Search Tokens for Rules
Syntax help displayed in UI for tokens. Click each token to learn more about it.
Alerting use cases support a limited set of search tokens, since alerts flag incidents that deviate from normal or exceed a defined threshold. Only tokens that help with asset scoping or are directly related to alert evaluation are supported for alerting rule creation.
Note:
- For all date-related tokens, the date search is evaluated in UTC only. The actual search results might show you the date as per your time zone.
- For the range searches, remember that the QQL search tokens are case-sensitive. Hence, make sure that you enter the correct token syntax. For more information, see Range Searches.
asset.createdDate
Use a date range or specific date to define when assets were created.
Examples
Show assets created within certain dates
asset.createdDate:[2019-01-01 ... 2019-01-15]
Show assets created starting 2019-01-15, ending 1 month ago
asset.createdDate:[2019-01-15 ... now-1M]
Show assets created starting 2 weeks ago, ending 1 second ago
asset.createdDate:[now-2w ... now-1s]
Show assets created on a specific date
asset.createdDate:'2019-03-18'
asset.lastLoggedOnUser
Use a text value to help you find assets last logged into by a user of interest.
Examples
Show assets with last logon by user asmith
asset.lastLoggedOnUser:asmith
asset.lastUpdatedDate
Use a date range or specific date to define when assets were last updated.
Examples
Show assets last updated within certain dates
asset.lastUpdatedDate:[2019-01-01 ... 2019-01-15]
Show assets last updated starting 2019-01-15, ending 1 month ago
asset.lastUpdatedDate:[2019-01-15 ... now-1M]
Show assets last updated starting 2 weeks ago, ending 1 second ago
asset.lastUpdatedDate:[now-2w ... now-1s]
Show assets last updated on a specific date
asset.lastUpdatedDate:'2019-03-18'
asset.lastLocation.country
Use a text value to help you find assets based on country of the last location.
Example
Show assets with last location country as United States
asset.lastLocation.country: United States
sensor.lastVmScanDate
Use a date range or specific date to define when the last VM scan was performed.
Examples
Show last VM scan within certain dates
sensor.lastVmScanDate:[2019-01-01 ... 2019-01-15]
Show last VM scan starting 2019-01-15, ending 1 month ago
sensor.lastVmScanDate:[2019-01-15 ... now-1M]
Show last VM scan starting 2 weeks ago, ending 1 second ago
sensor.lastVmScanDate:[now-2w ... now-1s]
Show last VM scan on a specific date
sensor.lastVmScanDate:'2019-03-18'
Use values within quotes or backticks to help you find the asset name you're looking for.
Examples
Show any findings that match the beginning of any substrings within the asset name
asset.name:"ACMENVT7"
Show any findings that match exact value "ACMENVT7"
asset.name:`ACMENVT7`
asset.domainRole
Use values within quotes or backticks to help you find the assets with a certain domain role (Standalone Workstation, Member Workstation, Standalone Server, Member Server, Backup Domain Controller, and Primary Domain Controller). Select from values in the drop-down menu.
Examples
Show any findings that contain parts of name
asset.domainRole:"Member Ser"
Show any findings that match exact value "Member Server"
asset.domainRole:`Member Server`
asset.netbiosName
Use a text value to define the asset NetBIOS name you're interested in.
Examples
Show the asset with this name
asset.netbiosName:ACMENVT7
asset.trackingMethod
Find assets with a certain tracking method (QAGENT, IP, DNSNAME, NETBIOS, INSTANCE_ID, OCA, VIRTUAL_MACHINE_ID, SEM, and GCP_INSTANCE_ID). Select from values in the drop-down menu.
Example
Find assets with this tracking method
asset.trackingMethod: QAGENT
asset.lastLocation.name
Use a text value to help you find assets based on last location.
Example
Show assets with last location as Redwood City, California - United States
asset.lastLocation.name: 'Redwood City, California - United States'
Example
Show assets with last location with exact string
asset.lastLocation.name: `Redwood City, California - United States`
asset.criticalityScore
Use values within quotes or backticks to help you find the assets you're looking for based on the asset criticality score. The supported values are 1 to 5.
Examples
Show assets based on the asset criticality score 1
asset.criticalityScore:`1`
Use a numerical value to search for assets by severity, based on the calculated risk score between 0 and 1000.
Examples
Show all the assets with a risk score 900
asset.truRisk:900
Show all the assets with risk score between the range 800 to 1000
asset.truRisk:[800 ... 1000]
Show all the assets with a risk score greater than 500
asset.truRisk >500
Show all the assets with a risk score less than or equal to 800
asset.truRisk <=800
Use an integer value to help you find systems with a Qualys asset ID of interest.
Example
Show findings with this asset ID
asset.id:122855563
asset.operationalStatus
Use a text value to help you find assets based on operational status.
Example
Show assets with operational status as Repair
asset.operationalStatus: Repair
asset.environment
Use a text value to help you find assets based on environment.
Example
Show assets with environment as Production
asset.environment: Production
Use values within quotes or backticks to help you find assets owned by.
Examples
Show any findings that contain parts of name
asset.ownedBy:"Joey"
Show any findings that match exact value "Joey Bolick"
asset.ownedBy:`Joey Bolick`
asset.managedBy
Use values within quotes or backticks to help you find assets managed by.
Examples
Show any findings that contain parts of name
asset.managedBy:"Byron"
Show any findings that match exact value "Byron Fortuna"
asset.managedBy:`Byron Fortuna`
asset.supportedBy
Use values within quotes or backticks to help you find assets supported by.
Examples
Show any findings that contain parts of name
asset.supportedBy:"John"
Show any findings that match exact value "John Doe"
asset.supportedBy:`John Doe`
asset.supportGroup
Use values within quotes or backticks to help you find assets with support group.
Examples
Show any findings that contain parts of name
asset.supportGroup:"Compliance"
Show any findings that match exact value "Compliance Managers"
asset.supportGroup:`Compliance Managers`
Use a text value to help you find assets with company.
Example
Show assets with company as Qualys
org:(company: Qualys)
asset.assignedLocation.city
Use a text value to help you find assets with city of the assigned location.
Example
Show assets with assigned location city as Miami
asset.assignedLocation.city: Miami
asset.assignedLocation.country
Use a text value to help you find assets with country of the assigned location.
Example
Show assets with assigned location country as USA
asset.assignedLocation.country: USA
asset.lastLocation.state
Use a text value to help you find assets based on state of the last location.
Example
Show assets with last location state as California
asset.lastLocation.state: California
asset.hasMissingSoftware
Use the values true | false to define whether an asset has missing software.
Example
Show asset that has a missing software
asset.hasMissingSoftware: "true"
Use values within quotes or backticks to help you find the hardware name you're looking for.
Examples
Show any findings that contain parts of name
hardware.name:"Dell Latitude e7470"
Show any findings that match exact value
hardware.name:`Dell Latitude e7470`
hardware.category
Use values within quotes or backticks to help you find the hardware category you're looking for.
Examples
Show any findings that match exact value
hardware.category:Printers/Laser
hardware.category1
Use a text value to find assets with hardware category 1 value.
Example
If you are searching for assets that are laser printers, then category1 is Printers and category2 is Laser.
Show any findings that match exact value
hardware.category1:Printers
hardware.category2
Use a text value to find assets with hardware category 2 value.
Example
If you are searching for assets that are laser printers, then category1 is Printers and category2 is Laser.
Show any findings that match exact value
hardware.category2:Laser
hardware.lifecycle.eos
Use a date range or specific date to define a hardware End-of-Sale date of interest.
Examples
Show findings with hardware End-of-Sale date in this date range
hardware.lifecycle.eos:[2019-01-01 ... 2019-01-15]
Show findings with hardware End-of-Sale date starting 2019-01-15, ending 1 month ago
hardware.lifecycle.eos:[2019-01-15 ... now-1M]
Show findings with hardware End-of-Sale date starting 2 weeks ago, ending 1 second ago
hardware.lifecycle.eos:[now-2w ... now-1s]
Show findings with this hardware End-of-Sale date
hardware.lifecycle.eos:'2019-03-18'
hardware.lifecycle.obs
Use a date range or specific date to define a hardware obsolete date of interest.
