Search Tokens for Findings
You can use the search tokens in the Findings tab to refine your search results. We have broadly classified the asset and vulnerability | misconfiguration search tokens in the Findings tab. Click each token to learn more about it.
Vulnerability | Misconfiguration Tokens
Use these tokens to define search criteria for vulnerabilities and misconfigurations.
finding.accessVectorfinding.accessVector
Use the token value as an attack vector string to search the findings, such as the CVSS vector string that describes how the vulnerability can be exploited.
Example
Show findings associated with the attack vector.
finding.accessVector: AV:N/AC:L/Au:N/C:K/I:N/A:N
finding.applicationURLfinding.applicationURL
Use a text value to search findings discovered on a certain application URL.
Example
Show findings with the specified application URL
finding.applicationURL: http://funkytown.vuln.qa.qualys.com/cassium/xss/
finding.connectionIdfinding.connectionId
Show assets sourced from a specific connector created by the user
Example
Show assets for the following connector id:
finding.connectionId: 1278237
finding.connectionNamefinding.connectionName
Provide the connection name as a token value to search the findings discovered by the connector.
Example
Show any findings related to connection name
finding.connectionName: Wiz Vulnerability Connector
finding.connectionUuidfinding.connectionUuid
Provide the connection UUID as a token value to search the findings discovered by the connector.
Example
Show any findings related to connection UUID
finding.connectionUuid: 7cffe4c1-ae48-4465-b75a-43bd5db6088a
finding.criticalityfinding.criticality
Select a criticality CRITICAL, HIGH, MEDIUM, LOW, or NONE from drop-down menu, to find assets with vulnerabilities of this type. If a CVE does not have a CVSSv3 Base score, the CVSSv2 Base score takes priority.
The following list of criticality defines the QVSS Score from 0.0 to 10.0:
- None: 0.0
- Low: 0.1-3.9
- Medium: 4.0-6.9
- High: 7.0-8.9
- Critical: 9.0-10.0
Example
- Show vulnerabilities with HIGH criticality
finding.criticality: HIGH
finding.customNumber1finding.customNumber1
Provide a numeric value to search for findings with a specific value or within a range of values.
Note: To avail this feature, connect to your TAM or Qualys Support.
Example
Show findings with customNumber1 equal to 80
finding.customNumber1: 80
finding.customNumber2finding.customNumber2
Provide a numeric value to search for findings with a specific value or within a range of values.
Note: To avail this feature, connect to your TAM or Qualys Support.
Example
Show findings with customNumber2 greater than 80
finding.customNumber2> 80
finding.customNumber3finding.customNumber3
Provide a numeric value to search for findings with a specific value or within a range of values.
Note: To avail this feature, connect to your TAM or Qualys Support.
Example
Show findings with customNumber3 greater than 500.
finding.customNumber3> 500
finding.customNumber4finding.customNumber4
Provide a numeric value to search for findings with a specific value or within a range of values.
Note: To avail this feature, connect to your TAM or Qualys Support.
Example
Show findings with customNumber4 equal to 800.
finding.customNumber4: 1800
finding.customNumber5finding.customNumber5
Provide a numeric value to search for findings with a specific value or within a range of values.
Note: To avail this feature, connect to your TAM or Qualys Support.
Example
Show findings with customNumber equal to 2500
finding.customNumber5: 2500
Use a text value to search for findings based on the CVE ID of the vulnerability.
Example
Show findings with the specified CVE ID
finding.cveId: CVE-2020-27814
finding.cvePublishedDatefinding.cvePublishedDate
Search findings by specifying a date or date range corresponding to when CVE ID was published.
Examples
Show findings related to duration when CVE was published within certain dates
finding.cvePublishedDate: [2015-08-25 .. 2021-01-15]
Show findings related to duration when CVE was published starting 2024-01-01, ending 1 month ago
finding.cvePublishedDate: [2024-01-01 .. now-1M]
Show findings related to duration when CVE was published starting 2 weeks ago, ending 1 second ago
finding.cvePublishedDate: [now-2w .. now-1s]
Show findings related to duration when CVE was published on a certain date
finding.cvePublishedDate: '2025-01-11'
Show findings related to duration when CVE was published within a certain number of days
finding.cvePublishedDate: [91..180]
finding.cvss2BaseScorefinding.cvss2BaseScore
Provide a numeric value (0.0 to 10.0) to find vulnerabilities with a specific CVSS 2.0 Base score.
Example
Find vulnerabilities with CVSS 2.0 Base score of 7.5
finding.cvss2BaseScore: 7.5
finding.cvss2TemporalScorefinding.cvss2TemporalScore
Provide a numeric value (0.0 to 10.0) to find vulnerabilities with a specific CVSS 2.0 Temporal score.
Example
Find vulnerabilities with CVSS 2.0 Temporal score of 6.5
finding.cvss2TemporalScore: 6.5
finding.cvss3BaseScorefinding.cvss3BaseScore
Provide a numeric value (0.0 to 10.0) to find vulnerabilities with a specific CVSS 3.0 Base score.
Example
Find vulnerabilities with CVSS 3.0 Base score of 9.1
finding.cvss3BaseScore: 9.1
finding.cvss3TemporalScorefinding.cvss3TemporalScore
Provide a numeric value (0.0 to 10.0) to find vulnerabilities with a specific CVSS 3.0 Temporal score.
Example
Find vulnerabilities with CVSS 3.0 Temporal score of 8.3
finding.cvss3TemporalScore: 8.3
finding.descriptionfinding.description
Use quotes or backticks within values to help you find the finding with matching description.
Examples
Show any findings related to this description:
finding.description: "Remote Code Execution"
Show any findings that contain "Remote" or "Code" in description:
finding.description: "Remote Code"
Show any findings that match the exact value "Remote Code":
finding.description: `Remote Code`
finding.detectionAgefinding.detectionAge
Select the number of days from the range (00..30, 31..60, 61..90, 91..180,180..+) since the vulnerability was first detected (by a scanner or cloud agent) on the asset till the current date. The age is calculated irrespective of the vulnerability status.
Example
Show findings that were detected in the last 30 days.
finding.detectionAge: [00..30]
finding.detectionMethodfinding.detectionMethod
Use a text value to search findings based on method used to detect the findings.
Example
Show the findings based on the method used to detect the findings
finding.detectionMethod: Falcon sensor
finding.discoveryTypefinding.discoveryType
Select a discovery type as Remote | Authenticated to search findings having this discovery type. Select from names in the drop-down menu.
Example
Show findings with Remote discovery type:
finiding.discoveryType: REMOTE
finding.epssScore finding.epssScore
Use an integer value to help you search findings based on a EPSS score.
Example
Show findings related to EPSS score
finding.epssScore: 0.7088
finding.externalFindingIdfinding.externalFindingId
Use the token value as the ID from the external system or vulnerability scanner to search for findings.
Example
Show findings with the ID
finding.externalFindingId: 3113162
finding.firstFoundDate finding.firstFoundDate
Use the date range or specific date to define when findings were first found.
Examples
Show findings first found within certain dates:
finding.firstFoundDate: [2015-10-21 .. 2016-01-15]
Show findings first found starting 2016-01-01, ending 1 month ago:
finding.firstFoundDate: [2016-01-01 .. now-1M]
Show findings first found starting 2 weeks ago, ending 1 second ago:
finding.firstFoundDate: [now-2w .. now-1s]
Show findings first found on a certain date:
finding.firstFoundDate: '2016-01-11'
Show findings first found within a certain number of days:
finding.firstFoundDate: [91..180]
finding.ingestedDatefinding.ingestedDate
Search findings by specifying a date or date range corresponding to when they were ingested.
Example
Show any findings related to WASC category name
finding.ingestedDate: [2045-10-21 .. 2025-01-15]
finding.instancefinding.instance
Use a text value to search findings discovered on a certain instance.
Example
Show findings with the specified instance
finding.instance: oracle
finding.isExploitAvailablefinding.isExploitAvailable
Select TRUE | FALSE to seach vulnerabilities for which a public exploit is available.
Example
Show vulnerabilities for which a public exploit is available.
finding.isExploitAvailable: TRUE
finding.isFoundfinding.isFound
Use the values TRUE | FALSE to define vulnerabilities are detected or not on the assets.
Example
Show findings with vulnerabilities detected
finding.isFound: TRUE
finding.isIgnoredfinding.isIgnored
Select TRUE | FALSE to find vulnerabilities that are marked as ignored or not ignored.
Example
Show vulnerabilities that are not marked as ignored.
finding.isIgnored: FALSE
finding.isMitigatedfinding.isMitigated
Select TRUE or FALSE as token value to find vulnerabilities that can be mitigated.
Example
Show vulnerabilities that can be mitigated
finding.isMitigated: TRUE
finding.isPatchAvailablefinding.isPatchAvailable
Select TRUE | FALSE to find vulnerabilities for which patches are available.
Example
Show vulnerabilities for which patches are available
finding.isPatchAvailable: TRUE
finding.isQualysPatchablefinding.isQualysPatchable
Select TRUE | FALSE to find vulnerabilities that are patchable via Qualys.
Example
Show vulnerabilities that are patchable via Qualys
finding.isQualysPatchable: TRUE
finding.lastFixedDatefinding.lastFixedDate
Use a time range from drop-down options or specific date to define when findings were last fixed. The drop-down options are [0–3], [4–7], [8–15], [16–30], [31–60], [61–90], [91–180], [181–365], or [366+].
Examples
Show findings last fixed within certain dates:
finding.lastFixedDate: [2024-10-21 .. 2025-01-15]
Show findings last fixed starting 2016-01-01, ending 1 month ago:
finding.lastFixedDate: [2024-01-01 .. now-1M]
Show findings last fixed starting 2 weeks ago, ending 1 second ago:
finding.lastFixedDate: [now-2w .. now-1s]
Show findings last fixed on a certain date:
finding.lastFixedDate: '2025-01-11'
Show findings last fixed within a certain number of days:
finding.lastFixedDate: [91..180]
finding.lastFoundDatefinding.lastFoundDate
Use the date range or specific date to define when findings were last found.
Examples
Show findings last found within certain dates:
finding.lastFoundDate: [2015-10-21 .. 2016-01-15]
Show findings last found starting 2016-01-01, ending 1 month ago:
finding.lastFoundDate: [2016-01-01 .. now-1M]
Show findings last found starting 2 weeks ago, ending 1 second ago:
finding.lastFoundDate: [now-2w .. now-1s]
Show findings last found on a certain date:
finding.lastFoundDate: '2016-01-11'
Show findings last found within a certain number of days:
finding.lastFoundDate: [91..180]
finding.mitigated.methodfinding.mitigated.method
Use this token to filter and identify vulnerabilities based on the specific method used to mitigate them.
Example
Show vulnerabilities mitigated by applying risk-based mitigation actions through the TruRisk approach
finding.mitigated.method: TruRiskMitigate
finding.mitre.attack.subTechnique.idfinding.mitre.attack.subTechnique.id
Use the MITRE ATT&CK sub-technique ID as a token to search findings assocoated with MITRE ATT&CK.
Example
Show findings with sub-technique ID
finding.mitre.attack.subTechnique.id: T1112.002
finding.mitre.attack.subTechnique.namefinding.mitre.attack.subTechnique.name
Use the MITRE ATT&CK sub-technique name as a token to search findings assocoated with MITRE ATT&CK.
Example
Show findings with sub-technique name
finding.mitre.attack.subTechnique.name: Password Cracking
finding.mitre.attack.tactic.idfinding.mitre.attack.tactic.id
Use the MITRE ATT&CK tactic ID as a token to search findings assocoated with MITRE ATT&CK.
Example
Show findings with MITRE ATT&CK tactic ID
finding.mitre.attack.tactic.id: TA0041
finding.mitre.attack.tactic.namefinding.mitre.attack.tactic.name
Use the MITRE ATT&CK tactic name as a token to search findings assocoated with MITRE ATT&CK.
Example
Show the findings based on the method used to detect the findings
finding.mitre.attack.tactic.name: Impact
finding.mitre.attack.technique.idfinding.mitre.attack.technique.id
Use the MITRE ATT&CK technique ID name as a token to search findings assocoated with MITRE ATT&CK.
Example
Show findings with MITRE ATT&CK technique ID
finding.mitre.attack.technique.id: T1490
finding.mitre.attack.technique.namefinding.mitre.attack.technique.name
Use the MITRE ATT&CK technique name as a token to search findings assocoated with MITRE ATT&CK.
Example
Show findings with MITRE ATT&CK technique name
finding.mitre.attack.technique.name: Password Cracking
finding.owaspTopTenNamefinding.owaspTopTenName
Use this token to search for vulnerabilities of a specific OWASP Top Ten name type. Choose the name from the drop-down menu.
Example
Search vulnerabilities that are impacted by Injection .
finding.owaspTopTenname: Injection
finding.policyIdfinding.policyId
Use this token to search for misconfigurations related to a given policy ID.
Example
Search misconfigurations that are associated with the policy ID
finding.policyId: 31135
finding.policyNamefinding.policyName
Use this token to search for misconfigurations related to a given policy name
Example
Search misconfigurations that are associated with "CIS Benchmark".
finding.policyName: "CIS Benchmark"
Use an integer value to help you search findings discovered on a specific port.
Example
Show findings discovered on this port
finding.port: 443
finding.product.vendorIdfinding.product.vendorId
Use this token to search for vulnerabilities related to a given product vendor ID.
Example
Search vulnerabilities related to a given product vendor ID
finding.product.vendorId: 273410
finding.product.versionfinding.product.version
Use this token to search for vulnerabilities related to a given product version.
Example
Search vulnerabilities related to a given product version
finding.product.version: 1.14
finding.protocolfinding.protocol
Use a text value (UDP or TCP) to define the port protocol.
Example
Show findings discovered on TCP protocol
finding.protocol: TCP
Use an integer value (0-100) to help you find vulnerabilities based on a specific detection score.
Examples
Show vulnerabilities with detection score 80
finding.qds:80
Show vulnerabilities with detection score greater than 80
finding.qds> 80
Use an integer value to define the QID.
Example
Show findings with QID 90405
finding.qid: 90405
Note: The QID token shows all assets that have the specific QID. The exclude vulnerabilities filters are not applicable for the QID token.
Use an integer value (0-10) to help you find vulnerabilities based on specific detection score.
Examples
Show vulnerabilities with detection score 8:
finding.qvss: 8
Show vulnerabilities with detection score greater than 8:
finding.qvss > 8
finding.reopenedDatefinding.reopenedDate
Use the date range or specific date to define when findings were reopened.
