IP address
alibaba.instance.publicIpAddress:149.xx.xx.xx
Find instances with the given public IP address
alibaba.instance.publicIpAddress: [149.xx.xx.xx... 149.xx.xx.xx]
Example
Find instances with the given MAC address
alibaba.instance.macAddress: 00:16:3e:0f:XX:XX
Example
Find instances belonging to given CIDR block of VPC network
alibaba.instance.vpcCidrBlock: 172.xx.x.x/16
Example
Find instances connected with the give vSwicth ID
alibaba.instance.vswitchId: vsw-a2dxxxoxxxxsqx1mxxxdd
Examples
Find instances connected with the given interface ID
alibaba.instance.interfaceId: eni-a2dxxxxaixxxtux572
Example
Find instances connected the given CIDR block of vSwitch
alibaba.instance.vswitchCidrBlock:192.168.XX.XX/24
Example
Choose the network type to find cloud instances
alibaba.instance.networkType:vpc
All tokens below are available with AssetView.
Example
Show assets with this exact username (case sensitive)
account.username: Administrator
Show assets with username starting with "Admin" (case sensitive)
account.username: Admin
Examples
Show assets activated for VM
sensor.activatedForModules: "VM"
Show assets activated for VM and PA/PC
sensor.activatedForModules: "VM" AND sensor.activatedForModules: "PC"
Example
Show assets with agents activated using this key
agent.activations.key: 057cc48a-8d84-48eb-add4-97a605d0567d
Example
Show assets with active agents
agent.activations.status: ACTIVE
Examples
Show assets with active agents, where the Agent has communicated in last 48 hours
agent.status: "ACTIVE"
Show assets with inactive agents, where the Agent has not communicated in last 48 hours
agent.status: "INACTIVE"
Example
Show the asset with this agent ID
agentID: f0c8e682-e9cc-4e7d-b92a-0c905d81ec74
Example
Show findings with agent version 1.3.2.0
agent.version: 1.3.2.0
Select the platform type to search the assets based on operating system of host asset.
Example
Show the list of assets with Windows platform.
platform.type:'Windows'
>Examples
Show any findings related to profile name
agent.configurationProfile: Initial Profile
Show any findings that contain parts of the name
agent.configurationProfile: "Initial Profile"
Show any findings that match exact value
agent.configurationProfile: `Initial Profile`
asset.cpuCountUse an integer value ##### to help you find assets with some number of CPUs.Example
Show assets that have 2 CPUs
asset.cpuCount: 2
agent.connectedFromUse a text value ##### to define the external IP address a cloud agent connected from.Example
Show findings for an external IP address that an agent connected from
agent.connectedFrom: 10.0.100.11
asset.createdDateUse a date range or specific date to define when assets were asset.createdDate (i.e. when first scanned by a scanner appliance, or when agent was installed).Examples
Show assets asset.createdDate within certain dates
asset.createdDate: [2016-01-01 ... 2016-01-10]
Show assets asset.createdDate starting 2015-10-01, ending 1 month ago
asset.createdDate: [2015-10-01 ... now-1M]
Show assets asset.createdDate starting 2 weeks ago, ending 1 second ago
asset.createdDate: [now-2w ... now-1s]
Show assets asset.createdDate on specific date
asset.createdDate:'2016-01-08'
agent.errorStatusUse the values true | false to define agents with or without error status.Example
Show agents with error status
agent.errorStatus: "true"
agent.fimCapableUse the values true | false to define whether or not agents are FIM capable. agent.fimCapable search is not supported for all operating systems. Check the Cloud Agent Getting Started Guide for platform/OS support.Examples
Show agents that are FIM capable and activated for FIM
agent.fimCapable: "true"
Show agents that are not FIM capable but can be upgraded to FIM capability
agent.fimCapable: "false"
asset.hostIdUse an integer value ##### to help you find the asset with a certain Qualys host ID (UUID), assigned by an agent or a scanner appliance when Agentless Tracking is used.Example
Show assets that have this host ID
asset.hostId: 2918869
asset.interface.addressUse a text value ##### to define an IP address (IPv4 of IPv6) you're interested in. Note that you cannot perform a range search since this is a text field.Examples
Show the asset with IPv4 address
asset.interface.address: 10.10.100.20
Show the asset with IPv6 address (enclose value in single quotes)
asset.interface.address: 'fe80:0:0:0:2501:b53c:4139:404b'
asset.interface.dnsAddressUse a text value ##### to define a DNS address you're interested in.Example
Show the asset with DNS address 10.0.100.11
asset.interface.dnsAddress: 10.0.100.11
asset.interface.gatewayAddressUse a text value ##### to help you find assets with a certain default gateway address.Example
Show assets with this default gateway address
