Search Tokens for Cloud Agent
A complete list of tokens for writing search queries is provided below.
General | AWS EC2 | IBM | Microsoft Azure | Google Cloud Platform | Alibaba Cloud Platform | Assets | Oracle Cloud Compute Instance
General
and
Use a Boolean query to express your query using AND logic.
Example
Show findings with AWS EC2 accountId and availability zone
aws.ec2.accountId: 123456789012 and aws.ec2.availabilityZone: us-east-1a
not
Use a Boolean query to express your query using NOT logic.
Example
Show findings that are not specific AWS instance type
not aws.ec2.instanceType: t2.micro
or
Use a boolean query to express your query using OR logic.
Example
Show findings with one of these aws tag values
aws.tag: Finance or aws.tag: Accounting
Quick links: AWS EC2 | Microsoft Azure | Google Cloud Platform | Alibaba Cloud Platform | Assets | Threat Protection | Compliance
AWS EC2
Use these tokens when searching your AWS EC2 assets on the Assets list.
- Your results may return Terminated instances. It's recommended you include aws.ec2instanceState in your query to reduce the number of results.
- The syntax is different when writing queries for tag rules than when searching assets in the Assets list. Be sure to follow the syntax tips in the drop-down when writing your query.
aws.ec2.accountId
Use a text value ##### to find EC2 instances with a certain account ID.
Examples
Find EC2 instances that match this account ID
aws.ec2.accountId: 123456789012
Find EC2 instances with account ID starting "12345"
aws.ec2.accountId: 12345*
Find EC2 instances where account ID is null (remove the colon)
aws.ec2.accountId is null
aws.ec2.availabilityZone
Use a text value ##### to find EC2 instances by the availability zone in which the instance launched.
Example
Find EC2 instances in the us-east-1a availability zone
aws.ec2.availabilityZone: us-east-1a
aws.ec2.hasAgent
Use the values true | false to define whether the EC2 asset has a cloud agent.
Examples
Show findings with a cloud agent
aws.ec2.hasAgent: true
Show findings without a cloud agent
aws.ec2.hasAgent: false
aws.ec2.hostname
Use a text value ##### to find the EC2 hostname you're looking for.
Examples
Find instances related to name
aws.ec2.hostname: abc.qualys.com
Find instances that match exact value
aws.ec2.hostname: `abc.qualys.com`
aws.ec2.imageId
Use a text value ##### to find EC2 instances with a certain Image (AMI) ID.
Examples
Find instances related to the Image ID
aws.ec2.imageId: ami-2ea83347
Find instances that match exact value
aws.ec2.imageId: `ami-2ea83347`
aws.ec2.instanceId
Use a text value ##### to find EC2 instances by the instance ID.
Example
Find EC2 instances with this ID
aws.ec2.instanceId: i-1234567890abcdef0
aws.ec2.instanceState
Select the name of the instance state (e.g. PENDING, RUNNING, TERMINATED, STOPPED, etc) you're interested in. Select from names in the drop-down menu.
Example
Find running EC2 instances
aws.ec2.instanceState: RUNNING
aws.ec2.instanceType
Select the type of instance you're interested in. Select from names in the drop-down menu.
Example
Find EC2 instances with instance type t2.micro
aws.ec2.instanceType: t2.micro
aws.ec2.isQualysScanner
Use the values true | false to define whether the EC2 asset is a Qualys scanner.
Examples
Show findings where assets are scanners
aws.ec2.isQualysScanner: true
Show findings where assets are not scanners
aws.ec2.isQualysScanner: false
aws.ec2.kernelId
Use a text value ##### to find EC2 instances by kernel ID (AKI).
Example
Find EC2 instances with this kernel ID
aws.ec2.kernelId: aki-70ab0c10
aws.ec2.launchDate
Use a date range or specific date to define when the EC2 instance launched. Enter dates in yyyy-mm-dd format.
Examples
Find EC2 instances launched within certain dates
aws.ec2.launchDate: [2017-06-15 ... 2017-06-30]
Find EC2 instances launched on specific date
aws.ec2.launchDate:'2017-08-15'
aws.ec2.privateDns
Use a text value ##### to define a private DNS address you're interested in.
Example
Find the EC2 instance with this private DNS address
aws.ec2.privateDns: ip-10-90-2-85.ec2.internal
aws.ec2.privateIpAddress
Use a text value ##### to define a private IPv4 address or range of IPs you're interested in.
Examples
Find EC2 instances with this private IP address
aws.ec2.privateIpAddress: 10.90.0.119
Find EC2 instances within this IP range
aws.ec2.privateIpAddress: [10.1.78.23 ... 10.100.78.235]
aws.ec2.publicDns
Use a text value ##### to define a public DNS address you're interested in.
Example
Find the EC2 instance with this public DNS address
aws.ec2.publicDns: ec2-52-70-141-154.compute-1.amazonaws.com
aws.ec2.publicIpAddress
Use a text value ##### to define a public IPv4 address or range of IPs you're interested in.
Examples
Find EC2 instances with this public IP address
aws.ec2.publicIpAddress: 52.70.141.154
Find EC2 instances within this IP range
aws.ec2.publicIpAddress: [52.70.141.154 ... 52.70.141.164]
aws.ec2.region.code
Select the code of the region you're interested in. Select from codes in the drop-down menu.
Example
Find EC2 instances in the us-east-1 region
aws.ec2.region.code: us-east-1
aws.ec2.region.name
Select the name of the region you're interested in. Select from names in the drop-down menu.
Example
Find EC2 instances in the US East (N. Virginia) region
aws.ec2.region.name: US East (N. Virginia)
aws.ec2.spotInstance
Use the values true | false to define whether your EC2 instance is a Spot instance.
Examples
Show EC2 Spot instances
aws.ec2.spotInstance: "true"
Show EC2 instances that are not Spot instances
aws.ec2.spotInstance: "false"
aws.ec2.subnetId
Use a text value ##### to find EC2 instances by the ID of the subnet in which the interface resides.
Example
Find EC2 instances with this subnet ID
aws.ec2.subnetId: subnet-bc02c0d4
aws.ec2.vpcId
Use a text value ##### to find EC2 instances by the ID of the VPC in which the interface resides.
Example
Find EC2 instances with this VPC ID
aws.ec2.vpcId: vpc-1e37cd76
aws.tag
Use a text value ##### to find EC2 instances with a certain AWS tag key and value (both are case insensitive).
Example
Find EC2 instances with an AWS tag with key "abc" and value "xyz"
aws.tag: (key:abc and value:xyz)
aws.tag.key
Use a text value ##### to find EC2 instances with a certain AWS tag key/name (case insensitive).
Examples
Find EC2 instances with key "devops"
aws.tag.key: devops
Find EC2 instances with key starting "dev"
aws.tag.key: dev*
Find EC2 instances with key ending "ops"
aws.tag.key: *ops
aws.tag.value
Use a text value ##### to find EC2 instances with a certain AWS tag value (case insensitive).
Examples
Find EC2 instances with tag value "dailybuild"
aws.tag.value: dailybuild
Find EC2 instances with tag value starting "daily"
aws.tag.value: daily*
Find EC2 instances with tag value ending "build"
aws.tag.value: *build
IBM
Use these token when searching IBM assets on the Assets list.
ibm.tag.name
Use a text value ##### to find IBM instances with a certain tag name.
Example
Find IBM instances with this tag name
ibm.tag.name: name:abc
ibm.tag.value
Use a text value ##### to find IBM instances with a certain value.
Example
Find IBM instances with this tag value
ibm.tag.value: 'centos7'
ibm.virtualServer.id
Use a text value ##### to find IBM virtual server with a certain account ID.
Example
Find IBM virtual server with this Id
ibm.virtualServer.id: '123741814'
ibm.virtualServer.location
Use a text value ##### to find IBM virtual server with a certain location.
Example
Find IBM virtual server with this location
ibm.virtualServer.location: 'dal13'
ibm.virtualServer.datacenterId
Use a text value ##### to find IBM virtual server datacenter with a certain id.
Example
Find IBM virtual server datacenter with this Id
ibm.virtualServer.datacenterId: '1854895'
ibm.virtualServer.deviceName
Use a text value ##### to find IBM virtual server with device name.
Example
Find IBM virtual server with this device name
ibm.virtualServer.deviceName: 'virtualserver01.Qualys-Inc.cloud'
ibm.virtualServer.publicIpAddress
Use a numerical value ##### to find IBM virtual server with specific public IP address.
Example
Find IBM virtual server with this public IP address
ibm.virtualServer.publicIpAddress: '150.238.75.107'
ibm.virtualServer.privateIpAddress
Use a numerical value ##### to find IBM virtual server with specific private IP address.
Example
Find IBM virtual server with this private IP address
ibm.virtualServer.privateIpAddress: '10.187.94.40'
ibm.virtualServer.publicVlan
Use a numerical value ##### to find IBM virtual server with specific public vlan.
Example
Find IBM virtual server with this public vlan
ibm.virtualServer.publicVlan: '1796'
ibm.virtualServer.privateVlan
Use a numerical value ##### to find IBM virtual server with specific private vlan.