Examples
Show findings reopened within certain dates:
finding.reopenedDate: [2015-10-21 .. 2016-01-15]
Show findings reopened starting 2016-01-01, ending 1 month ago:
finding.reopenedDate: [2016-01-01 .. now-1M]
Show findings reopened starting 2 weeks ago, ending 1 second ago:
finding.reopenedDate: [now-2w .. now-1s]
Show findings reopened on a certain date:
finding.reopenedDate: '2016-01-11'
Show findings reopened within a certain number of days:
finding.reopenedDate: [91..180]
finding.requiredPrivilegefinding.requiredPrivilege
Use the search token value as LOW, MEDIUM, or HIGH to find vulnerabilities based on the level of access or privileges required by an attacker to exploit them. This token derives its data from CVSS metrics.
Example
Shows findings where an attacker requires medium-level privileges to exploit the vulnerability.
finding.requiredPriviledge: MEDIUM
finding.riskAcceptance.createdDatefinding.riskAcceptance.createdDate
Use the date range or specific creation date of the risk acceptance rule to identify vulnerabilities that have been accepted as risk.
Examples
Show findings where vulnerabilities have been accepted within certain creation dates.
finding.riskAcceptance.createdDate: [2015-10-21 .. 2016-01-15]
Show vulnerabilities that have been accepted starting 2023-01-01, ending 1 month ago:
finding.riskAcceptance.createdDate: [202-01-01 .. now-1M]
finding.riskAcceptance.endDatefinding.riskAcceptance.endDate
Use the date range or specific end date of the risk acceptance rule to identify vulnerabilities that have been accepted as risk.
Example
Show findings where vulnerabilities have been accepted based on end date 2024-01-01, ending 1 month ago:
finding.riskAcceptance.endDate: [2016-01-01 .. now-1M]
finding.riskAcceptance.reasonTypefinding.riskAcceptance.reasonType
Select token value as the reason to identify vulnerabilities that have been accepted as risk.
Example
Show vulnerabilities that have been accepted based on the reason
finding.riskAcceptance.reasonType: Risk Accepted for QDS > 60
finding.riskAcceptance.ruleIdfinding.riskAcceptance.ruleId
Use the token value as the risk acceptance rule ID to identify vulnerabilities that have been accepted as risk.
Example
Show vulnerabilities that have been accepted.
finding.riskAcceptance.ruleId: 1001
finding.riskAcceptance.startDatefinding.riskAcceptance.startDate
Use the date range or specific start date of the risk acceptance rule to identify vulnerabilities that have been accepted as risk.
Examples
Show findings where vulnerabilities have been accepted within certain dates.
finding.finding.riskAcceptance.startDate: [2024-10-21 .. 2025-01-15]
Show findings where vulnerabilities have been accepted starting 2024-01-01, ending 1 month ago:
finding.riskAcceptance.startDate: [2024-01-01 .. now-1M]
finding.riskAcceptance.typefinding.riskAcceptance.type
Select token value as RISK_ACCEPTED or FALSE_POSITIVE to identify vulnerabilities that have been accepted as risk.
Example
Show vulnerabilities that have been accepted.
finding.riskAcceptance.type: RISK_ACCEPTED
finding.riskFactor.exploitCodeMaturityfinding.riskFactor.exploitCodeMaturity
Select from the drop-down menu (poc, weaponized) to find vulnerabilities based on the maturity level of their exploit code.
Example
Show vulnerabilities with Functional exploit code maturity
finding.riskFactor.exploitCodeMaturity: poc
finding.riskFactor.isCisaKnownExploitfinding.riskFactor.isCisaKnownExploit
Select TRUE | FALSE to find vulnerabilities that are or are not listed in CISA's Known Exploited Vulnerabilities Catalog.
Example
Show vulnerabilities listed in CISA's Known Exploited Vulnerabilities Catalog
finding.riskFactor.isCisaKnownExploit: TRUE
finding.riskFactor.malwareNamefinding.riskFactor.malwareName
Provide a string value to find vulnerabilities associated with a specific malware.
Example
Find vulnerabilities associated with the WannaCry malware
finding.riskFactor.malwareName: WannaCry
finding.riskFactor.rtifinding.riskFactor.rti
Use the token value from drop down menu to find vulnerabilities based on the Real-time Threat Indicators. Available tokens are Exploit_Public, Active_Attacks, Easy_Exploit, Remote_Code_Execution, Privilege_Escalation, or Predicted_High_Risk.
Example
Show findings related to Easy_Exploit
finding.riskFactor.rti: Easy_Exploit
finding.riskFactor.threatActorNamefinding.riskFactor.threatActorName
Provide a string value to find vulnerabilities associated with a specific threat actor or group.
Example
Find vulnerabilities associated with the threat actor "APT29"
finding.riskFactor.threatActorName: APT29
finding.riskFactor.trending finding.riskFactor.trending
Use this token to retrieve the list of QIDs that are trending within a specified time range. You can choose the required day range from the drop-down options: [0–3], [4–7], [8–15], [16–30], [31–60], [61–90], [91–180], [181–365], or [366+].
Example
Show trending vulnerabilities with its QIDs within certain number of days
finding.riskFactor.trending: [16..30]
finding.ruleNamefinding.ruleName
Use a text value ##### for findings related to the rule name.
Example
Show findings with rule name
finding.ruleName: find epss score
finding.severityfinding.severity
Use an integer value to view the severity level set by Qualys to search findings. The severity level ranges between 1-5. Select from values in the drop-down menu.
Example
Show findings with severity set by Qualys as
finding.severity: 3
finding.sourceIdfinding.sourceId
Use a text value to search for findings based on the ID used by the source vendor.
Examples
Show findings with the specified source ID
finding.sourceId:500034
Select a status (for example, Active, Fixed, New, or Reopened) to search findings with certain statuses. Select from names in the drop-down menu. If you select the status as Fixed, the list will only show vulnerabilities that have been fixed in the last 365 days.
Example
Show vulnerabilities with Fixed status:
finding.status: Fixed
finding.subTypefinding.subType
Select a finding based on subtype.
Example
Show findings with this type.
finding.SubType: EOL/EOS
finding.technologyCategoryfinding.technologyCategory
Use this token to search for vulnerabilities or misconfigurations related to a given technology category.
Example
Search misconfigurations that are associated with "Linux / Server"
finding.technologyCategory: "Linux/Server"
finding.technologyNamefinding.technologyName
Use this token to search for vulnerabilities or misconfigurations related to a given technology name.
Example
Search misconfigurations that are associated with " Red Hat Enterprise Linux Server"
finding.technologyName: "Red Hat Linux Server"
finding.technologyVendorfinding.technologyVendor
Use this token to search for vulnerabilities or misconfigurations related to a given technology vendor.
Example
Search misconfigurations that are associated with vendor
finding.technologyVendor: Wiz
finding.threatIntel.hasNoPatch finding.threatIntel.hasNoPatch
Use the values TRUE | FALSE to define real-time threats due to no patch available.
Examples
Show assets with threats due to no patch available
finding.threatIntel.hasNoPatch: TRUE
Show assets that don't have threats due to no patch available
finding.threatIntel.hasNoPatch: FALSE
finding.threatIntel.isActiveAttackfinding.threatIntel.isActiveAttack
Use the values TRUE | FALSE to define real-time threats due to active attacks.
Examples
Show assets with threats due to active attacks
finding.threatIntel.isActiveAttack: TRUE
Show assets that don't have threats due to active attacks
finding.threatIntel.isActiveAttack: FALSE
finding.threatIntel.isCisaKnownExploitedVulnfinding.threatIntel.isCisaKnownExploitedVuln
Use the values TRUE | FALSE to define real-time threats due to CISA Exploits.
Examples
Show assets with threats due to CISA exploit
finding.threatIntel.isCisaKnownExploitedVuln: TRUE
Show assets that don't have threats due to CISA exploit
finding.threatIntel.isCisaKnownExploitedVuln: FALSE
finding.threatIntel.isDenialOfServicefinding.threatIntel.isDenialOfService
Use the values TRUE| FALSE to define real-time threats due to denial of service.
Examples
- Show assets with threats due to denial of service
finding.threatIntel.isDenialOfService: TRUE - Show assets that don't have threats due to denial of service
finding.threatIntel.isDenialOfService: FALSE
finding.threatIntel.isEasyExploitfinding.threatIntel.isEasyExploit
Use the values TRUE | FALSE to define real-time threats due to easy exploit.
Examples
Show assets with threats due to easy exploit
finding.threatIntel.isEasyExploit: TRUE
Show assets that don't have threats due to easy exploit
finding.threatIntel.isEasyExploit: FALSE
finding.threatIntel.isExploitKitfinding.threatIntel.isExploitKit
Use the values TRUE | FALSE to define real-time threats due to exploit kit.
Examples
Show assets with threats due to exploit kit
finding.threatIntel.isExploitKit: TRUE
Show assets that don't have threats due to exploit kit
finding.threatIntel.isExploitKit: FALSE
finding.threatIntel.isHighDataLossfinding.threatIntel.isHighDataLoss
Use the values TRUE | FALSE to define real-time threats due to high data loss.
Examples
Show assets with threats due to high data loss
finding.threatIntel.isHighDataLoss: TRUE
Show assets that don't have threats due to high data loss
finding.threatIntel.isHighDataLoss: FALSE
finding.threatIntel.isHighLateralMovementfinding.threatIntel.isHighLateralMovement
Use the values TRUE | FALSE to define real-time threats due to high lateral movement.
Examples
Show assets with threats due to high lateral movement
finding.threatIntel.isHighLateralMovement: TRUE
Show assets that don't have threats due to high lateral movement
finding.threatIntel.isHighLateralMovement: FALSE
finding.threatIntel.isMalware finding.threatIntel.isMalware
Use the values TRUE | FALSE to define real-time threats due to malware.
Examples
Show assets with threats due to malware
finding.threatIntel.isMalware: TRUE
Show assets that don't have threats due to malware
finding.threatIntel.isMalware: FALSE
finding.threatIntel.isPredictedHighRisk finding.threatIntel.isPredictedHighRisk
Use the values TRUE | FALSE to define real-time threats due to predicted high risk.
Example
Show assets with predicted high risk threat
finding.threatIntel.isPredictedHighRisk: TRUE
finding.threatIntel.isPrivilegeEscalation finding.threatIntel.isPrivilegeEscalation
Use the values TRUE | FALSE to define real-time threats due to privilege escalation risk.
Example
Show assets with privilege escalation threat
finding.threatIntel.isPrivilegeEscalation: TRUE
finding.threatIntel.isPublicExploit finding.threatIntel.isPublicExploit
Use the values TRUE | FALSE to define real-time threats due to public exploit.
Examples
Show assets with threats due to public exploit
finding.threatIntel.isPublicExploit: TRUE
Show assets that do not have threats due to public exploit
finding.threatIntel.isPublicExploit: FALSE
finding.threatIntel.isRansomwarefinding.threatIntel.isRansomware
Use the values TRUE | FALSE to define real-time threats due to ransomeware vulnerability.
Example
Show assets with ransomeware threat
finding.threatIntel.isRansomware: TRUE
finding.threatIntel.isRemoteCodeExecutionfinding.threatIntel.isRemoteCodeExecution
Use the values TRUE | FALSE to define real-time threats due to remote code execution risk.
Example
Show assets with remote code execution threat
finding.threatIntel.isRemoteCodeExecution: TRUE
finding.threatIntel.isUnauthenticatedExploitationfinding.threatIntel.isUnauthenticatedExploitation
Use the values TRUE | FALSE to define real-time threats due to unauthenticated exploitation risk.
Example
Show assets with unauthenticated exploitation threat
finding.threatIntel.isUnauthenticatedExploitation: TRUE
finding.threatIntel.isWormable finding.threatIntel.isWormable
Use the values TRUE | FALSE to define real-time wormable threats.
Example
Show assets with wormable threats
finding.threatIntel.isWormable: TRUE
finding.threatIntel.isZeroDay finding.threatIntel.isZeroDay
Use the values TRUE | FALSE to define real-time threats due to zero day exploit.
Examples
Show assets with threats due to zero day exploit
finding.threatIntel.isZeroDay: TRUE
Show assets that don't have threats due to zero day exploit
finding.threatIntel.isZeroDay: FALSE
finding.threatIntel.malwareName finding.threatIntel.malwareName
Use quotes or backticks within values to help you find the malware name. Quotes can be used when the value has more than one word.
Examples
Show any findings with this name
finding.threatIntel.malwareName: TROJ_PDFKA.DQ
Show any findings that match exact value
finding.threatIntel.malwareName: `TROJ_PDFKA.DQ`
Use quotes or backticks within values to help you find the title. After the colon, enter the title.
Examples
Show any findings related to this title.
finding.title: 'Remote Code Execution
Show any findings that contain "Remote" or "Code" in title:
finding.title: "Remote Code"
Show any findings that match exact value "Remote Code" :
finding.title: `Remote Code`
Use the number of days to determine the time taken to detect the vulnerability from the moment it was introduced. The token accepts range input as number of days. You can also customize the range input.
Example
Show vulnerabilities findings based on total and first found calculation
finding.ttd: [0..30]
Use the number of days to determine the findings based on the Total and First Found time to remediate. The token accepts range input as number of days. You can also customize the range input.
Examples
Show vulnerabilities findings based on total and first found calculation
finding.ttr: [61..90]
Use custom query to see the vulnerabilities findings based on total and first found calculation
finding.ttr: [0..90]
Select a type from Compliance, Malware, Misconfiguration, Vulnerability to search findings.
Example
Show findings with this type.
finding.type: Malware
finding.typeDetectedfinding.typeDetected
Select a detection type (Confirmed, Potential, or Information) to search for findings of this type. Select from names in the drop-down menu.
Example
Show vulnerabilities
finding.typeDetected: confirmed
finding.vendorFindingIdfinding.vendorFindingId
Use a text value to search findings with the specified source finding ID ( external id). It is the unique ID of an instance of the finding.
Example
Show finding with this source finding id.
finding.vendorFindingId: 9d7ef6e4-baed-47ba-99ec-a78a801f1e19
finding.vendorNamefinding.vendorName
Select a detection source (Wiz, Qualys, Microsoft) to search findings from the specified source. Select from names in the drop-down menu.
Example
Show findings with this source.
finding.vendorName: Qualys
finding.vendorProductNamefinding.vendorProductName
Select a detection source's product name (for example, VMDR ) to search findings with the product name of the detection source. Select from names in the drop-down menu.
Example
Show findings with the product name.
finding.vendorProductName: VMDR
finding.vendorUrlfinding.vendorUrl
Use quotes or backticks within values to help you find the finding with matching url.\
Examples
Show any findings related to this url:
finding.vendorUrl: https://app.wiz.io
Show any findings that contain "app" or "wiz" in url.
finding.vendorUrl: "app wiz"
Show any findings that match exact value.
finding.vendorUrl: `https://app.wiz.io/explorer/vulnerability-findings#5e95ff50-5490-514e-87f7-11e56f3230ff`
finding.wascInfoNamefinding.wascInfoName
Use this token to search findings by WASC category name associated with Qualys WAS QIDs for better vulnerability prioritization. The Web Application Security Consortium (WASC) is an international group that promotes web application security through best practices, standardized threat classifications, and industry collaboration.
