Use the search tokens below to search for resources discovered. You will need to first choose cloud provider on the Resources tab to see the relevant tokens for your environment. Looking for help with writing your query? click here
Example
Show findings with this account ID
account.id: 205767712438
Example
Show connectors with this account alias
account.alias: Example_connector
subscriptionNamesubscriptionName
Example
Show connectors with this subscription name
subscriptionName: Sample Cloud Subscription
Examples
Show resources created within certain dates
created: [2018-01-01 ... 2018-03-01]
Show resources created starting 2018-10-01, ending 1 month ago
created: [2018-01-01 ... now-1m]
Show resources created starting 2 weeks ago, ending 1 second ago
created: [now-2w ... now-1s]
Show resources created on specific date
created: 2018-01-08
Examples
Show resources updated within certain dates
updated: [2018-01-01 ... 2018-03-01]
Show resources updated starting 2018-10-01, ending 1 month ago
updated: [2018-01-01 ... now-1m]
Show resources updated starting 2 weeks ago, ending 1 second ago
updated: [now-2w ... now-1s]
Show resources updated on specific date
updated: 2018-01-08
Examples
Show any findings with this name
name: my-resource
Show all the findings that exactly match with this name
name: `my-resource`
Example
Find resources synced from Microsoft Azure
provider: Azure
Example
Find resources in the Singapore region
region: Singapore
Example
Show resources with ID acl-8e5198f5
resource.id: acl-8e5198f5
Example
Show resources of type Instance
resource.type: Instance
Example
Show findings with key Department
tag.key: Department
Example
Show findings with tag value Finance
tag.value: Finance
Example
Show any findings that contain "network" and "blue" in name
tags.name: "network blue"
Show any findings that contain "network" or "blue" in name (another method)
tags.name: "network"
OR
tags.name: "blue"
Show any findings that match exact value "Cloud Agent"
tags.name: "Cloud Agent"
Example
Show findings with account ID 205767712438 and type Subnet
account.id: 205767712438 and resource.type: Subnet
Example
Show findings that are not resource type Instance
not resource.type: Instance
Example
Show findings with one of these tag values
tag.value: Finance or tag.value: Accounting
Example
Show resources with this projectId
projectId: my-project-1513669048551
Example
Find resources in this location
location: Frankfurt
resourceGroupNameresourceGroupName
Example
Show resources with this group name
resourceGroupName: my-eastus-rg
Example
Show resources with this subscription ID
subscriptionId: fbb9ea64-abda-452e-adfa-83442409
These tokens are available in queries with resource.type:SQL Server
Example
Show resources with this type
sqlserver.type: Microsoft.sql
sqlserver.fullyQualifiedDomainNamesqlserver.fullyQualifiedDomainName
Example
Show resources with this FQDN
sqlserver.fullyQualifiedDomainName: severname.database.windows.net
sqlserver.versionsqlserver.version
Example
Show resources with this version
sqlserver.version: 12
sqlserver.statesqlserver.state
Example
Show resources with this state
sqlserver.state: ready
These tokens are available in queries with resource.type:SQL Server Database
sqldatabase.editionsqldatabase.edition
Example
Find resources with standard edition
sqldatabase.edition: standard
sqldatabase.statussqldatabase.status
Example
Show online databases
sqldatabase.status: online
These tokens are available in queries with resource.type:Virtual Machine
virtualmachine.vmIdvirtualmachine.vmId
Example
Show resources with this virtual machine ID
virtualmachine.vmId: MyVMID
connector.remediationEnabledconnector.remediationEnabled
Example
Show resources associated with the connector for which remediation is enabled
connector.remediationEnabled: TRUE
virtualmachine.vmSizevirtualmachine.vmSize
Example
Show resources with this virtual machine size
virtualmachine.vmSize: Standard_DS1_v2
virtualmachine.networkSecurityGroupvirtualmachine.networkSecurityGroup
Example
Show resources with this network security group
virtualmachine.networkSecurityGroup: myNSG
virtualmachine.osTypevirtualmachine.osType
Example
Show VMs with specified OS Type.