Example
Find IBM virtual server with this private vlan
ibm.virtualServer.privateVlan: '2236'
ibm.virtualServer.domain
Use a text value ##### to find IBM virtual server with specific domain.
Example
Find IBM virtual server with this domain
ibm.virtualServer.domain: 'Qualys-Inc.cloud'
Microsoft Azure
Use these tokens when searching Microsoft Azure assets on the Assets list.
azure.tag
Use a text value ##### to find Azure instances with a certain tag name and value. Both are case insensitive.
Example
Find Azure instances with a tag with name "abc" and value "xyz"
azure.tag: (name:abc and value:xyz)
azure.tag.name
Use a text value ##### to find Azure instances with a certain tag name (case insensitive).
Examples
Find Azure instances with name "devops"
azure.tag.name: devops
Find Azure instances with name starting "dev"
azure.tag.name: dev*
Find Azure instances with name ending "ops"
azure.tag.name: *ops
azure.tag.value
Use a text value ##### to find Azure instances with a certain tag value (case insensitive).
Examples
Find Azure instances with tag value "dailybuild"
azure.tag.value: dailybuild
Find Azure instances with tag value starting "daily"
azure.tag.value: daily*
Find Azure instances with tag value ending "build"
azure.tag.value: *build
azure.vm.imageOffer
Use a text value ##### to define the image offer name (i.e. UbuntuServer or WindowsServer) for images deployed from the Azure image gallery.
Examples
Find Azure instances related to name
azure.vm.imageOffer: UbuntuServer
Find Azure instances that match exact value
azure.vm.imageOffer: `UbuntuServer`
azure.vm.imagePublisher
Use a text value ##### to define the name of the Azure virtual machine image publisher (i.e. Canonical or MicrosoftWindowsServer).
Examples
Find Azure instances related to name
azure.vm.imagePublisher: Canonical
Find Azure instances that match exact value
azure.vm.imagePublisher: `Canonical`
azure.vm.imageVersion
Use a text value ##### to define the version of the Azure virtual machine image sku you're interested in.
Example
Find Azure instances with this sku version
azure.vm.imageVersion: 16.04.201708030
azure.vm.location
Use a text value ##### to define the region you're interested in.
Example
Find Azure instances in this location
azure.vm.location: westus
azure.vm.macAddress
Use a text value ##### to define the MAC address you're interested in.
Example
Find Azure instances with this MAC address
azure.vm.macAddress: '000D3A36DDED'
azure.vm.name
Use a text value ##### to find the Azure virtual machine name you're looking for.
Examples
Find Azure instances related to name
azure.vm.name: avset2
Find Azure instances that match exact value
azure.vm.name: `avset2`
azure.vm.platform
Use a text value ##### to define the operating system platform (Linux or Windows) of the Azure virtual machine.
Example
Find Azure instances on Windows platform
azure.vm.platform: Windows
azure.vm.privateIpAddress
Use a text value ##### to define a private IPv4 address or range of IPs you're interested in.
Examples
Find Azure instances with this private IP
azure.vm.privateIpAddress: 10.1.2.5
Find Azure instances within this IP range
azure.vm.privateIpAddress: [10.1.2.5 ... 10.1.2.33]
azure.vm.virtualNetwork
Use a text value ##### to find Azure instances that belong to a specific virtual network.
Examples
Find Azure instances with this virtual network
azure.vm.virtualNetwork: `mburton01-vnet`
azure.vm.publicIpAddress
Use a text value ##### to define a public IPv4 address or range of IPs you're interested in.
Examples
Find Azure instances with this public IP
azure.vm.publicIpAddress: 13.126.125.189
Find Azure instances within this IP range
azure.vm.publicIpAddress: [13.126.125.180 ... 13.126.125.255]
azure.vm.resourceGroupName
Use a text value ##### to define the name of the resource group you're interested in.
Examples
Find Azure instances related to name
azure.vm.resourceGroupName: my-eastus-rg
Find Azure instances that match exact value
azure.vm.resourceGroupName: `my-eastus-rg`
azure.vm.size
Use a text value ##### to help you find Azure VM instances with a certain virtual machine size.
Example
Find Azure instances with this size
azure.vm.size: Standard_D1
azure.vm.state
Select the name of the instance state (e.g. DEALLOCATED, RUNNING, STOPPED, TERMINATED, etc) you're interested in. Select from names in the drop-down menu.
Example
Find running Azure instances
azure.vm.state: RUNNING
azure.vm.subnet
Use a text value ##### to define the Azure virtual machine subnet you're interested in.
Example
Find Azure instances with this subnet
azure.vm.subnet: 10.1.2.0
azure.vm.subscriptionId
Use a text value ##### to define the subscription ID of the Azure virtual machine subscription.
Example
Find Azure instances with this subscription ID
azure.vm.subscriptionId: fbb9ea64-abda-452e-adfa-83442409
azure.vm.vmId
Use a text value ##### to define the Azure virtual machine ID you're looking for.
Example
Find Azure instances with this ID
azure.vm.vmId: 13f56399-bd52-4150-9748-7190aae1ff21
Google Cloud Platform
Use these tokens when searching Google Cloud Platform assets on the Assets list.
gcp.compute.hostname
Use a text value ##### to define the hostname you're looking for.
Examples
Find GCP instances related to name
gcp.compute.hostname: instance-5.c.qvsa-dev.internal
Find GCP instances that match exact value
gcp.compute.hostname: `instance-5.c.qvsa-dev.internal`
gcp.compute.imageId
Use the string value to search the Cloud Agent with Image ID.
Example
Search Cloud Agent wth the given GCP Image ID
gcp.compute.imageId: `ami-2ea83347`
gcp.compute.instanceId
Use a text value ##### to define the Google Compute instance ID you're looking for.
Example
Find GCP instances with this ID
gcp.compute.instanceId: 4392196237934605253
gcp.compute.macAddress
Use a text value ##### to define the MAC address you're interested in.
Example
Find GCP instances with this MAC address
gcp.compute.macAddress: '000D3A36DDED'
gcp.compute.machineType
Use a text value ##### to define the machine type of the virtual machine instance you're interested in.
Examples
Find GCP instances related to name
gcp.compute.machineType: n1-standard-1
Find GCP instances that match exact value
gcp.compute.machineType: `n1-standard-1`
gcp.compute.network
Use a text value ##### to find GCP instances by the VPC network the instance belongs to.
Example
Find GCP instances with this network
gcp.compute.network: 000D3A36DDED
gcp.compute.privateIpAddress
Use a text value ##### to define a private IPv4 address or range of IPs you're interested in.
Examples
Find GCP instances with this private IP
gcp.compute.privateIpAddress: 10.240.0.7
Find GCP instances with this private IP range
gcp.compute.privateIpAddress: [10.240.0.7 ... 10.240.0.30]
gcp.compute.projectId
Use a text value ##### to define the project ID assigned to the GCP Console project the instance belongs to.
Examples
Find GCP instances related to ID
gcp.compute.projectId: qvsa-dev
Find GCP instances that match exact value
gcp.compute.projectId: `qvsa-dev`
gcp.compute.projectNumber
Use an integer value ##### to define the project number assigned to the GCP Console project the instance belongs to.
Examples
Find GCP instances related to this number
gcp.compute.projectNumber: 1035365309337
Find GCP instances that match exact value
gcp.compute.projectNumber: `1035365309337`
gcp.compute.publicIpAddress
Use a text value ##### to define a public IPv4 address or range of IPs you're interested in.
Examples
Find GCP instances with this public IP
gcp.compute.publicIpAddress: 104.196.57.216
Find GCP instances within this IP range
gcp.compute.publicIpAddress: [104.196.57.216 ... 104.196.57.218]
gcp.compute.zone
Use a text value ##### to define the zone of the GCP instance you're looking for
Examples
Find GCP instances related to name
gcp.compute.zone: us-east1-d
Find GCP instances that match exact value
gcp.compute.zone: `us-east1-d`
gcp.compute.state
Select the state of the GCP instance (e.g. DEALLOCATED, PENDING, RUNNING, SHUTTING DOWN, STOPPED, STOPPING, TERMINATED, etc) you're interested in. Select the state from the drop-down menu.
Examples
Find running GCP instances
gcp.compute.state: RUNNING
Alibaba Cloud Platform
Use these tokens when searching Alibaba Cloud Platform assets on the Assets list.
alibaba.instance.hasAgent
Use the values true | false to define whether the alibaba instances have a cloud agent installed.
Examples
Find instances with a cloud agent
alibaba.instance.hasAgent: "true"
Show instances which do not have cloud agent installed
alibaba.instance.hasAgent: "false"
alibaba.instance.instanceId
Use a text value ##### to find alibaba cloud instances with a certain ID.
