Searching for AWS Resources
Use the search tokens below to search for discovered resources. You first need to choose a cloud provider on the Resources tab to see the relevant tokens for your environment.
General
Use a text value ##### to show resources based on the unique account ID associated with the connector/ARN at the time of creation.
Example
Show findings with this account ID
account.id: 205767712438
aws.account.alias
Use a text value ##### to show connectors based on the account alias associated with the connector/ARN at the time of creation.
Example
Show connectors with this account alias
aws.account.alias: Example_connector
subscriptionName
Use a text value ##### to find Azure connectors based on the subscription name associated with the connector at the time of creation.
Example
Show connectors with this subscription name
subscriptionName: Sample Cloud Subscription
Use a date range or specific date to define when the resource was created.
Examples
Show resources created within certain dates
created: [2018-01-01 ... 2018-03-01]
Show resources created starting 2018-01-01, ending 1 month ago
created: [2018-01-01 ... now-1m]
Show resources created starting 2 weeks ago, ending 1 second ago
created: [now-2w ... now-1s]
Show resources created on specific date
created: 2018-01-08
Use a date range or specific date to define when the resource was last updated.
Examples
Show resources updated within certain dates
updated: [2018-01-01 ... 2018-03-01]
Show resources updated starting 2018-01-01, ending 1 month ago
updated: [2018-01-01 ... now-1m]
Show resources updated starting 2 weeks ago, ending 1 second ago
updated: [now-2w ... now-1s]
Show resources updated on specific date
updated: 2018-01-08
Use values within quotes to help you find the resource name you're looking for.
Examples
Show any findings with this name
name: my-resource
Show all the findings that exactly match with this name
name: `my-resource`
Use values within quotes to help you find the resources based on the arn.
Example
Find resources with the given ARN. Use backticks or quotes when providing the ARN value.
arn: `arn:aws:ec2:us-east-1:123456789012:instance/i-012abcd34efghi56`
Select the name of the cloud service provider you're interested in. Select from names in the drop-down menu.
Example
Find resources synced from Amazon AWS
provider: AWS
Select the name of the region you're interested in. Select from names in the drop-down menu.
Example
Find resources in the Singapore region
aws.region: Singapore
Use a text value ##### to find resources by the unique ID assigned to the resource.
Example
Show resources with ID acl-8e5198f5
resource.id: acl-8e5198f5
Select the type of resource you're interested in. Select from names in the drop-down menu.
Example
Show resources of type Instance
resource.type: Instance
Use a text value ##### to define the key of an AWS tag assigned to the resource (case sensitive).
Example
Show findings with key Department
tag.key: Department
Use a text value ##### to define the value of an AWS tag assigned to the resource (case sensitive).
Example
Show findings with tag value Finance
tag.value: Finance
Use a boolean query to express your query using AND logic.
Example
Show findings with account ID 205767712438 and type Subnet
account.id: 205767712438 and resource.type: Subnet
Use a boolean query to express your query using NOT logic.
Example
Show findings that are not region Hong Kong
not region: Hong Kong
Use a boolean query to express your query using OR logic.
Example
Show findings with one of these tag values
tag.value: Finance or tag.value: Accounting
Use a date range or specific date to find when the resource was first discovered.
Examples
Show resources discovered within certain dates
firstDiscoveredOn: [2024-01-01 ... 2024-03-01]
Show resources discovered starting 2024-01-01, ending 1 month ago
firstDiscoveredOn: [2024-01-01 ... now-1m]
Show resources discovered starting 2 weeks ago, ending 1 second ago
firstDiscoveredOn: [now-2w ... now-1s]
Show resources discovered on specific date
firstDiscoveredOn: 2024-01-08
AWS: Auto Scaling Group
These tokens are available in queries with resource.type:Auto Scaling Group
autoscaling.availabilityZone
Select the availability zone you're interested in. Select from names in the drop-down menu.
Example
Find auto scaling groups in the us-east-1a availability zone
autoscaling.availabilityZone: us-east-1a
autoscaling.createdTime
Use a date range or specific date to define when the Auto Scaling group was created.
Examples
Show groups created within certain dates
autoscaling.createdTime: [2018-01-01 ... 2018-03-01]
Show groups created starting 2018-01-01, ending 1 month ago
autoscaling.createdTime: [2018-01-01 ... now-1m]
Show groups created starting 2 weeks ago, ending 1 second ago
autoscaling.createdTime: [now-2w ... now-1s]
Show groups created on specific date
autoscaling.createdTime: 2018-01-08
autoscaling.healthCheckType
Select the health check type (ec2 or elb) you're interested in. Select from names in the drop-down menu.
Example
Show groups with health check type ec2
autoscaling.healthCheckType: ec2
autoscaling.instanceId
Use a text value ##### to find auto scaling groups with a certain instance ID.
Example
Show findings with this instance ID
autoscaling.instanceId: i-1234567890abcdef0
autoscaling.launchConfigurationName
Use a text value ##### to define the launch configuration name you're interested in.
Example
Show findings with this launch configuration name
autoscaling.launchConfigurationName: LaunchConfig-BF31WBIYCM64
autoscaling.loadBalancerName
Use a text value ##### to define the load balancer name you're interested in.
Example
Show findings with this load balancer name
autoscaling.loadBalancerName: AppServer ELB
AWS: IAM User
These tokens are available in queries with resource.type: IAM User
iamuser.accessKey1Active
Use the values true | false to find IAM users with an active access key1.
Examples
Show findings with access key1 active
iamuser.accessKey1Active: true
Show findings with access key1 not active
iamuser.accessKey1Active: false
iamuser.accessKey1LastRotated
Use a date range or specific date to define when access key1 was last rotated.
Examples
Show last rotated within certain dates
iamuser.accessKey1LastRotated: [2018-01-01 ... 2018-03-01]
Show last rotated starting 2018-01-01, ending 1 month ago
iamuser.accessKey1LastRotated: [2018-01-01 ... now-1m]
Show last rotated starting 2 weeks ago, ending 1 second ago
iamuser.accessKey1LastRotated: [now-2w ... now-1s]
Show last rotated on specific date
iamuser.accessKey1LastRotated: 2018-01-08
iamuser.accessKey1LastUsed
Use a date range or specific date to define when access key1 was last used.
Examples
Show last used within certain dates
iamuser.accessKey1LastUsed: [2018-01-01 ... 2018-03-01]
Show last used starting 2018-01-01, ending 1 month ago
iamuser.accessKey1LastUsed: [2018-01-01 ... now-1m]
Show last used starting 2 weeks ago, ending 1 second ago
iamuser.accessKey1LastUsed: [now-2w ... now-1s]
Show last used on specific date
iamuser.accessKey1LastUsed: 2018-01-08
iamuser.accessKey2Active
Use the values true | false to find IAM users with an active access key2.
Examples
Show findings with access key2 active
iamuser.accessKey2Active: true
Show findings with access key2 not active
iamuser.accessKey2Active: false
iamuser.accessKey2lastRotated
Use a date range or specific date to define when access key2 was last rotated.
Examples
Show last rotated within certain dates
iamuser.accessKey2lastRotated: [2018-01-01 ... 2018-03-01]
Show last rotated starting 2018-01-01, ending 1 month ago
iamuser.accessKey2lastRotated: [2018-01-01 ... now-1m]
Show last rotated starting 2 weeks ago, ending 1 second ago
iamuser.accessKey2lastRotated: [now-2w ... now-1s]
Show last rotated on specific date
iamuser.accessKey2lastRotated: 2018-01-08
iamuser.accessKey2LastUsed
Use a date range or specific date to define when access key2 was last used.
Examples
Show last used within certain dates
iamuser.accessKey2LastUsed: [2018-01-01 ... 2018-03-01]
Show last used starting 2018-01-01, ending 1 month ago
iamuser.accessKey2LastUsed: [2018-01-01 ... now-1m]
Show last used starting 2 weeks ago, ending 1 second ago
iamuser.accessKey2LastUsed: [now-2w ... now-1s]
Show last used on specific date
iamuser.accessKey2LastUsed: 2018-01-08
Use a text value ##### to define the Amazon Resource Name (ARN) of interest.
Example
Show findings with this ARN
iamuser.arn: arn:aws:iam::383031258652:user/LOCAL_1234
iamuser.mfaActive
Use the values true | false to find IAM users with multi factor authentication enabled.
Examples
Show findings with multi factor authentication enabled
iamuser.mfaActive: true
Show findings without multi factor authentication enabled
iamuser.mfaActive: false
iamuser.passwordEnabled
Use the values true | false to find IAM users with the user password enabled during account creation.
Examples
Show findings with password enabled
iamuser.passwordEnabled: true
Show findings without password enabled
iamuser.passwordEnabled: false
iamuser.passwordLastChanged
Use a date range or specific date to define when the password was last updated.
Examples
Show passwords last updated within certain dates
iamuser.passwordLastChanged: [2018-01-01 ... 2018-03-01]
Show passwords last updated starting 2018-01-01, ending 1 month ago
iamuser.passwordLastChanged: [2018-01-01 ... now-1m]
Show passwords last updated starting 2 weeks ago, ending 1 second ago
iamuser.passwordLastChanged: [now-2w ... now-1s]
Show passwords last updated on specific date
iamuser.passwordLastChanged: 2018-01-08
iamuser.passwordLastUsed
Use a date range or specific date to define when the password was last used.
Examples
Show passwords last used within certain dates
iamuser.passwordLastUsed: [2018-01-01 ... 2018-03-01]
Show passwords last used starting 2018-01-01, ending 1 month ago
iamuser.passwordLastUsed: [2018-01-01 ... now-1m]
Show passwords last used starting 2 weeks ago, ending 1 second ago
iamuser.passwordLastUsed: [now-2w ... now-1s]
Show passwords last used on specific date
iamuser.passwordLastUsed: 2018-01-08
iamuser.passwordNextRotation
Use a date range or specific date to define the next time the password will be rotated.
Examples
Show next rotation within certain dates
iamuser.passwordNextRotation: [2018-01-01 ... 2018-03-01]
Show next rotation starting 2018-01-01, ending 1 month ago
iamuser.passwordNextRotation: [2018-01-01 ... now-1m]
Show next rotation starting 2 weeks ago, ending 1 second ago
iamuser.passwordNextRotation: [now-2w ... now-1s]
Show next rotation on specific date
iamuser.passwordNextRotation: 2018-01-08
iamuser.userCreationTime
Use a date range or specific date to define when the user was created.