Example
Show any findings related to WASC category name
finding.wascInfoName: WASC-16 Directory Indexing
Common Asset Tokens for ETM (CSAM) and ETM (Unified Asset Inventory) Enabled Account
asset.criticalityScoreasset.criticalityScore
Use an integer value (1-5) to help you find assets based on specific criticality score.
Examples
- Show assets with a criticality score of 5 :
asset.criticalityScore: 5 - Show assets with a criticality score of 2 :
asset.criticalityScore:2
asset.interface:(addressasset.interface:(address
Use a text value ##### to search findings based on IP address.
Examples
Show the exact match of the IP address
asset.interface:(address:`10.10.100.20`)
asset.interface:(address`2602:fdaa:60:9:0:0:a0e:2b43`)
Show any findings that contain parts of the IP address
asset.interface:(address:"10.10.100.2")
asset.interface:(address 10.10.100.2)
asset.interface:(address: "2602:fdaa:60:9:0:0:a0e:2b43")
asset.interface:(dnsAddressasset.interface:(dnsAddress
Use a text value ##### to define a DNS address to search the findings.
Example
Show the asset with DNS address 100.0.0.11
asset.interface:(dnsAddress100.0.0.11)
asset.interface:(gatewayAddressasset.interface:(gatewayAddress
Use a text value ##### to find assets with a certain default gateway address.
Example
Show assets with this default gateway address
asset.interface:(gatewayAddress10.11.65.1)
asset.interface:(hostnameasset.interface:(hostname
Use values within quotes or backticks to find the hostname you are looking for.
Examples
Show any findings related to name
asset.interface:(hostname: xpsp2-jp-26-111
Show any findings that contain parts of name
asset.interface:(hostname "xpsp2-jp-26-111")
Show any findings that match exact value "xpsp2-jp-26-111"
asset.interface:(hostname: `xpsp2-jp-26-111`)
Show any findings related to name (we'll match super domains)
asset.interface:(hostnameqcentos71sqp3.rdlab.acme.com)
Show any findings that match exact value "qcentos71sqp3.rdlab.acme.com"
asset.interface:(hostname: `qcentos71sqp3.rdlab.acme.com`)
Show findings according to values entered in the square brackets.
Note: You can add multiple values in []. However, it's important to understand that partial values are not supported. You must enter the exact match value.
Example with correct syntax - asset.interface:(hostname: [win7-181, bridge.vuln.qa.qualys.com])
Example with incorrect syntax - asset.interface:(hostname: [win7, bridge.vuln.qa])
asset.interface:(macAddressasset.interface:(macAddress
Use values within quotes to find a MAC address you are interested in.
Example
Show the asset with this MAC address
asset.interface:(macAddress:"00:50:56:A9:73:5A")
asset.interface:(manufacturerasset.interface:(manufacturer
Use values within quotes to find the interface hardware manufacturer.
Examples
Show the asset with interface hardware manufacturer
asset.interface.manufacturer:"Apple"
Show the asset with interface hardware manufacturer
asset.interface:(manufacturer:"Apple")
asset.interface:(nameasset.interface:(name
Use a text value ##### to find a certain interface name.
Example
Show the asset with name PRO/1000
asset.interface:(name:PRO/1000)
asset.interface:(netmaskasset.interface:(netmask
Use values to find the IP addresses from a particular class or range of IP addresses.
Example
Show the assets with the following netmask
asset.interface:(netmask:255.255.255.0)
asset.inventory.createdDateasset.inventory.createdDate
Use a date range or specific date to define when assets were created (i.e. when first scanned by a scanner appliance, or when agent was installed).
Examples
Show assets created within certain dates
asset.inventory.createdDate: [2019-01-01 .. 2019-01-15]
Show assets created starting 2019-01-15, ending 1 month ago
asset.inventory.createdDate: [2019-01-15 .. now-1M]
Show assets created starting 2 weeks ago, ending 1 second ago
asset.inventory.createdDate: [now-2w .. now-1s]
Show assets created on specific date
asset.inventory.createdDate: '2019-03-18'
Show assets createdwithin last 30 days excluding day 30.
asset.inventory.createdDate>now-30d)
Note: We recommend not to use the NOT operator in your range search to form query like NOT inventory.(created:[now-30d..now-2s]. See "QQL Best Practices" topic in the Unified Dashboard Online Help.
Show assets created within last 30 days including day 30.
asset.inventory.createdDate>=now-30d)
Show assets created older than last 30 days excluding day 30.
asset.inventory.createdDate<now-30d)
Show assets created older than last 30 days including day 30.
asset.inventory.createdDate<=now-30d
asset.inventory.sourceasset.inventory.source
Use a text value ##### to help you find assets from a certain Qualys source. (API, Active Directory, Appliance, Azure, BMC Helix, CAPS, CMDB, Cloud Agent, EASM, EC2, GCP, ICS OCA, IP Scanner, Malware Domain, Mobility Scanner, OCA, OCI, Passive Sensor, ServiceNow, WMWare vSphere, VMware ESXi, and Webhook) Select from values in the drop-down menu.
Examples
Show findings from cloud agents
asset.inventory.source: Cloud Agent
Show findings from Passive Sensor
asset.inventory.source: Passive Sensor
Use quotes or backticks within values to find the asset with specified asset name.
Examples
- Show assets related to the given name :
asset.name: QK2K12QP3-65-53 - Show assets that contain parts of the given name :
asset.name: "QK2K12QP3-65-53" - Show assets that match exactly match the given name :
asset.name: `QK2K12QP3-65-53`
businessApp.businessCriticalitybusinessApp.businessCriticality
Use values within quotes or backticks to define the business application.
Examples
Show any findings that contain parts of name
businessApp.businessCriticality:"1 - most"
Show any findings that match exact value "1 - most critical"
businessApp.businessCriticality:`1 - most critical`
businessApp.environmentbusinessApp.environment
Use a text value ##### to define business application based on environment.
Example
Show assets with business application environment as Production
businessApp.environment: Production
Use a text value ##### to define business application using unique ID.
Example
Show findings with business app ID as APP007
businessApp.id:APP007
businessApp.managedBybusinessApp.managedBy
Use values within quotes or backticks to define business applications managed by specific user.
Examples
Show any findings that contain parts of name
businessApp.managedBy:"Byron"
Show any findings that match exact value "Byron Fortuna"
businessApp.managedBy:`Byron Fortuna`
businessApp.namebusinessApp.name
Use values within quotes or backticks to define the business application name you're looking for.
Examples
Show any findings that contain parts of name
businessApp.name:"HR"
Show any findings that match exact value "HR Intranet"
businessApp.name:`HR Intranet`
businessApp.operationalStatusbusinessApp.operationalStatus
Use a text value ##### to define business applications based on operational status.
Example
Show business applications with operational status as Installed
businessApp.operationalStatus: Installed
businessApp.ownedBybusinessApp.ownedBy
Use values within quotes or backticks to define business applications owned by specific user.
Examples
Show any findings that contain parts of name
businessApp.ownedBy.username:"Joey"
Show any findings that match exact value "Joey Bolick"
businessApp.ownedBy:`Joey Bolick`
businessApp.supportedBybusinessApp.supportedBy
Use values within quotes or backticks to define business applications supported by specifc user.
Examples
Show any findings that contain parts of name
businessApp.supportedBy:"John"
Show any findings that match exact value "John Doe"
businessApp.supportedBy:`John Doe`
businessApp.supportGroupbusinessApp.supportGroup
Use a text value ##### to define business applications associated with specific support group.
Example
Show assets with business application support group as Security
businessApp.supportGroup: Security
Find assets synced from a certain cloud provider (AWS, AZURE, GCP). Select from names in the drop-down menu.
Example
Show assets synced from Amazon AWS
cloud.provider: "AWS"
connector.firstFoundDateconnector.firstFoundDate
Use a date range or specific date to define when connectors were first discovered.
Examples
Show connectors found within certain dates
connector.firstFoundDate: [2019-01-01 .. 2019-01-15]
Show connectors found starting 2019-01-15, ending 3 months ago
connector.firstFoundDate: [2019-01-15 .. now-3M]
Show connectors found starting 2 weeks ago, ending 1 second ago
connector.firstFoundDate: [now-2w .. now-1s]
Show connectors found on a specific date
connector.firstFoundDate:'2019-03-18'
Show connectors found within last 30 days excluding day 30.
connector.firstFoundDate>now-30d
Note: We recommend not to use the NOT operator in your range search to form query like NOT connector.firstFoundDate:[now-30d..now-2s]). See "QQL Best Practices" topic in the Unified Dashboard Online Help.
Show connectors discovered within last 30 days including day 30.
connector.firstFoundDate>=now-30d
Show connectors dicovered older than last 30 days excluding day 30.
connector.firstFoundDate<now-30d
Show connectors found older than last 30 days including day 30.
connector.firstFoundDate<=now-30d
Enter the connector ID that is an integer value ##### to find assets sourced from a specific connector created by the user.
Note: This token is for the new feature, Third-Party Asset Identification, which is in the Beta phase. The feature is in early stage and only available on a request basis. Contact your Technical Account Manager (TAM) for more information.
Example
Show findings with this connector ID
connector.id:1278237
connector.lastFoundDateconnector.lastFoundDate
Use a date range or specific date to define when connectors were last discovered.
Examples
Show connectors last discovered within certain dates
connector.lastFoundDate: [2019-01-01 .. 2019-01-15]
Show connectors discovered starting 2019-01-15, ending 3 months ago
connector.lastFoundDate: [2019-01-15 .. now-3M]
Show connectors discovered starting 2 weeks ago, ending 1 second ago
connector.lastFoundDate: [now-2w .. now-1s]
Show connectors discovered on a specific date
connector.lastFoundDate:'2019-03-18'
Show connectors discovered within last 30 days excluding day 30.
connector.lastFoundDate: >now-30d
Note: We recommend not to use the NOT operator in your range search to form query like NOT connector.lastFoundDate:[now-30d..now-2s]). See "QQL Best Practices" topic in the Unified Dashboard Online Help.
Show connectors discovered within last 30 days including day 30.
connector.lastFoundDate: >=now-30d
Show connectors dicovered older than last 30 days excluding day 30.
connector.lastFoundDate: <now-30d
Show connectors found older than last 30 days including day 30.
connector.lastFoundDate: <=now-30d
Enter the connector name you are interested in by using a text value ##### to show findings detected by the specific connector.
Example
Show findings detected by connector name snapshot based scanning
connector.name: snapshot based scanning
Show any findings that is exact match for connector name snapshot based scanning
connector.name: `snapshot based scanning`
Show any findings that contain components of the connector name snapshot based scanning
connector.name: "snapshot based scanning"
container.hasSensorcontainer.hasSensor
Use the values true | false to choose whether to show container hosts that have the Container Sensor installed.
Example
Show container hosts with container sensor installed.
container.hasSensor:"true"
container.noOfContainerscontainer.noOfContainers
Use an integer value ##### to find assets with some number of containers. The value is displayed only for VM scan or Agent scan (and not for sensors).
Example
Show findings with 2 containers
container.noOfContainers:2
container.noOfImagescontainer.noOfImages
Use an integer value ##### to find assets with some number of container images. The value is displayed only for VM scan or Agent scan (and not for sensors).
Example
Show findings with 5 container images
container.noOfImages:5
container.productcontainer.product
Use a text value ##### to define the container product.
Examples
Show container product
container.product: CONTAINERD
Show container product
container.product: DOCKER
container.versioncontainer.version
Use a text value ##### to find containers with certain version number.
Example
Show containers of this version
container.version:1.6
customAttributes.connectorIdcustomAttributes.connectorId
Provide the value to identify your assets based on the connector Id. Enter the connector Id as 0, which is the default connector Id for connector 'Qualys'.
Example
Find assets for connector 'Qualys'
customAttributes.connectorId:0
customAttributes.keycustomAttributes.key
Provide the value to identify your assets based on the key entered as part of the custom attribute.
Example
Find assets with "Department" as part of the key name
customAttributes.key:"Department"
The result includes assets with the 'Department' custom attribute key.
Note: If 'Department' is part of the key name, such as Department 1, Department A-C, or Department US, those assets are also included in the result.
customAttributes.valuecustomAttributes.value
Provide the value to identify your assets based on the value entered as part of the custom attribute.
Example
Find assets with "DEVOPS" as part of the key value
customAttributes.value:"DEVOPS"
The result includes assets with the 'DEVOPS' custom attribute value.
Note: If 'DEVOPS' is part of the value name, such as DEVOPS CSAM, DEVOPS CA, or DEVOPS PM, those assets are also included in the result.
missingSoftware.category1missingSoftware.category1
Use text value ##### to find the missing software category 1 value you are looking for.
Example
If you are searching for assets missing testing software, then category1 is Application Development and category2 is Testing.
Show any findings that match exact value
missingSoftware.category1:Application Development
missingSoftware.category2missingSoftware.category2
Use text value ##### to find the missing software category 2 value you are looking for.
Example
If you are searching for assets missing testing software, then category1 is Application Development and category2 is Testing.
Show any findings that match exact value
missingSoftware.category2:Testing
missingSoftware.detectionScoremissingSoftware.detectionScore
Use a text value ##### to show findings that match the missing software detection score.
Examples
Show findings with the the missing software detection score
missingSoftware.detectionScore: 50
Show findings with the missing software detection score
missingSoftware.detectionScore>50
Show findings with the missing software detection score
missingSoftware.detectionScore<50
Show findings with the missing software detection score
missingSoftware.detectionScore>=50
Show findings with the missing software detection score
missingSoftware.detectionScore<=50
missingSoftware.namemissingSoftware.name
Use values within quotes or backticks to help you find the missing software name you're looking for. Quotes can be used when the value has more than one word.
Examples
Show any findings with this name
missingSoftware.name: VMware Tools
Show any findings that contain parts of name
missingSoftware.name: "VMware Tools"
Show any findings that match exact value
missingSoftware.name: `VMware Tools`
Find assets with certain tag and missing software
finding.tags.name: `Cloud Agent` AND missingSoftware.name: `Cisco AnyConnect Secure Mobility Client` AND version: `3.1.12345`
missingSoftware.productmissingSoftware.product
Use a text value ##### to find a software without product name.
Example
Show findings with this exact product name
missingSoftware.product:Office
missingSoftware.publishermissingSoftware.publisher
Use a text value ##### to find a software without publisher.
Example
Show findings without this software publisher
missingSoftware.publisher:Microsoft
processor.coresPerSocketprocessor.coresPerSocket
Use the value to show the number of cores per socket.
Example
Show the number of cores per socket
processor.coresPerSocket:2
processor.multiThreadingStatus processor.multiThreadingStatus
Use the values ENABLED | DISABLED to define whether your processor is multi-threading enabled.
Example
Show multi-threading enabled processor
processor.multiThreadingStatus: "ENABLED"
Use values within quotes or backticks to help you find the full processor name you're looking for.
