Search Tokens for Azure Assets
Syntax help displayed in UI for tokens. Click each token to learn more about it.
Use these tokens when searching Microsoft Azure assets in the tag creation wizard (Dynamic tag > Cloud Asset Search rule).
Note:
- For all the date-related tokens, the date search is evaluated only for UTC format. The actual search results might show you the date as per your time zone.
- For the range searches, remember that the QQL search tokens are case-sensitive. Hence, make sure that you enter the correct token syntax. For more information, see Range Searches.
azure.vm.imageOfferazure.vm.imageOffer
Use a text value ##### to define the image offer name (i.e. UbuntuServer or WindowsServer) for images deployed from the Azure image gallery.
Examples
Find Azure instances related to name
azure.vm.imageOffer: UbuntuServer
Find Azure instances that match exact value
azure.vm.imageOffer: `UbuntuServer`
azure.vm.imagePublisherazure.vm.imagePublisher
Use a text value ##### to define the name of the Azure virtual machine image publisher (i.e. Canonical or MicrosoftWindowsServer).
Examples
Find Azure instances related to name
azure.vm.imagePublisher: Canonical
Find Azure instances that match exact value
azure.vm.imagePublisher: `Canonical`
azure.vm.imageVersionazure.vm.imageVersion
Use a text value ##### to define the version of the Azure virtual machine image sku you're interested in.
Example
Find Azure instances with this sku version
azure.vm.imageVersion: 16.04.201708030
azure.vm.locationazure.vm.location
Use a text value ##### to define the region you're interested in.
Example
Find Azure instances in this location
azure.vm.location: westus
azure.vm.macAddressazure.vm.macAddress
Use a text value ##### to define the MAC address you're interested in.
Example
Find Azure instances with this MAC address
azure.vm.macAddress: '000D3A36DDED'
Use a text value ##### to find the Azure virtual machine name you're looking for.
Examples
Find Azure instances related to name
azure.vm.name: avset2
Find Azure instances that match exact value
azure.vm.name: `avset2`
azure.vm.platformazure.vm.platform
Use a text value ##### to define the operating system platform (Linux or Windows) of the Azure virtual machine.
Example
Find Azure instances on Windows platform
azure.vm.platform: Windows
azure.vm.privateIpAddressazure.vm.privateIpAddress
Use a text value ##### to define a private IPv4 address or range of IPs you're interested in.
Examples
Find Azure instances with this private IP
azure.vm.privateIpAddress: 10.1.2.5
Find Azure instances within this IP range
azure.vm.privateIpAddress: [10.1.2.5 ... 10.1.2.33]
azure.vm.publicIpAddressazure.vm.publicIpAddress
Use a text value ##### to define a public IPv4 address or range of IPs you're interested in.
Examples
Find Azure instances with this public IP
azure.vm.publicIpAddress: 13.126.125.189
Find Azure instances within this IP range
azure.vm.publicIpAddress: [13.126.125.180 ...
13.126.125.255]
azure.vm.resourceGroupNameazure.vm.resourceGroupName
Use a text value ##### to define the name of the resource group you're interested in.
Examples
Find Azure instances related to name
azure.vm.resourceGroupName: my-eastus-rg
Find Azure instances that match exact value
azure.vm.resourceGroupName: `my-eastus-rg`
Use a text value ##### to help you find Azure VM instances with a certain virtual machine size.
Example
Find Azure instances with this size
azure.vm.size: Standard_D1
Select the name of the instance state (DEALLOCATED, DEALLOCATING, DELETED, RUNNING, STARTING, STOPPED, STOPPING) you're interested in. Select from names in the drop-down menu.
Example
Find running Azure instances
azure.vm.state: RUNNING
azure.vm.subnetazure.vm.subnet
Use a text value ##### to define the Azure virtual machine subnet you're interested in.
Example
Find Azure instances with this subnet
azure.vm.subnet: 10.1.2.0
azure.vm.subscriptionIdazure.vm.subscriptionId
Use a text value ##### to define the subscription ID of the Azure virtual machine subscription.
Example
Find Azure instances with this subscription ID
azure.vm.subscriptionId: fbb9ea64-abda-452e-adfa-83442409
Use a text value ##### to define the Azure virtual machine ID you're looking for.
Example
Find Azure instances with this ID
azure.vm.vmId: 13f56399-bd52-4150-9748-7190aae1ff21
azure.vm.virtualNetworkazure.vm.virtualNetwork
Use a text value ##### to define the operating system platform (Linux or Windows) of the Azure virtual machine.
Examples
Find Azure instances related to virtual network
azure.vm.virtualNetwork: cli-vnet
Find Azure instances that match exact value of virtual network
azure.vm.virtualNetwork: `cli-vnet`
azure.vm.hasAgentazure.vm.hasAgent
Use the values true | false to define whether the Azure virtual machine you're looking for has a cloud agent installed on it.
Example
Find Azure instances with agents
azure.vm.hasAgent: "true"
Supported Boolean Operators
The Qualys Query Language (QQL) supports the following logical or Boolean query operators. Use these operators in your queries to narrow down or broaden your search.
Narrow down your search by using the 'and' operator in your Boolean query. The result contains all the token values that you provide in your query.
Example
asset.status: Enrolled and asset.assetID: 122855563
The asset having the ID 122855563 and with status as Enrolled is returned in the result.
Narrow down your search by using the 'not' operator in your Boolean query. The result contains all the other values except the one that you specify after 'not' in your query.
Example
not tags.name: Windows
Assets with the Windows tag are excluded from search results.
Broaden your search by using the 'or' operator in your Boolean query. The result contains any of the token values that you provide in your query.
Example
tags.name:Cloud Agent or tags.name:Windows
The assets that have the Cloud Agent tag or the Windows tag are returned in the result.