Syntax help displayed in UI for tokens. Click each token to learn more about it.
Note:
- For all the date-related tokens, the date search is evaluated only for UTC format. The actual search results might show you the date as per your time zone.
- For the range searches, remember that the QQL search tokens are case-sensitive. Hence, make sure that you enter the correct token syntax. For more information, see Range Searches.
- While using the nested QQL queries for software-related tokens using the 'not' operator and multiple values in [], the placement of 'not' is very important. Make sure to enter the correct token syntax. Otherwise, you will not get the expected results. For more information, see the Nested Queries section from the How to Search topic.
Asset Inventory and Passive Sensor | AWS EC2 | Microsoft Azure | Google Cloud Platform | Oracle Cloud Infrastructure | IBM Cloud |Passive Sensor only |Alibaba| Certificates
accounts.usernameaccounts.username
Example
Show findings with username administrator
accounts.username:"administrator"
agent.activations.keyagent.activations.key
Example
Show assets with agents activated using this key
agent.activations.key: "057cc48a-8d84-48eb-add4-97a605d0567d"
agent.activations.statusagent.activations.status
Example
Show assets with active agents
agent.activations.status: ACTIVE
Example
Show findings with this agent ID
asset.agentID:"0fc8e682-e9cc-4e7d-b92a-0c905d81ec74"
agent.configurationProfileagent.configurationProfile
Examples
Show any findings related to profile name
agent.configurationProfile: Initial Profile
Show any findings that contain parts of the name
agent.configurationProfile: "Initial Profile"
Show any findings that match exact value
agent.configurationProfile: `Initial Profile`
agent.connectedFromagent.connectedFrom
Example
Show findings for an external IP address that an agent connected from
agent.connectedFrom: 10.0.100.11
asset.isContainerHostasset.isContainerHost
Example
Show assets that host containers
asset.isContainerHost: "true"
asset.hostingCategory1asset.hostingCategory1
Example
Show findings with hosting catagory CDN
asset.hostingCategory1:"CDN"
agent.lastActivityagent.lastActivity
Examples
Show last agent activity within certain dates
agent.lastActivity:[2019-01-01 ... 2019-01-15]
Show last agent activity starting 2019-01-15, ending 1 month ago
agent.lastActivity:[2019-01-15 ... now-1M]
Show last agent activity starting 2 weeks ago, ending 1 second ago
agent.lastActivity:[now-2w ... now-1s]
Show last agent activity on a specific date
agent.lastActivity:'2019-03-18'
Show last agent activity within last 30 days excluding day 30.
agent.lastActivity>now-30d
Note: We recommend not to use the NOT operator in your range search to form query like NOT agent.lastActivity:[now-30d..now-2s]. See "QQL Best Practices" topic in the Unified Dashboard Online Help.
Show last agent activity within last 30 days including day 30.
agent.lastActivity>=now-30d
Show last agent activity which is older than last 30 days excluding day 30.
agent.lastActivity<now-30d
Show last agent activity which is older than last 30 days including day 30.
agent.lastActivity<=now-30d
agent.lastCheckedInagent.lastCheckedIn
Examples
Show findings with last check in within a specific date range.
agent.lastCheckedIn:[2020-01-01 ... 2020-01-10]
Show findings with last check in starting 2019-11-01, ending 1 month ago.
agent.lastCheckedIn:[2019-11-01 ... now-1M]
Show findings with last check in starting 2 weeks ago, ending 1 second ago.
agent.lastCheckedIn:[now-2w ... now-1s]
Show findings with last check in on a specific date
agent.lastCheckedIn:'2020-02-11'
Show findings with last check in before (older than) last 30 days.
agent.lastCheckedIn<now-30d
Note: In this case, we recommend not to use the NOT operator in your range search to form a query like NOT lastCheckedIn:[now-30d...now-2s]. See 'Say no to NO' section in the 'QQL Best Practices' topic in the Unified Dashboard online Help.
Show findings with last check in within last 30 days excluding day 30
agent.lastCheckedIn>now-30d
Show findings with last check in within last 30 days including day 30
agent.lastCheckedIn>=now-30d
Show findings with last check in which is older than last 30 days excluding day 30
agent.lastCheckedIn<now-30d
Show findings with last check in which is older than last 30 days including day 30
agent.lastCheckedIn<=now-30d
agent.lastInventoryagent.lastInventory
Examples
Show last inventory scan within certain dates
agent.lastInventory:[2019-01-01 ... 2019-01-15]
Show last inventory scan starting 2019-01-15, ending 1 month ago
agent.lastInventory:[2019-01-15 ... now-1M]
Show last inventory scan starting 2 weeks ago, ending 1 second ago
agent.lastInventory:[now-2w ... now-1s]
Show last inventory scan on a specific date
agent.lastInventory:'2019-03-18'
Show last inventory scan within last 30 days excluding day 30.
agent.lastInventory>now-30d
Note: We recommend not to use the NOT operator in your range search to form query like NOT agent.lastInventory:[now-30d..now-2s]. See "QQL Best Practices" topic in the Unified Dashboard Online Help.
Show last inventory scan within last 30 days including day 30.
agent.lastInventory>=now-30d
Show last inventory scan which is older than last 30 days excluding day 30.
agent.lastInventory<now-30d
Show last inventory scan which is older than last 30 days including day 30.
agent.lastInventory<=now-30d
agent.udcManifestAssignedagent.udcManifestAssigned
Examples
Show assets with agents assigned a UDC manfest
agent.udcManifestAssigned: "true"
Show assets with agents not assigned a UDC manifest
agent.udcManifestAssigned: "false"
Example
Show agents of this version
asset.version:1.3.2.0
agent.swCAIdealCandidateagent.swCAIdealCandidate
Example
Show assets on which at least one of the software components is identified
agent.swCAIdealCandidate:true
Example
Show findings with this agent ID
asset.agentID:12345679
Note: The same token is used to find the certificates for assets with the specified asset ID, but the token syntax is different. See all token examples.
Example
Show findings with this asset ID
asset.assetID:122855563
Find the certificates for assets with the specified asset ID
Examples for Certificate Token
Show certificates on assets with the specified asset ID.
asset:(assetID: 49267969)
Example
Show assets that have the specified number of crawled links.
asset.links:10
Show assets that have greater than or equal to the specified number of crawled links.
asset.links>=10
Show assets that have less than or equal to the specified number of crawled links.
asset.links>=10
Example
Show the web application that matches the asset URL.
asset.url:http://172.31.28
Show the web application that matches the asset URL
asset.url:https://10.100.200.60:12345/
asset.biosAssetTagasset.biosAssetTag
Examples
Show any findings that contain this BIOS asset tag
asset.biosAssetTag:113632
Show any findings that contain parts of BIOS asset tag
asset.biosAssetTag:"113632"
Show any findings that match exact value
asset.biosAssetTag:`113632`
asset.biosDescriptionasset.biosDescription
Examples
Show any findings that contain parts of description
asset.biosDescription:"American Megatrends Inc."
Show any findings that match exact value "American Megatrends Inc."
asset.biosDescription:`American Megatrends Inc.`
asset.biosSerialNumberasset.biosSerialNumber
Example
Show findings with this BIOS Serial Number
asset.biosSerialNumber:C02S50JDFVH8
Example
Show assets that have 2 CPUs
asset.cpuCount:2
Note: The same token is used to find the certificates for the specified asset creation date, but the token syntax is different. See all token examples.
Examples
Show assets created within certain dates
asset.created:[2019-01-01 ... 2019-01-15]
Show assets created starting 2019-01-15, ending 1 month ago
asset.created:[2019-01-15 ... now-1M]
Show assets created starting 2 weeks ago, ending 1 second ago
asset.created:[now-2w ... now-1s]
Show assets created on a specific date
asset.created:'2019-03-18'
Show assets created within last 30 days excluding day 30.
asset.created>now-30d
Note: We recommend not to use the NOT operator in your range search to form query like NOT asset.created:now-30d..now-2s. See "QQL Best Practices" topic in the Unified Dashboard Online Help.
Show assets created within last 30 days including day 30.
asset.created>=now-30d
Show assets created older than last 30 days excluding day 30.
asset.created<now-30d
Show last inventoryassets created older than last 30 days including day 30.
asset.created<=now-30d
Find the certificates for the specified asset creation date
Examples for Certificate Token
Show assets created within certain dates
asset:(created: [2023-01-01 ... 2024-01-15])
Show assets created starting 2019-01-15, ending 1 month ago
asset:(created: [2019-01-15... now-1M])
Show assets created starting 2 weeks ago, ending 1 second ago
asset:(created: [now-2w ... now-1s])
Show assets created on a specific date
asset:(created: `2024-01-18`)
asset.criticalityScoreasset.criticalityScore
Note: The same token is used to find the certificates for the specified asset criticality score, but the token syntax is different. See all token examples.
Examples
Show assets based on the asset criticality score 1
asset.criticalityScore:`1`
find the certificates for the specified asset criticality score
Examples for Certificate Token
Show certificates for assets with the following criticality score
asset:(criticalityScore: 5)
asset.riskScoreasset.riskScore
Note: The same token is used to find the certificates for assets with the specified asset risk score, but the token syntax is different. See all token examples.
Examples
Show all the assets with a risk score 900
asset.riskScore:900
Show all the assets with risk score between the range 800 to 1000
asset.riskScore:[800 ... 1000]
Show all the assets with a risk score greater than 500
asset.riskScore >500
Show all the assets with a risk score less than or equal to 800
asset.riskScore <=800
Find the certificates for assets with the specified asset risk score
Examples for Certificate Token
Show certificats for assets with a risk score 800
asset:(riskScore:800)
Show certificats for assets with risk score between the range 700 to 1000
asset:(riskScore:[700 ... 1000])
Show certificats for assets with a risk score greater than 600
asset:(riskScore >600)
Show certificats for assets with a risk score less than or equal to 600
asset:(riskScore <=600)
asset.biosHardwareUUIDasset.biosHardwareUUID
Example
Show findings with this bios hardware UUID
asset.biosHardwareUUID:152FBCC6-641B-5661-9E68-DEF35D8C4B51
Example
Show assets having this host ID
asset.hostID:43954857
Examples
Show assets last booted within certain dates
asset.lastBoot:[2019-01-01 ... 2019-01-15]
Show assets last booted starting 2019-01-15, ending 1 month ago
asset.lastBoot:[2019-01-15 ... now-1M]
Show assets last booted starting 2 weeks ago, ending 1 second ago
asset.lastBoot:[now-2w ... now-1s]
Show assets last booted on a specific date
asset.lastBoot:'2019-03-18'
asset.lastLoggedOnUserasset.lastLoggedOnUser
Examples
Show assets with last logon by user asmith
asset.lastLoggedOnUser:asmith
asset.lastUpdatedasset.lastUpdated
Note: The same token is used to find the certificates for the specified asset last updated date, but the token syntax is different. See all token examples.
Examples
Show assets last updated within certain dates
asset.lastUpdated:[2019-01-01 ... 2019-01-15]
Show assets last updated starting 2019-01-15, ending 1 month ago
asset.lastUpdated:[2019-01-15... now-1M]
Show assets last updated starting 2 hours ago, ending 1 second ago
asset.lastUpdated:[now-2h ... now-1s]
Show assets last updated starting 4 hours ago, ending 1 hour ago
asset.lastUpdated:[now-4h ... now-1h]
Show assets last updated starting 2 weeks ago, ending 1 second ago
asset.lastUpdated:[now-2w ... now-1s]
Show assets last updated on a specific date
asset.lastUpdated:'2019-03-18'
Show assets updated within last 30 days excluding day 30.
asset.lastUpdated>now-30d
Note: We recommend not to use the NOT operator in your range search to form query like NOT asset.lastUpdated:[now-30d..now-2s]. See "QQL Best Practices" topic in the Unified Dashboard Online Help.
Show assets updated within last 30 days including day 30.
asset.lastUpdated>=now-30d
Show assets updated older than last 30 days excluding day 30.
asset.lastUpdated<now-30d
Show assets updated older than last 30 days including day 30.
asset.lastUpdated<=now-30d
Find the certificates for the specified asset creation date
Examples for Certificate Token
Show certificates for assets last updated within certain dates
asset:(lastUpdated: [2019-01-01 ... 2019-01-15])
Show certificates for assets last updated starting 2019-01-15, ending 1 month ago
asset:(lastUpdated: [2019-01-15... now-1M])
Show certificates for assets last updated starting 2 weeks ago, ending 1 second ago
asset:(lastUpdated: [now-2w ... now-1s])
Show certificates for assets last updated on a specific date
asset:(lastUpdated: `2024-01-18`)
Examples
Show any findings that match the beginning of any substrings within the asset name
asset.name:"ACMENVT7"
Show any findings that match exact value "ACMENVT7"
asset.name:`ACMENVT7`
asset.netbiosNameasset.netbiosName
Examples
Show the asset with this name
asset.netbiosName:ACMENVT7
Example
Show assets with this timezone
asset.timezone:"-08:00"
asset.totalMemoryasset.totalMemory
Example
Show findings with total system memory greater than 900 MB
asset.totalMemory>900
Show findings with total system memory greater than or equal to 900 MB
asset.totalMemory>=900
Show findings with total system memory less than 300 MB
asset.totalMemory<300
Show findings with total system memory less than or equal to 300 MB
asset.totalMemory<=300
asset.trackingMethodasset.trackingMethod
Example
Find assets with this tracking method
asset.trackingMethod: QAGENT
asset.domainRoleasset.domainRole
Examples
Show any findings that contain parts of name
asset.domainRole:"Member Ser"
Show any findings that match exact value "Member Server"
asset.domainRole:`Member Server`
Example
Find assets of type host
asset.type: `HOST`
asset.lastLocationasset.lastLocation
Example
Show assets with last location as Redwood City, California - United States
asset.lastLocation: 'Redwood City, California - United States'
Example
Show assets with last location with exact string
asset.lastLocation: `Redwood City, California - United States`
asset.lastLocation.continentasset.lastLocation.continent
Example
Show assets with last location continent as North America
asset.lastLocation.continent: North America
asset.lastLocation.countryasset.lastLocation.country
Example
Show assets with last location country as United States
asset.lastLocation.country: United States
asset.lastLocation.stateasset.lastLocation.state
Example
Show assets with last location state as California
asset.lastLocation.state: California
asset.lastLocation.cityasset.lastLocation.city
Example
Show assets with assigned location city as Miami
asset.lastLocation.city: Miami
asset.lastLocation.postalasset.lastLocation.postal
Example
Show assets with last location postal as 94065
asset.lastLocation.postal: 94065
asset.operationalStatusasset.operationalStatus
Example
Show assets with operational status as Repair
asset.operationalStatus: Repair
asset.environmentasset.environment
Example
Show assets with environment as Production
asset.environment: Production
Examples
Show any findings that contain parts of name
asset.ownedBy:"Joey"
Show any findings that match exact value "Joey Bolick"
asset.ownedBy:`Joey Bolick`
asset.managedByasset.managedBy
Examples
Show any findings that contain parts of name
asset.managedBy:"Byron"
Show any findings that match exact value "Byron Fortuna"
asset.managedBy:`Byron Fortuna`
asset.supportedByasset.supportedBy
Examples
Show any findings that contain parts of name
asset.supportedBy:"John"
Show any findings that match exact value "John Doe"
asset.supportedBy:`John Doe`
asset.supportGroupasset.supportGroup
Note: The same token is used to find the certificates for assets with the specified support group, but the token syntax is different. See all token examples.
