Search for Alerting Rule: OCI Tokens

Use the search tokens below that we provide during rule creation wizard.

cloud.regioncloud.region

Select the name of the region you're interested in. Select from names in the drop-down menu. The drop-down menu options contains region code. For example, the region code for Singapore is ap-southeast-1. For the complete mapping of region code to region, view AWS Region Mapping.

Example

Find resources in the ap-southeast-1 (Singapore) region

cloud.region: ap-southeast-1

service.typeservice.type

Select the type of service you're interested in. Select from names in the drop-down menu. The drop-down menu options contains service type code. For example, the service code for CloudTrail is CLOUD_TRAIL. For the complete mapping of service type code to service type AWS Service Type Mapping.

Example

Show service type CloudTrail

service.type: CLOUD_TRAIL

cloud.resource.typecloud.resource.type

Select the type of resource you're interested in. Select from names in the drop-down menu. The drop-down menu options contains of resource type code. For example, the service code for S3 Bucket is BUCKET . For the complete mapping of resource type code to resource type, view AWS Resource Type Mapping.

Example

Show resources of type S3 Bucket

cloud.resource.type: BUCKET

cloud.resource.idcloud.resource.id

Use a text value ##### to find resources by the unique ID assigned to the resource.

Example

Show resources with ID acl-8e5198f5

cloud.resource.id: acl-8e5198f5

control.idcontrol.id

Use a text value ##### to show controls based on the unique control ID associated with the control at the time of creation.

Example

Show controls with this ID

control.id: 205767712438

control.namecontrol.name

Use values within quotes to help you find controls with a certain name.

Examples

Show findings with this name

control.name: Avoid the use of the root account

Show any findings that contain parts of name

control.name: "Avoid the use of the root account"

control.criticalitycontrol.criticality

Select the control criticality (HIGH, MEDIUM, LOW) you're interested in.

Example

Show controls with High criticality

control.criticality: HIGH

control.resultcontrol.result

Use control result value (FAIL) to view controls with specific result.

Example

Show controls that failed

control.result: FAIL

cloud.resource.evaluatedDatecloud.resource.evaluatedDate

Use a date range or specific date to define when the resource was evaluated on.

Examples

Show resources discovered within certain dates

cloud.resource.evaluatedDate: [2018-01-01 ... 2018-03-01]

Show resources updated starting 2018-10-01, ending 1 month ago

cloud.resource.evaluatedDate: [2018-01-01 ... now-1m]

Show resources updated starting 2 weeks ago, ending 1 second ago

cloud.resource.evaluatedDate: [now-2w ... now-1s]

Show resources discovered on specific date

cloud.resource.evaluatedDate: 2018-01-08

cloud.resource.lastEvaluatedDatecloud.resource.lastEvaluatedDate

Use a date range or specific date to define when the resource was last evaluated on.

Examples

Show resources last evaluated within certain dates

cloud.resource.lastEvaluatedDate: [2018-01-01 ... 2018-03-01]

Show resources last evaluated starting 2018-10-01, ending 1 month ago

cloud.resource.lastEvaluatedDate: [2018-01-01 ... now-1m]

Show resources last evaluated starting 2 weeks ago, ending 1 second ago

cloud.resource.lastEvaluatedDate: [now-2w ... now-1s]

Show resources last evaluated on specific date

cloud.resource.lastEvaluatedDate: 2018-01-08

cloud.resource.firstEvaluatedDatecloud.resource.firstEvaluatedDate

Use a date range or specific date to define when the resource was first discovered and evaluated.

Examples

Show resources first evaluated within certain dates

cloud.resource.firstEvaluatedDate: [2018-01-01 ... 2018-03-01]

Show resources first evaluated starting 2018-10-01, ending 1 month ago

cloud.resource.firstEvaluatedDate: [2018-01-01 ... now-1m]

Show resources first evaluated starting 2 weeks ago, ending 1 second ago

cloud.resource.firstEvaluatedDate: [now-2w ... now-1s]

Show resources first evaluated on specific date

cloud.resource.firstEvaluatedDate: 2018-01-08

policy.namepolicy.name

Use values within quotes to find a CIS or AWS policy by name.

Examples

Show findings with this name

policy.name: CIS Amazon Web Services Foundations Benchmark

Show any findings that contain parts of name

policy.name: "CIS Amazon Web Services Foundations Benchmark"

qflow.idqflow.id

Use a text value ##### to show controls created from QFlow with specified QFlow id.

Examples

Show controls with specific qflow id

qflow.id: 80313390-aa04-11e9-9596-45e2d51410b1

qflow.nameqflow.name

Use values within quotes or back-ticks to find controls created from QFlow with the specified name.