Examples
Show users created within certain dates
iamuser.userCreationTime: [2018-01-01 ... 2018-03-01]
Show users created starting 2018-01-01, ending 1 month ago
iamuser.userCreationTime: [2018-01-01 ... now-1m]
Show users created starting 2 weeks ago, ending 1 second ago
iamuser.userCreationTime: [now-2w ... now-1s]
Show users created on specific date
iamuser.userCreationTime: 2018-01-08
Use values within quotes to help you find IAM users with a certain user ID.
Examples
Show any findings with this ID
iamuser.userId: ABCDEFGHIJ1K2
Show any findings that contain parts of ID
iamuser.userId: "ABCDEFGHIJ1K2"
iamuser.username
Use values within quotes to help you find IAM users with a certain user name.
Examples
Show any findings with this name
iamuser.username: Jane
Use values within quotes to help you find IAM users with path.
Examples
Show any findings with this path
iamuser.path: /
Show any findings that contain parts of path
iamuser.path: "/"
iamuser.group.name
Use values within quotes to help you find IAM users with a certain group name.
Examples
Show any findings with this group name
iamuser.group.name: Admin
iamuser.policy.arn
Use a text value ##### to find users with the Policy Amazon Resource Name (ARN) of interest.
Example
Show Users with this Policy ARN
iamuser.policy.arn: arn:aws:iam::383031258652:user/LOCAL_1234
iamuser.boundaryPolicy
Use a text value ##### to find the IAM User based on the provided Boundary Policy
Example
Show users with this boundary policy
iamuser.boundaryPolicy: DelegatedBoundaries
iamuser.accesskey.id
Use a text value ##### to find the IAM User based on the provided Access Key ID
Example
Show users with the specified Access Key ID
iamuser.accesskey.Id: AKIAIOSFODNN7EXAMPLE
AWS: Policy
Select from the dropdown (AWS MANAGED, CUSTOMER MANAGED) to find policies belonging to the specified type
Example
Show policies with this type.
policy.type: CUSTOMER MANAGED
Select from the dropdown (GLOBAL, US_GOV) to find policies belonging to the specified subtype
Example
Show Policies with this sub type.
policy.subType: GLOBAL
AWS: Group
group.managedPolicy.arn
Use a text value to find groups based on their policy ARN
Example
Show policies with this arn.
group.managedPolicy.arn: aws-policy
group.inlinePolicy.policyName
Use a text value to find groups based on their Inline policy name
Example
Show policies with this name.
group.inlinePolicy.policyName: inline-aws-policy
AWS: Role
Use a text value to find roles based on their path
Example
Show roles with this path.
path: "/"
role.lastActivity.lastUsedDate
Use a date range or specific date to find when the role was used.
Examples
Show roles used within certain dates
role.lastActivity.lastUsedDate: [2018-01-01 ... 2018-03-01]
Show roles used starting 2018-01-01, ending 1 month ago
role.lastActivity.lastUsedDate: [2018-01-01 ... now-1m]
Show roles used starting 2 weeks ago, ending 1 second ago
role.lastActivity.lastUsedDate: [now-2w ... now-1s]
Show roles used on specific date
role.lastActivity.lastUsedDate: 2018-01-08
AWS: VPC Endpoint
Use a text value to find VPC Endpoints by providing VPC ID
Example
Show VPC Endpoints with this VPC ID.
vpcendpoint.vpc: vpc-7b955c06
Select from the dropdown ( 'Interface', 'Gateway', 'Gateway Load Balancer') to find VPC Endpoints by providing VPC type
Example
Show VPC Endpoints with this VPC type.
vpcendpoint.vpc: Interface
Select from the dropdown ( 'Available', 'Deleted', 'Deleting', 'Pending') to find VPC Endpoints by providing the state
Example
Show VPC Endpoints with this state.
vpcendpoint.state: Available
Use true | false to find VPC Endpoints with Private DNS Enabled.
Example
Show VPC Endpoints with private DNS Enabled.
vpcendpoint.privatednsenabled: true
Use true | false to find VPC Endpoints with requester managed set to true or false.
Example
Show VPC Endpoints with requester managed set to True.
vpcendpoint.requestermanaged: true
Select from the dropdown ('ipv4', 'ipv6') to find VPC Endpoints by providing the IP address type
Example
Show VPC Endpoints with this IP address type.
vpcendpoint.ipaddresstype: ipv4
AWS: VPC Endpoint Service
Select from the dropdown ( 'Interface', 'Gateway', 'Gateway Load Balancer') to find VPC Endpoint Service by providing VPC type
Example
Show VPC Endpoints with this VPC type.
vpcendpointservice.type: Interface
Select from the dropdown ('ipv4', 'ipv6') to find VPC Endpoint Services by providing the IP address type
Example
Show VPC Endpoint services with this IP address type.
vpcendpointservice.supportedIpAddressTypee:ipv4
Use true | false to find VPC Endpoints with acceptance set to required
Example
Show VPC Endpoints with acceptance set to True.
vpcendpointservice.acceptancerequired: true
Use an integer value to find VPC Endpoint service based on the VPC owner
Example
Show VPC Endpoint services belonging to the specified owner
vpcendpointservice.owner:951386378875
AWS: Instance
These tokens are available in queries with resource.type:Instance
instance.availabilityZone
Select the availability zone you're interested in. Select from names in the drop-down menu.
Example
Show findings in the us-east-1a availability zone
instance.availabilityZone: us-east-1a
instance.imageId
Use a text value ##### to find EC2 instances with a certain Image (AMI) ID.
Example
Show findings with this image ID
instance.imageId: ami-2ea83347
instance.isDockerHost
Use the values true | false to define whether the instance has Docker installed on the host.
Example
Show instances with docker installed on the host
instance.isDockerHost:true
Show instances without docker installed on the host
instance.isDockerHost:false
instance.hasSensor
Use the values true | false to define whether the instance has a Container Security Sensor installed on the host.
Example
Show instances with Container Security Sensor installed on the host
instance.hasSensor:true
Show instances without Container Security Sensor installed on the host
instance.hasSensor:false
instance.docker.version
Use a text value ##### to define Docker version you are looking for.
Example
Show instances with specified docker version
instance.docker.version:8.2
instance.networkInterface.addressId
Use a text value ##### to find EC2 instances with a certain network interface address ID.
Example
Show findings with this address ID
instance.networkInterface.addressId: id-12345
instance.networkInterface.description
Use values within quotes to help you find network interfaces with certain keywords in the description.
Examples
Show any findings with this description
instance.networkInterface.description: My Description
Show any findings that contain parts of description
instance.networkInterface.description: "My Description"
instance.networkInterface.groupId
Use a text value ##### to find network interfaces with a certain group ID.
Example
Show findings with this group ID
instance.networkInterface.groupId: sg-1a2b3c4d
instance.networkInterface.groupName
Use a text value ##### to find network interfaces with a certain group name.
Example
Show findings with this group name
instance.networkInterface.groupName: My Group
instance.networkInterface.ipv6Ip
Use a text value ##### to find EC2 instances having network interface with a certain IPv6 IP address.
Example
Show findings with this IPv6 address
instance.networkInterface.ipv6Ip: 2010:ab2::1234:zzz:2002:1f
instance.networkInterface.privateDnsName
Use a text value ##### to find EC2 instances having network interface with a certain private DNS name.
Example
Show findings with this private DNS name
instance.networkInterface.privateDnsName: ip-172-31-33-67.us-east-2.compute.internal
instance.networkInterface.privateIpAddress
Use a text value ##### to find EC2 instances having network interface with a certain private IP address.
Example
Show findings with this private IP
instance.networkInterface.privateIpAddress: 172.31.28.151
instance.networkInterface.publicIp
Use a text value ##### to find EC2 instances having network interface with a certain public IP address.
Example
Show findings with this public IP address
instance.networkInterface.publicIp: 13.126.125.189
instance.networkInterface.secondaryPrivateIp
Use a text value ##### to find EC2 instances having network interface with a certain secondary private IP address.
Example
Show findings with this secondary private IP
instance.networkInterface.secondaryPrivateIp: 10.0.0.85
instance.networkInterface.subnetId
Use a text value ##### to find EC2 instances having network interface on a certain subnet.
Example
Show findings on this subnet ID
instance.networkInterface.subnetId: subnet-6f2cec07
instance.networkInterface.privateDnsName
Use a text value ##### to find EC2 instances having a private DNS address you're interested in.
Example
Show findings with this private DNS address
instance.networkInterface.privateDnsName: ip-10-90-2-85.ec2.internal
instance.networkInterface.privateIpAddress
Use a text value ##### to find EC2 instances having a private IPv4 address you're interested in.
Example
Show findings with this private IP address
instance.networkInterface.privateIpAddress: 10.90.0.119
instance.privateDnsName
Use a text value ##### to find EC2 instances having a private DNS name you're interested in.
Example
Show findings with this private DNS name
instance.privateDnsName: ip-10-90-2-85.ec2.internal
instance.privateIpAddress
Use a text value ##### to find EC2 instances having a private IPv4 address you're interested in.
Example
Show findings with this private IP address
instance.privateIpAddress: 10.90.0.119
instance.publicDnsName
Use a text value ##### to find EC2 instances having a public DNS address you're interested in.
Example
Show findings with this public DNS address
instance.publicDnsName: ec2-52-70-141-154.compute-1.amazonaws.com
instance.publicIpAddress
Use a text value ##### to find EC2 instances having a public IPv4 address you're interested in.
Example
Show findings with this public IP address
instance.publicIpAddress: 52.70.141.154
instance.secondaryPrivateIpAddress
Use a text value ##### to find EC2 instances having a secondary private IPv4 address you're interested in.
Example
Show findings with this secondary private IP
instance.secondaryPrivateIpAddress: 10.90.0.119
instance.securityGroup.id
Use a text value ##### to find EC2 instances having a certain security group ID.
Example
Show EC2 instances with this security group ID
instance.securityGroup.id: sg-4798a22f
instance.securityGroup.name
Use a text value ##### to find EC2 instances having a certain security group name.
Example
Show findings with this security group name
instance.securityGroup.name: Windows RDP Allow Group
instance.spotInstanceRequestId
Use a text value ##### to find EC2 instances having a certain Spot Instance request ID.
Example
Show findings with this Spot Instance request ID
instance.spotInstanceRequestId: sir-08b93456
Select a state name (pending, running, shutting-down, terminated, etc) to find EC2 instances with a certain state. Select from names in the drop-down menu.
Example
Show running EC2 instances
instance.state: running
instance.status
Select the status (ok, impaired, insufficient-data, etc) you're interested in. Select from names in the drop-down menu.
Example
Show EC2 instances with impaired status
instance.status: impaired
instance.subnetId
Use a text value ##### to find EC2 instances residing on a certain subnet ID.