virtualmachine.osType: Windows
virtualmachine.agentInstalledvirtualmachine.agentInstalled
Example
Show VMs with agents installed.
virtualmachine.agentInstalled: True
virtualmachine.hasThreatsvirtualmachine.hasThreats
Example
Show resources with threats identified
virtualmachine.hasThreats: True
virtualmachine.publicIpAddressvirtualmachine.publicIpAddress
Example
Show resources with this IP address
virtualmachine.publicIpAddress: 13.126.125.189
virtualmachine.statusvirtualmachine.status
Example
Show virtual machines with VM running status
virtualmachine.status: VM running
virtualmachine.networkInterface.subnetIdvirtualmachine.networkInterface.subnetId
Example
Show findings with this address ID
virtualmachine.networkInterface.subnetId: id-12345
virtualmachine.networkInterface.privateDnsNamevirtualmachine.networkInterface.privateDnsName
Example
Show findings with this private DNS name
virtualmachine.networkInterface.privateDnsName: ip-172-31-33-67.us-east-2.compute.internal
virtualmachine.networkInterface.privateIpAddressvirtualmachine.networkInterface.privateIpAddress
Example
Show findings with this private IP
virtualmachine.networkInterface.privateIpAddress: 172.31.28.151
virtualmachine.networkInterface.secondaryPrivateIpvirtualmachine.networkInterface.secondaryPrivateIp
Example
Show findings with this secondary private IP
virtualmachine.networkInterface.secondaryPrivateIp: 10.0.0.85
virtualmachine.networkInterface.publicIpvirtualmachine.networkInterface.publicIp
Example
Show findings with this public IP address
virtualmachine.networkInterface.publicIp: 13.126.125.189
virtualmachine.networkInterface.ipv6Ipvirtualmachine.networkInterface.ipv6Ip
Example
Show findings with this IPv6 address
virtualmachine.networkInterface.ipv6Ip: 2010:ab2::1234:zzz:2002:1f
virtualmachine.isDockerHostvirtualmachine.isDockerHost
Example
Show VMs with docker installed on the host
virtualmachine.isDockerHost:true
Show VMs without docker installed on the host
virtualmachine.isDockerHost:false
virtualmachine.docker.versionvirtualmachine.docker.version
Example
Show VMs with specified docker version
virtualmachine.docker.version:8.2
virtualmachine.riskScorevirtualmachine.riskScore
Use an integer value (0-1000) to search for all the Azure VMs with the specified risk score.
Example
Show all VMs with a risk score greater than 125
virtualmachine.riskScore > 125
Show all VMs with a risk score of 125
virtualmachie.riskScore: 125
These tokens are available in queries with resource.type:Virtual Network
virtualnetwork.typevirtualnetwork.type
Example
Show resources with this virtual network type
virtualnetwork.type: Microsoft.Network/virtualNetworks
These tokens are available in queries with resource.type:Web App
Examples
Show any web apps with kind filter
webapp.kind: Linux
webapp.deploymentIdwebapp.deploymentId
Example
Show web apps with this deployment ID
webapp.deploymentId:depl-7495
Examples
Show web apps that are in running state
webapp.state:Running
webapp.availabilityStatewebapp.availabilityState
Example
Show web apps with availability state as LIMITED
webapp.availabilityState:LIMITED
webapp.usageStatewebapp.usageState
Example
Show web app on usage state
webapp.usageState:NORMAL
Examples
Show web apps which are default container.
webapp.enabled:true
webapp.isDefaultContainerwebapp.isDefaultContainer
Examples
Show web apps which are default container.
webapp.isDefaultContainer:true
webapp.httpsonlywebapp.httpsonly
Examples
Show web apps with HTTPSOnly feature enabled.
