Searching for Microsoft Azure Resources

Use the search tokens below to search for resources discovered. You will need to first choose cloud provider on the Resources tab to see the relevant tokens for your environment.  Looking for help with writing your query? click here

General

account.idaccount.id

Use a text value ##### to show resources based on the unique account ID associated with the connector at the time of creation.

Example

Show findings with this account ID

account.id: 205767712438

account.aliasaccount.alias

Use a text value ##### to show connectors based on the account alias associated with the connector at the time of creation.

Example

Show connectors with this account alias

account.alias: Example_connector

subscriptionNamesubscriptionName

Use a text value ##### to find Azure connectors based on the subscription name associated with the connector at the time of creation.

Example

Show connectors with this subscription name

subscriptionName: Sample Cloud Subscription

createdcreated

Use a date range or specific date to define when the resource was created.

Example

Show resources created within certain dates

created: [2018-01-01 ... 2018-03-01]

Show resources created starting 2018-10-01, ending 1 month ago

created: [2018-01-01 ... now-1m]

Show resources created starting 2 weeks ago, ending 1 second ago

created: [now-2w ... now-1s]

Show resources created on specific date

created: 2018-01-08

updatedupdated

Use a date range or specific date to define when the resource was last updated.

Example

Show resources updated within certain dates

updated: [2018-01-01 ... 2018-03-01]

Show resources updated starting 2018-10-01, ending 1 month ago

updated: [2018-01-01 ... now-1m]

Show resources updated starting 2 weeks ago, ending 1 second ago

updated: [now-2w ... now-1s]

Show resources updated on specific date

updated: 2018-01-08

namename

Use backticks to help you find the exact match of the resource name you're looking for.

Example

Show any findings with this name

name: my-resource

Show all the findings that exactly match with this name

name: `my-resource`

providerprovider

Select the name of the cloud service provider you're interested in. Select from names in the drop-down menu.

Example

Find resources synced from Microsoft Azure

provider: Azure

regionregion

Select the name of the region you're interested in. Select from names in the drop-down menu.

Example

Find resources in the Singapore region

region: Singapore

resource.idresource.id

Use a text value ##### to find resources by the unique ID assigned to the resource.

Example

Show resources with ID acl-8e5198f5

resource.id: acl-8e5198f5

resource.typeresource.type

Select the type of resource you're interested in. Select from names in the drop-down menu.

Example

Show resources of type Instance

resource.type: Instance

tag.keytag.key

Use a text value ##### to define the key of an Azure tag assigned to the resource (case sensitive).

Example

Show findings with key Department

tag.key: Department

tag.valuetag.value

Use a text value ##### to define the value of an Azure tag assigned to the resource (case sensitive).

Example

Show findings with tag value Finance

tag.value: Finance

tags.nametags.name

Use values within quotes or backticks to help you find the resources with the specified tag you're looking for.

Example

Show any findings that contain "network" and "blue" in name

tags.name: "network blue"

Show any findings that contain "network" or "blue" in name (another method)

tags.name: "network" OR tags.name: "blue"

Show any findings that match exact value "Cloud Agent"

tags.name: "Cloud Agent"

andand

Use a boolean query to express your query using AND logic.

Example

Show findings with account ID 205767712438 and type Subnet

account.id: 205767712438 and resource.type: Subnet

notnot

Use a boolean query to express your query using NOT logic.

Example

Show findings that are not region Hong Kong

not region: Hong Kong

oror

Use a boolean query to express your query using OR logic.

Example

Show findings with one of these tag values

tag.value: Finance or tag.value: Accounting

projectIdprojectId

Use a text value ##### to find GCP resources with a certain project Id.

Example

Show resources with this projectId

projectId: my-project-1513669048551

azure.locationazure.location

Select the name of the Azure location you're interested in. Select from names in the drop-down menu.

Example

Find resources in this location

azure.location: Frankfurt

resourceGroupNameresourceGroupName

Use a text value ##### to find resources by the resource group name.

Example

Show resources with this group name

resourceGroupName: my-eastus-rg

subscriptionIdsubscriptionId

Use a text value ##### to find resources by the subscription ID.

Example

Show resources with this subscription ID

subscriptionId: fbb9ea64-abda-452e-adfa-83442409

Azure: SQL Server

These tokens are available in queries with resource.type:SQL Server

sqlserver.typesqlserver.type

Use a text value ##### to find resources by the SQL Server type.

Example

Show resources with this type

sqlserver.type: Microsoft.sql

sqlserver.fullyQualifiedDomainNamesqlserver.fullyQualifiedDomainName

Use a text value ##### to find resources by the SQL Server Fully Qualified Domain Name (FQDN).

Example

Show resources with this FQDN

sqlserver.fullyQualifiedDomainName: severname.database.windows.net

sqlserver.versionsqlserver.version

Use a text value ##### to find resources by the SQL Server version.

Example

Show resources with this version

sqlserver.version: 12

sqlserver.statesqlserver.state

Use a text value ##### to find resources by the current SQL Server state.

Example

Show resources with this state

sqlserver.state: ready

Azure: SQL Server Database

These tokens are available in queries with resource.type:SQL Server Database

sqldatabase.editionsqldatabase.edition

Select the database edition (basic, standard, premium) you're interested in. Select from names in the drop-down menu.

Example

Find resources with standard edition

sqldatabase.edition: standard

sqldatabase.statussqldatabase.status

Select the database status (online, offline, restoring, etc) you're interested in. Select from names in the drop-down menu.

Example

Show online databases

sqldatabase.status: online

Azure: Virtual Machine

These tokens are available in queries with resource.type:Virtual Machine

virtualmachine.vmIdvirtualmachine.vmId

Use a text value ##### to find resources by the virtual machine ID.

Example

Show resources with this virtual machine ID

virtualmachine.vmId: MyVMID

connector.remediationEnabledconnector.remediationEnabled

Use  true to view the resources associated with the connector for which remediation is enabled.

Example

Show resources associated with the connector for which remediation is enabled

connector.remediationEnabled: TRUE

virtualmachine.vmSizevirtualmachine.vmSize

Use a text value ##### to find resources by size of the virtual machine.

Example

Show resources with this virtual machine size

virtualmachine.vmSize: Standard_DS1_v2

virtualmachine.networkSecurityGroupvirtualmachine.networkSecurityGroup

Use a text value ##### to find the network security group of the virtual machine.