Examples
Show findings with hardware obsolete date in this date range
hardware.lifecycle.obs:[2019-01-01 ... 2019-01-15]
Show findings with hardware obsolete date starting 2019-01-15, ending 1 month ago
hardware.lifecycle.obs:[2019-01-15 ... now-1M]
Show findings with hardware obsolete date starting 2 weeks ago, ending 1 second ago
hardware.lifecycle.obs:[now-2w ... now-1s]
Show findings with this hardware obsolete date
hardware.lifecycle.obs:'2019-03-18'
hardware.lifecycle.stage
Use a text value in quotes to define the hardware lifecycle stage (INTRO, GA, EOS, OBS).
Example
Show End-of-Sale hardware
hardware.lifecycle.stage:"EOS"
hardware.manufacturer
Use values within quotes or backticks to find assets having a certain hardware manufacturer.
Example
Show any findings that match exact value "Dell"
hardware.manufacturer:`Dell`
Use values within quotes or backticks to find assets having a certain hardware model.
Example
Show any findings that match exact value "e7470"
hardware.model:`e7470`
hardware.product
Use values within quotes or backticks to find assets having a certain hardware product.
Example
Show any findings that match exact value "Latitude"
hardware.product:`Latitude`
asset.interface.address
Use values to define an IP address you're interested in.
Examples
Show the exact match of the IP address
asset.interface.address:`10.10.100.20`
Show any findings that contain parts of the IP address
asset.interface.address:"10.10.100.2"
asset.interface.address: 10.10.100.2
asset.interface.hostname
Use values within quotes or backticks to help you find the hostname you're looking for.
Examples
Show any findings related to name
asset.interface.hostname: xpsp2-jp-26-111
Show any findings that contain parts of name
asset.interface.hostname: "xpsp2-jp-26-111"
Show any findings that match exact value "xpsp2-jp-26-111"
asset.interface.hostname: `xpsp2-jp-26-111`
Show any findings related to name (we'll match super domains)
asset.interface.hostname: qcentos71sqp3.rdlab.acme.com
Show any findings that match exact value "qcentos71sqp3.rdlab.acme.com"
asset.interface.hostname: `qcentos71sqp3.rdlab.acme.com`
Show findings according to values entered in the square brackets.
Note: You can add multiple values in []. However, it's important to understand that partial values are not supported. You must enter the exact match value.
Example with correct syntax - asset.interface.hostname: [win7-181, bridge.vuln.qa.qualys.com]
Example with incorrect syntax - asset.interface.hostname: [win7, bridge.vuln.qa]
asset.interface:(gatewayAddress
Use a text value to help you find assets with a certain default gateway address.
Example
Show assets with this default gateway address
asset.interface:(gatewayAddress:10.11.65.1)
asset.inventory:(createdDate
Use a date range or specific date to define when assets were created (i.e. when first scanned by a scanner appliance, or when agent was installed).
Examples
Show assets created within certain dates
asset.inventory:(createdDate:[2019-01-01 ... 2019-01-15])
Show assets created starting 2019-01-15, ending 1 month ago
asset.inventory:(createdDate:[2019-01-15 ... now-1M])
Show assets created starting 2 weeks ago, ending 1 second ago
asset.inventory:(createdDate:[now-2w ... now-1s])
Show assets created on specific date
asset.inventory:(createdDate:'2019-03-18')
asset.inventory:(lastUpdatedDate
Use a date range or specific date to define when assets were updated (i.e. when re-scanned by a scanner appliance, or when host data uploaded to the Qualys Enterprise TruRisk™ Platform by an agent).
Examples
Show assets updated within certain dates
asset.inventory:(lastUpdatedDate: [2019-01-01 ... 2019-01-15])
Show assets updated starting 2019-01-15, ending 3 months ago
asset.inventory:(lastUpdatedDate: [2019-01-15 ... now-3M])
Show assets updated starting 2 weeks ago, ending 1 second ago
asset.inventory:(lastUpdatedDate: [now-2w ... now-1s])
Show assets updated on a specific date
asset.inventory:(lastUpdatedDate:'2019-03-18')
asset.inventory:(source
Use a text value to help you find assets from a certain Qualys source (QAGENT, IP, DNSNAME, NETBIOS, INSTANCE_ID, OCA, VIRTUAL_MACHINE_ID, SEM, and GCP_INSTANCE_ID). Select from values in the drop-down menu.
Example
Show findings from cloud agents
asset.inventory:(source:QAGENT)
openPorts:(firstFoundDate
Use a date range or specific date to define when open ports were first found.
Examples
Show open ports found within certain dates
openPorts:(firstFoundDate: [2019-01-01 ... 2019-01-15])
Show open ports found starting 2019-01-15, ending 3 months ago
openPorts:(firstFoundDate: [2019-01-15 ... now-3M])
Show open ports found starting 2 weeks ago, ending 1 second ago
openPorts:(firstFoundDate: [now-2w ... now-1s])
Show open ports found on a specific date
openPorts:(firstFoundDate:'2019-03-18')
openPorts:(lastUpdatedDate
Use a date range or specific date to define when open ports were last updated.
Examples
Show open ports last updated within certain dates
openPorts:(lastUpdatedDate:[2019-01-01 ... 2019-01-15])
Show open ports last updated starting 2019-01-15, ending 1 month ago
openPorts:(lastUpdatedDate:[2019-01-15 ... now-1M])
Show open ports last updated starting 2 weeks ago, ending 1 second ago
openPorts:(lastUpdatedDate:[now-2w ... now-1s])
Show open ports last updated on a specific date
openPorts:(lastUpdatedDate:'2019-03-18')
openPorts:(port
Use an integer value to help you find assets with some open port.
Example
Show assets with open port 80
openPorts:(port:80)
Use values within quotes or backticks to help you find the asset tag you're looking for.
Examples
Show any findings that contain "network" and "blue" in name
asset.tag.name: "network blue"
Show any findings that contain "network" or "blue" in name (another method)
asset.tag.name: "network" OR asset.tag.name: "blue"
Show any findings that match exact value "Cloud Agent"
asset.tag.name: `Cloud Agent`
Use an integer value to help you find assets with a certain free volume space (GB).
Examples
Show findings with free volume space greater than 90 GB
volume:(free>90)
Show findings with free volume space greater than or equal to 90 GB
volume:(free>=90)
Show findings with free volume space less than 30 GB
volume:(free<30)
Show findings with free volume space less than or equal to 30 GB
volume:(free<=30)
Use this token to find assets synced from a certain cloud provider (AWS, AZURE, GCP).
Examples
Show assets synced from Amazon AWS
cloud.provider: "AWS"
aws.ec2.availabilityZone
Use a text value to find EC2 instances by the availability zone in which the instance launched.
Example
Find EC2 instances in the us-east-1a availability zone
aws.ec2.availabilityZone: us-east-1a
aws.ec2.imageId
Use a text value to find EC2 instances with a certain Image (AMI) ID.
Examples
Find instances related to the Image ID
aws.ec2.imageId: ami-2ea83347
Find instances that match exact value
aws.ec2.imageId: `ami-2ea83347`
aws.ec2.instanceState
Select the name of the instance state (PENDING, RUNNING, TERMINATED, STOPPED, STOPPING, SHUTTING-DOWN) you're interested in. Select from names in the drop-down menu.
Example
Find running EC2 instances
aws.ec2.instanceState: RUNNING
aws.ec2.instanceId
Use a text value to find EC2 instances by the instance ID.
Example
Find EC2 instances with this ID
aws.ec2.instanceId: i-1234567890abcdef0
aws.ec2.accountId
Use a text value to find EC2 instances with a certain account ID.