Examples
Show any findings that contain parts of name
processor.name:"iIntel Xwon® CPU ES-2673 v3"
Show any findings that match exact value
processor.name:`Intel Xwon® CPU ES-2673 v3`
processor.noOfCpuprocessor.noOfCpu
Use the value to show the number of logical CPUs.
Example
Show the logical CPUs
processor.noOfCpu:4
processor.noOfSocketsprocessor.noOfSockets
Use the value to show the number of sockets.
Example
Show number of sockets
processor.noOfSockets:2
processor.speedprocessor.speed
Use an integer value ##### to find assets with a certain processor speed (MHz).
Example
Show assets with this processor speed
processor.speed:2394
processor.threadsPerCoreprocessor.threadsPerCore
Use the value to show the number of threads per core.
Example
Show number of threads per core
processor.threadsPerCore:1
software:(architecturesoftware:(architecture
Use text value ##### to find the software architecture you are looking for, i.e 32-Bit or 64-Bit.
Example
Show any findings that match exact value
software:(architecture:32-Bit)
software:(categorysoftware:(category
Use values within quotes or backticks to help you find a software category.
Example
Show any findings that match exact value
software:(category:`Testing`)
software:(category1software:(category1
Use this token to filter assets by the software category 1.
Example
If you are searching for assets having testing software, then category1 is Application Development and category2 is Testing.
Show any findings that match exact value
software:(category1:Application Development)
software:(category2software:(category2
Use this token to filter assets by the software category 2.
Example
If you are searching for assets having testing software, then category1 is Application Development and category2 is Testing.
Show any findings that match exact value
software:(category2:Testing))
software:(componentsoftware:(component
Use a value Client, Server or " " (empty field) to identify the software component.
Example
Show findings with Client software component
software:(component:Client)
software:(discoverySourcessoftware:(discoverySources
Use a text value ##### to find software detected from a certain discovery source. (Active Directory, BMC Helix, CMDB, Cloud Agent, EASM, ICS OCA, IP Scanner, OCA, Passive Sensor, ServiceNow, Unknown, and Webhook) Select from values in the drop-down menu.
Example
Show findings from Passive Sensor
software:(discoverySources:CMDB)
software:(editionsoftware:(edition
Use text value ##### to find the software edition.
Example
Show any findings that match exact value
software:(edition: Professional)
software:(firstFoundDatesoftware:(firstFoundDate
Use a date range or specific date to define when software was first found.
Examples
Show assets with software first found within certain dates
software:(firstFoundDate:[2017-06-15 .. 2017-06-30])
Show assets with software first found starting 2017-06-22, ending 1 month ago
software:(firstFoundDate :[2017-06-22 .. now-1M])
Show assets with software first found starting 2 weeks ago, ending 1 second ago
software:(firstFoundDate: :[now-2w .. now-1s])
Show assets with software first found on specific date
software.firstFoundDate:'2017-06-14')
Show assets with software first found within last 30 days excluding day 30.
software:(firstFoundDate>now-30d)
Note: We recommend not to use the NOT operator in your range search to form query like NOT software:(firstFoundDate[now-30d..now-2s]). See "QQL Best Practices" topic in the Unified Dashboard Online Help.
Show assets with software first found within last 30 days including day 30.
software:(firstFoundDate>=now-30d)
Show assets with software first found which is older than last 30 days excluding day 30.
software:(firstFoundDate<now-30d)
Show assets with software first found which is older than last 30 days including day 30.
software:(firstFoundDate<=now-30d)
software:(installDatesoftware:(installDate
Use a date range or specific date to define when software was installed.
Examples
Show software installed within certain dates
software:(installDate[2019-01-01 .. 2019-01-15])
Show software installed starting 2019-01-15, ending 1 month ago
software:(installDate[2019-01-15 .. now-1M])
Show software installed starting 2 weeks ago, ending 1 second ago
software.installDate:[now-2w .. now-1s])
Show software installed on a specific date
software:(installDate'2019-03-18')
Show software installed within last 30 days excluding day 30.
software:(installDate>now-30d))
Note: We recommend not to use the NOT operator in your range search to form query like NOT sensor.lastPcScannerScanDate:[now-30d..now-2s]. See "QQL Best Practices" topic in the Unified Dashboard Online Help.
Show software installed within last 30 days including day 30.
software:(installDate>=now-30d))
Show last PC scan which are older than last 30 days excluding day 30.
software:(installDate<now-30d))
Show software installed which are older than last 30 days including day 30.
software:(installDate<=now-30d))
software:(lastUpdatedDatesoftware:(lastUpdatedDate
Use a date range or specific date to define when a software was last updated.
Examples
Show software last updated within certain dates
software:(lastUpdatedDate:[2019-01-01 .. 2019-01-15])
Show software last updated starting 2019-01-15, ending 1 month ago
software:(lastUpdatedDate:[2019-01-15 .. now-1M])
Show software last updated starting 2 weeks ago, ending 1 second ago
software:(lastUpdatedDate:[now-2w .. now-1s])
Show software last updated on a specific date
software:(lastUpdatedDate:'2019-03-18')
Show software last updated within last 30 days excluding day 30.
software:(lastUpdatedDate>now-30d)
Note: We recommend not to use the NOT operator in your range search to form query like NOT software:(lastUpdatedDate[now-30d..now-2s]). See "QQL Best Practices" topic in the Unified Dashboard Online Help.
Show software last updated within last 30 days including day 30.
software:(lastUpdatedDate>=now-30d)
Show software last updated which is older than last 30 days excluding day 30.
software:(lastUpdatedDate<now-30d)
Show lsoftware last updated which is older than last 30 days including day 30.
software:(lastUpdatedDate<=now-30d)
Use values within quotes or backticks to help you find the software name. Quotes can be used when the value has more than one word.
Examples
Show any findings with this name
software:(name:VMware Tools)
Show any findings that contain parts of name
software:(name:"VMware Tools")
Show any findings that match exact value
software:(name:`VMware Tools`)
Find assets with certain tag and software installed
asset.tag.name: `Cloud Agent` AND software:(name`Cisco AnyConnect Secure Mobility Client` AND software.version: `3.1.12345`)
software:(hasRunningInstancesoftware:(hasRunningInstance
Use the values true | false to find whether software has a running instance.
Example
Show software that has a running instance
ssoftware:(hasRunningInstance "true")
software:(isPackagesoftware:(isPackage
Use the values true | false to define whether software is a package component.
Example
Show software that is a package component
software:(isPackage:"true")
software:(lifecycle.eolsoftware:(lifecycle.eol
Use a date range or specific date to define an software End-of-Life date of interest.
Examples
Show findings with software End-of-Life date in this date range
software:(lifecycle.eol:[2019-01-01 .. 2019-01-15])
Show findings with software End-of-Life date starting 2019-01-15, ending 1 month ago
software:(lifecycle.eol:[2019-01-15 .. now-1M])
Show findings with software End-of-Life date starting 2 weeks ago, ending 1 second ago
software:(lifecycle.eol:[now-2w .. now-1s])
Show findings with this software End-of-Life date
software:(lifecycle.eol:'2019-03-18')
software.isPackagesoftware.isPackage
Use the values true | false to define whether software is a package.
Example
Show software that is a package
software.isPackage: "true")
software:(isPCSupportedsoftware:(isPCSupported
Use the values true | false to define whether software is PC supported.
Example
Show software that is PC supported
software:(isPCSupported: "true")
software:(isRequiredsoftware:(isRequired
Use the values true | false to define whether software is a required.
Example
Show software that is required
software:(isRequired: "true")
software:(license.categorysoftware:(license.category
Use text value ##### to help you find a software license category, i.e. Open Source, Commercial.
Example
Show any findings that match exact value
software:(license.category:`Open Source`)
software:(license.subcategorysoftware:(license.subcategory
Use text value ##### to help you find a software license subcategory, i.e. GPL, Apache 2.0, BSD.
Example
Show any findings that match exact value
software:(license.subcategory:Apache 2.0)
software:(lifecycle.detectionScoresoftware:(lifecycle.detectionScore
Use a text value ##### to find the software product with the lifecycle detection score you are looking for.
Examples
Show the software product with the lifecycle detection score
software:(lifecycle.detectionScore: 80)
Show the software product with the lifecycle detection score
software:(lifecycle.detectionScore>80)
Show the software product with the lifecycle detection score
software:(lifecycle.detectionScore<80)
Show the software product with the lifecycle detection score
software:(lifecycle.detectionScore<=80)
Show the software product with the lifecycle detection score
software:(lifecycle.detectionScore>=80)
software:(lifecycle.eossoftware:(lifecycle.eos
Use a date range or specific date to define an software End-of-Support date of interest.
Examples
Show findings with software End-of-Support date in this date range
software:(lifecycle.eos:[2019-01-01 .. 2019-01-15])
Show findings with software End-of-Support date starting 2019-01-15, ending 1 month ago
software:(lifecycle.eos:[2019-01-15 .. now-1M])
Show findings with software End-of-Support date starting 2 weeks ago, ending 1 second ago
software:(lifecycle.eos:[now-2w .. now-1s])
Show findings with this software End-of-Support date
software:(lifecycle.eos:'2019-03-18')
software:(lifecycle.eolsoftware:(lifecycle.eol
Use a date range or specific date to define an software End-of-Life date of interest.
Examples
Show findings with software End-of-Life date in this date range
software:(lifecycle.eol:[2019-01-01 .. 2019-01-15])
Show findings with software End-of-Life date starting 2019-01-15, ending 1 month ago
software:(lifecycle.eol:[2019-01-15 .. now-1M])
Show findings with software End-of-Life date starting 2 weeks ago, ending 1 second ago
software:(lifecycle.eol:[now-2w .. now-1s])
Show findings with this software End-of-Life date
software.lifecycle.eol:'2019-03-18')
software:(lifecycle.gasoftware:(lifecycle.ga
Use a date range or specific date to define a software general availability date of interest.
Examples
Show findings with software GA date in this date range
software:(lifecycle.ga:[2019-01-01 .. 2019-01-15]
Show findings with woftware GA date starting 2019-01-15, ending 1 month ago
software:(lifecycle.ga:[2019-01-15 .. now-1M])
Show findings with software GA date starting 2 weeks ago, ending 1 second ago
software:(lifecycle.ga:[now-2w .. now-1s])
Show findings with this software GA date
software:(lifecycle.ga:'2019-03-18')
software:(lifecycle.stagesoftware:(lifecycle.stage
Use a text value ##### to define a software lifecycle stage you're looking for, i.e. active, eol, obsolete.
Examples
Show findings having this software lifecycle stage
software:(lifecycle.stage:eol
Show findings having software category Windows and software lifecycle stage "active"
software:(category:Windows AND software:(lifecycle.stage:eol)
software:(marketVersionsoftware:(marketVersion
Use text value ##### to help you find a software market version, e.g. Windows OS.
Example
Show any findings that match exact value
software:(marketVersion:7)
software:(productsoftware:(product
Use a text value ##### to define a software product name you're looking for.
Example
Show findings with this exact product name
software:(product:Office)
software:(publishersoftware:(publisher
Use a text value ##### to define a software manufacturer you are looking for.
Example
Show findings with this exact software publisher
software:(publisher:Microsoft)
software:(supportStagesoftware:(supportStage
Use a text value ##### to define the software support stage.
Example
Show software having premium support
software:(supportStage: Premier Support)
software:(versionsoftware:(version
Use a text value ##### to define the software version you're interested in.
Examples
Show findings with this exact software version
software:(version:16.0)
Show findings with software version greater than 16.0
software:(version>16.0)
Show findings with software version greater than or equal to 16.0
software:(version>=16.0)
Show findings with software version less than 16.0
software:(version<16.0)
Show findings with software version less than or equal to 16.0
software:(version<=16.0)
Show findings with software version within this version range
software:(version:[16.0 .. 20.0])
Use a text value ##### to define a software type of interest.
Example
Show findings having this software type
software:(type:Installer Package)
whoIs:(createdDate:whoIs:(createdDate:
Use a date range or specific date to find all the assets with the whoIs creation date.
Examples
Show assets with whoIs creation date within certain dates
whoIs:(createdDate: [2019-01-01 .. 2019-01-15])
Show assets with whoIs creation date starting 2019-01-15, ending 1 month ago
whoIs:(createdDate: [2019-01-15 .. now-1M])
Show assets with whoIs creation date starting 2 weeks ago, ending 1-second ago
whoIs:(createdDate: [now-2w .. now-1s])
Show assets with whoIs creation date last updated on a specific date
whoIs:(createdDate: `2022-06-04`)
Show assets with whoIs creation date within last 30 days excluding day 30.
whoIs:(createdDate>now-30d)
Note: We recommend not to use the NOT operator in your range search to form query like NOT software.lastUsedDate:[now-30d..now-2s]). See "QQL Best Practices" topic in the Unified Dashboard Online Help.
Show assets with whoIs creation date within last 30 days including day 30.
whoIs:(createdDate>=now-30d)
Show assets with whoIs creation date which is older than last 30 days excluding day 30.
whoIs:(createdDate<now-30d)
Show assets with whoIs creation date which is older than last 30 days including day 30.
whoIs:(createdDate<=now-30d)
whoIs:(expirationDatewhoIs:(expirationDate
Use this token to search assets by the domain registration expiration date from WHOIS data.
Example
Find domains expiring on a specific date
whoIs:(expirationDate:"2024-09-01"
whoIs.registrantEmailIdwhoIs.registrantEmailId
Use values within quotes or backticks to find all the assets using the registrant email id of domain or subdomain.
Examples
Show all the assets for which the exact registrant email id of the domain or subdomain matches
whoIs:(registrantEmailId: `[email protected]`)
Show all the assets for which the part of the registrant email id of the domain or subdomain matches
whoIs:(registrantEmailId: "[email protected]")
whoIs.registrantOrgwhoIs.registrantOrg
Use values within quotes or backticks to find all the assets using the registrant organization of domain or subdomain.
Examples
Show all the assets for which the exact registrant organization of domain/subdomain matches
whoIs:(registrantOrg: `Qualys, Inc`)
Show all the assets for which the part of the registrant organization of domain/subdomain matches
whoIs:(registrantOrg: "Qualys,")
whoIs:(registrantCountrywhoIs:(registrantCountry
Use this token to search assets by the registrant's country from the WHOIS record.
Example
Find domains registered in the United States.
whoIs:(registrantCountry:"US"
whoIs.registrarwhoIs.registrar
Use values within quotes or backticks to find all the assets using the registrar.
Examples
Show all the assets for which the exact registrar matches
whoIs:(registrar: `abc net`)
Show all assets for which the part of the registrar matches
whoIs:(registrar: "abc net")
Asset Tokens for ETM - Unified Asset Inventory Enabled Account
apiCollection.nameapiCollection.name
Use this token to filter domains by their registered domain name.
