Searching for Microsoft Azure Resources

Use the search tokens below to search for discovered resources. You must first choose a cloud provider on the Resources tab to see the relevant tokens for your environment.

General

account.id

Use a text value ##### to show resources based on the unique account ID associated with the connector at the time of creation.

Example

Show findings with this account ID

account.id: 205767712438

account.alias

Use a text value ##### to show connectors based on the account alias associated with the connector at the time of creation.

Example

Show connectors with this account alias

account.alias: Example_connector

azure.subscriptionName

Use a text value ##### to find Azure connectors based on the subscription name associated with the connector at the time of creation.

Example

Show connectors with this subscription name

azure.subscriptionName: Sample Cloud Subscription

created

Use a date range or specific date to define when the resource was created.

Examples

Show resources created within certain dates

created: [2018-01-01 ... 2018-03-01]

Show resources created starting 2018-10-01, ending 1 month ago

created: [2018-01-01 ... now-1m]

Show resources created starting 2 weeks ago, ending 1 second ago

created: [now-2w ... now-1s]

Show resources created on specific date

created: 2018-01-08

updated

Use a date range or specific date to define when the resource was last updated.

Examples

Show resources updated within certain dates

updated: [2018-01-01 ... 2018-03-01]

Show resources updated starting 2018-10-01, ending 1 month ago

updated: [2018-01-01 ... now-1m]

Show resources updated starting 2 weeks ago, ending 1 second ago

updated: [now-2w ... now-1s]

Show resources updated on specific date

updated: 2018-01-08

name

Use backticks to help you find the exact match of the resource name you're looking for.

Examples

Show any findings with this name

name: my-resource

Show all the findings that exactly match with this name

name: `my-resource`

provider

Select the name of the cloud service provider you're interested in. Select from names in the drop-down menu.

Example

Find resources synced from Microsoft Azure

provider: Azure

region

Select the name of the region you're interested in. Select from names in the drop-down menu.

Example

Find resources in the Singapore region

region: Singapore

resource.id

Use a text value ##### to find resources by the unique ID assigned to the resource.

Example

Show resources with ID acl-8e5198f5

resource.id: acl-8e5198f5

resource.type

Select the type of resource you're interested in. Select from names in the drop-down menu.

Example

Show resources of type Instance

resource.type: Instance

tag.key

Use a text value ##### to define the key of an Azure tag assigned to the resource (case sensitive).

Example

Show findings with key Department

tag.key: Department

tag.value

Use a text value ##### to define the value of an Azure tag assigned to the resource (case sensitive).

Example

Show findings with tag value Finance

tag.value: Finance

tags.name

Use values within quotes or backticks to help you find the resources with the specified tag you're looking for.

Example

Show any findings that contain "network" and "blue" in name

tags.name: "network blue"

Show any findings that contain "network" or "blue" in name (another method)

tags.name: "network" OR tags.name: "blue"

Show any findings that match exact value "Cloud Agent"

tags.name: "Cloud Agent"

and

Use a boolean query to express your query using AND logic.

Example

Show findings with account ID 205767712438 and type Subnet

account.id: 205767712438 and resource.type: Subnet

not

Use a boolean query to express your query using NOT logic.

Example

Show findings that are not region Hong Kong

not region: Hong Kong

or

Use a boolean query to express your query using OR logic.

Example

Show findings with one of these tag values

tag.value: Finance or tag.value: Accounting

projectId

Use a text value ##### to find GCP resources with a certain project Id.

Example

Show resources with this projectId

projectId: my-project-1513669048551

Azure: General

azure.location

Select the name of the Azure location you're interested in. Select from names in the drop-down menu.

Example

Find resources in this location

azure.location: Frankfurt

azure.resourceGroupName

Use a text value ##### to find resources by the resource group name.

Example

Show resources with this group name

azure.resourceGroupName: my-eastus-rg

subscriptionId

Use a text value ##### to find resources by the subscription ID.

Example

Show resources with this subscription ID

subscriptionId: fbb9ea64-abda-452e-adfa-83442409

Azure: SQL Server

These tokens are available in queries with resource.type:SQL Server

sqlserver.type

Use a text value ##### to find resources by the SQL Server type.

Example

Show resources with this type

sqlserver.type: Microsoft.sql

sqlserver.fullyQualifiedDomainName

Use a text value ##### to find resources by the SQL Server Fully Qualified Domain Name (FQDN).

Example

Show resources with this FQDN

sqlserver.fullyQualifiedDomainName: severname.database.windows.net

sqlserver.version

Use a text value ##### to find resources by the SQL Server version.

Example

Show resources with this version

sqlserver.version: 12

sqlserver.state

Use a text value ##### to find resources by the current SQL Server state.

Example

Show resources with this state

sqlserver.state: ready

Azure: SQL Server Database

These tokens are available in queries with resource.type:SQL Server Database

sqldatabase.edition

Select the database edition (basic, standard, premium) you're interested in. Select from names in the drop-down menu.

Example

Find resources with standard edition

sqldatabase.edition: standard

sqldatabase.status

Select the database status (online, offline, restoring, etc) you're interested in. Select from names in the drop-down menu.

Example

Show online databases

sqldatabase.status: online

Azure: Virtual Machine

These tokens are available in queries with resource.type:Virtual Machine

virtualmachine.vmId

Use a text value ##### to find resources by the virtual machine ID.