Examples
Find EC2 instances that match this account ID
aws.ec2.accountId: 123456789012
Find EC2 instances with account ID starting "12345"
aws.ec2.accountId: 12345*
Find EC2 instances where account ID is null (remove the colon)
aws.ec2.accountId is null
aws.ec2.instanceType
Select the type of instance you're interested in. Select from names in the drop-down menu.
Example
Find EC2 instances with instance type t2.micro
aws.ec2.instanceType: t2.micro
aws.ec2.launchDate
Use a date range or specific date to define when the EC2 instance launched. Enter dates in yyyy-mm-dd format.
Examples
Find EC2 instances launched within certain dates
aws.ec2.launchDate: [2017-06-15 ... 2017-06-30]
Find EC2 instances launched on specific date
aws.ec2.launchDate:'2017-08-15'
aws.ec2.privateIpAddress
Use a text value to define a private IPv4 address or range of IPs you're interested in.
Examples
Find EC2 instances with this private IP address
aws.ec2.privateIpAddress: 10.90.0.119
Find EC2 instances within this IP range
aws.ec2.privateIpAddress: [10.1.78.23 ... 10.100.78.235]
aws.ec2.publicIpAddress
Use a text value to define a public IPv4 address or range of IPs you're interested in.
Examples
Find EC2 instances with this public IP address
aws.ec2.publicIpAddress: 52.70.141.154
Find EC2 instances within this IP range
aws.ec2.publicIpAddress: [52.70.141.154 ... 52.70.141.164]
aws.ec2.region.code
Select the code of the region you're interested in. Select from codes in the drop-down menu.
Example
Find EC2 instances in the us-east-1 region
aws.ec2.region.code: us-east-1
aws.ec2.subnetId
Use a text value to find EC2 instances by the ID of the subnet in which the interface resides.
Example
Find EC2 instances with this subnet ID
aws.ec2.subnetId: subnet-bc02c0d4
Use a text value to find EC2 instances by the ID of the VPC in which the interface resides.
Example
Find EC2 instances with this VPC ID
aws.ec2.vpcId: vpc-1e37cd76
aws.ec2.privateDns
Use a text value to define a private DNS address you're interested in.
Example
Find the EC2 instance with this private DNS address
aws.ec2.privateDns: ip-10-90-2-85.ec2.internal
azure.vm.location
Use a text value to define the region you're interested in.
Example
Find Azure instances in this location
azure.vm.location: westus
Use a text value to find the Azure virtual machine name you're looking for.
Examples
Find Azure instances related to name
azure.vm.name: avset2
Find Azure instances that match exact value
azure.vm.name: `avset2`
azure.vm.privateIpAddress
Use a text value to define a private IPv4 address or range of IPs you're interested in.
Examples
Find Azure instances with this private IP
azure.vm.privateIpAddress: 10.1.2.5
Find Azure instances within this IP range
azure.vm.privateIpAddress: [10.1.2.5 ... 10.1.2.33]
azure.vm.publicIpAddress
Use a text value to define a public IPv4 address or range of IPs you're interested in.
Examples
Find Azure instances with this public IP
azure.vm.publicIpAddress: 13.126.125.189
Find Azure instances within this IP range
azure.vm.publicIpAddress: [13.126.125.180 ... 13.126.125.255]
azure.vm.resourceGroupName
Use a text value to define the name of the resource group you're interested in.
Examples
Find Azure instances related to name
azure.vm.resourceGroupName: my-eastus-rg
Find Azure instances that match exact value
azure.vm.resourceGroupName: `my-eastus-rg`
Use a text value to help you find Azure VM instances with a certain virtual machine size.
Example
Find Azure instances with this size
azure.vm.size: Standard_D1
Select the name of the instance state (DEALLOCATED, DEALLOCATING, DELETED, RUNNING, STARTING, STOPPED, STOPPING) you're interested in. Select from names in the drop-down menu.
Example
Find running Azure instances
azure.vm.state: RUNNING
azure.vm.subnet
Use a text value to define the Azure virtual machine subnet you're interested in.
Example
Find Azure instances with this subnet
azure.vm.subnet: 10.1.2.0
azure.vm.subscriptionId
Use a text value to define the subscription ID of the Azure virtual machine subscription.
Example
Find Azure instances with this subscription ID
azure.vm.subscriptionId: fbb9ea64-abda-452e-adfa-83442409
Use a text value to define the Azure virtual machine ID you're looking for.
Example
Find Azure instances with this ID
azure.vm.vmId: 13f56399-bd52-4150-9748-7190aae1ff21
gcp.compute.hostname
Use a text value to define the hostname you're looking for.
Examples
Find GCP instances related to name
gcp.compute.hostname: instance-5.c.qvsa-dev.internal
Find GCP instances that match exact value
gcp.compute.hostname: `instance-5.c.qvsa-dev.internal`
gcp.compute.machineType
Use a text value to define the machine type of the virtual machine instance you're interested in.
Examples
Find GCP instances related to name
gcp.compute.machineType: n1-standard-1
Find GCP instances that match exact value
gcp.compute.machineType: `n1-standard-1`
gcp.compute.network
Use a text value to find GCP instances by the VPC network the instance belongs to.
Example
Find GCP instances with this network
gcp.compute.network: 000D3A36DDED
gcp.compute.privateIpAddress
Use a text value to define a private IPv4 address or range of IPs you're interested in.
Examples
Find GCP instances with this private IP
gcp.compute.privateIpAddress: 10.240.0.7
Find GCP instances with this private IP range
gcp.compute.privateIpAddress: [10.240.0.7 ... 10.240.0.30]
gcp.compute.projectId
Use a text value to define the project ID assigned to the GCP Console project the instance belongs to.
Examples
Find GCP instances related to ID
gcp.compute.projectId: qvsa-dev
Find GCP instances that match exact value
gcp.compute.projectId: `qvsa-dev`
gcp.compute.projectNumber
Use an integer value to define the project number assigned to the GCP Console project the instance belongs to.
Examples
Find GCP instances related to this number
gcp.compute.projectNumber: 1035365309337
Find GCP instances that match exact value
gcp.compute.projectNumber: `1035365309337`
gcp.compute.publicIpAddress
Use a text value to define a public IPv4 address or range of IPs you're interested in.
Examples
Find GCP instances with this public IP
gcp.compute.publicIpAddress: 104.196.57.216
Find GCP instances within this IP range
gcp.compute.publicIpAddress: [104.196.57.216 ... 104.196.57.218]
gcp.compute.state
Select the name of the instance state (PENDING, RUNNING, STOPPED, TERMINATED, STOPPING, SHUTTING_DOWN, DEALLOCATED) you're interested in. Select from names in the drop-down menu.
Example
Find running GCP instances
gcp.compute.state: RUNNING
gcp.compute.zone
Use a text value to define the zone of the GCP instance you're looking for.
Examples
Find GCP instances related to name
gcp.compute.zone: us-east1-d
Find GCP instances that match exact value
gcp.compute.zone: `us-east1-d`
gcp.compute.instanceId
Use a text value to define the Google Compute instance ID you're looking for.
Example
Find GCP instances with this ID
gcp.compute.instanceId: 4392196237934605253
gcp.labels:(name
Use a text value to find VM instances with a certain GCP labels name (case insensitive).
Examples
Find VM instances with key "department"
gcp.labels:(name: department)
Find VM instances that match exact key value "department"
gcp.labels:(name: 'department')
Find VM instances with key starting "dep"
gcp.labels:(name: dep*)
gcp.labels:(value
Use a text value to find VM instances with a certain GCP labels value (case insensitive).
Examples
Find VM instances with tag value "product-management"
gcp.labels:(value: product-management)
Find VM instances that match exact key value "product-management"
gcp.labels:(value: 'product-management')
Find VM instances with tag value starting "product"
gcp.labels:(value: product*)
oci.compute.availabilityDomain
Use a text value to search all assets with the specified available domain.
Example
Show all assets with the available domain Lhkx:US-ASHBURN-AD-1
oci.compute.availabilityDomain:"Lhkx:US-ASHBURN-AD-1"
oci.compute.compartmentId
Use a text value to search all assets with the specified OCI compartment ID.