Examples
Show any findings that contain parts of name
asset.supportGroup:"Compliance"
Show any findings that match exact value "Compliance Managers"
asset.supportGroup:`Compliance Managers`
Find the certificates for assets with the specified support group.
Examples for Certificate Token
Show any findings that contain parts of name
asset:(supportGroup:"Compliance")
Show any findings that match exact value "Compliance Managers"
asset:(supportGroup:`Compliance Managers`)
asset.org.companyasset.org.company
Example
Show assets with company as Qualys
asset.org.company: Qualys
asset.org.departmentasset.org.department
Example
Show assets with department as Development
asset.org.department: Development
asset.assignedLocation.nameasset.assignedLocation.name
Examples
Show any findings that contain parts of name
asset.assignedLocation.name:"401 Biscayne St, Miami"
Show any findings that match exact value "401 Biscayne St, Miami FL"
asset.assignedLocation.name:`401 Biscayne St, Miami FL`
asset.assignedLocation.cityasset.assignedLocation.city
Example
Show assets with assigned location city as Miami
asset.assignedLocation.city: Miami
asset.assignedLocation.stateasset.assignedLocation.state
Example
Show assets with assigned location state as FL
asset.assignedLocation.state: FL
asset.assignedLocation.countryasset.assignedLocation.country
Example
Show assets with assigned location country as USA
asset.assignedLocation.country: USA
businessApp.namebusinessApp.name
Examples
Show any findings that contain parts of name
businessApp:(name:"HR")
Show any findings that match exact value "HR Intranet"
businessApp:(name:`HR Intranet`)
Example
Show findings with business app ID as APP007
businessApp:(id:APP007)
businessApp.operationalStatusbusinessApp.operationalStatus
Example
Show business applications with operational status as Installed
businessApp:(operationalStatus: Installed)
businessApp.businessCriticalitybusinessApp.businessCriticality
Examples
Show any findings that contain parts of name
businessApp:(businessCriticality:"1 - most")
Show any findings that match exact value "1 - most critical"
businessApp:(businessCriticality:`1 - most critical`)
businessApp.environmentbusinessApp.environment
Example
Show assets with business application environment as Production
businessApp:(environment: Production)
businessApp.ownedBybusinessApp.ownedBy
Examples
Show any findings that contain parts of name
businessApp:(ownedBy:"Joey")
Show any findings that match exact value "Joey Bolick"
businessApp:(ownedBy:`Joey Bolick`)
businessApp.managedBybusinessApp.managedBy
Examples
Show any findings that contain parts of name
businessApp:(managedBy:"Byron")
Show any findings that match exact value "Byron Fortuna"
businessApp:(managedBy:`Byron Fortuna`)
businessApp.supportedBybusinessApp.supportedBy
Examples
Show any findings that contain parts of name
businessApp:(supportedBy:"John")
Show any findings that match exact value "John Doe"
businessApp:(supportedBy:`John Doe`)
businessApp.supportGroupbusinessApp.supportGroup
Example
Show assets with business application support group as Security
businessApp:(supportGroup: Security)
qualysCorrelationIDqualysCorrelationID
Examples
Show assets with this correlation ID
qualysCorrelationID: 0f1b031712682e27cca306e4a2a9e3144696ac099b08fcdf76ccb6f3647ec058
Show assets without any correlation ID
qualysCorrelationID: UNIDENTIFIED
Show all assets with correlation ID
qualysCorrelationID: *
Example
Show assets detected by the following agent uuid.
caps.leader:ac49f3eb-e1ab-4947-9dc3-4bd2c3eea114
Show assets detected by the following agent uuid.
caps.leader:"ac49f3eb-e1ab-4947-9dc3-4bd2c3eea114"
Show assets detected by the following agent uuid.
caps.leader:`ac49f3eb-e1ab-4947-9dc3-4bd2c3eea114'
connectors.connector.nameconnectors.connector.name
Example
Show findings detected by connector name myec2
connectors.connector.name: myec2
connectors.connectorIdconnectors.connectorId
Note: This token is for the new feature, Third-Party Asset Identification, which is in the Beta phase. The feature is in early stage and only available on a request basis. Contact your Technical Account Manager (TAM) for more information.
Example
Show findings with this connector ID
connectors.connectorId:1278237
container.productcontainer.product
Examples
Show container product
container.product: CONTAINERD
Show container product
container.product: DOCKER
container.versioncontainer.version
Example
Show containers of this version
container.version:1.6
connectors.firstDiscoveredconnectors.firstDiscovered
Examples
Show connectors found within certain dates
connectors:(firstDiscovered: [2019-01-01 ... 2019-01-15])
Show connectors found starting 2019-01-15, ending 3 months ago
connectors:(firstDiscovered: [2019-01-15 ... now-3M])
Show connectors found starting 2 weeks ago, ending 1 second ago
connectors:(firstDiscovered: [now-2w ... now-1s])
Show connectors found on a specific date
connectors:(firstDiscovered:'2019-03-18')
Show connectors found within last 30 days excluding day 30.
connectors:(firstDiscovered>now-30d)
Note: We recommend not to use the NOT operator in your range search to form query like NOT connectors:(firstDiscovered:[now-30d..now-2s]). See "QQL Best Practices" topic in the Unified Dashboard Online Help.
Show connectors discovered within last 30 days including day 30.
connectors:(firstDiscovered>=now-30d)
Show connectors dicovered older than last 30 days excluding day 30.
connectors:(firstDiscovered<now-30d)
Show connectors found older than last 30 days including day 30.
connectors:(firstDiscovered<=now-30d)
connectors.lastDiscoveredconnectors.lastDiscovered
Examples
Show connectors last discovered within certain dates
connectors:(lastDiscovered: [2019-01-01 ... 2019-01-15])
Show connectors discovered starting 2019-01-15, ending 3 months ago
connectors:(lastDiscovered: [2019-01-15 ... now-3M])
Show connectors discovered starting 2 weeks ago, ending 1 second ago
connectors:(lastDiscovered: [now-2w ... now-1s])
Show connectors discovered on a specific date
connectors:(lastDiscovered:'2019-03-18')
Show connectors discovered within last 30 days excluding day 30.
connectors:(lastDiscovered>now-30d)
Note: We recommend not to use the NOT operator in your range search to form query like NOT connectors:(lastDiscovered:[now-30d..now-2s]). See "QQL Best Practices" topic in the Unified Dashboard Online Help.
Show connectors discovered within last 30 days including day 30.
connectors:(lastDiscovered>=now-30d)
Show connectors dicovered older than last 30 days excluding day 30.
connectors:(lastDiscovered<now-30d)
Show connectors found older than last 30 days including day 30.
connectors:(lastDiscovered<=now-30d)
container.noOfContainerscontainer.noOfContainers
Example
Show findings with 2 containers
container.noOfContainers:2
container.noOfImagescontainer.noOfImages
Example
Show findings with 5 container images
container.noOfImages:5
container.hasSensorcontainer.hasSensor
Use the values true | false to choose whether to show container hosts that have the Container Sensor installed.
Example
Show container hosts with container sensor installed.
container.hasSensor:"true"
customAttributes.connectorIdcustomAttributes.connectorId
Example
Find assets for connector 'Qualys'
customAttributes:(connectorId:0)
customAttributes.keycustomAttributes.key
Example
Find assets with "Department" as part of the key name
customAttributes:(key:"Department")
The result includes assets with the 'Department' custom attribute key.
Note: If 'Department' is part of the key name, such as Department 1, Department A-C, or Department US, those assets are also included in the result.
customAttributes.valuecustomAttributes.value
Example
Find assets with "DEVOPS" as part of the key value
customAttributes:(value:"DEVOPS")
The result includes assets with the 'DEVOPS' custom attribute value.
Note: If 'DEVOPS' is part of the value name, such as DEVOPS CSAM, DEVOPS CA, or DEVOPS PM, those assets are also included in the result.
Examples
Show any findings that contain parts of name
hardware:"Dell Latitude e7470"
Show any findings that match exact value
hardware:`Dell Latitude e7470`
hardware.categoryhardware.category
Examples
Show any findings that match exact value
hardware.category:Printers/Laser
hardware.category1hardware.category1
Example
If you are searching for assets that are laser printers, then category1 is Printers and category2 is Laser.
Show any findings that match exact value
hardware.category1:Printers
hardware.category2hardware.category2
Example
If you are searching for assets that are laser printers, then category1 is Printers and category2 is Laser.
Show any findings that match exact value
hardware.category2:Laser
hardware.lifecycle.gahardware.lifecycle.ga
Examples
Show findings with hardware GA date in this date range
hardware.lifecycle.ga:[2019-01-01 ... 2019-01-15]
Show findings with hardware GA date starting 2019-01-15, ending 1 month ago
hardware.lifecycle.ga:[2019-01-15 ... now-1M]
Show findings with hardware GA date starting 2 weeks ago, ending 1 second ago
hardware.lifecycle.ga:[now-2w ... now-1s]
Show findings with this hardware GA date
hardware.lifecycle.ga:'2019-03-18'
hardware.lifecycle.introhardware.lifecycle.intro
Examples
Show findings with hardware introduction date in this date range
hardware.lifecycle.intro:[2019-01-01 ... 2019-01-15]
Show findings with hardware introduction date starting 2019-01-15, ending 1 month ago
hardware.lifecycle.intro:[2019-01-15 ... now-1M]
Show findings with hardware introduction date starting 2 weeks ago, ending 1 second ago
hardware.lifecycle.intro:[now-2w ... now-1s]
Show findings with this hardware introduction date
hardware.lifecycle.intro:'2019-03-18'
hardware.lifecycle.eoshardware.lifecycle.eos
Examples
Show findings with hardware End-of-Sale date in this date range
hardware.lifecycle.eos:[2019-01-01 ... 2019-01-15]
Show findings with hardware End-of-Sale date starting 2019-01-15, ending 1 month ago
hardware.lifecycle.eos:[2019-01-15 ... now-1M]
Show findings with hardware End-of-Sale date starting 2 weeks ago, ending 1 second ago
hardware.lifecycle.eos:[now-2w ... now-1s]
Show findings with this hardware End-of-Sale date
hardware.lifecycle.eos:'2019-03-18'
hardware.lifecycle.obshardware.lifecycle.obs
Examples
Show findings with hardware obsolete date in this date range
hardware.lifecycle.obs:[2019-01-01 ... 2019-01-15]
Show findings with hardware obsolete date starting 2019-01-15, ending 1 month ago
hardware.lifecycle.obs:[2019-01-15 ... now-1M]
Show findings with hardware obsolete date starting 2 weeks ago, ending 1 second ago
hardware.lifecycle.obs:[now-2w ... now-1s]
Show findings with this hardware obsolete date
hardware.lifecycle.obs:'2019-03-18'
hardware.lifecycle.stagehardware.lifecycle.stage
Example
Show End-of-Sale hardware
hardware.lifecycle.stage:"EOS"
hardware.manufacturerhardware.manufacturer
Example
Show any findings that match exact value "Dell"
hardware.manufacturer:`Dell`
Example
Show any findings that match exact value "e7470"
hardware.model:`De7470`
hardware.producthardware.product
Example
Show any findings that match exact value "Latitude"
hardware.product:`Latitude`
interfaces:(addressinterfaces:(address
Examples
Show the exact match of the IP address
interfaces:(address:`10.10.100.20`)
Show any findings that contain parts of the IP address
interfaces:(address:"10.10.100.2")
interfaces:(address: 10.10.100.2)
interfaces:(dnsAddressinterfaces:(dnsAddress
Example
Show the asset with DNS address 10.0.100.11
interfaces:(dnsAddress:10.0.100.11)
interfaces:(gatewayAddressinterfaces:(gatewayAddress
Example
Show assets with this default gateway address
interfaces:(gatewayAddress:10.11.65.1)
interfaces:(hostnameinterfaces:(hostname
Examples
Show any findings related to name
interfaces:(hostname: xpsp2-jp-26-111)
Show any findings that contain parts of name
interfaces:(hostname: "xpsp2-jp-26-111")
Show any findings that match exact value "xpsp2-jp-26-111"
interfaces:(hostname: `xpsp2-jp-26-111`)
Show any findings related to name (we'll match super domains)
interfaces:(hostname: qcentos71sqp3.rdlab.acme.com)
Show any findings that match exact value "qcentos71sqp3.rdlab.acme.com"
interfaces:(hostname: `qcentos71sqp3.rdlab.acme.com`)
Show findings according to values entered in the square brackets.
Note: You can add multiple values in []. However, it's important to understand that partial values are not supported. You must enter the exact match value.