Example
Find instances with given ID
alibaba.instance.instanceId: i-a2dxxxxsxxxxxhdfax
alibaba.instance.instanceType
Use a text value ##### to find alibaba cloud instances with a certain instance type: ecs.t5-lc1m2.small, ecs.t5-lc1m2.nano
Example
Find alibaba cloud instances with given instance type
alibaba.instance.instanceType: ecs.t5-lc2m1.nano
alibaba.instance.instanceState
Use the text value to find alibaba cloud instances in a selected state: MOVING, PROVISIONING, RUNNING, STARTING, STOPPING, STOPPED, CREATING_IMAGE, TERMINATING, TERMINATED.
Examples
Find instances in a RUNNING state
alibaba.instance.instanceState: "RUNNING"
alibaba.instance.imageId
Use a text value ##### to find alibaba cloud instances with the specified image ID that is used during instance creation.
Example
Find instances related to the given image ID
alibaba.instance.imageId: ubuntu_14_0405_64_20G_alibase_20170824.vhd
alibaba.instance.accountId
Use a text value ##### to find alibaba cloud instances with a certain account ID.
Examples
Find instances with the given alibaba account ID
alibaba.instance.accountId: 587xxxxxxx
alibaba.instance.serialNumber
Use an integer value ##### to find alibaba cloud instances that belong to the specific serial number.
Examples
Find instances that belong to the given serial number
alibaba.instance.serialNumber: 12trexxxxr-3xx-xxx-rtg4-xxxx6t45
alibaba.instance.regionCode
Use a text value ##### to find the alibaba cloud instances that belong to the specific region code.
Example
Find instances that belong to the given region code
alibaba.instance.region.id: "ap-south-1"
alibaba.instance.regionName
Use a text value ##### to find the alibaba cloud instances that belong to the specific region name. Select a value from the drop-down list.
Example
Find instances that belong to the given region name
alibaba.instance.regionName: "India (Mumbai)"
alibaba.instance.zoneId
Use a text value ##### to find alibaba cloud instances that belong to the specific zone ID.
Example
Find instances that belong to the given zone ID
alibaba.instance.zoneId: ap-south-1b
alibaba.instance.vpcId
Use a text value ##### to find alibaba cloud instances that belong to the specific virtual private clouds (VPC) ID.
Example
Find instances that belong to the given VPC ID
alibaba.instance.vpcId: vpc-a2d6pxxxxvvdadd5yikj
alibaba.instance.hostName
Use a text value #####to find the alibaba cloud instances associated with the hostname.
Examples
Find instances that are associate with the given hostname
alibaba.instance.hostName: abc.qualys.com
alibaba.instance.dnsServer
Use the value to find the aliababa cloud instances that are associated with the Domain Name System (DNS) configuration.
Example
Find instances that are associated with the given DNS configurations
alibaba.instance.dnsServer:100.xxx.x.xxx
alibaba.instance.privateIpAddress
Use a text value ##### to find alibaba cloud instances with private IPv4 address or range of IPs assigned to NIC.
Examples
Find instances with the given private IP address.
alibaba.instance.privateIpAddress:192.168.XX.XX
Find instances with the given private IP address
alibaba.instance.privateIpAddress: [192.168.XX.XX.....192.168.XX.XX]
alibaba.instance.publicIpAddress
Use a text value ##### to find alibaba cloud instances with public IPv4 address or range of IPs.
Example
Find instances with the given public IP address
alibaba.instance.publicIpAddress:149.xx.xx.xx
Find instances with the given public IP address
alibaba.instance.publicIpAddress: [149.xx.xx.xx... 149.xx.xx.xx]
alibaba.instance.macAddress
Use a text value ##### to find alibaba cloud instances with the specific MAC address.
Example
Find instances with the given MAC address
alibaba.instance.macAddress: 00:16:3e:0f:XX:XX
alibaba.instance.vpcCidrBlock
Use a text value ##### to find alibaba cloud instances that belongs to the CIDR block of the VPC network.
Example
Find instances belonging to given CIDR block of VPC network
alibaba.instance.vpcCidrBlock: 172.xx.x.x/16
alibaba.instance.vswitchId
Use a text value ##### to find alibaba cloud instances that is connected to the vSwitch ID.
Example
Find instances connected with the give vSwicth ID
alibaba.instance.vswitchId: vsw-a2dxxxoxxxxsqx1mxxxdd
alibaba.instance.interfaceId
Use a text value ##### to find alibaba cloud instances by ID of network interface controllers (NICs).
Examples
Find instances connected with the given interface ID
alibaba.instance.interfaceId: eni-a2dxxxxaixxxtux572
alibaba.instance.vswitchCidrBlock
Use a text value ##### to find alibaba cloud instances that are connected to the CIDR block of vSwitch.
Example
Find instances connected the given CIDR block of vSwitch
alibaba.instance.vswitchCidrBlock:192.168.XX.XX/24
alibaba.instance.networkType
Select the network type (vpc, classic) of the alibaba cloud instances.
Example
Choose the network type to find cloud instances
alibaba.instance.networkType:vpc
Assets
All tokens below are available with AssetView.
account.username
Use a text value ##### to find the username you're looking for.
Example
Show assets with this exact username (case sensitive)
account.username: Administrator
Show assets with username starting with "Admin" (case sensitive)
account.username: Admin
sensor.activatedForModules
Select the name ##### of an activated module you're interested in. Select from names in the drop-down menu.
Examples
Show assets activated for VM
sensor.activatedForModules: "VM"
Show assets activated for VM and PA/PC
sensor.activatedForModules: "VM" AND sensor.activatedForModules: "PC"
agent.activations.key
Use a text value ##### to define the agent activation key you're interested in.
Example
Show assets with agents activated using this key
agent.activations.key: 057cc48a-8d84-48eb-add4-97a605d0567d
agent.activations.status
Select the agent activation status (ACTIVE, INACTIVE, UNSUPPORTED) you're interested in. Select from names in the drop-down menu.
Example
Show assets with active agents
agent.activations.status: ACTIVE
agent.status
Select the agent status (ACTIVE or INACTIVE) you're interested in.
Examples
Show assets with active agents, where the Agent has communicated in last 48 hours
agent.status: "ACTIVE"
Show assets with inactive agents, where the Agent has not communicated in last 48 hours
agent.status: "INACTIVE"
agent.id
Use a text value ##### to find an agent ID of interest.
Example
Show the asset with this agent ID
agentID: f0c8e682-e9cc-4e7d-b92a-0c905d81ec74
agent.version
Use a text value ##### to find the agent version you're interested in.
Example
Show findings with agent version 1.3.2.0
agent.version: 1.3.2.0
platform.type
Select the platform type to search the assets based on operating system of host asset.
Example
Show the list of assets with Windows platform.
platform.type:'Windows'
agent.configurationProfile
Use quotes or backticks within values to help you find the agent configuration profile you're looking for. Quotes can be used when the value has more than one word.
Examples
Show any findings related to profile name
agent.configurationProfile: Initial Profile
Show any findings that contain parts of the name
agent.configurationProfile: "Initial Profile"
Show any findings that match exact value
agent.configurationProfile: `Initial Profile`
asset.cpuCount
Use an integer value ##### to help you find assets with some number of CPUs.
Example
Show assets that have 2 CPUs
asset.cpuCount: 2
agent.connectedFrom
Use a text value ##### to define the external IP address a cloud agent connected from.
Example
Show findings for an external IP address that an agent connected from
agent.connectedFrom: 10.0.100.11
asset.createdDate
Use a date range or specific date to define when assets were asset.createdDate (i.e. when first scanned by a scanner appliance, or when agent was installed).
Examples
Show assets asset.createdDate within certain dates
asset.createdDate: [2016-01-01 ... 2016-01-10]
Show assets asset.createdDate starting 2015-10-01, ending 1 month ago
asset.createdDate: [2015-10-01 ... now-1M]
Show assets asset.createdDate starting 2 weeks ago, ending 1 second ago
asset.createdDate: [now-2w ... now-1s]
Show assets asset.createdDate on specific date
asset.createdDate:'2016-01-08'
agent.errorStatus
Use the values true | false to define agents with or without error status.
Example
Show agents with error status
agent.errorStatus: "true"
agent.fimCapable
Use the values true | false to define whether or not agents are FIM capable. agent.fimCapable search is not supported for all operating systems. Check the Cloud Agent Getting Started Guide for platform/OS support.
Examples
Show agents that are FIM capable and activated for FIM
agent.fimCapable: "true"
Show agents that are not FIM capable but can be upgraded to FIM capability
agent.fimCapable: "false"
asset.hostId
Use an integer value ##### to help you find the asset with a certain Qualys host ID (UUID), assigned by an agent or a scanner appliance when Agentless Tracking is used.
Example
Show assets that have this host ID
asset.hostId: 2918869
asset.interface.address
Use a text value ##### to define an IP address (IPv4 of IPv6) you're interested in. Note that you cannot perform a range search since this is a text field.
Examples
Show the asset with IPv4 address
asset.interface.address: 10.10.100.20
Show the asset with IPv6 address (enclose value in single quotes)
asset.interface.address: 'fe80:0:0:0:2501:b53c:4139:404b'
asset.interface.dnsAddress
Use a text value ##### to define a DNS address you're interested in.
Example
Show the asset with DNS address 10.0.100.11
asset.interface.dnsAddress: 10.0.100.11
asset.interface.gatewayAddress
Use a text value ##### to help you find assets with a certain default gateway address.
