Search Tokens for Findings

You can use the search tokens in the Findings tab to refine your search results. The tokens are broadly classified into vulnerability/misconfiguration tokens and asset tokens.


Vulnerability/Misconfiguration Tokens

Use these tokens to define search criteria for vulnerabilities and misconfigurations.

finding.title

Use quotes or backticks within values to help you find the title. 

After the colon, enter the title. 

Examples

Show any findings related to this title:

finding.title: 'Remote Code Execution'

Show any findings that contain "Remote" or "Code" in title: 

finding.title: "Remote Code"

Show any findings that match the exact value "Remote Code":

finding.title: `Remote Code`

finding.description

Use quotes or backticks within values to help you find the finding with matching description. After the colon, enter the description.

Examples

Show any findings related to this description: 

finding.description: "Remote Code Execution"

Show any findings that contain "Remote" or "Code" in description:

finding.description: "Remote Code"

Show any findings that match the exact value "Remote Code": 

finding.description: `Remote Code`

finding.qds

Use an integer value (0-100) to help you find vulnerabilities based on a specific detection score. After the colon, enter the value.

Examples

Show vulnerabilities with detection score 80:

finding.qds:80

Show vulnerabilities with detection score greater than 80:

finding.qds: > 80

finding.subType

Select a finding type (Vulnerability, Misconfiguration, Malware, Compliance) to find findings of this type. Select from names in the drop-down menu.

Example

Show findings with this type:

finding.subType: Vulnerability

finding.typeDetected

Select a detection type (Confirmed, Potential, or Information) to search for findings of this type. Select from names in the drop-down menu.

Example

finding.typeDetected: confirmed

finding.sourceId

Use a text value to search for findings based on the ID used by the source vendor.

Examples

Show findings with the specified source ID

finding.sourceId:500034

finding.vendorName

Select a detection source (Wiz, Qualys, Microsoft) to search findings from the specified source. Select from names in the drop-down menu. 

Example

Show findings with this source.

finding.vendorName: Qualys

finding.severity

Use an integer value to view the severity level set by Qualys to search findings. The severity level ranges between 1-5. Select from values in the drop-down menu.

Example

Show findings with severity set by Qualys as 5:

finding.severity: 5

finding.status

Select a status (for example, Active, Fixed, New, or Reopened) to search findings with certain statuses. Select from names in the drop-down menu. If you select the status as Fixed, the list will only show vulnerabilities that have been fixed in the last 365 days.

Example

Show vulnerabilities with Fixed status:

finding.status: Fixed

finding.vendorProductName

Select a detection source's product name (for example, Nessus) to search findings with the product name of the detection source. Select from names in the drop-down menu.

Example

Show findings with the product name:

finding.vendorProductName:Nessus 

finding.vendorFindingId

Use a text value to search findings with the specified source finding ID (external ID). It is the unique ID of an instance of the finding.

Example

Show finding with this source finding id.

finding.vendorFindingId:9d7ef6e4-baed-47ba-99ec-a78a801f1e19 

finding.vendorUrl

Use quotes or backticks within values to help you find the finding with a matching URL.

Examples

Show any findings related to this url:

finding.vendorUrl:https://app.wiz.io 

Show any findings that contain "app" or "wiz" in url.

finding.vendorUrl:"app wiz" 

Show any findings that match exact value.

finding.vendorUrl:`https://app.wiz.io/explorer/vulnerability-findings#5e95ff50-5490-514e-87f7-11e56f3230ff` 

finding.discoveryType

Select a discovery type (Remote or Authenticated) to search findings having this discovery type. Select from names in the drop-down menu.

Example

Show findings with Remote discovery type:

finding.discoveryType:REMOTE

finding.firstFound

Use the date range or specific date to define when findings were first found.

Examples

Show findings first found within certain dates:

finding.firstFound:[2015-10-21 ... 2016-01-15] 

Show findings first found starting 2016-01-01, ending 1 month ago:

finding.firstFound:[2016-01-01 ... now-1M] 

Show findings first found starting 2 weeks ago, ending 1 second ago:

finding.firstFound:[now-2w ... now-1s] 

Show findings first found on a certain date:

finding.firstFound:'2016-01-11' 

Show findings first found within a certain number of days:

finding.firstFound:[91..180] 

finding.lastFound

Use the date range or specific date to define when findings were last found.

Examples

Show findings last found within certain dates:

finding.lastFound:[2015-10-21 ... 2016-01-15] 

Show findings last found starting 2016-01-01, ending 1 month ago:

finding.lastFound:[2016-01-01 ... now-1M] 

Show findings last found starting 2 weeks ago, ending 1 second ago:

finding.lastFound:[now-2w ... now-1s] 

Show findings last found on a certain date:

finding.lastFound:'2016-01-11' 

Show findings last found within a certain number of days:

finding.lastFound:[91..180] 

finding.reopened

Use the date range or specific date to define when findings were reopened.