Example

Show resources with this network security group

virtualmachine.networkSecurityGroup: myNSG

virtualmachine.osTypevirtualmachine.osType

Use a ####text value to find VMs with agents installed on them.

Example

Show VMs with specified OS Type.

virtualmachine.osType: Windows

virtualmachine.agentInstalledvirtualmachine.agentInstalled

Use True | False to find VMs with agents installed on them.

Example

Show VMs with agents installed.

virtualmachine.agentInstalled: True

virtualmachine.hasThreatsvirtualmachine.hasThreats

Use the values true | false to find virtual machines with that has threats identified.

Example

Show resources with threats identified

virtualmachine.hasThreats: True

virtualmachine.publicIpAddressvirtualmachine.publicIpAddress

Use a text value ##### to find virtual machines with certain IP address.

Example

Show resources with this IP address

virtualmachine.publicIpAddress: 13.126.125.189

virtualmachine.statusvirtualmachine.status

Select the status (Creating, Deleting, Updating, etc.) of the virtual machine you're interested in. Select the required status from the drop-down menu.

Example

Show virtual machines with VM running status

virtualmachine.status: VM running

virtualmachine.networkInterface.subnetIdvirtualmachine.networkInterface.subnetId

Use a text value ##### to find VMs with a certain network interface address ID.

Example

Show findings with this address ID

virtualmachine.networkInterface.subnetId: id-12345

virtualmachine.networkInterface.privateDnsNamevirtualmachine.networkInterface.privateDnsName

Use a text value ##### to find VMs having network interface with a certain private DNS name.

Example

Show findings with this private DNS name

virtualmachine.networkInterface.privateDnsName: ip-172-31-33-67.us-east-2.compute.internal

virtualmachine.networkInterface.privateIpAddressvirtualmachine.networkInterface.privateIpAddress

Use a text value ##### to find VMs having network interface with a certain private IP address.

Example

Show findings with this private IP

virtualmachine.networkInterface.privateIpAddress: 172.31.28.151

virtualmachine.networkInterface.secondaryPrivateIpvirtualmachine.networkInterface.secondaryPrivateIp

Use a text value ##### to find VMs having network interfaces with a certain secondary private IP address.

Example

Show findings with this secondary private IP

virtualmachine.networkInterface.secondaryPrivateIp: 10.0.0.85

virtualmachine.networkInterface.publicIpvirtualmachine.networkInterface.publicIp

Use a text value ##### to find VMs having network interfaces with a certain public IP address.

Example

Show findings with this public IP address

virtualmachine.networkInterface.publicIp: 13.126.125.189

virtualmachine.networkInterface.ipv6Ipvirtualmachine.networkInterface.ipv6Ip

Use a text value ##### to find VMs having network interfaces with a certain IPv6 IP address.

Example

Show findings with this IPv6 address

virtualmachine.networkInterface.ipv6Ip: 2010:ab2::1234:zzz:2002:1f

virtualmachine.isDockerHostvirtualmachine.isDockerHost

Use the values true | false to define whether the instance has a docker installed on the host.

Example

Show VMs with docker installed on the host

virtualmachine.isDockerHost:true

Show VMs without docker installed on the host

virtualmachine.isDockerHost:false

virtualmachine.docker.versionvirtualmachine.docker.version

Use a text value ##### to define Docker version you are looking for.

Example

Show VMs with specified docker version

virtualmachine.docker.version:8.2

virtualmachine.riskScorevirtualmachine.riskScore

Use an integer value (0-1000) to search for all the Azure VMs with the specified risk score.

Example

Show all VMs with a risk score greater than 125

virtualmachine.riskScore > 125

Show all VMs with a risk score of 125

virtualmachie.riskScore: 125

Azure: Virtual Network

These tokens are available in queries with resource.type:Virtual Network

virtualnetwork.typevirtualnetwork.type

Use a text value ##### to find resources by the virtual network type.

Example

Show resources with this virtual network type

virtualnetwork.type: Microsoft.Network/virtualNetworks

Azure: Network Interface

networkinterfaces.provisoningStatenetworkinterfaces.provisoningState

Find network interfaces based on their provisioning state (Deleting, Failed, Succeeded, Updating). Select the required state from the drop-down menu.

Example

Show network interfaces in Succeeded state.

networkinterfaces.provisoningState: Succeeded

networkinterfaces.subnet.idnetworkinterfaces.subnet.id

Find network interfaces based on their subnet ID.

Example

Show network interfaces with the specified ID.

networkinterfaces.subnet.id:/subscriptions/xxxxxx-xxxx-xxxx-xxxx-xxxxx8c0586/resourceGroups/azure_resource_group/providers/Microsoft.Network/virtualNetworks/customtest/subnets/subnet2

networkinterfaces.macAddressnetworkinterfaces.macAddress

Find network interfaces based on their MAC Address.

Example

Show network interfaces with the MAC Address.

networkinterfaces.macAddress:7C-1E-52-19-1F-3C

networkinterfaces.enableAcceleratedNetworkingnetworkinterfaces.enableAcceleratedNetworking

Select (Enabled, Disabled) to find Network Interfaces with Accelerated Networking enabled/disabled.

Example

Show network interfaces with the Accelerated Networking enabled.

networkinterfaces.enableAcceleratedNetworking:Enabled

networkinterfaces.vnetEncryptionSupportednetworkinterfaces.vnetEncryptionSupported

Select (True, False) to find Network Interfaces that support VNET encryption. 

Example

Show network interfaces supporting VNET Encryption.

networkinterfaces.subnet.id: true

networkinterfaces.enableIPForwardingnetworkinterfaces.enableIPForwarding

Select (True, False) to find Network Interfaces with IP Forwarding enabled or disabled.

Example

Show network interfaces with IP Forwarding enabled:

networkinterfaces.enableIPForwarding: true

networkinterfaces.disableTcpStateTrackingnetworkinterfaces.disableTcpStateTracking

Select (True, False) to find Network Interfaces with TCP State Tracking disabled or enabled.

Example

Show network interfaces with TCP State Tracking disabled:

networkinterfaces.disableTcpStateTracking: true

networkinterfaces.networkSecurityGroup.idnetworkinterfaces.networkSecurityGroup.id

Provide a string value to find Network Interfaces associated with a specific Network Security Group ID.