webapp.httpsonly:TRUE
webapp.redundancyModewebapp.redundancyMode
Example
Show web apps with this redundancy mode.
webapp.redundancyMode:MANUAL
webapp.appserviceplanwebapp.appserviceplan
Examples
Show web apps with this AppServicePlan ID.
webapp.appserviceplan:app-service-plan-123
webapp.defaultHostNamewebapp.defaultHostName
Show web apps with this default host name
webapp.defaultHostName:windowsappabc123.azurewebsites.net
webapp.hostnames.enabledwebapp.hostnames.enabled
Example
Show web apps with this host names
webapp.hostnames.enabled:windowsappabc123.azurewebsites.net
webapp.hostnames.sslStatewebapp.hostnames.sslState
Example
Show web apps with disabled SSL state
webapp.hostnames.sslState:DISABLED
webapp.clientAffinityEnabledwebapp.clientAffinityEnabled
Example
Show web apps with client affinity enabled
webapp.clientAffinityEnabled:TRUE
webapp.clientCertEnabledwebapp.clientCertEnabled
Example
Show web apps with client cert enabled
webapp.clientCertEnabled:TRUE
These tokens are available in queries with resource.type:Function App
functionapp.kindfunctionapp.kind
Examples
Show any function apps with kind filter
functionapp.kind: Linux
functionapp.deploymentIdfunctionapp.deploymentId
Example
Show function apps with this deployment ID
functionapp.deploymentId:depl-7495
functionapp.statefunctionapp.state
Examples
Show function apps that are in running state
functionapp.state:Running
functionapp.availabilityStatefunctionapp.availabilityState
Example
Show function apps with availability state as LIMITED
functionapp.availabilityState:LIMITED
functionapp.usageStatefunctionapp.usageState
Example
Show function app on usage state
functionapp.usageState:NORMAL
functionapp.enabledfunctionapp.enabled
Examples
Show function apps which are default container.
functionapp.enabled:true
functionapp.isDefaultContainerfunctionapp.isDefaultContainer
Examples
Show function apps which are default container.
functionapp.isDefaultContainer:true
functionapp.httpsonlyfunctionapp.httpsonly
Examples
Show function apps with HTTPSOnly feature enabled.
functionapp.httpsonly:TRUE
functionapp.redundancyModefunctionapp.redundancyMode
Example
Show function apps with this redundancy mode.
functionapp.redundancyMode:MANUAL
functionapp.appserviceplanfunctionapp.appserviceplan
Examples
Show function apps with this AppServicePlan ID.
functionapp.appserviceplan:app-service-plan-123
functionapp.defaultHostNamefunctionapp.defaultHostName
Show function apps with this default host name
functionapp.defaultHostName:windowsappabc123.azurewebsites.net
functionapp.hostnames.enabledfunctionapp.hostnames.enabled
Example
Show function apps with this host names
functionapp.hostnames.enabled:windowsappabc123.azurewebsites.net
functionapp.hostnames.sslStatefunctionapp.hostnames.sslState
Example
Show function apps with disabled SSL state
functionapp.hostnames.sslState:DISABLED
functionapp.clientAffinityEnabledfunctionapp.clientAffinityEnabled
Example
Show function apps with client affinity enabled
functionapp.clientAffinityEnabled:TRUE
functionapp.clientCertEnabledfunctionapp.clientCertEnabled
Example
Show function apps with client cert enabled
functionapp.clientCertEnabled:TRUE
functionapp.languagefunctionapp.language
Example
Show function apps with client cert enabled
functionapp.language:CSharp
These tokens are available in queries with resource.type:vulnerability
vulnerability.qidvulnerability.qid
Example
Show findings with QID 90405
vulnerability.qid:90405
vulnerability.severityvulnerability.severity
Example
Show findings with severity 4
vulnerability.severity:4
vulnerability.customerSeverityvulnerability.customerSeverity
Example
Show findings with QID 90405
vulnerability.customerSeverity:3
vulnerability.exploitabilityvulnerability.exploitability
Examples
Show any findings related to this description
vulnerability.exploitability: GIF Parser Heap
Show any findings that contain "GIF", "Parser" or "Heap" in description
vulnerability.exploitability: "GIF Parser Heap"
Show any findings that match exact value