Example
Show assets with this OCI compartment ID
oci.compute.compartmentId:"ocid1.compartment.oc1..123452sjze35z6bkhvwjtzzgcp534zj4o75tgsizg3q36wl447jvfg6dq"
oci.compute.compartmentName
Use a text value to search all assets with the specified OCI compartment name.
Example
Show assets with this OCI compartment name
oci.compute.compartmentName:"ocid1.compartment.abc"
oci.compute.faultDomain
Use a text value to search all assets with the specified fault domain.
Example
Show all assets with fault domain FAULT-DOMAIN-1
oci.compute.faultDomain:"FAULT-DOMAIN-1"
oci.compute.imageId
Use a text value to search all assets with the specified image ID.
Example
Show all assets with the ocid1.image.oc1.iad.aaaaaaaaffp3cnkpfxibzrdkfnxbitkgxk7al33rrhpzhfnrhfv7ml2xdpyq image ID
oci.compute.imageId:"ocid1.image.oc1.iad.aaaaaaaaffp3cnkpfxibzrdkfnxbitkgxk7al33rrhpzhfnrhfv7ml2xdpyq"
oci.compute.ociId
Use a text value to search all assets with the specified OCI ID.
Example
Show assets with this OCI ID
oci.compute.ociId:"ocid1.compartment.oc1..1234567lbhcx2ajiagh57wrurvqs2ubd4ttaimgy22cxh3r6brpmmugq"
oci.compute.region
Use a text value to search all assets in the specified region.
Example
Show all assets with the region us-east-1
oci.compute.region:"us-east-1"
oci.compute.shape
Use a text value to search all assets with the specified shape.
Example
Show all assets with the shape x5-2.36.512
oci.compute.shape:"x5-2.36.512"
oci.compute.state
Use a text value to search all assets with specific compute state.
Example
Show all assets with the compute state Starting
oci.compute.state:STARTING
oci.compute.tenantId
Use a text value to search all assets with specific tenant ID.
Example
Show all assets with the specific tenant ID
oci.compute.tenantId:"ocid1.tenancy.oc1..aaaaaaaax2gwhq3hszjqhte5pgzijgyge6gvlsrqar6kxn7itwhk7keokamq"
oci.compute.tenantName
Use a text value to search all assets with specific tenant name.
Example
Show all assets with the specific tenant name
oci.compute.tenantName:"oraclecengg1"
oci.compute.timeCreated
Use a text value to search all assets created at the specified time.
Example
Show findings with last check in within a specific date range.
oci.compute.timeCreated:[2020-01-01 ... 2020-01-10]
Show findings with last check in starting 2019-11-01, ending 1 month ago.
oci.compute.timeCreated:[2019-11-01 ... now-1M]
Show findings with last check in starting 2 weeks ago, ending 1 second ago.
Use a text value to search all assets with the specified tag key.
Example
Show all assets with the tag key CreatedBy
oci.tag:(key:CreatedBy)
oci.tag:(namespace
Use a text value to search all assets with the specified namespace.
Example
Show all assets with the namespace Oracle-Tags
oci.tag:(namespace:"Oracle-Tags")
Use a text value to search all assets with specific tag type.
Example
Show all assets with the specific tag type
oci.tag:(type:DEFINED)
Use a text value to search all assets with the specified tag value.
Example
Show all assets with the tag value 2021-02-09
oci.tag:(value:"2021-02-09")
oci.vnic.macAddr
Use a text value to search all assets with the specified MAC address.
Example
Show all assets with the MAC address 02:00:17:06:bd:b3
oci.vnic(macAddr:"02:00:17:06:bd:b3")
oci.vnic.nicIndex
Use a text value to search all assets with the specified index.
Example
Show all assets with the index 1
oci.vnic(nicIndex:1)
oci.vnic.privateIp
Use a text value to search all assets with the specified private IP.
Example
Show all assets with this private IP
oci.vnic(privateIp:10.0.0.222)
oci.vnic.publicIp
Use a text value to search all assets with the specified public IP.
Example
Show all assets with this public IP
oci.vnic(publicIp:10.0.0.222)
oci.vnic.subnetCidrBlock
Use a text value to search all assets with the specified block.
Example
Show all assets with the block 10.0.0.0/24
oci.vnic(subnetCidrBlock:10.0.0.0/24)
oci.vnic.subnetId
Use a text value to find OCI instances by the ID of the subnet in which the interface resides.
Example
Find OCI instances with this subnet ID
oci.vnic(subnetId: "subnet-bc02c0d4")
oci.vnic.subnetName
Use a text value to find OCI instances by the name of the subnet in which the interface resides.
Example
Find OCI instances with this subnet name
oci.vnic(subnetName: "subnet-abc")
Use a text value to search all assets with the specified VCN ID.
Example
Show all assets with this VCN ID
oci.vnic(vcnId:"ocid1.vnic.oc1.iad.abuwcljt6cdjcuwhkce37madk4p6bd6ocjknilpwzai5rsyjejteiodyp22q")
oci.vnic.vcnName
Use a text value to search all assets with the specified vcn name.
Example
Show all assets with this vcn name
oci.vnic(vcnName:"abc")
oci.vnic.virtualRouterIp
Use a text value to search all assets with the specified router IP.
Example
Show all assets with the router IP 10.0.0.1
oci.vnic(virtualRouterIp:10.0.0.1)
oci.vnic.vlanTag
Use a text value to search all assets with the specified vlan tag.
Example
Show all assets with the vlan tag 1
oci.vnic(vlanTag:1)
Use a text value to find IBM instances with a certain tag name (case insensitive).
Examples
Find IBM instances with name "devops"
ibm.tag:(name: devops)
Find IBM instances with name starting "dev"
ibm.tag:(name: dev*)
Find IBM instances with name ending "ops"
ibm.tag:(name: *ops)
Use a text value to find IBM instances with a certain tag value (case insensitive).
Examples
Find IBM instances with tag value "dailybuild"
ibm.tag:(value: dailybuild)
Find IBM instances with tag value starting "daily"
ibm.tag:(value: daily*)
Find IBM instances with tag value ending "build"
ibm.tag:(value: *build)
ibm.virtualServer.datacenterId
Use a text value ##### to find IBM instances with the specified datacenter ID.
Example
Find IBM instances with this datacenter ID
ibm.virtualServer.datacenterId: 1854895
ibm.virtualServer.deviceName
Use a text value ##### to find IBM instances with virtual server device name.
Examples
Find IBM instances related to name
ibm.virtualServer.deviceName: "virtualserver01.Qualys-Inc.cloud"
Find IBM instances that match exact value
ibm.virtualServer.deviceName: `virtualserver01.Qualys-Inc.cloud`
ibm.virtualServer.domain
Use a text value ##### to search all assets with the specified virtual server domain.
Example
Show all assets with virtual server domain Qualys-Inc.cloud
ibm.virtualServer.domain:"Qualys-Inc.cloud"
ibm.virtualServer.id
Use a text value ##### to search all assets with the specified virtual server ID.
Example
Show all assets with the 8998892 virtual server ID
ibm.virtualServer.id:8998892
ibm.virtualServer.location
Use a text value ##### to define the region you're interested in.
Example
Find IBM instances in this location
ibm.virtualServer.location: westus
ibm.virtualServer.privateIpAddress
Use a text value ##### to define a private IPv4 address or range of IPs you're interested in.
Examples
Find IBM instances with this private IP
ibm.virtualServer.privateIpAddress: 10.240.0.7
Find IBM instances with this private IP range
ibm.virtualServer.privateIpAddress: [10.240.0.7 ... 10.240.0.30]
ibm.virtualServer.publicIpAddress
Use a text value ##### to define a public IPv4 address or range of IPs you're interested in.
