Search Tokens for Vulnerabilities
Supported Boolean Operators
The Qualys Query Language (QQL) supports the following logical or Boolean query operators. Use these operators in your queries to narrow down or broaden your search.
Narrow down your search by using the 'and' operator in your Boolean query. The result contains all the token values that you provide in your query.
Example
vulnerabilities.isDisabled: TRUE and vulnerabilities.detectionScore:80
The vulnerabilities that are disabled and have a detection score of 80 are returned in the result.
Broaden your search by using the 'or' operator in your Boolean query. The result contains any of the token values that you provide in your query.
Example
vulnerabilities.isDisabled: TRUE or vulnerabilities.detectionScore:80
The vulnerabilities that are disabled or the vulnerabilities that have a detection score of 80 are returned in the result.
Vulnerability Tokens
Use these tokens to define search criteria for vulnerabilities.
vulnerabilities.isDisabledvulnerabilities.isDisabled
Use the values true or false to define whether vulnerabilities are disabled or enabled.
Example
Show findings with vulnerabilities disabled
vulnerabilities.isDisabled:TRUE
vulnerabilities.detectionScorevulnerabilities.detectionScore
Use an integer value (0-100) to help you find vulnerabilities based on specific detection score.
Examples
- Show vulnerabilities within this range of detection score
vulnerabilities.detectionScore:[40 ... 69]
vulnerabilities.isFoundvulnerabilities.isFound
Use the values true or false to define vulnerabilities are detected or not on the assets.
Example
Show findings with vulnerabilities detected
vulnerabilities.isFound:TRUE
vulnerabilities.firstFoundDatevulnerabilities.firstFoundDate
Use the specific date to define when findings were first found.
Examples
- Show findings first found on certain date
vulnerabilities.firstFoundDate:'2025-11-11'
vulnerabilities.isIgnoredvulnerabilities.isIgnored
Use true or flase to find vulnerabilities that have been marked as ignored.
Example
Show vulnerabilities that are marked as ignored
vulnerabilities.isIgnored:TRUE
vulnerabilities.instancevulnerabilities.instance
Use a text value to find vulnerabilities found on a certain instance.
Example
Show vulnerabilities found in this instance
vulnerabilities.instance: oracle
vulnerabilities.lastFixedDatevulnerabilities.lastFixedDate
Use a specific date to define when findings were last fixed.
Examples
- Show findings last fixed on certain date
vulnerabilities.lastFixedDate:'2025-01-11'
vulnerabilities.lastFoundDatevulnerabilities.lastFoundDate
Use aspecific date to define when findings were last found.
Examples
- Show findings last found on certain date
vulnerabilities.lastFoundDate:'2026-01-11'
vulnerabilities.nonExploitableConfigvulnerabilities.nonExploitableConfig
Use the values true or false to define vulnerabilities with non-exploitable configurations.
Examples
- Show findings with non exploitable configurations
vulnerabilities.nonExploitableConfig:TRUE - Show findings with exploitable configurations
vulnerabilities.nonExploitableConfig:FALSE
vulnerabilities.nonRunningKernelvulnerabilities.nonRunningKernel
Use the values true or false to view vulnerabilities found on non-running kernels.
Examples
- Show detections found on non-running Kernal
vulnerabilities.nonRunningKernel:TRUE - Show detections found on running Kernal
vulnerabilities.nonRunningKernel:FALSE
vulnerabilities.portvulnerabilities.port
Use an integer value to find vulnerabilities found on a certain port.
Example
Show vulnerabilities found on this port
vulnerabilities.port:443
vulnerabilities.protocolvulnerabilities.protocol
Use a text value UDP or TCP to define the port protocol.
Example
Show vulnerabilities found on TCP protocol
vulnerabilities.protocol:TCP
vulnerabilities.sslvulnerabilities.ssl
Use the values true or false to define vulnerabilities found on secure socket layer (SSL).
Example
Show vulnerabilities associated with SSL
vulnerabilities.ssl:TRUE
vulnerabilities.severityvulnerabilities.severity
Use an integer value to view the severity level set by you to find assets having vulnerabilities. The severity level ranges between 1-5. Select from values in the drop-down menu. If you do not set the severity level, its level will be the same as the level set by Qualys.
Example
Show findings with severity by 5
vulnerabilities.severity:5
For information about customer and Qualys severity, see Customer and Kb Severity Level
vulnerabilities.statusvulnerabilities.status
From the drop-down, select a status Active, Fixed, New, and Reopened to find vulnerabilities with certain status.
If you select the status as Fixed, the list will only show vulnerabilities that have been fixed in the last 365 days.
Example
Show vulnerabilities with New status
vulnerabilities.status:Fixed
vulnerabilities.typeDetectedvulnerabilities.typeDetected
From the drop-down, select a detection type, such as, Confirmed, Potential, and Information to find assets with vulnerabilities of this type.
Example
Show findings with this type
vulnerabilities.typeDetected:Confirmed
vulnerabilities.authTypevulnerabilities.authType
From the drop-down, select the asset.name, such as, WINDOWS_AUTH, UNIX_AUTH, ORACLE_AUTH of an authentication type.
Example
Show findings with Windows auth type
vulnerabilities.authType:WINDOWS_AUTH
vulnerabilities.vulnerability.bugTraqIdvulnerabilities.vulnerability.bugTraqId
Use a text value to find a BugTraq number.
Example
Show findings with BugTraq ID 22211
vulnerabilities.vulnerability.bugTraqId:22211
vulnerabilities.vulnerability.categoryvulnerabilities.vulnerability.category
From the drop-down, select a category, such as, `CGI`, `Database`, `DNS and BIND`, `Custom QID` to find vulnerabilities with this category.
Example
- Show findings with category `CGI`
vulnerabilities.vulnerability.category:`CGI`
Use quotes or backticks within values to help you find the compliance description.
Examples
- Show any findings related to this description
vulnerabilities.vulnerability.compliance.description:malicious software - Show any findings that contain "malicious" or "software" in description
vulnerabilities.vulnerability.compliance.description:"malicious software" - Show any findings that match exact value "malicious software"
vulnerabilities.vulnerability.compliance.description:`malicious software`
vulnerabilities.vulnerability.compliance.sectionvulnerabilities.vulnerability.compliance.section
Use quotes or backticks within values to help you find the compliance section.