Example

Find Network Interfaces associated with the specified Network Security Group ID

networkinterfaces.networkSecurityGroup.id: /subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkSecurityGroups/myNSG

Azure: PostGRE Single Server

postgresingleserver.backupRetentionDayspostgresingleserver.backupRetentionDays

Provide an integer value to find PostgreSQL Single Servers with the specified backup retention period in days.

Example

Find PostgreSQL Single Servers with a 14-day backup retention period.

 postgresingleserver.backupRetentionDays: 14

postgresingleserver.geoRedundantBackuppostgresingleserver.geoRedundantBackup

Select (True, False) to find PostgreSQL Single Servers with geo-redundant backup enabled or disabled.

Example Show PostgreSQL Single Servers with geo-redundant backup enabled

postgresingleserver.geoRedundantBackup: true

postgresingleserver.sslEnforcementpostgresingleserver.sslEnforcement

Select (True, False) to find PostgreSQL Single Servers with SSL enforcement enabled or disabled.

Example Show PostgreSQL Single Servers with SSL enforcement enabled

postgresingleserver.sslEnforcement: true

postgresingleserver.byokEnforcementpostgresingleserver.byokEnforcement

Select (True, False) to find PostgreSQL Single Servers with Bring Your Own Key (BYOK) enforcement enabled or disabled.

Example

Show PostgreSQL Single Servers with BYOK enforcement enabled

postgresingleserver.byokEnforcement: true

postgresingleserver.storageAutogrowpostgresingleserver.storageAutogrow

Select (True, False) to find PostgreSQL Single Servers with storage auto-grow enabled or disabled.

Example

Show PostgreSQL Single Servers with storage auto-grow enable

postgresingleserver.storageAutogrow: true

postgresingleserver.publicNetworkAccesspostgresingleserver.publicNetworkAccess

Select (True, False) to find PostgreSQL Single Servers with public network access enabled or disabled.

Example

Show PostgreSQL Single Servers with public network access disabled 

postgresingleserver.publicNetworkAccess: false

postgresingleserver.skuTierpostgresingleserver.skuTier

Find PostgreSQL Single Servers based on their SKU tier (Basic, GeneralPurpose, MemoryOptimized). Select the required tier from the drop-down menu.

Example

Show PostgreSQL Single Servers with the General Purpose tier

postgresingleserver.skuTier: GeneralPurpose

postgresingleserver.minimalTlsVersion postgresingleserver.minimalTlsVersion

Find PostgreSQL Single Servers based on their minimal TLS version (TLS1_0, TLS1_1, TLS1_2, TLS1_3). Select the required version from the drop-down menu.

Example

Show PostgreSQL Single Servers with minimal TLS version 1.2

 postgresingleserver.minimalTlsVersion: TLS1_2

Azure: Load Balancer

loadbalancer.sku.nameloadbalancer.sku.name

Find Load Balancers based on their SKU name (Basic, Gateway, Standard). Select the required SKU name from the drop-down menu.

Example

Show Load Balancers with the Standard SKU

loadbalancer.sku.name: Standard

loadbalancer.sku.tierloadbalancer.sku.tier

Find Load Balancers based on their SKU tier (Global, Regional). Select the required tier from the drop-down menu.

Example

Show Load Balancers with the Regional tier

loadbalancer.sku.tier: Regional

loadbalancer.provisioningStateloadbalancer.provisioningState

Find Load Balancers based on their provisioning state (Succeeded, Updating, Deleting, Failed). Select the required state from the drop-down menu.

Example

Show Load Balancers in the Succeeded provisioning state

loadbalancer.provisioningState: Succeeded

Azure: Firewall

firewall.provisioningStatefirewall.provisioningState

Select the required state from the drop-down menu (Succeeded, Updating, Deleting, Failed) to find firewalls based on their current provisioning state.

Example

Show firewalls in the Succeeded provisioning state

firewall.provisioningState: Succeeded

firewall.threatIntelModefirewall.threatIntelMode

Select the required mode from the drop-down menu (Alert, Deny, Off) to find firewalls based on their Threat Intelligence mode.

Examples Show firewalls with Threat Intelligence in Alert mode:

firewall.threatIntelMode: Alert

Show firewalls with Threat Intelligence turned off

firewall.threatIntelMode: Off

Azure: MySQL

mysqlFlexibleServer.autoGrowmysqlFlexibleServer.autoGrow

Select (Enabled, Disabled) to find MySQL Flexible Servers with auto-grow storage enabled or disabled.

Example

Show MySQL Flexible Servers with auto-grow storage enabled

mysqlFlexibleServer.autoGrow: Enabled

mysqlFlexibleServer.publicNetworkAccessmysqlFlexibleServer.publicNetworkAccess

Select (Enabled, Disabled) to find MySQL Flexible Servers with public network access enabled or disabled.

Example

Show MySQL Flexible Servers with public network access disabled

mysqlFlexibleServer.publicNetworkAccess: Disabled

mysqlFlexibleServer.backupRetentionDaysmysqlFlexibleServer.backupRetentionDays

Provide an integer value to find MySQL Flexible Servers with the specified backup retention period in days. You can also use comparison operators for ranges.

Examples

Find MySQL Flexible Servers with a 14-day backup retention period

mysqlFlexibleServer.backupRetentionDays: 14

Find MySQL Flexible Servers with a backup retention period greater than 7 days

mysqlFlexibleServer.backupRetentionDays: >7

Azure: Storage Account

storageAccount.skuTierstorageAccount.skuTier

Select the required tier from the drop-down menu (Standard, Premium) to find Storage Accounts based on their SKU tier.

Example

Show Storage Accounts with the Premium tier

storageAccount.skuTier: Premium

storageAccount.minimumTlsVersionstorageAccount.minimumTlsVersion

Select the required version from the drop-down menu (TLS1_0, TLS1_1, TLS1_2, TLS1_3) to find Storage Accounts based on their minimum TLS version.

Example

Show Storage Accounts with minimum TLS version 1.2

storageAccount.minimumTlsVersion: TLS1_2

storageAccount.supportsHttpsTrafficOnlystorageAccount.supportsHttpsTrafficOnly

Select (True, False) to find Storage Accounts that do or do not support HTTPS traffic only.