Example
Show API collections with this name.
apiCollection.name:S3Bucket01
apiCollection.sourceTypeapiCollection.sourceType
Use this token to filter API collections by their discovery source (Swagger, Postman, EASM, and so on).
Example
Show API collections discovered from this source type.
apiCollection.sourceType:Swagger
apiCollection.versionapiCollection.version
Use this token to filter API collections by their published version.
Example
Show API collections with this version identifier.
apiCollection.version:v2
apiEndpoint.pathapiEndpoint.path
Use this token to filter API endpoints by their path segment.
Example
Show API endpoints whose path matches this pattern.
apiEndpoint.path:"/v1/users"
apiEndpoint.protocolapiEndpoint.protocol
Use this token to filter endpoints by protocol (HTTP, HTTPS, gRPC).
Example
Use this token to filter endpoints by protocol (HTTP, HTTPS, gRPC).
apiEndpoint.protocol:"HTTPS"
apiEndpoint.urlapiEndpoint.url
Use this token to filter API endpoints by their full URL.
Example
Show API endpoints matching this full URL.
apiEndpoint.url:"//api.example.com/v1/users"
application.environmentapplication.environment
Use this token to filter applications by the environment they run in (for example, dev, test, staging, or production).
Example
Show applications running in the specified environment.
application.environment:production
application.supportedLanguagesapplication.supportedLanguages
Use this token to filter applications by the programming languages they support.
Example
Show applications that support the selected programming languages.
application.supportedLanguages:Python, JavaScript
application.baseUrlapplication.baseUrl
Use this token to filter applications by their primary base URL.
Example
Show applications hosted under the specified base URL.
application.baseUrl:https://api.example.com
application.securityConfig.isHttpsEnabledapplication.securityConfig.isHttpsEnabled
Use this token to filter applications that have HTTPS enabled.
Example
Show applications where HTTPS is enabled.
application.securityConfig.isHttpsEnabled:true
application.securityConfig.isAuthenticationEnabledapplication.securityConfig.isAuthenticationEnabled
Use this token to filter applications that require authentication.
Example
Show applications that have authentication enabled.
application.securityConfig.isAuthenticationEnabled:true
application.securityConfig.allowedOriginsapplication.securityConfig.allowedOrigins
Use this token to filter applications by the list of origins allowed for cross-origin requests.
Example
Show applications that allow cross-origin requests from this origin.
application.securityConfig.allowedOrigins:https://frontend.example.com
application.securityConfig.isCsrfProtectionEnabledapplication.securityConfig.isCsrfProtectionEnabled
Use this token to filter applications with CSRF protection enabled.
Example
Show applications with CSRF protection turned on.
application.securityConfig.isCsrfProtectionEnabled:true
application.securityConfig.isRateLimitingEnabledapplication.securityConfig.isRateLimitingEnabled
Use this token to filter applications where rate limiting is enforced.
Example
Show applications with rate limiting enabled.
application.securityConfig.isRateLimitingEnabled:true
application.oauthConfig.isEnabledapplication.oauthConfig.isEnabled
Use this token to filter applications based on whether a feature flag is enabled.
Example
Show applications where this feature flag is enabled.
application.oauthConfig.isEnabled:true
application.oauthConfig.providerapplication.oauthConfig.provider
Use this token to filter applications by the OAuth provider (for example, Google, Okta, GitHub).
Example
Show applications that use the specified OAuth provider.
application.oauthConfig.provider:Google
application.oauthConfig.clientIdapplication.oauthConfig.clientId
Use this token to filter applications by their OAuth client identifier.
Example
Show applications configured with the given OAuth client ID.
application.oauthConfig.clientId:client-12345
application.databaseConfig.dbTypeapplication.databaseConfig.dbType
Use this token to filter applications by the type of database they are configured to use.
Example
Show applications using the specified type of database.
application.databaseConfig.dbType:PostgreSQL
application.databaseConfig.hostapplication.databaseConfig.host
Use this token to filter applications by the hostname of their connected database.
Example
Show applications connected to a database hosted at this address.
application.databaseConfig.host:db.example.com
application.databaseConfig.portapplication.databaseConfig.port
Use this token to filter applications by the port number used for database connectivity.
Example
Show applications using this database port.
application.databaseConfig.port:5432
application.databaseConfig.databaseNameapplication.databaseConfig.databaseName
Use this token to filter applications by the configured database name.
Example
Show applications configured to use the specified database name.
application.databaseConfig.databaseName:appdb
application.databaseConfig.usernameapplication.databaseConfig.username
Use this token to filter applications by the username used to authenticate with the database.
Example
Show applications using this database username.
application.databaseConfig.username:appuser
application.featureFlag:(featureNameapplication.featureFlag:(featureName
Use this token to filter applications by the name of a feature flag.
Example
Show applications that include this feature flag.
application.featureFlag:(featureName:dark_mode)
application.featureFlag:(isEnabledapplication.featureFlag:(isEnabled
Use this token to filter applications based on whether a feature flag is enabled.
Example
Show applications where this feature flag is enabled.
application.featureFlag:(isEnabled:true)
application.nameapplication.name
Use this token to filter domains by their registered domain name.
Example
Show API collections with this name.
application.name:S3Bucket01
application.versionapplication.version
Use this token to filter API collections by their published version.
Example
Show API collections with this version identifier.
application.version:v2
application.artifactTypeapplication.artifactType
Use this token to filter applications by their artifact type (container, jar, binary, etc.).
Example
Show applications built using this artifact type.
application.artifactType:Container
asset.businessInfo.companyasset.businessInfo.company
Use this token to search assets by the company name associated with the asset's business information.
Example
Show assets by the company name associated with the asset's business information
asset.businessInfo.company:"Acme Corp"
asset.businessInfo.departmentasset.businessInfo.department
Use this token to search assets by the owning or responsible department recorded in the asset's business information.
Example
Show the assets owned by IT department
asset.businessInfo.department:"IT"
asset.businessInfo.environmentasset.businessInfo.environment
Use this token to search assets by business environment, such as Production, Staging, or Development.
Example
Show the assets by Production environment
asset.businessInfo.environment:Production
asset.businessInfo.managedBy.usernameasset.businessInfo.managedBy.username
Use this token to search assets by the username of the person or owner responsible for managing the asset.
Example
Show assets by the username of the person
asset.businessInfo.managedBy.username:jsmith
asset.businessInfo.operationalStatusasset.businessInfo.operationalStatus
Use this token to search assets by the operational Status value associated with the asset record in Unified Asset Inventory.
Example
Show the assets by the operational Status
asset.businessInfo.operationalStatus:"Active"
asset.businessInfo.ownedBy.usernameasset.businessInfo.ownedBy.username
Use this token to search assets by the username of the person or owner responsible for managing the asset.
Example
Show assets by the username of the person or owner responsible for managing the asset.
asset.businessInfo.ownedBy.username:"smith"
asset.businessInfo.supportGroupasset.businessInfo.supportGroup
Use this token to search assets by the support group responsible for handling incidents or requests related to the asset.
Example
Show the assets by the support group responsible for handling incidents
asset.businessInfo.supportGroup:"IT Ops L1"
Use this token to search assets by their primary class, such as Host, Application, Database, or Network Device.
Example
Show the assets by this class
asset.class:compute
asset.external.tag:(keyasset.external.tag:(key
Use this token to search assets by the name of an external tag synchronized from a third-party system.
Example
Find assets with a specific external tag key.
asset.external.tag:(key:"WEB-SRV-01")
asset.external.tag:(valueasset.external.tag:(value
Use this token to search assets by the value associated with an external tag from a third-party system.
Example
Show assets by the value associated with an external tag from a third-party system.
asset.external.tag:(value:"value"
asset.externalAssetIdasset.externalAssetId
Use this token to search assets by an external asset identifier coming from a CMDB or other external source.
Example
Show the assets by an external asset identifier coming from a CMDB
asset.externalAssetId:value
Use this token to filter assets by the number of CPUs installed on the system.
Example
Find assets with a specific number of CPUs.
asset.noOfCpu:8
asset.openPorts:(descriptionasset.openPorts:(description
Use values within quotes or backticks to help you find the service description detected on an open port.
Examples
Show any findings with this description
asset.openPorts:(description: Windows Remote Desktop)
Show any findings that contain parts of description
asset.openPorts:(description: "Windows Remote Desktop")
Show any findings that match exact value "Windows Remote Desktop"
asset.openPorts:(description: `Windows Remote Desktop`)
openPorts:(detectedServiceopenPorts:(detectedService
Use values within quotes or backticks to help you find the detected service you're looking for.
Examples
Show any findings with this service name
openPorts:(detectedService: win_remote_desktop)
Show any findings that contain parts of name
openPorts:(detectedService: "win_remote_desktop")
Show any findings that match exact value "win_remote_desktop"
openPorts:(detectedService: `win_remote_desktop`)
asset.openPorts:(detectionScoreasset.openPorts:(detectionScore
Filter the open ports based on the QDS score.
Examples
Show open ports based on the following QDS score
asset.openPorts:(detectionScore: 80)
Show open ports based on the following QDS score
asset.openPorts:(detectionScore>80)
Show open ports based on the following QDS score
asset.openPorts:(detectionScore<80)
Show open ports based on the following QDS score
asset.openPorts:(detectionScore>=80)
asset.openPorts:(discoverySourcesasset.openPorts:(discoverySources
Use a text value ##### to find open ports detected from a certain discovery source. (Active Directory, BMC Helix, CMDB, Cloud Agent, EASM, ICS OCA, IP Scanner, OCA, Passive Sensor, ServiceNow, Unknown, and Webhook) Select from values in the drop-down menu.
Examples
Show findings from cloud agents
asset.openPorts:(discoverySources Cloud Agent)
Show findings from Passive Sensor
asset.openPorts:(discoverySources CMDB)
asset.openPorts:(firstFoundDateasset.openPorts:(firstFoundDate
Use this token to filter assets by when an open port was first discovered.
Example
Show assets where firstFoundDate matches the specified value.
asset.openPorts:(firstFoundDate:2024-09-01)
asset.openPorts:(lastUpdatedDateasset.openPorts:(lastUpdatedDate
Use this token to filter assets by when information about the open port was last updated.
Example
Show assets where lastUpdatedDate matches the specified value.
asset.openPorts:(lastUpdatedDate:2025-09-01)
asset.openPorts:(port:(portasset.openPorts:(port:(port
Use an integer value ##### to find assets with the specified open port.
Example
Show all assets with open port 80
asset.openPorts:(port:(port80)
asset.openPorts:(protocolasset.openPorts:(protocol
Use a text value ##### (UDP or TCP) to define the port protocol you're interested in.
Examples
Show findings found on TCP
asset.openPorts:(protocol: TCP)
Show findings found on port 80 and TCP
asset.openPorts:(protocol: 80 AND protocol: TCP)
Use this token to search assets by their subclass, which provides a more granular type within the main asset class.
Example
Show the assets by the class
asset.subclass:Server
asset.tag.businessImpactasset.tag.businessImpact
Use this token to search assets by the business impact value associated with an asset tag (for example, High, Medium, Low).
Example
Show the assets by the business impact value associated with an asset tag
asset.tag.businessImpact:"High"
asset.updatedDateasset.updatedDate
Use this token to search assets by the date when the asset record was last updated in Unified Asset Inventory.
Example
asset.updatedDate:[2024-01-01 .. 2024-01-15]
Show assets last updated starting 2019-01-15, ending 1 month ago
asset.updatedDate:[2024-01-15.. now-1M]
Show assets last updated starting 2 hours ago, ending 1 second ago
asset.updatedDate:[now-2h .. now-1s]
Show assets last updated starting 4 hours ago, ending 1 hour ago
asset.updatedDate:[now-4h .. now-1h]
Show assets last updated starting 2 weeks ago, ending 1 second ago
asset.updatedDate:[now-2w .. now-1s]
Show assets last updated on a specific date
asset.updatedDate:'2025-03-18'
certificate:(dncertificate:(dn
Use this token to filter certificate by its full distinguished name (DN).
Example
Show certificates that have this subject identifier in the distinguished name.
certificate:(dn:ST=California)
certificate:(serialNumbercertificate:(serialNumber
Use this token to filter certificate by its serial number.
Example
Show the certificate that has this serial number
certificate:(serialNumber:"01ab8a210a7cf9955665c47fca758459ca78")
certificate:(issuer.countrycertificate:(issuer.country
Use this token to filter certificate by the country code mentioned in the issuer distinguished name.
Example
Show certificates that have this country in issuer DN
certificate:(issuer.country:`US`)
certificate:(issuer.namecertificate:(issuer.name
Use this token to filter certificates by the name of the issuing certificate authority.
Example
Show the certificates having this issuing authority name
certificate:(issuer.name:Symantec Class 3 EV SSL CA - G3)
certificate:(issuer.organizationcertificate:(issuer.organization
Use this token to filter certificate by the organization mentioned in the issuer distinguished name.
Example
sample
certificate:(issuer.organization:`Symantec Corporation`)
certificate:(issuer.organizationUnitcertificate:(issuer.organizationUnit
Use this token to filter certificate by the organizational unit mentioned in the issuer distinguished name.
Example
Show certificates that have this organization unit in issuer DN
certificate:(issuer.organizationUnit:`Symantec Trust Network`)
certificate:(issuerCategorycertificate:(issuerCategory
Use this token to filter certificate by the issuer category.
Example
Show DigiCert SHA2 Extended Validation Server CA certificates
certificate:(issuerCategory: DigiCert SHA2 Extended Validation Server CA)
certificate:(keySizecertificate:(keySize
Use this token to filter certificate by its key length in bits, such as 2048 or 4096.
Example
Show certificates that have 2048-bit keys
certificate:(keySize:2048)
certificate:(selfSignedcertificate:(selfSigned
Use this token to filter certificate based on whether the certificate is self-signed.
Example
Show certificates that are self-signed
certificate:(selfSigned:true)
certificate:(signatureAlgorithmcertificate:(signatureAlgorithm
Use this token to filter certificate by the signature algorithm used by the certificate.
Example
Show certificates that use this signature algorithm
certificate:(signatureAlgorithm:SHA256withRSA)
certificate:(subject.countrycertificate:(subject.country
Use this token to filter certificate by the country code mentioned in the subject distinguished name.
Example
Show certificates that have this country in subject DN
certificate:(subject.country:US)
certificate:(subject.localitycertificate:(subject.locality
Use this token to filter certificates by the locality mentioned in the subject distinguished name.
Example
Show certificates that have this locality in subject DN
certificate:(subject.locality:Redwood City)
certificate:(subject.namecertificate:(subject.name
Use this token to filter certificates by their subject name.
Example
Show certificates with this name
certificate:(subject.name:www.qualys.com)
certificate:(subject.organizationcertificate:(subject.organization
Use this token to filter certificate by the organization mentioned in the subject distinguished name.
Example
Show certificates that have this organization in the subject DN
certificate:(subject.organization:Qualys, Inc.)
certificate:(subject.statecertificate:(subject.state
Use this token to filter certificate by the state mentioned in the subject distinguished name.