Examples
- Show any findings related to this section
vulnerabilities.vulnerability.compliance.section:164.308 - Show any findings that contain parts of section
vulnerabilities.vulnerability.compliance.section:"164.308" - Show any findings that match exact value "164.308"
vulnerabilities.vulnerability.compliance.section:`164.308`
vulnerabilities.vulnerability.compliance.typevulnerabilities.vulnerability.compliance.type
From the drop-down, select the asset.name of a compliance type:
COBIT, HIPAA, GLBA, SOX, PCI
Example
Show findings with the compliance type HIPAA
vulnerabilities.vulnerability.compliance.type:HIPAA
Show findings with the compliance type SOX
vulnerabilities.vulnerability.compliance.type:SOX
Show findings with the compliance type COBIT
vulnerabilities.vulnerability.compliance.type:COBIT
vulnerabilities.vulnerability.impactvulnerabilities.vulnerability.impact
Use quotes or backtick within values to find the impact.
Examples
- Show any findings related to impact
vulnerabilities.vulnerability.impact:sensitive information - Show any findings that contain "identity" or "theft" in consequence
vulnerabilities.vulnerability.impact:"identity theft" - Show any findings that match exact value "financial loss"
vulnerabilities.vulnerability.impact:`financial loss`
vulnerabilities.vulnerability.cveIdvulnerabilities.vulnerability.cveId
Use a text value to find the CVE name.
Example
Show findings with CVE asset.name CVE-2015-0313
vulnerabilities.vulnerability.cveId:CVE-2015-0313
Note: The CVE in the query is case sensitive and must be used in capital case.
vulnerabilities.vulnerability.cvss3BaseScorevulnerabilities.vulnerability.cvss3BaseScore
Use an integer value to find the CVSSv3.1 base score.
Example
Show assets with this score
vulnerabilities.vulnerability.cvss3BaseScore:7.8
vulnerabilities.vulnerability.cvss3TemporalScorevulnerabilities.vulnerability.cvss3TemporalScore
Use an integer value tofind the CVSSv3.1 temporal score.
Example
Show assets with this score
vulnerabilities.vulnerability.cvss3TemporalScore:6.4
vulnerabilities.vulnerability.cvss2AccessVectorvulnerabilities.vulnerability.cvss2AccessVector
Select the asset.name of a CVSS2 access vector, for example, UNDEFINED, LOCAL_ACCESS, ADJACENT_NETWORK, NETWORK. Select from names in the drop-down menu.
Example
Show findings with this asset.name
vulnerabilities.vulnerability.cvss2AccessVector:NETWORK
vulnerabilities.vulnerability.cvss2BaseScorevulnerabilities.vulnerability.cvss2BaseScore
Use an integer value to help you find the CVSS2 base score.
Example
Show assets with this score
vulnerabilities.vulnerability.cvss2BaseScore:7.8
vulnerabilities.vulnerability.cvss2TemporalScorevulnerabilities.vulnerability.cvss2TemporalScore
Use an integer value to help you find the CVSS2 temporal score.
Example
Show assets with this score
vulnerabilities.vulnerability.cvss2TemporalScore:6.4
vulnerabilities.vulnerability.discoveryTypevulnerabilities.vulnerability.discoveryType
Select a discovery type (Remote or Authenticated) to find assets with vulnerabilities having this discovery type. Select from names in the drop-down menu.
Example
Show findings with Remote discovery type
vulnerabilities.vulnerability.discoveryType:REMOTE
vulnerabilities.vulnerability.flagvulnerabilities.vulnerability.flag
Use a text value to find the Qualys defined vulnerability property, for example, REMOTE, WINDOWS_AUTH, UNIX_AUTH, PCI_RELATED etc.
Example
Show findings with this flag
vulnerabilities.vulnerability.flag:PCI_RELATED
Use the text value within quotes or backticks for the tactics id that represents the why of the ATT&CK technique or sub-technique.
Example
Show findings with the Tactic ID TA0007
vulnerabilities.vulnerability.mitre.attack.tactic.id:`TA0007`
Use the text value within quotes or backticks to view for the tactics asset.name that represents it's respective tactic id.
Example
Show findings with the tactic asset.name inital-access
vulnerabilities.vulnerability.mitre.attack.tactic.name:`inital-access`
Use the text value within quotes or backticks for the technique id that represents how a tactical goal can be achieved.
Example
Show findings with the Technique ID T1562.010
vulnerabilities.vulnerability.mitre.attack.technique.id:"T1562.010"
Use the text value within quotes or backticks to view for the technique asset.name that represents it's respective technique id.
Example
Show findings with the tactic asset.name Downgrade Attack
vulnerabilities.vulnerability.mitre.attack.technique.name:"Downgrade Attack"
vulnerabilities.vulnerability.isPatchAvailablevulnerabilities.vulnerability.isPatchAvailable
Use the values true | false to define vulnerabilities with patch available.
Examples
Show findings with patch available
vulnerabilities.vulnerability.isPatchAvailable:TRUE
Show findings with no patch available
vulnerabilities.vulnerability.isPatchAvailable:FALSE
vulnerabilities.vulnerability.isRebootRequiredvulnerabilities.vulnerability.isRebootRequired
Use the values true | false to find vulnerabilities that need reboot.
Examples
Show vulnerabilities that need reboot.
vulnerabilities.vulnerability.isRebootRequired: TRUE
vulnerabilities.vulnerability.qidvulnerabilities.vulnerability.qid
Use an integer value to define the QID in question.
Example
Show findings with QID 90405
vulnerabilities.vulnerability.qid: 90405
vulnerabilities.vulnerability.ransomware.namevulnerabilities.vulnerability.ransomware.name
Use quotes or backticks within values to help you find the ransomware asset.name you're looking for. Quotes can be used when the value has more than one word.
Examples
Show findings with this asset.name
vulnerabilities.vulnerability.ransomware.name: Locky
Show findings that match exact value
vulnerabilities.vulnerability.ransomware.name: Locky
vulnerabilities.vulnerability.sans20Categoriesvulnerabilities.vulnerability.sans20Categories
Use a text value to find vulnerabilities in the SANS 20 category, for example, Anti-virus Software, Backup Software, etc.
Example
Show findings with this category asset.name
vulnerabilities.vulnerability.sans20Categories:Media
Players
vulnerabilities.vulnerability.severityvulnerabilities.vulnerability.severity
Use an integer value to view the severity level set by Qualys to find assets having vulnerabilities. The severity level ranges between 1-5. Select from values in the drop-down menu.