vulnerability.exploitability: `GIF Parser Heap`
vulnerability.patchAvailablevulnerability.patchAvailable
Examples
Show findings with patch available
vulnerability.patchAvailable: "true"
Show findings with no patch available
vulnerability.patchAvailable: "false"
vulnerability.firstFoundvulnerability.firstFound
Examples
Show findings first found within certain dates
vulnerability.firstFound: [2015-10-21 ... 2015-10-30]
Show findings first found starting 2015-10-01, ending 1 month ago
vulnerability.firstFound: [2015-10-01 ... now-1M]
Show findings first found starting 2 weeks ago, ending 1 second ago
vulnerability.firstFound: [now-2w ... now-1s]
Show findings first found on certain date
vulnerability.firstFound:'2015-11-11'
vulnerability.lastFoundvulnerability.lastFound
Examples
Show findings last found within certain dates
vulnerability.lastFound: [2015-10-21 ... 2016-01-15]
Show findings last found starting 2016-01-01, ending 1 month ago
vulnerability.lastFound: [2016-01-01 ... now-1M]
Show findings last found starting 2 weeks ago, ending 1 second ago
vulnerability.lastFound: [now-2w ... now-1s]
Show findings last found on certain date
vulnerability.lastFound:'2016-01-11'
Show findings last found on 2017-01-12 with patch available
vulnerabilities: (lastFound: '2017-01-12' AND vulnerability.patchAvailable: "true")
vulnerability.titlevulnerability.title
Examples
Show any findings related to this title
vulnerability.title: Remote Code Execution
Show any findings that contain "Remote" or "Code" in title
vulnerability.title: "Remote Code"
Show any findings that match exact value
vulnerability.title: `Remote Code`
vulnerability.descriptionvulnerability.description
Examples
Show any findings related to description
vulnerability.description: remote code execution
Show any findings that contain "remote" or "code" in description
vulnerability.description: "remote code execution"
Show any findings that match exact value
vulnerability.description: `remote code execution`
vulnerability.cveIdsvulnerability.cveIds
Example
Show findings with CVE name CVE-2015-0313
vulnerability.cveIds: CVE-2015-0313
vulnerability.categoryvulnerability.category
Example
Show findings with the category CGI
vulnerability.category: "CGI"
vulnerability.cvss3Info.baseScorevulnerability.cvss3Info.baseScore
Example
Show assets with this score
vulnerability.cvss3Info.baseScore: 7.8
Example
Show assets with this score
vulnerability.cvss3Info.temporalScore: 6.4
vulnerability.cvssInfo.accessVectorvulnerability.cvssInfo.accessVector
Example
Show findings with this name
vulnerability.cvssInfo.accessVector: "NETWORK"
vulnerability.portvulnerability.port
Example
Show vulnerability with port 80
vulnerability.port: 80
vulnerability.protocolvulnerability.protocol
Examples
Show findings found on TCP
vulnerability.protocol: TCP
Show findings found on port 80 and TCP
vulnerability: (port: 80 AND protocol: TCP)
vulnerability.hostOSvulnerability.hostOS
Examples
Show any findings with this OS name
vulnerability.hostOS:Windows 2012
Show any findings that contain components of OS name
vulnerability.hostOS:"Windows 2012"
Show any findings that match exact value "Windows 2012"
vulnerability.hostOS:`Windows 2012`
vulnerability.typeDetectedvulnerability.typeDetected
Example
Show findings with this type
vulnerability.typeDetected:Confirmed
vulnerability.PCIvulnerability.PCI
Examples
Show PCI vulnerabilities
vulnerability.PCI:TRUE
Do not show PCI vulnerabilities
vulnerability.PCI:FALSE
vulnerability.authTypesvulnerability.authTypes
Example
Show findings with Windows auth type
vulnerability.authTypes:WINDOWS_AUTH
vulnerability.bugTraqIdsvulnerability.bugTraqIds
Example
Show findings with BugTraq ID 22211
vulnerability.bugTraqIds:22211
vulnerability.compliance.descriptionvulnerability.compliance.description
Examples
Show any findings related to this description
vulnerability.compliance.description:malicious software
Show any findings that contain "malicious" or "software" in description
vulnerability.compliance.description:"malicious software"