Examples
Find IBM instances with this public IP
ibm.virtualServer.publicIpAddress: 10.240.0.7
Find IBM instances with this public IP range
ibm.virtualServer.publicIpAddress: [10.240.0.7 ... 10.240.0.30]
ibm.virtualServer.state
Use a text value ##### to search all assets with specific virtual server state.
Example
Show all assets with the virtual server state Starting
ibm.virtualServer.state:STARTING
Use values within quotes or backticks to help you find the assets with the organization name you're looking for.
Examples
Show assets details that match the exact value of the organization name
org:(name: `Qualys, Inc.`)
Show assets details that contain parts of the organization name
org:(name: "Qualys,")
Use values within quotes or backticks to help you find the assets with the Internet Service Provider (ISP) name you're looking for.
Examples
Show assets that match the exact ISP name
asset.isp: `amazon.com, Inc.`
Show assets that contain parts of the ISP name
asset.isp: "amazon.com,"
Use values within quotes or backticks to help you find the assets with the ASN value you're looking for.
Examples
Show assets that match the exact value of ASN
asset.asn: `AS8075`
Show assets that contain parts of the ASN
asset.asn: "AS807"
Use values within quotes or backticks to help you find the assets with their domain.
Examples
Show assets that match the exact value of the domain
asset.domain: `qualys.com`
Show assets that contain parts of the domain
asset.domain: "qualys."
asset.subDomain
Use values within quotes or backticks to help you find assets using their subdomains.
Examples
Show assets that match the exact value of the subdomains
asset.subDomain: `doc.qualys.com`
Show assets that contain the parts of the subdomains
asset.subDomain: "doc.qualys."
whoIs:(createdDate
Use a date range or specific date to find all the assets with the whoIs creation date.
Examples
Show assets with whoIs creation date within certain dates
whoIs:(createdDate: [2019-01-01 ... 2019-01-15])
Show assets with whoIs creation date starting 2019-01-15, ending 1 month ago
whoIs:(createdDate: [2019-01-15 ... now-1M])
Show assets with whoIs creation date starting 2 weeks ago, ending 1 second ago
whoIs:(createdDate: [now-2w ... now-1s])
Show assets with whoIs creation date on a specific date
whoIs:(createdDate: `2022-06-04`)
whoIs:(registrantOrg
Use values within quotes or backticks to find all the assets using the registrant organization of domain or subdomain.
Examples
Show all the assets for which the exact registrant organization of domain/subdomain matches
whoIs:(registrantOrg: `Qualys, Inc`)
Show all the assets for which the part of the registrant organization of domain/subdomain matches
whoIs:(registrantOrg: "Qualys,")
whoIs:(registrantEmailId
Use values within quotes or backticks to find all the assets using the registrant email id of domain or subdomain.
Examples
Show all the assets for which the exact registrant email id of the domain or subdomain matches
whoIs:(registrantEmailId: `[email protected]`)
Show all the assets for which the part of the registrant email id of the domain or subdomain matches
whoIs:(registrantEmailId: "[email protected]")
whoIs:(registrar
Use values within quotes or backticks to find all the assets using the registrar.
Examples
Show all the assets for which the exact registrar matches
whoIs:(registrar: `abc net`)
Show all assets for which the part of the registrar matches
whoIs:(registrar: "abc net")
businessApp:(name
Use values within quotes or backticks to help you find the business application name you're looking for.
Examples
Show any findings that contain parts of name
businessApp:(name:"HR")
Show any findings that match exact value "HR Intranet"
businessApp:(name:`HR Intranet`)
businessApp:(id
Use a text value ##### to help you find business application using unique ID.
Example
Show findings with business app ID as APP007
businessApp:(id:APP007)
businessApp:(operationalStatus
Use a text value ##### to help you find business applications based on operational status.
Example
Show business applications with operational status as Installed
businessApp:(operationalStatus: Installed)
businessApp:(businessCriticality
Use values within quotes or backticks to help you find the business application you're looking for.
Examples
Show any findings that contain parts of name
businessApp:(businessCriticality:"1 - most")
Show any findings that match exact value "1 - most critical"
businessApp:(businessCriticality:`1 - most critical`)
businessApp:(environment
Use a text value ##### to help you find business application based on environment.
Example
Show assets with business application environment as Production
businessApp:(environment: Production)
businessApp:(ownedBy.username
Use values within quotes or backticks to help you find business applications by who owns them.
Examples
Show any findings that contain parts of name
businessApp:(ownedBy.username:"Joey")
Show any findings that match exact value "Joey Bolick"
businessApp:(ownedBy.username:`Joey Bolick`)
businessApp:(managedBy.username
Use values within quotes or backticks to help you find business applications by who manages them.
Examples
Show any findings that contain parts of name
businessApp:(managedBy.username:"Byron")
Show any findings that match exact value "Byron Fortuna"
businessApp:(managedBy.username:`Byron Fortuna`)
businessApp:(supportedBy.username
Use values within quotes or backticks to help you find business applications by who supports them.
Examples
Show any findings that contain parts of name
businessApp:(supportedBy.username:"John")
Show any findings that match exact value "John Doe"
businessApp:(supportedBy.username:`John Doe`)
businessApp:(supportGroup
Use a text value ##### to help you find business applications with support group.
Example
Show assets with business application support group as Security
businessApp:(supportGroup: Security)
software:(architecture
Use a text value ##### to help you find the software architecture you're looking for, i.e., 32-Bit or 64-Bit.
Example
Show any findings that match exact value
software:(architecture:`64-Bit`)
Show any findings with this name
software:(architecture:64-Bit)
Show any findings that contain parts of name
software:(architecture:"64-Bit")
Show findings that have software with both the architecture and software version.
software:(architecture:64-Bit AND version:2.0)
Show findings that have the specified architecture and those that have the specified software version.
software:(architecture:64-Bit) AND software:(version:2.0)
software:(category
Use values within quotes or backticks to help you find a software category.
Example
Show any findings that match exact value
software:(category:`Application Development/Testing`)
Show any findings with this name
software:(category:Application Development/Testing)
Show any findings that contain parts of name
software:(category:"Application Development/Testing")
Show findings that have software with both the specified category and the software version.
software:(category:Application Development/Testing AND version:2.0)
Show findings that have the specified category and those that have the specified software version.
software:(category:Application Development/Testing) AND software:(version:2.0)
software:(isRequired
Use the values true | false to define whether the software is required.
Example
Show software that is required
software:(isRequired:"true")
Show software that is required and has the specified software version.
software:(isRequired:true AND version:2.0)
Show software that is required and those that have the specified software version.
software:(isRequired:true) AND software:(version:2.0)
software:(category1
Use a text value ##### to help you find the software category 1 value you are looking for.
Example
If you are searching for assets with testing software, then category1 is Application Development and category2 is Testing.
Show any findings that match exact value
software:(category1:Application Development)
Show any findings with this name
software:(category1: Application Development)
Show any findings that contain parts of name
software:(category1: "Application Development")
Show findings that have software with both the specified category and the software version.
software:(category1:Application Development AND version:2.0)
Show findings that have the specified category and those that have the specified software version.
software:(category1:Application Development) AND software:(version:2.0)
software:(category2
Use a text value ##### to help you find the software category 2 value you're looking for.
Example
If you are searching for assets having testing software, then category1 is Application Development and category2 is Testing.
Show any findings that match exact value
software:(category2:Testing)
Show any findings with this name
software:(category2: Testing)
Show any findings that contain parts of name
software:(category2: "Testing")
Show findings that have software with both the specified category and the software version.
software:(category2:Testing AND version:2.0)
Show findings that have the specified category and those that have the specified software version.
software:(category2:Testing) AND software:(version:2.0)
software:(edition
Use a text value ##### to help you find the software edition you are looking for.
Example
Show any findings that match exact value
software:(edition:Professional)
Show any findings with this name
software:(edition: Professional)
Show any findings that contain parts of name
software:(edition: "Professional")
Show findings that have software with both the specified edition and the software version.
software:(edition:Professional AND version:2.0)
Show findings that have the specified edition and those that have the specified software version.
software:(edition:Professional) AND software:(version:2.0)
software:(installDate
Use a date range or specific date to define when software was installed.