Example

Show Storage Accounts that support HTTPS traffic only

storageAccount.supportsHttpsTrafficOnly: true

Azure: Application Gateways

applicationgateways.provisioningStateapplicationgateways.provisioningState

Select the required state from the drop-down menu (Succeeded, Updating, Deleting, Failed) to find Application Gateways based on their current provisioning state.

Example

Show Application Gateways in the Succeeded provisioning state

applicationgateways.provisioningState: Succeeded

applicationgateways.sku.nameapplicationgateways.sku.name

Select the required SKU name from the drop-down menu (Standard_v2, Standard, WAF_v2, WAF) to find Application Gateways based on their SKU name. 

Example

Show Application Gateways with the WAF_v2 SKU

applicationgateways.sku.name: WAF_v2

applicationgateways.sku.tierapplicationgateways.sku.tier

Select the required tier from the drop-down menu (Basic, Standard, WAF, Standard_v2, WAF_v2) to find Application Gateways based on their SKU tier.

Example

Show Application Gateways with the Standard_v2 tier

applicationgateways.sku.tier: Standard_v2

applicationgateways.sku.familyapplicationgateways.sku.family

Select the required family from the drop-down menu (Generation_1, Generation_2) to find Application Gateways based on their SKU family.

Example

Show Application Gateways with the Generation_2 SKU family

applicationgateways.sku.family: Generation_2

applicationgateways.sku.capacityapplicationgateways.sku.capacity

Provide an integer value to find Application Gateways with a specific capacity (number of instances).

Example

Find Application Gateways with a capacity of 2 instances

applicationgateways.sku.capacity: 2

applicationgateways.operationalStateapplicationgateways.operationalState

Select the required state from the drop-down menu (Running, Stopped, Starting, Stopping). Find Application Gateways based on their current operational state.

Example

Show Application Gateways in the Running operational state

applicationgateways.operationalState: Running

applicationgateways.enableHttp2applicationgateways.enableHttp2

Select (True, False) to find Application Gateways with HTTP/2 support enabled or disabled.

Example

Show Application Gateways with HTTP/2 support enabled

applicationgateways.enableHttp2: true

Azure: MariaDB

mariadbServer.versionmariadbServer.version

Find MariaDB servers based on their version. Provide a string value for the version number.

Example

Show MariaDB servers running version 10.3

mariadbServer.version: 10.3

mariadbServer.minimumTLSVersionmariadbServer.minimumTLSVersion

Select the required version from the drop-down menu (TLSEnforcementDisabled, TLS1_0, TLS1_1, TLS1_2) to find MariaDB servers based on their minimum TLS version.

Example

Show MariaDB servers with minimum TLS version 1.2

mariadbServer.minimumTLSVersion: TLS1_2

mariadbServer.publicNetworkAccessmariadbServer.publicNetworkAccess

Select (True, False) to find MariaDB servers with public network access enabled or disabled.

Example Show MariaDB servers with public network access disabled

mariadbServer.publicNetworkAccess: false

mariadbServer.sku.tiermariadbServer.sku.tier

Select the required tier from the drop-down menu (Basic, GeneralPurpose, MemoryOptimized) to find MariaDB servers based on their SKU tier.

Example

Show MariaDB servers with the General Purpose tier.

mariadbServer.sku.tier: GeneralPurpose

Azure: Cosmos DB

cosmosdb.kindcosmosdb.kind

Select the required kind from the drop-down menu (GlobalDocumentDB, MongoDB) to find Cosmos DB accounts based on their database kind.

Example

Show Cosmos DB accounts of the MongoDB type

cosmosdb.kind: MongoDB

Show Cosmos DB accounts of the SQL (Core) API type

cosmosdb.kind: GlobalDocumentDB

Show Cosmos DB accounts of the Parse type

cosmosdb.kind: Parse

cosmosdb.publicNetworkAccesscosmosdb.publicNetworkAccess

Select (Enabled, Disabled) to find Cosmos DB accounts with public network access enabled or disabled.

Example

Show Cosmos DB accounts with public network access disabled

cosmosdb.publicNetworkAccess: Disabled

Azure: NAT Gateways

natGateways.provisioningStatenatGateways.provisioningState

Select the required state from the drop-down menu (Succeeded, Updating, Deleting, Failed) to find NAT Gateways based on their current provisioning state.

Example

Show NAT Gateways in the Succeeded provisioning state

natGateways.provisioningState: Succeeded

natGateways.idleTimeoutInMinutesnatGateways.idleTimeoutInMinutes

Provide an integer value to find NAT Gateways with a specific idle timeout setting in minutes. You can also use comparison operators for ranges.

Examples

Find NAT Gateways with an idle timeout of 15 minutes

natGateways.idleTimeoutInMinutes: 15

Find NAT Gateways with an idle timeout greater than 10 minutes

natGateways.idleTimeoutInMinutes: >10

Azure: Web App

These tokens are available in queries with resource.type:Web App

webapp.kindwebapp.kind

Use a text value ##### to find web apps based on the kind filter you are interested in..

Example

Show any web apps with kind filter

webapp.kind: Linux

webapp.deploymentIdwebapp.deploymentId

Use a text value ##### to find web apps based on the deployment ID of the web app.

Example

Show web apps with this deployment ID

webapp.deploymentId:depl-7495

webapp.statewebapp.state

Search web app based on its state.

Example

Show web apps that are in running state

webapp.state:Running

webapp.availabilityStatewebapp.availabilityState

>Select the web app state (NORMAL, LIMITED, DISASTER_RECOVERY_MODE) you're interested in. Select from names in the drop-down menu.

Example

Show web apps with availability state as LIMITED

webapp.availabilityState:LIMITED

webapp.usageStatewebapp.usageState

Search the web apps based on their usage state (NORMAL, EXCEEDED). Select from names in the drop-down menu.

Example

Show web app on usage state

webapp.usageState:NORMAL

webapp.enabledwebapp.enabled

Use the values true | false to find whether web app is enabled or not.

Example

Show web apps which are default container.

webapp.enabled:true

webapp.isDefaultContainerwebapp.isDefaultContainer

Use the values true | false to find whether web app is the default container or not.

Example

Show web apps which are default container.

webapp.isDefaultContainer:true

webapp.httpsonlywebapp.httpsonly

Use the values true | false to find whether HTTPSOnly feature is enabled or not on a web app.