Example with correct syntax - interfaces:(hostname: [win7-181, bridge.vuln.qa.qualys.com])
Example with incorrect syntax - interfaces:(hostname: [win7, bridge.vuln.qa])
interfaces:(interfaceNameinterfaces:(interfaceName
Example
Show the asset with name PRO/1000
interfaces:(interfaceName:PRO/1000)
interfaces:(macAddressinterfaces:(macAddress
Example
Show the asset with this MAC address
interfaces:(macAddress:"00:50:56:A9:73:5A")
interfaces:(manufacturerinterfaces:(manufacturer
Example
Show the asset with interface hardware manufacturer
interfaces:(manufacturer:"Apple")
interfaces:(netmaskinterfaces:(netmask
Example
Show the assets with the following netmask
interfaces:(netmask:255.255.255.0)
inventory:(createdinventory:(created
Examples
Show assets created within certain dates
inventory:(created: [2019-01-01 ... 2019-01-15])
Show assets created starting 2019-01-15, ending 1 month ago
inventory:(created: [2019-01-15 ... now-1M])
Show assets created starting 2 weeks ago, ending 1 second ago
inventory:(created: [now-2w ... now-1s])
Show assets created on specific date
inventory:(created: '2019-03-18')
Show assets createdwithin last 30 days excluding day 30.
inventory:(created>now-30d)
Note: We recommend not to use the NOT operator in your range search to form query like NOT inventory.(created:[now-30d..now-2s]. See "QQL Best Practices" topic in the Unified Dashboard Online Help.
Show assets created within last 30 days including day 30.
inventory:(created>=now-30d)
Show assets created older than last 30 days excluding day 30.
inventory:(created<now-30d)
Show assets created older than last 30 days including day 30.
inventory:(created<=now-30d)
inventory:(lastUpdatedinventory:(lastUpdated
Examples
Show assets updated within certain dates
inventory:(lastUpdated: [2019-01-01 ... 2019-01-15])
Show assets updated starting 2019-01-15, ending 3 months ago
inventory:(lastUpdated: [2019-01-15 ... now-3M])
Show assets updated starting 2 weeks ago, ending 1 second ago
inventory:(lastUpdated: [now-2w ... now-1s])
Show assets updated on a specific date
inventory:(lastUpdated:'2019-03-18')
Show assets updated within last 30 days excluding day 30.
inventory:(lastUpdated>now-30d)
Note: We recommend not to use the NOT operator in your range search to form query like NOT inventory:(lastUpdated:[now-30d..now-2s]. See "QQL Best Practices" topic in the Unified Dashboard Online Help.
Show assets updated within last 30 days including day 30.
inventory:(lastUpdated>=now-30d)
Show assets updated which is older than last 30 days excluding day 30.
inventory:(lastUpdated<now-30d)
Show assets updated which is older than last 30 days including day 30.
inventory:(lastUpdated<=now-30d)
passiveSensor.idpassiveSensor.id
Type
Example
Show this sensor ID
passiveSensor.id:"003687557369:1654660042:3809075:704:1654660042:3809075:704"
passiveSensor.locationpassiveSensor.location
Examples
Show assets with sensor location (appliance location label) as SanJose1
passiveSensor.location:"SanJose1"
passiveSensor.namepassiveSensor.name
Examples
Show assets with sensor name as ITCorp-appliance
passiveSensor.name:"ITCorp-appliance"
inventory:(sourceinventory:(source
Examples
Show findings from cloud agents
inventory:(source: Cloud Agent)
Show findings from Passive Sensor
inventory:(source: Passive Sensor)
openPorts:(descriptionopenPorts:(description
Examples
Show any findings with this description
openPorts:(description: Windows Remote Desktop)
Show any findings that contain parts of description
openPorts:(description: "Windows Remote Desktop")
Show any findings that match exact value "Windows Remote Desktop"
openPorts:(description: `Windows Remote Desktop`)
openPorts:(detectedServiceopenPorts:(detectedService
Examples
Show any findings with this service name
openPorts:(detectedService: win_remote_desktop)
Show any findings that contain parts of name
openPorts:(detectedService: "win_remote_desktop")
Show any findings that match exact value "win_remote_desktop"
openPorts:(detectedService: `win_remote_desktop`)
openPorts:(firstFoundopenPorts:(firstFound
Examples
Show open ports found within certain dates
openPorts:(firstFound: [2019-01-01 ... 2019-01-15])
Show open ports found starting 2019-01-15, ending 3 months ago
openPorts:(firstFound: [2019-01-15 ... now-3M])
Show open ports found starting 2 weeks ago, ending 1 second ago
openPorts:(firstFound: [now-2w ... now-1s])
Show open ports found on a specific date
openPorts:(firstFound:'2019-03-18')
Show open ports found within last 30 days excluding day 30.
openPorts:(firstFound>now-30d)
Note: We recommend not to use the NOT operator in your range search to form query like NOT openPorts:(firstFound:[now-30d..now-2s]). See "QQL Best Practices" topic in the Unified Dashboard Online Help.
Show assets updated within last 30 days including day 30.
openPorts:(firstFound>=now-30d)
Show open ports found older than last 30 days excluding day 30.
aopenPorts:(firstFound<now-30d)
Show open ports found older than last 30 days including day 30.
openPorts:(firstFound<=now-30d)
openPorts:(lastUpdatedopenPorts:(lastUpdated
Examples
Show open ports last updated within certain dates
openPorts:(lastUpdated:[2019-01-01 ... 2019-01-15])
Show open ports last updated starting 2019-01-15, ending 1 month ago
openPorts:(lastUpdated:[2019-01-15 ... now-1M])
Show open ports last updated starting 2 weeks ago, ending 1 second ago
openPorts:(lastUpdated:[now-2w ... now-1s])
Show open ports last updated on a specific date
openPorts:(lastUpdated:'2019-03-18')
Show open ports found within last 30 days excluding day 30.
openPorts:(lastUpdated>now-30d)
Note: We recommend not to use the NOT operator in your range search to form query like NOT openPorts.(lastUpdated:[now-30d..now-2s]). See "QQL Best Practices" topic in the Unified Dashboard Online Help.
Show assets updated within last 30 days including day 30.
openPorts:(lastUpdated>=now-30d)
Show open ports found older than last 30 days excluding day 30.
aopenPorts:(lastUpdated<now-30d)
Show open ports found older than last 30 days including day 30.
openPorts:(lastUpdated<=now-30d)
openPorts:(portopenPorts:(port
Example
Show assets with open port 80
openPorts:(port:80)
openPorts:(protocolopenPorts:(protocol
Examples
Show findings found on TCP
openPorts:(protocol: TCP)
Show findings found on port 80 and TCP
openPorts:(port: 80 AND protocol: TCP)
openPorts:(detectionScoreopenPorts:(detectionScore
Examples
Show open ports based on the following QDS score
openPorts:(detectionScore: 80)
Show open ports based on the following QDS score
openPorts:(detectionScore>80)
Show open ports based on the following QDS score
openPorts:(detectionScore<80)
Show open ports based on the following QDS score
openPorts:(detectionScore>=80)
Examples
Show any findings that contain parts of name
processors:"iIntel Xwon® CPU ES-2673 v3"
Show any findings that match exact value
processors:`Intel Xwon® CPU ES-2673 v3`
processors.coresPerSocketprocessors.coresPerSocket
Example
Show the number of cores per socket
processors.coresPerSocket:2
processors.multithreadingStatus processors.multithreadingStatus
Example
Show multi-threading enabled processor
processors.multithreadingStatus: "ENABLED"
processors.numberOfCpuprocessors.numberOfCpu
Example
Show the logical CPUs
processors.numberOfCpu:4
processors.numberOfSockets processors.numberOfSockets
Example
Show number of sockets
processors.numberOfSockets:2
processors.speedprocessors.speed
Example
Show assets with this processor speed
processors.speed:2394
processors.threadsPerCoreprocessors.threadsPerCore
Example
Show number of threads per core
processors.threadsPerCore:1
Examples
Show assets synced from Amazon AWS
provider: "AWS"
sensors.activatedForModulessensors.activatedForModules
Examples
Show sensors activated for VM
sensors.activatedForModules: "VM"
Show sensors activated for VM and PC
sensors.activatedForModules: "VM" AND sensors.activatedForModules: "PC"
sensors.lastFullScansensors.lastFullScan
Examples
Show last full scan within certain dates
sensors.lastFullScan:[2019-01-01 ... 2019-01-15]
Show last full scan starting 2019-01-15, ending 1 month ago
sensors.lastFullScan:[2019-01-15 ... now-1M]
Show last full scan starting 2 weeks ago, ending 1 second ago
sensors.lastFullScan:[now-2w ... now-1s]
Show last full scan on a specific date
sensors.lastFullScan:'2019-03-18'
Show last full scan within last 30 days excluding day 30.
sensors.lastFullScan>now-30d
Note: We recommend not to use the NOT operator in your range search to form query like NOT sensors.lastFullScan:[now-30d..now-2s]. See "QQL Best Practices" topic in the Unified Dashboard Online Help.
Show last full scan within last 30 days including day 30.
sensors.lastFullScan>=now-30d
Show last full scan which is older than last 30 days excluding day 30.
sensors.lastFullScan<now-30d
Show last full scan which is older than last 30 days including day 30.
sensors.lastFullScan<=now-30d
agent.errorStatusagent.errorStatus
Example
Show agents with error status
agent.errorStatus: "true"
sensors.lastComplianceScansensors.lastComplianceScan
Examples
Show last compliance scan within certain dates
sensors.lastComplianceScan:[2019-01-01 ... 2019-01-15]
Show last compliance scan starting 2019-01-15, ending 1 month ago
sensors.lastComplianceScan:[2019-01-15 ... now-1M]
Show last compliance scan starting 2 weeks ago, ending 1 second ago
sensors.lastComplianceScan:[now-2w ... now-1s]
Show last compliance scan on a specific date
sensors.lastComplianceScan:'2019-03-18'
Show last compliance scan within last 30 days excluding day 30.
sensors.lastComplianceScan>now-30d
Note: We recommend not to use the NOT operator in your range search to form query like NOT sensors.lastComplianceScan:[now-30d..now-2s]. See "QQL Best Practices" topic in the Unified Dashboard Online Help.
Show last compliance scan within last 30 days including day 30.
sensors.lastComplianceScan>=now-30d
Show last compliance scan which is older than last 30 days excluding day 30.
sensors.lastComplianceScan<now-30d
Show last compliance scan which is older than last 30 days including day 30.
sensors.lastComplianceScan<=now-30d
sensors.lastVmScansensors.lastVmScan
Examples
Show last VM scan within certain dates
sensors.lastVmScan:[2019-01-01 ... 2019-01-15]
Show last VM scan starting 2019-01-15, ending 1 month ago
sensors.lastVmScan:[2019-01-15 ... now-1M]
Show last VM scan starting 2 weeks ago, ending 1 second ago
sensors.lastVmScan:[now-2w ... now-1s]
Show last VM scan on a specific date
sensors.lastVmScan:`2019-03-18`
Show last VM Scan within last 30 days excluding day 30.
sensors.lastVmScan>now-30d
Note: We recommend not to use the NOT operator in your range search to form query like NOT sensors.lastVmScan:[now-30d..now-2s]. See "QQL Best Practices" topic in the Unified Dashboard Online Help.
Show last VM Scan within last 30 days including day 30.
sensors.lastVmScan>=now-30d
Show last VM Scan which is older than last 30 days excluding day 30.
sensors.lastVmScan<now-30d
Show last aVM Scan which is older than last 30 days including day 30.
sensors.lastVmScan<=now-30d
sensors.lastVmScanDateScannersensors.lastVmScanDateScanner
Examples
Show last VM scan within certain dates
sensors.lastVmScanDateScanner:[2019-01-01 ... 2019-01-15]
Show last VM scan starting 2019-01-15, ending 1 month ago
sensors.lastVmScanDateScanner:[2019-01-15 ... now-1M]
Show last VM scan starting 2 weeks ago, ending 1 second ago
sensors.lastVmScanDateScanner:[now-2w ... now-1s]
Show last VM scan on a specific date
sensors.lastVmScanDateScanner:'2019-03-18'
Show last agent activity within last 30 days excluding day 30.
sensors.lastVmScanDateScanner>now-30d
Note: We recommend not to use the NOT operator in your range search to form query like NOT sensors.lastVmScanDateScanner:[now-30d..now-2s]. See "QQL Best Practices" topic in the Unified Dashboard Online Help.
Show last VM Scan within last 30 days including day 30.
sensors.lastVmScanDateScanner>=now-30d
Show last VM Scan which is older than last 30 days excluding day 30.
sensors.lastVmScanDateScanner<now-30d
Show last VM Scan which is older than last 30 days including day 30.
sensors.lastVmScanDateScanner<=now-30d
sensors.lastVmScanDateAgentsensors.lastVmScanDateAgent
Examples
Show last VM scan within certain dates
sensors.lastVmScanDateAgent:[2019-01-01 ... 2019-01-15]
Show last VM scan starting 2019-01-15, ending 1 month ago
sensors.lastVmScanDateAgent:[2019-01-15 ... now-1M]
Show last VM scan starting 2 weeks ago, ending 1 second ago
sensors.lastVmScanDateAgent:[now-2w ... now-1s]
Show last VM scan on a specific date
sensors.lastVmScanDateAgent:'2019-03-18'
Show last agent activity within last 30 days excluding day 30.
sensors.lastVmScanDateAgent>now-30d
Note: We recommend not to use the NOT operator in your range search to form query like NOT sensors.lastVmScanDateAgent:[now-30d..now-2s]. See "QQL Best Practices" topic in the Unified Dashboard Online Help.
Show last VM Scan within last 30 days including day 30.
sensors.lastVmScanDateAgent>=now-30d
Show last VM Scan which is older than last 30 days excluding day 30.
sensors.lastVmScanDateAgent<now-30d
Show last VM Scan which is older than last 30 days including day 30.
sensors.lastVmScanDateAgent<=now-30d
sensors.lastPcScanDateScannersensors.lastPcScanDateScanner
Examples
Show last PC scan within certain dates
sensors.lastPcScanDateScanner:[2019-01-01 ... 2019-01-15]
Show last PC scan starting 2019-01-15, ending 1 month ago
sensors.lastPcScanDateScanner:[2019-01-15 ... now-1M]
Show last PC scan starting 2 weeks ago, ending 1 second ago
sensors.lastPcScanDateScanner:[now-2w ... now-1s]
Show last PC scan on a specific date
sensors.lastPcScanDateScanner:'2019-03-18'
Show last PC scan within last 30 days excluding day 30.
sensors.lastPcScanDateScanner>now-30d
Note: We recommend not to use the NOT operator in your range search to form query like NOT sensors.lastPcScanDateScanner:[now-30d..now-2s]. See "QQL Best Practices" topic in the Unified Dashboard Online Help.