Example
Show certificates that have this state in subject DN
certificate:(subject.state:California)
certificate:(validFromDatecertificate:(validFromDate
Use this token to filter certificate by the date from which the certificate is valid.
Examples
Show certificates that are valid within certain dates
certificate:(validFromDate:[2018-06-15 .. 2018-06-30])
Show certificates that are valid on a specific date
certificate:(validFromDate:'2017-12-14')
certificate:(validToDatecertificate:(validToDate
Use this token to filter certificate by the date until which the certificate is valid.
Example
Show certificates that expire before 2022-01-20
certificate:(validToDate< "2022-01-20")
Show certificates that expire after 2020
certificate:(validToDate> "2020")
Show certificates that expire before March 2020 (yyyy-mm)
certificate:(validToDate< "2020-03")
Show certificates that expire between today and 2020-12-01
certificate:(validToDate:"[now..2020-12-01]")
cloud.accountIdcloud.accountId
Use this token to search cloud assets by the cloud account ID in the respective cloud provider.
Example
Show cloud assets by the cloud account ID i
cloud.accountId:123456789012
cloud.availabilityZone cloud.availabilityZone
Use this token to search cloud assets by their availability zone within the cloud provider.
Example
Show the cloud assets by their availability zone within the cloud provider.
cloud.availabilityZone :"us-east-1a"
Use this token to search cloud assets by the cloud region where they are hosted.
Example
Show cloud assets by the cloud region where they are hosted.
cloud.region:"us-east-1"
Use this token to search cloud assets by the tenant or subscription ID of the cloud account.
Example
Show cloud assets by the tenant ID
cloud.tenantId:00000000-0000-0000-0000-000000000000
cloud.resource.namecloud.resource.name
Use this token to filter domains by their registered domain name.
Example
Show API collections with this name.
cloud.resource.name:S3Bucket01
cloud.resource.providerTypecloud.resource.providerType
Use this token to filter cloud resources by cloud provider type (AWS, Azure, GCP, etc.).
Example
Show cloud resources associated with this provider type.
cloud.resource.providerType:AWS
cloud.resource.namecloud.resource.name
Use this token to filter domains by their registered domain name.
Example
Show API collections with this name.
cloud.resource.name:S3Bucket01
cloud.resource.providerTypecloud.resource.providerType
Use this token to filter cloud resources by cloud provider type (AWS, Azure, GCP, etc.).
Example
Show cloud resources associated with this provider type.
cloud.resource.providerType:AWS
compute.domainRolecompute.domainRole
Use values within quotes or backticks to help you find the assets with certain domain role (Standalone Workstation, Member Workstation, Standalone Server, Member Server, Backup Domain Controller, and Primary Domain Controller). Select from values in the drop-down menu.
Examples
Show any findings that contain parts of name
compute.domainRole:"Member Ser"
Show any findings that match exact value "Member Server"
compute.domainRole:`Member Server`
compute.domainRolecompute.domainRole
Use values within quotes or backticks to help you find the assets with certain domain role (Standalone Workstation, Member Workstation, Standalone Server, Member Server, Backup Domain Controller, and Primary Domain Controller). Select from values in the drop-down menu.
Examples
Show any findings that contain parts of name
compute.domainRole:"Member Ser"
Show any findings that match exact value "Member Server"
compute.domainRole:`Member Server`
compute.gpu.chipcompute.gpu.chip
Show results based on the specified GPU chip.
Note: The result you get after you enter the QQL search token depends on the tab on which you enter the QQL search token. The result will show the assets, software, potential web assets, open ports, and domains associated with the GPU assets.
Examples
Show the GPU assets with the specified substring or component of the GPU chip value.
compute.gpu.chip: "Eclipse"
Show the GPI assets based on the exact specified GPU chip value.
compute.gpu.chip: `Eclipse`
compute.gpu.isAIModelSupportedcompute.gpu.isAIModelSupported
Use this token to filter assets by whether the GPU supports AI/ML acceleration.
Example
Show assets where isAIModelSupported matches the specified value.
compute.gpu.isAIModelSupported:443
compute.gpu.manufacturercompute.gpu.manufacturer
Show results based on the specified GPU manufacturer.
Note: The result you get after you enter the QQL search token depends on the tab on which you enter the QQL search token. The result will show the assets, software, potential web assets, open ports, and domains associated with the GPU assets.
Examples
Show the GPU assets based on the specified substring or component of the GPU manufacturer value.
compute.gpu.manufacturer:."Matrox"
Show GPU assets based on the specified exact GPU manufacturer value.
compute.gpu.manufacturer: `Matrox`
compute.gpu.modelcompute.gpu.model
Show results based on the specified GPU model.
Note: The result you get after you enter the QQL search token depends on the tab on which you enter the QQL search token. The result will show the assets, software, potential web assets, open ports, and domains associated with the GPU assets.
Examples
Show GPU assets based on the substring or component of the specified GPU model value.
compute.gpu.model:."MGA"
Show GPU assets based on the specified exact GPU model value.
compute.gpu.model:.`MGA G200e`
compute.gpu.namecompute.gpu.name
Show results based on the specified GPU name.
Note: The result you get after you enter the QQL search token depends on the tab on which you enter the QQL search token. The result will show the assets, software, potential web assets, open ports, and domains associated with the GPU assets.
Examples
Show GPU assets based on the specified substring or component of the GPU name.
compute.gpu.name:."Matrox Electronics"
Show GPU assets based on the specified exact GPU name value.
compute.gpu.name: `Matrox Electronics Millennium G200 MGA G200e`
compute.gpu.tensorCorescompute.gpu.tensorCores
Show results based on the specified tensorCores value.
Note: The result you get after you enter the QQL search token depends on the tab on which you enter the QQL search token. The result will show the assets, software, potential web assets, open ports, and domains associated with the GPU assets.
Examples
Show GPU assets based on the specified substring or component of the tensorCores value.
compute.gpu.tensorCores:."12"
Show GPU assets based on the specified exact tensorCores value.
compute.gpu.tensorCores:.`123`
compute.isContainerHostcompute.isContainerHost
Use the values true | false to find assets hosting containers.
Example
Show assets that host containers
compute.isContainerHost: "true"
compute.isContainerHostcompute.isContainerHost
Use a date range or specific date to define when assets were last booted.
Examples
Show assets last booted within certain dates
compute.isContainerHost:[2019-01-01 .. 2019-01-15]
Show assets last booted starting 2019-01-15, ending 1 month ago
compute.isContainerHost:[2019-01-15.. now-1M]
Show assets last booted starting 2 weeks ago, ending 1 second ago
compute.isContainerHost:[now-2w .. now-1s]
Show assets last booted on a specific date
compute.isContainerHost:'2019-03-18'
compute.lastBootDatecompute.lastBootDate
Use a date range or specific date to define when assets were last booted.
Examples
Show assets last booted within certain dates
compute.lastBootDate:[2019-01-01 .. 2019-01-15]
Show assets last booted starting 2019-01-15, ending 1 month ago
compute.lastBootDate:[2019-01-15.. now-1M]
Show assets last booted starting 2 weeks ago, ending 1 second ago
compute.lastBootDate:[now-2w .. now-1s]
Show assets last booted on a specific date
compute.lastBootDate:'2019-03-18'
compute.lastLoggedOnUsercompute.lastLoggedOnUser
Use a text value ##### to help you find assets last logged into by a user of interest.
Examples
Show assets with last logon by user asmith
compute.lastLoggedOnUser:asmith
compute.service:(descriptioncompute.service:(description
Use values within quotes or backticks to find assets with a service description.
Examples
Show any findings that contain parts of description
compute.service:(description:"Certificate Propagation")
Show any findings that match exact value "Windows Event Log"
compute.service:(description:`Certificate Propagation`)
compute.service:(namecompute.service:(name
Use this token to filter assets by the service name running on the compute device.
Example
Show assets where name matches the specified value.
compute.service:(name:eth0)
compute.service:(statuscompute.service:(status
Use this token to filter assets by the current status of a service (for example, running or stopped).
Example
Show assets where status matches the specified value.
compute.service:(status:RUNNING)
compute.timezonecompute.timezone
Use a text value ##### in quotes to find assets with a certain timezone set.
Example
Show assets with this timezone
compute.timezone:"08:00"
compute.totalMemorycompute.totalMemory
Use an integer value ##### to find assets with a certain total system memory (MB).
Example
Show findings with total system memory greater than 900 MB
compute.totalMemory>900
Show findings with total system memory greater than or equal to 900 MB
compute.totalMemory>=900
Show findings with total system memory less than 300 MB
compute.totalMemory<300
Show findings with total system memory less than or equal to 300 MB
compute.totalMemory<=300
compute.vm.hostnamecompute.vm.hostname
Use this token to filter compute VMs by their hostname.
Example
Show assets where hostname matches the specified value
compute.vm.hostname: compute-node-01
Use this token to filter VMs by their unique VM identifier.
Example
Show assets where id matches the specified value.
compute.vm.id: i-a2dxxxxsxxxxxhdfax
compute.vm.imageIdcompute.vm.imageId
Use this token to filter VMs by their cloud image ID.
Example
Show assets where imageId matches the specified value
compute.vm.imageId: ubuntu_14_0405_64_20G_alibase_20170824.vhd
compute.vm.launchTimecompute.vm.launchTime
Use this token to filter VMs by their cloud launch time timestamp.
Example
Show assets where launchTime matches the specified value.
compute.vm.launchTime:[2017-06-15 .. 2017-06-30]
compute.vm.macAddresscompute.vm.macAddress
Use this token to filter VMs by the MAC address assigned to the VM.
Example
sample
compute.vm.macAddress:00:16:3E:XX:XX:9C
compute.vm.privateIpAddresscompute.vm.privateIpAddress
Use this token to filter VMs by their private IP address.
Example
Show assets where privateIpAddress matches the specified value
compute.vm.privateIpAddress:10.0.0.5
compute.vm.publicIpAddresscompute.vm.publicIpAddress
Use this token to filter VMs by their public IP address.
Example
Show assets where publicIpAddress matches the specified value
compute.vm.publicIpAddress:8.34.56.78
compute.vm.resourceGroupNamecompute.vm.resourceGroupName
Use this token to filter virtual machines by the resource group they belong to.
Example
sample
compute.vm.resourceGroupName:my-eastus-rg
compute.vm.statecompute.vm.state
Use this token to filter VMs by their current runtime state (running, stopped).
Example
Show assets where state matches the specified value.
compute.vm.state: RUNNING
compute.vm.subnetIdcompute.vm.subnetId
Use this token to filter virtual machines based on the subnet they are deployed in.
Example
Show assets where subnetId matches the specified value.
compute.vm.subnetId:10.0.1.15
compute.vm.typecompute.vm.type
Use this token to filter VMs by their instance type or family.
Example
Show assets where type matches the specified value.
compute.vm.type:Standard_D1
compute.vm.vpcIdcompute.vm.vpcId
Use this token to filter virtual machines by the VPC they are deployed in.
Example
sample
compute.vm.vpcId:vpc-0a1b2c3d4e5f67890
compute.volume:(freecompute.volume:(free
Use an integer value ##### to help you find assets with a certain free volume space (GB).
Examples
Show findings with free volume space greater than 90 GB
compute.volume:(free> 90)
Show findings with free volumespace greater than or equal to 90 GB
compute.volume:(free> = 90)
Show findings with free volumespace less than 30 GB
compute.volume:(free< 30)
Show findings with free volumespace less than or equal to 30 GB
compute.volume:(free<= 30)
compute.volume:(namecompute.volume:(name
Use an.integer value #####.to help you find assets with a certain volume name.
Example
Show findings with this volume name
compute.volume:(name:D)
compute.volume:(sizecompute.volume:(size
Use an integer value ##### to help you find assets with a certain volume size (GB).
Examples
Show findings with volume size greater than 90 GB
compute.volume:(size>90)
Show findings with volume size greater than or equal to 90 GB
compute.volume:(size>=90)
Show findings with volume size less than 30 GB
compute.volume:(size<30)
Show findings with volume size less than or equal to 30 GB
compute.volume:(size<=30)
container.instance.idcontainer.instance.id
Use this token to filter container by the unique identifier assigned to a container instance.
Example
Show container with the following instance ID
container.instance.id:container123
container.instance.image.namecontainer.instance.image.name
Use this token to filter container by the name of the container image used to create the instance.
Example
Show container with the following image name
container.instance.image.name:nginx
container.instance.image.tagcontainer.instance.image.tag
Use this token to filter containers by the tag associated with the container image.
Example
Show container with the following tag.
container.instance.image.tag:1.21.0
container.instance.image.registrycontainer.instance.image.registry
Use this token to filter container by the registry from which the container image was pulled.
Example
Show container with the following registry
container.instance.image.registry:docker.io
container.instance.image.digestcontainer.instance.image.digest
Use this token to filter container by the digest of the container image.
Example
Show container with the following digest value
container.instance.image.digest:sha256:abc123def456
container.instance.statecontainer.instance.state
Use this token to filter container by the runtime state of the container instance (for example, running or stopped).
Example
Show the container with the runtime state running.
container.instance.state:running
container.instance.networkNodecontainer.instance.networkNode
Use this token to filter containers by the node where the container instance is running.
Example
Show the container with the following network node
container.instance.networkNode:host-node-01
container.instance.environmentcontainer.instance.environment
Use this token to filter containers by environment variable values defined for the container instance.
Example
Show container with the following environment value.
container.instance.environment:production
container.instance.volume:(hostPathcontainer.instance.volume:(hostPath
Use this token to filter container by the system path of file on the host.
Example
Show container with the following file path
container.instance.volume:(hostPath:/var/lib/data)
container.instance.volume:(containerPathcontainer.instance.volume:(containerPath
Use this token to filter containers by the internal path exposed as a volume inside the container.
Example
Show container with the following container path
container.instance.volume:(containerPath:/app/data)
container.instance.portMapping:(hostPortcontainer.instance.portMapping:(hostPort
Use this token to filter container by the port exposed on the host.
Example
Show container with the following host port
container.instance.portMapping:(hostPort:8080)
container.instance.portMapping:(containerPortcontainer.instance.portMapping:(containerPort
Use this token to filter container by the port exposed inside the container.
Example
Show container with the following container port
container.instance.portMapping:(containerPort:80)
container.instance.portMapping:(protocolcontainer.instance.portMapping:(protocol
Use this token to filter container by the protocol (TCP/UDP) used by the port mapping.
Example
Show container with the following protocol
container.instance.portMapping:(protocol:TCP)
container.image.architecturecontainer.image.architecture
Use this token to filter container images by their CPU architecture.
Example
Show the container image that has the following architecture
container.image.architecture:`amd64`
container.image.createdDatecontainer.image.createdDate
Use this token to filter container images by the date the image was created.
Example
Show container image with the following image creation date
container.image.createdDate:2024-01-01
container.image.digestcontainer.image.digest
Use this token to filter container image by its digest value.