asset.interface.gatewayAddress: 10.11.65.1
asset.interface.hostnameFind the hostname you're looking for. Search by domain name, use backticks for exact matching, or enter a partial value with an asterisk (*) for suffix/prefix matching.Examples
Show any findings related to name
asset.interface.hostname: xpsp2-jp-26-111
Show any findings related to name (we'll match super domains)
asset.interface.hostname: com-pa3020-36.eng.sjc01.qualys.com
Show any findings that match exact value
asset.interface.hostname: `xpsp2-jp-26-111`
asset.interface.hostname: `com-pa3020-36.eng.sjc01.qualys.com`
Show any findings that match domain name
asset.interface.hostname: qualys.com
asset.interface.hostname: sjc01.qualys.com
asset.interface.hostname: eng.sjc01.qualys.com
Show any findings starting with string (case sensitive)
asset.interface.hostname: xp*
asset.interface.hostname: com-pa30*
Show any findings ending with string
asset.interface.hostname: *111
asset.interface.hostname: *lys.com
asset.interface.nameUse a text value ##### to help you find a certain interface name.Example
Show the asset with name PRO/1000
asset.interface.name: PRO/1000
asset.interface.macAddressUse values within quotes to help you find a MAC address you're interested in.Example
Show the asset with this MAC address
asset.interface.macAddress: "00-50-56-A9-73-5A"
agent.lastActivityDateUse a date range or specific date to define when the last activity on the agent occurred.Examples
Show findings with last activity within certain dates
agent.lastActivityDate: [2016-01-01 ... 2016-01-10]
Show findings with last activity starting 2015-10-01, ending 1 month ago
agent.lastActivityDate: [2015-10-01 ... now-1M]
Show findings with last activity starting 2 weeks ago, ending 1 second ago
agent.lastActivityDate: [now-2w ... now-1s]
Show findings with last activity on a specific date
agent.lastActivityDate:'2015-12-01'
agent.lastCheckedInDateUse a date range or specific date to define when the asset was last checked in to the platform.Examples
Show findings with last check in within a specific date range.
agent.lastCheckedInDate:[2020-01-01 ... 2020-01-10]
Show findings with last check in starting 2019-11-01, ending 1 month ago.
agent.lastCheckedInDate:[2019-11-01 ... now-1M]
Show findings with last check in starting 2 weeks ago, ending 1 second ago
agent.lastCheckedInDate:[now-2w ... now-1s]
Show findings with last check in on a specific date
agent.lastCheckedInDate:'2020-02-11'
Show findings with last check in before (older than) last 30 days.
agent.lastCheckedInDate<now-30d
Note: We recommend not to use the NOT operator in your range search to form a query like NOT agent.lastCheckedInDate:[now-30d...now-2s]. See 'QQL Best Practices' topic in the Unified Dashboard online Help.
Show findings with last check in within last 30 days excluding day 30
agent.lastCheckedInDate>now-30d
Show findings with last check in within last 30 days including day 30
agent.lastCheckedInDate>=now-30d
Show findings with last check in which is older than last 30 days excluding day 30
agent.lastCheckedInDate<now-30d
Show findings with last check in which is older than last 30 days including day 30
agent.lastCheckedInDate<=now-30d
sensor.lastComplianceScanDateUse a date range or specific date to define when compliance scans were last conducted.Examples
Show findings with last compliance scan within certain dates
sensor.lastComplianceScanDate: [2017-01-01 ... 2017-03-31]
Show findings with last compliance scan starting 2016-10-15, ending 1 month ago
sensor.lastComplianceScanDate: [2016-10-15 ... now-1M]
Show findings with last compliance scan starting 2 weeks ago, ending 1 second ago
sensor.lastComplianceScanDate: [now-2w ... now-1s]
Show findings with last compliance scan on specific date
sensor.lastComplianceScanDate:'2017-02-18'
sensor.lastFullScanDateUse a date range or specific date to define when full scans (assessments) were last conducted using Cloud Agent (CA).Examples
Show findings with last full scan within certain dates
sensor.lastFullScanDate: [2016-01-01 ... 2016-01-10]
Show findings with last full scan starting 2015-10-01, ending 1 month ago
sensor.lastFullScanDate: [2015-10-01 ... now-1M]
Show findings with last full scan starting 2 weeks ago, ending 1 second ago
sensor.lastFullScanDate: [now-2w ... now-1s]
Show findings with last full scan on a specific date
sensor.lastFullScanDate:'2016-02-08'
agent.lastInventoryDateUse a date range or specific date to define when inventory scans were last conducted by agents. We recommend lastInventoryDate for date range queries using parameters i.e. [now-1M ... now-1s]Examples
Show findings with last inventory scan within certain dates