Example
Show assets with this default gateway address
asset.interface.gatewayAddress: 10.11.65.1
asset.interface.hostname
Find the hostname you're looking for. Search by domain name, use backticks for exact matching, or enter a partial value with an asterisk (*) for suffix/prefix matching.
Examples
Show any findings related to name
asset.interface.hostname: xpsp2-jp-26-111
Show any findings related to name (we'll match super domains)
asset.interface.hostname: com-pa3020-36.eng.sjc01.qualys.com
Show any findings that match exact value
asset.interface.hostname: `xpsp2-jp-26-111`
asset.interface.hostname: `com-pa3020-36.eng.sjc01.qualys.com`
Show any findings that match domain name
asset.interface.hostname: qualys.com
asset.interface.hostname: sjc01.qualys.com
asset.interface.hostname: eng.sjc01.qualys.com
Show any findings starting with string (case sensitive)
asset.interface.hostname: xp*
asset.interface.hostname: com-pa30*
Show any findings ending with string
asset.interface.hostname: *111
asset.interface.hostname: *lys.com
asset.interface.name
Use a text value ##### to help you find a certain interface name.
Example
Show the asset with name PRO/1000
asset.interface.name: PRO/1000
asset.interface.macAddress
Use values within quotes to help you find a MAC address you're interested in.
Example
Show the asset with this MAC address
asset.interface.macAddress: "00-50-56-A9-73-5A"
agent.lastActivityDate
Use a date range or specific date to define when the last activity on the agent occurred.
Examples
Show findings with last activity within certain dates
agent.lastActivityDate: [2016-01-01 ... 2016-01-10]
Show findings with last activity starting 2015-10-01, ending 1 month ago
agent.lastActivityDate: [2015-10-01 ... now-1M]
Show findings with last activity starting 2 weeks ago, ending 1 second ago
agent.lastActivityDate: [now-2w ... now-1s]
Show findings with last activity on a specific date
agent.lastActivityDate:'2015-12-01'
agent.lastCheckedInDate
Use a date range or specific date to define when the asset was last checked in to the platform.
Examples
Show findings with last check in within a specific date range.
agent.lastCheckedInDate:[2020-01-01 ... 2020-01-10]
Show findings with last check in starting 2019-11-01, ending 1 month ago.
agent.lastCheckedInDate:[2019-11-01 ... now-1M]
Show findings with last check in starting 2 weeks ago, ending 1 second ago
agent.lastCheckedInDate:[now-2w ... now-1s]
Show findings with last check in on a specific date
agent.lastCheckedInDate:'2020-02-11'
Show findings with last check in before (older than) last 30 days.
agent.lastCheckedInDate<now-30d
Note: We recommend not to use the NOT operator in your range search to form a query like NOT agent.lastCheckedInDate:[now-30d...now-2s]. See 'QQL Best Practices' topic in the Unified Dashboard online Help.
Show findings with last check in within last 30 days excluding day 30
agent.lastCheckedInDate>now-30d
Show findings with last check in within last 30 days including day 30
agent.lastCheckedInDate>=now-30d
Show findings with last check in which is older than last 30 days excluding day 30
agent.lastCheckedInDate<now-30d
Show findings with last check in which is older than last 30 days including day 30
agent.lastCheckedInDate<=now-30d
sensor.lastComplianceScanDate
Use a date range or specific date to define when compliance scans were last conducted.
Examples
Show findings with last compliance scan within certain dates
sensor.lastComplianceScanDate: [2017-01-01 ... 2017-03-31]
Show findings with last compliance scan starting 2016-10-15, ending 1 month ago
sensor.lastComplianceScanDate: [2016-10-15 ... now-1M]
Show findings with last compliance scan starting 2 weeks ago, ending 1 second ago
sensor.lastComplianceScanDate: [now-2w ... now-1s]
Show findings with last compliance scan on specific date
sensor.lastComplianceScanDate:'2017-02-18'
sensor.lastFullScanDate
Use a date range or specific date to define when full scans (assessments) were last conducted using Cloud Agent (CA).
Examples
Show findings with last full scan within certain dates
sensor.lastFullScanDate: [2016-01-01 ... 2016-01-10]
Show findings with last full scan starting 2015-10-01, ending 1 month ago
sensor.lastFullScanDate: [2015-10-01 ... now-1M]
Show findings with last full scan starting 2 weeks ago, ending 1 second ago
sensor.lastFullScanDate: [now-2w ... now-1s]
Show findings with last full scan on a specific date
sensor.lastFullScanDate:'2016-02-08'
agent.lastInventoryDate
Use a date range or specific date to define when inventory scans were last conducted by agents. We recommend lastInventoryDate for date range queries using parameters i.e. [now-1M ... now-1s]
Examples
Show findings with last inventory scan within certain dates
agent.lastInventoryDate: [2018-06-01 ... 2018-06-10]
Show findings with last inventory scan on specific date
agent.lastInventoryDate:'2018-07-25'
asset.lastLoggedOnUser
Use a text value ##### to help you find assets last logged into by a user of interest.
Examples
Show assets with last logon by user asmith
asset.lastLoggedOnUser: asmith
sensor.lastVmAgentScanDate
Use a date range or specific date to define when vulnerability scans were last conducted.
Examples
Show findings with the last vulnerability scan within certain dates
sensor.lastVmAgentScanDate: [2017-01-01 ... 2017-02-10]
Show findings with the last vulnerability scan starting 2016-11-01, ending 1 month ago
sensor.lastVmAgentScanDate: [2016-11-01 ... now-1M]
Show findings with the last vulnerability scan starting 2 weeks ago, ending 1 second ago
sensor.lastVmAgentScanDate: [now-2w ... now-1s]
Show findings with the last vulnerability scan on specific date
sensor.lastVmAgentScanDate:'2017-04-10'
agent.lastDeepScanDate
Use the date value to search Cloud Agents with a specific last Deep Scan date or date range.
Examples
Search Cloud Agents that have completed the Deep Scan on a certain date.
agent.lastDeepScanDate:01-10-2025
Search Cloud Agents that completed the Deep Scan given date range.
agent.lastDeepScanDate: [01-10-2025 ... 15-10-2025]
asset.name
Use quotes or backticks within values to help you find the asset name you're looking for. Quotes can be used when the value has more than one word.
Examples
Show any findings related to name
asset.name: QK2K12QP3-65-53
Show any findings that match exact value
asset.name: `QK2K12QP3-65-53`
asset.netbiosName
Use a text value ##### to define the NetBIOS name you're interested in.
Examples
Show assets with this exact name (case sensitive)
asset.netbiosName: EC2AMAZ-19OC2IT
Show assets with name starting with "EC2" (case sensitive)
asset.netbiosName: EC2
Show assets with name ending with "c2it" (case insensitive)
asset.netbiosName: *c2it
openPorts.description
Use quotes or backticks within values to help you find the service description detected on an open port. Quotes can be used when the value has more than one word.
Examples
Show any findings with this description
openPorts.description: Windows Remote Desktop
Show any findings that contain parts of description
openPorts.description: "Windows Remote Desktop"
Show any findings that match exact value
openPorts.description: `Windows Remote Desktop`
openPorts.detectedService
Use quotes or backticks within values to help you find the detected service you're looking for. Quotes can be used when the value has more than one word.
Examples
Show any findings with this service name
openPorts.detectedService: win_remote_desktop
Show any findings that match exact value
openPorts.detectedService: `win_remote_desktop`
openPorts.port
Use an integer value ##### to help you find assets with some open port.
Example
Show assets with open port 80
openPorts.port: 80
openPorts.protocol
Use a text value ##### (UDP or TCP) to define the port protocol you're interested in.
Examples
Show findings found on TCP
openPorts.protocol: TCP
Show findings found on port 80 and TCP
openPorts: (port: 80 AND protocol: TCP)
processor.name
Use quotes or backticks within values to help you find the processor description you're looking for. Quotes can be used when the value has more than one word.
Examples
Show any findings with this description
processor.name: intel
Show any findings that match exact value
processor.name: `intel`
processor.speed
Use an integer value ##### to help you find assets with a certain processor speed.
Example
Show assets with this processor speed
processor.speed: 1995
cloud.provider
Select the name ##### of a cloud service provider you're looking for. Select from names in the drop-down menu.
Examples
Show assets synced from Amazon AWS
cloud.provider: "AWS"
agent.qualysCorrelationId
Use a text value #### to show assets with specific Qualys Correlation ID.
Example
Show assets with this Qualys Correlation ID
agent.qualysCorrelationId: "0f1b031712682e27cca306e4a2a9e3144696ac099b08fcdf76ccb6f3647ec058"
Show assets without any Qualys Correlation ID
agent.qualysCorrelationId: "UNIDENTIFIED"
Show assets all assets with Qualys Correlation ID
agent.qualysCorrelationId: "*"
service.description
Use quotes or backticks within values to help you find the service description you're looking for. Quotes can be used when the value has more than one word.