Examples

Show findings reopened within certain dates:

finding.reopened:[2015-10-21 ... 2016-01-15] 

Show findings reopened starting 2016-01-01, ending 1 month ago:

finding.reopened:[2016-01-01 ... now-1M] 

Show findings reopened starting 2 weeks ago, ending 1 second ago:

finding.reopened:[now-2w ... now-1s] 

Show findings reopened on a certain date:

finding.reopened:'2016-01-11' 

Show findings reopened within a certain number of days:

finding.reopened:[91..180] 

finding.lastFixed

Use a date range or specific date to define when findings were last fixed.

Examples

Show findings last fixed within certain dates:

finding.lastFixed:[2015-10-21 ... 2016-01-15] 

Show findings last fixed starting 2016-01-01, ending 1 month ago:

finding.lastFixed:[2016-01-01 ... now-1M] 

Show findings last fixed starting 2 weeks ago, ending 1 second ago:

finding.lastFixed:[now-2w ... now-1s] 

Show findings last fixed on a certain date:

finding.lastFixed:'2016-01-11' 

Show findings last fixed within a certain number of days:

finding.lastFixed:[91..180] 

finding.port

Use an integer value to help you search findings discovered on a specific port.

Example

Show findings discovered on this port

finding.port:443

finding.protocol

Use a text value (UDP or TCP) to define the port protocol.

Example

Show findings discovered on TCP protocol

finding.protocol:TCP

 

finding.instance

Use a text value to search findings discovered on a certain instance.

Example

Show findings with the specified instance:

finding.instance:oracle

finding.applicationURL

Use a text value to search findings discovered on a certain application URL. 

Example

Show findings with the specified application URL:

finding.applicationURL:http://funkytown.vuln.qa.qualys.com/cassium/xss/

finding.ttr

Use the number of days to determine the findings based on the Total and First Found time to remediate. The token accepts range input as number of days. You can also customize the range input.

Examples

Show vulnerability findings based on the total and first found calculation:

finding.ttr:[61..90]

Use a custom query to see the vulnerability findings based on the total and first found calculation:

finding.ttr:[0..90]

finding.tags.name

Use a text value to search for findings based on tag names.

Example

Show findings with the specified tag name:

finding.tags.name: Wiz

finding.detectionAge

Select the number of days from the range (00..30, 31..60, 61..90, 91..180, 180..+) since the vulnerability was first detected (by a scanner or cloud agent) on the asset till the current date. The age is calculated irrespective of the vulnerability status.

Example

Show findings that were detected in the last 30 days.

finding.detectionAge:[00..30]

finding.riskFactor.exploitCodeMaturity

Select from the drop-down menu (poc, weaponized) to find vulnerabilities based on the maturity level of their exploit code.

Example

Show vulnerabilities with poc exploit code maturity:

finding.riskFactor.exploitCodeMaturity: poc

finding.riskFactor.threatActorName

Provide a string value to find vulnerabilities associated with a specific threat actor or group.

Example

Find vulnerabilities associated with the threat actor "APT29"

finding.riskFactor.threatActorName: APT29

finding.riskFactor.cisaKnownExploits

Select (True, False) to find vulnerabilities that are or are not listed in CISA's Known Exploited Vulnerabilities Catalog.

Example

Show vulnerabilities listed in CISA's Known Exploited Vulnerabilities Catalog

finding.riskFactor.cisaKnownExploits: true

finding.riskFactor.rti

Provide a numeric value to find vulnerabilities based on their Real-Time Intelligence (RTI) score.

Example

Find vulnerabilities with an RTI score of 8

finding.riskFactor.rti: 8

finding.riskFactor.malwareName

Provide a string value to find vulnerabilities associated with a specific malware.

Example

Find vulnerabilities associated with the "WannaCry" malware

finding.riskFactor.malwareName: WannaCry

finding.cveId

Use a text value to search for findings based on the CVE ID of the vulnerability.

Examples

Show findings with the specified CVE ID

finding.cveId:CVE-2020-27814

finding.cvss2Base

Provide a numeric value (0.0 to 10.0) to find vulnerabilities with a specific CVSS 2.0 Base score.

Examples

Find vulnerabilities with CVSS 2.0 Base score of 7.5

finding.cvss2Base: 7.5

finding.cvss2Temporal

Provide a numeric value (0.0 to 10.0) to find vulnerabilities with a specific CVSS 2.0 Temporal score.