agent.lastInventoryDate: [2018-06-01 ... 2018-06-10]
Show findings with last inventory scan on specific date
agent.lastInventoryDate:'2018-07-25'
asset.lastLoggedOnUserUse a text value ##### to help you find assets last logged into by a user of interest.Examples
Show assets with last logon by user asmith
asset.lastLoggedOnUser: asmith
sensor.lastVmAgentScanDateUse a date range or specific date to define when vulnerability scans were last conducted.Examples
Show findings with last vulnerability scan within certain dates
sensor.lastVmAgentScanDate: [2017-01-01 ... 2017-02-10]
Show findings with last vulnerability scan starting 2016-11-01, ending 1 month ago
sensor.lastVmAgentScanDate: [2016-11-01 ... now-1M]
Show findings with last vulnerability scan starting 2 weeks ago, ending 1 second ago
sensor.lastVmAgentScanDate: [now-2w ... now-1s]
Show findings with last vulnerability scan on specific date
sensor.lastVmAgentScanDate:'2017-04-10'
asset.nameUse quotes or backticks within values to help you find the asset name you're looking for. Quotes can be used when the value has more than one word.Examples
Show any findings related to name
asset.name: QK2K12QP3-65-53
Show any findings that match exact value
asset.name: `QK2K12QP3-65-53`
asset.netbiosNameUse a text value ##### to define the NetBIOS name you're interested in.Examples
Show assets with this exact name (case sensitive)
asset.netbiosName: EC2AMAZ-19OC2IT
Show assets with name starting with "EC2" (case sensitive)
asset.netbiosName: EC2
Show assets with name ending with "c2it" (case insensitive)
asset.netbiosName: *c2it
openPorts.descriptionUse quotes or backticks within values to help you find the service description detected on an open port. Quotes can be used when the value has more than one word.Examples
Show any findings with this description
openPorts.description: Windows Remote Desktop
Show any findings that contain parts of description
openPorts.description: "Windows Remote Desktop"
Show any findings that match exact value
openPorts.description: `Windows Remote Desktop`
openPorts.detectedServiceUse quotes or backticks within values to help you find the detected service you're looking for. Quotes can be used when the value has more than one word.Examples
Show any findings with this service name
openPorts.detectedService: win_remote_desktop
Show any findings that match exact value
openPorts.detectedService: `win_remote_desktop`
openPorts.portUse an integer value ##### to help you find assets with some open port.Example
Show assets with open port 80
openPorts.port: 80
openPorts.protocolUse a text value ##### (UDP or TCP) to define the port protocol you're interested in.Examples
Show findings found on TCP
openPorts.protocol: TCP
Show findings found on port 80 and TCP
openPorts: (port: 80 AND protocol: TCP)
processor.nameUse quotes or backticks within values to help you find the processor description you're looking for. Quotes can be used when the value has more than one word.Examples
Show any findings with this description
processor.name: intel
Show any findings that match exact value
processor.name: `intel`
processor.speedUse an integer value ##### to help you find assets with a certain processor speed.Example
Show assets with this processor speed
processor.speed: 1995
cloud.providerSelect the name ##### of a cloud service provider you're looking for. Select from names in the drop-down menu.Examples
Show assets synced from Amazon AWS
cloud.provider: "AWS"
agent.qualysCorrelationIdUse a text value #### to show assets with specific Qualys Correlation ID.Example
Show assets with this Qualys Correlation ID
agent.qualysCorrelationId: "0f1b031712682e27cca306e4a2a9e3144696ac099b08fcdf76ccb6f3647ec058"
Show assets without any Qualys Correlation ID
agent.qualysCorrelationId: "UNIDENTIFIED"
Show assets all assets with Qualys Correlation ID
agent.qualysCorrelationId: "*"
image.service.descriptionUse quotes or backticks within values to help you find the service description you're looking for. Quotes can be used when the value has more than one word.Examples
Show any findings with this description
image.service.description: Windows Event Log
Show any findings that contain parts of description
image.service.description: "Windows Event Log"
Show any findings that match exact value
image.service.description: `Windows Event Log`
image.service.nameUse quotes or backticks within values to help you find the service name you're looking for. Quotes can be used when the value has more than one word.Examples
Show any findings with this name
image.service.name: eventlog
Show any findings that match exact value
image.service.name: `eventlog`