Examples
Show any findings with this description
service.description: Windows Event Log
Show any findings that contain parts of description
service.description: "Windows Event Log"
Show any findings that match exact value
service.description: `Windows Event Log`
service.name
Use quotes or backticks within values to help you find the service name you're looking for. Quotes can be used when the value has more than one word.
Examples
Show any findings with this name
service.name: eventlog
Show any findings that match exact value
service.name: `eventlog`
service.status
Use quotes or backticks within values to help you find the service status you're looking for. Quotes can be used when the value has more than one word.
Examples
Show any findings with this status
service.status: running
Show any findings that match exact value
service.status: `running`
software.name
Use quotes or backticks within values to help you find the software name you're looking for. Quotes can be used when the value has more than one word.
Examples
Show any findings with this name
software.name: VMware Tools
Show any findings that contain parts name of
software.name: "VMware Tools"
Show any findings that match the exact value
software.name: `VMware Tools`
Find assets with certain tag and software installed
asset.tag.name: `Cloud Agent` AND software: (name: `Cisco AnyConnecta Secure Mobility Client` AND version: `3.1.12345`)
asset.biosDescription
Use quotes or backticks within values to help you find the BIOS description you're looking for. Quotes can be used when the value has more than one word.
Examples
Show any findings with this description
asset.biosDescription: Phoenix Technologies
Show any findings that contain parts of name
asset.biosDescription: "Phoenix Technologies"
Show any findings that match exact value
asset.biosDescription: `Phoenix Technologies`
asset.lastBootDate
Use a date range or specific date to define when assets were last booted.
Examples
Show assets last booted within certain dates
asset.lastBootDate: [2016-01-01 ... 2016-01-10]
Show assets last booted starting 2015-10-01, ending 1 month ago
asset.lastBootDate: [2015-10-01 ... now-1M]
Show assets last booted starting 2 weeks ago, ending 1 second ago
asset.lastBootDate: [now-2w ... now-1s]
Show assets last booted on a specific date
asset.lastBootDate:'2016-01-08'
hardware.manufacturer
Use quotes or backticks within values to help you find the system manufacturer you're looking for. Quotes can be used when the value has more than one word.
Examples
Show any findings with this name
hardware.manufacturer: dell
Show any findings that match exact value
hardware.manufacturer: `dell`
hardware.model
Use quotes or backticks within values to help you find the system model you're looking for. Quotes can be used when the value has more than one word.
Examples
Show any findings with this name
hardware.model: optiplex
Show any findings that match exact value
hardware.model: `optiplex`
asset.timezone
Use a text value ##### in quotes to find assets with a certain timezone set.
Example
Show assets with this timezone
asset.timezone: "-08:00"
asset.totalMemory
Use an integer value ##### to help you find assets with a certain total system memory.
Example
Show assets with this total system memory
asset.totalMemory: 1024
asset.tag.name
Use quotes or backticks within values to help you find the asset tag you're looking for. Quotes can be used when the value has more than one word.
Examples
Show any findings related to this tag name
asset.tag.name: Cloud Agent
Show any findings that contain "Cloud" or "Agent" in name
asset.tag.name: "Cloud Agent"
Show any findings that match exact value
asset.tag.name: `Cloud Agent`
asset.udcManifestAssigned
Use the values true | false to find assets with PA/PC agents assigned a UDC manifest. Assets are found when agents have the PC module enabled and one or more user-defined controls have been added to your subscription.
Examples
Show assets with agents assigned a UDC manfest
asset.udcManifestAssigned: "true"
Show assets with agents not assigned a UDC manifest
asset.udcManifestAssigned: "false"
asset.lastUpdatedDate
Use a date range or specific date to define when assets were last updated(i.e. when re-scanned by a scanner appliance, or when host data uploaded to the cloud platform by an agent).
Examples
Show assets asset.lastUpdatedDate within certain dates
asset.lastUpdatedDate: [2016-01-01 ... 2016-01-10]
Show assets last updated starting 2015-10-01, ending 3 months ago
asset.lastUpdatedDate: [2015-10-01 ... now-3M]
Show assets last updated starting 2 weeks ago, ending 1 second ago
asset.lastUpdatedDate: [now-2w ... now-1s]
Show assets last updated on a specific date
asset.lastUpdatedDate:'2016-01-10'
volume.free
Use an integer value ##### to help you find assets with a certain free volume space.
Example
Show assets with this free volume space
volume.free: 448312320
volume.name
Use a text value ##### to find assets with a certain volume name.
Example
Show assets with this volume name
volume.name: /boot
volume.size
Use an integer value ##### to help you find assets with a certain volume size.
Example
Show assets with this volume size
volume.size: 481529856
asset.isVulnerable
Choose the value * to find assets with vulnerabilities.
Example
Show all findings that have vulnerability
asset.isVulnerable: *
vulnerabilities.firstFoundDate
Use a date range or specific date to define when findings were first found.
Examples
Show findings first found within certain dates
vulnerabilities.firstFoundDate: [2015-10-21 ... 2015-10-30]
Show findings first found starting 2015-10-01, ending 1 month ago
vulnerabilities.firstFoundDate: [2015-10-01 ... now-1M]
Show findings first found starting 2 weeks ago, ending 1 second ago
vulnerabilities.firstFoundDate: [now-2w ... now-1s]
Show findings first found on certain date
vulnerabilities.firstFoundDate:'2015-11-11'
vulnerabilities.lastFoundDate
Use a date range or specific date to define when findings were last found.
Examples
Show findings last found within certain dates
vulnerabilities.lastFoundDate: [2015-10-21 ... 2016-01-15]
Show findings last found starting 2016-01-01, ending 1 month ago
vulnerabilities.lastFoundDate: [2016-01-01 ... now-1M]
Show findings last found starting 2 weeks ago, ending 1 second ago
vulnerabilities.lastFoundDate: [now-2w ... now-1s]
Show findings last found on certain date
vulnerabilities.lastFoundDate:'2016-01-11'
Show findings last found on 2017-01-12 with patch available
asset.isVulnerable: (lastFound: '2017-01-12' AND vulnerability.patchAvailable: "true")
vulnerabilities.typeDetected
Select a detection type (e.g. Confirmed, Potential, Information) to find assets with vulnerability of this type. Select from names in the drop-down menu.
Example
Show findings with this type
vulnerabilities.typeDetected: "Confirmed"
vulnerabilities.vulnerability.authType
Select the name (WINDOWS_AUTH, UNIX_AUTH, ORACLE_AUTH, etc) of an authentication type you're interested in. Select from names in the drop-down menu.
Example
Show findings with Windows auth type
vulnerabilities.vulnerability.authType: "WINDOWS_AUTH"
vulnerabilities.vulnerability.bugTraqId
Use a text value ##### to find a BugTraq number you're interested in.
Example
Show findings with BugTraq ID 22211
vulnerabilities.vulnerability.bugTraqId: 22211
vulnerabilities.vulnerability.category
Select a category (CGI, Database, DNS, BIND, etc) to find vulnerability with this category. Select from names in the drop-down menu.
Example
Show findings with the category CGI
vulnerabilities.vulnerability.category: "CGI"
vulnerabilities.vulnerability.compliance.description
Use quotes or backticks within values to help you find the compliance description you're looking for. Quotes can be used when the value has more than one word.
Examples
Show any findings related to this description
vulnerabilities.vulnerability.compliance.description: malicious software
Show any findings that contain "malicious" or "software" in description
vulnerabilities.vulnerability.compliance.description: "malicious software"
Show any findings that match exact value
vulnerabilities.vulnerability.compliance.description: `malicious software`
vulnerabilities.vulnerability.compliance.section
Use quotes or backticks within values to help you find the compliance section you're looking for. Quotes can be used when the value has more than one word.
Examples
Show any findings related to this section
vulnerabilities.vulnerability.compliance.section: 164.308
Show any findings that match exact value
vulnerabilities.vulnerability.compliance.section: `164.308`
vulnerabilities.vulnerability.compliance.type
Select the name ##### of a compliance type you're interested in (e.g. COBIT, HIPAA, GLBA, SOX). Select from names in the drop-down menu.
Example
Show findings with the compliance type HIPAA
vulnerabilities.vulnerability.compliance.type: "HIPAA"
vulnerabilities.vulnerability.cveId
Use a text value ##### to find the CVE name you're interested in.
Example
Show findings with CVE name CVE-2015-0313
vulnerabilities.vulnerability.cveId: CVE-2015-0313
Note: The CVE in the query is case sensitive and must be used in capital case.
vulnerabilities.vulnerability.cvss2AccessVector
Select the name ##### of a CVSS access vector you'd like to find (e.g. UNDEFINED, LOCAL_ACCESS, ADJACENT_NETWORK, NETWORK). Select from names in the drop-down menu.
Example
Show findings with this name
vulnerabilities.vulnerability.cvss2AccessVector: "NETWORK"
vulnerabilities.vulnerability.cvss2BaseScore
Use an integer value ##### to help you find the CVSS base score you're interested in.
Example
Show assets with this score
vulnerabilities.vulnerability.cvss2BaseScore: 7.8
vulnerabilities.vulnerability.cvss2TemporalScore
Use an integer value ##### to help you find the CVSS temporal score you're interested in.
