Token Support for Reports APIs

Refer to the table below for details about the tokens supported in the Reports APIs.

Token/Description Example

Token/Description	Example
finding.cveId Use a text value to search for findings based on the CVE ID of the vulnerability.	`finding.cveId: CVE-2020-27814`
finding.cvss2Base Provide a numeric value (0.0 to 10.0) to find vulnerabilities with a specific CVSS 2.0 Base score.	`finding.cvss2Base: 7.5`
finding.cvss2Temporal Provide a numeric value (0.0 to 10.0) to find vulnerabilities with a specific CVSS 2.0 Temporal score.	`finding.cvss2Temporal: 6.5`
finding.cvss3Base Provide a numeric value (0.0 to 10.0) to find vulnerabilities with a specific CVSS 3.0 Base score.	`finding.cvss3Base: 9.1`
finding.cvss3Temporal Provide a numeric value (0.0 to 10.0) to find vulnerabilities with a specific CVSS 3.0 Temporal score.	`finding.cvss3Temporal:8.3`
finding.description Use quotes or backticks within values to help you find the finding with a matching description. After the colon, enter the description.	`finding.description: "Remote Code"`
finding.detectionAge Select the number of days from the range (00..30, 31..60, 61..90, 91..180,180..+) since the vulnerability was first detected (by a scanner or cloud agent) on the asset till the current date. The age is calculated irrespective of the vulnerability status.	`finding.detectionAge: [00..30]`
finding.disabled Select (True or False) to find vulnerabilities that are disabled or enabled in the vendor system.	`finding.disabled: true`
finding.epssScore Use an integer value to help you search findings based on an EPSS score.	`finding.epssScore: 0.7088`
finding.firstFound Use the date range or specific date to define when findings were first found.	`finding.firstFound:[2015-10-21 .. 2016-01-15]` `finding.firstFound:[2016-01-01 .. now-1M]`
finding.id Use an integer value to help you search findings based on a rule ID.	`finding.id: 7088`
finding.ignored Select (True or False) to find vulnerabilities that are marked as ignored or not ignored.	`finding.ignored: false`
finding.ingestedDate Search findings by specifying a date or date range corresponding to when they were ingested.	`finding.ingestedDate > 1735061707155`
finding.lastFixedDate Use a time range from drop-down options or specific date to define when findings were last fixed. The drop-down options are [0–3], [4–7], [8–15], [16–30], [31–60], [61–90], [91–180], [181–365], or [366+].	`finding.lastFixedDate:[2015-10-21..2016-01-15]` `finding.lastFixedDate:[2016-01-01..now-1M]`
finding.lastFoundDate Use the date range or specific date to define when findings were last found.	`finding.lastFoundDate:[2015-10-21..2016-01-15]` `finding.lastFoundDate:[2016-01-01..now-1M]`
finding.port Use an integer value to help search findings discovered on a specific port.	`finding.port: 443`
finding.protocol Use a text value (UDP or TCP) to define the port protocol.	`finding.protocol: TCP`
finding.qds Use an integer value (0-100) to help you find vulnerabilities based on a specific detection score.	`finding.qds: 80` `finding.qds > 80`
finding.qvss Use an integer value (0-10) to help you find vulnerabilities based on specific detection score.	`finding.qvss: 8` `finding.qvss > 8`
finding.reopenedDate Use the date range or specific date to define when findings were reopened	`finding.reopenedDate:[2015-10-21..2016-01-15]` `finding.reopenedDate:[2016-01-01..now-1M]`
finding.riskFactor.isCisaKnownExploit Select (True, False) to find vulnerabilities that are or are not listed in CISA's Known Exploited Vulnerabilities Catalog.	`finding.riskFactor.isCisaKnownExploit: true`
finding.riskFactor.exploitCodeMaturity Select from the drop-down menu (poc, weaponized) to find vulnerabilities based on the maturity level of their exploit code.	`finding.riskFactor.exploitCodeMaturity: poc`
finding.riskFactor.malwareName Provide a string value to find vulnerabilities associated with a specific malware.	`finding.riskFactor.malwareName: WannaCry`
finding.riskFactor.rti Use the token value from drop down menu to find vulnerabilities based on the Real-time Threat Indicators. Available tokens are Exploit_Public, Active_Attacks, Easy_Exploit, Remote_Code_Execution, Privilege_Escalation, or Predicted_High_Risk.	`finding.riskFactor.rti: Easy_Exploit`
finding.riskFactor.threatActorName Provide a string value to find vulnerabilities associated with a specific threat actor or group.	`finding.riskFactor.threatActorName: APT29`
finding.severity Use an integer value to view the severity level set by Qualys to search findings. The severity level ranges between 1-5. Select from values in the drop-down menu.	`finding.severity: 3`