Example
Show findings on this subnet ID
instance.subnetId: subnet-bc02c0d4
Select the type of EC2 instance you're interested in. Select from names in the drop-down menu.
Example
Show findings with this instance type
instance.type: t2.micro
Use a text value ##### to find EC2 instances having a certain VPC ID.
Example
Show findings with this VPC ID
instance.vpcId: vpc-1e37cd76
instance.profileName
Use a text value ##### to find EC2 instances having a certain profile name.
Example
Show all EC2 instances having ANY instance profile
instance.profileName: (*..*)
instance.profileArn
Use a text value ##### to find EC2 instances having a certain profile arn.
Example
Show all EC2 instances having profile arn
instance.profileArn: abc12345arnsample
Show all EC2 instances that exactly match the specified profile arn
instance.profileArn: `abc12345arnsample`
instanceProfile.role.name
Enter the name of roles associated with the profiles to search all the EC2 instances associated with it.
Example
Show all instances NOT associated with any roles in the profile
instanceProfile.role.name is null
instanceProfile.role.arn
Enter the instance profile arn to search all the EC2 instances associated with it.
Example
Show all instances associated with any arn
instanceProfile.role.arn: (*..*)
Show all instances that exactly match the arn
instanceProfile.role.arn: `1de1e0a7-4f67-4812-917d-1236853844e1`
instance.riskScore
Use an integer value (0-1000) to search for all the EC2 instances with the specified risk score.
Example
Show all instances with a risk score greater than 125
instance.riskScore > 125
Show all instances with the risk score of 125
instance.riskScore: 125
connector.remediationEnabled
Use true to view the resources associated with the connector for which remediation is enabled.
Example
Show resources associated with the connector for which remediation is enabled
connector.remediationEnabled: TRUE
Select the action status ("Success", "Queued", "Error") you're interested in. Select from names in the drop-down menu.
Example
Show resources with success status for remediation action
action.status: Success
instance.hasAgent
Select (True, False) to define whether the instance has a cloud agent installed.
Example
Show findings with a cloud agent
instance.hasAgent:true
Show findings without a cloud agent
instance.hasAgent:false
instance.hasThreats
Select (True, False) to find instances that have or have not been associated with any detected threats.
Examples
Show instances that have been associated with any detected threats
instance.hasThreats: true
Show instances that have not been associated with any detected threats
instance.hasThreats: false
hasThreat.SuspiciousComm.PortScan
Select (True, False) to find assets that have or have not been detected performing port scanning activities.
Example
Show assets detected performing port scans
hasThreat.SuspiciousComm.PortScan: true
hasThreat.SuspiciousComm.AddressScan
Select (True, False) to find assets that have or have not been detected performing address scanning activities.
Example
Show assets detected performing address scans
hasThreat.SuspiciousComm.AddressScan: true
hasThreat.LateralMove.RDPHotAccount
Select (True, False) to find assets associated with RDP hot accounts, which may indicate potential lateral movement attempts.
Example
Show assets associated with RDP hot accounts
hasThreat.LateralMove.RDPHotAccount: true
hasThreat.LateralMove.RDPbruteforce
Select (True, False) to find assets that have or have not been targets of RDP brute force attempts.
Example
Show assets that have been targets of RDP brute force attempts
hasThreat.LateralMove.RDPbruteforce: true
hasThreat.LateralMove.RDPScan
Select (True, False) to find assets that have or have not been detected performing RDP scanning activities.
Example
Show assets detected performing RDP scans
hasThreat.LateralMove.RDPScan: true
hasThreat.LateralMove.SSHbruteforce
Select (True, False) to find assets that have or have not been targets of SSH brute force attempts.
Example
Show assets that have been targets of SSH brute force attempts
hasThreat.LateralMove.SSHbruteforce: true
hasThreat.CnC.DNS
Select (True, False) to find assets that have or have not been detected communicating with potential Command and Control (C&C) servers over DNS.
Example
Show assets detected communicating with potential C&C servers over DNS
hasThreat.CnC.DNS: true
hasThreat.CnC.HTTPS
Select (True, False) to find assets that have or have not been detected communicating with potential Command and Control (C&C) servers over HTTPS.
Example
Show assets detected communicating with potential C&C servers over HTTPS
hasThreat.CnC.HTTPS: true
hasThreat.CnC.HTTP
Select (True, False) to find assets that have or have not been detected communicating with potential Command and Control (C&C) servers over HTTP.
Example
Show assets detected communicating with potential C&C servers over HTTP
hasThreat.CnC.HTTP: true
hasThreat.Exfiltration.DNS
Select (True, False) to find assets that have or have not been detected potentially exfiltrating data over DNS.
Example
Show assets detected potentially exfiltrating data over DNS
hasThreat.Exfiltration.DNS: true
hasThreat.Malware
Select (True, False) to find assets that have or have not been detected with potential malware infections.
Example
Show assets detected with potential malware infections
hasThreat.Malware: true
AWS: Secrets
secrets.rotationEnabled
Select (True, False) to find secrets with rotation enabled or disabled.
Example
Show secrets with rotation enabled
secrets.rotationEnabled: true
secrets.kmsKeyId
Provide a string value to find secrets associated with a specific AWS Key Management Service (KMS) key ID.
Example
Find secrets using the KMS key ID "1234abcd-12ab-34cd-56ef-1234567890ab"
secrets.kmsKeyId: 1234abcd-12ab-34cd-56ef-1234567890ab
Provide a string value to find secrets with a specific Amazon Resource Name (ARN).
Example
Find a secret with the ARN "arn:aws:secretsmanager:us-west-2:123456789012:secret:MySecret-a1b2c3"
secrets.arn: arn:aws:secretsmanager:us-west-2:123456789012:secret:MySecret-a1b2c3
Provide a string value to find secrets with a specific name.
Example
Find secrets named "database-credentials"
secrets.name: database-credentials
AWS: SageMaker Notebook
sagemaker.notebook.arn
Provide a string value in quotes (" ") or backtick (` `) to find SageMaker Notebook instances with a specific Amazon Resource Name (ARN).
Example
Find a SageMaker Notebook instance with the ARN "arn:aws:sagemaker:us-west-2:123456789012:notebook-instance/my-notebook"
sagemaker.notebook.arn: "arn:aws:sagemaker:us-west-2:123456789012:notebook-instance/my-notebook"
sagemaker.notebook.name
Provide a string value to find SageMaker Notebook instances with a specific name.
Example
Find SageMaker Notebook instances named "data-science-notebook"
sagemaker.notebook.name: data-science-notebook
sagemaker.notebook.status
Select the required status from the drop-down menu (InService, Stopped, Failed, Deleting, Pending) to find SageMaker Notebook instances based on their current status.
Example
Show SageMaker Notebook instances that are currently in service
sagemaker.notebook.status: InService
AWS: CloudFront Distribution
cloudfront.distributions.id
Provide a string value to find CloudFront distributions with a specific ID.
Example
Find a CloudFront distribution with the ID "E2QWRUHAPOMQZL"
cloudfront.distributions.id: E2QWRUHAPOMQZL
cloudfront.distributions.domainname
Provide a string value to find CloudFront distributions with a specific domain name.
Example
Find CloudFront distributions with the domain name "d111111abcdef8.cloudfront.net"
cloudfront.distributions.domainname: d111111abcdef8.cloudfront.net
cloudfront.distributions.enabled
Select (True, False) to find CloudFront distributions that are enabled or disabled.
Example
Show CloudFront distributions that are currently enabled
cloudfront.distributions.enabled: true
cloudfront.distributions.priceclass
Find CloudFront distributions based on their price class. Select the required class from the drop-down menu (PriceClass_100, PriceClass_200, PriceClass_All).
Example
Show CloudFront distributions with the price class PriceClass_200
cloudfront.distributions.priceclass: PriceClass_200
cloudfront.distributions.staging
Select (True, False) to find CloudFront distributions that are in staging or production environment.
Example
Show CloudFront distributions that are in the staging environment
cloudfront.distributions.staging: true
cloudfront.distributions.arn
Provide a string value to find CloudFront distributions with a specific Amazon Resource Name (ARN).
Example
Find a CloudFront distribution with the ARN "arn:aws:cloudfront::123456789012:distribution/E2QWRUHAPOMQZL"
cloudfront.distributions.arn: arn:aws:cloudfront::123456789012:distribution/E2QWRUHAPOMQZL
cloudfront.distributions.loggingEnabled
Select (True, False) to find CloudFront distributions with logging enabled or disabled.
Example
Show CloudFront distributions with logging enabled
cloudfront.distributions.loggingEnabled: true
Route 53 Domains
route53.domain.autorenew
Select (True, False) to find Route 53 domains based on their auto-renewal status.
Example
Show domains with auto-renewal enabled.
route53.domain.autorenew: true
Route 53 Hosted Zones
route53.hostedZone.recordname
Provide a string value to find Route 53 hosted zones with the specified record name.
Examples
Find hosted zones with the record "www.example.com"
route53.hostedZone.recordname: www.example.com
Select (True, False) to find Route 53 hosted zones based on whether they are private or public.
Example
Show private hosted zones.
route53.hostedZone.isPrivateZone: true
Provide a string value to find Route 53 hosted zones with the specified Amazon Resource Name (ARN).
Examples
Find a hosted zone with a specific ARN.
route53.hostedZone.arn: arn:aws:route53:::hostedzone/Z1PA6795UKMFR9
Redshift
redshift.clusteridentifier
Provide a string value to find Redshift clusters with the specified cluster identifier.
Examples
Find a Redshift cluster with identifier "my-redshift-cluster"
redshift.clusteridentifier: my-redshift-cluster
redshift.clusterstatus
Select from available options (e.g., available, creating, deleting, final-snapshot, modifying, rebooting, renaming, resizing) to find Redshift clusters with the specified status.
Example
Show Redshift clusters that are currently available.
redshift.clusterstatus: available
redshift.clusternamespacearn
Provide a string value to find Redshift clusters with the specified namespace ARN (Amazon Resource Name).
Examples
Find a Redshift cluster with a specific namespace ARN.
redshift.clusternamespacearn: arn:aws:redshift:us-west-2:123456789012:namespace:my-namespace
redshift.kmskeyid
Provide a string value to find Redshift clusters using the specified KMS (Key Management Service) key ID for encryption.
Examples
Find Redshift clusters using a specific KMS key.
redshift.kmskeyid: 1234abcd-12ab-34cd-56ef-1234567890ab
Elastic Container Registry
Provide a string value to find ECR repositories associated with the specified registry ID.