Examples
Show software installed within certain dates
software:(installDate:[2019-01-01 ... 2019-01-15])
Show software installed starting 2019-01-15, ending 1 month ago
software:(installDate:[2019-01-15 ... now-1M])
Show software installed starting 2 weeks ago, ending 1 second ago
software:(installDate:[now-2w ... now-1s])
Show software installed on a specific date
software:(installDate:'2019-03-18')
Show software installed within last 30 days excluding day 30.
software:(installDate>now-30d)
Note: We recommend not using the NOT operator in your range search to form a query like
NOT sensor.lastPcScannerScanDate:[now-30d..now-2s].
See the "QQL Best Practices" topic in the Unified Dashboard Online Help.
Show software installed within last 30 days including day 30.
software:(installDate>=now-30d)
Show software installed that is older than last 30 days excluding day 30.
software:(installDate<now-30d)
Show software installed that is older than last 30 days including day 30.
software:(installDate<=now-30d)
Show software installed that has the specific version and was installed on a specific date.
software:(installDate:'2019-03-18' AND version:2.0)
Show software installed that has the specific version and those installed on a specific date.
software:(installDate:'2019-03-18') AND software:(version:2.0)
software:(isPackage
Use the values true | false to define whether the software is a package.
Example
Show software that is a package
software:(isPackage:"true")
Show software that is a package and has the specified software version.
software:(isPackage:true AND version:2.0)
Show software that is a package and those that have the specified software version.
software:(isPackage:true) AND software:(version:2.0)
software:(isPCSupported
Use the values true | false to define whether the software is PC supported.
Example
Show software that is PC supported
software:(isPCSupported:"true")
Show software that is supported on PC and has the specified software version.
software:(isPCSupported:true AND version:2.0)
Show software that is supported on PC and those that have the specified software version.
software:(isPCSupported:true) AND software:(version:2.0)
software:(hasRunningInstance
Use the values true | false to find whether the software has a running instance.
Example
Show software that has a running instance
software:(hasRunningInstance:"true")
Show software that has a running instance and has the specified software version.
software:(hasRunningInstance:true AND version:2.0)
Show software that has a running instance and those that have the specified software version.
software:(hasRunningInstance:true) AND software:(version:2.0)
software:(isPackageComponent
Use the values true | false to define whether the software is a package component.
Example
Show software that is a package component
software:(isPackageComponent:"true")
Show software that is a package component and has the specified software version.
software:(isPackageComponent:true AND version:2.0)
Show software that is a package component and those that have the specified software version.
software:(isPackageComponent:true) AND software:(version:2.0)
software:(lastUpdatedDate
Use a date range or specific date to define when a software was last updated.
Examples
Show software last updated within certain dates
software:(lastUpdatedDate:[2019-01-01 ... 2019-01-15])
Show software last updated starting 2019-01-15, ending 1 month ago
software:(lastUpdatedDate:[2019-01-15 ... now-1M])
Show software last updated starting 2 weeks ago, ending 1 second ago
software:(lastUpdatedDate:[now-2w ... now-1s])
Show software last updated on a specific date
software:(lastUpdatedDate:'2019-03-18')
Show software last updated within last 30 days excluding day 30.
software:(lastUpdatedDate>now-30d)
Note: We recommend not using the NOT operator in your range search to form a query like
NOT software:(lastUpdatedDate:[now-30d..now-2s]).
See the "QQL Best Practices" topic in the Unified Dashboard Online Help.
Show software last updated within last 30 days including day 30.
software:(lastUpdatedDate>=now-30d)
Show software last updated which is older than last 30 days excluding day 30.
software:(lastUpdatedDate<now-30d)
Show software last updated which is older than last 30 days including day 30.
software:(lastUpdatedDate<=now-30d)
Show software that has the specific version and was last updated on a specific date.
software:(lastUpdatedDate:'2019-03-18' AND version:2.0)
Show software that has the specific version and those last updated on a specific date.
software:(lastUpdatedDate:'2019-03-18') AND software:(version:2.0)
software:(lastUseDate
Use a date range or specific date to define when a software was last used.
Note: This token is not supported for Windows assets.
Examples
Show software last used within certain dates
software:(lastUseDate:[2019-01-01 ... 2019-01-15])
Show software last used starting 2019-01-15, ending 1 month ago
software:(lastUseDate:[2019-01-15 ... now-1M])
Show software last used starting 2 weeks ago, ending 1 second ago
software:(lastUseDate:[now-2w ... now-1s])
Show software last used on a specific date
software:(lastUseDate:'2019-03-18')
Show software last used within last 30 days excluding day 30.
software:(lastUseDate>now-30d)
Note: We recommend not using the NOT operator in your range search to form a query like
NOT software:(lastUseDate:[now-30d..now-2s]).
See the "QQL Best Practices" topic in the Unified Dashboard Online Help.
Show software last used within last 30 days including day 30.
software:(lastUseDate>=now-30d)
Show software last used which is older than last 30 days excluding day 30.
software:(lastUseDate<now-30d)
Show software last used which is older than last 30 days including day 30.
software:(lastUseDate<=now-30d)
Show software last used on a specific date with the specific version.
software:(lastUseDate:'2019-03-18' AND version:2.0)
Show software that has the specific version and those last used on a specific date.
software:(lastUseDate:'2019-03-18') AND software:(version:2.0)
software:(license.category
Use a text value ##### to help you find a software license category, e.g., Open Source, Commercial.
Example
Show any findings that match exact value
software:(license.category:`Open Source`)
Show any findings with this name
software:(license.category:Open Source)
Show any findings that contain parts of name
software:(license.category:"Open Source")
Show findings that have software with both the specified license category and the software version.
software:(license.category:Open Source AND version:2.0)
Show findings that have the specified software license category and those that have the specified software version.
software:(license.category:Open Source) AND software:(version:2.0)
software:(license.subcategory
Use a text value ##### to help you find a software license subcategory, e.g., GPL, Apache 2.0, BSD.
Example
Show any findings that match exact value
software:(license.subcategory:`Apache 2.0`)
Show any findings with this name
software:(license.subcategory:Apache 2.0)
Show any findings that contain parts of name
software:(license.subcategory:"Apache 2.0")
Show findings that have software with both the specified license subcategory and the software version.
software:(license.subcategory:Apache 2.0 AND version:2.0)
Show findings that have the specified software license subcategory and those that have the specified software version.
software:(license.subcategory:Apache 2.0) AND software:(version:2.0)
software:(lifecycle.ga
Use a date range or specific date to define a software general availability date of interest.
Examples
Show findings with software GA date in this date range
software:(lifecycle.ga:[2019-01-01 ... 2019-01-15])
Show findings with software GA date starting 2019-01-15, ending 1 month ago
software:(lifecycle.ga:[2019-01-15 ... now-1M])
Show findings with software GA date starting 2 weeks ago, ending 1 second ago
software:(lifecycle.ga:[now-2w ... now-1s])
Show findings with this software GA date
software:(lifecycle.ga:'2019-03-18')
software:(lifecycle.eol
Use a date range or specific date to define a software End-of-Life date of interest.
Examples
Show findings with software End-of-Life date in this date range
software:(lifecycle.eol:[2019-01-01 ... 2019-01-15])
Show findings with software End-of-Life date starting 2019-01-15, ending 1 month ago
software:(lifecycle.eol:[2019-01-15 ... now-1M])
Show findings with software End-of-Life date starting 2 weeks ago, ending 1 second ago
software:(lifecycle.eol:[now-2w ... now-1s])
Show findings with this software End-of-Life date
software:(lifecycle.eol:'2019-03-18')
software:(lifecycle.eos
Use a date range or specific date to define a software End-of-Support date of interest.