Example

Show web apps with HTTPSOnly feature enabled.

webapp.httpsonly:TRUE

webapp.redundancyModewebapp.redundancyMode

Use a text value ##### to define the redundancy mode of the web app.

Example

Show web apps with this redundancy mode.

webapp.redundancyMode:MANUAL

webapp.appserviceplanwebapp.appserviceplan

Use a text value ##### to define the AppServicePlanId of webapp you're looking for.

Example

Show web apps with this AppServicePlan ID.

webapp.appserviceplan:app-service-plan-123

webapp.defaultHostNamewebapp.defaultHostName

Use a text value ##### to define the default host name for web apps.

Example

Show web apps with this default host name

webapp.defaultHostName:windowsappabc123.azurewebsites.net

webapp.hostnames.enabledwebapp.hostnames.enabled

Use a text value ##### to define the enabled host names of the web apps.

Example

Show web apps with this host names

webapp.hostnames.enabled:windowsappabc123.azurewebsites.net

webapp.hostnames.sslStatewebapp.hostnames.sslState

Select web apps based on the SSL  state of the enabled hosts (DISABLED, SNI_ENABLED, IP_BASED_ENABLED) you're interested in. Select from names in the drop-down menu.

Example

Show web apps with disabled SSL state

webapp.hostnames.sslState:DISABLED

webapp.clientAffinityEnabledwebapp.clientAffinityEnabled

Use the values true | false to find whether client affinity is enabled or not on a web app.

Example

Show web apps with client affinity enabled

webapp.clientAffinityEnabled:TRUE

webapp.clientCertEnabledwebapp.clientCertEnabled

Use the values true | false to find whether client cert is enabled or not on a web app.

Example

Show web apps with client cert enabled

webapp.clientCertEnabled:TRUE

Azure: Function App

These tokens are available in queries with resource.type:Function App

functionapp.kindfunctionapp.kind

Use a text value ##### to find function apps based on the kind filter you are interested in..

Example

Show any function apps with kind filter

functionapp.kind: Linux

functionapp.deploymentIdfunctionapp.deploymentId

Use a text value ##### to find function apps based on the deployment ID of the function app.

Example

Show function apps with this deployment ID

functionapp.deploymentId:depl-7495

functionapp.statefunctionapp.state

Search function app based on its state.

Example

Show function apps that are in running state

functionapp.state:Running

functionapp.availabilityStatefunctionapp.availabilityState

>Select the function app state (NORMAL, LIMITED, DISASTER_RECOVERY_MODE) you're interested in. Select from names in the drop-down menu.

Example

Show function apps with availability state as LIMITED

functionapp.availabilityState:LIMITED

functionapp.usageStatefunctionapp.usageState

Search the function apps based on their usage state (NORMAL, EXCEEDED). Select from names in the drop-down menu.

Example

Show function app on usage state

functionapp.usageState:NORMAL

functionapp.enabledfunctionapp.enabled

Use the values true | false to find whether function app is enabled or not.

Example

Show function apps which are default container.

functionapp.enabled:true

functionapp.isDefaultContainerfunctionapp.isDefaultContainer

Use the values true | false to find whether function app is the default container or not.

Example

Show function apps which are default container.

functionapp.isDefaultContainer:true

functionapp.httpsonlyfunctionapp.httpsonly

Use the values true | false to find whether HTTPSOnly feature is enabled or not on the function app.

Example

Show function apps with HTTPSOnly feature enabled.

functionapp.httpsonly:TRUE

functionapp.redundancyModefunctionapp.redundancyMode

Use a text value ##### to define the redundancy mode of the function app.

Example

Show function apps with this redundancy mode.

functionapp.redundancyMode:MANUAL

functionapp.appserviceplanfunctionapp.appserviceplan

Use a text value ##### to define the AppServicePlanId of function app you're looking for.

Example

Show function apps with this AppServicePlan ID.

functionapp.appserviceplan:app-service-plan-123

functionapp.defaultHostNamefunctionapp.defaultHostName

Use a text value ##### to define the default host name for function apps.

Example

Show function apps with this default host name

functionapp.defaultHostName:windowsappabc123.azurewebsites.net

functionapp.hostnames.enabledfunctionapp.hostnames.enabled

Use a text value ##### to define the enabled host names of the function apps.

Example

Show function apps with this host names

functionapp.hostnames.enabled:windowsappabc123.azurewebsites.net

functionapp.hostnames.sslStatefunctionapp.hostnames.sslState

Select function apps based on the SSL  state of the enabled hosts (DISABLED, SNI_ENABLED, IP_BASED_ENABLED) you're interested in. Select from names in the drop-down menu.

Example

Show function apps with disabled SSL state

functionapp.hostnames.sslState:DISABLED

functionapp.clientAffinityEnabledfunctionapp.clientAffinityEnabled

Use the values true | false to find whether client affinity is enabled or not on a function app.

Example

Show function apps with client affinity enabled

functionapp.clientAffinityEnabled:TRUE

functionapp.clientCertEnabledfunctionapp.clientCertEnabled

Use the values true | false to find whether client cert is enabled or not on a function app.

Example

Show function apps with client cert enabled

functionapp.clientCertEnabled:TRUE

functionapp.languagefunctionapp.language

Use a text value ##### to find functionapps based on the language in which the functions under function apps are written.

Example

Show function apps with client cert enabled

functionapp.language:CSharp

Azure: Vulnerability 

These tokens are available in queries with resource.type:vulnerability

vulnerability.qidvulnerability.qid

Use an integer value ##### to define the QID in question.

Example

Show findings with QID 90405

vulnerability.qid:90405

vulnerability.severityvulnerability.severity

Select a severity (1-5) to find assets having vulnerabilities with this severity. Select from values in the drop-down menu.

Example

Show findings with severity 4

vulnerability.severity:4

vulnerability.customerSeverityvulnerability.customerSeverity

Use an integer value ##### to define the QID in question.

Example

Show findings with QID 90405

vulnerability.customerSeverity:3

vulnerability.exploitabilityvulnerability.exploitability

Use values within quotes or backticks to help you find known exploit description you're looking for. Quotes can be used when the value has more than one word.