Examples
Find ECR repositories in registry "123456789012"
ecr.registryId: 123456789012
Provide a string value to find ECR repositories with the specified Amazon Resource Name (ARN).
Examples
Find an ECR repository with a specific ARN
ecr.arn: arn:aws:ecr:us-west-2:123456789012:repository/my-repo
ecr.encryptionConfigurations.encryptionType
Select from available options (e.g., AES256, KMS) to find ECR repositories with the specified encryption type.
Example
Show ECR repositories using KMS encryption.
ecr.encryptionConfigurations.encryptionType: KMS
ecr.imageTagMutability
Select from available options (MUTABLE, IMMUTABLE) to find ECR repositories with the specified image tag mutability setting.
Example
Show ECR repositories with immutable tags.
ecr.imageTagMutability: IMMUTABLE
ecr.imageScanningConfiguration.scanOnPush
Select (True, False) to find ECR repositories based on whether they're configured to scan images on push.
Example
Show ECR repositories with scan on push enabled.
ecr.imageScanningConfiguration.scanOnPush: true
ecr.imageDigest
Provide a string value to find ECR images with the specified image digest.
Examples
Find an ECR image with a specific digest
ecr.imageDigest: sha256:a1b2c3d4e5f6...
ecr.repositoryUri
Provide a string value to find ECR repositories with the specified URI.
Examples
Find an ECR repository with URI "123456789012.dkr.ecr.us-west-2.amazonaws.com/my-repo"
ecr.repositoryUri: 123456789012.dkr.ecr.us-west-2.amazonaws.com/my-repo
Vulnerability Tokens
These tokens are available in queries with resource.type:vulnerability
vulnerability.qid
Use an integer value ##### to define the QID in question.
Example
Show findings with QID 90405
vulnerability.qid:90405
vulnerability.severity
Select a severity (1-5) to find assets having vulnerabilities with this severity. Select from values in the drop-down menu.
Example
Show findings with severity 4
vulnerability.severity:4
vulnerability.customerSeverity
Use an integer value ##### to define the QID in question.
Example
Show findings with QID 90405
vulnerability.customerSeverity:3
vulnerability.exploitability
Use values within quotes or backticks to help you find the known exploit description you're looking for. Quotes can be used when the value has more than one word.
Examples
Show any findings related to this description
vulnerability.exploitability: GIF Parser Heap
Show any findings that contain "GIF", "Parser" or "Heap" in description
vulnerability.exploitability: "GIF Parser Heap"
Show any findings that match exact value
vulnerability.exploitability: `GIF Parser Heap`
vulnerability.patchAvailable
Use the values true | false to define vulnerabilities with patch available.
Examples
Show findings with patch available
vulnerability.patchAvailable: "true"
Show findings with no patch available
vulnerability.patchAvailable: "false"
vulnerability.firstFound
Use a date range or specific date to define when findings were first found.
Examples
Show findings first found within certain dates
vulnerability.firstFound: [2015-10-21 ... 2015-10-30]
Show findings first found starting 2015-10-01, ending 1 month ago
vulnerability.firstFound: [2015-10-01 ... now-1M]
Show findings first found starting 2 weeks ago, ending 1 second ago
vulnerability.firstFound: [now-2w ... now-1s]
Show findings first found on certain date
vulnerability.firstFound:'2015-11-11'
vulnerability.lastFound
Use a date range or specific date to define when findings were last found.
Examples
Show findings last found within certain dates
vulnerability.lastFound: [2015-10-21 ... 2016-01-15]
Show findings last found starting 2016-01-01, ending 1 month ago
vulnerability.lastFound: [2016-01-01 ... now-1M]
Show findings last found starting 2 weeks ago, ending 1 second ago
vulnerability.lastFound: [now-2w ... now-1s]
Show findings last found on certain date
vulnerability.lastFound:'2016-01-11'
Show findings last found on 2017-01-12 with patch available
vulnerabilities: (lastFound: '2017-01-12' AND vulnerability.patchAvailable: "true")
vulnerability.title
Use quotes or backticks within values to help you find the title you're looking for. Quotes can be used when the value has more than one word.
Examples
Show any findings related to this title
vulnerability.title: Remote Code Execution
Show any findings that contain "Remote" or "Code" in title
vulnerability.title: "Remote Code"
Show any findings that match exact value
vulnerability.title: `Remote Code`
vulnerability.description
Use quotes or backticks within values to help you find the vulnerability description you're looking for. Quotes can be used when the value has more than one word.
Examples
Show any findings related to description
vulnerability.description: remote code execution
Show any findings that contain "remote" or "code" in description
vulnerability.description: "remote code execution"
Show any findings that match exact value
vulnerability.description: `remote code execution`
vulnerability.cveIds
Use a text value ##### to find the CVE name you're interested in.
Example
Show findings with CVE name CVE-2015-0313
vulnerability.cveIds: CVE-2015-0313
vulnerability.category
Select a category (CGI, Database, DNS, BIND, etc) to find vulnerabilities with this category. Select from names in the drop-down menu.
Example
Show findings with the category CGI
vulnerability.category: "CGI"
vulnerability.cvss3Info.baseScore
Use an integer value ##### to help you find the CVSS base score you're interested in.
Example
Show assets with this score
vulnerability.cvss3Info.baseScore: 7.8
vulnerability.cvss3Info.temporalScore
Use an integer value ##### to help you find the CVSS temporal score you're interested in.
Example
Show assets with this score
vulnerability.cvss3Info.temporalScore: 6.4
vulnerability.cvssInfo.accessVector
Select the name ##### of a CVSS access vector you'd like to find (e.g. UNDEFINED, LOCAL_ACCESS, ADJACENT_NETWORK, NETWORK). Select from names in the drop-down menu.
Example
Show findings with this name
vulnerability.cvssInfo.accessVector: "NETWORK"
vulnerability.port
Use an integer value ##### to help you find assets with some open port.
Example
Show vulnerability with port 80
vulnerability.port: 80
vulnerability.protocol
Use a text value ##### (UDP or TCP) to define the port protocol you're interested in.
Examples
Show findings found on TCP
vulnerability.protocol: TCP
Show findings found on port 80 and TCP
vulnerability: (port: 80 AND protocol: TCP)
vulnerability.hostOS
Use quotes or backticks within values to help you find the instance operating system you're interested in.
Examples
Show any findings with this OS name
vulnerability.hostOS:Windows 2012
Show any findings that contain components of OS name
vulnerability.hostOS:"Windows 2012"
Show any findings that match exact value "Windows 2012"
vulnerability.hostOS:`Windows 2012`
vulnerability.typeDetected
Select a detection type (e.g. Confirmed, Potential, Information) to find instances with vulnerabilities of this type. Select from names in the drop-down menu.
Example
Show findings with this type
vulnerability.typeDetected:Confirmed
vulnerability.PCI
Use the values true | false to find vulnerabilities that must be fixed for PCI Compliance (per PCI DSS).
Examples
Show PCI vulnerabilities
vulnerability.PCI:TRUE
Do not show PCI vulnerabilities
vulnerability.PCI:FALSE
vulnerability.authTypes
Select the name (WINDOWS_AUTH, UNIX_AUTH, ORACLE_AUTH, etc) of an authentication type you're interested in. Select from names in the drop-down menu.
Example
Show findings with Windows auth type
vulnerability.authTypes:WINDOWS_AUTH
vulnerability.bugTraqIds
Use a text value ##### to find a BugTraq number you're interested in.
Example
Show findings with BugTraq ID 22211
vulnerability.bugTraqIds:22211
vulnerability.compliance.description
Use quotes or backticks within values to help you find the compliance description you're looking for.
Examples
Show any findings related to this description
vulnerability.compliance.description:malicious software
Show any findings that contain "malicious" or "software" in description
vulnerability.compliance.description:"malicious software"
Show any findings that match exact value "malicious software"
vulnerability.compliance.description:`malicious software`
vulnerability.compliance.section
Use quotes or backticks within values to help you find the compliance section you're looking for.
Examples
Show any findings related to this section
vulnerability.compliance.section:164.308
Show any findings that contain parts of section
vulnerability.compliance.section:"164.308"
Show any findings that match exact value "164.308"
vulnerability.compliance.section:`164.308`
vulnerability.compliance.type
Select the name ##### of a compliance type you're interested in (e.g. COBIT, HIPAA, GLBA, SOX). Select from names in the drop-down menu.
Example
Show findings with the compliance type HIPAA
vulnerability.compliance.type:HIPAA
vulnerability.consequence
Use quotes or backticks within values to help you find the consequence you're looking for.
Examples
Show any findings related to consequence
vulnerability.consequence:sensitive information
Show any findings that contain "sensitive" or "information" in consequence
vulnerability.consequence:"sensitive information"
Show any findings that match exact value "sensitive information"
vulnerability.consequence:`sensitive information`
vulnerability.flags
Use a text value ##### to find the Qualys defined vulnerability property of interest (e.g. REMOTE, WINDOWS_AUTH, UNIX_AUTH, PCI_RELATED etc).
Example
Show findings with this flag
vulnerability.flags:PCI_RELATED
vulnerability.lists
Use a text value ##### to find the vulnerability list of interest (e.g. SANS_20, QUALYS_20, QUALYS_INT_10, QUALYS_EXT_10).
Example
Show findings with vulnerabilities in SANS Top 20
vulnerability.lists:SANS_20
vulnerability.patches
Use an integer value ##### to help you find the patch QID you're interested in.
Example
Show assets with this patch QID
vulnerability.patches:90753
vulnerability.published
Use a date range or specific date to define when vulnerabilities were first published in the KnowledgeBase.
Examples
Show findings for vulnerabilities published within certain dates
vulnerability.published:[2015-10-21 ... 2016-01-15]
Show findings for vulnerabilities published starting 2017-01-01, ending 1 month ago
vulnerability.published:[2017-01-01 ... now-1M]
Show findings for vulnerabilities published starting 2 weeks ago, ending 1 second ago
vulnerability.published:[now-2w ... now-1s]
Show findings for vulnerabilities published on certain date
vulnerability.published:'2018-01-15'
vulnerability.risk
Use an integer value ##### to define the vulnerability risk rating you're interested in. For confirmed and potential issues risk is 10 times severity, for information gathered it is severity.
Example
Show findings with risk 50
vulnerability.risk:50
vulnerability.os
Use quotes or backticks within values to help you find the operating system vulnerabilities were detected on.
Examples
Show any findings related to this OS value
vulnerability.os:windows
Show any findings that contain parts of OS value
vulnerability.os:"windows"
Show any findings that match exact value "windows"
vulnerability.os:`windows`
vulnerability.cvssInfo.baseScore
Use an integer value ##### to help you find the CVSS base score you're interested in.
