

How to Search

Search by Field | String matching | Exact matching | Full Text Search | Suffix matching | Is Null Queries | Range searches | Date searches | Multiple values (In, Not In) | Boolean operators | Nested Queries

Search by Field

Enter the field name, then a colon, then your query. Nested fields are dot separated.


openPorts.port: 80

accounts.username: administrator

operatingSystem: win*

String matching

Use single quotes or double quotes around your query to match a string. Your results will include any asset that contains the string.


tags.name: "Cloud Agent"

operatingSystem: 'Microsoft Windows'

vulnerabilities.vulnerability.title: "Remote Code Execution Vulnerability"

Exact matching

Use backticks to exactly match a string. Your results will include any asset with the EXACT value returned.


operatingSystem: `Windows 7 Ultimate Service Pack 1`

interfaces.hostname: `xpsp2-jp-26-111`

Full Text Search

Many asset fields containing text allow you to use full text search and advanced search capabilities.


Show any findings related to this title

vulnerabilities.vulnerability.title: Remote Code Execution

Show any findings that contain "Remote" or "Code" in title

vulnerabilities.vulnerability.title: "Remote Code"

Show any findings that match exact value "Remote Code"

vulnerabilities.vulnerability.title: `Remote Code`

Show any findings that match nested query. Both sub fields must match in order for an asset to be returned.

vulnerabilities.vulnerability: (title: `Remote Code` AND patchAvailable: "true")

Suffix matching

Suffix matching is supported when searching assets (on your Assets list) for the fields "name", "tags.name" and "netbiosName". Match asset values "ending in" a string you specify - using a string that starts with *. Matches are case insensitive.

Example: This query matches assets with an asset name ending in "53" like QK2K12QP3-65-53.


Example: This query matches assets with tag names ending in "region east" like Region East, region east, Region EAST.

tags.name:*Region East


Suffix matching is also supported for the field "interfaces.hostname" but the syntax is different.

Example: These queries match assets with the hostname "T100.qualys.corp.com".




Is Null Queries

Want to match an empty/null value for a field? You'll need to remove the colon and then write "is null". For example, quickly find assets where the OS has not been identified.


operatingSystem is null

interfaces.macAddress is null

aws.ec2.accountId is null

Range searches

Specify a range as lower .. upper, enclosed in () and/or []: a parenthesis excludes the bound next to it and a square bracket includes it. This is supported for numeric and date fields.


openPorts.port:(123 .. 1234)  // Greater than but not equal to 123 and less than but not equal to 1234.

openPorts.port:(123 .. 1234]  // Greater than but not equal to 123 and less than or equal to 1234.

openPorts.port:[123 .. 1234)  // Greater than or equal to 123 and less than but not equal to 1234.

openPorts.port:[123 .. 1234]  // Greater than or equal to 123 and less than or equal to 1234.

openPorts.port > 123  // Greater than 123.

openPorts.port >= 123  // Greater than or equal to 123.

openPorts.port < 1234  // Less than 1234.

openPorts.port <= 1234  // Less than or equal to 1234.

vulnerabilities.firstFound: [2015-01-01 .. 2015-04-01]  // Between January 1st and April 1st 2015.
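The bracket rules above, worked through as an added example (not code from the product or its documentation): a small Python parser for the range expression that reports whether a value falls inside it. The function names are hypothetical, and only integer and YYYY-MM-DD bounds are handled, so relative date variables such as now-3d are rejected.

```python
import re
from datetime import date

# "[" / "]" include the adjacent bound, "(" / ")" exclude it.
_RANGE = re.compile(r'^\s*([\[(])\s*(.+?)\s*\.\.\s*(.+?)\s*([\])])\s*$')


def _coerce(text):
    """Turn a bound into an int or a date (YYYY-MM-DD); quotes are optional."""
    text = text.strip('"\'')
    try:
        return int(text)
    except ValueError:
        return date.fromisoformat(text)  # raises ValueError for anything else


def parse_range(expr):
    """Return (lower, lower_inclusive, upper, upper_inclusive)."""
    m = _RANGE.match(expr)
    if not m:
        raise ValueError(f"not a range expression: {expr!r}")
    open_b, lo, hi, close_b = m.groups()
    lo, hi = _coerce(lo), _coerce(hi)
    if type(lo) is not type(hi) or lo > hi:
        raise ValueError(f"bounds are mixed or reversed: {expr!r}")
    return lo, open_b == "[", hi, close_b == "]"


def in_range(expr, value):
    """True if value satisfies the range, honouring each bracket type."""
    lo, lo_inc, hi, hi_inc = parse_range(expr)
    above = value >= lo if lo_inc else value > lo
    below = value <= hi if hi_inc else value < hi
    return above and below


if __name__ == "__main__":
    # Constructed checks using the port bounds from the examples above.
    for expr in ("(123 .. 1234)", "(123 .. 1234]", "[123 .. 1234)", "[123 .. 1234]"):
        print(expr, "123:", in_range(expr, 123), "1234:", in_range(expr, 1234))
```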

Date searches

Use a date range [start date .. end date] or a specific date. Several date variables are also available.


updated: "2017-11-20"

updated <= "2017-11-20"

updated: ["2017-11-20" .. "2017-11-24"]

updated: [now-3d .. now-1s]

Match multiple values

Use a bracketed, comma-separated list to match a field against several values ("In"), or prefix the query with NOT to exclude them ("Not In"). Available for all fields except analyzed fields (i.e. full text search fields).

Example: Find assets with at least one of these three CVE IDs:

vulnerabilities.vulnerability.cveIds:[CVE-2003-0818 , CVE-2002-0126 , CVE-1999-1058]

Example: Find assets with vulnerabilities not first found on date: 2016-08-31 or 2016-09-12

NOT vulnerabilities.firstFound: ["2016-08-31","2016-09-12"]

Supported date formats:

YYYY example: vulnerabilities.firstFound:["2016","2015"]  // in 2015 or 2016

YYYY-MM example: vulnerabilities.firstFound:["2016-08","2015-07"]  // in month of Aug 2016 or Jul 2015

YYYY-MM-DD example: vulnerabilities.firstFound:["2016-08-31","2016-08-30"]  // on one of exact dates

Analyzed fields (i.e. full text search fields) are not supported such as:




Boolean Operators

Use keywords AND, OR, NOT to narrow or broaden your search.


operatingSystem: windows OR operatingSystem: linux

(operatingSystem: windows OR operatingSystem: linux) AND (openPorts.port: 80 OR openPorts.port: 8080)

AND NOT updated <= "2017-11-20"

Nested Queries

Use a single nested query, enclosed in parentheses, to apply conditions to multiple sub-fields of the same field, as in the examples below.

Example: Find vulnerabilities that are patchable and are confirmed

vulnerabilities: (vulnerability.patchAvailable: "true" AND typeDetected: "Confirmed")

Example: Find vulnerabilities that are patchable, have Easy Exploit RTI, and first found in the last 5 days:

vulnerabilities: (vulnerability.patchAvailable: "true" AND vulnerability.threatIntel.easyExploit: true AND firstFound > now-5d)

Example: Find assets on port 80 and TCP

openPorts: (port: 80 AND protocol: TCP)

Example: Find assets that have Windows Time service that is running

service: (name: Windows Time AND status: running)
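Why the nested form matters, as an added Python model (not the product's own code) run over constructed asset records: a nested query requires every condition to hold on the same list entry. The comparison with separate dotted-field clauses assumes those clauses are each evaluated across all entries of an asset, which this page does not state; all function names are hypothetical.

```python
# Constructed asset records; field names follow the queries on this page.
ASSETS = [
    {"name": "web-01", "openPorts": [{"port": 80, "protocol": "TCP"}]},
    {"name": "dns-01", "openPorts": [{"port": 80, "protocol": "UDP"},
                                      {"port": 53, "protocol": "TCP"}]},
    {"name": "db-01", "openPorts": [{"port": 5432, "protocol": "TCP"}]},
]


def flat_match(asset, list_field, conditions):
    """Assumed model of 'openPorts.port: 80 AND openPorts.protocol: TCP':
    each condition may be satisfied by a different list entry."""
    entries = asset.get(list_field, [])
    return all(any(e.get(k) == v for e in entries)
               for k, v in conditions.items())


def nested_match(asset, list_field, conditions):
    """Model of 'openPorts: (port: 80 AND protocol: TCP)':
    one single entry must satisfy every condition."""
    entries = asset.get(list_field, [])
    return any(all(e.get(k) == v for k, v in conditions.items())
               for e in entries)


def search(assets, matcher, list_field, conditions):
    """Names of the assets the given matcher accepts."""
    return [a["name"] for a in assets if matcher(a, list_field, conditions)]


def nested_qql(list_field, conditions):
    """Render the conditions in the nested-query syntax shown above."""
    inner = " AND ".join(f"{k}: {v}" for k, v in conditions.items())
    return f"{list_field}: ({inner})"


if __name__ == "__main__":
    wanted = {"port": 80, "protocol": "TCP"}
    print(nested_qql("openPorts", wanted))
    # dns-01 has port 80 (UDP) and a TCP port (53), but no 80/TCP entry.
    print("flat  :", search(ASSETS, flat_match, "openPorts", wanted))
    print("nested:", search(ASSETS, nested_match, "openPorts", wanted))
```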