Example

Show resources with this virtual machine ID

virtualmachine.vmId: MyVMID

connector.remediationEnabled

Use true to view the resources associated with the connector for which remediation is enabled.

Example

Show resources associated with the connector for which remediation is enabled

connector.remediationEnabled: TRUE

virtualmachine.vmSize

Use a text value ##### to find resources by size of the virtual machine.

Example

Show resources with this virtual machine size

virtualmachine.vmSize: Standard_DS1_v2

virtualmachine.networkSecurityGroup

Use a text value ##### to find the network security group of the virtual machine.

Example

Show resources with this network security group

virtualmachine.networkSecurityGroup: myNSG

virtualmachine.osType

Use a text value ##### to find VMs with the specified OS type.

Example

Show VMs with specified OS Type.

virtualmachine.osType: Windows

virtualmachine.agentInstalled

Use True | False to find VMs with agents installed on them.

Example

Show VMs with agents installed.

virtualmachine.agentInstalled: True

virtualmachine.hasThreats

Use the values true | false to find virtual machines that have threats identified.

Example

Show resources with threats identified

virtualmachine.hasThreats: True

virtualmachine.publicIpAddress

Use a text value ##### to find virtual machines with a certain IP address.

Example

Show resources with this IP address

virtualmachine.publicIpAddress: 13.126.125.189

virtualmachine.status

Select the status (Creating, Deleting, Updating, etc.) of the virtual machine you're interested in. Select the required status from the drop-down menu.

Example

Show virtual machines with VM running status

virtualmachine.status: VM running

virtualmachine.networkInterface.subnetId

Use a text value ##### to find VMs with a certain network interface address ID.

Example

Show findings with this address ID

virtualmachine.networkInterface.subnetId: id-12345

virtualmachine.networkInterface.privateDnsName

Use a text value ##### to find VMs having network interface with a certain private DNS name.

Example

Show findings with this private DNS name

virtualmachine.networkInterface.privateDnsName: ip-172-31-33-67.us-east-2.compute.internal

virtualmachine.networkInterface.privateIpAddress

Use a text value ##### to find VMs having network interface with a certain private IP address.

Example

Show findings with this private IP

virtualmachine.networkInterface.privateIpAddress: 172.31.28.151

virtualmachine.networkInterface.secondaryPrivateIp

Use a text value ##### to find VMs having network interfaces with a certain secondary private IP address.

Example

Show findings with this secondary private IP

virtualmachine.networkInterface.secondaryPrivateIp: 10.0.0.85

virtualmachine.networkInterface.publicIp

Use a text value ##### to find VMs having network interfaces with a certain public IP address.

Example

Show findings with this public IP address

virtualmachine.networkInterface.publicIp: 13.126.125.189

virtualmachine.networkInterface.ipv6Ip

Use a text value ##### to find VMs having network interfaces with a certain IPv6 IP address.

Example

Show findings with this IPv6 address

virtualmachine.networkInterface.ipv6Ip: 2010:ab2::1234:zzz:2002:1f

virtualmachine.isDockerHost

Use the values true | false to define whether the instance has Docker installed on the host.

Example

Show VMs with docker installed on the host

virtualmachine.isDockerHost:true

Show VMs without docker installed on the host

virtualmachine.isDockerHost:false

virtualmachine.docker.version

Use a text value ##### to define the Docker version you are looking for.

Example

Show VMs with specified docker version

virtualmachine.docker.version:8.2

virtualmachine.riskScore

Use an integer value (0-1000) to search for all the Azure VMs with the specified risk score.

Example

Show all VMs with a risk score greater than 125

virtualmachine.riskScore > 125

Show all VMs with a risk score of 125

virtualmachine.riskScore: 125

Azure: Virtual Network

These tokens are available in queries with resource.type:Virtual Network

virtualnetwork.type

Use a text value ##### to find resources by the virtual network type.

Example

Show resources with this virtual network type

virtualnetwork.type: Microsoft.Network/virtualNetworks

Azure: Network Interface

networkinterfaces.provisoningState

Find network interfaces based on their provisioning state (Deleting, Failed, Succeeded, Updating). Select the required state from the drop-down menu.

Example

Show network interfaces in Succeeded state.

networkinterfaces.provisoningState: Succeeded

networkinterfaces.subnet.id

Find network interfaces based on their subnet ID.

Example

Show network interfaces with the specified ID.

networkinterfaces.subnet.id:/subscriptions/xxxxxx-xxxx-xxxx-xxxx-xxxxx8c0586/resourceGroups/azure_resource_group/providers/Microsoft.Network/virtualNetworks/customtest/subnets/subnet2

networkinterfaces.macAddress

Find network interfaces based on their MAC Address.

Example

Show network interfaces with the MAC Address.

networkinterfaces.macAddress:7C-1E-52-19-1F-3C

networkinterfaces.enableAcceleratedNetworking

Select (Enabled, Disabled) to find Network Interfaces with Accelerated Networking enabled/disabled.

Example

Show network interfaces with the Accelerated Networking enabled.

networkinterfaces.enableAcceleratedNetworking:Enabled

networkinterfaces.vnetEncryptionSupported

Select (True, False) to find Network Interfaces that support VNET encryption. 