Example
Show instances with this score
vulnerability.cvssInfo.baseScore:7.8
vulnerability.cvssInfo.temporalScore
Use an integer value ##### to help you find the CVSS temporal score you're interested in.
Example
Show instances with this score
vulnerability.cvssInfo.temporalScore:6.4
vulnerability.discoveryTypes
Select a discovery type (Remote or Authenticated) to find instances with vulnerabilities having this discovery type. Select from names in the drop-down menu.
Example
Show findings with Remote discovery type
vulnerability.discoveryTypes:REMOTE
vulnerability.sans20Categories
Use a text value ##### to find vulnerabilities in the SANS 20 category you're interested in (e.g. Anti-virus Software, Backup Software, etc).
Example
Show findings with this category name
vulnerability.sans20Categories:Media Players
vulnerability.solution
Use quotes or backticks within values to help you find the solution you're looking for.
Examples
Show any findings related to this solution
vulnerability.solution:Bulletin MS10-006
Show any findings that contain parts of solution
vulnerability.solution:"Bulletin MS10-006"
Show any findings that match exact value "Bulletin MS10-006"
vulnerability.solution:`Bulletin MS10-006`
vulnerability.status
Select the vulnerability status (ACTIVE, FIXED, NEW, REOPENED) you're interested in. Select from names in the drop-down menu.
Example
Show vulnerabilities with ACTIVE status
vulnerability.status:ACTIVE
vulnerability.supportedBy
Select a Qualys service (VM, Agent type, etc) to show vulnerabilities that can be detected by this service. Select from names in the drop-down menu.
Example
Show vulnerabilities supported by Linux Agent
vulnerability.supportedBy:LINUX_AGENT
vulnerability.vendorRefs
Use a text value ##### to find the vendor reference you're interested in.
Example
Show this vendor reference
vulnerability.vendorRefs:KB3021953
vulnerability.vendors.productName
Use a text value ##### to find the vendor product name you're interested in.
Example
Show findings with this vendor product name
vulnerability.vendors.productName:Windows
vulnerability.vendors.vendorName
Use a text value ##### to find the vendor name you're interested in.
Example
Show findings with this vendor name
vulnerability.vendors.vendorName:Adobe
Threat Protection
(For Threat Protection users) Use these tokens for searching Real-Time Threat Indicators (RTI).
vulnerability.threatIntel.activeAttacks
Use the values true | false to define real-time threats due to active attacks.
Example
Show resources with threats due to active attacks
vulnerability.threatIntel.activeAttacks: "true"
vulnerability.threatIntel.denialOfService
Use the values true | false to define real-time threats due to denial of service.
Example
Show resources with threats due to denial of service
vulnerability.threatIntel.denialOfService: "true"
vulnerability.threatIntel.easyExploit
Use the values true | false to define real-time threats due to easy exploit.
Example
Show resources with threats due to easy exploit
vulnerability.threatIntel.easyExploit: "true"
vulnerability.threatIntel.exploitKit
Use the values true | false to define real-time threats due to exploit kit.
Example
Show resources with threats due to exploit kit
vulnerability.threatIntel.exploitKit: "true"
vulnerability.threatIntel.exploitKitName
Use quotes or backticks within values to help you find the exploit kit name you're looking for. Quotes can be used when the value has more than one word.
Examples
Show any findings with this name
vulnerability.threatIntel.exploitKitName: Angler
Show any findings that match exact value
vulnerability.threatIntel.exploitKitName: `Angler`
vulnerability.threatIntel.highDataLoss
Use the values true | false to define real-time threats due to high data loss.
Example
Show resources with threats due to high data loss
vulnerability.threatIntel.highDataLoss: "true"
vulnerability.threatIntel.highLateralMovement
Use the values true | false to define real-time threats due to high lateral movement.
Example
Show resources with threats due to high lateral movement
vulnerability.threatIntel.highLateralMovement: "true"
vulnerability.threatIntel.malware
Use the values true | false to define real-time threats due to malware.
Example
Show resources with threats due to malware
vulnerability.threatIntel.malware: "true"
vulnerability.threatIntel.malwareName
Use quotes or backticks within values to help you find the malware name you're looking for. Quotes can be used when the value has more than one word.
Examples
Show any findings with this name
vulnerability.threatIntel.malwareName: TROJ_PDFKA.DQ
Show any findings that match exact value
vulnerability.threatIntel.malwareName: `TROJ_PDFKA.DQ`
vulnerability.threatIntel.noPatch
Use the values true | false to define real-time threats due to no patch available.
Example
Show resources with threats due to no patch available
vulnerability.threatIntel.noPatch: "true"
vulnerability.threatIntel.publicExploit
Use the values true | false to define real-time threats due to public exploit.
Example
Show resources with threats due to public exploit
vulnerability.threatIntel.publicExploit: "true"
vulnerability.threatIntel.publicExploitName
Use quotes or backticks within values to help you find the public exploit name of interest. Quotes can be used when the value has more than one word.
Examples
Show any findings with this name
vulnerability.threatIntel.publicExploitName: RealVNC NULL Authentication Mode Bypass
Show any findings that contain parts of name
vulnerability.threatIntel.publicExploitName: "RealVNC NULL Authentication Mode Bypass"
Show any findings that match exact value
vulnerability.threatIntel.publicExploitName: `RealVNC NULL Authentication Mode Bypass`
vulnerability.threatIntel.zeroDay
Use the values true | false to define real-time threats due to zero day exploit.
Example
Show resources with threats due to zero day exploit
vulnerability.threatIntel.zeroDay: "true"
AWS: Internet Gateway
These tokens are available in queries with resource.type:Internet Gateway
internetgateway.state
Use a text value ##### to find internet gateways having a certain state.
Example
Show findings with this state
internetgateway.state: available
internetgateway.vpcId
Use a text value ##### to find resources having a certain VPC ID.
Example
Show findings with this VPC ID
internetgateway.vpcId: vpc-1e37cd76
AWS: Load Balancer
These tokens are available in queries with resource.type:Load Balancer
elb.availabilityZone
Select the availability zone you're interested in. Select from names in the drop-down menu.
Example
Find resources in the us-east-1a availability zone
elb.availabilityZone: us-east-1a
elb.createdTime
Use a date range or specific date to define when the resource was created.
Examples
Show resources created within certain dates
elb.createdTime: [2018-01-01 ... 2018-03-01]
Show resources created starting 2018-01-01, ending 1 month ago
elb.createdTime: [2018-01-01 ... now-1m]
Show resources created starting 2 weeks ago, ending 1 second ago
elb.createdTime: [now-2w ... now-1s]
Show resources created on specific date
elb.createdTime: 2018-01-08
Use a text value ##### to find load balancers with a certain DNS name.
Example
Show findings with this DNS name
elb.dnsName: load-balancer-12345.elb.us-west.amazonaws.com
Use a text value ##### to find resources with a certain instance ID.
Example
Show resources with this instance ID
elb.instanceId: 10.90.0.119
elb.ipAddressType
Use a text value ##### to find load balancers with a certain IP address type.
Example
Show findings with this IP address type
elb.ipAddressType: ipv4
elb.listener.instancePort
Use a text value ##### to find load balancer listeners on a certain instance port.
Example
Show load balancers on this instance port
elb.listener.instancePort: 200
elb.listener.instanceProtocol
Select the load balancer listener instance protocol (HTTP or HTTPS) you're interested in. Select from names in the drop-down menu.
Example
Show findings with this instance protocol
elb.listener.instanceProtocol: HTTPS
elb.listener.loadBalancerPort
Use a text value ##### to find load balancer listeners on a certain load balancer port.
Example
Show findings on this load balancer port
elb.listener.loadBalancerPort: 200
elb.listener.protocol
Select the load balancer listener protocol (HTTP or HTTPS) you're interested in. Select from names in the drop-down menu.
Example
Show findings running on this listener protocol
elb.listener.protocol: HTTP
Use a text value ##### to find load balancer listeners with a certain scheme.
Example
Show findings with this scheme
elb.scheme: internet-facing
elb.securityGroupId
Use a text value ##### to find resources in a certain security group.
Example
Show findings with this security group ID
elb.securityGroupId: sg-1a2b3c4d
Select the load balancer state you're interested in. Select from names in the drop-down menu.
Example
Show findings with this load balancer state
elb.state: active
Use a text value ##### to find load balancers having a certain type.
Example
Show findings with this load balancer type
elb.type: classic
Use a text value ##### to find resources having a certain VPC ID.
Example
Show findings with this VPC ID
elb.vpcId: vpc-1e37cd76
Use a text value ##### to find load balancers in a certain subnet.
Example
Show findings in this subnet
elb.subnet: subnet-cc96efa8
AWS: Network ACL
These tokens are available in queries with resource.type:Network ACL
networkacl.association.subnetId
Use a text value ##### to define resources having an association with a certain subnet.
Example
Show findings with this ID
networkacl.association.subnetId: subnet-6f2cec07
networkacl.cidrBlock
Use a text value ##### to find network ACLs having a certain IPv4 CIDR range.
Example
Show findings with this IPv4 CIDR block
networkacl.cidrBlock: 172.31.0.0/16
networkacl.defaultAcl
Use the values true | false to find a network ACL that is the default network ACL for the VPC.
Examples
Show findings with the default network ACL
networkacl.defaultAcl: true
Show findings not defined with default network ACL
networkacl.defaultAcl: false
networkacl.egress
Use the values true | false to find a network ACL that applies (or doesn't apply) to egress traffic.
Examples
Show findings where the network ACL does apply to egress traffic
networkacl.egress: true
Show findings where it does not apply to egress traffic
networkacl.egress: false
networkacl.ipv6CidrBlock
Use a text value ##### to define the IPv6 CIDR range associated with the network ACL.
Example
Show findings with this IPv6 CIDR block
networkacl.ipv6CidrBlock: 2001:db8::/32
networkacl.portRange.from
Use an integer value ##### to define the start of the port range specified in the network ACL rule entry.
Example
Show findings with rules with port range starting at 1024
networkacl.portRange.from: 1024
networkacl.portRange.to
Use an integer value ##### to define the end of the port range specified in the network ACL rule entry.
Example
Show findings with rules with port range ending at 65535
networkacl.portRange.to: 65535
networkacl.protocol
Use a text value ##### to define the protocol (tcp, udp, etc) specified in the network ACL rule entry.
Example
Show findings with rules for protocol tcp
networkacl.protocol: tcp
networkacl.ruleAction
Use a text value ##### to find network ACLs with a certain rule action (allow or deny).
