Search Tokens for AWS Assets
Click to view navigation pane


Search Tokens for AWS Assets

Syntax help is displayed in the UI for tokens. Click each token to learn more about it.

Use these tokens when searching your AWS EC2 assets in the tag creation wizard (Dynamic tag > Cloud Asset Search rule).

- Your results may return Terminated instances. It's recommended you include aws.ec2instanceState in your query to reduce the number of results.

- The syntax is different when writing queries for tag rules than when searching assets in the Assets list. Be sure to follow the syntax tips in the drop-down when writing your query.

Note:

- For all the date-related tokens, the date search is evaluated only for UTC format. The actual search results might show you the date as per your time zone.

- For the range searches, remember that the QQL search tokens are case-sensitive. Hence, make sure that you enter the correct token syntax. For more information, see Range Searches.

 

aws.ec2.accountIdaws.ec2.accountId

Use a text value ##### to find EC2 instances with a certain account ID.

Examples

Find EC2 instances that match this account ID

aws.ec2.accountId: 123456789012

Find EC2 instances with account ID starting "12345"

aws.ec2.accountId: 12345*

Find EC2 instances where account ID is null (remove the colon)

aws.ec2.accountId is null

aws.ec2.availabilityZoneaws.ec2.availabilityZone

Use a text value ##### to find EC2 instances by the availability zone in which the instance launched.

Example

Find EC2 instances in the us-east-1a availability zone

aws.ec2.availabilityZone: us-east-1a

aws.ec2.hasAgentaws.ec2.hasAgent

Use the values true | false to define whether the EC2 asset has a cloud agent.

Examples

Show findings with a cloud agent

aws.ec2.hasAgent: true

Show findings without a cloud agent

aws.ec2.hasAgent: false

aws.ec2.hostnameaws.ec2.hostname

Use a text value ##### to find the EC2 hostname you're looking for.

Examples

Find instances related to name

aws.ec2.hostname: abc.qualys.com

Find instances that match exact value

aws.ec2.hostname: `abc.qualys.com`

aws.ec2.imageIdaws.ec2.imageId

Use a text value ##### to find EC2 instances with a certain Image (AMI) ID.

Examples

Find instances related to the Image ID

aws.ec2.imageId: ami-2ea83347

Find instances that match exact value

aws.ec2.imageId: `ami-2ea83347`

aws.ec2.instanceIdaws.ec2.instanceId

Use a text value ##### to find EC2 instances by the instance ID.

Example

Find EC2 instances with this ID

aws.ec2.instanceId: i-1234567890abcdef0

aws.ec2.instanceStateaws.ec2.instanceState

Select the name of the instance state (PENDING, RUNNING, TERMINATED, STOPPED, STOPPING, SHUTTING-DOWN) you're interested in. Select from names in the drop-down menu.

Example

Find running EC2 instances

aws.ec2.instanceState: RUNNING

aws.ec2.instanceTypeaws.ec2.instanceType

Select the type of instance you're interested in. Select from names in the drop-down menu.

Example

Find EC2 instances with instance type t2.micro

aws.ec2.instanceType: t2.micro

aws.ec2.isQualysScanneraws.ec2.isQualysScanner

Use the values true | false to define whether the EC2 asset is a Qualys scanner.

Examples

Show findings where assets are scanners

aws.ec2.isQualysScanner: true

Show findings where assets are not scanners

aws.ec2.isQualysScanner: false

aws.ec2.kernelIdaws.ec2.kernelId

Use a text value ##### to find EC2 instances by kernel ID (AKI).

Example

Find EC2 instances with this kernel ID

aws.ec2.kernelId: aki-70ab0c10

aws.ec2.launchDateaws.ec2.launchDate

Use a date range or specific date to define when the EC2 instance launched. Enter dates in yyyy-mm-dd format.

Examples

Find EC2 instances launched within certain dates

aws.ec2.launchDate: [2017-06-15 ... 2017-06-30]

Find EC2 instances launched on specific date

aws.ec2.launchDate:'2017-08-15'

aws.ec2.privateDNSaws.ec2.privateDNS

Use a text value ##### to define a private DNS address you're interested in.