Example
Show assets with this score
vulnerabilities.vulnerability.cvss2TemporalScore: 6.4
vulnerabilities.vulnerability.description
Use quotes or backticks within values to help you find the vulnerability description you're looking for. Quotes can be used when the value has more than one word.
Examples
Show any findings related to description
vulnerabilities.vulnerability.description: remote code execution
Show any findings that contain "remote" or "code" in description
vulnerabilities.vulnerability.description: "remote code execution"
Show any findings that match exact value
vulnerabilities.vulnerability.description: `remote code execution`
vulnerabilities.vulnerability.discoveryType
Select a discovery type (Remote or Authenticated) to find assets with vulnerability having this discovery type. Select from names in the drop-down menu.
Example
Show findings with Remote discovery type
vulnerabilities.vulnerability.discoveryType: Remote
vulnerabilities.vulnerability.exploitability
Use quotes or backticks within values to help you find known exploit description you're looking for. Quotes can be used when the value has more than one word.
Examples
Show any findings related to this description
vulnerabilities.vulnerability.exploitability: GIF Parser Heap
Show any findings that contain "GIF", "Parser" or "Heap" in description
vulnerabilities.vulnerability.exploitability: "GIF Parser Heap"
Show any findings that match exact value
vulnerabilities.vulnerability.exploitability: `GIF Parser Heap`
vulnerabilities.vulnerability.flag
Use a text value ##### to find the Qualys defined vulnerability property of interest (e.g. REMOTE, WINDOWS_AUTH, UNIX_AUTH etc, PCI_RELATED).
Example
Show findings with this property
vulnerabilities.vulnerability.flag: PCI_RELATED
vulnerabilities.vulnerability.impact
Use quotes or backticks within values to help you find the impact you're looking for.
Example
Show any findings related to impact
vulnerabilities.vulnerability.impact: sensitive information
Show any findings that contain "sensitive" or "information" in consequence
vulnerabilities.vulnerability.impact: "sensitive information"
Show any findings that match exact value "sensitive information"
vulnerabilities.vulnerability.impact: 'sensitive information'
vulnerabilities.vulnerability.list
Use a text value ##### to find the vulnerability list of interest (e.g. SANS_20, QUALYS_20, QUALYS_INT_10, QUALYS_EXT_10).
Example
Show findings with vulnerability in SANS Top 20
vulnerabilities.vulnerability.list: SANS_20
vulnerabilities.vulnerability.isPatchAvailable
Use the values true | false to define vulnerability with patch available.
Examples
Show findings with patch available
vulnerabilities.vulnerability.isPatchAvailable: "true"
Show findings with no patch available
vulnerabilities.vulnerability.isPatchAvailable: "false"
vulnerabilities.vulnerability.patches
Use an integer value ##### to help you find the patch QID you're interested in.
Example
Show assets with this patch QID
vulnerabilities.vulnerability.patches: 90753
vulnerabilities.vulnerability.publishedDate
Use a date range or specific date to define when vulnerability were first published in the KnowledgeBase.
Examples
Show findings for vulnerability published within certain dates
vulnerabilities.vulnerability.publishedDate: [2015-10-21 ... 2016-01-15]
Show findings for vulnerability published starting 2016-01-01, ending 1 month ago
vulnerabilities.vulnerability.publishedDate: [2016-01-01 ... now-1M]
Show findings for vulnerability published starting 2 weeks ago, ending 1 second ago
vulnerabilities.vulnerability.publishedDate: [now-2w ... now-1s]
Show findings for vulnerability published on certain date
vulnerabilities.vulnerability.publishedDate:'2015-07-15'
vulnerabilities.vulnerability.qid
Use an integer value ##### to filter assets with specific QID. By default, the results exclude the vulnerability with the Fixed status.
Example
Show findings with QID 90405
vulnerabilities.vulnerability.qid: 90405
vulnerabilities.vulnerability.risk
Use an integer value ##### to define the vulnerability risk rating you're interested in. For confirmed and potential issues risk is 10 times severity, for information gathered it is severity.
Example
Show findings with risk 50
vulnerabilities.vulnerability.risk: 50
vulnerabilities.vulnerability.sans20Categories
Use a text value ##### to find vulnerability in the SANS 20 category you're interested in (e.g. Anti-virus Software, Backup Software, etc).
Example
Show findings with this category name
vulnerabilities.vulnerability.sans20Categories: "Media Players"
vulnerabilities.severity
Select a severity (1-5) to find assets having vulnerability with this severity. Select from values in the drop-down menu.
Example
Show findings with severity 4
vulnerabilities.severity: "4"
vulnerabilities.vulnerability.solution
Use quotes or backticks within values to help you find the solution you're looking for. Quotes can be used when the value has more than one word.
Examples
Show any findings related to this solution
vulnerabilities.vulnerability.solution: Bulletin MS10-006
Show any findings that contain parts of solution
vulnerabilities.vulnerability.solution: "Bulletin MS10-006"
Show any findings that match exact value
vulnerabilities.vulnerability.solution: `Bulletin MS10-006`
vulnerabilities.vulnerability.title
Use quotes or backticks within values to help you find the title you're looking for. Quotes can be used when the value has more than one word.
Examples
Show any findings related to this title
vulnerabilities.vulnerability.title: Remote Code Execution
Show any findings that contain "Remote" or "Code" in title
vulnerabilities.vulnerability.title: "Remote Code"
Show any findings that match exact value
vulnerabilities.vulnerability.title: `Remote Code`
vulnerabilities.vulnerability.type
Select a detection type (e.g. Vulnerability, Potential, Information) to find assets with vulnerability of this type. Select from names in the drop-down menu.
Example
Show findings with this type
vulnerabilities.vulnerability.type: "VULNERABILITY"
vulnerabilities.vulnerability.updatedDate
Use a date range or specific date to define when vulnerability were last updated in the KnowledgeBase.
Examples
Show vulnerability last updated within certain dates
vulnerabilities.vulnerability.updatedDate: [2015-10-21 ... 2015-10-30]
Show vulnerability last updated starting 2015-11-01, ending 1 month ago
vulnerabilities.vulnerability.updatedDate: [2015-11-01 ... now-1M]
Show vulnerability last updated stating 2 weeks ago, ending 1 second ago
vulnerabilities.vulnerability.updatedDate: [now-2w ... now-1s]
Show vulnerability last updated on certain date
vulnerabilities.vulnerability.updatedDate: '2015-03-08'
vulnerabilities.vulnerability.vendorRef
Use a text value ##### to find the vendor reference you're interested in.
Example
Show findings with this reference
vulnerabilities.vulnerability.vendorRef: KB3021953
and
Use a boolean query to express your query using AND logic.
Example
Show assets with operating system Windows and Linux
operatingSystem.name: windows and operatingSystem.name: linux
not
Use a boolean query to express your query using NOT logic.
Example
Show assets that don't have Windows operating system
not operatingSystem.name: windows
or
Use a boolean query to express your query using OR logic.
Example
Show assets with one of these tag names
tag.name: Cloud Agent or tag.name: HQ
asset.vmManifestVersion
Find the host assets, using the last VM manifest version processed by Cloud Agent.
Example
Show host assets that has proccessed a specific maifest version
asset.vmManifestVersion: "VULNSIGS-VM-0.49.0.0-18"
asset.pcManifestVersion
Find the host assets, using the last PA/PC manifest version processed by Cloud Agent.
Example
Show host assets that has proccessed a specific maifest version
asset.pcManifestVersion: "VULNSIGS-PC-2.5.889-6"
asset.paManifestVersion
Find the host assets, using the last PA/PC manifest version processed by Cloud Agent.
Example
Show host assets that has proccessed a specific maifest version
asset.paManifestVersion: "VULNSIGS-PC-2.5.890-6"
asset.scaManifestVersion
Find the host assets, using the last SCA manifest version processed by Cloud Agent.
Example
Show host assets that has proccessed a specific maifest version
asset.scaManifestVersion: "VULNSIGS-SCA-2.5.891-2"
asset.udcManifestVersion
Find the host assets, using the last UDC manifest version processed by Cloud Agent.
Example
Show host assets that has proccessed a specific maifest version
asset.udcManifestVersion: "UDCVULNSIGS-1014"
asset.middlewareManifestVersion
Find the host assets, using the last middleware manifest version processed by Cloud Agent.
Example
Show host assets that has proccessed a specific maifest version
asset.middlewareManifestVersion: "VULNSIGS-MIDDLEWARE-SCAN-2.5.884-2"
agent.downloadedManifestVersion
Use this token to search the Cloud Agent with the given manifest version.
Example
Search Cloud Agents that have downloaded the PC-2.6.422.3-2 manifest.
agent.downloadedManifestVersion: `VULNSIGNS-PC-2.6.422.3-2`
agent.swCAIdealCandidate
Use the values true | false to find assets on which at least one of the software components—Ruby, Node.js, Go, Rust, PHP, Python, Java Platform, and Standard Edition (Java SE), is identified.