Example
Show findings with severity set by Qualys as 5
vulnerabilities.vulnerability.severity:5
For information about customer and Qualys severity, see Customer and Kb Severity Level
vulnerabilities.vulnerability.solutionvulnerabilities.vulnerability.solution
Use quotes or backticks within values to help you find the solution.
Examples
Show any findings related to this solution
vulnerabilities.vulnerability.solution:Bulletin
MS10-006
Show any findings that contain parts of solution
vulnerabilities.vulnerability.solution:"Bulletin
MS10-006"
Show any findings that match exact value "Bulletin MS10-006"
vulnerabilities.vulnerability.solution:`Bulletin
MS10-006`
vulnerabilities.vulnerability.titlevulnerabilities.vulnerability.title
Use quotes or backticks within values to help you find the title.
Examples
Show any findings related to this title
vulnerabilities.vulnerability.title:Remote Code
Execution
Show any findings that contain "Remote" or "Code" in title
vulnerabilities.vulnerability.title:"Remote
Code"
Show any findings that match exact value "Remote Code"
vulnerabilities.vulnerability.title:`Remote Code`
vulnerabilities.vulnerability.vendorRefvulnerabilities.vulnerability.vendorRef
Use a text value to find the vendor reference.
Example
Show this vendor reference
vulnerabilities.vulnerability.vendorRef:KB3021953
vulnerabilities.vulnerability.vendorProductNamevulnerabilities.vulnerability.vendorProductName
Use a text value to find the vendor product name.
Example
Show findings with this vendor product asset.name
vulnerabilities.vulnerability.vendorProductName:Windows
vulnerabilities.vulnerability.vendorNamevulnerabilities.vulnerability.vendorName
Use a text value to find the vendor name.
Example
Show findings with this vendor asset.name
vulnerabilities.vulnerability.vendorName:Adobe
vulnerabilities.nonExploitableServicevulnerabilities.nonExploitableService
`Use the values true | false to define vulnerabilities that exist on non exploitable services.
Examples
Show findings on non-exploitable services
vulnerabilities.nonExploitableService:TRUE
vulnerabilities.vulnerability.patchReleasedDatevulnerabilities.vulnerability.patchReleasedDate
Use a specific date to define when patch was available.
Examples
Show findings last found on certain date
vulnerabilities.vulnerability.patchReleasedDate:'2025-01-02'
vulnerabilities.timesFoundvulnerabilities.timesFound
Show findings that were detected for the specified number of times.
Examples
Show findings last found 3 times
vulnerabilities.timesFound:3
vulnerabilities.detectionAgevulnerabilities.detectionAge
Select the number of days from the range (0..30, 31..60, 61..90, 91..180,180..+) since the vulnerability was first detected (by a scanner or cloud agent) on the asset till the current date. The age is calculated irrespective of the vulnerability status.
Example
Show findings that were detected in the last 30 days.
vulnerabilities.detectionAge:[0..30]
vulnerabilities.vulnerability.descriptionvulnerabilities.vulnerability.description
Use quotes or backticks within values to help you find the vulnerability description.
Examples
Show any findings related to description
vulnerabilities.vulnerability.description:remote
code execution
Show any findings that contain "remote" or "code" in description
vulnerabilities.vulnerability.description:"remote
code execution"
Show any findings that match exact value "remote code execution"
vulnerabilities.vulnerability.description:`remote
code execution`
vulnerabilities.vulnerability.listvulnerabilities.vulnerability.list
Use a text value to find the vulnerability list of interest, for example, SANS_20, QUALYS_20, QUALYS_INT_10, QUALYS_EXT_10).
Example
Show findings with vulnerabilities in SANS Top 20
vulnerabilities.vulnerability.list:SANS_20
vulnerabilities.vulnerability.publishedDatevulnerabilities.vulnerability.publishedDate
Use a specific date to define when vulnerabilities were first published in the KnowledgeBase.
Examples
Show findings for vulnerabilities published on certain date
vulnerabilities.vulnerability.publishedDate:'2025-01-15'
vulnerabilities.vulnerability.riskvulnerabilities.vulnerability.risk
Use an integer value to define the vulnerability risk rating. For confirmed and potential issues risk is 10 times severity, for information gathered it is severity.
Example
Show findings with risk 50
vulnerabilities.vulnerability.risk:50
vulnerabilities.vulnerability.criticalityvulnerabilities.vulnerability.criticality
Select a criticality (e.g. "CRITICAL","HIGH","MEDIUM","LOW","NONE") to find assets with vulnerabilities of this type. Select from names in the drop-down menu.
If a QID does not have a CVSSv3 Base score, the CVSSv2 Base score takes the priority.
The following list of criticality defines the CVSS Score from 0.0 to 10.0:
- None: 0.0
- Low: 0.1-3.9
- Medium: 4.0-6.9
- High: 7.0-8.9
- Critical: 9.0-10.0
Examples
Show vulnerabilities with HIGH criticality
vulnerabilities.vulnerability.criticality: "HIGH"
vulnerabilities.vulnerability.updatedDatevulnerabilities.vulnerability.updatedDate
Use a specific date to define when vulnerabilities were last updated in the KnowledgeBase.
Examples
Show vulnerabilities last ipdated on certain date
vulnerabilities.vulnerability.updatedDate:'2025-03-08'
vulnerabilities.isQualysPatchablevulnerabilities.isQualysPatchable
Use the values true | false to indicate whether Qualys can patch a detected vulnerability.
Example
Show findings with vulnerabilities that can be patched
vulnerabilities.isQualysPatchable:TRUE
Use the values true | false to define real-time threats due to active attacks.
Examples
Show assets with threats due to active attacks
vulnerabilities.vulnerability.threatIntel.isActiveAttack: true
Show assets that don't have threats due to active attack
vulnerabilities.vulnerability.threatIntel.isActiveAttack: false
Use the values true | false to define real-time threats due to CISA Exploits.
Examples
Show assets with threats due to CISA exploit
vulnerabilities.vulnerability.threatIntel.isCisaKnownExploitedVuln: true
Show assets that don't have threats due to CISA exploit
vulnerabilities.vulnerability.threatIntel.isCisaKnownExploitedVuln: false
Use the values true | false to define real-time threats due to easy exploit.