Example
Show findings with rules that allow matching traffic
networkacl.ruleAction: allow
networkacl.ruleNumber
Use an integer value ##### to find network ACLs with a certain rule number.
Example
Show findings with rule number 130
networkacl.ruleNumber: 130
networkacl.vpcId
Use a text value ##### to define the ID of the VPC for the network ACL.
Example
Show findings with this VPC ID
networkacl.vpcId: vpc-1e37cd76
networkacl.association.id
Use a text value ##### to find network ACLs with a certain association ID.
Example
Show findings with this association ID
networkacl.association.id: aclassoc-3999875b
networkacl.association.networkAclId
Use a text value ##### to find network ACLs having an association with a certain network ACL ID.
Example
Show findings with this ID
networkacl.association.networkAclId: acl-211bf848
AWS: Route Table
These tokens are available in queries with resource.type:Route Table
routetable.main
Use the values true | false to find the main route table for the VPC.
Examples
Show findings for the main route table
routetable.main: true
Show findings that are not the main route table
routetable.main: false
routetable.route.destinationCidrBlock
Use a text value ##### to find route tables having routes with a certain IPv4 CIDR range used for destination match.
Example
Show findings with this IPv4 CIDR range
routetable.route.destinationCidrBlock: 10.0.0.0/16
routetable.route.state
Select a route state (active or blackhole) to help you find route tables having routes with this state. Select from names in the drop-down menu.
Example
Show findings with this route state
routetable.route.state: active
routetable.subnetId
Use a text value ##### to define resources having an association with a certain subnet ID.
Example
Show findings with this ID
routetable.subnetId: subnet-6f2cec07
routetable.vpcId
Use a text value ##### to find resources having a certain VPC ID.
Example
Show findings with this VPC ID
routetable.vpcId: vpc-1e37cd76
routetable.association.id
Use a text value ##### to find route tables with a certain association ID.
Example
Show findings with this ID
routetable.association.id: rtbassoc-781d0d1a
routetable.association.routeTableId
Use a text value ##### to find route tables having a certain route table ID involved in the association between route table and subnet.
Example
Show findings for this ID
routetable.association.routeTableId: rtb-ffbe1297
routetable.route.destinationIpv6CidrBlock
Use a text value ##### to find route tables having routes with a certain IPv6 CIDR range used for destination match.
Example
Show findings with this IPv6 CIDR range
routetable.route.destinationIpv6CidrBlock: 2001:db8::/32
routetable.route.destinationPrefix
Use a text value ##### to find route tables having routes with a certain ID (prefix) of the AWS service.
Example
Show findings with this prefix list ID
routetable.route.destinationPrefix: pl-63a5400a
routetable.route.egressInternetGatewayId
Use a text value ##### to find route tables having routes with a certain egress-only Internet gateway ID.
Example
Show findings with this ID
routetable.route.egressInternetGatewayId: pl-eigw-1234567890
routetable.route.gatewayId
Use a text value ##### to find route tables having routes with a certain virtual private gateway ID.
Example
Show findings with this virtual private gateway ID
routetable.route.gatewayId: igw-12345678
routetable.route.instanceId
Use a text value ##### to find route tables having routes with a certain NAT instance ID.
Example
Show findings with this ID
routetable.route.instanceId: rtb-f8805e91
routetable.route.instanceOwnerId
Use a text value ##### to find route tables having routes with a NAT instance that has a certain owner.
Example
Show findings with this AWS account ID
routetable.route.instanceOwnerId: aws-acct-id
routetable.route.natGatewayId
Use a text value ##### to find route tables having routes with a certain NAT gateway ID.
Example
Show findings with this ID
routetable.route.natGatewayId: local
routetable.route.networkInterfaceId
Use a text value ##### to find route tables having routes with a certain network interface ID.
Example
Show findings with this ID
routetable.route.networkInterfaceId: eni-12345
routetable.route.vpcPeeringId
Use a text value ##### to find route tables having routes with a certain VPC peering connection.
Example
Show findings with this ID
routetable.route.vpcPeeringId: pcx-00197469
AWS: S3 Bucket
These tokens are available in queries with resource.type:S3 Bucket
s3.creationDate
Use a date range or specific date to define when the S3 bucket was created.
Examples
Show S3 buckets created within certain dates
s3.creationDate: [2018-01-01 ... 2018-03-01]
Show S3 buckets created starting 2018-01-01, ending 1 month ago
s3.creationDate: [2018-01-01 ... now-1m]
Show S3 buckets created starting 2 weeks ago, ending 1 second ago
s3.creationDate: [now-2w ... now-1s]
Show S3 buckets created on specific date
s3.creationDate: 2018-01-08
s3.isPubliclyAccessible
Use the values true | false to find s3 buckets that are (or aren't) publicly accessible.
Examples
Show s3 buckets that are publicly accessible
s3.isPubliclyAccessible: true
Show s3 buckets that are not publicly accessible
s3.isPubliclyAccessible: false
Use a text value ##### to define S3 bucket owner ID of interest.
Example
Show findings with this owner ID
s3.ownerId: a3a33997d333416174cb4c27fa89364a2f31b12498ffc
Use values within quotes to help you find the S3 bucket owner name of interest.
Examples
Show any findings with this name
s3.ownerName: Andrew Smith
Show any findings that contain parts of name
s3.ownerName: "Andrew Smith"
AWS: Security Group
These tokens are available in queries with resource.type:Security Group
securitygroup.description
Use values within quotes to help you find security groups with certain keywords in the security group description.
Examples
Show any findings with this description
securitygroup.description: Allow RDP to Windows Machines
Show any findings that contain parts of description
securitygroup.description: "Allow RDP to Windows Machines"
securitygroup.inboundRule.fromPort
Use an integer value ##### to find security groups having inbound rules with a certain from port.
Example
Show findings with this from port
securitygroup.inboundRule.fromPort: 200
securitygroup.inboundRule.ipProtocol
Select an IP protocol (tcp, udp, icmp) to find security groups having inbound rules with a certain IP protocol. Select from names in the drop-down menu.
Example
Show findings with the tcp protocol
securitygroup.inboundRule.ipProtocol: tcp
securitygroup.inboundRule.ipv4Range
Use a text value ##### to find security groups having inbound rules with a certain IPv4 range.
Example
Show findings with this range
securitygroup.inboundRule.ipv4Range: 203.0.113.0/24
securitygroup.inboundRule.ipv6Range
Use a text value ##### to find security groups having inbound rules with a certain IPv6 range.
Example
Show findings with this range
securitygroup.inboundRule.ipv6Range: 2001:db8::/32
securitygroup.inboundRule.toPort
Use an integer value ##### to find security groups having inbound rules with a certain to port.
Example
Show findings with this to port
securitygroup.inboundRule.toPort: 200
securitygroup.name
Use a text value ##### to find security groups with a certain group name in an inbound security group rule.
Example
Show findings with this group name
securitygroup.name: Windows RDP Allow Group
securitygroup.outboundRule.fromPort
Use an integer value ##### to find security groups having outbound rules with a certain from port.
Example
Show findings with this from port
securitygroup.outboundRule.fromPort: 200
securitygroup.outboundRule.ipProtocol
Select an IP protocol (tcp, udp, icmp) to find security groups having outbound rules with a certain IP protocol. Select from names in the drop-down menu.
Example
Show findings with the tcp protocol
securitygroup.outboundRule.ipProtocol: tcp
securitygroup.outboundRule.ipv4Range
Use a text value ##### to find security groups having outbound rules with a certain IPv4 range.
Example
Show findings with this range
securitygroup.outboundRule.ipv4Range: 203.0.113.0/24
securitygroup.outboundRule.ipv6Range
Use a text value ##### to find security groups having outbound rules with a certain IPv6 range.
Example
Show findings with this range
securitygroup.outboundRule.ipv6Range: 2001:db8::/32
securitygroup.outboundRule.toPort
Use an integer value ##### to find security groups having outbound rules with a certain to port.
Example
Show findings with this to port
securitygroup.outboundRule.toPort: 151
securitygroup.vpcId
Use an integer value ##### to find resources having a certain VPC ID.
Example
Show findings with this VPC ID
securitygroup.vpcId: vpc-1e37cd76
AWS: Vulnerability Tokens
association.instances.vulnerability.qid
Use an integer value ##### to define the QID in question.
Example
Show findings with QID 90405
association.instances.vulnerability.qid:90405
association.instances.vulnerability.severity
Select a severity (1-5) to find resources having vulnerabilities with this severity. Select from values in the drop-down menu.
Example
Show findings with severity 4
association.instances.vulnerability.severity:4
Select a severity (1-5) to find resources having vulnerabilities with this customized severity. Select from values in the drop-down menu.
Example
Show findings with severity 3
association.instances.vulnerability.customerSeverity:3
association.instances.vulnerability.exploitability
Use quotes or backticks within values to help you find known exploit description you're looking for. Quotes can be used when the value has more than one word.
Examples
Show any findings related to this description
association.instances.vulnerability.exploitability: GIF Parser Heap
Show any findings that contain "GIF", "Parser" or "Heap" in description
association.instances.vulnerability.exploitability: "GIF Parser Heap"
Show any findings that match exact value
association.instances.vulnerability.exploitability: `GIF Parser Heap`
association.instances.vulnerability.patchAvailable
Use the values true | false to define vulnerabilities with patch available.
Examples
Show findings with patch available
association.instances.vulnerability.patchAvailable: "true"
Show findings with no patch available
association.instances.vulnerability.patchAvailable: "false"
association.instances.vulnerability.firstFound
Use a date range or specific date to define when findings were first found.
Examples
Show findings first found within certain dates
association.instances.vulnerability.firstFound: [2015-10-21 ... 2015-10-30]
Show findings first found starting 2015-10-01, ending 1 month ago
association.instances.vulnerability.firstFound: [2015-10-01 ... now-1M]
Show findings first found starting 2 weeks ago, ending 1 second ago
association.instances.vulnerability.firstFound: [now-2w ... now-1s]
Show findings first found on certain date
association.instances.vulnerability.firstFound:'2015-11-11'
association.instances.vulnerability.lastFound
Use a date range or specific date to define when findings were last found.
Examples
Show findings last found within certain dates
association.instances.vulnerability.lastFound: [2015-10-21 ... 2016-01-15]
Show findings last found starting 2016-01-01, ending 1 month ago
association.instances.vulnerability.lastFound: [2016-01-01 ... now-1M]
Show findings last found starting 2 weeks ago, ending 1 second ago
association.instances.vulnerability.lastFound: [now-2w ... now-1s]
Show findings last found on certain date
association.instances.vulnerability.lastFound:'2016-01-11'
Show findings last found on 2017-01-12 with patch available
vulnerabilities: (lastFound: '2017-01-12' AND association.instances.vulnerability.patchAvailable: "true")
association.instances.vulnerability.title
Use quotes or backticks within values to help you find the title you're looking for. Quotes can be used when the value has more than one word.
