Old and New Search Token Mappings
The Qualys Query Language (QQL) search tokens are now standardized to follow a common naming convention.
The new token format follows the syntax: file.updatedBy.username
For example, in the new token file.createdDate, file is the entity, and createdDate is the attribute.
The Incidents, Alerts, Events, Advanced Hunting, Assets, Exception Rules, Forensics, and Profiles tokens, along with the tokens common to all Qualys applications, are now updated.
Only the new tokens are displayed in the auto-suggestions of the search bars within the UI. Old token names are no longer shown in the UI, but a QQL query still works if you type an old token name manually.
The existing Dashboard widgets and Saved Search Queries will continue to support the old tokens. You can edit search queries and widgets to use the new tokens.
The following lists map the old tokens to the new tokens:
Advanced Hunting Search Tokens
| Old Token Name | New Token Name |
| --- | --- |
| query.userid | query.userId |
| query.isfavourite | query.isFavourite |
Alerts Search Tokens
| Old Token Name | New Token Name |
| --- | --- |
| asset.agentid | agent.id |
| action | event.action |
| asset.tags.name | asset.tag.name |
| netbiosname | asset.netbiosName |
| platform | agent.platform |
| file.created | file.createdDate |
| file.fullpath | file.fullPath |
| file.properties.certificate.signed | file.properties.certificate.isSigned |
| file.properties.certificate.signeddate | file.properties.certificate.signedDate |
| file.properties.certificate.valid | file.properties.certificate.isValid |
| process.processfile.certificate.hash | process.processFile.certificate.hash |
| process.processfile.certificate.issuer | process.processFile.certificate.issuer |
| process.processfile.certificate.signed | process.processFile.certificate.isSigned |
| process.processfile.certificate.signeddate | process.processFile.certificate.signedDate |
| process.processfile.certificate.valid | process.processFile.certificate.isValid |
| file.lastmodifiedby | file.updatedBy.username |
| file.creatingapplication | file.creatingApplication |
| file.numofpages | file.numOfPages |
| file.ismacroembedded | file.isMacroEmbedded |
| file.nonpefile | file.nonPEFile |
| file.pdf.embeddedfile | file.pdf.embeddedFile |
| file.pdf.openaction | file.pdf.openAction |
| system.eventid | system.eventId |
| malware.category | incident.malware.category |
| malware.family | incident.malware.family |
| network.local.address.ip | network.local.ipAddress |
| network.local.address.port | network.local.port |
| network.remote.address.fqdn | network.remote.fqdn |
| network.remote.address.ip | network.remote.ipAddress |
| network.remote.address.port | network.remote.port |
| process.elevated | process.isElevated |
| process.image.fullpath | process.image.fullPath |
| process.parentname | process.parentName |
| process.parentpid | process.parentPid |
| process.started | process.startedDate |
| process.terminated | process.terminatedDate |
| type | event.type |
| event.scoresource | event.scoreSource |
| operatingsystem.fullname | operatingSystem.fullName |
| process.processfile.certificate.subject | process.processFile.certificate.subject |
| process.processfile.sha256 | process.processFile.sha256 |
| process.processfile.md5 | process.processFile.md5 |
| indicator.severityscore | indicator.severityScore |
| indicator.threatfeed | indicator.threatFeed |
| parent.name | process.parent.name |
| parent.pid | process.parent.pid |
| parent.imagepath | process.parent.imagePath |
| parent.event.id | process.parent.event.id |
| yara.ruleName | incident.yara.ruleName |
| parent.iscertificateexists | process.parent.isCertificateExists |
| parent.iscertificatevalid | process.parent.isCertificateValid |
| event.isdetectedbyepp | event.isDetectedByEpp |
| event.threatname | event.threatName |
| event.detectiontype | event.detectionType |
| event.antiransomware.attacktype | event.antiRansomware.attackType |
| parent.productname | process.parent.productName |
| process.productname | process.productName |
| process.iscertificateexists | process.isCertificateExists |
| response.user | response.username |
| response.userid | response.userId |
| response.priorscore | response.priorscore |
| response.statusmessage | response.statusMessage |
Assets Search Tokens
| Old Token Name | New Token Name |
| --- | --- |
| asset.agentid | agent.id |
| asset.platform | agent.platform |
| asset.operatingsystem | operatingSystem.name |
| isantimalwareenabled | antiMalware.isEnabled |
| asset.tags.name | asset.tag.name |
| antimalware.status | antiMalware.status |
| antimalware.status.category | antiMalware.statusCategory |
| antimalware.productversion | antiMalware.productVersion |
| antimalware.enginesversion | antiMalware.engineVersion |
| antimalwareerrorcode | antiMalware.errorCode |
| antimalware.scanstatus | antiMalware.scanStatus |
| antimalware.lastscandone | antiMalware.lastScanDate |
| antimalware.lastreportedtime | antiMalware.lastReportedTime |
| interfaces.address | asset.interface.address |
| asset.score.criticality | asset.criticalityScore |
| antimalwareprofile.name | antiMalware.profileName |
| asset.createdon | asset.createdDate |
| asset.edractivatedon | asset.edrActivationDate |
| asset.lastupdatedtime | asset.lastUpdatedDate |
| asset.lastreportedtime | asset.lastReportedTime |
| asset.tags.id | asset.tag.id |
| antimalwareprofile.id | antiMalware.profileId |
| antimalwareworkflow | antiMalware.workflow |
| assettype | asset.type |
| isantimalwareuptodate | antiMalware.isUpToDate |
| asset.avprofile.name | asset.avProfile.name |
| thirdparty.prodname | antiMalware.supportedProductNameByTPRT |
| thirdparty.prodversion | antiMalware.supportedProductVersionByTPRT |
| thirdparty.prodvendor | antiMalware.supportedProductVendorByTPRT |
| thirdparty.isuninstallsupported | antiMalware.isUninstallSupportedByTPRT |
| thirdparty.isremoved | antiMalware.isRemovedByTPRT |
| isrebootrequired | asset.isRebootRequired |
| asset.agentversion | agent.version |
| isedrenabled | asset.isEdrEnabled |
Events Search Tokens
| Old Token Name | New Token Name |
| --- | --- |
| response.user | response.username |
| response.userid | response.userId |
| response.priorscore | response.priorScore |
| response.statusmessage | response.statusMessage |
| event.phishingurl | event.phishingUrl |
| event.phishingtype | event.phishingType |
| event.threattype | event.threatType |
| event.fileactiontaken | event.fileActionTaken |
| event.filestate | event.fileState |
| event.networkurl | event.networkUrl |
| event.networkattacktechnique | event.networkAttackTechnique |
| event.antiexploittechnique | event.antiExploitTechnique |
| event.eppeventname | event.eppEventName |
| registry.value | registry.valueName |
| registry.data | registry.valueData |
| process.loadedmodule.name | process.loadedModule.name |
| process.loadedmodule.path | process.loadedModule.path |
| process.loadedmodule.fullpath | process.loadedModule.fullPath |
| process.loadedmodule.hash.md5 | process.loadedModule.hash.md5 |
| process.loadedmodule.hash.sha256 | process.loadedModule.hash.sha256 |
| action | event.action |
| asset.agentId | agent.id |
| asset.hostName | asset.hostname |
| asset.tags.name | asset.tag.name |
| netbiosname | asset.netbiosName |
| platform | agent.platform |
| file.created | file.createdDate |
| file.properties.certificate.signed | file.properties.certificate.isSigned |
| file.properties.certificate.signeddate | file.properties.certificate.signedDate |
| file.properties.certificate.valid | file.properties.certificate.isValid |
| process.processfile.certificate.hash | process.processFile.certificate.hash |
| process.processfile.certificate.issuer | process.processFile.certificate.issuer |
| process.processfile.certificate.signed | process.processFile.certificate.isSigned |
| process.processfile.certificate.signeddate | process.processFile.certificate.signedDate |
| process.processfile.certificate.valid | process.processFile.certificate.isValid |
| file.creatingapplication | file.creatingApplication |
| file.numofpages | file.numOfPages |
| file.ismacroembedded | file.isMacroEmbedded |
| file.nonpefile | file.nonPEFile |
| file.pdf.embeddedfile | file.pdf.embeddedFile |
| file.pdf.openaction | file.pdf.openAction |
| file.shortcutfiletarget | file.shortcutFileTarget |
| file.originalfilename | file.originalFilename |
| system.eventid | system.eventId |
| malware.category | incident.malware.category |
| malware.family | incident.malware.family |
| network.local.address.ip | network.local.ipAddress |
| network.local.address.port | network.local.port |
| network.remote.address.fqdn | network.remote.fqdn |
| network.remote.address.ip | network.remote.ipAddress |
| network.remote.address.port | network.remote.port |
| network.connectionid | network.connectionId |
| network.indata.size | network.inData.size |
| network.outdata.size | network.outData.size |
| network.http.responseheader | network.http.responseHeader |
| network.http.responsecoder | network.http.responseCode |
| network.ftp.serverip | network.ftp.serverIp |
| process.elevated | process.isElevated |
| process.parentname | process.parentName |
| process.started | process.startedDate |
| process.terminated | process.terminatedDate |
| process.originalfilename | process.originalFileName |
| process.currentdirectory | process.currentDirectory |
| type | event.type |
| event.scoresource | event.scoreSource |
| event.hasapihook | event.hasApiHook |
| event.apiname | event.apiName |
| operatingsystem.fullname | operatingSystem.fullName |
| process.processfile.certificate.subject | process.processFile.certificate.subject |
| process.processfile.sha256 | process.processFile.sha256 |
| process.processfile.md5 | process.processFile.md5 |
| indicator.severityscore | indicator.severityScore |
| indicator.threatfeed | indicator.threatFeed |
| parent.name | process.parent.name |
| parent.pid | process.parent.pid |
| parent.imagepath | process.parent.imagePath |
| parent.event.id | process.parent.event.id |
| parent.integritylevel | process.parent.integrityLevel |
| parent.sid | process.parent.sid |
| parent.originalfilename | process.parent.originalFilename |
| yara.ruleName | incident.yara.ruleName |
| session.name | event.session.name |
| session.username | event.session.username |
| session.userid | event.session.userId |
| parent.iscertificateexists | process.parent.isCertificateExists |
| parent.iscertificatevalid | process.parent.isCertificateValid |
| event.isdetectedbyepp | event.isDetectedByEpp |
| event.threatname | event.threatName |
| event.detectiontype | event.detectionType |
| event.antiransomware.attacktype | event.antiRansomware.attackType |
| parent.productname | process.parent.productName |
| process.productname | process.productName |
| process.accessmask | process.accessMask |
| process.duplicatehandle | process.duplicateHandle |
| process.action.processname | process.action.processName |
| process.action.processid | process.action.processId |
| process.action.parentprocessid | process.action.parentProcessId |
| process.action.userid | process.action.userId |
| process.action.imagepath | process.action.imagePath |
| process.action.integritylevel | process.action.integrityLevel |
| process.action.uniqueid | process.action.uniqueId |
| creator.processid | process.creator.processId |
| creator.processname | process.creator.processName |
| creator.threadid | process.creator.threadId |
| creator.imagepath | process.creator.imagePath |
| creator.uniqueid | process.creator.uniqueId |
| creator.username | process.creator.username |
| creator.usersid | process.creator.usersId |
| creator.iscertificateexists | process.creator.isCertificateExists |
| creator.iscertificatevalid | process.creator.isCertificateValid |
| creator.productname | process.creator.productName |
| creator.integritylevel | process.creator.integrityLevel |
| creator.sid | process.creator.sid |
| creator.originalfilename | process.creator.originalFilename |
| remotethread.id | remoteThread.id |
| remotethread.creatorthreadid | remoteThread.creatorThreadId |
| process.iscertificateexists | process.isCertificateExists |
| device.connectiontype | device.connectionType |
| file.lastmodifiedby | file.updatedBy.username |
| file.fullpath | file.fullPath |
| process.image.fullpath | process.image.fullPath |
| process.parentpid | process.parentPid |
Forensics Search Tokens
| Old Token Name | New Token Name |
| --- | --- |
| asset.agentid | agent.id |
| request.requesttime | request.requestTime |
| request.expirytime | request.expiryTime |
| request.userid | request.userId |
| request.incidentnumber | request.incidentNumber |
| request.logtype | request.logType |
Incidents Search Tokens
| Old Token Name | New Token Name |
| --- | --- |
| incident.asset.agentid | agent.id |
| incident.asset.hostname | asset.hostname |
| incident.asset.name | asset.name |
| asset.operatingsystem | operatingSystem.name |
| incident.severityscore | incident.severityScore |
| incident.yara.rulename | incident.yara.ruleName |
| incident.updatedon | incident.updatedDate |
| incident.platform | agent.platform |
| incident.hasantiransomwaredetection | incident.hasAntiRansomwareDetection |
| incident.scoresource | incident.scoreSource |
Profiles Search Tokens
| Old Token Name | New Token Name |
| --- | --- |
| name | profile.name |
| description | profile.description |
| ondemandscan.isscheduledrunenabled | profile.onDemandScan.isScheduledRunEnabled |
| fileScan.isenabled | profile.fileScan.isEnabled |
| behaviour.isenabled | profile.behaviour.isEnabled |
| assetcount | profile.assetCount |
| isdefaultprofile | profile.isDefaultProfile |
| profile.createdby.userid | profile.createdBy.userId |
| profile.createdby.name | profile.createdBy.username |
Remediation Search Tokens
| Old Token Name | New Token Name |
| --- | --- |
| asset.agentid | agent.id |
| platform | platform.type |
| rulename | rule.name |
| jobname | job.name |
| response.userid | response.userId |
| indicator.severityscore | indicator.severityScore |
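
Saved search queries and widget queries that still use old tokens can be rewritten with the mappings above. The following Python sketch is an added example, not Qualys code: it uses a few rows copied from the Alerts table and assumes queries have the shape `token:value`, with values optionally in double quotes or backticks. The function name, the sample query, and its values are constructed for illustration.

```python
import re

# A few rows copied from the Alerts Search Tokens table (old -> new).
ALERTS_MAP = {
    "type": "event.type",
    "action": "event.action",
    "platform": "agent.platform",
    "parent.name": "process.parent.name",
    "process.elevated": "process.isElevated",
    "file.fullpath": "file.fullPath",
    "network.remote.address.ip": "network.remote.ipAddress",
    "malware.family": "incident.malware.family",
}

# Assumption: a token is a dotted name directly followed by ':'.
# Quoted/backticked values are matched first so text inside them is skipped.
QUOTED = r'"[^"]*"|`[^`]*`'
TOKEN = r'(?<![\w.])([A-Za-z][\w.]*)(?=\s*:)'
SCANNER = re.compile(f'({QUOTED})|{TOKEN}')


def migrate_query(query, mapping):
    """Return (rewritten_query, [(old, new), ...]) for one query string."""
    changed = []

    def swap(match):
        if match.group(1) is not None:
            return match.group(1)       # quoted value: leave untouched
        token = match.group(2)
        new = mapping.get(token)        # whole-token match only, so the
        if new is None:                 # already-migrated process.parent.name
            return token                # is never rewritten via parent.name
        changed.append((token, new))
        return new

    return SCANNER.sub(swap, query), changed


# Constructed sample query; the values are illustrative only.
SAMPLE = ('type:FILE and action:CREATED and parent.name:"type:x.exe" '
          'and not process.elevated:true')

if __name__ == "__main__":
    rewritten, changes = migrate_query(SAMPLE, ALERTS_MAP)
    print(rewritten)
    for old, new in changes:
        print(f"  {old} -> {new}")
```

The returned change list doubles as an audit record of which saved queries still relied on old token names; running the function on an already migrated query returns it unchanged with an empty list.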