image.service.statusUse quotes or backticks within values to help you find the service status you're looking for. Quotes can be used when the value has more than one word.Examples
Show any findings with this status
image.service.status: running
Show any findings that match exact value
image.service.status: `running`
software.nameUse quotes or backticks within values to help you find the software name you're looking for. Quotes can be used when the value has more than one word.Examples
Show any findings with this name
software.name: VMware Tools
Show any findings that contain parts of name
software.name: "VMware Tools"
Show any findings that match exact value
software.name: `VMware Tools`
Find assets with certain tag and software installed
asset.tag.name: `Cloud Agent` AND software: (name: `Cisco AnyConnect Secure Mobility Client` AND version: `3.1.12345`)
asset.biosDescriptionUse quotes or backticks within values to help you find the BIOS description you're looking for. Quotes can be used when the value has more than one word.Examples
Show any findings with this description
asset.biosDescription: Phoenix Technologies
Show any findings that contain parts of name
asset.biosDescription: "Phoenix Technologies"
Show any findings that match exact value
asset.biosDescription: `Phoenix Technologies`
asset.lastBootDateUse a date range or specific date to define when assets were last booted.Examples
Show assets last booted within certain dates
asset.lastBootDate: [2016-01-01 ... 2016-01-10]
Show assets last booted starting 2015-10-01, ending 1 month ago
asset.lastBootDate: [2015-10-01 ... now-1M]
Show assets last booted starting 2 weeks ago, ending 1 second ago
asset.lastBootDate: [now-2w ... now-1s]
Show assets last booted on a specific date
asset.lastBootDate:'2016-01-08'
hardware.manufacturerUse quotes or backticks within values to help you find the system manufacturer you're looking for. Quotes can be used when the value has more than one word.Examples
Show any findings with this name
hardware.manufacturer: dell
Show any findings that match exact value
hardware.manufacturer: `dell`
hardware.modelUse quotes or backticks within values to help you find the system model you're looking for. Quotes can be used when the value has more than one word.Examples
Show any findings with this name
hardware.model: optiplex
Show any findings that match exact value
hardware.model: `optiplex`
asset.timezoneUse a text value ##### in quotes to find assets with a certain timezone set.Example
Show assets with this timezone
asset.timezone: "-08:00"
asset.totalMemoryUse an integer value ##### to help you find assets with a certain total system memory.Example
Show assets with this total system memory
asset.totalMemory: 1024
asset.tag.nameUse quotes or backticks within values to help you find the asset tag you're looking for. Quotes can be used when the value has more than one word.Examples
Show any findings related to this tag name
asset.tag.name: Cloud Agent
Show any findings that contain "Cloud" or "Agent" in name
asset.tag.name: "Cloud Agent"
Show any findings that match exact value
asset.tag.name: `Cloud Agent`
asset.udcManifestAssignedUse the values true | false to find assets with PA/PC agents assigned a UDC manifest. Assets are found when agents have the PC module enabled and one or more user defined controls have been added to your subscription.Examples
Show assets with agents assigned a UDC manfest
asset.udcManifestAssigned: "true"
Show assets with agents not assigned a UDC manifest
asset.udcManifestAssigned: "false"
asset.lastUpdatedDateUse a date range or specific date to define when assets were asset.lastUpdatedDate (i.e. when re-scanned by a scanner appliance, or when host data uploaded to the cloud platform by an agent).Examples
Show assets asset.lastUpdatedDate within certain dates
asset.lastUpdatedDate: [2016-01-01 ... 2016-01-10]
Show assets asset.lastUpdatedDate starting 2015-10-01, ending 3 months ago
asset.lastUpdatedDate: [2015-10-01 ... now-3M]
Show assets asset.lastUpdatedDate starting 2 weeks ago, ending 1 second ago
asset.lastUpdatedDate: [now-2w ... now-1s]
Show assets asset.lastUpdatedDate on a specific date
asset.lastUpdatedDate:'2016-01-10'
volume.freeUse an integer value ##### to help you find assets with a certain free volume space.Example
Show assets with this free volume space
volume.free: 448312320
volume.nameUse a text value ##### to find assets with a certain volume name.Example
Show assets with this volume name
volume.name: /boot
volume.sizeUse an integer value ##### to help you find assets with a certain volume size.Example
Show assets with this volume size
volume.size: 481529856
asset.isVulnerableChoose the value * to find assets with vulnerabilities.Example
Show all findings that have asset.isVulnerable
