Home

Looking for EDR search fields? Click here

 

How to Search

Search by Field | String matching | Exact matching | Full Text Search | Suffix matching | Is Null Queries | Range searches | Date searches | Multiple values (In, Not In) | Boolean operators | Nested Queries

Search by Field

Enter the field name, then a colon, then your query. Nested fields are dot separated.

Examples:

openPorts.port: 80

accounts.username: administrator

operatingSystem: win*

String matching

Use single quotes or double quotes around your query to match a string. Your results will include any asset that contains the string.

Examples:

tags.name: "Cloud Agent"

operatingSystem: 'Microsoft Windows'

vulnerabilities.vulnerability.title: "Remote Code Execution Vulnerability"

Exact matching

Use backticks to exactly match a string. Your results will include any asset with the EXACT value returned.

Examples:

operatingSystem: `Windows 7 Ultimate Service Pack 1`

interfaces.hostname: `xpsp2-jp-26-111`

Full Text Search

Many asset fields containing text allow you to use full text search and advanced search capabilities.

Examples:

Show any findings related to this title

vulnerabilities.vulnerability.title: Remote Code Execution

Show any findings that contain "Remote" or "Code" in title

vulnerabilities.vulnerability.title: "Remote Code"

Show any findings that match exact value "Remote Code"

vulnerabilities.vulnerability.title: `Remote Code`

Show any findings that match nested query. Both sub fields must match in order for an asset to be returned.

vulnerabilities.vulnerability: (title: `Remote Code` AND patchAvailable: "true")

Suffix matching

Suffix matching is supported when searching assets (on your Assets list) for the fields "name", "tags.name" and "netbiosName". Match asset values "ending in" a string you specify - using a string that starts with *. Matches are case insensitive.

Example: This query matches assets with an asset name ending in "53" like QK2K12QP3-65-53.

name:*53

Example: This query matches assets with tag names ending in "region east" like Region East, region east, Region EAST.

tags.name:*Region East

 

Suffix matching is also supported for the field "interfaces.hostname" but the syntax is different.

Example: These queries match assets with the hostname "T100.qualys.corp.com".

interfaces.hostname:com

interfaces.hostname:corp.com

interfaces.hostname:qualys.corp.com

Is Null Queries

Want to match an empty/null value for a field? You'll need to remove the colon and then write "is null". For example, quickly find assets where the OS has not been identified.

Examples:

operatingSystem is null

interfaces.macAddress is null

aws.ec2.accountId is null

Range searches

Ranges can be specified with the [lower .. upper] syntax using () and/or [] as follows. This is supported for numeric and date fields.

Examples:

openPorts.port:(123 .. 1234)  // Greater than but not equal to 123 and less than but not equal to 1234.

openPorts.port:(123 .. 1234]  // Greater than but not equal to 123 and less than or equal to 1234.

openPorts.port:[123 .. 1234)  // Greater than or equal to 123 and less than but not equal to 1234.

openPorts.port:[123 .. 1234]  // Greater than but or equal to 123 and less than or equal to 1234.

openPorts.port > 123  // Greater than 123.

openPorts.port >= 123  // Greater than or equal to 123.

openPorts.port < 1234  // Less than 1234.

openPorts.port <= 1234  // Less than or equal to 1234.

vulnerabilities.firstFound: [2015-01-01 .. 2015-04-01]  // Between January 1st and April 1st 2015.

Date searches

Use a date range [start date .. end date] or a specific date. Several date variables are also available.

Examples:

updated: "2017-11-20"

updated <= "2017-11-20"

updated: ["2017-11-20" .. "2017-11-24"]

updated: [now-3d .. now-1s]

Match multiple values

Use to match values "In" or "Not In" fields. Available for all fields except analyzed fields (i.e. full text search fields).

Example: Find assets with at least one of these three CVE IDs:

vulnerabilities.vulnerability.cveIds:[CVE-2003-0818 , CVE-2002-0126 , CVE-1999-1058]

Example: Find assets with vulnerabilities not first found on date: 2016-08-31 or 2016-09-12

NOT vulnerabilities.firstFound: ["2016-08-31","2016-09-12"]

Supported date formats:

YYYY example: vulnerabilities.firstFound:["2016","2015"]  // in 2015 or 2016

YYYY-MM example: vulnerabilities.firstFound:["2016-08","2015-07"]  // in month of Aug or Sept

YYYY-MM-DD example: vulnerabilities.firstFound:["2016-08-31","2016-08-30"]  // on one of exact dates

Analyzed fields (i.e. full text search fields) are not supported such as:

vulnerabilities.vulnerability.description

vulnerabilities.vulnerability.solution

vulnerabilities.vulnerability.consequence

Boolean Operators

Use keywords AND, OR, NOT to narrow or broaden your search.

Examples:

operatingSystem: windows OR operatingSystem: linux

(operatingSystem: windows OR operatingSystem: linux) AND (openPorts.port: 80 OR openPorts.port: 8080)

AND NOT updated <= "2017-11-20"

Nested Queries

Use a single nested query, using parentheses, to include multiple fields in your query per examples below.

Example: Find vulnerabilities that are patchable and are confirmed

vulnerabilities: (vulnerability.patchAvailable: "true" AND typeDetected: "Confirmed")

Example: Find vulnerabilities that are patchable, have Easy Exploit RTI, and first found in the last 5 days:

vulnerabilities: (vulnerability.patchAvailable: "true" AND vulnerability.threatIntel.easyExploit: true AND firstFound > now-5d)

Example: Find assets on port 80 and TCP

openPorts: (port: 80 AND protocol: TCP)

Example: Find assets that have Windows Time service that is running

service: (name: Windows Time AND status: running)