finding.sourceId Use a text value to search for findings based on the ID used by the source vendor.	`finding.sourceId: 500034`
finding.status Select a status (for example, Active, Fixed, New, or Reopened) to search findings with certain statuses. Select from names in the drop-down menu. If you select the status as Fixed, the list will only show vulnerabilities that have been fixed in the last 365 days.	`finding.status: Fixed`
finding.subType Use sub type as token to search findings.	`finding.SubType: EOL/EOS`
finding.title Use quotes or backticks within values to help you find the title. After the colon, enter the title.	`finding.title: 'Remote Code Execution` `finding.title: "Remote Code"`
finding.type Select a finding type (Vulnerability, Misconfiguration, Malware, Compliance) to search findings of this type. Select from names in the drop-down menu.	`finding. type: Compliance`
finding.typeDetected Select a detection type (Confirmed, Potential, or Information) to search for findings of this type. Select from names in the drop-down menu.	`finding.typeDetected: confirmed`
finding.vendorName Select a detection source (Wiz, Qualys, Microsoft) to search findings from the specified source. Select from names in the drop-down menu.	`finding.vendorName: Qualys`
finding.vendorProductName Select a detection source's product name to search findings with the product name of the detection source. Select from names in the drop-down menu	`finding.vendorProductName: Nessus`
asset.tag.name Use a text value to find assets with the specified tag.	`asset.tag.name: Oracle-Tags`
finding.customNumber1 Provide a numeric value to search for findings with a specific value or within a range of values.	`finding.customNumber1: 80` Note: To avail this feature, connect to your TAM or Qualys Support.
finding.customNumber2 Provide a numeric value to search for findings with a specific value or within a range of values.	`finding.customNumber2> 100` Note: To avail this feature, connect to your TAM or Qualys Support.
finding.customNumber3 Provide a numeric value to search for findings with a specific value or within a range of values.	`finding.customNumber3> 500` Note: To avail this feature, connect to your TAM or Qualys Support.
finding.customNumber4 Provide a numeric value to search for findings with a specific value or within a range of values.	`finding.customNumber4: 1800` Note: To avail this feature, connect to your TAM or Qualys Support.
finding.customNumber5 Provide a numeric value to search for findings with a specific value or within a range of values.	`finding.customNumber5: 2500` Note: To avail this feature, connect to your TAM or Qualys Support.
asset.id Use an integer value to help you find certain Qualys asset IDs (UUIDs), assigned by an agent or a scanner appliance when Agentless Tracking is used.	`asset.id: [3546997..12945655]`
asset.class Use this token to search assets by their primary class, such as Host, Application, Database, or Network Device. Note: The token is supported exclusively for UAI-enabled accounts.	`asset.class: compute`
asset.subclass Use this token to search assets by their subclass, which provides a more granular type within the main asset class. Note: The token is supported exclusively for UAI-enabled accounts.	`asset.subclass: Server`
asset.name Use quotes or backticks within values to find the asset with specified asset name. After the colon, enter the value.	`asset.name: QK2K12QP3-65-53`
asset.criticalityScore Use an integer value (1-5) to help you find assets based on specific criticality score. After the colon, enter the value.	`asset.criticalityScore:2`
asset.operatingSystem Use quotes or backticks within the values to find assets based on the operating system. After the colon, enter the value.	`asset.operatingSystem: Windows 20212`
asset.truRisk Use an integer value (0-1000) to find assets based on a specific risk score. After the colon, enter the value.	`asset.truRisk: 60`
asset.type Find assets of a certain type (SCANNER and HOST). Select from the asset types in the drop-down menu.	asset.type: `HOST`
finding.truConfirm.isApplicable Identify whether a TruConfirm assessment can be launched for the given CVE ID.	`finding.truConfirm.isApplicable: TRUE`
finding.truConfirm.status Select a TruConfirm status (for example, Exploitation Validated, Exploitation Ruled Out, Exploit Inconclusive, or Validation Available) to filter findings based on their TruConfirm assessment results.	`finding.truConfirm.status: Exploit Inconclusive`
finding.truConfirm.statusDate Identify when the TruConfirm status was last updated for a finding. This timestamp reflects the completion of a TruConfirm scan and the subsequent pipeline update for the associated CVE ID.	`finding.truConfirm.statusDate: [2025-01-01 .. 2025-01-15]`