Example

Show network interfaces supporting VNET Encryption.

networkinterfaces.vnetEncryptionSupported: true

networkinterfaces.enableIPForwarding

Select (True, False) to find Network Interfaces with IP Forwarding enabled or disabled.

Example

Show network interfaces with IP Forwarding enabled:

networkinterfaces.enableIPForwarding: true

networkinterfaces.disableTcpStateTracking

Select (True, False) to find Network Interfaces with TCP State Tracking disabled or enabled.

Example

Show network interfaces with TCP State Tracking disabled:

networkinterfaces.disableTcpStateTracking: true

networkinterfaces.networkSecurityGroup.id

Provide a string value to find Network Interfaces associated with a specific Network Security Group ID.

Example

Find Network Interfaces associated with the specified Network Security Group ID

networkinterfaces.networkSecurityGroup.id: /subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkSecurityGroups/myNSG

Azure: PostgreSQL Single Server

postgresingleserver.backupRetentionDays

Provide an integer value to find PostgreSQL Single Servers with the specified backup retention period in days.

Example

Find PostgreSQL Single Servers with a 14-day backup retention period.

postgresingleserver.backupRetentionDays: 14

postgresingleserver.geoRedundantBackup

Select (True, False) to find PostgreSQL Single Servers with geo-redundant backup enabled or disabled.

Example

Show PostgreSQL Single Servers with geo-redundant backup enabled

postgresingleserver.geoRedundantBackup: true

postgresingleserver.sslEnforcement

Select (True, False) to find PostgreSQL Single Servers with SSL enforcement enabled or disabled.

Example

Show PostgreSQL Single Servers with SSL enforcement enabled

postgresingleserver.sslEnforcement: true

postgresingleserver.byokEnforcement

Select (True, False) to find PostgreSQL Single Servers with Bring Your Own Key (BYOK) enforcement enabled or disabled.

Example

Show PostgreSQL Single Servers with BYOK enforcement enabled

postgresingleserver.byokEnforcement: true

postgresingleserver.storageAutogrow

Select (True, False) to find PostgreSQL Single Servers with storage auto-grow enabled or disabled.

Example

Show PostgreSQL Single Servers with storage auto-grow enabled

postgresingleserver.storageAutogrow: true

postgresingleserver.publicNetworkAccess

Select (True, False) to find PostgreSQL Single Servers with public network access enabled or disabled.

Example

Show PostgreSQL Single Servers with public network access disabled 

postgresingleserver.publicNetworkAccess: false

postgresingleserver.skuTier

Find PostgreSQL Single Servers based on their SKU tier (Basic, GeneralPurpose, MemoryOptimized). Select the required tier from the drop-down menu.

Example

Show PostgreSQL Single Servers with the General Purpose tier

postgresingleserver.skuTier: GeneralPurpose

postgresingleserver.minimalTlsVersion

Find PostgreSQL Single Servers based on their minimal TLS version (TLS1_0, TLS1_1, TLS1_2, TLS1_3). Select the required version from the drop-down menu.

Example

Show PostgreSQL Single Servers with minimal TLS version 1.2

postgresingleserver.minimalTlsVersion: TLS1_2

Azure: Load Balancer

loadbalancer.sku.name

Find Load Balancers based on their SKU name (Basic, Gateway, Standard). Select the required SKU name from the drop-down menu.

Example

Show Load Balancers with the Standard SKU

loadbalancer.sku.name: Standard

loadbalancer.sku.tier

Find Load Balancers based on their SKU tier (Global, Regional). Select the required tier from the drop-down menu.

Example

Show Load Balancers with the Regional tier

loadbalancer.sku.tier: Regional

loadbalancer.provisioningState

Find Load Balancers based on their provisioning state (Succeeded, Updating, Deleting, Failed). Select the required state from the drop-down menu.

Example

Show Load Balancers in the Succeeded provisioning state

loadbalancer.provisioningState: Succeeded

Azure: Firewall

firewall.provisioningState

Select the required state from the drop-down menu (Succeeded, Updating, Deleting, Failed) to find firewalls based on their current provisioning state.

Example

Show firewalls in the Succeeded provisioning state

firewall.provisioningState: Succeeded

firewall.threatIntelMode

Select the required mode from the drop-down menu (Alert, Deny, Off) to find firewalls based on their Threat Intelligence mode.

Examples

Show firewalls with Threat Intelligence in Alert mode

firewall.threatIntelMode: Alert

Show firewalls with Threat Intelligence turned off

firewall.threatIntelMode: Off

Azure: MySQL

mysqlFlexibleServer.autoGrow

Select (Enabled, Disabled) to find MySQL Flexible Servers with auto-grow storage enabled or disabled.

Example

Show MySQL Flexible Servers with auto-grow storage enabled

mysqlFlexibleServer.autoGrow: Enabled

mysqlFlexibleServer.publicNetworkAccess

Select (Enabled, Disabled) to find MySQL Flexible Servers with public network access enabled or disabled.

Example

Show MySQL Flexible Servers with public network access disabled

mysqlFlexibleServer.publicNetworkAccess: Disabled

mysqlFlexibleServer.backupRetentionDays

Provide an integer value to find MySQL Flexible Servers with the specified backup retention period in days. You can also use comparison operators for ranges.