asset.isVulnerable: *
vulnerabilities.firstFoundDateUse a date range or specific date to define when findings were first found.Examples
Show findings first found within certain dates
vulnerabilities.firstFoundDate: [2015-10-21 ... 2015-10-30]
Show findings first found starting 2015-10-01, ending 1 month ago
vulnerabilities.firstFoundDate: [2015-10-01 ... now-1M]
Show findings first found starting 2 weeks ago, ending 1 second ago
vulnerabilities.firstFoundDate: [now-2w ... now-1s]
Show findings first found on certain date
vulnerabilities.firstFoundDate:'2015-11-11'
vulnerabilities.lastFoundDateUse a date range or specific date to define when findings were last found.Examples
Show findings last found within certain dates
vulnerabilities.lastFoundDate: [2015-10-21 ... 2016-01-15]
Show findings last found starting 2016-01-01, ending 1 month ago
vulnerabilities.lastFoundDate: [2016-01-01 ... now-1M]
Show findings last found starting 2 weeks ago, ending 1 second ago
vulnerabilities.lastFoundDate: [now-2w ... now-1s]
Show findings last found on certain date
vulnerabilities.lastFoundDate:'2016-01-11'
Show findings last found on 2017-01-12 with patch available
asset.isVulnerable: (lastFound: '2017-01-12' AND vulnerability.patchAvailable: "true")
vulnerabilities.typeDetectedSelect a detection type (e.g. Confirmed, Potential, Information) to find assets with asset.isVulnerable of this type. Select from names in the drop-down menu. Example
Show findings with this type
vulnerabilities.typeDetected: "Confirmed"
vulnerabilities.vulnerability.authTypeSelect the name (WINDOWS_AUTH, UNIX_AUTH, ORACLE_AUTH, etc) of an authentication type you're interested in. Select from names in the drop-down menu.Example
Show findings with Windows auth type
vulnerabilities.vulnerability.authType: "WINDOWS_AUTH"
vulnerabilities.vulnerability.bugTraqIdUse a text value ##### to find a BugTraq number you're interested in.Example
Show findings with BugTraq ID 22211
vulnerabilities.vulnerability.bugTraqId: 22211
vulnerabilities.vulnerability.categorySelect a category (CGI, Database, DNS, BIND, etc) to find asset.isVulnerable with this category. Select from names in the drop-down menu.Example
Show findings with the category CGI
vulnerabilities.vulnerability.category: "CGI"
vulnerabilities.vulnerability.compliance.descriptionUse quotes or backticks within values to help you find the compliance description you're looking for. Quotes can be used when the value has more than one word.Examples
Show any findings related to this description
vulnerabilities.vulnerability.compliance.description: malicious software
Show any findings that contain "malicious" or "software" in description
vulnerabilities.vulnerability.compliance.description: "malicious software"
Show any findings that match exact value
vulnerabilities.vulnerability.compliance.description: `malicious software`
vulnerabilities.vulnerability.compliance.sectionUse quotes or backticks within values to help you find the compliance section you're looking for. Quotes can be used when the value has more than one word.Examples
Show any findings related to this section
vulnerabilities.vulnerability.compliance.section: 164.308
Show any findings that match exact value
vulnerabilities.vulnerability.compliance.section: `164.308`
vulnerabilities.vulnerability.compliance.typeSelect the name ##### of a compliance type you're interested in (e.g. COBIT, HIPAA, GLBA, SOX). Select from names in the drop-down menu.Example
Show findings with the compliance type HIPAA
vulnerabilities.vulnerability.compliance.type: "HIPAA"
vulnerabilities.vulnerability.cveIdUse a text value ##### to find the CVE name you're interested in.Example
Show findings with CVE name CVE-2015-0313
vulnerabilities.vulnerability.cveId: CVE-2015-0313
Note: The CVE in the query is case sensitive and must be used in capital case.
vulnerabilities.vulnerability.cvss2AccessVectorSelect the name ##### of a CVSS access vector you'd like to find (e.g. UNDEFINED, LOCAL_ACCESS, ADJACENT_NETWORK, NETWORK). Select from names in the drop-down menu.Example
Show findings with this name
vulnerabilities.vulnerability.cvss2AccessVector: "NETWORK"
vulnerabilities.vulnerability.cvss2BaseScoreUse an integer value ##### to help you find the CVSS base score you're interested in.Example
Show assets with this score
vulnerabilities.vulnerability.cvss2BaseScore: 7.8
vulnerabilities.vulnerability.cvss2TemporalScoreUse an integer value ##### to help you find the CVSS temporal score you're interested in.Example
Show assets with this score
vulnerabilities.vulnerability.cvss2TemporalScore: 6.4
vulnerabilities.vulnerability.descriptionUse quotes or backticks within values to help you find the vulnerability description you're looking for. Quotes can be used when the value has more than one word.Examples