Examples
Show assets with threats due to easy exploit
vulnerabilities.vulnerability.threatIntel.isEasyExploit: true
Show assets that don't have threats due to easy exploit
vulnerabilities.vulnerability.threatIntel.isEasyExploit: false
Use the values true | false to define real-time threats due to high data loss.
Examples
Show assets with threats due to high data loss
vulnerabilities.vulnerability.threatIntel.isHighDataLoss: true
Show assets that don't have threats due to high data loss
vulnerabilities.vulnerability.threatIntel.isHighDataLoss: false
Use the values true | false to define real-time threats due to high lateral movement.
Examples
Show assets with threats due to high lateral movement
vulnerabilities.vulnerability.threatIntel.isHighLateralMovement: true
Show assets that don't have threats due to high lateral movement
vulnerabilities.vulnerability.threatIntel.isHighLateralMovement: false
Use the values true | false to define real-time threats due to malware.
Examples
Show assets with threats due to malware
vulnerabilities.vulnerability.threatIntel.isMalware: true
Show assets that don't have threats due to malware
vulnerabilities.vulnerability.threatIntel.isMalware: false
Use the values true | false to define real-time threats due to no patch available.
Examples
Show assets with threats due to no patch available
vulnerabilities.vulnerability.threatIntel.hasNoPatch: true
Show assets that don't have threats due to no patch available
vulnerabilities.vulnerability.threatIntel.hasNoPatch: false
Use the values true | false to define real-time threats due to predicted high risk.
Examples
Show assets with predicted high-risk threat
vulnerabilities.vulnerability.threatIntel.isPredictedHighRisk: true
Show assets without predicted high-risk threat
vulnerabilities.vulnerability.threatIntel.isPredictedHighRisk: false
Use the values true | false to define real-time threats due to privilege escalation risk.
Examples
Show assets with privilege escalation threat
vulnerabilities.vulnerability.threatIntel.isPrivilegeEscalation: true
Show assets without privilege escalation threat
vulnerabilities.vulnerability.threatIntel.isPrivilegeEscalation: false
Use the values true | false to define real-time threats due to public exploit.
Examples
Show assets with threats due to public exploit
vulnerabilities.vulnerability.threatIntel.isPublicExploit: true
Show assets that don't have threats due to public exploit
vulnerabilities.vulnerability.threatIntel.isPublicExploit: false
Use the values true | false to define real-time threats due to ransomeware vulnerability.
Examples
Show assets with ransomeware threat
vulnerabilities.vulnerability.threatIntel.isRansomware: true
Show assets not linked to ransomware threat
vulnerabilities.vulnerability.threatIntel.isRansomware: false
Use the values true | false to define real-time threats due to remote code execution risk.
Examples
Show assets with remote code execution threat
vulnerabilities.vulnerability.threatIntel.isRemoteCodeExecution: true
Show assets without remote code execution threat
vulnerabilities.vulnerability.threatIntel.isRemoteCodeExecution: false
Use the values true | false to filter real-time threats due to Solorigate/Sunburst risk.
Examples
Show assets impacted by Solorigate/SUNBURST-related threat
vulnerabilities.vulnerability.threatIntel.isSolorigateSunburst: true
Show assets not impacted by Solorigate/SUNBURST
vulnerabilities.vulnerability.threatIntel.isSolorigateSunburst: false
Use the values true | false to define real-time threats due to unauthenticated exploitation risk.
Examples
Show assets with unauthenticated exploitation vulnerabilities
vulnerabilities.vulnerability.threatIntel.isUnauthenticatedExploitation: true
Show assets requiring authentication to exploit
vulnerabilities.vulnerability.threatIntel.isUnauthenticatedExploitation: false
Use the values true | false to define real-time wormable threats.
Examples
Show assets with wormable vulnerabilities
vulnerabilities.vulnerability.threatIntel.isWormable: true
Show assets without wormable vulnerabilities
vulnerabilities.vulnerability.threatIntel.isWormable: false
Use the values true | false to define real-time threats due to zero day exploit.
Examples
Show assets with threats due to zero day exploit
vulnerabilities.vulnerability.threatIntel.isZeroDay: true
Show assets not affected by zero-day exploit
vulnerabilities.vulnerability.threatIntel.isZeroDay: false
Use the values true | false to define real-time threats due to denial of service.
Examples
Show assets with threats due to denial of service
vulnerabilities.vulnerability.threatIntel.denialOfService: true
Show assets that don't have threats due to denial of service
vulnerabilities.vulnerability.threatIntel.denialOfService: false
vulnerabilities.hostOS vulnerabilities.hostOS
Use quotes or backticks within values to help you find the host operating system.
Examples
Show any findings with this OS name
vulnerabilities.hostOS:Windows 2012
Show any findings that contain components of OS name
vulnerabilities.hostOS:"Windows 2012"
Show any findings that match exact value "Windows 2012"
vulnerabilities.hostOS:`Windows 2012`
vulnerabilities.vulnerability.pci vulnerabilities.vulnerability.pci
Use the values true | false to find vulnerabilities that must be fixed for PCI Compliance (per PCI DSS).
Examples
Show PCI-related vulnerabilities
vulnerabilities.vulnerability.pci: true
Show non-PCI vulnerabilities
vulnerabilities.vulnerability.pci: false
vulnerabilities.vulnerability.supportedBy vulnerabilities.vulnerability.supportedBy
Select a Qualys service (VM, Agent type, etc) to show vulnerabilities that can be detected by this service. Select from names in the drop-down menu.
Examples
Show vulnerabilities supported by Linux Agent
vulnerabilities.vulnerability.supportedBy:CA-Linux Agent
Use the values true | false to define real-time threats due to the exploit kit.
Examples
Show assets with threats due to exploit kit
vulnerabilities.vulnerability.threatIntel.exploitKit: true
Show assets that don't have threats due to exploit kit
vulnerabilities.vulnerability.threatIntel.exploitKit: false
Use quotes or backticks within values to help you find the exploit kit name. Quotes can be used when the value has more than one word.
Examples
Show any findings with this name
vulnerabilities.vulnerability.threatIntel.exploitKitName: Angler
Show any findings that match the exact value
vulnerabilities.vulnerability.threatIntel.exploitKitName: `Angler`
Use quotes or backticks within values to help you find the malware name. Quotes can be used when the value has more than one word.