Example

Show any findings related to this description

 vulnerability.exploitability: GIF Parser Heap

Show any findings that contain "GIF", "Parser" or "Heap" in description

 vulnerability.exploitability: "GIF Parser Heap"

Show any findings that match exact value

 vulnerability.exploitability: `GIF Parser Heap`

vulnerability.patchAvailablevulnerability.patchAvailable

Use the values true | false to define vulnerabilities with patch available.

Example

Show findings with patch available

vulnerability.patchAvailable: "true"

Show findings with no patch available

vulnerability.patchAvailable: "false"

vulnerability.disabledvulnerability.disabled

Use the values true | false to define disabled vulnerabilities

Example

Show findings with disabled vulnerabilities

vulnerability.disabled: "true"

Show findings with disabled vulnerabilities

vulnerability.disabled: "false"

vulnerability.ignoredvulnerability.ignored

Use the values true | false to define ignored vulnerabilities 

Example

Show findings with ignored vulnerabilities

vulnerability.ignored: "true"

Show findings with ignored vulnerabilties

vulnerability.ignored: "false"

vulnerability.firstFoundvulnerability.firstFound

Use a date range or specific date to define when findings were first found.

Example

Show findings first found within certain dates

vulnerability.firstFound: [2015-10-21 ... 2015-10-30]

Show findings first found starting 2015-10-01, ending 1 month ago

vulnerability.firstFound: [2015-10-01 ... now-1M]

Show findings first found starting 2 weeks ago, ending 1 second ago

vulnerability.firstFound: [now-2w ... now-1s]

Show findings first found on certain date

vulnerability.firstFound:'2015-11-11'

vulnerability.lastFoundvulnerability.lastFound

Use a date range or specific date to define when findings were last found.

Example

Show findings last found within certain dates

vulnerability.lastFound: [2015-10-21 ... 2016-01-15]

Show findings last found starting 2016-01-01, ending 1 month ago

vulnerability.lastFound: [2016-01-01 ... now-1M]

Show findings last found starting 2 weeks ago, ending 1 second ago

vulnerability.lastFound: [now-2w ... now-1s]

Show findings last found on certain date

vulnerability.lastFound:'2016-01-11'

Show findings last found on 2017-01-12 with patch available

vulnerabilities: (lastFound: '2017-01-12' AND vulnerability.patchAvailable: "true")

vulnerability.titlevulnerability.title

Use quotes or backticks within values to help you find the title you're looking for. Quotes can be used when the value has more than one word.

Example

Show any findings related to this title

vulnerability.title: Remote Code Execution

Show any findings that contain "Remote" or "Code" in title

vulnerability.title: "Remote Code"

Show any findings that match exact value

vulnerability.title: `Remote Code`

vulnerability.descriptionvulnerability.description

Use quotes or backticks within values to help you find the vulnerability description you're looking for. Quotes can be used when the value has more than one word.

Example

Show any findings related to description

vulnerability.description: remote code execution

Show any findings  that contain "remote" or "code" in description

vulnerability.description: "remote code execution"

Show any findings that match exact value

vulnerability.description: `remote code execution`

vulnerability.cveIdsvulnerability.cveIds

Use a text value ##### to find the CVE name you're interested in.

Example

Show findings with CVE name CVE-2015-0313

vulnerability.cveIds: CVE-2015-0313

vulnerability.categoryvulnerability.category

Select a category (CGI, Database, DNS, BIND, etc) to find vulnerabilities with this category. Select from names in the drop-down menu.

Example

Show findings with the category CGI

vulnerability.category: "CGI"

vulnerability.cvss3Info.baseScorevulnerability.cvss3Info.baseScore

Use an integer value ##### to help you find the CVSS base score you're interested in.

Example

Show assets with this score

vulnerability.cvss3Info.baseScore: 7.8

vulnerability.cvss3Info.temporalScorevulnerability.cvss3Info.temporalScore

Use an integer value ##### to help you find the CVSS temporal score you're interested in.

Example

Show assets with this score

vulnerability.cvss3Info.temporalScore: 6.4

vulnerability.cvssInfo.accessVectorvulnerability.cvssInfo.accessVector

Select the name ##### of a CVSS access vector you'd like to find (e.g. UNDEFINED, LOCAL_ACCESS, ADJACENT_NETWORK, NETWORK). Select from names in the drop-down menu.

Example

Show findings with this name

vulnerability.cvssInfo.accessVector: "NETWORK"

vulnerability.portvulnerability.port

Use an integer value ##### to help you find assets with some open port.

Example

Show vulnerability with port 80

vulnerability.port: 80

vulnerability.protocolvulnerability.protocol

Use a text value ##### (UDP or TCP) to define the port protocol you're interested in.

Example

Show findings found on TCP

vulnerability.protocol: TCP

Show findings found on port 80 and TCP

vulnerability: (port: 80 AND protocol: TCP)

vulnerability.hostOSvulnerability.hostOS

Use quotes or backticks within values to help you find the instance operating system you're interested in.

Example

Show any findings with this OS name

vulnerability.hostOS:Windows 2012

Show any findings that contain components of OS name

vulnerability.hostOS:"Windows 2012"

Show any findings that match exact value "Windows 2012"

vulnerability.hostOS:`Windows 2012`

vulnerability.typeDetectedvulnerability.typeDetected

Select a detection type (e.g. Confirmed, Potential, Information) to find instances with vulnerabilities of this type. Select from names in the drop-down menu.

Example

Show findings with this type

vulnerability.typeDetected:Confirmed

vulnerability.PCIvulnerability.PCI

Use the values true | false to find vulnerabilities that must be fixed for PCI Compliance (per PCI DSS).

Example

Show PCI vulnerabilities

vulnerability.PCI:TRUE

Do not show PCI vulnerabilities

vulnerability.PCI:FALSE

vulnerability.authTypesvulnerability.authTypes

Select the name (WINDOWS_AUTH, UNIX_AUTH, ORACLE_AUTH, etc) of an authentication type you're interested in. Select from names in the drop-down menu.

Example

Show findings with Windows auth type

vulnerability.authTypes:WINDOWS_AUTH

vulnerability.bugTraqIdsvulnerability.bugTraqIds

Use a text value ##### to find vulnerabilities based on the BugTraq number you're interested in.

Example

Show findings with BugTraq ID 22211

vulnerability.bugTraqIds:22211

vulnerability.compliance.descriptionvulnerability.compliance.description

Use quotes or backticks within values to help you find the compliance description you're looking for.