Show any findings related to description
vulnerabilities.vulnerability.description: remote code execution
Show any findings that contain "remote" or "code" in description
vulnerabilities.vulnerability.description: "remote code execution"
Show any findings that match exact value
vulnerabilities.vulnerability.description: `remote code execution`
vulnerabilities.vulnerability.discoveryTypeSelect a discovery type (Remote or Authenticated) to find assets with asset.isVulnerable having this discovery type. Select from names in the drop-down menu.Example
Show findings with Remote discovery type
vulnerabilities.vulnerability.discoveryType: Remote
vulnerabilities.vulnerability.exploitabilityUse quotes or backticks within values to help you find known exploit description you're looking for. Quotes can be used when the value has more than one word.Examples
Show any findings related to this description
vulnerabilities.vulnerability.exploitability: GIF Parser Heap
Show any findings that contain "GIF", "Parser" or "Heap" in description
vulnerabilities.vulnerability.exploitability: "GIF Parser Heap"
Show any findings that match exact value
vulnerabilities.vulnerability.exploitability: `GIF Parser Heap`
vulnerabilities.vulnerability.flagUse a text value ##### to find the Qualys defined vulnerability property of interest (e.g. REMOTE, WINDOWS_AUTH, UNIX_AUTH etc, PCI_RELATED).Example
Show findings with this property
vulnerabilities.vulnerability.flag: PCI_RELATED
vulnerabilities.vulnerability.impactUse quotes or backticks within values to help you find the impact you're looking for.Example
Show any findings related to impact
vulnerabilities.vulnerability.impact: sensitive information
Show any findings that contain "sensitive" or "information" in consequence
vulnerabilities.vulnerability.impact: "sensitive information"
Show any findings that match exact value "sensitive information"
vulnerabilities.vulnerability.impact: 'sensitive information'
vulnerabilities.vulnerability.listUse a text value ##### to find the vulnerability list of interest (e.g. SANS_20, QUALYS_20, QUALYS_INT_10, QUALYS_EXT_10).Example
Show findings with asset.isVulnerable in SANS Top 20
vulnerabilities.vulnerability.list: SANS_20
vulnerabilities.vulnerability.isPatchAvailableUse the values true | false to define asset.isVulnerable with patch available.Examples
Show findings with patch available
vulnerabilities.vulnerability.isPatchAvailable: "true"
Show findings with no patch available
vulnerabilities.vulnerability.isPatchAvailable: "false"
vulnerabilities.vulnerability.patchesUse an integer value ##### to help you find the patch QID you're interested in.Example
Show assets with this patch QID
vulnerabilities.vulnerability.patches: 90753
vulnerabilities.vulnerability.publishedDateUse a date range or specific date to define when asset.isVulnerable were first published in the KnowledgeBase.Examples
Show findings for asset.isVulnerable published within certain dates
vulnerabilities.vulnerability.publishedDate: [2015-10-21 ... 2016-01-15]
Show findings for asset.isVulnerable published starting 2016-01-01, ending 1 month ago
vulnerabilities.vulnerability.publishedDate: [2016-01-01 ... now-1M]
Show findings for asset.isVulnerable published starting 2 weeks ago, ending 1 second ago
vulnerabilities.vulnerability.publishedDate: [now-2w ... now-1s]
Show findings for asset.isVulnerable published on certain date
vulnerabilities.vulnerability.publishedDate:'2015-07-15'
vulnerabilities.vulnerability.qidUse an integer value ##### to filter assets with specific QID. By default, the results exclude the asset.isVulnerable with the Fixed status.Example
Show findings with QID 90405
vulnerabilities.vulnerability.qid: 90405
vulnerabilities.vulnerability.riskUse an integer value ##### to define the vulnerability risk rating you're interested in. For confirmed and potential issues risk is 10 times severity, for information gathered it is severity.Example
Show findings with risk 50
vulnerabilities.vulnerability.risk: 50
vulnerabilities.vulnerability.sans20CategoriesUse a text value ##### to find asset.isVulnerable in the SANS 20 category you're interested in (e.g. Anti-virus Software, Backup Software, etc).Example
Show findings with this category name
vulnerabilities.vulnerability.sans20Categories: "Media Players"
vulnerabilities.severitySelect a severity (1-5) to find assets having asset.isVulnerable with this severity. Select from values in the drop-down menu.Example
Show findings with severity 4
vulnerabilities.severity: "4"