Examples
Show any findings with this name
vulnerabilities.vulnerability.threatIntel.malwareName: TROJ_PDFKA.DQ
Show any findings that match exact value
vulnerabilities.vulnerability.threatIntel.malwareName: `TROJ_PDFKA.DQ`
Use quotes or backticks within values to help you find the public exploit name of interest. Quotes can be used when the value has more than one word.
Examples
Show any findings with this name
vulnerabilities.vulnerability.threatIntel.publicExploitName: RealVNC NULL Authentication Mode Bypass
Show assets that don't have threats due to public exploit
vulnerabilities.vulnerability.threatIntel.publicExploitName: "RealVNC NULL Authentication Mode Bypass"
Show assets that don't have threats due to public exploit
vulnerabilities.vulnerability.threatIntel.publicExploitName: `RealVNC NULL Authentication Mode Bypass`
Finding Tokens
finding.authTypefinding.authType
From the drop-down, select the asset name, such as, WINDOWS_AUTH, UNIX_AUTH, ORACLE_AUTH of an authentication type.
Example
Show findings with Windows auth type
finding.authType:WINDOWS_AUTH
finding.isDisabledfinding.isDisabled
Use the values true or false to define whether vulnerabilities are disabled or enabled.
Example
Show findings with vulnerabilities disabled
finding.isDisabled:TRUE
Use an integer value to help you find vulnerabilities based on specific QDS.
Examples
- Show findings within this QDS range
finding.qds:[40 ... 69]
finding.isFoundfinding.isFound
Use the values true or false to define vulnerabilities are detected or not on the assets.
Examples
Show findings with vulnerability detected
finding.isFound:TRUE
finding.isIgnoredfinding.isIgnored
Use true | false to find vulnerabilities that have been marked as ignored.
Example
Show vulnerabilities that are marked as ignored
finding.isIgnored:TRUE
finding.instancefinding.instance
Use a text value to find vulnerabilities found on a certain instance.
Example
Show vulnerabilities found in this instance
finding.instance: oracle
finding.lastFixedDatefinding.lastFixedDate
Use a specific date to define when findings were last fixed.
Examples
- Show findings last fixed on certain date
finding.lastFixedDate:'2025-01-11'
finding.lastFoundDatefinding.lastFoundDate
Use a specific date to define when findings were last found.
Examples
- Show findings last found on certain date
finding.lastFoundDate:'2025-01-11'
finding.nonExploitableConfigfinding.nonExploitableConfig
Use the values true or false to define vulnerabilities with non-exploitable configurations.
Examples
- Show findings with non exploitable configurations
finding.nonExploitableConfig:TRUE - Show findings with exploitable configurations
finding.nonExploitableConfig:FALSE
finding.nonRunningKernelfinding.nonRunningKernel
Use the values true or false to view vulnerabilities found on non-running kernels.
Examples
- Show detections found on non-running Kernel
finding.nonRunningKernel:TRUE - Show detections found on running Kernel
finding.nonRunningKernel:FALSE
Use an integer value to find vulnerabilities found on a certain port.
Example
Show vulnerabilities found on this port
finding.port:443
finding.protocolfinding.protocol
Use a text value UDP or TCP to define the port protocol.
Example
Show vulnerabilities found on TCP protocol
finding.protocol:TCP
finding.riskFactor.cisaKEVDueDatefinding.riskFactor.cisaKEVDueDate
Use a specific date to get the list of known exploited vulnerabilities whose remediation due date is as per the CISA Catalog. The date format used is yyyy-mm-dd.
Example
List the QIDs whose CISA Due Date is 3rd May 2022
finding.riskFactor.cisaKEVDueDate:2022-05-03
Use the values true or false to define vulnerabilities found on secure socket layer (SSL).
Example
Show vulnerabilities associated with SSL
finding.ssl:TRUE
finding.severityfinding.severity
Use an integer value to view the severity level set by you to find assets having vulnerabilities. The severity level ranges between 1-5. Select from values in the drop-down menu. If you do not set the severity level, its level will be the same as the level set by Qualys.
Example
Show findings with severity by 5
finding.severity:5
From the drop-down, select a status Active, Fixed, New, and Reopened to find vulnerabilities with certain status.
If you select the status as Fixed, the list will only show vulnerabilities that are fixed in the last 365 days.
Example
Show vulnerabilities with New status
finding.status:Fixed
finding.typeDetectedfinding.typeDetected
From the drop-down, select a detection type, such as, Confirmed, Potential, and Information to find assets with vulnerabilities of this type.
Example
Show findings with this type
finding.typeDetected:Confirmed
finding.vulnerability.bugTraqIdfinding.vulnerability.bugTraqId
Use a text value to find a BugTraq number.
Example
Show findings with BugTraq ID 22211
finding.vulnerability.bugTraqId:22211
finding.vulnerability.categoryfinding.vulnerability.category
From the drop-down, select a category, such as, `CGI`, `Database`, `DNS and BIND`, `Custom QID` to find vulnerabilities with this category.
Example
Show findings with category `CGI`
finding.vulnerability.category:`CGI`
finding.vulnerability.compliance.descriptionfinding.vulnerability.compliance.description
Use quotes or backticks within values to help you find the compliance description.
Examples
- Show any findings related to this description
finding.vulnerability.compliance.description:malicious software - Show any findings that contain "malicious" or "software" in description
finding.vulnerability.compliance.description:"malicious software" - Show any findings that match exact value "malicious software"
finding.vulnerability.compliance.description:`malicious software`
finding.vulnerability.compliance.sectionfinding.vulnerability.compliance.section
Use quotes or backticks within values to help you find the compliance section.
Examples
- Show any findings related to this section
finding.vulnerability.compliance.section:164.308 - Show any findings that contain parts of section
finding.vulnerability.compliance.section:"164.308" - Show any findings that match exact value "164.308"
finding.vulnerability.compliance.section:`164.308`
finding.vulnerability.compliance.typefinding.vulnerability.compliance.type
From the drop-down, select the name of a compliance type:
COBIT, HIPAA, GLBA, SOX, PCI
Examples
- Show findings with the compliance type HIPAA
finding.vulnerability.compliance.type:HIPAA - Show findings with the compliance type SOX
finding.vulnerability.compliance.type:SOX - Show findings with the compliance type COBIT
finding.vulnerability.compliance.type:COBIT
finding.vulnerability.impactfinding.vulnerability.impact
Use quotes or backtick within values to find the impact.