Examples
Show assets that has at least one of the software components from the list, is identified.
agent.swCAIdealCandidate: "true"
Show assets where none of the software components from the list are identified.
agent.swCAIdealCandidate: "false"
agent.lastSwCAScanDate
Use a date value to find the Cloud Agent hosts with specific last SwCA scan date or date range.
Examples
Show the list of Cloud Agent hosts with specified last SwCA scan date.
agent.lastSwCAScanDate: '2024-10-31'
Show the list of Cloud Agent hosts with last SwCA scan date between 2024-09-11 and 2024-10-31.
agent.lastSwCAScanDate: [2024-09-11 ... 2024-10-31]
Show the list of Cloud Agent hosts with last SwCA scan date greater than 2024-06-27.
agent.lastSwCAScanDate > '2024-06-27'
Show the list of Cloud Agent hosts with last SwCA scan date less than or equal to 2024-10-31.
agent.lastSwCAScanDate =< '2024-10-31'
agent.swcaConfigName
Use this token to search Cloud Agents matching the specified SwCA Configuration Profile name.
Examples
Use the SwCA profile name in the backticks (`...`) to search for Cloud Agents with a SwCA profile exactly matching the specified profile name.
agent.swcaConfigName: `test_swca_profile`
Use the SwCA profile name in the quotes ("...") to search for Cloud Agents with a SwCA profile containing the part of the specified profile name.
agent.swcaConfigName: "test"
agent.iocCapable
Use the text value to search the Cloud Agents that are IOC Capable.
Examples
Search the Cloud Agents that are IOC capable.
agent.iocCapable: true
software.version
Use the text value to search the software with specific versions.
Examples
Search software given software version.
software.version: 4.25
Oracle Cloud Compute Instance
Use these tokens for searching Oracle Cloud Compute instances (OCI).
oci.compute.id
Use a text value ##### to search all assets with the specified OCI ID.
Example
Show assets with this OCI ID
oci.compute.id:ocid1.compartment.oc1..1234567lbhcx2ajiagh57wrurvqs2ubd4ttaimgy22cxh3r6brpmmugq'
oci.compute.compartmentId
Use a text value ##### to search all assets with the specified OCI compartment ID.
Example
Show assets with this OCI compartment ID
oci.compute.compartmentId:ocid1.compartment.oc1..123452sjze35z6bkhvwjtzzgcp534zj4o75tgsizg3q36wl447jvfg6dq'
oci.compute.displayName
Use a text value ##### to search all assets with the specified display name.
Example
Show assets with display name oracle 8.
oci.compute.displayName:oracle 8
oci.compute.shape
Use a text value ##### to search all assets with the specified shape.
Example
Show all assets with the shape x5-2.36.512
oci.compute.shape:x5-2.36.512
oci.compute.region
Use a text value ##### to search all assets in the specified region.
Example
Show all assets with the region us-east-1
oci.compute.region:us-east-1
oci.compute.regionKey
Use a text value ##### to search all assets with the specified region key.
Example
Show all assets with the region key SYD
oci.compute.regionKey:SYD
oci.compute.regionRealm
Use a text value ##### to search all groups with the specified region realm.
Example
Show all assets with the region realm OC1
oci.compute.regionRealm:OC1
oci.compute.availabilityDomain
Use a text value ##### to search all assets with the specified available domain.
Example
Show all assets with the available domain Lhkx:US-ASHBURN-AD-1
oci.compute.availabilityDomain:Lhkx:US-ASHBURN-AD-1
oci.compute.timeCreated
Use a text value ##### to search all assets asset.createdDate at the specified time.
Example
Show all assets with the asset.createdDate time 2021-02-09T07:24:31.000Z (Use 2021-02-09 while searching in UI)
oci.compute.timeCreated:2021-02-09
oci.compute.imageId
Use a text value ##### to search all assets with the specified image ID.
Example
Show all assets with the ocid1.image.oc1.iad.aaaaaaaaffp3cnkpfxibzrdkfnxbitkgxk7al33rrhpzhfnrhfv7ml2xdpyq image ID
oci.compute.imageId:ocid1.image.oc1.iad.aaaaaaaaffp3cnkpfxibzrdkfnxbitkgxk7al33rrhpzhfnrhfv7ml2xdpyq
oci.compute.faultDomain
Use a text value ##### to search all assets with the specified fault domain.
Example
Show all assets with fault domain FAULT-DOMAIN-1
oci.compute.faultDomain:FAULT-DOMAIN-1
oci.compute.hostName
Use a text value ##### to search all assets with the specified host name.
Example
Show all findings with the host name oracle-8
oci.compute.hostName:oracle-8
oci.compute.canonicalRegionName
Use a text value ##### to search all assets having the specified canonical region name.
Example
Show all assets with the canonical region name us-ashburn-1
oci.compute.canonicalRegionName:us-ashburn-1
oci.compute.isQualysScanner
Use the values true | false to list all assets that are Qualys Scanner. Choose True to list all assets that are Qualys Scanner and choose False to list all assets that are not Qualys Scanner.
Example
Show all assets that are Qualys Scanner.
oci.compute.isQualysScanner:"true"
oci.compute.hasAgent
Use the values true | false to list all assets that have cloud agents. Choose True to list all assets having cloud agents and choose False to list all assets that do not have cloud agents.
Example
Show all assets with having cloud agent installed
oci.compute.hasAgent:"true"
oci.tag.name
Use a text value ##### to search all assets with the specified tags.
Example
Show all assets with the tag key CreatedBy and specific value
oci.tag.name:(key:CreatedBy and value:oktasso/[email protected])
oci.tag.key
Use a text value ##### to search all assets with the specified tag key.
Example
Show all assets with the tag key CreatedBy
oci.tag.key:CreatedBy
oci.tag.value
Use a text value ##### to search all assets with the specified tag value.
Example
Show all assets with the tag value 2021-02-09
oci.tag.value:2021-02-09
oci.tag.namespace
Use a text value ##### to search all assets with the specified namespace.
Example
Show all assets with the namespace Oracle-Tags
oci.tag.namespace:Oracle-Tags
oci.vnic.vnicId
Use a text value ##### to search all assets with the specified VNIC ID.
Example
Show all assets with the VNIC ID ocid1.vnic.oc1.iad.abuwcljt6cdjcuwhkce37madk4p6bd6ocjknilpwzai5rsyjejteiodyp22q
oci.vnic.vnicId:ocid1.vnic.oc1.iad.abuwcljt6cdjcuwhkce37madk4p6bd6ocjknilpwzai5rsyjejteiodyp22q
oci.vnic.vcnId
Use a text value ##### to search all assets with the specified VCN ID.
Example
Show all assets with this VCN ID
oci.vnic.vcnId:ocid1.vnic.oc1.iad.abuwcljt6cdjcuwhkce37madk4p6bd6ocjknilpwzai5rsyjejteiodyp22q
oci.vnic.privateIp
Use a text value ##### to search all assets with the specified private IP.
Example
Show all assets with this private IP
oci.vnic.privateIp:10.0.0.222
oci.vnic.vlanTag
Use a text value ##### to search all assets with the specified vlan tag.
Example
Show all assets with the vlan tag 1
oci.vnic.vlanTag:1
oci.vnic.macAddr
Use a text value ##### to search all assets with the specified MAC address.
Example
Show all assets with the MAC address 02:00:17:06:bd:b3
oci.vnic.macAddr:02:00:17:06:bd:b3
oci.vnic.virtualRouterIp
Use a text value ##### to search all assets with the specified router IP.
Example
Show all assets with the router IP 10.0.0.1
oci.vnic.virtualRouterIp:10.0.0.1
oci.vnic.subnetCidrBlock
Use a text value ##### to search all assets with the specified block.
Example
Show all assets with the block 10.0.0.0/24
oci.vnic.subnetCidrBlock:10.0.0.0/24
oci.vnic.nicIndex
Use a text value ##### to search all assets with the specified index.
Example
Show all assets with the index 1
oci.vnic.nicIndex:1
oci.compute.state
Use a text value ##### to search all assets with specific compute state.
Example
Show all assets with the compute state Starting
oci.compute.state:STARTING
Tokens for Vulnerability Findings
finding.vulnerability.cveId
Use a text value ##### to find the CVE name you're interested in.
Examples
Show findings with CVE name CVE-2015-0313
finding.vulnerability.cveId: CVE-2015-0313
Note: The CVE in the query is case sensitive and must be used in capital case.
finding.firstFoundDate
Use a date range or specific date to define when findings were first found.
Examples
Show findings first found within certain dates
finding.firstFoundDate: [2015-10-21 ... 2015-10-30]
Show findings first found starting 2015-10-01, ending 1 month ago
finding.firstFoundDate: [2015-10-01 ... now-1M]
Show findings first found starting 2 weeks ago, ending 1 second ago
finding.firstFoundDate: [now-2w ... now-1s]
Show findings first found on certain date
finding.firstFoundDate:'2015-11-11'
finding.lastFoundDate
Use a date range or specific date to define when findings were last found.