Show last PC scan within last 30 days including day 30.
sensors.lastPcScanDateScanner>=now-30d
Show last PC scan which is older than last 30 days excluding day 30.
sensors.lastPcScanDateScanner<now-30d
Show last PC scan which is older than last 30 days including day 30.
sensors.lastPcScanDateScanner<=now-30d
sensors.lastPcScanDateAgentsensors.lastPcScanDateAgent
Examples
Show last PC scan within certain dates
sensors.lastPcScanDateAgent:[2019-01-01 ... 2019-01-15]
Show last PC scan starting 2019-01-15, ending 1 month ago
sensors.lastPcScanDateAgent:[2019-01-15 ... now-1M]
Show last PC scan starting 2 weeks ago, ending 1 second ago
sensors.lastPcScanDateAgent:[now-2w ... now-1s]
Show last PC scan on a specific date
sensors.lastPcScanDateAgent:'2019-03-18'
Show last PC scan within last 30 days excluding day 30.
sensors.lastPcScanDateAgent>now-30d
Note: We recommend not to use the NOT operator in your range search to form query like NOT sensors.lastPcScanDateScanner:[now-30d..now-2s]. See "QQL Best Practices" topic in the Unified Dashboard Online Help.
Show last PC scan within last 30 days including day 30.
sensors.lastPcScanDateAgent>=now-30d
Show last PC scan which is older than last 30 days excluding day 30.
sensors.lastPcScanDateAgent<now-30d
Show last PC scan which is older than last 30 days including day 30.
sensors.lastPcScanDateAgent<=now-30d
sensors.pendingActivationForModulessensors.pendingActivationForModules
Examples
Show sensors pending activation for VM
sensors.pendingActivationForModules: "VM"
Show sensors pending activation for VM and FIM
sensors.pendingActivationForModules: "VM" AND sensors.pendingActivationForModules: "FIM"
services.descriptionservices.description
Examples
Show any findings that contain parts of description
services:(description:"Certificate Propagation")
Show any findings that match exact value "Windows Event Log"
services:(description:`Certificate Propagation`)
Example
Show any findings that match exact value
services:(name:CertPropSvc)
services.statusservices.status
Example
Show any findings that match exact value
services:(status:RUNNING)
software:(architecturesoftware:(architecture
Example
Show any findings that match exact value
software:(architecture:64-Bit)
software:(categorysoftware:(category
Example
Show any findings that match exact value
software:(category:`Application Development/Testing`)
software:(isRequiredsoftware:(isRequired
Example
Show software that is required
software:(isRequired: "true")
asset.hasMissingSoftwareasset.hasMissingSoftware
Example
Show asset that has a missing software
asset.hasMissingSoftware: "true"
missingSoftware.category1missingSoftware.category1
Example
If you are searching for assets missing testing software, then category1 is Application Development and category2 is Testing.
Show any findings that match exact value
missingSoftware.category1:Application Development
missingSoftware.category2missingSoftware.category2
Example
If you are searching for assets missing testing software, then category1 is Application Development and category2 is Testing.
Show any findings that match exact value
missingSoftware.category2:Testing
missingSoftware.publishermissingSoftware.publisher
Example
Show findings without this software publisher
missingSoftware.publisher:Microsoft
missingSoftware.productmissingSoftware.product
Example
Show findings with this exact product name
missingSoftware.product:Office
missingSoftware.namemissingSoftware.name
Examples
Show any findings with this name
missingSoftware.name: VMware Tools
Show any findings that contain parts of name
missingSoftware.name: "VMware Tools"
Show any findings that match exact value
missingSoftware.name: `VMware Tools`
Find assets with certain tag and missing software
tags.name: `Cloud Agent` AND missingSoftware.name: `Cisco AnyConnect Secure Mobility Client` AND version: `3.1.12345`
software:(category1software:(category1
Example
If you are searching for assets having testing software, then category1 is Application Development and category2 is Testing.
Show any findings that match exact value
software:(category1:Application Development)
software:(category2software:(category2
Example
If you are searching for assets having testing software, then category1 is Application Development and category2 is Testing.
Show any findings that match exact value
software:(category2:Testing)
software:(editionsoftware:(edition
Example
Show any findings that match exact value
software:(edition:Professional)
software:(installDatesoftware:(installDate
Examples
Show software installed within certain dates
software:(installDate:[2019-01-01 ... 2019-01-15])
Show software installed starting 2019-01-15, ending 1 month ago
software:(installDate:[2019-01-15 ... now-1M])
Show software installed starting 2 weeks ago, ending 1 second ago
software:(installDate:[now-2w ... now-1s])
Show software installed on a specific date
software:(installDate:'2019-03-18')
Show software installed within last 30 days excluding day 30.
software:(installDate>now-30d)
Note: We recommend not to use the NOT operator in your range search to form query like NOT sensors.lastPcScanDateScanner:[now-30d..now-2s]. See "QQL Best Practices" topic in the Unified Dashboard Online Help.
Show software installed within last 30 days including day 30.
software:(installDate>=now-30d)
Show last PC scan which are older than last 30 days excluding day 30.
software:(installDate<now-30d)
Show software installed which are older than last 30 days including day 30.
software:(installDate<=now-30d)
software.installPathsoftware.installPath
Example
Show findings with this exact software install path
software:(installPath:C:\Program Files\)
software:(isPackagesoftware:(isPackage
Example
Show software that is a package
software:(isPackage: "true")
software:(isPCSupportedsoftware:(isPCSupported
Example
Show software that is PC supported
software:(isPCSupported: "true")
software:(hasRunningInstancesoftware:(hasRunningInstance
Example
Show software that has a running instance
software:(hasRunningInstance: "true")
software:(isPackageComponentsoftware:(isPackageComponent
Example
Show software that is a package component
software:(isPackageComponent: "true")
software:(lastUpdatedsoftware:(lastUpdated
Examples
Show software last updated within certain dates
software:(lastUpdated:[2019-01-01 ... 2019-01-15])
Show software last updated starting 2019-01-15, ending 1 month ago
software:(lastUpdated:[2019-01-15 ... now-1M])
Show software last updated starting 2 weeks ago, ending 1 second ago
software:(lastUpdated:[now-2w ... now-1s])
Show software last updated on a specific date
software:(lastUpdated:'2019-03-18')
Show software last updated within last 30 days excluding day 30.
software:(lastUpdated>now-30d)
Note: We recommend not to use the NOT operator in your range search to form query like NOT software:(lastUpdated:[now-30d..now-2s]). See "QQL Best Practices" topic in the Unified Dashboard Online Help.
Show software last updated within last 30 days including day 30.
software:(lastUpdated>=now-30d)
Show software last updated which is older than last 30 days excluding day 30.
software:(lastUpdated<now-30d)
Show lsoftware last updated which is older than last 30 days including day 30.
software:(lastUpdated<=now-30d)
software:(lastUseDatesoftware:(lastUseDate
Note: This token is not supported for windows assets.
Examples
Show software last used within certain dates
software:(lastUseDate:[2019-01-01 ... 2019-01-15])
Show software last used starting 2019-01-15, ending 1 month ago
software:(lastUseDate:[2019-01-15 ... now-1M])
Show software last used starting 2 weeks ago, ending 1 second ago
software:(lastUseDate:[now-2w ... now-1s])
Show software last used on a specific date
software:(lastUseDate:'2019-03-18')
Show software last used within last 30 days excluding day 30.
software:(lastUseDate>now-30d)
Note: We recommend not to use the NOT operator in your range search to form query like NOT software:(lastUseDate:[now-30d..now-2s]). See "QQL Best Practices" topic in the Unified Dashboard Online Help.
Show software last used within last 30 days including day 30.
software:(lastUseDate>=now-30d)
Show software last used which is older than last 30 days excluding day 30.
software:(lastUseDate<now-30d)
Show software last used which is older than last 30 days including day 30.
software:(lastUseDate<=now-30d)
software:(license.categorysoftware:(license.category
Example
Show any findings that match exact value
software:(license.category:`Open Source`)
software:(license.subcategorysoftware:(license.subcategory
Example
Show any findings that match exact value
software:(license.subcategory:Apache 2.0)
software:(lifecycle.gasoftware:(lifecycle.ga
Examples
Show findings with software GA date in this date range
software:(lifecycle.ga:[2019-01-01 ... 2019-01-15])
Show findings with woftware GA date starting 2019-01-15, ending 1 month ago
software:(lifecycle.ga:[2019-01-15 ... now-1M])
Show findings with software GA date starting 2 weeks ago, ending 1 second ago
software:(lifecycle.ga:[now-2w ... now-1s])
Show findings with this software GA date
software:(lifecycle.ga:'2019-03-18')
software:(lifecycle.eolsoftware:(lifecycle.eol
Examples
Show findings with software End-of-Life date in this date range
software:(lifecycle.eol:[2019-01-01 ... 2019-01-15])
Show findings with software End-of-Life date starting 2019-01-15, ending 1 month ago
software:(lifecycle.eol:[2019-01-15 ... now-1M])
Show findings with software End-of-Life date starting 2 weeks ago, ending 1 second ago
software:(lifecycle.eol:[now-2w ... now-1s])
Show findings with this software End-of-Life date
software:(lifecycle.eol:'2019-03-18')
software:(lifecycle.eossoftware:(lifecycle.eos
Examples
Show findings with software End-of-Support date in this date range
software:(lifecycle.eos:[2019-01-01 ... 2019-01-15])
Show findings with software End-of-Support date starting 2019-01-15, ending 1 month ago
software:(lifecycle.eos:[2019-01-15 ... now-1M])
Show findings with software End-of-Support date starting 2 weeks ago, ending 1 second ago
software:(lifecycle.eos:[now-2w ... now-1s])
Show findings with this software End-of-Support date
software:(lifecycle.eos:'2019-03-18')
software:(lifecycle.stagesoftware:(lifecycle.stage
Examples
Show findings having this software lifecycle stage
software:(lifecycle.stage:eol)
Show findings having software category Windows and software lifecycle stage "active"
software:(category:Windows AND lifecycle.stage:eol)
software:(marketVersionsoftware:(marketVersion
Example
Show any findings that match exact value
software:(marketVersion:7)
Examples
Show any findings with this name
software:(name: VMware Tools)
Show any findings that contain parts of name
software:(name: "VMware Tools")
Show any findings that match exact value
software:(name: `VMware Tools`)
Find assets with certain tag and software installed
tags.name: `Cloud Agent` AND software: (name: `Cisco AnyConnect Secure Mobility Client` AND version: `3.1.12345`)
software:(productsoftware:(product
Example
Show findings with this exact product name
software:(product:Office)
software:(publishersoftware:(publisher
Example
Show findings with this exact software publisher
software:(publisher:Microsoft)
software:(supportStagesoftware:(supportStage
Example
Show software having premium support
software:(supportStage: Premier Support)
software:(lifecycle.detectionScoresoftware:(lifecycle.detectionScore
Examples
Show the software product with the lifecycle detection score
software:(lifecycle.detectionScore: 80)
Show the software product with the lifecycle detection score
software:(lifecycle.detectionScore>80)
Show the software product with the lifecycle detection score
software:(lifecycle.detectionScore<80)
Show the software product with the lifecycle detection score
software:(lifecycle.detectionScore<=80)
Show the software product with the lifecycle detection score
software:(lifecycle.detectionScore>=80)
Example
Show findings having this software type
software:(type:Installer Package)
software:(updatesoftware:(update
Example
Show findings with this exact software update version
software:(update:16.0.1.2)
Show findings with software update version greater than 16.0.1.2
software:(update>16.0.1.2)
Show findings with software update version greater than or equal to 16.0.1.2
software:(update>=16.0.1.2)
Show findings with software update version less than 16.0.1.2
software:(update<16.0.1.2)
Show findings with software update version less than or equal to 16.0.1.2
software:(update<=16.0.1.2)
Show findings with software update version within this version range
software:(update:[16.0.1.2 ... 16.0.1.5])
software:(versionsoftware:(version
Example
Show findings with this exact software version
software:(version:16.0)
Show findings with software version greater than 16.0
software:(version>16.0)
Show findings with software version greater than or equal to 16.0
software:(version>=16.0)
Show findings with software version less than 16.0
software:(version<16.0)
Show findings with software version less than or equal to 16.0
software:(version<=16.0)
Show findings with software version within this version range
software:(version:[16.0 ... 20.0])
software:(componentsoftware:(component
Example
Show findings with Client software component
software:(component:Client)
software:(firstFoundsoftware:(firstFound
Examples
Show assets with software first found within certain dates
software:(firstFound: [2017-06-15 ... 2017-06-30])
Show assets with software first found starting 2017-06-22, ending 1 month ago
software:(firstFound: [2017-06-22 ... now-1M])
Show assets with software first found starting 2 weeks ago, ending 1 second ago
software:(firstFound: [now-2w ... now-1s])
Show assets with software first found on specific date
software:(firstFound:'2017-06-14')
Show assets with software first found within last 30 days excluding day 30.
software:(firstFound>now-30d)
Note: We recommend not to use the NOT operator in your range search to form query like NOT software:(lastUseDate:[now-30d..now-2s]). See "QQL Best Practices" topic in the Unified Dashboard Online Help.