Examples

Find MySQL Flexible Servers with a 14-day backup retention period

mysqlFlexibleServer.backupRetentionDays: 14

Find MySQL Flexible Servers with a backup retention period greater than 7 days

mysqlFlexibleServer.backupRetentionDays: >7

Azure: Storage Account

storageAccount.skuTier

Select the required tier from the drop-down menu (Standard, Premium) to find Storage Accounts based on their SKU tier.

Example

Show Storage Accounts with the Premium tier

storageAccount.skuTier: Premium

storageAccount.minimumTlsVersion

Select the required version from the drop-down menu (TLS1_0, TLS1_1, TLS1_2, TLS1_3) to find Storage Accounts based on their minimum TLS version.

Example

Show Storage Accounts with minimum TLS version 1.2

storageAccount.minimumTlsVersion: TLS1_2

storageAccount.supportsHttpsTrafficOnly

Select (True, False) to find Storage Accounts that do or do not support HTTPS traffic only.

Example

Show Storage Accounts that support HTTPS traffic only

storageAccount.supportsHttpsTrafficOnly: true

Azure: Application Gateways

applicationgateways.provisioningState

Select the required state from the drop-down menu (Succeeded, Updating, Deleting, Failed) to find Application Gateways based on their current provisioning state.

Example

Show Application Gateways in the Succeeded provisioning state

applicationgateways.provisioningState: Succeeded

applicationgateways.sku.name

Select the required SKU name from the drop-down menu (Standard_v2, Standard, WAF_v2, WAF) to find Application Gateways based on their SKU name. 

Example

Show Application Gateways with the WAF_v2 SKU

applicationgateways.sku.name: WAF_v2

applicationgateways.sku.tier

Select the required tier from the drop-down menu (Basic, Standard, WAF, Standard_v2, WAF_v2) to find Application Gateways based on their SKU tier.

Example

Show Application Gateways with the Standard_v2 tier

applicationgateways.sku.tier: Standard_v2

applicationgateways.sku.family

Select the required family from the drop-down menu (Generation_1, Generation_2) to find Application Gateways based on their SKU family.

Example

Show Application Gateways with the Generation_2 SKU family

applicationgateways.sku.family: Generation_2

applicationgateways.sku.capacity

Provide an integer value to find Application Gateways with a specific capacity (number of instances).

Examples

Find Application Gateways with a capacity of 2 instances

applicationgateways.sku.capacity: 2

applicationgateways.operationalState

Select the required state from the drop-down menu (Running, Stopped, Starting, Stopping) to find Application Gateways based on their current operational state.

Example

Show Application Gateways in the Running operational state

applicationgateways.operationalState: Running

applicationgateways.enableHttp2

Select (True, False) to find Application Gateways with HTTP/2 support enabled or disabled.

Example

Show Application Gateways with HTTP/2 support enabled

applicationgateways.enableHttp2: true

Azure: MariaDB

mariadbServer.version

Find MariaDB servers based on their version. Provide a string value for the version number.

Example

Show MariaDB servers running version 10.3

mariadbServer.version: 10.3

mariadbServer.minimumTLSVersion

Select the required version from the drop-down menu (TLSEnforcementDisabled, TLS1_0, TLS1_1, TLS1_2) to find MariaDB servers based on their minimum TLS version.

Example

Show MariaDB servers with minimum TLS version 1.2

mariadbServer.minimumTLSVersion: TLS1_2

mariadbServer.publicNetworkAccess

Select (True, False) to find MariaDB servers with public network access enabled or disabled.

Example

Show MariaDB servers with public network access disabled

mariadbServer.publicNetworkAccess: false

mariadbServer.sku.tier

Select the required tier from the drop-down menu (Basic, GeneralPurpose, MemoryOptimized) to find MariaDB servers based on their SKU tier.

Example

Show MariaDB servers with the General Purpose tier.

mariadbServer.sku.tier: GeneralPurpose

Azure: Cosmos DB

cosmosdb.kind

Select the required kind from the drop-down menu (GlobalDocumentDB, MongoDB) to find Cosmos DB accounts based on their database kind.

Examples

Show Cosmos DB accounts of the MongoDB type

cosmosdb.kind: MongoDB

Show Cosmos DB accounts of the SQL (Core) API type

cosmosdb.kind: GlobalDocumentDB

Show Cosmos DB accounts of the Parse type

cosmosdb.kind: Parse

cosmosdb.publicNetworkAccess

Select (Enabled, Disabled) to find Cosmos DB accounts with public network access enabled or disabled.

Example

Show Cosmos DB accounts with public network access disabled

cosmosdb.publicNetworkAccess: Disabled

Azure: NAT Gateways

natGateways.provisioningState

Select the required state from the drop-down menu (Succeeded, Updating, Deleting, Failed) to find NAT Gateways based on their current provisioning state.

Example

Show NAT Gateways in the Succeeded provisioning state

natGateways.provisioningState: Succeeded

natGateways.idleTimeoutInMinutes

Provide an integer value to find NAT Gateways with a specific idle timeout setting in minutes. You can also use comparison operators for ranges.

Examples

Find NAT Gateways with an idle timeout of 15 minutes

natGateways.idleTimeoutInMinutes: 15

Find NAT Gateways with an idle timeout greater than 10 minutes

natGateways.idleTimeoutInMinutes: >10

Azure: Web App

These tokens are available in queries with resource.type:Web App

webapp.kind

Use a text value ##### to find web apps based on the kind filter you are interested in.