Example
Show container image with the following digest value
container.image.digest:`sha256:abc123def456`
container.image.layer:(commandcontainer.image.layer:(command
Use this token to filter the container image by the build command associated with the image layer.
Example
Show container image with the following build command
container.image.layer:(command:command:RUN apt-get update)
container.image.layer:(createdBycontainer.image.layer:(createdBy
Use this token to filter a container image by the command that produced an image layer during build.
Example
Show container image created by the following command
container.image.layer:(createdBy:docker build)
container.image.layer:(digestcontainer.image.layer:(digest
Use this token to filter a container image by its image layer digest.
Example
Show container image with the following image layer digest value
container.image.layer:(digest:sha256:abc123def456)
container.image.layer:(sizeInBytescontainer.image.layer:(sizeInBytes
Use this token to filter container image by the total size of the container image layer in bytes.
Example
Show container image with the following image layer size
container.image.layer:(sizeInBytes:204857600)
container.image.namecontainer.image.name
Use this token to filter container image by its name.
Example
Show container image with the following name.
container.image.name:`nginx`
container.image.registrycontainer.image.registry
Use this token to filter container image by the registry where the image is stored.
Example
Show container image with the following registry
container.image.registry:io
container.image.repositorycontainer.image.repository
Use this token to filter container image by the repository of the image.
Example
Show container image with the following image repository path
container.image.repository:library/nginx
container.image.sizeInBytescontainer.image.sizeInBytes
Use this token to filter container images by the total size of the container image in bytes.
Example
Show container image with the following image size
container.image.sizeInBytes:204857600
container.image.tag.namecontainer.image.tag.name
Use this token to filter a container image by its associated tag.
Example
Show container image with the following tag
container.image.tag.name:nginx
Use this token to filter the container by name
Example
sample
container.name:nginx-prod
Use this token to filter assets by the software component name.
Examples
Find the software components that include the following substring in the component name.
component.name: "index"
Find the software components for the following exact component name.
component.name:Apache
component.technologycomponent.technology
Use this token to filter assets by the software technology used by the component.
Example
sample
component.technology:Find the software components for the following exact technology
component.versioncomponent.version
Use this token to filter assets by the version of the software component.
Examples
Find the software components for the following exact version
component.version:`0.0.1`
Find the software components that include the following substring in the version
component.version:"0.0.1"
Use this token to filter domains by their registered domain name.
Example
Show API collections with this name.
domain.name:S3Bucket01
domain.subdomaindomain.subdomain
Use this token to filter domains by the subdomain portion (for example, api.example.com → api).
Example
Show domains containing the specified subdomain.
domain.subdomain:api
domain.documentTypedomain.documentType
Use this token to filter domains by the type of document or record where the domain was discovered.
Example
Show domains sourced from this document or discovery type.
domain.documentType:dns_record
domain.dns:(typedomain.dns:(type
Use this token to filter DNS records by DNS record type (A, AAAA, CNAME, TXT, MX, etc.).
Example
Show DNS records of the specified DNS type.
domain.dns:(type:A)
domain.dns:(sourcedomain.dns:(source
Use this token to filter DNS records based on the data collection source.
Example
Show DNS data found through the indicated discovery source.
domain.dns:(source:DNS_SCAN)
domain.dns:(updatedDatedomain.dns:(updatedDate
Use this token to filter DNS records by their last update timestamp.
Example
Show DNS records updated on this date.
domain.dns:(updatedDate:2024-09-10)
domain.dns:(valuedomain.dns:(value
Use this token to filter DNS entries by the record value.
Example
Show DNS entries whose value matches the specified string.
domain.dns:(value:192.168.1.10)
domain.whois:(createdDatedomain.whois:(createdDate
Use this token to filter domains by their WHOIS creation date.
Example
Show domains created on this WHOIS date.
domain.whois:(createdDate:2025-01-15
domain.whois:(expirationDatedomain.whois:(expirationDate
Use this token to filter domains by their WHOIS expiration date.
Example
Show domains that expire on the given date.
domain.whois:(expirationDate:2025-10-15)
domain.whois:(registrantCountrydomain.whois:(registrantCountry
Use this token to filter domains by the country of the registrant.
Example
Show domains registered in this country.
domain.whois:(registrantCountry:US
domain.whois:(registrantEmailIddomain.whois:(registrantEmailId
Use this token to filter domains by the registrant’s email address.
Example
Show domains registered using this email address.
domain.whois:(registrantEmailId:[email protected])
domain.whois:(registrantOrgdomain.whois:(registrantOrg
Use this token to filter domains by the registrant’s organization.
Example
Show domains registered under this organization.
domain.whois:(registrantOrg:Example Corp)
domain.whois:(registrardomain.whois:(registrar
Use this token to filter domains by the registrar responsible for managing the domain.
Example
Show domains managed by this registrar.
domain.whois:(registrar:GoDaddy.com, LLC)
Use this token to filter groups by their unique identifier.
Example
Show groups that match the specified unique group ID.
group.id:grp-1023
Use this token to filter groups by their internal system name.
Example
Show groups that have the specified internal name.
group.name:security-team
group.displayNamegroup.displayName
Use this token to filter groups by their readable or user-friendly display name.
Example
Show groups that match the given display name.
group.displayName:team
Use this token to filter groups by their classification type (for example, user group, admin group, or system group).
Example
Show groups that belong to the specified group type.
group.type:Admin Group
group.visibilitygroup.visibility
Use this token to filter groups based on their visibility setting (public, private, or restricted).
Example
Show groups based on their visibility level.
group.visibility:Private
group.descriptiongroup.description
Use this token to filter groups by the descriptive text associated with them.
Example
Show groups whose description contains the specified text.
group.description:Handles all security-related operations
Use this token to filter groups by the usernames of their assigned owners or administrators.
Example
Show groups owned by the specified user.
group.owners:jdoe
hardware.categoryhardware.category
Use this token to search assets by their main hardware category, such as Server, Workstation, or Network Device.
Examples
- Show all assets that include a part of the specified hardware category value
hardware.category: "Computer/Server" - Show all assets that match exactly match the specified hardware category value
hardware.category: `Computer/Server`
hardware.category1hardware.category1
Use this token to search assets by the first- or second-level hardware category classification.
Example
If you are searching for assets that are laser printers, then category1 is Printers and category2 is Laser.
Show any findings that match exact value
hardware.category1:Printers
hardware.category2hardware.category2
Use this token to search assets by the first- or second-level hardware category classification.
Example
If you are searching for assets that are laser printers, then category1 is Printers and category2 is Laser.
Show any findings that match exact value
hardware.category2:Laser
hardware.lifecycle.eoshardware.lifecycle.eos
Use this token to search assets by the hardware end-of-support (EOS) date defined by the vendor.
Examples
Show findings with hardware End-of-Sale date in this date range
hardware.lifecycle.eos:[2019-01-01 .. 2019-01-15]
Show findings with hardware End-of-Sale date starting 2019-01-15, ending 1 month ago
hardware.lifecycle.eos:[2019-01-15 .. now-1M]
Show findings with hardware End-of-Sale date starting 2 weeks ago, ending 1 second ago
hardware.lifecycle.eos:[now-2w .. now-1s]
Show findings with this hardware End-of-Sale date
hardware.lifecycle.eos:'2019-03-18'
hardware.lifecycle.gahardware.lifecycle.ga
Use this token to search assets by the general availability (GA) date when the product or OS version was released.
Examples
Show findings with hardware GA date in this date range
hardware.lifecycle.ga:[2019-01-01 .. 2019-01-15]
Show findings with hardware GA date starting 2019-01-15, ending 1 month ago
hardware.lifecycle.ga:[2019-01-15 .. now-1M]
Show findings with hardware GA date starting 2 weeks ago, ending 1 second ago
hardware.lifecycle.ga:[now-2w .. now-1s]
Show findings with this hardware GA date
hardware.lifecycle.ga:'2019-03-18'
hardware.lifecycle.introhardware.lifecycle.intro
Use this token to search assets by the hardware introduction date defined by the vendor.
Examples
Show findings with hardware introduction date in this date range
hardware.lifecycle.intro:[2019-01-01 .. 2019-01-15]
Show findings with hardware introduction date starting 2019-01-15, ending 1 month ago
hardware.lifecycle.intro:[2019-01-15 .. now-1M]
Show findings with hardware introduction date starting 2 weeks ago, ending 1 second ago
hardware.lifecycle.intro:[now-2w .. now-1s]
Show findings with this hardware introduction date
hardware.lifecycle.intro:'2019-03-18'
hardware.lifecycle.obshardware.lifecycle.obs
Use this token to search assets by the hardware obsolete (OBS) date defined by the vendor.
Examples
Show findings with hardware obsolete date in this date range
hardware.lifecycle.obs:[2019-01-01 .. 2019-01-15]
Show findings with hardware obsolete date starting 2019-01-15, ending 1 month ago
hardware.lifecycle.obs:[2019-01-15 .. now-1M]
Show findings with hardware obsolete date starting 2 weeks ago, ending 1 second ago
hardware.lifecycle.obs:[now-2w .. now-1s]
Show findings with this hardware obsolete date
hardware.lifecycle.obs:'2019-03-18'
hardware.lifecycle.obshardware.lifecycle.obs
Use this token to search assets by the hardware obsolete (OBS) date defined by the vendor.
Examples
Show findings with hardware obsolete date in this date range
hardware.lifecycle.obs:[2019-01-01 .. 2019-01-15]
Show findings with hardware obsolete date starting 2019-01-15, ending 1 month ago
hardware.lifecycle.obs:[2019-01-15 .. now-1M]
Show findings with hardware obsolete date starting 2 weeks ago, ending 1 second ago
hardware.lifecycle.obs:[now-2w .. now-1s]
Show findings with this hardware obsolete date
hardware.lifecycle.obs:'2019-03-18'
hardware.lifecycle.stagehardware.lifecycle.stage
Use this token to search assets by the current lifecycle stage, such as GA, Maintenance, EOS, or Obsolete. Select the token from the list.
Example
Show End-of-Sale hardware
hardware.lifecycle.stage:"EOS"
hardware.lifecycle.stagehardware.lifecycle.stage
Use this token to search assets by the current lifecycle stage, such as GA, Maintenance, EOS, or Obsolete. Select the token from the list.
Example
Show End-of-Sale hardware
hardware.lifecycle.stage:"EOS"
hardware.manufacturerhardware.manufacturer
Use this token to search assets by their hardware manufacturer, such as Dell, HP, or Cisco.
Example
Show any findings that match exact value "Dell"
hardware.manufacturer:`Dell`
hardware.manufacturerhardware.manufacturer
Use this token to search assets by their hardware manufacturer, such as Dell, HP, or Cisco.
Example
Show any findings that match exact value "Dell"
hardware.manufacturer:`Dell`
Use this token to search assets by their specific hardware model.
Example
Show any findings that match exact value "e7470"
hardware.model:`De7470`
Use this token to search assets by their specific hardware model.
Example
Show any findings that match exact value "e7470"
hardware.model:`De7470`
hardware.producthardware.product
Use this token to search assets by the hardware product line or family.
Example
Show any findings that match exact value "Latitude"
hardware.product:`Latitude`
hardware.producthardware.product
Use this token to search assets by the hardware product line or family.
Example
Show any findings that match exact value "Latitude"
hardware.product:`Latitude`
Use values within quotes or backticks to help you find the hardware name.
Examples
Show any findings that contain parts of name
hardware:"Dell Latitude e7470"
Show any findings that match exact value
hardware:`Dell Latitude e7470`
network.deviceTypenetwork.deviceType
Use this token to filter assets by the network device type (for example, router, switch, firewall).
Example
Show assets with the following device type
network.deviceType:Firewall
network.providernetwork.provider
Use this token to filter assets by the network or cloud service provider.
Example
Show assets with the following network provider
network.provider:AWS
network.serviceNamenetwork.serviceName
Use this token to filter assets by the name of the network service (for example, VPC networking).
Example
Show assets with the following service name
network.serviceName:VPC Networking
network.locationnetwork.location
Use this token to filter assets by the geographic network location.
Example
Show assets with the following network location
network.location:us-east-1
network.subnetIdnetwork.subnetId
Use this token to filter assets by the subnet ID associated with the network.
Example
Show assets with the following subnet ID
network.subnetId:subnet-12345
network.subnetNamenetwork.subnetName
Use this token to filter assets by the subnet name.
Example
Show assets with the following subnet name
network.subnetName:private-subnet-a
Use this token to filter assets by the virtual private cloud (VPC) identifier.
Example
Show assets with the following VPC ID
network.vpcId:vpc-67890
network.gatewayIdnetwork.gatewayId
Use this token to filter assets by the ID of the network gateway.
Example
Show assets with the following network gateway ID
network.gatewayId:igw-112233
network.gatewayNamenetwork.gatewayName
Use this token to filter assets by the name of the network gateway.
Example
Show assets with the following network gateway
network.gatewayName:internet-gateway
network.dnsServersnetwork.dnsServers
Use this token to filter assets by the DNS servers assigned to the network.
Example
Show assets with the following assigned DNS server
network.dnsServers:8.8.8.8
network.addressRangesnetwork.addressRanges
Use this token to filter assets by the CIDR-based address ranges configured for the network.
Example
Show assets with the following address range
network.addressRanges:10.0.0.0/24
network.isOpenToAllInternetnetwork.isOpenToAllInternet
Use this token to filter assets by whether the network is open to unrestricted internet access.
Example
Show assets with unrestricted internet access
network.isOpenToAllInternet:true
network.routeTableIdnetwork.routeTableId
Use this token to filter assets by the route table identifier.
Example
Show assets with the following route table ID
network.routeTableId:rtb-556677
network.interface:(idnetwork.interface:(id
Use this token to filter assets by the network interface ID.
Example
Show assets with the following network interface ID
network.interface:(id:eni-998877)
network.interface:(namenetwork.interface:(name
Use this token to filter assets by the name of a network interface.
Example
Show assets with the following network interface name
network.interface:(name:eth0)
network.interface:(macAddressnetwork.interface:(macAddress
Use this token to filter assets by the MAC address of a network interface.
Example
Show assets with the following network interface MAC address
network.interface:(macAddress:00:1A:2B:3C:4D:5E)
network.interface:(privateIpAddressnetwork.interface:(privateIpAddress
Use this token to filter assets by the private IPv4 address of a network interface.
Example
Show assets with the following private IPv4 address
network.interface:(privateIpAddress:10.0.0.15)
network.interface:(publicIpAddressnetwork.interface:(publicIpAddress
Use this token to filter assets by the public IPv4 address of a network interface.
Example
Show assets with the following public IPv4 address
network.interface:(publicIpAddress:54.12.34.56)
network.interface:(privateIpv6Addressnetwork.interface:(privateIpv6Address
Use this token to filter assets by the private IPv6 address of a network interface.