Show assets with software first found within last 30 days including day 30.
software:(firstFound>=now-30d)
Show assets with software first found which is older than last 30 days excluding day 30.
software:(firstFound<now-30d)
Show assets with software first found which is older than last 30 days including day 30.
software:(firstFound<=now-30d)
Examples
Show findings with free volume space greater than 90 GB
volumes:(free>90)
Show findings with free volume space greater than or equal to 90 GB
volumes:(free>=90)
Show findings with free volume space less than 30 GB
volumes:(free<30)
Show findings with free volume space less than or equal to 30 GB
volumes:(free<=30)
Example
Show findings with this volume name
volumes:(name:D:)
Example
Show findings with volume size greater than 90 GB
volumes:(size>90)
Show findings with volume size greater than or equal to 90 GB
volumes:(size>=90)
Show findings with volume size less than 30 GB
volumes:(size<30)
Show findings with volume size less than or equal to 30 GB
volume:(size<=30)
gcp.labels.namegcp.labels.name
Examples
Find VM instances with key "department"
gcp.labels:(name: department)
Find VM instances that match exact key value "department"
gcp.labels:(name: 'department')
Find VM instances with key starting "dep"
gcp.labels:(name: dep*)
gcp.labels.valuegcp.labels.value
Examples
Find VM instances with tag value "product-management"
gcp.labels:(value: product-management)
Find VM instances that match exact key value "product-management"
gcp.labels:(value: 'product-management')
Find VM instances with tag value starting "product"
gcp.labels:(value: product*)
Note: The same token is used to find the certificates for assets with the specified org name, but the token syntax is different. See all token examples.
Examples
Show assets details that match the exact value of the organization name
asset.org.name: `Qualys, Inc.`
Show assets details that contain parts of the organization name
asset.org.name: "Qualys,"
Find tcertificates for assets with the specified org name
Examples for Certificate Token
Show assets details that match the exact value of the organization name
asset:(org.name: `Qualys, Inc.`)
Show assets details that contain parts of the organization name
asset:(org.name: "Qualys,")
Note: The same token is used to find the certificates for assets with the specified ISP, but the token syntax is different. See all token examples.
Examples
Show assets that match the exact ISP name
asset.isp: `amazon.com, Inc.`
Show assets that are with the parts of the ISP name
asset.isp: "amazon.com,"
Find the certificates for assets with the specified ISP
Examples for Certificate Token
Show certificates that match the exact ISP name
asset:(isp: `amazon.com, Inc.`)
Show certificates that are with the parts of the ISP name
asset:(isp: "amazon.com,")
Examples
Show assets that match the exact value of ASN
asset.asn: `AS8075`
Show assets that are with the parts of the ASN
asset.asn: "AS807"
Note: The same token is used to find the certificates for assets with the specified domain, but the token syntax is different. See all token examples.
Examples
Show assets that match the exact value of the domain
asset.domain: `qualys.com`
Show assets that contain parts of the domain
asset.domain: "qualys."
Find the certificates for assets with the specified domain
Examples for Certificate Token
Show certificates for assets that match the exact value of the domain
asset:(domain: `qualys.com`)
Show certificates for assets that contain parts of the domain
asset:(domain: "qualys.")
asset.subdomainasset.subdomain
Note: The same token is used to find the certificates for assets with the specified subdomain, but the token syntax is different. See all token examples.
Examples
Show assets that match the exact value of the subdomains
asset.subdomain: `doc.qualys.com`
Show assets that contain the parts of the subdomains
asset.subdomain: "doc.qualys."
Find certificates that match the exact value of the subdomains
asset:(subdomain: `doc.qualys.com`)
Find certificates that contain the parts of the subdomains
asset:(subdomain: "doc.qualys.")
whoIs.creationDatewhoIs.creationDate
Examples
Show assets with whoIs creation date within certain dates
whoIs:(creationDate: [2019-01-01 ... 2019-01-15])
Show assets with whoIs creation date starting 2019-01-15, ending 1 month ago
whoIs:(creationDate: [2019-01-15 ... now-1M])
Show assets with whoIs creation date starting 2 weeks ago, ending 1-second ago
whoIs:(creationDate: [now-2w ... now-1s])
Show assets with whoIs creation date last updated on a specific date
whoIs:(creationDate: `2022-06-04`)
Show assets with whoIs creation date within last 30 days excluding day 30.
whoIs:(creationDate>now-30d)
Note: We recommend not to use the NOT operator in your range search to form query like NOT software:(lastUseDate:[now-30d..now-2s]). See "QQL Best Practices" topic in the Unified Dashboard Online Help.
Show assets with whoIs creation date within last 30 days including day 30.
whoIs:(creationDate>=now-30d)
Show assets with whoIs creation date which is older than last 30 days excluding day 30.
whoIs:(creationDate<now-30d)
Show assets with whoIs creation date which is older than last 30 days including day 30.
whoIs:(creationDate<=now-30d)
whoIs.registrantOrgwhoIs.registrantOrg
Examples
Show all the assets for which the exact registrant organization of domain/subdomain matches
whoIs:(registrantOrg: `Qualys, Inc`)
Show all the assets for which the part of the registrant organization of domain/subdomain matches
whoIs:(registrantOrg: "Qualys,")
whoIs.registrantEmailIdwhoIs.registrantEmailId
Examples
Show all the assets for which the exact registrant email id of the domain or subdomain matches
whoIs:(registrantEmailId: `66aab8e6ace-49101@contact.qualys.net`)
Show all the assets for which the part of the registrant email id of the domain or subdomain matches
whoIs:(registrantEmailId: "66aab8e6ace-49101@contact.qualys.net")
whoIs.registrarwhoIs.registrar
Examples
Show all the assets for which the exact registrar matches
whoIs:(registrar: `abc net`)
Show all assets for which the part of the registrar matches
whoIs:(registrar: "abc net")
Example
Show assets with active agents
agent.status: ACTIVE
Example
Show assets on windows platform
agent.platform: Windows
sensors.firstEasmScanDatesensors.firstEasmScanDate
Example
Show a list of externally exposed assets scanned for the first time on or after 2022-10-04
sensors.firstEasmScanDate >= '2022-10-04'
Show a list of externally exposed assets that are scanned for the first time before 2022-10-04
sensors.firstEasmScanDate <= '2022-10-04'
Show a list of externally exposed assets that are scanned for the first time after 2022-10-04
sensors.firstEasmScanDate > '2022-10-04'
Show a list of externally exposed assets that are scanned for the first time on 2022-10-04
sensors.lastEasmScanDatesensors.lastEasmScanDate
Example
Show a list of externally exposed assets from the latest scan on or after 2022-10-04
sensors.lastEasmScanDate >= '2022-10-04'
Show a list of externally exposed assets from the latest scan before 2022-10-04
sensors.lastEasmScanDate <= '2022-10-04'
Show a list of externally exposed assets from the latest scan after 2022-10-04
sensors.lastEasmScanDate > '2022-10-04'
Note: This token is for the "Third-Party Asset Import" which is a new feature in the Beta phase. It's in the early stage and only available on a request basis. Contact your Technical Account Manager (TAM) for more information.
Examples
Show findings that include the following content part in the rule name
ruleName:"IP and Mac"
Show findings with the exact rule name
ruleName:`IP and Mac Rule`
identificationAttributeidentificationAttribute
Note: This token is for the "Third-Party Asset Import" which is a new feature in the Beta phase. It's in the early stage and only available on a request basis. Contact your Technical Account Manager (TAM) for more information.
Example
Show findings with the specified attribute.
identificationAttribute:`Hostname`
agent.isPassiveSensoragent.isPassiveSensor
Select true to view assets for which the cloud agent acts as a passive sensor.
Examples
Show findings to view assets for which the cloud agent acts as a passive sensor.
agent.isPassiveSensor:true
Show findings to view assets for which the cloud agent doesn't act as a passive sensor.
agent.isPassiveSensor:false
openPorts:(discoverySourcesopenPorts:(discoverySources
Examples
Show findings from cloud agents
openPorts:(discoverySources: Cloud Agent)
Show findings from Passive Sensor
openPorts:(discoverySources: CMDB)
software:(discoverySourcessoftware:(discoverySources
Examples
Show findings from cloud agents
software:(discoverySources: Cloud Agent)
Show findings from Passive Sensor
software:(discoverySources: CMDB)
missingSoftware.detectionScoremissingSoftware.detectionScore
Examples
Show findings with the the missing software detection score
missingSoftware.detectionScore: 50)
Show findings with the missing software detection score
missingSoftware.detectionScore>50)
Show findings with the missing software detection score
missingSoftware.detectionScore<50)
Show findings with the missing software detection score
missingSoftware.detectionScore>=50)
Show findings with the missing software detection score
missingSoftware.detectionScore<=50)
vmManifestVersionvmManifestVersion
Use the manifest version to find host assets, where VM scan is performed using the specific manifest version.
Example
Show host assets, where VM scan is performed with the specified manifest version
vmManifestVersion: "VULNSIGS-VM-2.6.30.3-4"
pcManifestVersionpcManifestVersion
Use the manifest version to find host assets, where PC scan is performed using the specific manifest version.
Example
Show host assets, where PC scan is performed with the specified manifest version.
pcManifestVersion: "VULNSIGS-PC-2.6.40-5"
udcManifestVersionudcManifestVersion
Use the manifest version to find host assets, where UDC scan is performed using the specific manifest version.
Example
Show host assets, where UDC scan is performed with the specified manifest version
udcManifestVersion: "UDCVULNSIGS-1797"
middlewareManifestVersionmiddlewareManifestVersion
Use the manifest version to find host assets, where middleware scan is performed using the specific manifest version.
Example
Show host assets, where middleware scan is performed with the specified manifest version
middlewareManifestVersion: "VULNSIGS-2.5.526.2-1-MiddlewarePC-LINUX"
scaManifestVersionscaManifestVersion
Use the manifest version to find host assets, where SCA scan is performed using the specific manifest version.
Example
Show host assets, where SCA scan is performed with the specified manifest version
scaManifestVersion: "VULNSIGS-SCA-0.35.0.0-3"
instance:(lastFoundinstance:(lastFound
Use a date range or specific date to find when the instances were last found.
Examples
Show the last found instances within certain dates
instance:(lastFound: [2024-01-01 ... 2024-01-15])
Show the last found instances starting 2024-01-15, ending 3 months ago
instance:(lastFound: [2024-01-15 ... now-3M])
Show the last found instances starting 2 weeks ago, ending 1 second ago
instance:(lastFound: [now-2w ... now-1s])
Show the last found instances found on a specific date
instance:(lastFound: `2019-03-18`)
Show the last found instances within last 30 days excluding day 30.
instance:(lastFound>now-30d)
Note: We recommend not to use the NOT operator in your range search to form query like NOT instance:(lastFound:[now-30d..now-2s]). See "QQL Best Practices" topic in the Unified Dashboard Online Help.
Show the last found instances within last 30 days including day 30.
instance:(lastFound>=now-30d)
Show the last found instances date which are older than last 30 days excluding day 30.
instance:(lastFound<now-30d)
Show the last found instances which are older than last 30 days including day 30.
instance:(lastFound<=now-30d)
instance:(lastEasmVmScanDateinstance:(lastEasmVmScanDate
Use a date range or specific date to find instances based on the last EASM scan date.
Examples
Show instances based on the last EASM scan date within certain dates
instance:(lastEasmVmScanDate:[2024-01-01 ... 2024-01-15])
Show instances based on the last EASM scan date starting 2024-01-15, ending 1 month ago
instance:(lastEasmVmScanDate:[2024-01-15... now-1M])
Show instances based on the last EASM scan date on a specific date
instance:(lastEasmVmScanDate:`2024-03-18`)
Show instances based on the last EASM scan date within last 30 days excluding day 30.
instance:(lastEasmVmScanDate>now-30d)
Note: We recommend not to use the NOT operator in your range search to form query like NOT instance:(lastEasmVmScanDate:[now-30d..now-2s]). See "QQL Best Practices" topic in the Unified Dashboard Online Help.
Show instances based on the last EASM scan date within last 30 days including day 30.
instance:(lastEasmVmScanDate>=now-30d)
Show instances based on the last EASM scan date which are older than last 30 days excluding day 30.
instance:(lastEasmVmScanDate<now-30d)
Show instances based on the last EASM scan date which are older than last 30 days including day 30.
instance:(lastEasmVmScanDate<=now-30d)
sensors.firstEasmVmScanDatesensors.firstEasmVmScanDate
Use a date range or specific date to find instances based on the first EASM VM scan date.
Examples
Show instances based on the first EASM VMscan date within certain dates
sensors.firstEasmVmScanDate:[2024-01-01 ... 2024-01-15]
Show instances based on the first EASM VMscan date starting 2024-01-15, ending 1 month ago
sensors.firstEasmVmScanDate:[2024-01-15... now-1M]
Show instances based on the first EASM VMscan date on a specific date
sensors.firstEasmVmScanDate:`2024-03-18`
Show instances basedon the first EASM VMscan date within last 30 days excluding day 30.
sensors.firstEasmVmScanDate>now-30d
Note: We recommend not to use the NOT operator in your range search to form query like NOT sensors.firstEasmVmScanDate:[now-30d..now-2s]. See "QQL Best Practices" topic in the Unified Dashboard Online Help.
Show instances based on the first EASM VMscan date within last 30 days including day 30.
sensors.firstEasmVmScanDate>=now-30d
Show instances based on the first EASM VMscan date which are older than last 30 days excluding day 30.
sensors.firstEasmVmScanDate<now-30d
Show instances basedon the first EASM VMscan date which are older than last 30 days including day 30.
sensors.firstEasmVmScanDate<=now-30d
sensors.lastEasmVmScanDatesensors.lastEasmVmScanDate
Use a date range or specific date to find instances based on the last EASM VM scan date.
Examples
Show instances based on the last EASM VM scan date within certain dates
sensors.lastEasmVmScanDate:[2024-01-01 ... 2024-01-15]
Show instances based on the last EASM VM scan date starting 2024-01-15, ending 1 month ago
sensors.lastEasmVmScanDate:[2024-01-15... now-1M]
Show instances based on the last EASM VM scan date on a specific date
sensors.lastEasmVmScanDate:`2024-03-18`
Show instances based on the last EASM VM scan date within last 30 days excluding day 30.
sensors.lastEasmVmScanDate>now-30d
Note: We recommend not to use the NOT operator in your range search to form query like NOT sensors.lastEasmVmScanDate:[now-30d..now-2s]. See "QQL Best Practices" topic in the Unified Dashboard Online Help.