Examples

Show controls that are created from QFlow with a name that partially matches the specified QFlow name.

qflow.name: "Publicly accessible S3 buckets"

Show controls that are created from QFlow with a name that exactly matches the specified QFlow name.

qflow.name: `S3 buckets`

aws.account.tags.keyaws.account.tags.key

Use values within quotes or backticks to find list of AWS connector with the specified key.

Examples

Show AWS connectors with the specified key

aws.account.tags.key: "Department"

Show AWS connectors that match the exact specified key

aws.account.tags.key: `S3 Department`

aws.account.statusaws.account.status

Use this is search AWS resources based on their account status.

Example

Show AWS resources with ACTIVE account status

aws.account.status: ACTIVE

cloud.resource.lastFixedDatecloud.resource.lastFixedDate

Use a date range or specific date to find when the misconfigured or vulnerable resources were last fixed.

Examples

Show the misconfigured or vulnerable resources last fixed within certain dates

cloud.resource.lastFixedDate: [2023-10-01 .. 2023-12-01]

Show the misconfigured or vulnerable resources last fixed starting 2023-01-01, ending 1 month ago

cloud.resource.lastFixedDate: [2023-01-01 .. now-1m]

Show the misconfigured or vulnerable resources last fixed starting 2 weeks ago, ending 1 second ago

cloud.resource.lastFixedDate: [now-2w .. now-1s]

Show the misconfigured or vulnerable resources last fixed on specific date

cloud.resource.lastFixedDate: 2023-01-08

cloud.resource.lastReopenedDatecloud.resource.lastReopenedDate

Use a date range or specific date to find when the misconfigured or vulnerable resources were last reopened.

Examples

Show the misconfigured or vulnerable resources last reopened within certain dates

cloud.resource.lastReopenedDate: [2023-10-01 .. 2023-12-01]

Show the misconfigured or vulnerable resources last reopened starting 2023-01-01, ending 1 month ago

cloud.resource.lastReopenedDate: [2023-01-01 .. now-1m]

Show the misconfigured or vulnerable resources last reopened starting 2 weeks ago, ending 1 second ago

cloud.resource.lastReopenedDate: [now-2w .. now-1s]

Show the misconfigured or vulnerable resources last reopened on specific date

cloud.resource.lastReopenedDate: 2023-01-08

connector.tag.nameconnector.tag.name

Search for connectors based on the applied tag name. Select the tag name from the drop-down.

Example

Show connectors tagged with Production

connector.tag.name: Production

connector.uuidconnector.uuid

Filter results by the unique identifier (UUID) of a connector.

Example

Show results associated with the connector having UUID 123e4567-e89b-12d3-a456-426614174000

connector.uuid: 123e4567-e89b-12d3-a456-426614174000

control.idcontrol.id

Use a text value ##### to show controls based on the unique control ID associated with the control at the time of creation.

Example

Show controls with this ID

control.id: 205767712438

control.criticalitycontrol.criticality

Select the control criticality (HIGH, MEDIUM, LOW) you're interested in.

Example

Show controls with High criticality

control.criticality: HIGH

control.namecontrol.name

Use values within quotes to help you find controls with a certain name.

Examples

Show findings with this name

control.name: Avoid the use of the root account

Show any findings that contain parts of name

control.name: "Avoid the use of the root account"

control.resultcontrol.result

Select the control result you're interested in: PASS or FAIL.

Examples

Show controls that passed

control.result: PASS

Show controls that failed

control.result: FAIL

aws.account.tags.value aws.account.tags.value

Use values within quotes or backticks to find list of AWS connector with the specified value.

Examples

Show AWS connectors with the specified value

aws.account.tags.value: "Finance"

Show AWS connectors that match the exact specified value

aws.account.tags.value: `B1 Finance`

evidence.keyevidence.key

Filter results based on the specific evidence key associated with a finding.

Example

Show findings where the evidence key is "encryptionEnabled"

evidence.key: encryptionEnabled

oci.tenantIdoci.tenantId

Use a text value ##### to show OCI resources based on the unique tenant ID.

Example

Show findings with tenant ID

oci.tenantId: ocid1.tenancy.oc1..aaaaaaaax2gwhq3hszjqhte5pgzijgyge6gvlsrqar6kxn7itwhk7keokamq

evidence.valueevidence.value

Filter results based on the specific value captured in the evidence associated with a finding.

Example

Show findings where the evidence value is "false"

evidence.value: false

 

© 2025 Qualys, Inc. All rights reserved. Privacy Policy. Last updated: December, 2025