Example

Find the EC2 instance with this private DNS address

aws.ec2.privateDNS: ip-10-90-2-85.ec2.internal

aws.ec2.privateIpAddressaws.ec2.privateIpAddress

Use a text value ##### to define a private IPv4 address or range of IPs you're interested in.

Examples

Find EC2 instances with this private IP address

aws.ec2.privateIpAddress: 10.90.0.119

Find EC2 instances within this IP range

aws.ec2.privateIpAddress: [10.1.78.23 ... 10.100.78.235]

aws.ec2.publicDNSaws.ec2.publicDNS

Use a text value ##### to define a public DNS address you're interested in.

Example

Find the EC2 instance with this public DNS address

aws.ec2.publicDNS: ec2-52-70-141-154.compute-1.amazonaws.com

aws.ec2.publicIpAddressaws.ec2.publicIpAddress

Use a text value ##### to define a public IPv4 address or range of IPs you're interested in.

Examples

Find EC2 instances with this public IP address

aws.ec2.publicIpAddress: 52.70.141.154

Find EC2 instances within this IP range

aws.ec2.publicIpAddress: [52.70.141.154 ... 52.70.141.164]

aws.ec2.region.codeaws.ec2.region.code

Select the code of the region you're interested in. Select from codes in the drop-down menu.

Example

Find EC2 instances in the us-east-1 region

aws.ec2.region.code: us-east-1

aws.ec2.region.nameaws.ec2.region.name

Select the name of the region you're interested in. Select from names in the drop-down menu.

Example

Find EC2 instances in the US East (N. Virginia) region

aws.ec2.region.name: US East (N. Virginia)

aws.ec2.spotInstanceaws.ec2.spotInstance

Use the values true | false to define whether your EC2 instance is a Spot instance.

Examples

Show EC2 Spot instances

aws.ec2.spotInstance: "true"

Show EC2 instances that are not Spot instances

aws.ec2.spotInstance: "false"

aws.ec2.subnetIdaws.ec2.subnetId

Use a text value ##### to find EC2 instances by the ID of the subnet in which the interface resides.

Example

Find EC2 instances with this subnet ID

aws.ec2.subnetId: subnet-bc02c0d4

aws.ec2.vpcIdaws.ec2.vpcId

Use a text value ##### to find EC2 instances by the ID of the VPC in which the interface resides.

Example

Find EC2 instances with this VPC ID

aws.ec2.vpcId: vpc-1e37cd76

aws.tagsaws.tags

Use a text value ##### to find EC2 instances with a certain AWS tag key and value (both are case insensitive).

Example

Find EC2 instances with an AWS tag with key "abc" and value "xyz"

aws.tags: (key:abc and value:xyz)

aws.tags.keyaws.tags.key

Use a text value ##### to find EC2 instances with a certain AWS tag key/name (case insensitive).

Examples

Find EC2 instances with key "devops"

aws.tags.key: devops

Find EC2 instances with key starting "dev"

aws.tags.key: dev*

Find EC2 instances with key ending "ops"

aws.tags.key: *ops

aws.tags.valueaws.tags.value

Use a text value ##### to find EC2 instances with a certain AWS tag value (case insensitive).

Examples

Find EC2 instances with tag value "dailybuild"

aws.tags.value: dailybuild

Find EC2 instances with tag value starting "daily"

aws.tags.value: daily*

Find EC2 instances with tag value ending "build"

aws.tags.value: *build

 

Supported Boolean Operators

The Qualys Query Language (QQL) supports the following logical or Boolean query operators. Use these operators in your queries to narrow down or broaden your search.

andand

Narrow down your search by using the 'and' operator in your Boolean query. The result contains all the token values that you provide in your query.

Example

asset.status: Enrolled and asset.assetID: 122855563

The asset having the ID 122855563 and with status as Enrolled is returned in the result.

notnot

Narrow down your search by using the 'not' operator in your Boolean query. The result contains all the other values except the one that you specify after 'not' in your query.

Example

not tags.name: Windows

Assets with the Windows tag are excluded from search results.

oror

Broaden your search by using the 'or' operator in your Boolean query. The result contains any of the token values that you provide in your query.

Example

tags.name:Cloud Agent or tags.name:Windows

The assets that have the Cloud Agent tag or the Windows tag are returned in the result.