Examples
- Show any findings related to impact
finding.vulnerability.impact:sensitive information - Show any findings that contain "identity" or "theft" in consequence
finding.vulnerability.impact:"identity theft" - Show any findings that match exact value "financial loss"
finding.vulnerability.impact:`financial loss`
finding.vulnerability.cveIdfinding.vulnerability.cveId
Use a text value to find the CVE name.
Example
Show findings with CVE name CVE-2015-0313
finding.vulnerability.cveId:CVE-2015-0313
Note: The CVE in the query is case sensitive and must be used in capital case.
finding.vulnerability.cvss3BaseScorefinding.vulnerability.cvss3BaseScore
Use an integer value to find the CVSSv3.1 base score.
Example
Show assets with this score
finding.vulnerability.cvss3BaseScore:7.8
finding.vulnerability.cvss3TemporalScorefinding.vulnerability.cvss3TemporalScore
Use an integer value to find the CVSSv3.1 temporal score.
Example
Show assets with this score
finding.vulnerability.cvss3TemporalScore:6.4
finding.vulnerability.cvss2AccessVectorfinding.vulnerability.cvss2AccessVector
Select the name of a CVSS2 access vector, for example, UNDEFINED, LOCAL_ACCESS, ADJACENT_NETWORK, NETWORK. Select from names in the drop-down menu.
Example
Show findings with this name
finding.vulnerability.cvss2AccessVector:NETWORK
finding.vulnerability.cvss2BaseScorefinding.vulnerability.cvss2BaseScore
Use an integer value to help you find the CVSS2 base score.
Example
Show assets with this score
finding.vulnerability.cvss2BaseScore:7.8
finding.vulnerability.cvss2TemporalScorefinding.vulnerability.cvss2TemporalScore
Use an integer value to help you find the CVSS2 temporal score.
Example
Show assets with this score
finding.vulnerability.cvss2TemporalScore:6.4
finding.vulnerability.discoveryTypefinding.vulnerability.discoveryType
Select a discovery type (Remote or Authenticated) to find assets with vulnerabilities having this discovery type. Select from names in the drop-down menu.
Example
Show findings with Remote discovery type
finding.vulnerability.discoveryType:REMOTE
finding.vulnerability.flagfinding.vulnerability.flag
Use a text value to find the Qualys defined vulnerability property, for example, REMOTE, WINDOWS_AUTH, UNIX_AUTH, PCI_RELATED etc.
Example
Show findings with this flag
finding.vulnerability.flag:PCI_RELATED
finding.vulnerability.mitre.attack.tactic.idfinding.vulnerability.mitre.attack.tactic.id
Use the text value within quotes or backticks for the tactics id that represents the why of the ATT&CK technique or sub-technique.
Example
Show findings with the Tactic ID TA0007
finding.vulnerability.mitre.attack.tactic.id:`TA0007`
finding.vulnerability.mitre.attack.tactic.namefinding.vulnerability.mitre.attack.tactic.name
Use the text value within quotes or backticks to view for the tactics name that represents it's respective tactic id.
Example
Show findings with the tactic name inital-access
finding.vulnerability.mitre.attack.tactic.name:`inital-access`
finding.vulnerability.mitre.attack.technique.idfinding.vulnerability.mitre.attack.technique.id
Use the text value within quotes or backticks for the technique ID that represents how a tactical goal can be achieved.
Example
Show findings with the Technique ID T1562.010
finding.vulnerability.mitre.attack.technique.id:"T1562.010"
finding.vulnerability.mitre.attack.technique.namefinding.vulnerability.mitre.attack.technique.name
Use the text value within quotes or backticks to view for the technique name that represents it's respective technique id.
Example
Show findings with the tactic name Downgrade Attack
finding.vulnerability.mitre.attack.technique.name:"Downgrade Attack"
finding.vulnerability.isPatchAvailablefinding.vulnerability.isPatchAvailable
Use the values true | false to define vulnerabilities with patch available.
Examples
- Show findings with patch available
finding.vulnerability.isPatchAvailable:TRUE - Show findings with no patch available
finding.vulnerability.isPatchAvailable:FALSE
finding.vulnerability.isPCIfinding.vulnerability.isPCI
Use the values true | false to find vulnerabilities that must be fixed for PCI Compliance (per PCI DSS).
Examples
- Show PCI vulnerabilities
finding.vulnerability.isPCI:TRUE - Do not show PCI vulnerabilities
finding.vulnerability.isPCI:FALSE
finding.vulnerability.isRebootRequiredfinding.vulnerability.isRebootRequired
Use the values true | false to find vulnerabilities that need reboot.
Example
Show vulnerabilities that need reboot.
finding.vulnerability.isRebootRequired: TRUE
finding.vulnerability.qidfinding.vulnerability.qid
Use an integer value to define the QID in question.
Example
Show findings with QID 90405
finding.vulnerability.qid: 90405
finding.vulnerability.ransomware.namefinding.vulnerability.ransomware.name
Use quotes or backticks within values to help you find the ransomware name you are looking for. Quotes can be used when the value has more than one word.
Examples
- Show findings with this name
finding.vulnerability.ransomware.name: Locky - Show findings that match exact value
finding.vulnerability.ransomware.name: Locky
finding.vulnerability.sans20Categoriesfinding.vulnerability.sans20Categories
Use a text value to find vulnerabilities in the SANS 20 category, for example, Anti-virus Software, Backup Software, etc.
Example
Show findings with this category name
finding.vulnerability.sans20Categories:Media Players
finding.vulnerability.severityfinding.vulnerability.severity
Use an integer value to view the severity level set by Qualys to find assets having vulnerabilities. The severity level ranges between 1-5. Select from values in the drop-down menu.
Example
Show findings with severity set by Qualys as 5
finding.vulnerability.severity:5
finding.vulnerability.solutionfinding.vulnerability.solution
Use quotes or backticks within values to help you find the solution.
Examples
- Show any findings related to this solution
finding.vulnerability.solution:Bulletin MS10-006 - Show any findings that contain parts of solution
finding.vulnerability.solution:"Bulletin MS10-006" - Show any findings that match exact value "Bulletin MS10-006"
finding.vulnerability.solution:`Bulletin MS10-006`
finding.vulnerability.supportedBy.serviceNamefinding.vulnerability.supportedBy.serviceName
Select a Qualys service (VM, Agent type, etc) to show vulnerabilities that can be detected by this service. Select from names in the drop-down menu.