Showinstances based on the last EASM VM scan date within last 30 days including day 30.
sensors.lastEasmVmScanDate>=now-30d
Show instances based on the last EASM VM scan date which are older than last 30 days excluding day 30.
sensors.lastEasmVmScanDate<now-30d
Show instances based on the last EASM VM scan date which are older than last 30 days including day 30.
sensors.lastEasmVmScanDate<=now-30d
Show results based on the specified GPU chip.
Note: The result you get after you enter the QQL search token depends on the tab on which you enter the QQL search token. The result will show the assets, software, potential web assets, open ports, and domains associated with the GPU assets.
Example
Show the GPU assets with the specified substring or component of the GPU chip value.
gpu.chip: "Eclipse"
Show the GPI assets based on the exact specified GPU chip value.
gpu.chip: `Eclipse`
gpu.isAIModelSupportedgpu.isAIModelSupported
Note: The result you get after you enter the QQL search token depends on the tab on which you enter the QQL search token. The result will show the assets, software, potential web assets, open ports, and domains associated with the GPU assets.
Example
Show results, for example, assets with the AI model support.
gpu.isAIModelSupported:true
gpu.manufacturergpu.manufacturer
Note: The result you get after you enter the QQL search token depends on the tab on which you enter the QQL search token. The result will show the assets, software, potential web assets, open ports, and domains associated with the GPU assets.
Examples
Show the GPU assets based on the specified substring or component of the GPU manufacturer value.
gpu.manufacturer: "Matrox"
Show GPU assets based on the specified exact GPU manufacturer value.
gpu.manufacturer: `Matrox`
Note: The result you get after you enter the QQL search token depends on the tab on which you enter the QQL search token. The result will show the assets, software, potential web assets, open ports, and domains associated with the GPU assets.
Example
Show GPU assets based on the substring or component of the specified GPU model value.
gpu.model: "MGA"
Show GPU assets based on the specified exact GPU model value.
gpu.model: `MGA G200e`
Note: The result you get after you enter the QQL search token depends on the tab on which you enter the QQL search token. The result will show the assets, software, potential web assets, open ports, and domains associated with the GPU assets.
Example
Show GPU assets based on the specified substring or component of the GPU name.
gpu.name: "Matrox Electronics"
Show GPU assets based on the specified exact GPU name value.
gpu.name: `Matrox Electronics Millennium G200 MGA G200e`
gpu.tensorCoresgpu.tensorCores
Note: The result you get after you enter the QQL search token depends on the tab on which you enter the QQL search token. The result will show the assets, software, potential web assets, open ports, and domains associated with the GPU assets.
Example
Show GPU assets based on the specified substring or component of the tensorCores value.
gpu.tensorCores: "12"
Show GPU assets based on the specified exact tensorCores value.
gpu.tensorCores: `123`
Use these tokens when searching your AWS EC2 assets on the Assets list.
- Your results may return Terminated instances. It's recommended you include aws.ec2instanceState in your query to reduce the number of results.
- The syntax is different when writing queries for tag rules than when searching assets in the Assets list. Be sure to follow the syntax tips in the drop-down when writing your query.
aws.ec2.accountIdaws.ec2.accountId
Examples
Find EC2 instances that match this account ID
aws.ec2.accountId: 123456789012
Find EC2 instances with account ID starting "12345"
aws.ec2.accountId: 12345*
Find EC2 instances where account ID is null (remove the colon)
aws.ec2.accountId is null
aws.ec2.availabilityZoneaws.ec2.availabilityZone
Example
Find EC2 instances in the us-east-1a availability zone
aws.ec2.availabilityZone: us-east-1a
aws.ec2.hasAgentaws.ec2.hasAgent
Examples
Show findings with a cloud agent
aws.ec2.hasAgent: true
Show findings without a cloud agent
aws.ec2.hasAgent: false
aws.ec2.hostnameaws.ec2.hostname
Examples
Find instances related to name
aws.ec2.hostname: abc.qualys.com
Find instances that match exact value
aws.ec2.hostname: `abc.qualys.com`
aws.ec2.imageIdaws.ec2.imageId
Examples
Find instances related to the Image ID
aws.ec2.imageId: ami-2ea83347
Find instances that match exact value
aws.ec2.imageId: `ami-2ea83347`
aws.ec2.instanceIdaws.ec2.instanceId
Example
Find EC2 instances with this ID
aws.ec2.instanceId: i-1234567890abcdef0
aws.ec2.instanceStateaws.ec2.instanceState
Example
Find running EC2 instances
aws.ec2.instanceState: RUNNING
aws.ec2.instanceTypeaws.ec2.instanceType
Example
Find EC2 instances with instance type t2.micro
aws.ec2.instanceType: t2.micro
aws.ec2.isQualysScanneraws.ec2.isQualysScanner
Examples
Show findings where assets are scanners
aws.ec2.isQualysScanner: true
Show findings where assets are not scanners
aws.ec2.isQualysScanner: false
aws.ec2.kernelIdaws.ec2.kernelId
Example
Find EC2 instances with this kernel ID
aws.ec2.kernelId: aki-70ab0c10
aws.ec2.launchDateaws.ec2.launchDate
Examples
Find EC2 instances launched within certain dates
aws.ec2.launchDate: [2017-06-15 ... 2017-06-30]
Find EC2 instances launched on specific date
aws.ec2.launchDate:'2017-08-15'
aws.ec2.privateDNSaws.ec2.privateDNS
Example
Find the EC2 instance with this private DNS address
aws.ec2.privateDNS: ip-10-90-2-85.ec2.internal
aws.ec2.privateIpAddressaws.ec2.privateIpAddress
Examples
Find EC2 instances with this private IP address
aws.ec2.privateIpAddress: 10.90.0.119
Find EC2 instances within this IP range
aws.ec2.privateIpAddress: [10.1.78.23 ... 10.100.78.235]
aws.ec2.publicDNSaws.ec2.publicDNS
Example
Find the EC2 instance with this public DNS address
aws.ec2.publicDNS: ec2-52-70-141-154.compute-1.amazonaws.com
aws.ec2.publicIpAddressaws.ec2.publicIpAddress
Examples
Find EC2 instances with this public IP address
aws.ec2.publicIpAddress: 52.70.141.154
Find EC2 instances within this IP range
aws.ec2.publicIpAddress: [52.70.141.154 ... 52.70.141.164]
aws.ec2.region.codeaws.ec2.region.code
Example
Find EC2 instances in the us-east-1 region
aws.ec2.region.code: us-east-1
aws.ec2.region.nameaws.ec2.region.name
Example
Find EC2 instances in the US East (N. Virginia) region
aws.ec2.region.name: US East (N. Virginia)
aws.ec2.spotInstanceaws.ec2.spotInstance
Examples
Show EC2 Spot instances
aws.ec2.spotInstance: "true"
Show EC2 instances that are not Spot instances
aws.ec2.spotInstance: "false"
aws.ec2.subnetIdaws.ec2.subnetId
Example
Find EC2 instances with this subnet ID
aws.ec2.subnetId: subnet-bc02c0d4
Example
Find EC2 instances with this VPC ID
aws.ec2.vpcId: vpc-1e37cd76
Use these tokens when searching Microsoft Azure assets on the Assets list.
azure.vm.imageOfferazure.vm.imageOffer
Examples
Find Azure instances related to name
azure.vm.imageOffer: UbuntuServer
Find Azure instances that match exact value
azure.vm.imageOffer: `UbuntuServer`
azure.vm.imagePublisherazure.vm.imagePublisher
Examples
Find Azure instances related to name
azure.vm.imagePublisher: Canonical
Find Azure instances that match exact value
azure.vm.imagePublisher: `Canonical`
azure.vm.imageVersionazure.vm.imageVersion
Example
Find Azure instances with this sku version
azure.vm.imageVersion: 16.04.201708030
azure.vm.locationazure.vm.location
Example
Find Azure instances in this location
azure.vm.location: westus
azure.vm.macAddressazure.vm.macAddress
Example
Find Azure instances with this MAC address
azure.vm.macAddress: '000D3A36DDED'
Examples
Find Azure instances related to name
azure.vm.name: avset2
Find Azure instances that match exact value
azure.vm.name: `avset2`
azure.vm.platformazure.vm.platform
Example
Find Azure instances on Windows platform
azure.vm.platform: Windows
azure.vm.privateIpAddressazure.vm.privateIpAddress
Examples
Find Azure instances with this private IP
azure.vm.privateIpAddress: 10.1.2.5
Find Azure instances within this IP range
azure.vm.privateIpAddress: [10.1.2.5 ... 10.1.2.33]
azure.vm.publicIpAddressazure.vm.publicIpAddress
Examples
Find Azure instances with this public IP
azure.vm.publicIpAddress: 13.126.125.189
Find Azure instances within this IP range
azure.vm.publicIpAddress: [13.126.125.180 ... 13.126.125.255]
azure.vm.virtualNetworkazure.vm.virtualNetwork
Examples
Find Azure instances related to virtual network
azure.vm.virtualNetwork: cli-vnet
Find Azure instances that match exact value of virtual network
azure.vm.virtualNetwork: `cli-vnet`
azure.vm.resourceGroupNameazure.vm.resourceGroupName
Examples
Find Azure instances related to name
azure.vm.resourceGroupName: my-eastus-rg
Find Azure instances that match exact value
azure.vm.resourceGroupName: `my-eastus-rg`
Example
Find Azure instances with this size
azure.vm.size: Standard_D1
Example
Find running Azure instances
azure.vm.state: RUNNING
azure.vm.subnetazure.vm.subnet
Example
Find Azure instances with this subnet
azure.vm.subnet: 10.1.2.0
azure.vm.subscriptionIdazure.vm.subscriptionId
Example
Find Azure instances with this subscription ID
azure.vm.subscriptionId: fbb9ea64-abda-452e-adfa-83442409
Example
Find Azure instances with this ID
azure.vm.vmId: 13f56399-bd52-4150-9748-7190aae1ff21
azure.vm.hasAgentazure.vm.hasAgent
Example
Find Azure instances with agents
azure.vm.hasAgent: "true"
Use these tokens when searching Google Cloud Platform assets on the Assets list.
gcp.compute.hostnamegcp.compute.hostname
Examples
Find GCP instances related to name
gcp.compute.hostname: instance-5.c.qvsa-dev.internal
Find GCP instances that match exact value
gcp.compute.hostname: `instance-5.c.qvsa-dev.internal`
gcp.compute.imageIdgcp.compute.imageId
Examples
Find GCP instances related to the Image ID
gcp.compute.imageId: projects/centos-cloud
Find GCP instances that match exact value
gcp.compute.imageId: `projects/centos-cloud/global/images/centos-6-v20191014`
gcp.compute.instanceIdgcp.compute.instanceId
Example
Find GCP instances with this ID
gcp.compute.instanceId: 4392196237934605253
gcp.compute.macAddressgcp.compute.macAddress
Example
Find GCP instances with this MAC address
gcp.compute.macAddress: '000D3A36DDED'
gcp.compute.machineTypegcp.compute.machineType
Examples
Find GCP instances related to name
gcp.compute.machineType: n1-standard-1
Find GCP instances that match exact value
gcp.compute.machineType: `n1-standard-1`
gcp.compute.networkgcp.compute.network
Example
Find GCP instances with this network
gcp.compute.network: 000D3A36DDED
gcp.compute.privateIpAddressgcp.compute.privateIpAddress
Examples
Find GCP instances with this private IP
gcp.compute.privateIpAddress: 10.240.0.7
Find GCP instances with this private IP range
gcp.compute.privateIpAddress: [10.240.0.7 ... 10.240.0.30]
gcp.compute.projectIdgcp.compute.projectId
Examples
Find GCP instances related to ID
gcp.compute.projectId: qvsa-dev
Find GCP instances that match exact value
gcp.compute.projectId: `qvsa-dev`
gcp.compute.projectNumbergcp.compute.projectNumber
Examples
Find GCP instances related to this number
gcp.compute.projectNumber: 1035365309337
Find GCP instances that match exact value
gcp.compute.projectNumber: `1035365309337`
gcp.compute.publicIpAddressgcp.compute.publicIpAddress
Examples
Find GCP instances with this public IP
gcp.compute.publicIpAddress: 104.196.57.216
Find GCP instances within this IP range
gcp.compute.publicIpAddress: [104.196.57.216 ... 104.196.57.218]
gcp.compute.stategcp.compute.state
Type your drop-dowSelect the name of the instance state (PENDING, RUNNING, STOPPED, TERMINATED, STOPPING, SHUTTING_DOWN, DEALLOCATED) you're interested in. Select from names in the drop-down menu.