Example

Show any findings related to this description

vulnerability.compliance.description:malicious software

Show any findings that contain "malicious" or "software" in description

vulnerability.compliance.description:"malicious software"

Show any findings that match exact value "malicious software"

vulnerability.compliance.description:`malicious software`

vulnerability.compliance.sectionvulnerability.compliance.section

Use quotes or backticks within values to help you find the compliance section you're looking for.

Example

Show any findings related to this section

vulnerability.compliance.section:164.308

Show any findings that contain parts of section

vulnerability.compliance.section:"164.308"

Show any findings that match exact value "164.308"

vulnerability.compliance.section:`164.308`

vulnerability.compliance.typevulnerability.compliance.type

Select the name ##### of a compliance type you're interested in (e.g. COBIT, HIPAA, GLBA, SOX). Select from names in the drop-down menu.

Example

Show findings with the compliance type HIPAA

vulnerability.compliance.type:HIPAA

vulnerability.consequencevulnerability.consequence

Use quotes or backticks within values to help you find the consequence you're looking for.

Example

Show any findings related to consequence

vulnerability.consequence:sensitive information

Show any findings that contain "sensitive" or "information" in consequence

vulnerability.consequence:"sensitive information"

Show any findings that match exact value "sensitive information"

vulnerability.consequence:`sensitive information`

vulnerability.flagsvulnerability.flags

Use a text value ##### to find the Qualys defined vulnerability property of interest (e.g. REMOTE, WINDOWS_AUTH, UNIX_AUTH, PCI_RELATED etc).

Example

Show findings with this flag

vulnerability.flags:PCI_RELATED

vulnerability.listsvulnerability.lists

Use a text value ##### to find the vulnerability list of interest (e.g. SANS_20, QUALYS_20, QUALYS_INT_10, QUALYS_EXT_10).

Example

Show findings with vulnerabilities in SANS Top 20

vulnerability.lists:SANS_20

vulnerability.patchesvulnerability.patches

Use an integer value ##### to help you find the patch QID you're interested in.

Example

Show assets with this patch QID

vulnerability.patches:90753

vulnerability.publishedvulnerability.published

Use a date range or specific date to define when vulnerabilities were first published in the KnowledgeBase.

Example

Show findings for vulnerabilities published within certain dates

vulnerability.published:[2015-10-21 ... 2016-01-15]

Show findings for vulnerabilities published starting 2017-01-01, ending 1 month ago

vulnerability.published:[2017-01-01 ... now-1M]

Show findings for vulnerabilities published starting 2 weeks ago, ending 1 second ago

vulnerability.published:[now-2w ... now-1s]

Show findings for vulnerabilities published on certain date

vulnerability.published:'2018-01-15'

vulnerability.riskvulnerability.risk

Use an integer value ##### to define the vulnerability risk rating you're interested in. For confirmed and potential issues risk is 10 times severity, for information gathered it is severity.

Example

Show findings with risk 50

vulnerability.risk:50

vulnerability.osvulnerability.os

Use quotes or backticks within values to help you find the operating system vulnerabilities were detected on.

Example

Show any findings related to this OS value

vulnerability.os:windows

Show any findings that contain parts of OS value

vulnerability.os:"windows"

Show any findings that match exact value "windows"

vulnerability.os:`windows`

vulnerability.cvssInfo.baseScorevulnerability.cvssInfo.baseScore

Use an integer value ##### to help you find the CVSS base score you're interested in.

Example

Show instances with this score

vulnerability.cvssInfo.baseScore:7.8

vulnerability.cvssInfo.temporalScorevulnerability.cvssInfo.temporalScore

Use an integer value ##### to help you find the CVSS temporal score you're interested in.

Example

Show instances with this score

vulnerability.cvssInfo.temporalScore:6.4

vulnerability.discoveryTypesvulnerability.discoveryTypes

Select a discovery type (Remote or Authenticated) to find instances with vulnerabilities having this discovery type. Select from names in the drop-down menu.

Example

Show findings with Remote discovery type

vulnerability.discoveryTypes:REMOTE

vulnerability.sans20Categoriesvulnerability.sans20Categories

Use a text value ##### to find vulnerabilities in the SANS 20 category you're interested in (e.g. Anti-virus Software, Backup Software, etc).

Example

Show findings with this category name

vulnerability.sans20Categories:Media Players

vulnerability.solutionvulnerability.solution

Use quotes or backticks within values to help you find the solution you're looking for.

Example

Show any findings related to this solution

vulnerability.solution:Bulletin MS10-006

Show any findings that contain parts of solution

vulnerability.solution:"Bulletin MS10-006"

Show any findings that match exact value "Bulletin MS10-006"

vulnerability.solution:`Bulletin MS10-006`

vulnerability.statusvulnerability.status

Select the vulnerability status (ACTIVE, FIXED, NEW, REOPENED) you're interested in. Select from names from the drop-down menu.

Example

Show vulnerabilities with ACTIVE status

vulnerability.status:ACTIVE

vulnerability.supportedByvulnerability.supportedBy

Select a Qualys service (VM, Agent type, etc) to show vulnerabilities that can be detected by this service. Select from names in the drop-down menu.

Example

Show vulnerabilities supported by Linux Agent

vulnerability.supportedBy:LINUX_AGENT

vulnerability.vendorRefsvulnerability.vendorRefs

Use a text value ##### to find the vendor reference you're interested in.

Example

Show this vendor reference

vulnerability.vendorRefs:KB3021953

vulnerability.vendors.productNamevulnerability.vendors.productName

Use a text value ##### to find the vendor product name you're interested in.

Example

Show findings with this vendor product name

vulnerability.vendors.productName:Windows

vulnerability.vendors.vendorNamevulnerability.vendors.vendorName

Use a text value ##### to find the vendor name you're interested in.

Example

Show findings with this vendor name

vulnerability.vendors.vendorName:Adobe

vulnerability.disabledvulnerability.disabled

Use the values true | false to define vulnerabilities that are disabled.

Example

Show findings with this disabled set to False

vulnerability.disabled:False

Threat Protection

(For Threat Protection users) Use these tokens for searching Real-Time Threat Indicators (RTI).

vulnerability.threatIntel.activeAttacksvulnerability.threatIntel.activeAttacks

Use the values true | false to define real-time threats due to active attacks.