vulnerabilities.vulnerability.solutionUse quotes or backticks within values to help you find the solution you're looking for. Quotes can be used when the value has more than one word.Examples
Show any findings related to this solution
vulnerabilities.vulnerability.solution: Bulletin MS10-006
Show any findings that contain parts of solution
vulnerabilities.vulnerability.solution: "Bulletin MS10-006"
Show any findings that match exact value
vulnerabilities.vulnerability.solution: `Bulletin MS10-006`
vulnerabilities.vulnerability.titleUse quotes or backticks within values to help you find the title you're looking for. Quotes can be used when the value has more than one word.Examples
Show any findings related to this title
vulnerabilities.vulnerability.title: Remote Code Execution
Show any findings that contain "Remote" or "Code" in title
vulnerabilities.vulnerability.title: "Remote Code"
Show any findings that match exact value
vulnerabilities.vulnerability.title: `Remote Code`
vulnerabilities.vulnerability.typeSelect a detection type (e.g. Vulnerability, Potential, Information) to find assets with asset.isVulnerable of this type. Select from names in the drop-down menu. Example
Show findings with this type
vulnerabilities.vulnerability.type: "VULNERABILITY"
vulnerabilities.vulnerability.updatedDateUse a date range or specific date to define when asset.isVulnerable were asset.lastUpdatedDate in the KnowledgeBase.Examples
Show asset.isVulnerable asset.lastUpdatedDate within certain dates
vulnerabilities.vulnerability.updatedDate: [2015-10-21 ... 2015-10-30]
Show asset.isVulnerable asset.lastUpdatedDate starting 2015-11-01, ending 1 month ago
vulnerabilities.vulnerability.updatedDate: [2015-11-01 ... now-1M]
Show asset.isVulnerable asset.lastUpdatedDate stating 2 weeks ago, ending 1 second ago
vulnerabilities.vulnerability.updatedDate: [now-2w ... now-1s]
Show asset.isVulnerable asset.lastUpdatedDate on certain date
vulnerabilities.vulnerability.updatedDate: '2015-03-08'
vulnerabilities.vulnerability.vendorRefUse a text value ##### to find the vendor reference you're interested in.Example
Show findings with this reference
vulnerabilities.vulnerability.vendorRef: KB3021953
andUse a boolean query to express your query using AND logic.Example
Show assets with operating system Windows and Linux
operatingSystem.name: windows and operatingSystem.name: linux
Example
Show assets that don't have Windows operating system
not operatingSystem.name: windows
orUse a boolean query to express your query using OR logic.Example
Show assets with one of these tag names
tag.name: Cloud Agent or tag.name: HQ
Example
Show host assets that has proccessed a specific maifest version
asset.vmManifestVersion: "VULNSIGS-VM-0.49.0.0-18"
Example
Show host assets that has proccessed a specific maifest version
asset.pcManifestVersion: "VULNSIGS-PC-2.5.889-6"
Example
Show host assets that has proccessed a specific maifest version
asset.scaManifestVersion: "VULNSIGS-SCA-2.5.891-2"
Example
Show host assets that has proccessed a specific maifest version
asset.udcManifestVersion: "UDCVULNSIGS-1014"
Example
Show host assets that has proccessed a specific maifest version
asset.middlewareManifestVersion: "VULNSIGS-MIDDLEWARE-SCAN-2.5.884-2"
Examples
Show assets that has at least one of the software components from the list, is identified.
agent.swCAIdealCandidate: "true"
Show assets where none of the software components from the list are identified.
agent.swCAIdealCandidate: "false"
Use a date value to find the Cloud Agent hosts with specific last SwCA scan date or date range.
Examples
Show the list of Cloud Agent hosts with specified last SwCA scan date.
agent.lastSwCAScanDate: '2024-10-31'
Show the list of Cloud Agent hosts with last SwCA scan date between 2024-09-11 and 2024-10-31.
agent.lastSwCAScanDate: [2024-09-11 ... 2024-10-31]
Show the list of Cloud Agent hosts with last SwCA scan date greater than 2024-06-27.
agent.lastSwCAScanDate > '2024-06-27'
Show the list of Cloud Agent hosts with last SwCA scan date less than or equal to 2024-10-31.
agent.lastSwCAScanDate =< '2024-10-31'
Use these tokens for searching Oracle Cloud Compute instances (OCI).
oci.compute.idUse a text value ##### to search all assets with the specified OCI ID.Example
Show assets with this OCI ID
oci.compute.id:ocid1.compartment.oc1..1234567lbhcx2ajiagh57wrurvqs2ubd4ttaimgy22cxh3r6brpmmugq'
oci.compute.compartmentIdUse a text value ##### to search all assets with the specified OCI compartment ID.Example
Show assets with this OCI compartment ID
oci.compute.compartmentId:ocid1.compartment.oc1..123452sjze35z6bkhvwjtzzgcp534zj4o75tgsizg3q36wl447jvfg6dq'
oci.compute.displayNameUse a text value ##### to search all assets with the specified display name.Example
Show assets with display name oracle 8.