Example
Show vulnerabilities supported by Linux Agent
finding.vulnerability.supportedBy.serviceName:CA-Linux Agent
finding.vulnerability.titlefinding.vulnerability.title
Use quotes or backticks within values to help you find the title.
Examples
- Show any findings related to this title
finding.vulnerability.title:Remote Code Execution - Show any findings that contain "Remote" or "Code" in title
finding.vulnerability.title:"Remote Code" - Show any findings that match exact value "Remote Code"
finding.vulnerability.title:`Remote Code`
finding.vulnerability.vendorReffinding.vulnerability.vendorRef
Use a text value to find the vendor reference.
Example
Show this vendor reference
finding.vulnerability.vendorRef:KB3021953
finding.vulnerability.vendorProductNamefinding.vulnerability.vendorProductName
Use a text value to find the vendor product name.
Example
Show findings with this vendor product name
finding.vulnerability.vendorProductName:Windows
finding.vulnerability.vendorNamefinding.vulnerability.vendorName
Use a text value to find the vendor name.
Example
Show findings with this vendor name
finding.vulnerability.vendorName:Adobe
finding.nonRunningKernelfinding.nonRunningKernel
Use the values true | false to define vulnerabilities that exist on non exploitable kernels.
Example
Show findings on non-exploitable kernels
finding.nonRunningKernel:TRUE
finding.nonExploitableServicefinding.nonExploitableService
Use the values true | false to define vulnerabilities that exist on non-exploitable services.
Examples
Show findings on non-exploitable services
finding.nonExploitableService:TRUE
finding.vulnerability.patchReleasedDatefinding.vulnerability.patchReleasedDate
Use specific date to define when patch was available.
Examples
- Show findings last found on certain date
finding.vulnerability.patchReleasedDate:'2025-01-02'
finding.timesFoundfinding.timesFound
Show findings that were detected for the specified number of times.
Example
Show findings last found 3 times
finding.timesFound:3
finding.detectionAgefinding.detectionAge
Select the number of days from the range (0..30, 31..60, 61..90, 91..180,180..+) since the vulnerability was first detected (by a scanner or cloud agent) on the asset till the current date. The age is calculated irrespective of the vulnerability status.
Example
Show findings that were detected in the last 30 days.
finding.detectionAge:[0..30]
finding.vulnerability.descriptionfinding.vulnerability.description
Use quotes or backticks within values to help you find the vulnerability description.
Examples
- Show any findings related to description
finding.vulnerability.description:remote code execution - Show any findings that contain "remote" or "code" in description
finding.vulnerability.description:"remote code execution" - Show any findings that match exact value "remote code execution"
finding.vulnerability.description:`remote code execution`
finding.vulnerability.listfinding.vulnerability.list
Use a text value to find the vulnerability list of interest, for example, SANS_20, QUALYS_20, QUALYS_INT_10, QUALYS_EXT_10).
Example
Show findings with vvulnerabilitiesv in SANS Top 20
finding.vulnerability.list:SANS_20
finding.vulnerability.publishedDatefinding.vulnerability.publishedDate
Use a date range or specific date to define when vulnerabilities were first published in the KnowledgeBase.
Examples
- Show findings for vulnerabilities published on certain date
finding.vulnerability.publishedDate:'2025-01-15'
finding.vulnerability.riskfinding.vulnerability.risk
Use an integer value to define the vulnerability risk rating. For confirmed and potential issues risk is 10 times severity, for information gathered it is severity.
Example
Show findings with risk 50
finding.vulnerability.risk:50
finding.vulnerability.criticalityfinding.vulnerability.criticality
Select a criticality (for example, "CRITICAL","HIGH","MEDIUM","LOW","NONE") to find assets with vulnerabilities of this type. Select from names in the drop-down menu.
If a QID does not have a CVSSv3 Base score, the CVSSv2 Base score takespriority.
The following list of criticality defines the CVSS Score from 0.0 to 10.0:
- None: 0.0
- Low: 0.1-3.9
- Medium: 4.0-6.9
- High: 7.0-8.9
- Critical: 9.0-10.0
Example
Show vulnerabilitiesv with HIGH criticality
finding.vulnerability.criticality: "HIGH"
finding.vulnerability.updatedDatefinding.vulnerability.updatedDate
Use a date range or specific date to define when vulnerabilities were updated in the KnowledgeBase.
Examples
- Show vulnerabilities updated on certain date
finding.vulnerability.updatedDate:'2025-03-08'
finding.isQualysPatchablefinding.isQualysPatchable
Use the values true | false to indicate whether Qualys can patch a detected vulnerability.
Example
Show findings with vulnerabilities that can be patched
finding.isQualysPatchable:TRUE
finding.riskFactor.cisaKEVDueDatefinding.riskFactor.cisaKEVDueDate
Use a date value or relative time to filter vulnerabilities based on the CISA Known Exploited Vulnerabilities (KEV) remediation due date. This token helps identify vulnerabilities that must be remediated by the due date specified in the CISA KEV catalog.
You can compare the due date using operators such as <, >, <=, >=, or specify a date range.
Examples
- Show findings with a CISA KEV due date earlier than the current time
finding.riskFactor.cisaKEVDueDate<now - Show findings with a CISA KEV due date within a specific date range
finding.riskFactor.cisaKEVDueDate:[2025-03-01 ... 2025-03-31] - Show Windows vulnerabilities listed in the CISA KEV catalog with a due date that has already passed
finding.vulnerability.threatIntel.cisaKnownExploitedVulns:TRUE and finding.vulnerability.category:`Windows` and finding.riskFactor.cisaKEVDueDate<now
finding.firstFoundDatefinding.firstFoundDate
Use the date range or specific date to define when findings were first found.
Examples
- Show findings first found on certain dat
finding.firstFoundDate:'2025-11-11'
finding.vulnerability.threatIntel.exploitKitfinding.vulnerability.threatIntel.exploitKit
Use the values true | false to define real-time threats due to exploit kit.
Examples
- Show assets with threats due to exploit kit
finding.vulnerability.threatIntel.exploitKit: true - Show assets that don't have threats due to exploit kit
finding.vulnerability.threatIntel.exploitKit: false
finding.vulnerability.threatIntel.exploitKitNamefinding.vulnerability.threatIntel.exploitKitName
Use quotes or backticks within values to help you find the exploit kit asset.name you're looking for. Quotes can be used when the value has more than one word.