Example

Show resources with threats due to active attacks

vulnerability.threatIntel.activeAttacks: "true"

vulnerability.threatIntel.denialOfServicevulnerability.threatIntel.denialOfService

Use the values true | false to define real-time threats due to denial of service.

Example

Show resources with threats due to denial of service

vulnerability.threatIntel.denialOfService: "true"

vulnerability.threatIntel.easyExploitvulnerability.threatIntel.easyExploit

Use the values true | false to define real-time threats due to easy exploit.

Example

Show resources with threats due to easy exploit

vulnerability.threatIntel.easyExploit: "true"

vulnerability.threatIntel.exploitKitvulnerability.threatIntel.exploitKit

Use the values true | false to define real-time threats due to exploit kit.

Example

Show resources with threats due to exploit kit

vulnerability.threatIntel.exploitKit: "true"

vulnerability.threatIntel.exploitKitNamevulnerability.threatIntel.exploitKitName

Use quotes or backticks within values to help you find the exploit kit name you're looking for. Quotes can be used when the value has more than one word.

Example

Show any findings with this name

vulnerability.threatIntel.exploitKitName: Angler

Show any findings that match exact value

vulnerability.threatIntel.exploitKitName: `Angler`

vulnerability.threatIntel.highDataLossvulnerability.threatIntel.highDataLoss

Use the values true | false to define real-time threats due to high data loss.

Example

Show resources with threats due to high data loss

vulnerability.threatIntel.highDataLoss: "true"

vulnerability.threatIntel.highLateralMovementvulnerability.threatIntel.highLateralMovement

Use the values true | false to define real-time threats due to high lateral movement.

Example

Show resources with threats due to high lateral movement

vulnerability.threatIntel.highLateralMovement: "true"

vulnerability.threatIntel.malwarevulnerability.threatIntel.malware

Use the values true | false to define real-time threats due to malware.

Example

Show resources with threats due to malware

vulnerability.threatIntel.malware: "true"

vulnerability.threatIntel.malwareNamevulnerability.threatIntel.malwareName

Use quotes or backticks within values to help you find the malware name you're looking for. Quotes can be used when the value has more than one word.

Example

Show any findings with this name

vulnerability.threatIntel.malwareName: TROJ_PDFKA.DQ

Show any findings that match exact value

vulnerability.threatIntel.malwareName: `TROJ_PDFKA.DQ`

vulnerability.threatIntel.noPatchvulnerability.threatIntel.noPatch

Use the values true | false to define real-time threats due to no patch available.

Example

Show resources with threats due to no patch available

vulnerability.threatIntel.noPatch: "true"

vulnerability.threatIntel.publicExploitvulnerability.threatIntel.publicExploit

Use the values true | false to define real-time threats due to public exploit.

Example

Show resources with threats due to public exploit

vulnerability.threatIntel.publicExploit: "true"

vulnerability.threatIntel.publicExploitNamevulnerability.threatIntel.publicExploitName

Use quotes or backticks within values to help you find the public exploit name of interest. Quotes can be used when the value has more than one word.

Example

Show any findings with this name

vulnerability.threatIntel.publicExploitName: RealVNC NULL Authentication Mode Bypass

Show any findings that contain parts of name

vulnerability.threatIntel.publicExploitName: "RealVNC NULL Authentication Mode Bypass"

Show any findings that match exact value

vulnerability.threatIntel.publicExploitName: `RealVNC NULL Authentication Mode Bypass`

vulnerability.threatIntel.zeroDayvulnerability.threatIntel.zeroDay

Use the values true | false to define real-time threats due to zero day exploit.

Example

Show resources with threats due to zero day exploit

vulnerability.threatIntel.zeroDay: "true"

Azure: Public IP Addresses

namename

Provide a string value to find resources with the specified name.

Example

Find a resource named "my-public-ip"

name: my-public-ip

resource.idresource.id

Provide a string value to find resources with the specified Azure Resource ID.

Example

Find a resource with ID "/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/myResourceGroup/providers/Microsoft.Network/publicIPAddresses/my-public-ip"

resource.id: /subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/myResourceGroup/providers/Microsoft.Network/publicIPAddresses/my-public-ip

locationlocation

Provide a string value to find resources in the specified Azure region.

Example

Find resources in the East US region

location: eastus

typetype

Select the type of resource you're interested in. Select from names in the drop-down menu.

Example

Show resources of type Instance

type: VM

publicipaddresses.sku.namepublicipaddresses.sku.name

Select from available options (e.g., Basic, Standard) to find public IP addresses with the specified SKU name.

Example

Show public IP addresses with Standard SKU.

publicipaddresses.sku.name: Standard

publicipaddresses.sku.tierpublicipaddresses.sku.tier

Select from available options (e.g., Regional, Global) to find public IP addresses with the specified SKU tier.

Example

Show public IP addresses with Regional tier.

publicipaddresses.sku.tier: Regional

publicipaddresses.provisioningStatepublicipaddresses.provisioningState

Select from available options (e.g., Succeeded, Updating, Deleting, Failed) to find public IP addresses with the specified provisioning state.

Example

Show successfully provisioned public IP addresses.

publicipaddresses.provisioningState: Succeeded

publicipaddresses.publicIPAddressVersionpublicipaddresses.publicIPAddressVersion

Select from available options (IPv4, IPv6) to find public IP addresses of the specified IP version.

Example

Show IPv4 public IP addresses.

publicipaddresses.publicIPAddressVersion: IPv4

publicipaddresses.publicIPAllocationMethodpublicipaddresses.publicIPAllocationMethod

Select from available options (Dynamic, Static) to find public IP addresses with the specified allocation method.

Example

Show static public IP addresses.

publicipaddresses.publicIPAllocationMethod: Static

publicipaddresses.idleTimeoutInMinutespublicipaddresses.idleTimeoutInMinutes

Provide an integer value to find public IP addresses with the specified idle timeout in minutes.

Example

Find public IP addresses with a 4-minute idle timeout

publicipaddresses.idleTimeoutInMinutes: 4

publicipaddresses.ddosSettings.protectionMode publicipaddresses.ddosSettings.protectionMode

Select from available options (e.g., Enabled, Disabled) to find public IP addresses with the specified DDoS protection mode.

Example

Show public IP addresses with DDoS protection enabled.

publicipaddresses.ddosSettings.protectionMode: Enabled