Search Tokens for Vulnerabilities
Supported Boolean Operators
The Qualys Query Language (QQL) supports the following logical or Boolean query operators. Use these operators in your queries to narrow down or broaden your search.
Narrow down your search by using the 'and' operator in your Boolean query. The result contains all the token values that you provide in your query.
Example
vulnerabilities.isDisabled: TRUE and vulnerabilities.detectionScore:80
The vulnerabilities that are disabled and have a detection score of 80 are returned in the result.
Broaden your search by using the 'or' operator in your Boolean query. The result contains any of the token values that you provide in your query.
Example
vulnerabilities.isDisabled: TRUE or vulnerabilities.detectionScore:80
The vulnerabilities that are disabled or the vulnerabilities that have a detection score of 80 are returned in the result.
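Added example (not Qualys code): a small Python helper that assembles queries from tokens documented on this page and checks each value against the formats and ranges the page states, so that values coming from tickets or scripts cannot change the shape of a query. The function names are hypothetical, and rejecting quote characters is an assumption, because this page does not document an escaping rule.

```python
import re
from datetime import datetime

# Relative-date forms seen in this page's examples: now-1s, now-2w, now-1M.
# Other units may exist in QQL but are not assumed here.
_RELATIVE = re.compile(r"now-[1-9][0-9]*[swM]")
_TOKEN = re.compile(r"[A-Za-z][A-Za-z0-9]*(\.[A-Za-z][A-Za-z0-9]*)*")


def _token(name):
    """Accept only dotted identifiers such as vulnerabilities.isDisabled."""
    if not _TOKEN.fullmatch(name):
        raise ValueError(f"bad token name: {name!r}")
    return name


def boolean(name, value):
    """Boolean tokens take TRUE or FALSE."""
    if not isinstance(value, bool):
        raise ValueError(f"{name} needs a bool")
    return f"{_token(name)}:{'TRUE' if value else 'FALSE'}"


def integer(name, value, low, high):
    """Integer tokens with a documented range, e.g. detectionScore 0-100."""
    if isinstance(value, bool) or not isinstance(value, int):
        raise ValueError(f"{name} needs an integer")
    if not low <= value <= high:
        raise ValueError(f"{name} must be within {low}-{high}")
    return f"{_token(name)}:{value}"


def text(name, value, exact=False):
    """Quotes give a 'contains' search, backticks an exact match.

    Assumption: no escaping rule is documented on the page, so a value that
    contains either delimiter or a line break is rejected outright.
    """
    if not value or any(ch in value for ch in '`"\r\n'):
        raise ValueError(f"unsafe value for {name}: {value!r}")
    delim = "`" if exact else '"'
    return f"{_token(name)}:{delim}{value}{delim}"


def _date_endpoint(value):
    """Allow yyyy-mm-dd calendar dates or the relative forms listed above."""
    if _RELATIVE.fullmatch(value):
        return value
    if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", value):
        raise ValueError(f"bad date endpoint: {value!r}")
    datetime.strptime(value, "%Y-%m-%d")  # rejects dates such as 2017-02-30
    return value


def date_range(name, start, end):
    """Render a range as token:[start ... end]."""
    return f"{_token(name)}:[{_date_endpoint(start)} ... {_date_endpoint(end)}]"


def combine(operator, *clauses):
    """Join clauses with one operator; mixing 'and' with 'or' is left out
    because the page does not describe operator precedence."""
    if operator not in ("and", "or") or not clauses:
        raise ValueError("operator must be 'and' or 'or' with at least one clause")
    return f" {operator} ".join(clauses)


def kev_patchable_query():
    """Severity 5 CISA KEV findings with a patch, seen in the last two weeks."""
    return combine(
        "and",
        boolean("vulnerabilities.riskFactor.isCisaKnownExploit", True),
        boolean("vulnerabilities.vulnerability.isPatchAvailable", True),
        integer("vulnerabilities.severity", 5, 1, 5),
        date_range("vulnerabilities.lastFoundDate", "now-2w", "now-1s"),
        text("vulnerabilities.riskFactor.exploitCodeMaturity", "weaponized"),
    )


if __name__ == "__main__":
    print(kev_patchable_query())
```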
Vulnerability Tokens
Use these tokens to define search criteria for vulnerabilities.
vulnerabilities.isDisabled
Use the values true or false to define whether vulnerabilities are disabled or enabled.
Example
Show findings with vulnerabilities disabled
vulnerabilities.isDisabled:TRUE
vulnerabilities.detectionScore
Use an integer value (0-100) to find vulnerabilities based on a specific detection score.
Examples
- Show vulnerabilities with detection score 80
vulnerabilities.detectionScore:80
- Show vulnerabilities with detection score 25
vulnerabilities.detectionScore:25
vulnerabilities.detectionSource
Use a string value within quotes or backticks to find vulnerabilities with a certain source of detection.
From the drop-down, select the name of a detection source:
Generic, Qualys, Tenable, Wiz
Examples
- Show findings with Qualys as the detection source
vulnerabilities.detectionSource:Qualys
- Show findings that contain parts of the detection source
vulnerabilities.detectionSource:"Qualys"
- Show findings that match the exact value Qualys
vulnerabilities.detectionSource:`Qualys`
vulnerabilities.detectionSource.name
Use quotes or backticks within values to help you find the source that detected the vulnerability. Understanding the origin of vulnerability data is essential for grasping the detection's context, reliability, and scope.
Examples
- Show findings with Qualys as the detection source
vulnerabilities.detectionSource.name:AZURE
- Show findings that contain parts of the detection source
vulnerabilities.detectionSource.name:"CAR Agent"
- Show findings that match the exact value Qualys
vulnerabilities.detectionSource.name:`Cloud Agent`
To use this token, contact your technical account manager.
vulnerabilities.detectionSource.firstFoundDate
Use the date range or specific date to define when a vulnerability was first detected. Tracking this information helps teams analyze vulnerabilities, prioritize remediation, and identify trends. You can determine if further investigation or alternative remediation is needed by tracking the last and first found dates.
Examples
- Show vulnerabilities first detected on a certain date
vulnerabilities.detectionSource.firstFoundDate:[2017-10-21 ... 2017-10-30]
- Show vulnerabilities first detected starting 2015-10-01, ending 1 month ago
vulnerabilities.detectionSource.firstFoundDate:[2015-10-01 ... now-1M]
- Show vulnerabilities first detected 2 weeks ago, ending 1 second ago
vulnerabilities.detectionSource.firstFoundDate:[now-2w ... now-1s]
- Show vulnerabilities first detected on a certain date
vulnerabilities.detectionSource.firstFoundDate:'2016-11-11'
To use this token, contact your technical account manager.
vulnerabilities.detectionSource.lastFoundDate
Use the date range or specific date to define when a vulnerability was last detected. This helps assess whether a vulnerability is active or has reappeared after remediation. You can determine if further investigation or alternative remediation is needed by tracking the last and first found dates.
Examples
- Show vulnerabilities last detected on a certain date
vulnerabilities.detectionSource.lastFoundDate:[2017-10-21 ... 2017-10-30]
- Show vulnerabilities last detected starting 2015-10-01, ending 1 month ago
vulnerabilities.detectionSource.lastFoundDate:[2015-10-01 ... now-1M]
- Show vulnerabilities last detected 2 weeks ago, ending 1 second ago
vulnerabilities.detectionSource.lastFoundDate:[now-2w ... now-1s]
- Show vulnerabilities last detected on a certain date
vulnerabilities.detectionSource.lastFoundDate:'2016-11-11'
To use this token, contact your technical account manager.
vulnerabilities.isFound
Use the values true or false to define whether vulnerabilities are detected on the assets.
Example
Show findings with vulnerabilities detected
vulnerabilities.isFound:TRUE
vulnerabilities.firstFoundDate
Use the date range or specific date to define when findings were first found.
Examples
- Show findings first found within certain dates
vulnerabilities.firstFoundDate:[2017-10-21 ... 2017-10-30]
- Show findings first found starting 2015-10-01, ending 1 month ago
vulnerabilities.firstFoundDate:[2015-10-01 ... now-1M]
- Show findings first found starting 2 weeks ago, ending 1 second ago
vulnerabilities.firstFoundDate:[now-2w ... now-1s]
- Show findings first found on a certain date
vulnerabilities.firstFoundDate:'2016-11-11'
vulnerabilities.host.asset.name
Use quotes or backticks within values to help you find the host asset name.
Examples
- Show any findings related to asset.name
vulnerabilities.host.asset.name:QK2K12QP3-65-53
- Show any findings that contain parts of asset.name
vulnerabilities.host.asset.name:"QK2K12QP3-65-53"
- Show any findings that match exact value "QK2K12QP3-65-53"
vulnerabilities.host.asset.name:`QK2K12QP3-65-53`
vulnerabilities.isIgnored
Use an integer value to find vulnerabilities that have been marked as ignored.
Example
Show vulnerabilities that are marked as ignored
vulnerabilities.isIgnored:TRUE
vulnerabilities.instance
Use a text value to find vulnerabilities found on a certain instance.
Example
Show vulnerabilities found in this instance
vulnerabilities.instance: oracle
vulnerabilities.lastFixedDate
Use a date range or specific date to define when findings were last fixed.
Examples
- Show findings last fixed within certain dates
vulnerabilities.lastFixedDate:[2015-10-21 ... 2016-01-15]
- Show findings last fixed starting 2016-01-01, ending 1 month ago
vulnerabilities.lastFixedDate:[2016-01-01 ... now-1M]
- Show findings last fixed starting 2 weeks ago, ending 1 second ago
vulnerabilities.lastFixedDate:[now-2w ... now-1s]
- Show findings last fixed on a certain date
vulnerabilities.lastFixedDate:'2016-01-11'
- Show findings last fixed within a certain number of days
vulnerabilities.lastFixedDate: [91..180]
vulnerabilities.lastFoundDate
Use a date range or specific date to define when findings were last found.
Examples
- Show findings last found within certain dates
vulnerabilities.lastFoundDate:[2015-10-21 ... 2016-01-15]
- Show findings last found starting 2016-01-01, ending 1 month ago
vulnerabilities.lastFoundDate:[2016-01-01 ... now-1M]
- Show findings last found starting 2 weeks ago, ending 1 second ago
vulnerabilities.lastFoundDate:[now-2w ... now-1s]
- Show findings last found on a certain date
vulnerabilities.lastFoundDate:'2016-01-11'
- Show findings last found within a certain number of days
vulnerabilities.lastFoundDate: [91..180]
- Show findings last found on 2017-01-12 with patch available
vulnerabilities: (lastFound:'2017-01-12' AND vulnerabilities.vulnerability.isPatchAvailable:TRUE)
vulnerabilities.nonExploitableConfig
Use the values true or false to define vulnerabilities with non-exploitable configurations.
Examples
- Show findings with non-exploitable configurations
vulnerabilities.nonExploitableConfig:TRUE
- Show findings with exploitable configurations
vulnerabilities.nonExploitableConfig:FALSE
vulnerabilities.nonRunningKernel
Use the values true or false to view vulnerabilities found on non-running kernels.
Examples
- Show detections found on non-running kernel
vulnerabilities.nonRunningKernel:TRUE
- Show detections found on running kernel
vulnerabilities.nonRunningKernel:FALSE
vulnerabilities.port
Use an integer value to find vulnerabilities found on a certain port.
Example
Show vulnerabilities found on this port
vulnerabilities.port:443
vulnerabilities.protocol
Use a text value UDP or TCP to define the port protocol.
Example
Show vulnerabilities found on TCP protocol
vulnerabilities.protocol:TCP
vulnerabilities.runningService
Use the values true or false to define vulnerabilities found on a non-exploitable port/service.
Examples
- Show vulnerabilities found on running service
vulnerabilities.runningService:TRUE
- Show vulnerabilities found on non-running service
vulnerabilities.nonexploitableService:FALSE
vulnerabilities.riskFactor.cisaKEVDueDate
Use a specific date to get the list of known exploited vulnerabilities whose remediation due date is as per the CISA Catalog. The date format used is yyyy-mm-dd.
Example
List the QIDs whose CISA Due Date is 3rd May 2022
vulnerabilities.riskFactor.cisaKEVDueDate:2022-05-03
vulnerabilities.riskFactor.isCisaKnownExploit
Use this token to get the list of QIDs impacted due to CISA Known Exploits. The token uses true or false as the input value.
Example
List the QIDs that are impacted due to CISA Known Exploit
vulnerabilities.riskFactor.isCisaKnownExploit:TRUE
vulnerabilities.riskFactor.threatActorName
Use a string as the input value to get the list of QIDs that are impacted by the threat actor.
Examples
List the QIDs that are impacted by the threat actor name Labyrinth Chollima
vulnerabilities.riskFactor.threatActorName:"Labyrinth Chollima"
List the QIDs that are impacted by the threat actor name Insiders
vulnerabilities.riskFactor.threatActorName:"Insiders"
List the QIDs that are impacted by the threat actor name Sensitive Information
vulnerabilities.riskFactor.threatActorName:"sensitive information"
List the QIDs that are impacted by the threat actor name Script Kiddies
vulnerabilities.riskFactor.threatActorName:"Script kiddies"
vulnerabilities.riskFactor.malwareName
Use a string as the input value to get the list of QIDs that are impacted by the malware name.
Example
List the QIDs that are impacted by the malware name TROJ_PDFKA.DQ
vulnerabilities.riskFactor.malwareName:"TROJ_PDFKA.DQ"
vulnerabilities.riskFactor.exploitCodeMaturity
Use this token to get the list of QIDs that can be exploited based on the existing state of exploit techniques and code availability.
From the drop-down, select the name of an exploit technique:
poc, weaponized
Example
List the QIDs exploited by Weaponized exploit code maturity technique
vulnerabilities.riskFactor.exploitCodeMaturity:"weaponized"
vulnerabilities.riskFactor.exploitType
Use a string as the input value to get the list of QIDs based on the type of exploits and their related vulnerabilities.
Example
List the QIDs that are exploited whose target vulnerabilities are in web applications
vulnerabilities.riskFactor.exploitType:"webapps"
vulnerabilities.riskFactor.exploitType:"shellcode"
vulnerabilities.riskFactor.exploitType:"remote"
vulnerabilities.riskFactor.rti
Use this token to get the list of QIDs with Real-Time Threat Indicators (RTI) related vulnerabilities.
Example
List the QIDs that are associated with the Denial of Service Real-Time Threat Indicator
vulnerabilities.riskFactor.rti:"Denial of Service"
vulnerabilities.riskFactor.trending
Use this token to get the list of QIDs that are trending within a specific date range. You can select the date range from the drop-down.
Example
Show trending vulnerabilities with their QIDs within a certain number of days
vulnerabilities.riskFactor.trending:[16..30]
vulnerabilities.ssl
Use the values true or false to define vulnerabilities found on secure socket layer (SSL).
Example
Show vulnerabilities associated with SSL
vulnerabilities.ssl:TRUE
vulnerabilities.severity
Use an integer value to view the severity level set by you to find assets having vulnerabilities. The severity level ranges between 1-5. Select from values in the drop-down menu. If you do not set the severity level, its level will be the same as the level set by Qualys.
Example
Show findings with severity 5
vulnerabilities.severity:5
For information about customer and Qualys severity, see Customer and Kb Severity Level.
vulnerabilities.status
From the drop-down, select a status (Active, Fixed, New, or Reopened) to find vulnerabilities with a certain status.
If you select the status as Fixed, the list will only show vulnerabilities that have been fixed in the last 365 days.
Example
Show vulnerabilities with New status
vulnerabilities.status:Fixed
vulnerabilities.hidePatchSuperseded
Use the boolean value True to generate the list of excluded superseded QIDs and show the latest patches.
Example
Show all the excluded superseded QIDs and the latest patches.
vulnerabilities.hidePatchSuperseded:True
vulnerabilities.ttr.firstFoundDate
Use the number of days to determine the findings based on the Total and First Found time to remediate. The token accepts range input as number of days. You can also customize the range input.
Examples
- Show vulnerability findings based on total and first found calculation
vulnerabilities.ttr.firstFoundDate:[61..90]
- Use a custom query to see the vulnerability findings based on total and first found calculation
vulnerabilities.ttr.firstFoundDate:[0..90]
vulnerabilities.tag.name
Use quotes or backticks within values to help you find the vulnerabilities tag.
Examples
- Show any findings related to this tag name
vulnerabilities.tag.name: Microsoft Security Update
- Show any findings that contain "Ubuntu" or "2021" in name
vulnerabilities.tag.name:"Ubuntu 2021"
- Show any findings that match exact value "centOS_security"
vulnerabilities.tag.name:`centOS_security`
This token is available only to limited customers (in Beta phase).
vulnerabilities.typeDetected
From the drop-down, select a detection type, such as Confirmed, Potential, or Information, to find assets with vulnerabilities of this type.
Example
Show findings with this type
vulnerabilities.typeDetected:Confirmed
vulnerabilities.authType
From the drop-down, select the name of an authentication type, such as WINDOWS_AUTH, UNIX_AUTH, or ORACLE_AUTH.
Example
Show findings with Windows auth type
vulnerabilities.authType:WINDOWS_AUTH
vulnerabilities.vulnerability.bugTraqId
Use a text value to find a BugTraq number.
Example
Show findings with BugTraq ID 22211
vulnerabilities.vulnerability.bugTraqId:22211
vulnerabilities.vulnerability.category
From the drop-down, select a category, such as `CGI`, `Database`, `DNS and BIND`, or `Custom QID`, to find vulnerabilities with this category.
Example
- Show findings with category `CGI`
vulnerabilities.vulnerability.category:`CGI`
vulnerabilities.vulnerability.compliance.description
Use quotes or backticks within values to help you find the compliance description.
Examples
- Show any findings related to this description
vulnerabilities.vulnerability.compliance.description:malicious software
- Show any findings that contain "malicious" or "software" in description
vulnerabilities.vulnerability.compliance.description:"malicious software"
- Show any findings that match exact value "malicious software"
vulnerabilities.vulnerability.compliance.description:`malicious software`
vulnerabilities.vulnerability.compliance.section
Use quotes or backticks within values to help you find the compliance section.
Examples
- Show any findings related to this section
vulnerabilities.vulnerability.compliance.section:164.308
- Show any findings that contain parts of section
vulnerabilities.vulnerability.compliance.section:"164.308"
- Show any findings that match exact value "164.308"
vulnerabilities.vulnerability.compliance.section:`164.308`
vulnerabilities.vulnerability.compliance.type
From the drop-down, select the name of a compliance type:
COBIT, HIPAA, GLBA, SOX, PCI
Examples
Show findings with the compliance type HIPAA
vulnerabilities.vulnerability.compliance.type:HIPAA
Show findings with the compliance type SOX
vulnerabilities.vulnerability.compliance.type:SOX
Show findings with the compliance type COBIT
vulnerabilities.vulnerability.compliance.type:COBIT
vulnerabilities.vulnerability.impact
Use quotes or backticks within values to find the impact.
Examples
- Show any findings related to impact
vulnerabilities.vulnerability.impact:sensitive information
- Show any findings that contain "identity" or "theft" in consequence
vulnerabilities.vulnerability.impact:"identity theft"
- Show any findings that match exact value "financial loss"
vulnerabilities.vulnerability.impact:`financial loss`
vulnerabilities.vulnerability.cveId
Use a text value to find the CVE name.
Example
Show findings with CVE name CVE-2015-0313
vulnerabilities.vulnerability.cveId:CVE-2015-0313
Note: The CVE in the query is case sensitive and must be written in uppercase.
vulnerabilities.vulnerability.cvss3BaseScore
Use an integer value to find the CVSSv3.1 base score.
Example
Show assets with this score
vulnerabilities.vulnerability.cvss3BaseScore:7.8
vulnerabilities.vulnerability.cvss3TemporalScore
Use an integer value to find the CVSSv3.1 temporal score.
Example
Show assets with this score
vulnerabilities.vulnerability.cvss3TemporalScore:6.4
vulnerabilities.vulnerability.cvss2AccessVector
Select the name of a CVSS2 access vector, for example, UNDEFINED, LOCAL_ACCESS, ADJACENT_NETWORK, NETWORK. Select from names in the drop-down menu.
Example
Show findings with this name
vulnerabilities.vulnerability.cvss2AccessVector:NETWORK
vulnerabilities.vulnerability.cvss2BaseScore
Use an integer value to help you find the CVSS2 base score.
Example
Show assets with this score
vulnerabilities.vulnerability.cvss2BaseScore:7.8
vulnerabilities.vulnerability.cvss2TemporalScore
Use an integer value to help you find the CVSS2 temporal score.
Example
Show assets with this score
vulnerabilities.vulnerability.cvss2TemporalScore:6.4
vulnerabilities.vulnerability.discoveryType
Select a discovery type (Remote or Authenticated) to find assets with vulnerabilities having this discovery type. Select from names in the drop-down menu.
Example
Show findings with Remote discovery type
vulnerabilities.vulnerability.discoveryType:REMOTE
vulnerabilities.vulnerability.exploitability
Use quotes or backticks within values to find the known exploit description.
Examples
Show any findings related to this description
vulnerabilities.vulnerability.exploitability:GIF Parser Heap
Show any findings that contain "GIF", "Parser" or "Heap" in description
vulnerabilities.vulnerability.exploitability:"GIF Parser Heap"
Show any findings that match exact value "GIF Parser Heap"
vulnerabilities.vulnerability.exploitability:`GIF Parser Heap`
vulnerabilities.vulnerability.flag
Use a text value to find the Qualys-defined vulnerability property, for example, REMOTE, WINDOWS_AUTH, UNIX_AUTH, PCI_RELATED, etc.
Example
Show findings with this flag
vulnerabilities.vulnerability.flag:PCI_RELATED
vulnerabilities.vulnerability.mitre.attack.tactic.id
Use the text value within quotes or backticks for the tactic ID that represents the why of the ATT&CK technique or sub-technique.
Example
Show findings with the Tactic ID TA0007
vulnerabilities.vulnerability.mitre.attack.tactic.id:`TA0007`
vulnerabilities.vulnerability.mitre.attack.tactic.name
Use the text value within quotes or backticks for the tactic name that represents its respective tactic ID.
Example
Show findings with the tactic name initial-access
vulnerabilities.vulnerability.mitre.attack.tactic.name:`initial-access`
vulnerabilities.vulnerability.mitre.attack.technique.id
Use the text value within quotes or backticks for the technique ID that represents how a tactical goal can be achieved.
Example
Show findings with the Technique ID T1562.010
vulnerabilities.vulnerability.mitre.attack.technique.id:"T1562.010"
vulnerabilities.vulnerability.mitre.attack.technique.name
Use the text value within quotes or backticks for the technique name that represents its respective technique ID.
Example
Show findings with the technique name Downgrade Attack
vulnerabilities.vulnerability.mitre.attack.technique.name:"Downgrade Attack"
vulnerabilities.vulnerability.isPatchAvailable
Use the values true | false to define vulnerabilities with patch available.
Examples
Show findings with patch available
vulnerabilities.vulnerability.isPatchAvailable:TRUE
Show findings with no patch available
vulnerabilities.vulnerability.isPatchAvailable:FALSE
vulnerabilities.vulnerability.isPCI
Use the values true | false to find vulnerabilities that must be fixed for PCI Compliance (per PCI DSS).
Examples
Show PCI vulnerabilities
vulnerabilities.vulnerability.isPCI:TRUE
Do not show PCI vulnerabilities
vulnerabilities.vulnerability.isPCI:FALSE
vulnerabilities.vulnerability.isRebootRequired
Use the values true | false to find vulnerabilities that need a reboot.
Example
Show vulnerabilities that need a reboot.
vulnerabilities.vulnerability.isRebootRequired: TRUE
vulnerabilities.vulnerability.qid
Use an integer value to define the QID in question.
Example
Show findings with QID 90405
vulnerabilities.vulnerability.qid: 90405
vulnerabilities.vulnerability.ransomware.name
Use quotes or backticks within values to help you find the ransomware name you're looking for. Quotes can be used when the value has more than one word.
Examples
Show findings with this name
vulnerabilities.vulnerability.ransomware.name: Locky
Show findings that match exact value
vulnerabilities.vulnerability.ransomware.name: Locky
vulnerabilities.vulnerability.scaTechnologies
Use the SCA technology values like Python or Java for listing vulnerabilities associated with assets on which any of the software components are identified.
Example
List the vulnerabilities that have SCA Technology as Python
vulnerabilities.vulnerability.scaTechnologies: Python
vulnerabilities.vulnerability.sans20Categories
Use a text value to find vulnerabilities in the SANS 20 category, for example, Anti-virus Software, Backup Software, etc.
Example
Show findings with this category name
vulnerabilities.vulnerability.sans20Categories:Media Players
vulnerabilities.vulnerability.severity
Use an integer value to view the severity level set by Qualys to find assets having vulnerabilities. The severity level ranges between 1-5. Select from values in the drop-down menu.
Example
Show findings with severity set by Qualys as 5
vulnerabilities.vulnerability.severity:5
For information about customer and Qualys severity, see Customer and Kb Severity Level.
vulnerabilities.vulnerability.solution
Use quotes or backticks within values to help you find the solution.
Examples
Show any findings related to this solution
vulnerabilities.vulnerability.solution:Bulletin MS10-006
Show any findings that contain parts of solution
vulnerabilities.vulnerability.solution:"Bulletin MS10-006"
Show any findings that match exact value "Bulletin MS10-006"
vulnerabilities.vulnerability.solution:`Bulletin MS10-006`
vulnerabilities.vulnerability.supportedBy.serviceName
Select a Qualys service (VM, Agent type, etc.) to show vulnerabilities that can be detected by this service. Select from names in the drop-down menu.
Example
Show vulnerabilities supported by Linux Agent
vulnerabilities.vulnerability.supportedBy.serviceName:CA-Linux Agent
vulnerabilities.vulnerability.title
Use quotes or backticks within values to help you find the title.
Examples
Show any findings related to this title
vulnerabilities.vulnerability.title:Remote Code Execution
Show any findings that contain "Remote" or "Code" in title
vulnerabilities.vulnerability.title:"Remote Code"
Show any findings that match exact value "Remote Code"
vulnerabilities.vulnerability.title:`Remote Code`
vulnerabilities.vulnerability.types
Select a detection type (e.g. Vulnerability, Potential, Information) to find assets with vulnerabilities of this type. Select from names in the drop-down menu.
Example
Show findings with this type
vulnerabilities.vulnerability.types:VULNERABILITY
vulnerabilities.vulnerability.vendorRef
Use a text value to find the vendor reference.
Example
Show this vendor reference
vulnerabilities.vulnerability.vendorRef:KB3021953
vulnerabilities.vulnerability.vendorProductName
Use a text value to find the vendor product name.
Example
Show findings with this vendor product name
vulnerabilities.vulnerability.vendorProductName:Windows
vulnerabilities.vulnerability.vendorName
Use a text value to find the vendor name.
Example
Show findings with this vendor name
vulnerabilities.vulnerability.vendorName:Adobe
vulnerabilities.nonExploitableKernel
Use the values true | false to define vulnerabilities that exist on non-exploitable kernels.
Example
Show findings on non-exploitable kernels
vulnerabilities.nonExploitableKernel:TRUE
vulnerabilities.nonExploitableService
Use the values true | false to define vulnerabilities that exist on non-exploitable services.
Example
Show findings on non-exploitable services
vulnerabilities.nonExploitableService:TRUE
vulnerabilities.vulnerability.patchReleasedDate
Use a date range or specific date to define when the patch was available.
Examples
Show findings last found within certain dates
vulnerabilities.vulnerability.patchReleasedDate:[2018-10-21 ... 2019-01-15]
Show findings last found starting 2020-01-01, ending 1 month ago
vulnerabilities.vulnerability.patchReleasedDate:[2020-01-01 ... now-1M]
Show findings last found starting 2 weeks ago, ending 1 second ago
vulnerabilities.vulnerability.patchReleasedDate:[now-2w ... now-1s]
Show findings last found on a certain date
vulnerabilities.vulnerability.patchReleasedDate:'2020-01-02'
vulnerabilities.timesFound
Show findings that were detected the specified number of times.
Example
Show findings last found 3 times
vulnerabilities.timesFound:3
vulnerabilities.vulnerability.kbAge
Select the number of days from the range (00..30, 31..60, 61..90, 91..180, 180..+) since the vulnerability was published by Qualys in the Knowledge Base. The kbAge is the published date for the QIDs. Select the number of days from the drop-down menu.
Example
Show findings/QIDs that were recently published (in the last 30 days)
vulnerabilities.vulnerability.kbAge:[00..30]
vulnerabilities.detectionAge
Select the number of days from the range (00..30, 31..60, 61..90, 91..180, 180..+) since the vulnerability was first detected (by a scanner or cloud agent) on the asset till the current date. The age is calculated irrespective of the vulnerability status.
Example
Show findings that were detected in the last 30 days.
vulnerabilities.detectionAge:[00..30]
vulnerabilities.vulnerability.description
Use quotes or backticks within values to help you find the vulnerability description.
Examples
Show any findings related to description
vulnerabilities.vulnerability.description:remote code execution
Show any findings that contain "remote" or "code" in description
vulnerabilities.vulnerability.description:"remote code execution"
Show any findings that match exact value "remote code execution"
vulnerabilities.vulnerability.description:`remote code execution`
vulnerabilities.vulnerability.list
Use a text value to find the vulnerability list of interest, for example, SANS_20, QUALYS_20, QUALYS_INT_10, QUALYS_EXT_10.
Example
Show findings with vulnerabilities in SANS Top 20
vulnerabilities.vulnerability.list:SANS_20
vulnerabilities.vulnerability.patches
Use an integer value to help you find the patch QID.
Example
Show assets with this patch QID
vulnerabilities.vulnerability.patches:90753
vulnerabilities.vulnerability.publishedDate
Use a date range or specific date to define when vulnerabilities were first published in the KnowledgeBase.
Examples
Show findings for vulnerabilities published within certain dates
vulnerabilities.vulnerability.publishedDate:[2015-10-21 ... 2016-01-15]
Show findings for vulnerabilities published starting 2017-01-01, ending 1 month ago
vulnerabilities.vulnerability.publishedDate:[2017-01-01 ... now-1M]
Show findings for vulnerabilities published starting 2 weeks ago, ending 1 second ago
vulnerabilities.vulnerability.publishedDate:[now-2w ... now-1s]
Show findings for vulnerabilities published on a certain date
vulnerabilities.vulnerability.publishedDate:'2018-01-15'
vulnerabilities.vulnerability.riskvulnerabilities.vulnerability.risk
Use an integer value to define the vulnerability risk rating. For confirmed and potential issues risk is 10 times severity, for information gathered it is severity.
Example
Show findings with risk 50
vulnerabilities.vulnerability.risk:50
vulnerabilities.vulnerability.qualysPatchablevulnerabilities.vulnerability.qualysPatchable
Use the values true | false to define that can be patched at Qualys.
Examples
Show vulnerabilities with patch available at Qualys
vulnerabilities.vulnerability.qualysPatchable: "true"
Show vulnerabilities with patch not available at Qualys
vulnerabilities.vulnerability.qualysPatchable: "false"
vulnerabilities.vulnerability.criticalityvulnerabilities.vulnerability.criticality
Select a criticality (e.g. "CRITICAL","HIGH","MEDIUM","LOW","NONE") to find assets with vulnerabilities of this type. Select from names in the drop-down menu.
If a QID does not have a CVSSv3 Base score, the CVSSv2 Base score takes the priority.
The following list of criticality defines the CVSS Score from 0.0 to 10.0:
- None: 0.0
- Low: 0.1-3.9
- Medium: 4.0-6.9
- High: 7.0-8.9
- Critical: 9.0-10.0
Examples
Show vulnerabilities with HIGH criticality
vulnerabilities.vulnerability.criticality: "HIGH"
vulnerabilities.vulnerability.updatedDate
Use a date range or specific date to define when vulnerabilities were last updated in the KnowledgeBase.
Examples
Show vulnerabilities last updated within certain dates
vulnerabilities.vulnerability.updatedDate:[2017-10-21 ... 2017-10-30]
Show vulnerabilities last updated starting 2017-11-01, ending 1 month ago
vulnerabilities.vulnerability.updatedDate:[2017-11-01 ... now-1M]
Show vulnerabilities last updated starting 2 weeks ago, ending 1 second ago
vulnerabilities.vulnerability.updatedDate:[now-2w ... now-1s]
Show vulnerabilities last updated on certain date
vulnerabilities.vulnerability.updatedDate:'2018-03-08'
vulnerabilities.mitigationDetected
Use this token to filter vulnerabilities where the "PCControl" mitigation has been detected.
Example
Show PCControl mitigated data
vulnerabilities.mitigationDetected:PCControl
vulnerabilities.isQualysPatchable
Use the values true | false to indicate whether Qualys can patch a detected vulnerability.
Example
Show findings with vulnerabilities that can be patched
vulnerabilities.isQualysPatchable:TRUE
vulnerabilities.isQualysMitigable
Use the values true | false to indicate whether Qualys can mitigate a detected vulnerability.
Example
Show findings with vulnerabilities that can be mitigated
vulnerabilities.isQualysMitigable:TRUE
This QQL is dependent on other modules. To use this QQL, ensure that all prerequisites are met.
Patch Management v3.0.0 and higher | Mitigation - v3.0 | ARSC Services - v1.10.0
vulnerabilities.mitigated.state
Use this token to filter vulnerabilities based on their mitigation status.
Example
Show vulnerabilities that have been completely fixed
vulnerabilities.mitigated.state:Complete
To use this token, contact your technical account manager.
vulnerabilities.mitigated.method
Use this token to filter and identify vulnerabilities based on the specific method used to mitigate them. From the drop-down, select a method: TruRiskMitigate, PCControl, TruRiskIsolate
Example
Show vulnerabilities mitigated by applying risk-based mitigation actions through the TruRisk approach
vulnerabilities.mitigated.method:TruRiskMitigate
Show vulnerabilities mitigated by implementing compliance controls or configurations as defined in the Policy Compliance module
vulnerabilities.mitigated.method:PCControl
Show vulnerabilities mitigated by isolating the associated asset or threat
vulnerabilities.mitigated.method:TruRiskIsolate
To use this token, contact your technical account manager.
vulnerabilities.isMitigated
Use the values true or false to filter vulnerabilities based on whether they have been mitigated.
Example
Show all mitigated vulnerabilities
vulnerabilities.isMitigated:true
To use this token, contact your technical account manager.
vulnerabilities.qualysMitigableType
Use the values fix or mitigate to filter vulnerabilities based on the type of mitigation that Qualys can recommend or facilitate. This token helps identify actionable vulnerabilities through specific Qualys features, such as patching, configuration changes, or compensating controls.
Example
Show all fix vulnerabilities
vulnerabilities.qualysMitigableType:Fix
vulnerabilities.riskAcceptance
Use the token to indicate different statuses for how a vulnerability is being handled or categorized.
You can choose from the following options: RISK_ACCEPTED, FALSE_POSITIVE
Example
Show vulnerabilities where associated risks have been accepted without immediate remediation
vulnerabilities.riskAcceptance:RISK_ACCEPTED
Show vulnerabilities that were identified as false positives, meaning they do not exist or were incorrectly flagged
vulnerabilities.riskAcceptance:FALSE_POSITIVE
To use this token, contact your technical account manager.
vulnerabilities.riskAcceptanceId
Use this token to see vulnerabilities associated with a unique identifier that links it to a corresponding risk acceptance record.
Example
Show vulnerabilities associated with RiskAcceptanceID 12345
vulnerabilities.riskAcceptanceId:12345
To use this token, contact your technical account manager.
vulnerabilities.vulnerability.threatIntel.isActiveAttack
Use the values true | false to define real-time threats due to active attacks.
Examples
Show assets with threats due to active attacks
vulnerabilities.vulnerability.threatIntel.isActiveAttack: true
Show assets that don't have threats due to active attack
vulnerabilities.vulnerability.threatIntel.isActiveAttack: false
vulnerabilities.vulnerability.threatIntel.isCisaKnownExploitedVuln
Use the values true | false to define real-time threats due to CISA Exploits.
Examples
Show assets with threats due to CISA exploit
vulnerabilities.vulnerability.threatIntel.isCisaKnownExploitedVuln: true
Show assets that don't have threats due to CISA exploit
vulnerabilities.vulnerability.threatIntel.isCisaKnownExploitedVuln: false
vulnerabilities.vulnerability.threatIntel.isEasyExploit
Use the values true | false to define real-time threats due to easy exploit.
Examples
Show assets with threats due to easy exploit
vulnerabilities.vulnerability.threatIntel.isEasyExploit: true
Show assets that don't have threats due to easy exploit
vulnerabilities.vulnerability.threatIntel.isEasyExploit: false
vulnerabilities.vulnerability.threatIntel.isHighDataLoss
Use the values true | false to define real-time threats due to high data loss.
Examples
Show assets with threats due to high data loss
vulnerabilities.vulnerability.threatIntel.isHighDataLoss: true
Show assets that don't have threats due to high data loss
vulnerabilities.vulnerability.threatIntel.isHighDataLoss: false
vulnerabilities.vulnerability.threatIntel.isHighLateralMovement
Use the values true | false to define real-time threats due to high lateral movement.
Examples
Show assets with threats due to high lateral movement
vulnerabilities.vulnerability.threatIntel.isHighLateralMovement: true
Show assets that don't have threats due to high lateral movement
vulnerabilities.vulnerability.threatIntel.isHighLateralMovement: false
vulnerabilities.vulnerability.threatIntel.isMalware
Use the values true | false to define real-time threats due to malware.
Examples
Show assets with threats due to malware
vulnerabilities.vulnerability.threatIntel.isMalware: true
Show assets that don't have threats due to malware
vulnerabilities.vulnerability.threatIntel.isMalware: false
vulnerabilities.vulnerability.threatIntel.hasNoPatch
Use the values true | false to define real-time threats due to no patch available.
Examples
Show assets with threats due to no patch available
vulnerabilities.vulnerability.threatIntel.hasNoPatch: true
Show assets that don't have threats due to no patch available
vulnerabilities.vulnerability.threatIntel.hasNoPatch: false
vulnerabilities.vulnerability.threatIntel.isPredictedHighRisk
Use the values true | false to define real-time threats due to predicted high risk.
Examples
Show assets with predicted high-risk threat
vulnerabilities.vulnerability.threatIntel.isPredictedHighRisk: true
Show assets without predicted high-risk threat
vulnerabilities.vulnerability.threatIntel.isPredictedHighRisk: false
vulnerabilities.vulnerability.threatIntel.isPrivilegeEscalation
Use the values true | false to define real-time threats due to privilege escalation risk.
Examples
Show assets with privilege escalation threat
vulnerabilities.vulnerability.threatIntel.isPrivilegeEscalation: true
Show assets without privilege escalation threat
vulnerabilities.vulnerability.threatIntel.isPrivilegeEscalation: false
vulnerabilities.vulnerability.threatIntel.isPublicExploit
Use the values true | false to define real-time threats due to public exploit.
Examples
Show assets with threats due to public exploit
vulnerabilities.vulnerability.threatIntel.isPublicExploit: true
Show assets that don't have threats due to public exploit
vulnerabilities.vulnerability.threatIntel.isPublicExploit: false
vulnerabilities.vulnerability.threatIntel.isRansomware
Use the values true | false to define real-time threats due to ransomware vulnerability.
Examples
Show assets with ransomware threat
vulnerabilities.vulnerability.threatIntel.isRansomware: true
Show assets not linked to ransomware threat
vulnerabilities.vulnerability.threatIntel.isRansomware: false
vulnerabilities.vulnerability.threatIntel.isRemoteCodeExecution
Use the values true | false to define real-time threats due to remote code execution risk.
Examples
Show assets with remote code execution threat
vulnerabilities.vulnerability.threatIntel.isRemoteCodeExecution: true
Show assets without remote code execution threat
vulnerabilities.vulnerability.threatIntel.isRemoteCodeExecution: false
vulnerabilities.vulnerability.threatIntel.isSolorigateSunburst
Use the values true | false to filter real-time threats due to Solorigate/Sunburst risk.
Examples
Show assets impacted by Solorigate/SUNBURST-related threat
vulnerabilities.vulnerability.threatIntel.isSolorigateSunburst: true
Show assets not impacted by Solorigate/SUNBURST
vulnerabilities.vulnerability.threatIntel.isSolorigateSunburst: false
vulnerabilities.vulnerability.threatIntel.isUnauthenticatedExploitation
Use the values true | false to define real-time threats due to unauthenticated exploitation risk.
Examples
Show assets with unauthenticated exploitation vulnerabilities
vulnerabilities.vulnerability.threatIntel.isUnauthenticatedExploitation: true
Show assets requiring authentication to exploit
vulnerabilities.vulnerability.threatIntel.isUnauthenticatedExploitation: false
vulnerabilities.vulnerability.threatIntel.isWormable
Use the values true | false to define real-time wormable threats.
Examples
Show assets with wormable vulnerabilities
vulnerabilities.vulnerability.threatIntel.isWormable: true
Show assets without wormable vulnerabilities
vulnerabilities.vulnerability.threatIntel.isWormable: false
vulnerabilities.vulnerability.threatIntel.isZeroDay
Use the values true | false to define real-time threats due to zero day exploit.
Examples
Show assets with threats due to zero day exploit
vulnerabilities.vulnerability.threatIntel.isZeroDay: true
Show assets not affected by zero-day exploit
vulnerabilities.vulnerability.threatIntel.isZeroDay: false
vulnerabilities.vulnerability.threatIntel.denialOfService
Use the values true | false to define real-time threats due to denial of service.
Examples
Show assets with threats due to denial of service
vulnerabilities.vulnerability.threatIntel.denialOfService: true
Show assets that don't have threats due to denial of service
vulnerabilities.vulnerability.threatIntel.denialOfService: false
vulnerabilities.hostOS
Use quotes or backticks within values to help you find the host operating system.
Examples
Show any findings with this OS name
vulnerabilities.hostOS:Windows 2012
Show any findings that contain components of OS name
vulnerabilities.hostOS:"Windows 2012"
Show any findings that match exact value "Windows 2012"
vulnerabilities.hostOS:`Windows 2012`
vulnerabilities.vulnerability.pci
Use the values true | false to find vulnerabilities that must be fixed for PCI Compliance (per PCI DSS).
Examples
Show PCI-related vulnerabilities
vulnerabilities.vulnerability.pci: true
Show non-PCI vulnerabilities
vulnerabilities.vulnerability.pci: false
vulnerabilities.vulnerability.supportedBy
Select a Qualys service (VM, Agent type, etc) to show vulnerabilities that can be detected by this service. Select from names in the drop-down menu.
Examples
Show vulnerabilities supported by Linux Agent
vulnerabilities.vulnerability.supportedBy:CA-Linux Agent
vulnerabilities.vulnerability.threatIntel.exploitKit
Use the values true | false to define real-time threats due to the exploit kit.
Examples
Show assets with threats due to exploit kit
vulnerabilities.vulnerability.threatIntel.exploitKit: true
Show assets that don't have threats due to exploit kit
vulnerabilities.vulnerability.threatIntel.exploitKit: false
vulnerabilities.vulnerability.threatIntel.exploitKitName
Use quotes or backticks within values to help you find the exploit kit name. Quotes can be used when the value has more than one word.
Examples
Show any findings with this name
vulnerabilities.vulnerability.threatIntel.exploitKitName: Angler
Show any findings that match the exact value
vulnerabilities.vulnerability.threatIntel.exploitKitName: `Angler`
vulnerabilities.vulnerability.threatIntel.malwareName
Use quotes or backticks within values to help you find the malware name. Quotes can be used when the value has more than one word.
Examples
Show any findings with this name
vulnerabilities.vulnerability.threatIntel.malwareName: TROJ_PDFKA.DQ
Show any findings that match exact value
vulnerabilities.vulnerability.threatIntel.malwareName: `TROJ_PDFKA.DQ`
vulnerabilities.vulnerability.threatIntel.publicExploitName
Use quotes or backticks within values to help you find the public exploit name of interest. Quotes can be used when the value has more than one word.
Examples
Show any findings with this name
vulnerabilities.vulnerability.threatIntel.publicExploitName: RealVNC NULL Authentication Mode Bypass
Show any findings that contain parts of the name
vulnerabilities.vulnerability.threatIntel.publicExploitName: "RealVNC NULL Authentication Mode Bypass"
Show any findings that match the exact value
vulnerabilities.vulnerability.threatIntel.publicExploitName: `RealVNC NULL Authentication Mode Bypass`
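When queries are assembled from variables (for example in a reporting script), the three value styles (bare, quotes, backticks) and the date-range syntax shown on this page can be generated and validated before the query is submitted. The following Python helper is an added example, not Qualys code: the function names `term`, `date_range`, `all_of` and `triage_query` are hypothetical, and the character checks are a precaution assumed here rather than a documented QQL rule.

```python
import re
from datetime import date

TOKEN = re.compile(r"vulnerabilities(\.[A-Za-z]+)+")
# Relative dates exactly as the page writes them: now-1M, now-2w, now-1s.
RELATIVE = re.compile(r"now-\d+[Mws]")
STYLES = {"bare": "{}", "parts": '"{}"', "exact": "`{}`"}

def _token(name):
    if not TOKEN.fullmatch(name):
        raise ValueError(f"not a vulnerabilities.* token: {name!r}")
    return name

def term(token, value, style="bare"):
    """token:value, token:"value" (contains parts) or token:`value` (exact)."""
    value = str(value)
    # Precaution (assumption, not a documented QQL rule): refuse input that
    # could close the quoting early or smuggle in its own and/or operator.
    if re.search(r'["`\[\]\n]', value):
        raise ValueError(f"unsafe character in value: {value!r}")
    if style == "bare" and re.search(r"\b(and|or)\b", value, re.I):
        raise ValueError(f"operator word in bare value: {value!r}")
    return f"{_token(token)}:{STYLES[style].format(value)}"

def _date(text):
    if RELATIVE.fullmatch(text):
        return text
    if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", text):
        raise ValueError(f"expected YYYY-MM-DD or now-<n><M|w|s>: {text!r}")
    date.fromisoformat(text)  # rejects impossible dates such as 2017-02-30
    return text

def date_range(token, start, end):
    return f"{_token(token)}:[{_date(start)} ... {_date(end)}]"

def all_of(*terms):
    return " and ".join(terms)

def triage_query():
    """Constructed query: KEV-listed, patchable, published in the last month."""
    ti = "vulnerabilities.vulnerability.threatIntel."
    return all_of(
        term(ti + "isCisaKnownExploitedVuln", "true"),
        term("vulnerabilities.isQualysPatchable", "TRUE"),
        date_range("vulnerabilities.vulnerability.publishedDate", "now-1M", "now-1s"),
    )
```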