Examples

Show any web apps with kind filter

webapp.kind: Linux

webapp.deploymentId

Use a text value ##### to find web apps based on the deployment ID of the web app.

Example

Show web apps with this deployment ID

webapp.deploymentId:depl-7495

webapp.state

Search for web apps based on their state.

Examples

Show web apps that are in running state

webapp.state:Running

webapp.availabilityState

Select the web app state (NORMAL, LIMITED, DISASTER_RECOVERY_MODE) you're interested in. Select from names in the drop-down menu.

Example

Show web apps with availability state as LIMITED

webapp.availabilityState:LIMITED

webapp.usageState

Search the web apps based on their usage state (NORMAL, EXCEEDED). Select from names in the drop-down menu.

Example

Show web apps with usage state NORMAL

webapp.usageState:NORMAL

webapp.enabled

Use the values true | false to find whether a web app is enabled or not.

Example

Show web apps that are enabled.

webapp.enabled:true

webapp.isDefaultContainer

Use the values true | false to find whether web app is the default container or not.

Examples

Show web apps which are default container.

webapp.isDefaultContainer:true

webapp.httpsonly

Use the values true | false to find whether HTTPSOnly feature is enabled or not on a web app.

Examples

Show web apps with HTTPSOnly feature enabled.

webapp.httpsonly:TRUE

webapp.redundancyMode

Use a text value ##### to define the redundancy mode of the web app.

Example

Show web apps with this redundancy mode.

webapp.redundancyMode:MANUAL

webapp.appserviceplan

Use a text value ##### to define the AppServicePlanId of webapp you're looking for.

Examples

Show web apps with this AppServicePlan ID.

webapp.appserviceplan:app-service-plan-123

webapp.defaultHostName

Use a text value ##### to define the default host name for web apps.

Example

Show web apps with this default host name

webapp.defaultHostName:windowsappabc123.azurewebsites.net

webapp.hostnames.enabled

Use a text value ##### to define the enabled host names of the web apps.

Example

Show web apps with this host name

webapp.hostnames.enabled:windowsappabc123.azurewebsites.net

webapp.hostnames.sslState

Select web apps based on the SSL state of the enabled hosts (DISABLED, SNI_ENABLED, IP_BASED_ENABLED) you're interested in. Select from names in the drop-down menu.

Example

Show web apps with disabled SSL state

webapp.hostnames.sslState:DISABLED

webapp.clientAffinityEnabled

Use the values true | false to find whether client affinity is enabled or not on a web app.

Example

Show web apps with client affinity enabled

webapp.clientAffinityEnabled:TRUE

webapp.clientCertEnabled

Use the values true | false to find whether client cert is enabled or not on a web app.

Example

Show web apps with client cert enabled

webapp.clientCertEnabled:TRUE

Azure: Function App

These tokens are available in queries with resource.type:Function App

functionapp.kind

Use a text value ##### to find function apps based on the kind filter you are interested in.

Examples

Show any function apps with kind filter

functionapp.kind: Linux

functionapp.deploymentId

Use a text value ##### to find function apps based on the deployment ID of the function app.

Example

Show function apps with this deployment ID

functionapp.deploymentId:depl-7495

functionapp.state

Search for function apps based on their state.

Examples

Show function apps that are in running state

functionapp.state:Running

functionapp.availabilityState

Select the function app state (NORMAL, LIMITED, DISASTER_RECOVERY_MODE) you're interested in. Select from names in the drop-down menu.

Example

Show function apps with availability state as LIMITED

functionapp.availabilityState:LIMITED

functionapp.usageState

Search the function apps based on their usage state (NORMAL, EXCEEDED). Select from names in the drop-down menu.

Example

Show function apps with usage state NORMAL

functionapp.usageState:NORMAL

functionapp.enabled

Use the values true | false to find whether a function app is enabled or not.

Example

Show function apps that are enabled.

functionapp.enabled:true

functionapp.isDefaultContainer

Use the values true | false to find whether function app is the default container or not.

Examples

Show function apps which are default container.

functionapp.isDefaultContainer:true

functionapp.httpsonly

Use the values true | false to find whether HTTPSOnly feature is enabled or not on the function app.

Examples

Show function apps with HTTPSOnly feature enabled.

functionapp.httpsonly:TRUE

functionapp.redundancyMode

Use a text value ##### to define the redundancy mode of the function app.

Example

Show function apps with this redundancy mode.

functionapp.redundancyMode:MANUAL

functionapp.appserviceplan

Use a text value ##### to define the AppServicePlanId of function app you're looking for.

Examples

Show function apps with this AppServicePlan ID.

functionapp.appserviceplan:app-service-plan-123

functionapp.defaultHostName

Use a text value ##### to define the default host name for function apps.

Example

Show function apps with this default host name

functionapp.defaultHostName:windowsappabc123.azurewebsites.net

functionapp.hostnames.enabled

Use a text value ##### to define the enabled host names of the function apps.

Example

Show function apps with this host name

functionapp.hostnames.enabled:windowsappabc123.azurewebsites.net

functionapp.hostnames.sslState

Select function apps based on the SSL state of the enabled hosts (DISABLED, SNI_ENABLED, IP_BASED_ENABLED) you're interested in. Select from names in the drop-down menu.