Examples
Show findings with software End-of-Support date in this date range
software:(lifecycle.eos:[2019-01-01 ... 2019-01-15])
Show findings with software End-of-Support date starting 2019-01-15, ending 1 month ago
software:(lifecycle.eos:[2019-01-15 ... now-1M])
Show findings with software End-of-Support date starting 2 weeks ago, ending 1 second ago
software:(lifecycle.eos:[now-2w ... now-1s])
Show findings with this software End-of-Support date
software:(lifecycle.eos:'2019-03-18')
software:(lifecycle.stage
Use a text value ##### to define a software lifecycle stage you're looking for, i.e. active, eol, obsolete.
Examples
Show findings having this software lifecycle stage
software:(lifecycle.stage:eol)
Show findings having software category Windows and software lifecycle stage "eol"
software:(category:Windows AND lifecycle.stage:eol)
Show findings having software category Windows and those having software lifecycle stage "eol"
software:(category:Windows) AND software:(lifecycle.stage:eol)
software:(marketVersion
Use a text value ##### to help you find a software market version, e.g., Windows OS.
Example
Show any findings that match exact value
software:(marketVersion:7)
Show findings that have software with both the specified market version and the software version.
software:(marketVersion:7 AND version:2.0)
Show findings that have the specified software market version and those that have the specified software version.
software:(marketVersion:7) AND software:(version:2.0)
Use values within quotes or backticks to help you find the software name you're looking for. Quotes can be used when the value has more than one word.
Examples
Show any findings with this name
software:(name: VMware Tools)
Show any findings that contain parts of name
software:(name: "VMware Tools")
Show any findings that match exact value
software:(name: `VMware Tools`)
Find assets that have software with both the specified name and version
software:(name: VMware Tools AND version:2.0)
Find assets that have the specified software name and those that have the specified software version
software:(name: VMware Tools) AND software:(version:2.0)
Find assets with a certain tag and software installed
tags.name: `Cloud Agent` AND software:(name: `Cisco AnyConnect Secure Mobility Client` AND version: `3.1.12345`)
software:(product
Use a text value ##### to define the software product name you are looking for.
Example
Show findings with this exact product name
software:(product:`Office`)
Show any findings with this name
software:(product: Office)
Show any findings that contain parts of name
software:(product: "Office")
Show findings that have software with both the product name and the software version
software:(product: Office AND version:2.0)
Show findings that have the specified product name and those that have the specified software version
software:(product: Office) AND software:(version:2.0)
software:(publisher
Use a text value ##### to define the software manufacturer you're looking for.
Example
Show findings with this exact software publisher
software:(publisher:`Microsoft`)
Show any findings with this name
software:(publisher: Microsoft)
Show any findings that contain parts of name
software:(publisher: "Microsoft")
Show findings that have software with both the specified publisher and software version
software:(publisher: Microsoft AND version:2.0)
Show findings that have the specified publisher and those that have the specified software version
software:(publisher: Microsoft) AND software:(version:2.0)
software:(supportStage
Use a text value ##### to define the software support stage.
Example
Show software having premium support
software:(supportStage:`Premier Support`)
Show any findings that contain parts of the name
software:(supportStage: "Premier Support")
Show findings that have software with premium support and the specified software version
software:(supportStage: Premier Support AND version:2.0)
Show software that has the premium support and those that have the specified software version
software:(supportStage: Premier Support) AND software:(version:2.0)
software:(lifecycle.detectionScore
Use a text value ##### to find the software product with the lifecycle detection score you are looking for.
Examples
Show the software product with a lifecycle detection score of 80
software:(lifecycle.detectionScore: 80)
Show the software product with a lifecycle detection score greater than 80
software:(lifecycle.detectionScore>80)
Show the software product with a lifecycle detection score less than 80
software:(lifecycle.detectionScore<80)
Show the software product with a lifecycle detection score less than or equal to 80
software:(lifecycle.detectionScore<=80)
Show the software product with a lifecycle detection score greater than or equal to 80
software:(lifecycle.detectionScore>=80)
software:(update
Use a text value ##### to define a software update version of interest.
Example
Show findings with this exact software update version
software:(update:16.0.1.2)
Show findings with software update version greater than 16.0.1.2
software:(update>16.0.1.2)
Show findings with software update version greater than or equal to 16.0.1.2
software:(update>=16.0.1.2)
Show findings with software update version less than 16.0.1.2
software:(update<16.0.1.2)
Show findings with software update version less than or equal to 16.0.1.2
software:(update<=16.0.1.2)
Show findings with software update version within this version range
software:(update:[16.0.1.2 ... 16.0.1.5])
software:(version
Use a text value ##### to define the software version you're interested in.
Example
Show findings with this exact software version
software:(version:16.0)
Show findings with software version greater than 16.0
software:(version>16.0)
Show findings with software version greater than or equal to 16.0
software:(version>=16.0)
Show findings with software version less than 16.0
software:(version<16.0)
Show findings with software version less than or equal to 16.0
software:(version<=16.0)
Show findings with software version within this version range
software:(version:[16.0 ... 20.0])
Show findings with these software name and versions
software:(name:`VMware Tools`) AND software:(version:2.0)
Show findings with another software and version
software:(name:`DataRobot`) AND software:(version:1.0)
software:(component
Use a value Client, Server or "" (empty field) to identify the software component.
Example
Show software with Client software component
software:(component:Client)
Show any software that contain parts of component name
software:(component:"Client")
Show assets that have a software component named Client with version 2.0.
software:(component:Client AND version:2.0)
Show assets that have the specified software component and assets that have the specified software version.
software:(component:Client) AND software:(version:2.0)
software:(firstFoundDate
Use a date range or specific date to define when software was first found.
Examples
Show assets with software first found within certain dates
software:(firstFoundDate: [2017-06-15 ... 2017-06-30])
Show assets with software first found starting 2017-06-22, ending 1 month ago
software:(firstFoundDate: [2017-06-22 ... now-1M])
Show assets with software first found starting 2 weeks ago, ending 1 second ago
software:(firstFoundDate: [now-2w ... now-1s])
Show assets with software first found on specific date
software:(firstFoundDate:'2017-06-14')
Show assets with software first found within last 30 days excluding day 30.
software:(firstFoundDate>now-30d)
Note: We recommend not to use the NOT operator in your range search to form a query like
NOT software:(lastUseDate:[now-30d..now-2s]).
See "QQL Best Practices" topic in the Unified Dashboard Online Help.
Show assets with software first found within last 30 days including day 30.
software:(firstFoundDate>=now-30d)
Show assets with software first found which is older than last 30 days excluding day 30.
software:(firstFoundDate<now-30d)
Show assets with software first found which is older than last 30 days including day 30.
software:(firstFoundDate<=now-30d)
missingSoftware:(category1
Use a text value ##### to help you find the missing software category 1 value you're looking for.
Example
If you are searching for assets missing testing software, then category1 is Application Development and category2 is Testing.
Show any findings that match exact value
missingSoftware:(category1:Application Development)
missingSoftware:(category2
Example
If you are searching for assets missing testing software, then category1 is Application Development and category2 is Testing.
Show any findings that match exact value
missingSoftware:(category2:Testing)
missingSoftware:(publisher
Use a text value ##### to find a software without publisher.
Example
Show findings without this software publisher
missingSoftware:(publisher:Microsoft)
missingSoftware:(product
Use a text value ##### to find a software without product name.
Example
Show findings with this exact product name
missingSoftware:(product:Office)
missingSoftware:(name
Use values within quotes or backticks to help you find the missing software name you're looking for. Quotes can be used when the value has more than one word.
Examples
Show any findings with this name
missingSoftware:(name: VMware Tools)
Show any findings that contain parts of name
missingSoftware:(name: "VMware Tools")
Show any findings that match exact value
missingSoftware:(name: `VMware Tools`)
Find assets with certain tag and missing software
tags.name: `Cloud Agent` AND missingSoftware:(name: `Cisco AnyConnect Secure Mobility Client` AND product: Office)
openPorts:(detectionScore
Filter the open ports based on the QDS score.