Example
Find running GCP instances
gcp.compute.state: RUNNING
gcp.compute.zonegcp.compute.zone
Examples
Find GCP instances related to name
gcp.compute.zone: us-east1-d
Find GCP instances that match exact value
gcp.compute.zone: `us-east1-d`
gcp.compute.hasAgentgcp.compute.hasAgent
Example
Find GCP instances with agents
gcp.compute.hasAgent: "true"
Use these tokens when searching Oracle Cloud Infrastructure (OCI) assets on the Assets list.
oci.compute.availabilityDomainoci.compute.availabilityDomain
Example
Show all assets with the available domain Lhkx:US-ASHBURN-AD-1
oci.compute.availabilityDomain:"Lhkx:US-ASHBURN-AD-1"
oci.compute.canonicalRegionNameoci.compute.canonicalRegionName
Example
Show all assets with the canonical region name us-ashburn-1
oci.compute.canonicalRegionName:"us-ashburn-1"
oci.compute.compartmentIdoci.compute.compartmentId
Example
Show assets with this OCI compartment ID
oci.compute.compartmentId:"ocid1.compartment.oc1..123452sjze35z6bkhvwjtzzgcp534zj4o75tgsizg3q36wl447jvfg6dq"
oci.compute.compartmentNameoci.compute.compartmentName
Example
Show assets with this OCI compartment name
oci.compute.compartmentName:"ocid1.compartment.abc"
oci.compute.displayNameoci.compute.displayName
Example
Show assets with display name oracle 8.
oci.compute.displayName:"oracle 8"
oci.compute.faultDomainoci.compute.faultDomain
Example
Show all assets with fault domain FAULT-DOMAIN-1
oci.compute.faultDomain:"FAULT-DOMAIN-1"
oci.compute.hasAgentoci.compute.hasAgent
Example
Show all assets with having cloud agent installed
oci.compute.hasAgent:"true"
oci.compute.hostNameoci.compute.hostName
Example
Show all findings with the host name oracle-8
oci.compute.hostName:"oracle-8"
oci.compute.imageIdoci.compute.imageId
Example
Show all assets with the ocid1.image.oc1.iad.aaaaaaaaffp3cnkpfxibzrdkfnxbitkgxk7al33rrhpzhfnrhfv7ml2xdpyq image ID
oci.compute.imageId:"ocid1.image.oc1.iad.aaaaaaaaffp3cnkpfxibzrdkfnxbitkgxk7al33rrhpzhfnrhfv7ml2xdpyq"
oci.compute.isQualysScanneroci.compute.isQualysScanner
Example
Show all assets that are Qualys Scanner.
oci.compute.isQualysScanner:"true"
oci.compute.ociIdoci.compute.ociId
Example
Show assets with this OCI ID
oci.compute.ociId:"ocid1.compartment.oc1..1234567lbhcx2ajiagh57wrurvqs2ubd4ttaimgy22cxh3r6brpmmugq"
oci.compute.regionoci.compute.region
Example
Show all assets with the region us-east-1
oci.compute.region:"us-east-1"
oci.compute.regionKeyoci.compute.regionKey
Example
Show all assets with the region key SYD
oci.compute.regionKey:"SYD"
oci.compute.regionRealmoci.compute.regionRealm
Example
Show all assets with the region realm OC1
oci.compute.regionRealm:"OC1"
oci.compute.shapeoci.compute.shape
Example
Show all assets with the shape x5-2.36.512
oci.compute.shape:"x5-2.36.512"
oci.compute.stateoci.compute.state
Example
Show all assets with the compute state Starting
oci.compute.state:STARTING
oci.compute.tenantIdoci.compute.tenantId
Example
Show all assets with the specific tenant ID
oci.compute.tenantId:"ocid1.tenancy.oc1..aaaaaaaax2gwhq3hszjqhte5pgzijgyge6gvlsrqar6kxn7itwhk7keokamq"
oci.compute.tenantNameoci.compute.tenantName
Example
Show all assets with the specific tenant name
oci.compute.tenantName:"oraclecengg1"
oci.compute.timeCreatedoci.compute.timeCreated
Example
Show findings with last check in within a specific date range.
oci.compute.timeCreated:[2020-01-01 ... 2020-01-10]
Show findings with last check in starting 2019-11-01, ending 1 month ago.
oci.compute.timeCreated:[2019-11-01 ... now-1M]
Show findings with last check in starting 2 weeks ago, ending 1 second ago.
oci.vnic.macAddroci.vnic.macAddr
Example
Show all assets with the MAC address 02:00:17:06:bd:b3
oci.vnic(macAddr:"02:00:17:06:bd:b3")
oci.vnic.nicIndexoci.vnic.nicIndex
Example
Show all assets with the index 1
oci.vnic(nicIndex:1)
oci.vnic.privateIpoci.vnic.privateIp
Example
Show all assets with this private IP
oci.vnic(privateIp:10.0.0.222)
oci.vnic.publicIpoci.vnic.publicIp
Example
Show all assets with this public IP
oci.vnic(publicIp:10.0.0.222)
oci.vnic.subnetCidrBlockoci.vnic.subnetCidrBlock
Example
Show all assets with the block 10.0.0.0/24
oci.vnic(subnetCidrBlock:10.0.0.0/24)
oci.vnic.subnetIdoci.vnic.subnetId
Example
Find OCI instances with this subnet ID
oci.vnic(subnetId: "subnet-bc02c0d4")
oci.vnic.subnetNameoci.vnic.subnetName
Example
Find OCI instances with this subnet name
oci.vnic(subnetName: "subnet-abc")
Example
Show all assets with this VCN ID
oci.vnic(vcnId:"ocid1.vnic.oc1.iad.abuwcljt6cdjcuwhkce37madk4p6bd6ocjknilpwzai5rsyjejteiodyp22q")
oci.vnic.vcnNameoci.vnic.vcnName
Example
Show all assets with this vcn name
oci.vnic(vcnName:"abc")
oci.vnic.virtualRouterIpoci.vnic.virtualRouterIp
Example
Show all assets with the router IP 10.0.0.1
oci.vnic(virtualRouterIp:10.0.0.1)
oci.vnic.vlanTagoci.vnic.vlanTag
Example
Show all assets with the vlan tag 1
oci.vnic(vlanTag:1)
oci.vnic.vnicIdoci.vnic.vnicId
Example
Show all assets with the VNIC ID ocid1.vnic.oc1.iad.abuwcljt6cdjcuwhkce37madk4p6bd6ocjknilpwzai5rsyjejteiodyp22q
oci.vnic(vnicId:"ocid1.vnic.oc1.iad.abuwcljt6cdjcuwhkce37madk4p6bd6ocjknilpwzai5rsyjejteiodyp22q")
Use these tokens when searching IBM Cloud assets on the Assets list.
ibm.virtualServer.datacenterIdibm.virtualServer.datacenterId
Example
Find IBM instances with this datacenter ID
ibm.virtualServer.datacenterId: 1854895
ibm.virtualServer.deviceNameibm.virtualServer.deviceName
Examples
Find IBM instances related to name
ibm.virtualServer.deviceName: "virtualserver01.Qualys-Inc.cloud"
Find IBM instances that match exact value
ibm.virtualServer.deviceName: `virtualserver01.Qualys-Inc.cloud`
ibm.virtualServer.domainibm.virtualServer.domain
Example
Show all assets with virtual server domain Qualys-Inc.cloud
ibm.virtualServer.domain:"Qualys-Inc.cloud"
ibm.virtualServer.idibm.virtualServer.id
Example
Show all assets with the 8998892 virtual server ID
ibm.virtualServer.id:8998892
ibm.virtualServer.locationibm.virtualServer.location
Example
Find IBM instances in this location
ibm.virtualServer.location: "westus"
ibm.virtualServer.privateIpAddressibm.virtualServer.privateIpAddress
Examples
Find IBM instances with this private IP
ibm.virtualServer.privateIpAddress: 10.240.0.7
Find IBM instances with this private IP range
ibm.virtualServer.privateIpAddress: [10.240.0.7 ... 10.240.0.30]
ibm.virtualServer.privateVlanibm.virtualServer.privateVlan
Example
Find the IBM instance with this private Vlan address
ibm.virtualServer.privateVlan: 3455
ibm.virtualServer.publicIpAddressibm.virtualServer.publicIpAddress
Examples
Find IBM instances with this public IP
ibm.virtualServer.publicIpAddress: 10.240.0.7
Find IBM instances with this public IP range
ibm.virtualServer.publicIpAddress: [10.240.0.7 ... 10.240.0.30]
ibm.virtualServer.publicVlanibm.virtualServer.publicVlan
Example
Find the IBM instance with this public Vlan address
ibm.virtualServer.publicVlan: 3455
ibm.virtualServer.stateibm.virtualServer.state
Example
Show all assets with the virtual server state Starting
ibm.virtualServer.state:STARTING
The Qualys Query Language (QQL) supports the following logical or Boolean query operators. Use these operators in your queries to narrow down or broaden your search.
Narrow down your search by using the 'and' operator in your Boolean query. The result contains all the token values that you provide in your query.
Example
asset.status: Enrolled and asset.assetID: 122855563
The asset having the ID 122855563 and with status as Enrolled is returned in the result.
Narrow down your search by using the 'not' operator in your Boolean query. The result contains all the other values except the one that you specify after 'not' in your query.
Example
not tags.name: Windows
Assets with the Windows tag are excluded from search results.
Broaden your search by using the 'or' operator in your Boolean query. The result contains any of the token values that you provide in your query.
Example
tags.name:Cloud Agent or tags.name:Windows
The assets that have the Cloud Agent tag or the Windows tag are returned in the result.
hardware.typingConfidencehardware.typingConfidence
Example
Show this hardware typing confidence
hardware.typingConfidence:HIGH
passiveSensor.idpassiveSensor.id
Example
Show this sensor ID
passiveSensor.id:"003687557369:1654660042:3809075:704:1654660042:3809075:704"
passiveSensor.locationpassiveSensor.location
Examples
Show assets with sensor location (appliance location label) as SanJose1
passiveSensor.location:"SanJose1"
passiveSensor.namepassiveSensor.name
Examples
Show assets with sensor name as ITCorp-appliance
passiveSensor.name:"ITCorp-appliance"
passiveSensor.lastUpdatedpassiveSensor.lastUpdated
Examples
Show passive sensors last updated within certain dates
passiveSensor.lastUpdated:[2019-01-01 ... 2019-01-15]
Show passive sensors last updated starting 2019-01-15, ending 1 month ago
passiveSensor.lastUpdated:[2019-01-15 ... now-1M]
Show passive sensors last updated starting 2 weeks ago, ending 1 second ago
passiveSensor.lastUpdated:[now-2w ... now-1s]
Show passive sensors last updated on a specific date
passiveSensor.lastUpdated:`2019-03-18`
openPorts.lastFoundopenPorts.lastFound
Examples
Show open ports found within certain dates
openPorts.lastFound: [2019-01-01 ... 2019-01-15]
Show open ports found starting 2019-01-15, ending 3 months ago
openPorts.lastFound: [2019-01-15 ... now-3M]
Show open ports found starting 2 weeks ago, ending 1 second ago
openPorts.lastFound: [now-2w ... now-1s]
Show open ports found on a specific date
openPorts.lastFound:'2019-03-18'
openPort.lastUpdatedopenPort.lastUpdated
Examples
Show ports updated within certain dates
openPort.lastUpdated: [2019-01-01 ... 2019-01-15]
Show ports updated starting 2019-01-15, ending 3 months ago
openPort.lastUpdated: [2019-01-15 ... now-3M]
Show ports updated starting 2 weeks ago, ending 1 second ago
openPort.lastUpdated: [now-2w ... now-1s]
Show ports updated on a specific date
openPort.lastUpdated:'2019-03-18'
traffic.protocoltraffic.protocol
Example
Show assets with traffic over TCP
traffic.protocol:tcp
Example
Show assets with traffic over port 80
traffic.port:80
Example
Show assets with peer to peer traffic
traffic.family:Peer to Peer
traffic.applicationtraffic.application
Example
Show assets with traffic from BitTorrent
traffic.application:BitTorrent
traffic.servicetraffic.service
Example
Show assets with traffic from HTTP
traffic.service:http
inventory.scannerIDinventory.scannerID
Example
Show traffic with this scanner ID
inventory.scannerID:345678892
inventory.scannerNameinventory.scannerName
Examples
Show any traffic that contain parts of name
inventory.scannerName:"acme-ps-001"
Show any traffic that match exact value "acme-ps-001"
inventory.scannerName:`acme-ps-001`
inventory.scannerLocationinventory.scannerLocation
Example
Show traffic with scanner location as Pune 10th floor States
inventory.scannerLocation: Pune 10th floor
Example
Find traffic of client type Managed
client.type: Managed
Example
Show traffic with this client asset ID
client.assetID:122855563
Examples
Show any traffic that contain parts of name
client.name:"ACMENVT7"
Show any traffic that match exact value "ACMENVT7"
client.name:`ACMENVT7`
client.lastLoggedOnUserclient.lastLoggedOnUser
Examples
Show traffic with last logon by user jdoe
client.lastLoggedOnUser:jdoe
client.hardware.categoryclient.hardware.category
Examples
Show any traffic that match exact value
client.hardware.category:Computer/Server
client.hardwareclient.hardware
Examples
Show any traffic that contain parts of name
client.hardware:"Dell Latitude e7470"
Show any traffic that match exact value
client.hardware:`Dell Latitude e7470`
client.interfaces.macAddressclient.interfaces.macAddress
Example
Show the traffic with this MAC address
client.interfaces.macAddress:"00:0D:3A:27:15:BA"
client.interfaces.addressclient.interfaces.address
Examples
Show traffic for this IP address
client.interfaces.address:10.20.0.5
Example
Find traffic for server type Internal
server.type: Internal
Example
Show traffic for this asset ID
server.assetID:122855563
Examples
Show any traffic that contain parts of name
server.name:"ACMENVT7"
Show any traffic that match exact value "ACMENVT7"
server.name:`ACMENVT7`
server.lastLoggedOnUserserver.lastLoggedOnUser
Examples
Show traffic with last logon by user jdoe
server.lastLoggedOnUser:jdoe
server.hardware.categoryserver.hardware.category
Use values within quotes or backticks to help you find the traffic based on server hardware category.