finding.cveId

Use a text value to search for findings based on the CVE ID of the vulnerability.

finding.cveId: CVE-2020-27814

finding.cvss2Base

Provide a numeric value (0.0 to 10.0) to find vulnerabilities with a specific CVSS 2.0 Base score.

finding.cvss2Base: 7.5

finding.cvss2Temporal

Provide a numeric value (0.0 to 10.0) to find vulnerabilities with a specific CVSS 2.0 Temporal score.

finding.cvss2Temporal: 6.5

finding.cvss3Base

Provide a numeric value (0.0 to 10.0) to find vulnerabilities with a specific CVSS 3.0 Base score.

finding.cvss3Base: 9.1

finding.cvss3Temporal

Provide a numeric value (0.0 to 10.0) to find vulnerabilities with a specific CVSS 3.0 Temporal score.

finding.cvss3Temporal:8.3

finding.description

Use quotes or backticks within values to help you find the finding with a matching description. After the colon, enter the description.

finding.description: "Remote Code"

finding.detectionAge

Select the number of days from the range (00..30, 31..60, 61..90, 91..180,180..+) since the vulnerability was first detected (by a scanner or cloud agent) on the asset till the current date. The age is calculated irrespective of the vulnerability status.

finding.detectionAge: [00..30]

finding.disabled

Select (True or False) to find vulnerabilities that are disabled or enabled in the vendor system.

finding.disabled: true

finding.epssScore

Use an integer value to help you search findings based on an EPSS score.

finding.epssScore: 0.7088

finding.firstFound

Use the date range or specific date to define when findings were first found.

finding.firstFound:[2015-10-21 .. 2016-01-15]
finding.firstFound:[2016-01-01 .. now-1M]

finding.id

Use an integer value to help you search findings based on a rule ID.

finding.id: 7088

finding.ignored

Select (True or False) to find vulnerabilities that are marked as ignored or not ignored.

finding.ignored: false

finding.ingestedDate

Search findings by specifying a date or date range corresponding to when they were ingested.

finding.ingestedDate > 1735061707155

finding.lastFixedDate

Use a time range from drop-down options or specific date to define when findings were last fixed. The drop-down options are [0–3], [4–7], [8–15], [16–30], [31–60], [61–90], [91–180], [181–365], or [366+].

finding.lastFixedDate:[2015-10-21..2016-01-15]
finding.lastFixedDate:[2016-01-01..now-1M]

finding.lastFoundDate

Use the date range or specific date to define when findings were last found.

finding.lastFoundDate:[2015-10-21..2016-01-15]
finding.lastFoundDate:[2016-01-01..now-1M]

finding.port

Use an integer value to help search findings discovered on a specific port.

finding.port: 443

finding.protocol

Use a text value (UDP or TCP) to define the port protocol.

finding.protocol: TCP

finding.qds

Use an integer value (0-100) to help you find vulnerabilities based on a specific detection score.

finding.qds: 80
finding.qds > 80

finding.qvss

Use an integer value (0-10) to help you find vulnerabilities based on specific detection score.

finding.qvss: 8
finding.qvss > 8

finding.reopenedDate

Use the date range or specific date to define when findings were reopened

finding.reopenedDate:[2015-10-21..2016-01-15]
finding.reopenedDate:[2016-01-01..now-1M]

finding.riskFactor.isCisaKnownExploit

Select (True, False) to find vulnerabilities that are or are not listed in CISA's Known Exploited Vulnerabilities Catalog.

finding.riskFactor.isCisaKnownExploit: true

finding.riskFactor.exploitCodeMaturity

Select from the drop-down menu (poc, weaponized) to find vulnerabilities based on the maturity level of their exploit code.

finding.riskFactor.exploitCodeMaturity: poc

finding.riskFactor.malwareName

Provide a string value to find vulnerabilities associated with a specific malware.

finding.riskFactor.malwareName: WannaCry

finding.riskFactor.rti

Use the token value from drop down menu to find vulnerabilities based on the Real-time Threat Indicators. Available tokens are Exploit_Public, Active_Attacks, Easy_Exploit, Remote_Code_Execution, Privilege_Escalation, or Predicted_High_Risk.

finding.riskFactor.rti: Easy_Exploit

finding.riskFactor.threatActorName

Provide a string value to find vulnerabilities associated with a specific threat actor or group.

finding.riskFactor.threatActorName: APT29

finding.severity

Use an integer value to view the severity level set by Qualys to search findings. The severity level ranges between 1-5. Select from values in the drop-down menu.

finding.severity: 3

finding.sourceId

Use a text value to search for findings based on the ID used by the source vendor.

finding.sourceId: 500034

finding.status

Select a status (for example, Active, Fixed, New, or Reopened) to search findings with certain statuses. Select from names in the drop-down menu. If you select the status as Fixed, the list will only show vulnerabilities that have been fixed in the last 365 days.

finding.status: Fixed

finding.subType

Use sub type as token to search findings.

finding.SubType: EOL/EOS

finding.title

Use quotes or backticks within values to help you find the title. After the colon, enter the title.

finding.title: 'Remote Code Execution
finding.title: "Remote Code"

finding.type

Select a finding type (Vulnerability, Misconfiguration, Malware, Compliance) to search findings of this type. Select from names in the drop-down menu.

finding. type: Compliance

finding.typeDetected

Select a detection type (Confirmed, Potential, or Information) to search for findings of this type. Select from names in the drop-down menu.

finding.typeDetected: confirmed

finding.vendorName

Select a detection source (Wiz, Qualys, Microsoft) to search findings from the specified source. Select from names in the drop-down menu.

finding.vendorName: Qualys

finding.vendorProductName

Select a detection source's product name to search findings with the product name of the detection source. Select from names in the drop-down menu

finding.vendorProductName: Nessus

asset.tag.name

Use a text value to find assets with the specified tag.

asset.tag.name: Oracle-Tags

finding.customNumber1

Provide a numeric value to search for findings with a specific value or within a range of values.

finding.customNumber1: 80