Show any findings that match exact value "malicious software"
vulnerability.compliance.description:`malicious software`
vulnerability.compliance.sectionvulnerability.compliance.section
Examples
Show any findings related to this section
vulnerability.compliance.section:164.308
Show any findings that contain parts of section
vulnerability.compliance.section:"164.308"
Show any findings that match exact value "164.308"
vulnerability.compliance.section:`164.308`
vulnerability.compliance.typevulnerability.compliance.type
Example
Show findings with the compliance type HIPAA
vulnerability.compliance.type:HIPAA
vulnerability.consequencevulnerability.consequence
Examples
Show any findings related to consequence
vulnerability.consequence:sensitive information
Show any findings that contain "sensitive" or "information" in consequence
vulnerability.consequence:"sensitive information"
Show any findings that match exact value "sensitive information"
vulnerability.consequence:`sensitive information`
vulnerability.flagsvulnerability.flags
Example
Show findings with this flag
vulnerability.flags:PCI_RELATED
vulnerability.listsvulnerability.lists
Example
Show findings with vulnerabilities in SANS Top 20
vulnerability.lists:SANS_20
vulnerability.patchesvulnerability.patches
Example
Show assets with this patch QID
vulnerability.patches:90753
vulnerability.publishedvulnerability.published
Examples
Show findings for vulnerabilities published within certain dates
vulnerability.published:[2015-10-21 ... 2016-01-15]
Show findings for vulnerabilities published starting 2017-01-01, ending 1 month ago
vulnerability.published:[2017-01-01 ... now-1M]
Show findings for vulnerabilities published starting 2 weeks ago, ending 1 second ago
vulnerability.published:[now-2w ... now-1s]
Show findings for vulnerabilities published on certain date
vulnerability.published:'2018-01-15'
vulnerability.riskvulnerability.risk
Example
Show findings with risk 50
vulnerability.risk:50
vulnerability.osvulnerability.os
Examples
Show any findings related to this OS value
vulnerability.os:windows
Show any findings that contain parts of OS value
vulnerability.os:"windows"
Show any findings that match exact value "windows"
vulnerability.os:`windows`
vulnerability.cvssInfo.baseScorevulnerability.cvssInfo.baseScore
Example
Show instances with this score
vulnerability.cvssInfo.baseScore:7.8
vulnerability.cvssInfo.temporalScorevulnerability.cvssInfo.temporalScore
Example
Show instances with this score
vulnerability.cvssInfo.temporalScore:6.4
vulnerability.discoveryTypesvulnerability.discoveryTypes
Example
Show findings with Remote discovery type
vulnerability.discoveryTypes:REMOTE
vulnerability.sans20Categoriesvulnerability.sans20Categories
Example
Show findings with this category name
vulnerability.sans20Categories:Media Players
vulnerability.solutionvulnerability.solution
Examples
Show any findings related to this solution
vulnerability.solution:Bulletin MS10-006
Show any findings that contain parts of solution
vulnerability.solution:"Bulletin MS10-006"
Show any findings that match exact value "Bulletin MS10-006"
vulnerability.solution:`Bulletin MS10-006`
vulnerability.statusvulnerability.status
Example
Show vulnerabilities with ACTIVE status
vulnerability.status:ACTIVE
vulnerability.supportedByvulnerability.supportedBy
Example
Show vulnerabilities supported by Linux Agent
vulnerability.supportedBy:LINUX_AGENT
vulnerability.vendorRefsvulnerability.vendorRefs
Example
Show this vendor reference
vulnerability.vendorRefs:KB3021953
vulnerability.vendors.productNamevulnerability.vendors.productName
Example
Show findings with this vendor product name
vulnerability.vendors.productName:Windows
vulnerability.vendors.vendorNamevulnerability.vendors.vendorName
Example
Show findings with this vendor name
vulnerability.vendors.vendorName:Adobe
vulnerability.disabledvulnerability.disabled
Example
Show findings with this disabled set to False
vulnerability.disabled:False
(For Threat Protection users) Use these tokens for searching Real-Time Threat Indicators (RTI).