Examples
Show any findings related to this title
association.instances.vulnerability.title: Remote Code Execution
Show any findings that contain "Remote" or "Code" in title
association.instances.vulnerability.title: "Remote Code"
Show any findings that match exact value
association.instances.vulnerability.title: `Remote Code`
association.instances.vulnerability.description
Use quotes or backticks within values to help you find the vulnerability description you're looking for. Quotes can be used when the value has more than one word.
Examples
Show any findings related to description
association.instances.vulnerability.description: remote code execution
Show any findings that contain "remote" or "code" in description
association.instances.vulnerability.description: "remote code execution"
Show any findings that match exact value
association.instances.vulnerability.description: `remote code execution`
association.instances.vulnerability.cveIds
Use a text value ##### to find the CVE name you're interested in.
Example
Show findings with CVE name CVE-2015-0313
association.instances.vulnerability.cveIds: CVE-2015-0313
association.instances.vulnerability.category
Select a category (CGI, Database, Debian, OEL, etc) to find vulnerabilities with this category. Select from names in the drop-down menu.
Example
Show findings with the category CGI
association.instances.vulnerability.category: "CGI"
Use an integer value ##### to help you find the CVSS base score you're interested in.
Example
Show resources with this score
association.instances.vulnerability.cvssInfo.baseScore: 7.8
Use an integer value ##### to help you find the CVSS temporal score you're interested in.
Example
Show resources with this score
association.instances.vulnerability.cvssInfo.temporalScore: 6.4
Select the name ##### of a CVSS access vector you'd like to find (e.g. UNDEFINED, LOCAL_ACCESS, ADJACENT_NETWORK, NETWORK). Select from names in the drop-down menu.
Example
Show findings with this name
association.instances.vulnerability.cvssInfo.accessVector: "NETWORK"
instance.securityGroup.name
Use a text value ##### to find the security group name you're looking for.
Examples
Find security group related to name
instance.securityGroup.name: abc.qualys.com
Find security group that match exact value
instance.securityGroup.name: `abc.qualys.com`
association.instances.publicIpAddress
Use a text value ##### to define a public IPv4 address or range of IPs you're interested in.
Examples
Find security groups with this public IP address
association.instances.publicIpAddress: 52.70.141.154
Find security groups within this IP range
association.instances.publicIpAddress: [52.70.141.154 ... 52.70.141.164]
association.instances.vulnerability.port
Use an integer value ##### to help you find assets with some open port.
Example
Show vulnerability with port 80
association.instances.vulnerability.port: 80
association.instances.vulnerability.protocol
Use a text value ##### (UDP or TCP) to define the port protocol you're interested in.
Examples
Show findings found on TCP
association.instances.vulnerability.protocol: TCP
Show findings found on port 80 and TCP
vulnerability: (port: 80 AND protocol: TCP)
Threat Protection
(For Threat Protection users) Use these tokens for searching Real-Time Threat Indicators (RTI).
Use the values true | false to define real-time threats due to active attacks.
Example
Show resources with threats due to active attacks
association.instances.vulnerability.threatIntel.activeAttacks: "true"
Use the values true | false to define real-time threats due to denial of service.
Example
Show resources with threats due to denial of service
association.instances.vulnerability.threatIntel.denialOfService: "true"
Use the values true | false to define real-time threats due to easy exploit.
Example
Show resources with threats due to easy exploit
association.instances.vulnerability.threatIntel.easyExploit: "true"
Use the values true | false to define real-time threats due to exploit kit.
Example
Show resources with threats due to exploit kit
association.instances.vulnerability.threatIntel.exploitKit: "true"
Use quotes or backticks within values to help you find the exploit kit name you're looking for. Quotes can be used when the value has more than one word.
Examples
Show any findings with this name
association.instances.vulnerability.threatIntel.exploitKitName: Angler
Show any findings that match exact value
association.instances.vulnerability.threatIntel.exploitKitName: `Angler`
Use the values true | false to define real-time threats due to high data loss.
Example
Show resources with threats due to high data loss
association.instances.vulnerability.threatIntel.highDataLoss: "true"
Use the values true | false to define real-time threats due to high lateral movement.
Example
Show resources with threats due to high lateral movement
association.instances.vulnerability.threatIntel.highLateralMovement: "true"
Use the values true | false to define real-time threats due to malware.
Example
Show resources with threats due to malware
association.instances.vulnerability.threatIntel.malware: "true"
Use quotes or backticks within values to help you find the malware name you're looking for. Quotes can be used when the value has more than one word.
Examples
Show any findings with this name
association.instances.vulnerability.threatIntel.malwareName: TROJ_PDFKA.DQ
Show any findings that match exact value
association.instances.vulnerability.threatIntel.malwareName: `TROJ_PDFKA.DQ`
Use the values true | false to define real-time threats due to no patch available.
Example
Show resources with threats due to no patch available
association.instances.vulnerability.threatIntel.noPatch: "true"
Use the values true | false to define real-time threats due to public exploit.
Example
Show resources with threats due to public exploit
association.instances.vulnerability.threatIntel.publicExploit: "true"
Use quotes or backticks within values to help you find the public exploit name of interest. Quotes can be used when the value has more than one word.
Examples
Show any findings with this name
association.instances.vulnerability.threatIntel.publicExploitName: RealVNC NULL Authentication Mode Bypass
Show any findings that contain parts of name
association.instances.vulnerability.threatIntel.publicExploitName: "RealVNC NULL Authentication Mode Bypass"
Show any findings that match exact value
association.instances.vulnerability.threatIntel.publicExploitName: `RealVNC NULL Authentication Mode Bypass`
Use the values true | false to define real-time threats due to zero day exploit.
Example
Show resources with threats due to zero day exploit
association.instances.vulnerability.threatIntel.zeroDay: "true"
AWS: Subnet
These tokens are available in queries with resource.type:Subnet
subnet.autoAssignIpv6Address
Use the values true | false to find a subnet with auto-assign IPv6 addresses enabled.
Examples
Show subnets with auto-assign IPv6 address
subnet.autoAssignIpv6Address: true
Show subnets without auto-assign IPv6 address
subnet.autoAssignIpv6Address: false
subnet.autoAssignPublicIp
Use the values true | false to find subnets where a public IPv4 address is assigned on launch.
Examples
Show subnets with public IP address assigned on launch
subnet.autoAssignPublicIp: true
Show subnets without public IP address assigned on launch
subnet.autoAssignPublicIp: false
subnet.availabilityZone
Use a text value ##### to find subnets by availability zone.
Example
Show findings in the us-east-1a availability zone
subnet.availabilityZone: us-east-1a
subnet.availableIpCount
Use a text value ##### to find subnets by available IP count.
Example
Show findings with this available IP count
subnet.availableIpCount: 4091
subnet.cidrBlock
Use a text value ##### to find resources having a certain IPv4 CIDR block.
Example
Show findings with this IPv4 CIDR block
subnet.cidrBlock: 172.31.0.0/16
subnet.defaultSubnet
Use the values true | false to find the default subnet.
Examples
Show subnets that are the default
subnet.defaultSubnet: true
Show subnets that are not the default
subnet.defaultSubnet: false
subnet.ipv6CidrBlock
Use a text value ##### to find resources having a certain IPv6 CIDR block.
Example
Show findings with this IPv6 CIDR block
subnet.ipv6CidrBlock: 2001:db8::/32
Use a text value ##### to find resources with a certain VPC ID.
Example
Show findings with this VPC ID
subnet.vpcId: vpc-1e37cd76
AWS: VPC
These tokens are available in queries with resource.type:VPC
Use a text value ##### to help you find resources (VPCs/subnets) having a certain IPv4 CIDR block.
Example
Show findings with this IPv4 CIDR block
vpc.cidrBlock: 172.31.0.0/16
Use the values true | false to find the default VPC.
Examples
Show VPCs that are the default
vpc.defaultVpc: true
Show VPCs that are not the default
vpc.defaultVpc: false
vpc.instanceTenancy
Use values within quotes to find VPCs with certain instance tenancy.
Examples
Show any findings with this tenancy
vpc.instanceTenancy: default
Show findings that contain parts of tenancy
vpc.instanceTenancy: "default"
vpc.ipv6CidrBlock
Use a text value ##### to find resources (VPCs/subnets) with a certain IPv6 CIDR block.
Example
Show findings with this IPv6 CIDR block
vpc.ipv6CidrBlock: 2001:db8::/32
AWS: RDS
These tokens are available in queries with resource.type:RDS
rds.dbInstanceIdentifier
Use a text value ##### to help you find resources (RDS) having a certain DB instance name.
Example
Show RDS resources with this DB instance name
rds.dbInstanceIdentifier: RDSdatabasename
rds.endpoint.port
Use a text value ##### to find RDS resources with specified port as endpoint.
Examples
Show RDS resources that use this port as endpoint
rds.endpoint.port: 5432
Use values within quotes to find resources with certain engine name.
Examples
Show RDS resources with this engine name
rds.engine: mysql
rds.instanceClass
Use a text value ##### to find resources (RDS) with a certain size.
Example
Show RDS resources with this size
rds.instanceClass: db.t2.micro
rds.publiclyAccessible
Use the values true | false to find if the resource is publicly accessible or not.
Examples
Show RDS resources that are publicly accessible
rds.publiclyAccessible: true
Show RDS resources that are not publicly accessible
rds.publiclyAccessible: false
rds.securityGroup.id
Use a text value ##### to find RDS resources with specified security group Id.
Examples
Show RDS resources with this security group Id.
rds.securityGroup.id: sg-3abe5246
Use a text value ##### to find resources (RDS) with a certain state.
Example
Show RDS resources that are available
rds.status: available
rds.subnetGroup.dbSubnetVpcId
Use a text value ##### to find resources (RDS) with a certain VPC Id.
Example
Show RDS resources with this VPC Id
rds.subnetGroup.dbSubnetVpcId: vpc-1e37cd7e
AWS: EBS Volume
These tokens are available in queries with resource.type:EBS Volume
ebsvolume.encrypted
Use the values true | false to know if the resource is encrypted or not.
Examples
Show EBS volume resources that are encrypted.
ebsvolume.encrypted: true
ebsvolume.instance
Use a text value ##### to find EBS Volume resources with a certain instance ID.