Example

Show function apps with disabled SSL state

functionapp.hostnames.sslState:DISABLED

functionapp.clientAffinityEnabled

Use the values true | false to find whether client affinity is enabled or not on a function app.

Example

Show function apps with client affinity enabled

functionapp.clientAffinityEnabled:TRUE

functionapp.clientCertEnabled

Use the values true | false to find whether client cert is enabled or not on a function app.

Example

Show function apps with client cert enabled

functionapp.clientCertEnabled:TRUE

functionapp.language

Use a text value ##### to find function apps based on the language in which the functions under function apps are written.

Example

Show function apps with functions written in this language

functionapp.language:CSharp

Azure: Vulnerability 

These tokens are available in queries with resource.type:vulnerability

vulnerability.qid

Use an integer value to define the QID in question.

Example

Show findings with QID 90405

vulnerability.qid:90405

vulnerability.severity

Select a severity (1-5) to find assets having vulnerabilities with this severity. Select from values in the drop-down menu.

Example

Show findings with severity 4

vulnerability.severity:4

vulnerability.customerSeverity

Use an integer value to define the customer severity in question.

Example

Show findings with customer severity 3

vulnerability.customerSeverity:3

vulnerability.exploitability

Use values within quotes or backticks to help you find the known exploit description you're looking for. Quotes can be used when the value has more than one word.

Examples

Show any findings related to this description

 vulnerability.exploitability: GIF Parser Heap

Show any findings that contain "GIF", "Parser" or "Heap" in description

 vulnerability.exploitability: "GIF Parser Heap"

Show any findings that match exact value

 vulnerability.exploitability: `GIF Parser Heap`

vulnerability.patchAvailable

Use the values true | false to define vulnerabilities with patch available.

Examples

Show findings with patch available

vulnerability.patchAvailable: "true"

Show findings with no patch available

vulnerability.patchAvailable: "false"

vulnerability.disabled

Use the values true | false to define disabled vulnerabilities

Examples

Show findings with disabled vulnerabilities

vulnerability.disabled: "true"

Show findings with vulnerabilities that are not disabled

vulnerability.disabled: "false"

vulnerability.ignored

Use the values true | false to define ignored vulnerabilities 

Examples

Show findings with ignored vulnerabilities

vulnerability.ignored: "true"

Show findings with vulnerabilities that are not ignored

vulnerability.ignored: "false"

vulnerability.firstFound

Use a date range or specific date to define when findings were first found.

Examples

Show findings first found within certain dates

vulnerability.firstFound: [2015-10-21 ... 2015-10-30]

Show findings first found starting 2015-10-01, ending 1 month ago

vulnerability.firstFound: [2015-10-01 ... now-1M]

Show findings first found starting 2 weeks ago, ending 1 second ago

vulnerability.firstFound: [now-2w ... now-1s]

Show findings first found on certain date

vulnerability.firstFound:'2015-11-11'

vulnerability.lastFound

Use a date range or specific date to define when findings were last found.

Examples

Show findings last found within certain dates

vulnerability.lastFound: [2015-10-21 ... 2016-01-15]

Show findings last found starting 2016-01-01, ending 1 month ago

vulnerability.lastFound: [2016-01-01 ... now-1M]

Show findings last found starting 2 weeks ago, ending 1 second ago

vulnerability.lastFound: [now-2w ... now-1s]

Show findings last found on certain date

vulnerability.lastFound:'2016-01-11'

Show findings last found on 2017-01-12 with patch available

vulnerabilities: (lastFound: '2017-01-12' AND vulnerability.patchAvailable: "true")

vulnerability.title

Use quotes or backticks within values to help you find the title you're looking for. Quotes can be used when the value has more than one word.

Examples

Show any findings related to this title

vulnerability.title: Remote Code Execution

Show any findings that contain "Remote" or "Code" in title

vulnerability.title: "Remote Code"

Show any findings that match exact value

vulnerability.title: `Remote Code`

vulnerability.description

Use quotes or backticks within values to help you find the vulnerability description you're looking for. Quotes can be used when the value has more than one word.

Examples

Show any findings related to description

vulnerability.description: remote code execution

Show any findings that contain "remote" or "code" in description

vulnerability.description: "remote code execution"

Show any findings that match exact value

vulnerability.description: `remote code execution`

vulnerability.cveIds

Use a text value to find the CVE name you're interested in.

Example

Show findings with CVE name CVE-2015-0313

vulnerability.cveIds: CVE-2015-0313

vulnerability.category

Select a category (CGI, Database, DNS, BIND, etc) to find vulnerabilities with this category. Select from names in the drop-down menu.

Example

Show findings with the category CGI

vulnerability.category: "CGI"

vulnerability.cvss3Info.baseScore

Use an integer value to help you find the CVSS base score you're interested in.

Example

Show assets with this score

vulnerability.cvss3Info.baseScore: 7.8

vulnerability.cvss3Info.temporalScore

Use an integer value to help you find the CVSS temporal score you're interested in.

Example

Show assets with this score

vulnerability.cvss3Info.temporalScore: 6.4

vulnerability.cvssInfo.accessVector

Select the name of a CVSS access vector you'd like to find (e.g. UNDEFINED, LOCAL_ACCESS, ADJACENT_NETWORK, NETWORK). Select from names in the drop-down menu.

Example

Show findings with this name

vulnerability.cvssInfo.accessVector: "NETWORK"

vulnerability.port

Use an integer value to help you find assets with some open port.