oci.compute.displayName:oracle 8
oci.compute.shapeUse a text value ##### to search all assets with the specified shape.Example
Show all assets with the shape x5-2.36.512
oci.compute.shape:x5-2.36.512
oci.compute.regionUse a text value ##### to search all assets in the specified region.Example
Show all assets with the region us-east-1
oci.compute.region:us-east-1
oci.compute.regionKeyUse a text value ##### to search all assets with the specified region key.Example
Show all assets with the region key SYD
oci.compute.regionKey:SYD
oci.compute.regionRealmUse a text value ##### to search all groups with the specified region realm.Example
Show all assets with the region realm OC1
oci.compute.regionRealm:OC1
oci.compute.availabilityDomainUse a text value ##### to search all assets with the specified available domain.Example
Show all assets with the available domain Lhkx:US-ASHBURN-AD-1
oci.compute.availabilityDomain:Lhkx:US-ASHBURN-AD-1
oci.compute.timeCreatedUse a text value ##### to search all assets asset.createdDate at the specified time.Example
Show all assets with the asset.createdDate time 2021-02-09T07:24:31.000Z (Use 2021-02-09 while searching in UI)
oci.compute.timeCreated:2021-02-09
oci.compute.imageIdUse a text value ##### to search all assets with the specified image ID.Example
Show all assets with the ocid1.image.oc1.iad.aaaaaaaaffp3cnkpfxibzrdkfnxbitkgxk7al33rrhpzhfnrhfv7ml2xdpyq image ID
oci.compute.imageId:ocid1.image.oc1.iad.aaaaaaaaffp3cnkpfxibzrdkfnxbitkgxk7al33rrhpzhfnrhfv7ml2xdpyq
oci.compute.faultDomainUse a text value ##### to search all assets with the specified fault domain.Example
Show all assets with fault domain FAULT-DOMAIN-1
oci.compute.faultDomain:FAULT-DOMAIN-1
oci.compute.hostNameUse a text value ##### to search all assets with the specified host name.Example
Show all findings with the host name oracle-8
oci.compute.hostName:oracle-8
oci.compute.canonicalRegionNameUse a text value ##### to search all assets having the specified canonical region name.Example
Show all assets with the canonical region name us-ashburn-1
oci.compute.canonicalRegionName:us-ashburn-1
oci.compute.isQualysScannerUse the values true | false to list all assets that are Qualys Scanner. Choose True to list all assets that are Qualys Scanner and choose False to list all assets that are not Qualys Scanner.Example
Show all assets that are Qualys Scanner.
oci.compute.isQualysScanner:"true"
oci.compute.hasAgentUse the values true | false to list all assets that have cloud agents. Choose True to list all assets having cloud agents and choose False to list all assets that do not have cloud agents.Example
Show all assets with having cloud agent installed
oci.compute.hasAgent:"true"
oci.tag.nameUse a text value ##### to search all assets with the specified tags.Example
Show all assets with the tag key CreatedBy and specific value
oci.tag.name:(key:CreatedBy and value:oktasso/abc@example.com)
oci.tag.keyUse a text value ##### to search all assets with the specified tag key.Example
Show all assets with the tag key CreatedBy
oci.tag.key:CreatedBy
oci.tag.valueUse a text value ##### to search all assets with the specified tag value.Example
Show all assets with the tag value 2021-02-09
oci.tag.value:2021-02-09
oci.tag.namespaceUse a text value ##### to search all assets with the specified namespace.Example
Show all assets with the namespace Oracle-Tags
oci.tag.namespace:Oracle-Tags
oci.vnic.vnicIdUse a text value ##### to search all assets with the specified VNIC ID.Example
Show all assets with the VNIC ID ocid1.vnic.oc1.iad.abuwcljt6cdjcuwhkce37madk4p6bd6ocjknilpwzai5rsyjejteiodyp22q
oci.vnic.vnicId:ocid1.vnic.oc1.iad.abuwcljt6cdjcuwhkce37madk4p6bd6ocjknilpwzai5rsyjejteiodyp22q
oci.vnic.vcnIdUse a text value ##### to search all assets with the specified VCN ID.Example
Show all assets with this VCN ID
oci.vnic.vcnId:ocid1.vnic.oc1.iad.abuwcljt6cdjcuwhkce37madk4p6bd6ocjknilpwzai5rsyjejteiodyp22q
oci.vnic.privateIpUse a text value ##### to search all assets with the specified private IP.Example
Show all assets with this private IP
oci.vnic.privateIp:10.0.0.222
oci.vnic.vlanTagUse a text value ##### to search all assets with the specified vlan tag.Example
Show all assets with the vlan tag 1
oci.vnic.vlanTag:1
oci.vnic.macAddrUse a text value ##### to search all assets with the specified MAC address.Example
Show all assets with the MAC address 02:00:17:06:bd:b3
oci.vnic.macAddr:02:00:17:06:bd:b3
oci.vnic.virtualRouterIpUse a text value ##### to search all assets with the specified router IP.Example
Show all assets with the router IP 10.0.0.1
oci.vnic.virtualRouterIp:10.0.0.1
oci.vnic.subnetCidrBlockUse a text value ##### to search all assets with the specified block.Example
Show all assets with the block 10.0.0.0/24
oci.vnic.subnetCidrBlock:10.0.0.0/24
oci.vnic.nicIndexUse a text value ##### to search all assets with the specified index.Example
Show all assets with the index 1
oci.vnic.nicIndex:1
oci.compute.stateUse a text value ##### to search all assets with specific compute state.Example
Show all assets with the compute state Starting
oci.compute.state:STARTING