vulnerability.threatIntel.activeAttacksvulnerability.threatIntel.activeAttacks
Example
Show resources with threats due to active attacks
vulnerability.threatIntel.activeAttacks: "true"
vulnerability.threatIntel.denialOfServicevulnerability.threatIntel.denialOfService
Example
Show resources with threats due to denial of service
vulnerability.threatIntel.denialOfService: "true"
vulnerability.threatIntel.easyExploitvulnerability.threatIntel.easyExploit
Example
Show resources with threats due to easy exploit
vulnerability.threatIntel.easyExploit: "true"
vulnerability.threatIntel.exploitKitvulnerability.threatIntel.exploitKit
Example
Show resources with threats due to exploit kit
vulnerability.threatIntel.exploitKit: "true"
vulnerability.threatIntel.exploitKitNamevulnerability.threatIntel.exploitKitName
Examples
Show any findings with this name
vulnerability.threatIntel.exploitKitName: Angler
Show any findings that match exact value
vulnerability.threatIntel.exploitKitName: `Angler`
vulnerability.threatIntel.highDataLossvulnerability.threatIntel.highDataLoss
Example
Show resources with threats due to high data loss
vulnerability.threatIntel.highDataLoss: "true"
vulnerability.threatIntel.highLateralMovementvulnerability.threatIntel.highLateralMovement
Example
Show resources with threats due to high lateral movement
vulnerability.threatIntel.highLateralMovement: "true"
vulnerability.threatIntel.malwarevulnerability.threatIntel.malware
Example
Show resources with threats due to malware
vulnerability.threatIntel.malware: "true"
vulnerability.threatIntel.malwareNamevulnerability.threatIntel.malwareName
Examples
Show any findings with this name
vulnerability.threatIntel.malwareName: TROJ_PDFKA.DQ
Show any findings that match exact value
vulnerability.threatIntel.malwareName: `TROJ_PDFKA.DQ`
vulnerability.threatIntel.noPatchvulnerability.threatIntel.noPatch
Example
Show resources with threats due to no patch available
vulnerability.threatIntel.noPatch: "true"
vulnerability.threatIntel.publicExploitvulnerability.threatIntel.publicExploit
Example
Show resources with threats due to public exploit
vulnerability.threatIntel.publicExploit: "true"
vulnerability.threatIntel.publicExploitNamevulnerability.threatIntel.publicExploitName
Examples
Show any findings with this name
vulnerability.threatIntel.publicExploitName: RealVNC NULL Authentication Mode Bypass
Show any findings that contain parts of name
vulnerability.threatIntel.publicExploitName: "RealVNC NULL Authentication Mode Bypass"
Show any findings that match exact value
vulnerability.threatIntel.publicExploitName: `RealVNC NULL Authentication Mode Bypass`
vulnerability.threatIntel.zeroDayvulnerability.threatIntel.zeroDay
Example
Show resources with threats due to zero day exploit
vulnerability.threatIntel.zeroDay: "true"
Was this topic helpful?