Example

Show vulnerability with port 80

vulnerability.port: 80

vulnerability.protocol

Use a text value (UDP or TCP) to define the port protocol you're interested in.

Examples

Show findings found on TCP

vulnerability.protocol: TCP

Show findings found on port 80 and TCP

vulnerability: (port: 80 AND protocol: TCP)

vulnerability.hostOS

Use quotes or backticks within values to help you find the instance operating system you're interested in.

Examples

Show any findings with this OS name

vulnerability.hostOS:Windows 2012

Show any findings that contain components of OS name

vulnerability.hostOS:"Windows 2012"

Show any findings that match exact value "Windows 2012"

vulnerability.hostOS:`Windows 2012`

vulnerability.typeDetected

Select a detection type (e.g. Confirmed, Potential, Information) to find instances with vulnerabilities of this type. Select from names in the drop-down menu.

Example

Show findings with this type

vulnerability.typeDetected:Confirmed

vulnerability.PCI

Use the values true | false to find vulnerabilities that must be fixed for PCI Compliance (per PCI DSS).

Examples

Show PCI vulnerabilities

vulnerability.PCI:TRUE

Do not show PCI vulnerabilities

vulnerability.PCI:FALSE

vulnerability.authTypes

Select the name (WINDOWS_AUTH, UNIX_AUTH, ORACLE_AUTH, etc) of an authentication type you're interested in. Select from names in the drop-down menu.

Example

Show findings with Windows auth type

vulnerability.authTypes:WINDOWS_AUTH

vulnerability.bugTraqIds

Use a text value to find vulnerabilities based on the BugTraq number you're interested in.

Example

Show findings with BugTraq ID 22211

vulnerability.bugTraqIds:22211

vulnerability.compliance.description

Use quotes or backticks within values to help you find the compliance description you're looking for.

Examples

Show any findings related to this description

vulnerability.compliance.description:malicious software

Show any findings that contain "malicious" or "software" in description

vulnerability.compliance.description:"malicious software"

Show any findings that match exact value "malicious software"

vulnerability.compliance.description:`malicious software`

vulnerability.compliance.section

Use quotes or backticks within values to help you find the compliance section you're looking for.

Examples

Show any findings related to this section

vulnerability.compliance.section:164.308

Show any findings that contain parts of section

vulnerability.compliance.section:"164.308"

Show any findings that match exact value "164.308"

vulnerability.compliance.section:`164.308`

vulnerability.compliance.type

Select the name of a compliance type you're interested in (e.g. COBIT, HIPAA, GLBA, SOX). Select from names in the drop-down menu.

Example

Show findings with the compliance type HIPAA

vulnerability.compliance.type:HIPAA

vulnerability.consequence

Use quotes or backticks within values to help you find the consequence you're looking for.

Examples

Show any findings related to consequence

vulnerability.consequence:sensitive information

Show any findings that contain "sensitive" or "information" in consequence

vulnerability.consequence:"sensitive information"

Show any findings that match exact value "sensitive information"

vulnerability.consequence:`sensitive information`

vulnerability.flags

Use a text value to find the Qualys defined vulnerability property of interest (e.g. REMOTE, WINDOWS_AUTH, UNIX_AUTH, PCI_RELATED etc).

Example

Show findings with this flag

vulnerability.flags:PCI_RELATED

vulnerability.lists

Use a text value to find the vulnerability list of interest (e.g. SANS_20, QUALYS_20, QUALYS_INT_10, QUALYS_EXT_10).

Example

Show findings with vulnerabilities in SANS Top 20

vulnerability.lists:SANS_20

vulnerability.patches

Use an integer value to help you find the patch QID you're interested in.

Example

Show assets with this patch QID

vulnerability.patches:90753

vulnerability.published

Use a date range or specific date to define when vulnerabilities were first published in the KnowledgeBase.

Examples

Show findings for vulnerabilities published within certain dates

vulnerability.published:[2015-10-21 ... 2016-01-15]

Show findings for vulnerabilities published starting 2017-01-01, ending 1 month ago

vulnerability.published:[2017-01-01 ... now-1M]

Show findings for vulnerabilities published starting 2 weeks ago, ending 1 second ago

vulnerability.published:[now-2w ... now-1s]

Show findings for vulnerabilities published on certain date

vulnerability.published:'2018-01-15'

vulnerability.risk

Use an integer value to define the vulnerability risk rating you're interested in. For confirmed and potential issues, risk is 10 times severity; for information gathered, it is severity.

Example

Show findings with risk 50

vulnerability.risk:50

vulnerability.os

Use quotes or backticks within values to help you find the operating system vulnerabilities were detected on.

Examples

Show any findings related to this OS value

vulnerability.os:windows

Show any findings that contain parts of OS value

vulnerability.os:"windows"

Show any findings that match exact value "windows"

vulnerability.os:`windows`

vulnerability.cvssInfo.baseScore

Use an integer value to help you find the CVSS base score you're interested in.

Example

Show instances with this score

vulnerability.cvssInfo.baseScore:7.8

vulnerability.cvssInfo.temporalScore

Use an integer value to help you find the CVSS temporal score you're interested in.

Example

Show instances with this score

vulnerability.cvssInfo.temporalScore:6.4

vulnerability.discoveryTypes

Select a discovery type (Remote or Authenticated) to find instances with vulnerabilities having this discovery type. Select from names in the drop-down menu.