Examples
Show resources with this instance ID
ebsvolume.instance: i-045d8dd17d8a2a96f
ebsvolume.state
Use available or in-use state to find EBS volume instances with a certain state.
Example
Show running EBS volume instances
ebsvolume.state: in-use
ebsvolume.volumeId
Use a text value ##### to find resources (EBS volume) with a certain volumeId.
Example
Show resources with this volumeId
ebsvolume.volumeId: vol-0ac36138436791ca5
AWS: Lambda Function
lambda.tracingConfig
Use the values Active or Passthrough to decide if we can sample and trace a subset of incoming requests with AWS X-Ray.
Example
Show resources that allow sampling and tracing of incoming requests with AWS X-Ray. Use Active to achieve this.
lambda.tracingConfig: Active
Use a numeric value ##### in seconds to find resources (Lambda function) with a certain timeout value. Timeout is the amount of time that Lambda allows a function to run before stopping it. By default, it is 3 seconds. Maximum allowable timeout value is 900 seconds.
Example
Show resources with this volumeId
lambda.timeout: vol-0ac36138436791ca5
Use a text value ##### to find resources (Lambda function) with a certain role name.
Example
Show resources with role name as sample_role_lambda
lambda.role: sample_role_lambda
Use a text value ##### to find resources (Lambda function) based on the programming language used to write the lambda function.
Example
Show resources that are written in Python 2.7
lambda.runtime: python2.7
lambda.functionName
Use a text value ##### to find resources (Lambda function) with a certain name.
Example
Show resources with exact name match as sample_lambda_function
lambda.functionName: sample_lambda_function
lambda.memorySize
Use a numeric value ##### to find resources (Lambda function) based on memory size (in MB) assigned to lambda function for execution.
Example
Show resources with 128 MB memory allocated for execution
lambda.memorySize: 128
lambda.trigger.arn
Use a value ##### to define the Amazon Resource Name (ARN) that would trigger the Lambda function.
Example
Show resources that are triggered on specified ARN
lambda.trigger.arn: arn:aws:iam::383031258652:user/LOCAL_1234
lambda.trigger.type
Use a text value ##### to define the type of trigger that initiates execution of the Lambda function.
Example
Show resources that are triggered on s3 type
lambda.trigger.type: s3
lambda.layer.name
Use a text value ##### to find resources (Lambda function) with name of layer assigned to the lambda function.
Example
Show resources with this name assigned to the layer
lambda.layer.name: Sample_layer_name
Use a text value ##### to find resources (Lambda function) associated with a certain VPCID.
Example
Show resources with this VPCID
lambda.vpcId: vpc-4bd3013
Use a text value ##### to define the key of an AWS or Azure tag assigned to the Lambda function (case sensitive).
Example
Show resources with key Department
tag.key: Department
Use a text value ##### to define the value of an AWS or Azure tag assigned to the resource (case sensitive).
Example
Show resources with tag value Finance
tag.value: Finance
AWS: EKS Cluster
ekscluster.name
Use a text value ##### to find resources (EKS Cluster) with specific name.
Example
Show resources with specific name.
ekscluster.name: testCluster
ekscluster.status
Use to search for EKS Clusters with certain status. Select the status (ACTIVE, UPDATING, FAILED, etc.) of EKS Cluster you're interested in.
Example
Show resources with ACTIVE status
ekscluster.status: ACTIVE
ekscluster.version
Use Kubernetes versions such as 1.15, 1.16, 1.18, etc. to find EKS Clusters with the specified Kubernetes version.
Example
Show resources with specified Kubernetes version
ekscluster.version: 1.18
ekscluster.platformVersion
Use a text value ##### to find resources (EKS Cluster) with specified EKS Cluster platform version.
Example
Show resources with specified platform version
ekscluster.platformVersion: eks.3
ekscluster.endpointPublicAccess
Use the values true | false to define whether the EKS Cluster has API server public endpoint access.
Example
Show resources with public endpoint access of API server
ekscluster.endpointPublicAccess: true
ekscluster.endpointPrivateAccess
Use the values true | false to define whether the EKS Cluster has API server private endpoint access.
Example
Show resources with private endpoint access of API server
ekscluster.endpointPrivateAccess: true
ekscluster.endpoint
Use a text value ##### to find resources (EKS Cluster) with certain API server endpoint.
Example
Show resources with specified API server endpoint
ekscluster.endpoint: https://F41FF93B0AF978CF32886442BF14945B.sk1.ap-south-1.eks.amazonaws.com
ekscluster.role.name
Use a text value ##### to find resources (EKS Cluster) with IAM role name.
Example
Show resources with specified IAM role name
ekscluster.role.name: eksclusterrole
ekscluster.eksnodegroup.name
Use a text value ##### to find resources (EKS Cluster) with the associated node group name.
Example
Show resources with specified associated node group name
ekscluster.eksnodegroup.name: testNodeGroup
ekscluster.fargateprofile.name
Use a text value ##### to find resources (EKS Cluster) with the associated Fargate Profile name.
Example
Show resources with specified associated Fargate Profile name
ekscluster.fargateprofile.name: testFargate
ekscluster.vpcId
Use a text value ##### to find resources (EKS Cluster) with a VPC Id.
Example
Show resources with specified VPC Id
ekscluster.vpcId: vpc-b00ce2db
ekscluster.subnetId
Use a text value ##### to find resources (EKS Cluster) with a subnet Id.
Example
Show resources with specified subnet Id
ekscluster.subnetId: subnet-d17cf3aa
AWS: EKS Node Group
eksnodegroup.name
Use a text value ##### to find resources (EKS Node Group) with specific name.
Example
Show resources with specific name.
eksnodegroup.name: testNodeGroup
eksnodegroup.status
Use to search for EKS Node Group with certain status. Select the status (ACTIVE, UPDATING, FAILED, etc.) of EKS Node Group you're interested in.
Example
Show resources with ACTIVE status
eksnodegroup.status: ACTIVE
eksnodegroup.version
Use Kubernetes versions such as 1.15, 1.16, 1.18, etc. to find EKS Node Group with the specified Kubernetes version.
Example
Show resources with specified Kubernetes version
eksnodegroup.version: 1.18
eksnodegroup.desiredSize
Use a number to find resources (EKS Node Group) with desired node size.
Example
Show resources with specified node size
eksnodegroup.desiredSize: 1
eksnodegroup.amiType
Use a text value ##### to find resources (EKS Node Group) with the ami type of the EKS worker nodes.
Example
Show resources with specified ami type of EKS worker nodes
eksnodegroup.amiType: AL2_x86_64
eksnodegroup.instanceType
Use a text value ##### to find resources (EKS Node Group) with certain instance type.
Example
Show resources with specified instance type
eksnodegroup.instanceType: t3.micro
eksnodegroup.diskSize
Use a disk Size value to find resources (EKS Node Group) with certain disk Size.
Example
Show resources with specified disk size value
eksnodegroup.diskSize: 20
eksnodegroup.minSize
Use a number to find resources (EKS Node Group) with minimum node group size.
Example
Show resources with specified minimum node group size
eksnodegroup.minSize: 1
eksnodegroup.maxSize
Use a number to find resources (EKS Node Group) with maximum node group size.
Example
Show resources with specified maximum node group size
eksnodegroup.maxSize: 1
eksnodegroup.labels.key
Use a text value ##### to find resources (EKS Node Group) with the Kubernetes label key.
Example
Show resources with specified Kubernetes label key
eksnodegroup.labels.key: testLabelKey
eksnodegroup.labels.value
Use a text value ##### to find resources (EKS Node Group) with the Kubernetes label value.
Example
Show resources with specified Kubernetes label value
eksnodegroup.labels.value: testLabelValue
eksnodegroup.role.name
Use a text value ##### to find resources (EKS Node Group) with IAM role name.
Example
Show resources with specified IAM role name
eksnodegroup.role.name: nodeGroupRole
eksnodegroup.subnetId
Use a text value ##### to find resources (EKS Node Group) with a subnet Id.
Example
Show resources with specified subnet Id
eksnodegroup.subnetId: subnet-d17cf3aa
eksnodegroup.autoScalingGroup.Name
Use a text value ##### to find resources (EKS Node Group) with the associated auto scaling group.
Example
Show resources with specified auto scaling group name
eksnodegroup.autoScalingGroup.Name: eks-ecbbcabe-6a2c-9e3b-41a9-0670c6d325a1
eksnodegroup.ekscluster.name
Use a text value ##### to find resources (EKS Node Group) with associated EKS cluster name.
Example
Show resources with specified EKS cluster name
eksnodegroup.ekscluster.name: testCluster
eksnodegroup.securityGroup
Use a text value ##### to find resources (EKS Node Group) with associated security group.
Example
Show resources with specified security group
eksnodegroup.securityGroup: nodeGroupRole
AWS: EKS Fargate Profile
eksfargateprofile.name
Use a text value ##### to find resources (EKS Fargate Profile) with specific name.
Example
Show resources with specific name.
eksfargateprofile.name: testNodeGroup
eksfargateprofile.status
Use to search for EKS Fargate Profile resources with certain status. Select the status (ACTIVE, UPDATING, FAILED, etc.) of EKS Fargate Profile you're interested in.
Example
Show resources with ACTIVE status
eksfargateprofile.status: ACTIVE
eksfargateprofile.selectors.namespace.name
Use a text value ##### to find resources (Fargate Profile) with the associated selector namespace.
Example
Show resources with specified associated selector namespace
eksfargateprofile.selectors.namespace.name: testSelectorNameSpace
eksfargateprofile.selectors.namespace.labels.key
Use a text value ##### to find resources (Fargate Profile) with the associated selector namespace's key.
Example
Show resources with specified key of the associated selector namespace
eksfargateprofile.selectors.namespace.labels.key: testLabelKey
eksfargateprofile.selectors.namespace.labels.value
Use a text value ##### to find resources (Fargate Profile) with the associated selector namespace's value.
Example
Show resources with specified value of the associated selector namespace
eksfargateprofile.selectors.namespace.labels.value: testLabelValue
eksfargateprofile.role.name
Use a text value ##### to find resources (Fargate Profile) with IAM role name.
Example
Show resources with specified IAM role name
eksfargateprofile.role.name: fargateRole
eksfargateprofile.subnetId
Use a text value ##### to find resources (Fargate Profile) with a subnet Id.
Example
Show resources with specified subnet Id
eksfargateprofile.subnetId: subnet-d17cf3aa
eksfargateprofile.ekscluster.name
Use a text value ##### to find resources (Fargate Profile) with associated EKS cluster name.
Example
Show resources with specified EKS cluster name
eksfargateprofile.ekscluster.name: testCluster