Examples
Show findings last found within certain dates
finding.lastFoundDate: [2015-10-21 ... 2016-01-15]
Show findings last found starting 2016-01-01, ending 1 month ago
finding.lastFoundDate: [2016-01-01 ... now-1M]
Show findings last found starting 2 weeks ago, ending 1 second ago
finding.lastFoundDate: [now-2w ... now-1s]
Show findings last found on certain date
finding.lastFoundDate:'2016-01-11'
Show findings last found on 2017-01-12 with patch available
asset.isVulnerable: (lastFound: '2017-01-12' AND vulnerability.patchAvailable: "true")
finding.severity
Select a severity (1-5) to find assets having vulnerability with this severity. Select from values in the drop-down menu.
Examples
Show findings with severity 4
finding.severity: "4"
finding.vulnerability.title
Use quotes or backticks within values to help you find the title you're looking for. Quotes can be used when the value has more than one word.
Examples
Show any findings related to this title
finding.vulnerability.title: Remote Code Execution
Show any findings that contain "Remote" or "Code" in title
finding.vulnerability.title: "Remote Code"
Show any findings that match exact value
finding.vulnerability.title: `Remote Code`
finding.typeDetected
Select a detection type (e.g. Confirmed, Potential, Information) to find assets with vulnerability of this type. Select from names in the drop-down menu.
Examples
Show findings with this type
finding.typeDetected: "Confirmed"
finding.vulnerability.description
Use quotes or backticks within values to help you find the vulnerability description you're looking for. Quotes can be used when the value has more than one word.
Examples
Show any findings related to description
finding.vulnerability.description: remote code execution
Show any findings that contain "remote" or "code" in description
finding.vulnerability.description: "remote code execution"
Show any findings that match exact value
finding.vulnerability.description: `remote code execution`
finding.vulnerability.qid
Use an integer value ##### to filter assets with specific QID. By default, the results exclude the vulnerability with the Fixed status.
Examples
Show findings with QID 90405
finding.vulnerability.qid: 90405
finding.vulnerability.impact
Use quotes or backticks within values to help you find the impact you're looking for.
Examples
Show any findings related to impact
finding.vulnerability.impact: sensitive information
Show any findings that contain "sensitive" or "information" in consequence
finding.vulnerability.impact: "sensitive information"
Show any findings that match exact value "sensitive information"
finding.vulnerability.impact: 'sensitive information'
finding.vulnerability.solution
Use quotes or backticks within values to help you find the solution you're looking for. Quotes can be used when the value has more than one word.
Examples
Show any findings related to this solution
finding..vulnerability.solution: Bulletin MS10-006
Show any findings that contain parts of solution
finding.vulnerability.solution: "Bulletin MS10-006"
Show any findings that match exact value
finding.vulnerability.solution: `Bulletin MS10-006`
finding.vulnerability.flag
Use a text value ##### to find the Qualys defined vulnerability property of interest (e.g. REMOTE, WINDOWS_AUTH, UNIX_AUTH etc, PCI_RELATED).
Examples
Show findings with this property
finding.vulnerability.flag: PCI_RELATED
finding.vulnerability.patches
Use an integer value ##### to help you find the patch QID you're interested in.
Examples
Show assets with this patch QID
finding.vulnerability.patches: 90753
finding.vulnerability.exploitability
Use quotes or backticks within values to help you find known exploit description you're looking for. Quotes can be used when the value has more than one word.
Examples
Show any findings related to this description
finding.vulnerability.exploitability: GIF Parser Heap
Show any findings that contain "GIF", "Parser" or "Heap" in description
finding.vulnerability.exploitability: "GIF Parser Heap"
Show any findings that match exact value
finding.vulnerability.exploitability: `GIF Parser Heap`
finding.vulnerability.isPatchAvailable
Use the values true | false to define vulnerability with patch available.
Examples
Show findings with patch available
finding.vulnerability.isPatchAvailable: "true"
Show findings with no patch available
finding.vulnerability.isPatchAvailable: "false"
finding.vulnerability.vendorRef
Use a text value ##### to find the vendor reference you're interested in.
Examples
Show findings with this reference
finding.vulnerability.vendorRef: KB3021953
finding.vulnerability.bugTraqId
Use a text value ##### to find a BugTraq number you're interested in.
Examples
Show findings with BugTraq ID 22211
finding.vulnerability.bugTraqId: 22211
finding.vulnerability.sans20Categories
Use a text value ##### to find vulnerability in the SANS 20 category you're interested in (e.g. Anti-virus Software, Backup Software, etc).
Examples
Show findings with this category name
finding.vulnerability.sans20Categories: "Media Players"
finding.vulnerability.list
Use a text value ##### to find the vulnerability list of interest (e.g. SANS_20, QUALYS_20, QUALYS_INT_10, QUALYS_EXT_10).
Examples
Show findings with vulnerability in SANS Top 20
finding.vulnerability.list: SANS_20
finding.vulnerability.compliance.type
Select the name ##### of a compliance type you're interested in (e.g. COBIT, HIPAA, GLBA, SOX). Select from names in the drop-down menu.
Examples
Show findings with the compliance type HIPAA
finding.vulnerability.compliance.type: "HIPAA"
finding.vulnerability.compliance.section
Use quotes or backticks within values to help you find the compliance section you're looking for. Quotes can be used when the value has more than one word.
Examples
Show any findings related to this section
finding.vulnerability.compliance.section: 164.308
Show any findings that match exact value
finding.vulnerability.compliance.section: `164.308`
finding.vulnerability.compliance.description
Use quotes or backticks within values to help you find the compliance description you're looking for. Quotes can be used when the value has more than one word.
Examples
Show any findings related to this description
finding.vulnerability.compliance.description: malicious software
Show any findings that contain "malicious" or "software" in description
finding.vulnerability.compliance.description: "malicious software"
Show any findings that match exact value
finding.vulnerability.compliance.description: `malicious software`
finding.vulnerability.category
Select a category (CGI, Database, DNS, BIND, etc) to find vulnerability with this category. Select from names in the drop-down menu.
Examples
Show findings with the category CGI
finding.vulnerability.category: "CGI"
finding.vulnerability.type
Select a detection type (e.g. Vulnerability, Potential, Information) to find assets with vulnerability of this type. Select from names in the drop-down menu.
Examples
Show findings with this type
finding.vulnerability.type: "VULNERABILITY"
finding.vulnerability.risk
Use an integer value ##### to define the vulnerability risk rating you're interested in. For confirmed and potential issues risk is 10 times severity, for information gathered it is severity.
Examples
Show findings with risk 50
finding.vulnerability.risk: 50
finding.vulnerability.publishedDate
Use a date range or specific date to define when Vulnerable were first published in the KnowledgeBase.
Examples
Show findings for vulnerability published within certain dates
finding.vulnerability.publishedDate: [2015-10-21 ... 2016-01-15]
Show findings for vulnerability published starting 2016-01-01, ending 1 month ago
finding.vulnerability.publishedDate: [2016-01-01 ... now-1M]
Show findings for vulnerability published starting 2 weeks ago, ending 1 second ago
finding.vulnerability.publishedDate: [now-2w ... now-1s]
Show findings for vulnerability published on certain date
finding.vulnerability.publishedDate:'2015-07-15'
finding.vulnerability.updatedDate
Use a date range or specific date to define when vulnerability were last updated in the KnowledgeBase.
Examples
Show vulnerability last updated within certain dates
finding.vulnerability.updatedDate: [2015-10-21 ... 2015-10-30]
Show vulnerability last updated starting 2015-11-01, ending 1 month ago
finding.vulnerability.updatedDate: [2015-11-01 ... now-1M]
Show vulnerability last updated stating 2 weeks ago, ending 1 second ago
finding.vulnerability.updatedDate: [now-2w ... now-1s]
Show vulnerability last updated on certain date
finding.vulnerability.updatedDate: '2015-03-08'
finding.vulnerability.discoveryType
Select a discovery type (Remote or Authenticated) to find assets with vulnerability having this discovery type. Select from names in the drop-down menu.
Examples
Show findings with Remote discovery type
finding.vulnerability.discoveryType: Remote
finding.vulnerability.authType
Select the name (WINDOWS_AUTH, UNIX_AUTH, ORACLE_AUTH, etc) of an authentication type you're interested in. Select from names in the drop-down menu.
Examples
Show findings with Windows auth type
finding.vulnerability.authType: "WINDOWS_AUTH"
finding.vulnerability.cvss2AccessVector
Select the name ##### of a CVSS access vector you'd like to find (e.g. UNDEFINED, LOCAL_ACCESS, ADJACENT_NETWORK, NETWORK). Select from names in the drop-down menu.
Examples
Show findings with this name
finding.vulnerability.cvss2AccessVector: "NETWORK"
finding.vulnerability.cvss2BaseScore
Use an integer value ##### to help you find the CVSS base score you're interested in.
Examples
Show assets with this score
finding.vulnerability.cvss2BaseScore: 7.8
finding.vulnerability.cvss2TemporalScore
Use an integer value ##### to help you find the CVSS temporal score you're interested in.
Examples
Show assets with this score
finding.vulnerability.cvss2TemporalScore: 6.4