Example

Show findings with Remote discovery type

vulnerability.discoveryTypes:REMOTE

vulnerability.sans20Categories

Use a text value to find vulnerabilities in the SANS 20 category you're interested in (e.g. Anti-virus Software, Backup Software, etc).

Example

Show findings with this category name

vulnerability.sans20Categories:Media Players

vulnerability.solution

Use quotes or backticks within values to help you find the solution you're looking for.

Examples

Show any findings related to this solution

vulnerability.solution:Bulletin MS10-006

Show any findings that contain parts of solution

vulnerability.solution:"Bulletin MS10-006"

Show any findings that match exact value "Bulletin MS10-006"

vulnerability.solution:`Bulletin MS10-006`

vulnerability.status

Select the vulnerability status (ACTIVE, FIXED, NEW, REOPENED) you're interested in. Select from names in the drop-down menu.

Example

Show vulnerabilities with ACTIVE status

vulnerability.status:ACTIVE

vulnerability.supportedBy

Select a Qualys service (VM, Agent type, etc) to show vulnerabilities that can be detected by this service. Select from names in the drop-down menu.

Example

Show vulnerabilities supported by Linux Agent

vulnerability.supportedBy:LINUX_AGENT

vulnerability.vendorRefs

Use a text value to find the vendor reference you're interested in.

Example

Show this vendor reference

vulnerability.vendorRefs:KB3021953

vulnerability.vendors.productName

Use a text value to find the vendor product name you're interested in.

Example

Show findings with this vendor product name

vulnerability.vendors.productName:Windows

vulnerability.vendors.vendorName

Use a text value to find the vendor name you're interested in.

Example

Show findings with this vendor name

vulnerability.vendors.vendorName:Adobe

vulnerability.disabled

Use the values true | false to define vulnerabilities that are disabled.

Example

Show findings with disabled set to False

vulnerability.disabled:False

Threat Protection

(For Threat Protection users) Use these tokens for searching Real-Time Threat Indicators (RTI).

vulnerability.threatIntel.activeAttacks

Use the values true | false to define real-time threats due to active attacks.

Example

Show resources with threats due to active attacks

vulnerability.threatIntel.activeAttacks: "true"

vulnerability.threatIntel.denialOfService

Use the values true | false to define real-time threats due to denial of service.

Example

Show resources with threats due to denial of service

vulnerability.threatIntel.denialOfService: "true"

vulnerability.threatIntel.easyExploit

Use the values true | false to define real-time threats due to easy exploit.

Example

Show resources with threats due to easy exploit

vulnerability.threatIntel.easyExploit: "true"

vulnerability.threatIntel.exploitKit

Use the values true | false to define real-time threats due to exploit kit.

Example

Show resources with threats due to exploit kit

vulnerability.threatIntel.exploitKit: "true"

vulnerability.threatIntel.exploitKitName

Use quotes or backticks within values to help you find the exploit kit name you're looking for. Quotes can be used when the value has more than one word.

Examples

Show any findings with this name

vulnerability.threatIntel.exploitKitName: Angler

Show any findings that match exact value

vulnerability.threatIntel.exploitKitName: `Angler`

vulnerability.threatIntel.highDataLoss

Use the values true | false to define real-time threats due to high data loss.

Example

Show resources with threats due to high data loss

vulnerability.threatIntel.highDataLoss: "true"

vulnerability.threatIntel.highLateralMovement

Use the values true | false to define real-time threats due to high lateral movement.

Example

Show resources with threats due to high lateral movement

vulnerability.threatIntel.highLateralMovement: "true"

vulnerability.threatIntel.malware

Use the values true | false to define real-time threats due to malware.

Example

Show resources with threats due to malware

vulnerability.threatIntel.malware: "true"

vulnerability.threatIntel.malwareName

Use quotes or backticks within values to help you find the malware name you're looking for. Quotes can be used when the value has more than one word.

Examples

Show any findings with this name

vulnerability.threatIntel.malwareName: TROJ_PDFKA.DQ

Show any findings that match exact value

vulnerability.threatIntel.malwareName: `TROJ_PDFKA.DQ`

vulnerability.threatIntel.noPatch

Use the values true | false to define real-time threats due to no patch available.

Example

Show resources with threats due to no patch available

vulnerability.threatIntel.noPatch: "true"

vulnerability.threatIntel.publicExploit

Use the values true | false to define real-time threats due to public exploit.

Example

Show resources with threats due to public exploit

vulnerability.threatIntel.publicExploit: "true"

vulnerability.threatIntel.publicExploitName

Use quotes or backticks within values to help you find the public exploit name of interest. Quotes can be used when the value has more than one word.

Examples

Show any findings with this name

vulnerability.threatIntel.publicExploitName: RealVNC NULL Authentication Mode Bypass

Show any findings that contain parts of name

vulnerability.threatIntel.publicExploitName: "RealVNC NULL Authentication Mode Bypass"

Show any findings that match exact value

vulnerability.threatIntel.publicExploitName: `RealVNC NULL Authentication Mode Bypass`

vulnerability.threatIntel.zeroDay

Use the values true | false to define real-time threats due to zero day exploit.

Example

Show resources with threats due to zero day exploit

vulnerability.threatIntel.zeroDay: "true"