Examples

Find vulnerabilities with CVSS 2.0 Temporal score of 6.5

finding.cvss2Temporal: 6.5

finding.cvss3Base

Provide a numeric value (0.0 to 10.0) to find vulnerabilities with a specific CVSS 3.0 Base score.

Examples

Find vulnerabilities with CVSS 3.0 Base score of 9.1

finding.cvss3Base: 9.1

finding.cvss3Temporal

Provide a numeric value (0.0 to 10.0) to find vulnerabilities with a specific CVSS 3.0 Temporal score.

Examples

Find vulnerabilities with CVSS 3.0 Temporal score of 8.3

finding.cvss3Temporal: 8.3

finding.disabled

Select (True, False) to find vulnerabilities that are disabled or enabled in the vendor system.

Example

Show vulnerabilities that are disabled.

finding.disabled: true

finding.ignored

Select (True, False) to find vulnerabilities that are marked as ignored or not ignored.

Example

Show vulnerabilities that are not marked as ignored.

finding.ignored: false

finding.technologyCategory

Use this token to search for misconfigurations related to a given technology category.

Example

Search misconfigurations that are associated with "Linux / Server".

finding.technologyCategory: "Linux/Server"

finding.technologyName

Use this token to search for misconfigurations related to a given technology name.

Example

Search misconfigurations that are associated with "Red Hat Enterprise Linux Server".

finding.technologyName: "Red Hat Linux Server"


finding.policyName

Use this token to search for misconfigurations related to a given policy name.

Example

Search misconfigurations that are associated with "CIS Benchmark".

finding.policyName: "CIS Benchmark"


finding.owaspTopTenName

Use this token to search for vulnerabilities of a specific OWASP Top Ten name type. Choose the name from the drop-down menu.

Example

Search vulnerabilities that are impacted by Injection.

finding.owaspTopTenName: "Injection"


Asset Tokens

The following asset tokens will list all the assets mentioned in the QQL. 

asset.assetID

Use an integer value to help you find certain Qualys asset IDs (UUIDs), assigned by an agent or a scanner appliance when Agentless Tracking is used.

Examples

  • Show this asset ID:
    asset.assetID: 2918869
  • Show the asset IDs within this range:
    asset.assetID: [3546997..12945655]
  • Show the 2 listed asset IDs:
    asset.assetID: [3546997,12945655]

 

asset.criticalityScore

Use an integer value (1-5) to help you find assets based on a specific criticality score. After the colon, enter the value.

Examples

  • Show assets with a criticality score of 5:
    asset.criticalityScore:5
  • Show assets with a criticality score of 2:
    asset.criticalityScore:2

 

asset.name

Use quotes or backticks within values to find the asset with the specified asset name. After the colon, enter the value.

Examples

  • Show assets related to the given name:
    asset.name: QK2K12QP3-65-53
  • Show assets that contain parts of the given name:
    asset.name:"QK2K12QP3-65-53"
  • Show assets that exactly match the given name:
    asset.name:`QK2K12QP3-65-53`


asset.operatingSystem

Use quotes or backticks within the values to find assets based on the operating system. After the colon, enter the value.

Examples

  • Show assets with the given OS name:
    asset.operatingSystem: Windows 2012
  • Show assets that contain the components of the given OS name:
    asset.operatingSystem: "Windows 2012"
  • Show assets that exactly match the given OS name:
    asset.operatingSystem:`Windows 2012`

 

asset.truRisk

Use an integer value (0-1000) to find assets based on a specific risk score. After the colon, enter the value.

Examples

  • Show assets with TruRisk score 60:
    asset.truRisk: 60
  • Show assets with TruRisk score 25:
    asset.truRisk: 25


tags.name

Use a text value to find assets with the specified tag. After the colon, enter the value.

Example

  • Show all assets with the tag name Oracle-Tags:
    tags.name: Oracle-Tags


openPorts.port

Use an integer value to find assets with the specified open port. After the colon, enter the value.

Example

  • Show all assets with open port 80:
    openPorts.port: 80


inventory.source

Use a text value to find assets from the specified Qualys source. Select values from the drop-down.

Examples

  • Show all assets from cloud agents:
    inventory.source: Cloud Agent
  • Show all assets from passive sensor:
    inventory.source: Passive Sensor


hardware.category

Use quotes and backticks within the values to find assets with the specified hardware category. After the colon, enter the value.

Examples

  • Show all assets that include a part of the specified hardware category value:
    hardware.category: "Computer/Server"
  • Show all assets that exactly match the specified hardware category value:
    hardware.category: `Computer/Server`

accounts.username

Use a text value to help you find an account username you are looking for.

Example

  • Show findings with username administrator:
    accounts.username: "administrator"