Examples
- Show any findings with this asset.name
finding.vulnerability.threatIntel.exploitKitName: Angler - Show any findings that match exact value
finding.vulnerability.threatIntel.exploitKitName: `Angler`
finding.vulnerability.threatIntel.hasNoPatchfinding.vulnerability.threatIntel.hasNoPatch
Use the values true | false to define real-time threats due to no patch available.
Examples
- Show assets with threats due to no patch available
finding.vulnerability.threatIntel.hasNoPatch: true - Show assets that don't have threats due to no patch available
finding.vulnerability.threatIntel.hasNoPatch: false
finding.vulnerability.threatIntel.isActiveAttackfinding.vulnerability.threatIntel.isActiveAttack
Use the values true | false to define real-time threats due to active attacks.
Examples
- Show assets with threats due to active attacks
finding.vulnerability.threatIntel.isActiveAttack: true - Show assets that don't have threats due to active attack
finding.vulnerability.threatIntel.isActiveAttack: false
Use the values true | false to define real-time threats due to CISA Exploits.
Examples
- Show assets with threats due to CISA exploit
finding.vulnerability.threatIntel.isCisaKnownExploitedVuln: true - Show assets that don't have threats due to CISA exploit
finding.vulnerability.threatIntel.isCisaKnownExploitedVuln: false
Use the values true | false to define real-time threats due to denial of service.
Examples
- Show assets with threats due to denial of service
finding.vulnerability.threatIntel.isDenialOfService: true - Show assets that don't have threats due to denial of service
finding.vulnerability.threatIntel.isDenialOfService: false
finding.vulnerability.threatIntel.isEasyExploitfinding.vulnerability.threatIntel.isEasyExploit
Use the values true | false to define real-time threats due to easy exploit.
Examples
- Show assets with threats due to easy exploit
finding.vulnerability.threatIntel.isEasyExploit:true - Show assets that don't have threats due to easy exploit
finding.vulnerability.threatIntel.isEasyExploit:false
finding.vulnerability.threatIntel.isHighDataLossfinding.vulnerability.threatIntel.isHighDataLoss
Use the values true | false to define real-time threats due to high data loss.
Examples
- Show assets with threats due to high data loss
finding.vulnerability.threatIntel.isHighDataLoss:true - Show assets that don't have threats due to high data loss
finding.vulnerability.threatIntel.isHighDataLoss:false
Use the values true | false to define real-time threats due to high lateral movement.
Examples
- Show assets with threats due to high lateral movement
finding.vulnerability.threatIntel.isHighLateralMovement: true - Show assets that don't have threats due to high lateral movement
finding.vulnerability.threatIntel.isHighLateralMovement: false
finding.vulnerability.threatIntel.isMalwarefinding.vulnerability.threatIntel.isMalware
Use the values true | false to define real-time threats due to malware.
Examples
- Show assets with threats due to malware
finding.vulnerability.threatIntel.isMalware:true - Show assets that don't have threats due to malware
finding.vulnerability.threatIntel.isMalware:false
Use the values true | false to define real-time threats due to predicted high risk.
Example
Show assets with predicted high risk threat
finding.vulnerability.threatIntel.isPredictedHighRisk:"true"
Use the values true | false to define real-time threats due to privilege escalation risk.
Example
Show assets with privilege escalation threat
finding.vulnerability.threatIntel.isPrivilegeEscalation:"true"
finding.vulnerability.threatIntel.isPublicExploitfinding.vulnerability.threatIntel.isPublicExploit
Use the values true | false to define real-time threats due to public exploit.
Example
- Show assets with threats due to public exploit
finding.vulnerability.threatIntel.isPublicExploit: true - Show assets that don't have threats due to public exploit
finding.vulnerability.threatIntel.isPublicExploit: false
finding.vulnerability.threatIntel.isRansomwarefinding.vulnerability.threatIntel.isRansomware
Use the values true | false to define real-time threats due to ransomeware vulnerability.
Example
Show assets with ransomeware threat
finding.vulnerability.threatIntel.isRansomware: "true"
Use the values true | false to define real-time threats due to remote code execution risk.
Example
Show assets with remote code execution threat
finding.vulnerability.threatIntel.isRemoteCodeExecution:"true"
Use the values true | false to filter real-time threats due to Solorigate/Sunburst risk.
Example
Show assets with Solorigate/Sunburst threat
finding.vulnerability.threatIntel.isSolorigateSunburst:"true"
Use the values true | false to define real-time threats due to unauthenticated exploitation risk.
Example
Show assets with unauthenticated exploitation threat
finding.vulnerability.threatIntel.isUnauthenticatedExploitation: "true"
finding.vulnerability.threatIntel.isWormablefinding.vulnerability.threatIntel.isWormable
Use the values true | false to define real-time wormable threats.
Example
Show assets with wormable threats
finding.vulnerability.threatIntel.isWormable:"true"
finding.vulnerability.threatIntel.isZeroDayfinding.vulnerability.threatIntel.isZeroDay
Use the values true | false to define real-time threats due to zero day exploit.
Examples
- Show assets with threats due to zero day exploit
finding.vulnerability.threatIntel.isZeroDaytrue - Show assets that don't have threats due to zero day exploit
finding.vulnerability.threatIntel.isZeroDay: false
finding.vulnerability.threatIntel.malwareNamefinding.vulnerability.threatIntel.malwareName
Use quotes or backticks within values to help you find the malware name. Quotes can be used when the value has more than one word.
Examples
- Show any findings with this asset.name
finding.vulnerability.threatIntel.malwareName:TROJ_PDFKA.DQ - Show any findings that match exact value
finding.vulnerability.threatIntel.malwareName:`TROJ_PDFKA.DQ`
Use quotes or backticks within values to help you find the public exploit asset.name of interest. Quotes can be used when the value has more than one word.
Examples
- Show any findings with this asset.name
finding.vulnerability.threatIntel.publicExploitName:RealVNC NULL Authentication Mode Bypass - Show assets that don't have threats due to public exploit
finding.vulnerability.threatIntel.publicExploitName:"RealVNC NULL Authentication Mode Bypass" - Show assets that don't have threats due to public exploit
finding.vulnerability.threatIntel.publicExploitName:`RealVNC NULL Authentication Mode Bypass`