Examples
Show open ports with a QDS score of 80
openPorts:(detectionScore: 80)
Show open ports with a QDS score greater than 80
openPorts:(detectionScore>80)
Show open ports with a QDS score less than 80
openPorts:(detectionScore<80)
Show open ports with a QDS score greater than or equal to 80
openPorts:(detectionScore>=80)
openPorts:(discoverySources
Use a text value ##### to help you find open ports detected from a certain discovery source. (Active Directory, BMC Helix, CMDB, Cloud Agent, EASM, ICS OCA, IP Scanner, OCA, Passive Sensor, ServiceNow, Unknown, and Webhook) Select from values in the drop-down menu.
Examples
Show findings from cloud agents
openPorts:(discoverySources: Cloud Agent)
Show findings from CMDB
openPorts:(discoverySources: CMDB)
openPorts:(protocol
Use a text value (UDP or TCP) to define the port protocol you're interested in.
Examples
Show findings found on TCP
openPorts:(protocol: TCP)
Show findings found on port 80 and TCP
openPorts:(port: 80 AND protocol: TCP)
asset.inventory:(firstDiscoveredSource
Use a text value to help you find assets by their first discovered source. You can select any of the following sources:
API, API Based Scan, Active Directory, Appliance, Azure, BMC Helix, CAPS, CMDB, CV Connector, Cloud Agent, EC2, GCP, IBM, ICS OCA, EASM, IP Scanner, LDAP, Malware Domain, Mobility Scanner, OCA, OCI, Passive Sensor, SCANNER, ServiceNow, Snapshot Based Scan, VMWare vSphere, VMware ESXi, Web Application Scanner, and Webhook.
Note: Some options are only displayed when the EASM toggle is enabled.
Examples
Show findings from EASM
asset.inventory:(firstDiscoveredSource: EASM)
Show findings from Passive Sensor
asset.inventory:(firstDiscoveredSource: Passive Sensor)
missingSoftware:(detectionScore
Use a text value to show findings that match the missing software detection score.
Examples
Show findings with a missing software detection score of 50
missingSoftware:(detectionScore: 50)
Show findings with a missing software detection score greater than 50
missingSoftware:(detectionScore>50)
Show findings with a missing software detection score less than 50
missingSoftware:(detectionScore<50)
Show findings with a missing software detection score of 50 or greater
missingSoftware:(detectionScore>=50)
Show findings with a missing software detection score of 50 or less
missingSoftware:(detectionScore<=50)
Alibaba
Use these tokens when searching Alibaba assets.
alibaba.instance.accountId
Use a text value to define the instance id of the Alibaba cloud account.
Examples
Find Alibaba instances with the following account ID
alibaba.instance.accountId: 123456789012
Find Alibaba instances with account ID starting "12345"
alibaba.instance.accountId: 12345*
alibaba.instance.dnsServer
Use an integer value to define the Domain Name System (DNS) configurations of the instance.
Example
Find Alibaba instances of the following DNS
alibaba.instance.dnsServer: 100.xxx.x.xxx
alibaba.instance.hasAgent
Use a boolean value (true | false) to define whether the Alibaba instance has a cloud agent installed on it.
Example
Find Alibaba instances with agents
alibaba.instance.hasAgent: true
alibaba.instance.hostName
Use a text value to find an Alibaba instance by hostname.
Example
Find Alibaba instances related to name
alibaba.instance.hostName: abc.qualys.com
alibaba.instance.imageId
Use a text value to find the ID of the image used during the instance creation process.
Example
Find instances related to image id
alibaba.instance.imageId: ubuntu_14_0405_64_20G_alibase_20170824.vhd
alibaba.instance.instanceId
Use a text value to define the Alibaba instance id.
Example
Find Alibaba instances with this instance ID
alibaba.instance.instanceId: i-a2dxxxxsxxxxxhdfax
alibaba.instance.instanceType
Use a text value to define the instance type.
Example
Find Alibaba instances with this instance type
alibaba.instance.instanceType: ecs.t5-lc1m1.small
alibaba.instance.interfaceId
Use a text value to define the identifier of the NIC.
Example
Find Alibaba instances of the following interface id
alibaba.instance.interfaceId: a2dxxxxaixxxtux572
alibaba.instance.instanceState
Use a text value to define the state of the Alibaba instance. Examples of instance states are MOVING, RUNNING, STARTED, STOPPED, STOPPING, and TERMINATED.
Example
Find Alibaba instances for the following state
alibaba.instance.instanceState: RUNNING
alibaba.instance.macAddress
Use a text value to define the MAC address.
Example
Find Alibaba instances with this MAC address
alibaba.instance.macAddress: 00:16:3e:0f:XX:XX
alibaba.instance.networkType
Use the network type values to find the Alibaba cloud instances. The network type can be vpc or classic.
Example
Find Alibaba instances with this network type
alibaba.instance.networkType: vpc
alibaba.instance.privateIpAddress
Use an integer value to define a private IPv4 address or range of IPs.
Example
Find Alibaba instances with the following private IP address
alibaba.instance.privateIpAddress: 192.168.XX.XX
alibaba.instance.publicIpAddress
Use an integer value to define a public IPv4 address or range of IPs.
Example
Find Alibaba instances with the following public IP address
alibaba.instance.publicIpAddress: 149.xx.xx.xx
alibaba.instance.regionCode
Use a text value to find the Alibaba cloud instances that belong to the region with a specific code. Examples of codes are ap-northeast-1, ap-south-1, nanjing, cn-chengdu, and eu-central-1.
Example
Find Alibaba instances for the following region code
alibaba.instance.regionCode: cn-chengdu
alibaba.instance.regionName
Use a text value to define the region name. Examples of region names are Australia (Sydney), Beijing, China, Japan (Tokyo), India (Mumbai), and Philippines (Manila).
Example
Find Alibaba instances for the following region
alibaba.instance.regionName: US (Silicon Valley)
alibaba.instance.serialNumber
Use a text value to define the serial number of the instance.
Example
Find Alibaba instances of the following serial number
alibaba.instance.serialNumber: 12trexxxxr-3xx-xxx-rtg4-xxxx6t45
alibaba.instance.vpcCidrBlock
Use a text value to define the CIDR block of the VPC.
Example
Find Alibaba instances of the following CIDR block
alibaba.instance.vpcCidrBlock: 172.xx.x.x/16
alibaba.instance.vpcId
Use a text value to search all the Alibaba instances with the specified VPC ID.
Example
Show Alibaba instances with this VPC ID
alibaba.instance.vpcId: vpc-a2d6pxxxxvvdadd5yikj
alibaba.instance.vswitchId
Use a text value to search all the Alibaba instances with the specified vswitchId.
Example
Show Alibaba instances with the following switch ID
alibaba.instance.vswitchId: vsw-a2dxxxoxxxxsqx1mxxxdd
alibaba.instance.vswitchCidrBlock
Use an integer value to define the CIDR block of the switch to which the Alibaba instance is connected.
Example
Find Alibaba instances of the following CIDR block of the switch
alibaba.instance.vswitchCidrBlock: 192.168.XX.XX/24
alibaba.instance.zoneId
Use a text value to define the zone ID.
Examples
Find Alibaba instances of the following zone id
alibaba.instance.zoneId: cn-chengdu-a
Supported Boolean Operators
The Qualys Query Language (QQL) supports the following logical or Boolean query operators. Use these operators in your queries to narrow down or broaden your search.
Narrow down your search by using the 'and' operator in your Boolean query. The result contains all the token values that you provide in your query.
Example
asset.status: Enrolled and asset.id: 122855563
The asset having the ID 122855563 and with status as Enrolled is returned in the result.
Narrow down your search by using the 'not' operator in your Boolean query. The result contains all the other values except the one that you specify after 'not' in your query.
Example
not tags.name: Windows
Assets with the Windows tag are excluded from search results.
Broaden your search by using the 'or' operator in your Boolean query. The result contains any of the token values that you provide in your query.
Example
tags.name:Cloud Agent or tags.name:Windows
The assets that have the Cloud Agent tag or the Windows tag are returned in the result.