Examples
Show any traffic that match exact value
server.hardware.category:Computer/Server
server.hardwareserver.hardware
Examples
Show any traffic that contain parts of name
server.hardware:"Dell Latitude e7470"
Show any traffic that match exact value
server.hardware:`Dell Latitude e7470`
server.interfaces.macAddressserver.interfaces.macAddress
Example
Show the traffic with this MAC address
server.interfaces.macAddress:"00:0D:3A:27:15:BA"
server.interfaces.addressserver.interfaces.address
Examples
Show traffic for this IP address
server.interfaces.address:10.20.0.5
traffic.serverPorttraffic.serverPort
Example
Show traffic with server port 80
traffic.serverPort:80
traffic.stc.volumetraffic.stc.volume
Examples
Show Server-to-Client traffic greater than 1 MB volume
traffic.stc.volume > 1000000
Show Server-to-Client traffic less than 1 GB volume
traffic.stc.volume < 1000000000
Show Server-to-Client traffic with 1 GB volume
traffic.stc.volume : 1000000000
traffic.cts.volumetraffic.cts.volume
Examples
Show Client-to-Server traffic greater than 1 MB volume
traffic.cts.volume > 1000000
Show Client-to-Server traffic less than 1 GB volume
traffic.cts.volume < 1000000000
Show Client-to-Server traffic with 1 GB volume
traffic.cts.volume : 1000000000
traffic.total.volumetraffic.total.volume
Examples
Show total traffic greater than 1 MB volume
traffic.total.volume > 1000000
Show total traffic less than 1 GB volume
traffic.total.volume < 1000000000
Show total traffic with 1 GB volume
traffic.total.volume : 1000000000
traffic.reportingStartTimetraffic.reportingStartTime
Example
Show traffic with reporting start time
traffic.reportingStartTime > '2020-07-01'
traffic.reportingEndTimetraffic.reportingEndTime
Example
Show traffic with reporting end time
traffic.reportingEndTime < '2020-07-01'
Use these tokens when searching Alibaba assets.
alibaba.instance.accountIdalibaba.instance.accountId
Examples
Find Alibaba instances with the following account ID
alibaba.instance.accountId: 123456789012
Find Alibaba instances with account ID starting "12345"
alibaba.instance.accountId: 12345*
alibaba.instance.dnsServeralibaba.instance.dnsServer
Example
Find Alibaba instances of the following DNS
alibaba.instance.dnsServer: 100.xxx.x.xxx
alibaba.instance.hasAgentalibaba.instance.hasAgent
Example
Find Alibaba instances with agents
alibaba.instance.hasAgent: true
alibaba.instance.hostNamealibaba.instance.hostName
Example
Find Alibaba instances related to name
alibaba.instance.hostName: abc.qualys.com
alibaba.instance.imageIdalibaba.instance.imageId
Example
Find instances related to image id
alibaba.instance.imageId: ubuntu_14_0405_64_20G_alibase_20170824.vhd
alibaba.instance.instanceIdalibaba.instance.instanceId
Example
Find Alibaba instances with this instance ID
alibaba.instance.instanceId: i-a2dxxxxsxxxxxhdfax
alibaba.instance.instanceTypealibaba.instance.instanceType
Example
Find Alibaba instances with this instance type
alibaba.instance.instanceType: ecs.t5-lc1m1.small
alibaba.instance.interfaceIdalibaba.instance.interfaceId
Example
Find Alibaba instances of the following interface id
alibaba.instance.interfaceId: a2dxxxxaixxxtux572
alibaba.instance.instanceStatealibaba.instance.instanceState
Example
Find Alibaba instances for the following state
alibaba.instance.instanceState: RUNNING
alibaba.instance.macAddressalibaba.instance.macAddress
Example
Find Alibaba instances with this MAC address
alibaba.instance.macAddress: 00:16:3e:0f:XX:XX
alibaba.instance.networkTypealibaba.instance.networkType
Example
Find Alibaba instances with this network type
alibaba.instance.networkType: vpc
alibaba.instance.privateIpAddressalibaba.instance.privateIpAddress
Example
Find Alibaba instances with the following private IP address
alibaba.instance.privateIpAddress: 192.168.XX.XX
alibaba.instance.publicIpAddressalibaba.instance.publicIpAddress
Example
Find Alibaba instances with the following public IP address
alibaba.instance.publicIpAddress: 149.xx.xx.xx
alibaba.instance.region.codealibaba.instance.region.code
Example
Find Alibaba instances for the following region code
alibaba.instance.region.code: cn-chengdu
alibaba.instance.region.namealibaba.instance.region.name
Example
Find Alibaba instances for the following region
alibaba.instance.region.name: US (Silicon Valley)
alibaba.instance.serialNumberalibaba.instance.serialNumber
Example
Find Alibaba instances of the following serial number
alibaba.instance.serialNumber: 12trexxxxr-3xx-xxx-rtg4-xxxx6t45
alibaba.instance.vpcCidrBlockalibaba.instance.vpcCidrBlock
Use a text value to define the serial number of the instance.
Example
Find Alibaba instances of the following CIDR block
alibaba.instance.vpcCidrBlock: 172.xx.x.x/16
alibaba.instance.vpcIdalibaba.instance.vpcId
Use a text value to search all the Alibaba instances with the specified VPC ID.
Example
Show Alibaba instances with this VPC ID
alibaba.instance.vpcId: vpc-a2d6pxxxxvvdadd5yikj
alibaba.instance.vswitchIdalibaba.instance.vswitchId
Use a text value to search all the Alibaba instances with the specified vswitchId.
Example
Show Alibaba instances with of the following switch ID
alibaba.instance.vswitchId: vsw-a2dxxxoxxxxsqx1mxxxdd
alibaba.instance.vswitchCidrBlockalibaba.instance.vswitchCidrBlock
Use an integer value to define the CIDR block of the switch to which the Alibaba instance is connected.
Example
Find Alibaba instances of the following CIDR block of the switch
alibaba.instance.vswitchCidrBlock: 192.168.XX.XX/24
alibaba.instance.zoneIdalibaba.instance.zoneId
Examples
Find Alibaba instances of the following zone id
alibaba.instance.zoneId: cn-chengdu-a
Use these tokens when searching for Certificate details
Example
Show certificates for the asset with the following asset name
asset:(name: investor.qualys.com)
asset:(interfaces.hostnameasset:(interfaces.hostname
Example
Show certificates for the asset with the following interface hostname
asset:(interfaces.hostname: xpsp2-jp-26-111)
asset:(interfaces.addressasset:(interfaces.address
Example
Show certificates for the asset with the following interface address
asset:(interfaces.address: 10.20.30.40)
asset:(netbiosNameasset:(netbiosName
Example
Show certificate details for the specified host NetBios name.
asset:(netbiosName: server1)
Example
Show certificates on assets scanned by WAS using WAS URL
asset:(wasUrl: "https://www.example.com")
certificate:(approvedcertificate:(approved
Example
Show certificates that have approval status true from approved CAs
certificate:(approved: true)
certificate:(dncertificate:(dn
Examples
Show certificates that have this subject identifier in the distinguished name.
certificate:(dn: ST=California)
certificate:(certhashcertificate:(certhash
Example
Show certificates that have this hash value
certificate:(certhash: 20e1541486f2cd405559d8483a3663f2a77c3cf93c72f4f915259f084f814221)
certificate:(issuer.countrycertificate:(issuer.country
Example
Show certificates that have this country in issuer DN
certificate:(issuer.country: US)
certificate:(issuer.organizationcertificate:(issuer.organization
Example
Show certificates that have this organization in issuer DN
certificate:(issuer.organization: Symantec Corporation)
certificate:(issuer.namecertificate:(issuer.name
Example
Show the certificates having this issuing authority name
certificate:(issuer.name: Symantec Class 3 EV SSL CA - G3)
certificate:(issuer.organizationUnitcertificate:(issuer.organizationUnit
Example
Show certificates that have this organization unit in issuer DN
certificate:(issuer.organizationUnit: Symantec Trust Network)
certificate:(issuerCategorycertificate:(issuerCategory
Example
Show DigiCert SHA2 Extended Validation Server CA certificates
certificate:(issuerCategory: DigiCert SHA2 Extended Validation Server CA)
certificate:(keySizecertificate:(keySize
Example
Show certificates that have 2048-bit keys
certificate:(keySize: 2048)
certificate:(subject.countrycertificate:(subject.country
Example
Show certificates that have this country in subject DN
certificate:(subject.country: US)
certificate:(subject.organizationcertificate:(subject.organization
Example
Show certificates that have this organization in subject DN
certificate:(subject.organization: Qualys, Inc.)
certificate:(subject.namecertificate:(subject.name
Example
Show certificates with this name
certificate:(subject.name: www.qualys.com)
certificate:(subject.localitycertificate:(subject.locality
Example
Show certificates that have this locality in subject DN
certificate:(subject.locality: Redwood City)
certificate:(subject.statecertificate:(subject.state
Example
Show certificates that have this state in subject DN
certificate:(subject.state: California)
certificate:(subjectAlternativeNames.dnsNamecertificate:(subjectAlternativeNames.dnsName
Example
Show certificates that have the specified DNS Name in Certificate SAN
certificate:(subjectAlternativeNames.dnsName: www.qualys.com)
certificate:(subjectAlternativeNames.ipAddresscertificate:(subjectAlternativeNames.ipAddress
Example
Show certificates that have the specified the IP address in Certificate SAN
certificate:(subjectAlternativeNames.ipAddress: 10.113.197.210)
certificate:(validFromcertificate:(validFrom
Examples
Show certificates that are valid within certain dates
certificate:(validFrom: [2018-06-15 ... 2018-06-30])
Show certificates that are valid on a specific date
certificate:(validFrom: '2017-12-14')
certificate:(validTocertificate:(validTo
Examples
Show certificates that expire before 2022-01-20
certificate:(validTo < "2022-01-20")
Show certificates that expire after 2020
certificate:(validTo > "2020")
Show certificates that expire before March 2020 (yyyy-mm)
certificate:(validTo < "2020-03")
Show certificates that expire between today and 2020-12-01
certificate:(validTo: "[now..2020-12-01]")
certificate:(validitycertificate:(validity
Note: For the Rule query builder of the Responses tab qualifiers like d, m, y are currently not supported. Please specify the value in number of days only.
Examples
Show all certificates whose validity is greater than 200 days
certificate:(validity > 200)
Show all certificates whose validity is less than 200 days
certificate:(validity < 200d)
Show all certificates whose validity is greater than 3 months. One month is considered as 30 days.
certificate:(validity > 3m)
Show all certificates whose validity is greater than 1 year. Here one year is considered as 365 days.
certificate:(validity > 1y)
certificate:(serialNumbercertificate:(serialNumber
Example
Show the certificate that has this serial number
certificate:(serialNumber: "01ab8a210a7cf9955665c47fca758459ca78")
certificate:(expiryGroupcertificate:(expiryGroup
Examples
Show certificates which expired in last 20 days
certificate:(expiryGroup: "In 30 Days")
Show all expired certificates in your subscription
certificate:(expiryGroup: "Expired")
certificate:(isRenewablecertificate:(isRenewable
Example
Show certificates that are renewable with Qualys
certificate:(isRenewable: true)
certificate:(selfSignedcertificate:(selfSigned
Example
Show certificates that are self-signed
certificate:(selfSigned: true)
instance:(cipherSuites.valueinstance:(cipherSuites.value
Example
Show certificates that have this cipher suit enabled in the SSL/TLS instance
instance:(cipherSuites.value: DES-CBC3-SHA)
Example
Show certificates on assets that have this host FQDN
instance:(fqdn: server1.qualys.com)
instance:(gradeinstance:(grade
Example
Show certificates that have this Certificate Grade for an instance on the host
instance:(grade: B)
Example
Show certificates on assets that have this listening port open
instance:(port: 443)
instance:(serviceinstance:(service
Example
Show certificates on assets that have this service
instance:(service: SMTP)
instance:(sourcesinstance:(sources
Examples
Show certificates that are scanned through Cloud Agent
instance:(sources: Cloud Agent)
Show certificates that are scanned through EASM
instance:(sources: EASM)
instance:(sslProtocolsinstance:(sslProtocols
Example
Show certificates on assets that have this SSL/TLS protocol
instance:(sslProtocols: TLSv1.2)
instance:(vulns.severityinstance:(vulns.severity
Example
Show certificates on assets that have this vulnerability severity
instance:(vulns.severity: 3)
instance:(vulns.titleinstance:(vulns.title
Example
Show certificates on assets with vulnerabilities that have POODLE in the vulnerability title
instance:(vulns.title: POODLE)
instance:(vulns.qidinstance:(vulns.qid
Example
Show assets that have this vulnerability QID
instance:(vulns.qid: 38603)
asset:(activatedForModulesasset:(activatedForModules
Examples
Show certificates for assets activated for VM
asset:(activatedForModules: "VM")
asset:(businessApp.nameasset:(businessApp.name
Examples
Show any findings that contain parts of name
businessApp:(name:"HR")
Show any findings that match exact value "HR Intranet"
businessApp:(name:`HR Intranet`)
asset:(businessApp.businessCriticalityasset:(businessApp.businessCriticality
Examples
Show any findings that contain parts of name
asset:(businessApp.businessCriticality: "1 - most")
Show any findings that match exact value "1 - most critical"
asset:(businessApp.businessCriticality: `1 - most critical`)
asset:(businessApp.supportGroupasset:(businessApp.supportGroup
Example
Show certificates with business application support group as Security
asset:(businessApp.supportGroup: Security)
asset:(hardware.category1asset:(hardware.category1
Example
If you are searching for assets that are laser printers, then category1 is Printers and category2 is Laser.
Show any findings that match exact value
asset:(hardware.category1:`Computers`)
asset:(hardware.category2asset:(hardware.category2
Example
If you are searching for assets that are laser printers, then category1 is Printers and category2 is Laser.
Show any findings that match exact value
asset:(hardware.category2:`I/O Module`)
asset:(providerasset:(provider
Examples
Show certificates for assets synced from Amazon AWS
asset:(provider: `AWS`)
asset:(inventory.sourceasset:(inventory.source
Examples
Show certificates for assets with the following inventory source
asset:(inventory.source: `EASM`)
asset:(inventory.createdasset:(inventory.created
Examples
Show asset inventory created within certain dates
asset:(inventory.created: [2019-01-01 ... 2019-01-15])
Show asset inventory created starting 2024-01-15, ending 1 month ago
asset:(inventory.created:[2024-01-15 ... now-1M])
Show asset inventory created starting 2 weeks ago, ending 1 second ago
asset:(Inventory.created: [now-2w ... now-1s])
Show asset inventory created on a specific date
asset:(inventory.created: '2024-03-18')
asset:(inventory.lastUpdatedasset:(inventory.lastUpdated
Examples
Show asset inventory last updated within certain dates
asset:(inventory.lastUpdated: [2024-01-01 ... 2024-01-15])
Show asset inventory last updated starting 2024-01-15, ending 1 month ago
asset:(inventory.lastUpdated: [2024-01-15 ... now-1M])
Show asset inventory starting 2 weeks ago, ending 1 second ago
asset:(inventory.lastUpdated: [now-2w ... now-1s])
Show asset inventory last updated on a specific date
asset:(inventory.lastUpdated: '2024-03-18')