Example
Show assets with the following private IPv6 address
network.interface:(privateIpv6Address:fd00::1234)
network.interface:(publicIpv6Addressnetwork.interface:(publicIpv6Address
Use this token to filter assets by the public IPv6 address of a network interface.
Example
Show assets with the following public IPv6 address
network.interface:(publicIpv6Address:2001:db8::5678)
network.interface:(privateDnsNamenetwork.interface:(privateDnsName
Use this token to filter assets by the private DNS name of a network interface.
Example
Show assets with the following private DNS name
network.interface:(privateDnsName:ip-10-0-0-15.internal)
network.interface:(publicDnsNamenetwork.interface:(publicDnsName
Use this token to filter assets by the public DNS name of a network interface.
Example
Show assets with the following public DNS name
network.interface:(publicDnsName:ec2-54-12-34-56.compute.amazonaws.com)
software:(updatesoftware:(update
Use a text value ##### to define a software update version of interest.
Example
Show findings with this exact software update version
software:(update:16.0.1.2)
Show findings with software update version greater than 16.0.1.2
software:(update>16.0.1.2)
Show findings with software update version greater than or equal to 16.0.1.2
software:(update>=16.0.1.2)
Show findings with software update version less than 16.0.1.2
software:(update<16.0.1.2)
Show findings with software update version less than or equal to 16.0.1.2
software:(update<=16.0.1.2)
Show findings with software update version within this version range
software:(update:[16.0.1.2 .. 16.0.1.5])
repository.typerepository.type
Use this token to filter serverless functions by their type (for example, event-driven, scheduled, API-triggered).
Example
Show functions that match the specified serverless function type.
repository.type:event-driven
repository.ownerrepository.owner
Use this token to filter repositories by the user or team that owns them.
Example
Show repositories owned by this user or team.
repository.owner:dev-team
repository.visibilityrepository.visibility
Use this token to filter repositories by their visibility (public, private, or internal).
Example
Show repositories with the selected visibility level.
repository.visibility:private
repository.repoUrlrepository.repoUrl
Use this token to filter repositories by their source URL.
Example
Show repositories hosted at the specified URL.
repository.repoUrl:https://github.com/dev-team/myapp
repository.kindrepository.kind
Use this token to filter repositories by their category or purpose (for example, application code, configuration, or infrastructure).
Example
Show repositories belonging to this category.
repository.kind:application
Use this token to filter roles by their unique role identifier.
Example
Show roles that match the specified unique role ID.
role.id:role-204
Use this token to filter roles by their internal system name.
Example
Show roles that use the specified internal name.
role.name:security_admin
role.displayNamerole.displayName
Use this token to filter roles by their user-friendly display name.
Example
Show roles with the given display name.
role.displayName:Security Administrator
role.descriptionrole.description
Use this token to filter roles based on their descriptive text.
Example
Show roles whose description contains the specified phrase.
role.description:Manages security operations and configurations.
Use this token to filter roles by their type (for example, predefined role or custom role).
Example
Show roles that belong to the specified role type.
role.type:Custom
Use this token to filter roles by the scope they apply to (for example, global, subscription, or project-level).
Example
Show roles that apply to the specified scope level.
role.scope:Global
serverless.functionNameserverless.functionName
Use this token to filter serverless functions by their function name.
Example
Show serverless functions that match the given function name.
serverless.functionName:processData
serverless.runTimeserverless.runTime
Use this token to filter serverless functions by the runtime environment (for example, Python3.10, Node.js18, Java17).
Example
Show functions running on the specified runtime.
serverless.runTime:python3.10
serverless.handlerserverless.handler
Use this token to filter serverless functions by their configured handler entry point.
Example
Show functions that use this handler entry point.
serverless.handler:handler.main
serverless.memoryserverless.memory
Use this token to filter serverless functions by their allocated memory size.
Example
Show functions configured with this memory allocation.
serverless.memory:512
serverless.noOfCpuserverless.noOfCpu
Use this token to filter serverless functions by the amount of CPU resources assigned.
Example
Show functions assigned with the specified CPU amount.
serverless.noOfCpu:1
serverless.typeserverless.type
Use this token to filter serverless functions by their type (for example, event-driven, scheduled, API-triggered).
Example
Show functions that match the specified serverless function type.
serverless.type:event-driven
Use this token to filter assets by the type of storage (for example, block, file, or object storage).
Example
Show assets with the following storage type
storage.type:Block
storage.serviceNamestorage.serviceName
Use this token to filter assets by the storage service name, such as EBS, Azure Disk, or Google Persistent Disk.
Example
Show assets with the following service
storage.serviceName:EBS
storage.capacityGBstorage.capacityGB
Use this token to filter assets by the total capacity of the storage resource in gigabytes.
Example
Show assets with the following storage capacity
storage.capacityGB:500
storage.usedCapacityGBstorage.usedCapacityGB
Use this token to filter assets by the amount of used storage in gigabytes.
Example
Show assets that have used the following storage capacity
storage.usedCapacityGB:275
storage.encryption.enabledstorage.encryption.enabled
Use this token to filter assets by whether encryption is enabled for the storage.
Example
Show assets with storage encryption enabled
storage.encryption.enabled:true
storage.encryption.typestorage.encryption.type
Use this token to filter assets by the encryption type used, such as AES-256 or customer-managed keys.
Example
Show assets that has storage encrypted with the following encryption type
storage.encryption.type:AES-256
storage.encryption.keystorage.encryption.key
Use this token to filter assets by the encription key used to encrypt the storage.
Example
Show assets that has the following encryption key of the storage
storage.encryption.key:key-12345
storage.replicationstorage.replication
Use this token to filter assets by the replication setting, such as single-zone, multi-zone, or cross-region.
Example
Show assets with the following replication setting
storage.replication:Multi-Zone
Use this token to filter assets by the storage performance tier, such as standard, premium, or archive.
Example
Show assets with the following storage tier
storage.tier:Premium
storage.isSnapshotEnabledstorage.isSnapshotEnabled
Use this token to filter assets by whether snapshot capability is enabled for the storage.
Example
Show assets with snapshot capability enabled
storage.isSnapshotEnabled:true
storage.isBackupEnabledstorage.isBackupEnabled
Use this token to filter assets by whether backup protection for storage is enabled.
Example
Show assets backup protection is enabled
storage.isBackupEnabled:true
Use this token to filter users by their unique user identifier.
Example
Show user with the following ID
user.id:10293
Use this token to filter users by their login username.
Example
Show user with the following login username
user.username:jdoe
Use this token to filter users by their registered email address.
Example
Show user that has the following email ID
user.email:[email protected]
Use this token to filter users by their first name.
Example
Show users with the following first names
user.firstName:John
Use this token to filter users by their last name.
Example
Show users with the following last name
user.lastName:Doe
Use this token to filter users by their full display name.
Example
Show user with the following name
user.name:John Doe
Use this token to filter users by their registered phone number.
Example
Show user with the following phone number
user.phone:+1-555-1234
Use this token to filter users by their job title.
Example
Show users with the following job title
user.jobTitle:Security Analyst
user.isMfaActivateduser.isMfaActivated
Use this token to filter users based on whether multi-factor authentication (MFA) is activated.
Example
Show user with MFA activated.
user.isMfaActivated:true
user.lastSuccessfulLoginTimeuser.lastSuccessfulLoginTime
Use this token to filter users by the timestamp of their last successful login.
Example
Show the user with the following last successful login time
user.lastSuccessfulLoginTime:2024-11-15T10:30:00Z
user.passwordLastChangedTimeuser.passwordLastChangedTime
Use this token to filter users by when the user's password was last changed.
Example
Show users with the following last password change time
user.passwordLastChangedTime:2024-09-20T08:00:00Z
user.accountExpirationTimeuser.accountExpirationTime
Use this token to filter users by the date when the user account is scheduled to expire.
Example
Show users with the following account expiration time
user.accountExpirationTime:2025-12-31T23:59:59Z
user.failedPasswordAttemptCountuser.failedPasswordAttemptCount
Use this token to filter users by the number of failed password attempts.
Example
Show users who have the following failed count
user.failedPasswordAttemptCount:3
Use this token to filter users by their current account status (active, locked, disabled).
Example
Show users with an account status as active
user.status:Active
Use this token to filter users by their account type (standard user, admin, API user).
Example
Show users with the followng account type
user.type:Admin
user.currentAddress.cityuser.currentAddress.city
Use this token to filter users by the city in their current address.
Example
Show users with the following current city
user.currentAddress.city:New York
user.currentAddress.stateuser.currentAddress.state
Use this token to filter users by the state or region in their current address.
Example
Show users with the following current state
user.currentAddress.state:NY
user.currentAddress.countryuser.currentAddress.country
Use this token to filter users by the country in their current address.
Example
Show users with the following current country
user.currentAddress.country:US
Asset Tokens for ETM (CSAM) Asset Inventory
account.usernameaccount.username
Use atext value #####to help you find an account username.
Example
finding.riskAcceptance.startDateShow findings with username administrator
account.username: administrator
agent.firstScanDateagent.firstScanDate
Shows a list of assets based on their first scan date.
Examples
Show a list of assets scanned for the first time on or after 2022-10-04
agent.firstScanDate >= '2022-10-04'
Show a list of assets that are scanned for the first time before 2022-10-04
agent.firstScanDate<= '2022-10-04'
Show a list of assets that are scanned for the first time after 2022-10-04
agent.firstScanDate > '2022-10-04'
Show a list of assets that are scanned for the first time on 2022-10-04
>agent.firstScanDate '2022-10-04
agent.lastCheckedInDateagent.lastCheckedInDate
Use a date range or specific date to define when agents last checked in to the platform.
Examples
Show findings with last check in within a specific date range.
agent.lastCheckedInDate:[2024-01-01 .. 2020-01-10]
Show findings with last check in starting 2019-11-01, ending 1 month ago.
agent.lastCheckedInDate:[2024-11-01 .. now-1M]
Show findings with last check in starting 2 weeks ago, ending 1 second ago.
agent.lastCheckedInDate:[now-2w .. now-1s]
Show findings with last check in on a specific date
agent.lastCheckedInDate:'2024-02-11'
Show findings with last check in before (older than) last 30 days.
agent.lastCheckedInDate<now-30d
Note: In this case, we recommend not to use the NOT operator in your range search to form a query like NOT lastCheckedIn:[now-30d...now-2s]. See 'Say no to NO' section in the 'QQL Best Practices' topic in the Unified Dashboard online Help.
Show findings with last check in within last 30 days excluding day 30
agent.lastCheckedInDate>now-30d
Show findings with last check in within last 30 days including day 30
agent.lastCheckedInDate>=now-30d
Show findings with last check in which is older than last 30 days excluding day 30
agent.lastCheckedInDate<now-30d
Show findings with last check in which is older than last 30 days including day 30
agent.lastCheckedInDate<=now-30d
agent.lastScanDateagent.lastScanDate
.Shows a list of assets based on their last scan date.
Examples
.Show a list of assets scanned for the last time on or after 2022-10-04
agent.lastScanDate>= '2022-10-04'
.Show a list of assets that are scanned for the last time before 2022-10-04
agent.lastScanDate<= '2022-10-04'
Show a list of assets that are scanned for the last time after 2022-10-04
agent.lastScanDate> '2022-10-04')
Show a list of externally exposed assets that are scanned for the first time on 2022-10-04
agent.lastScanDate= '2022-10-04')
Use a text value ##### to help you find assets from a certain scan type. (API Based Scan, Azure VM Scan, Cloud Agent Deep Scan, Cloud Agent PC Scan, Cloud Agent SwCA Scan, Cloud Agent VM Scan, Cloud Perimeter Scan, EC2 VM Scan, GCP VM Scan, ML Authentication VM Scan, ML VM Scan, Snapshot Based Scan, Snapshot Based SwCA Scan, and Unknown Scan.)
Examples
Show Snapshot BasedScan findings
agent.scanType:Snapshot BasedScan
Show Cloud Agent PCScan findings
agent.scanType: Cloud Agent PCScan
Use an integer value to help you find certain Qualys asset IDs (UUIDs), assigned by an agent or a scanner appliance when Agentless Tracking is used .
Examples
- finding.riskAcceptance.startDateShow this asset ID:
asset.id: 2918869 - Show the asset IDs within this range:
asset.id: [3546997..12945655] - Show the 2 listed asset IDs :
asset.id: [3546997,12945655]
asset:(adDomain:asset:(adDomain:
Use Active Directory Domain name value within quotes or backticks to help you find the assets or findings.
Example
sample
asset:(adDomain:'qa.ispm.com')
asset.isIsolatedasset.isIsolated
Use the values TRUE | FALSE to find the isolated assets.
Examples
Show assets that are isolated.
asset.isIsolated: TRUE
Show assets that are not isolated.
asset.isIsolated: FALSE
asset.lastInventoryDateasset.lastInventoryDate
Use a date range or specific date to search assets with the last inventory date within that range.
Examples
Show assets with the last inventory date in this date range
asset.lastInventoryDate:[2025-01-01 ... 2019-01-23]
Show assets with last inventory date starting 2019-01-15, ending 1 month ago
asset.lastInventoryDate:[2025-01-15 ... now-1M]
Use a string value ##### to help you find the assets based on the LPAR ID.
Examples
Show assets that contain the parts of the LPAR ID6 LXAG-A72TL5-22
asset.lparID: "6 LXAG-A72TL"
Show assets that match the exact LPAR ID 6 LXAG-A72TL5-22
asset.lparID: `6 LXAG-A72TL`
Use a text value to find assets with the specified tag.
Example
Show all assets with the tag name Oracle-Tags
asset.tag.name: Oracle-Tags
Use an integer value (0-1000) to find assets based on a specific risk score.
Examples
- Show assets with TruRisk score 60
asset.truRisk: 60 - Show assets with TruRisk score 25
asset.trurisk: 25
Use value to filter web assets based on the IP, domain, subdomain, or URL used during Web Application creation.
Examples
Show the web application with the asset URL.
asset.url: https://172.31.28
Show the web application that matches exact with the asset URL.
asset.url: `https://172.31.28`
Show the web application that contain components the asset URL
asset.url: "https://10.100.200.60:12345/"
Show results based on the specified GPU chip.
Note: The result you get after you enter the QQL search token depends on the tab on which you enter the QQL search token. The result will show the assets, software, potential web assets, open ports, and domains associated with the GPU assets.
Examples
Show the GPU assets with the specified substring or component of the GPU chip value.
gpu.chip: "Eclipse"
Show the GPI assets based on the exact specified GPU chip value.
gpu.chip: `Eclipse`
gpu.manufacturergpu.manufacturer
Show results based on the specified GPU manufacturer.
Note: The result you get after you enter the QQL search token depends on the tab on which you enter the QQL search token. The result will show the assets, software, potential web assets, open ports, and domains associated with the GPU assets.
Examples
Show the GPU assets based on the specified substring or component of the GPU manufacturer value.
gpu.manufacturer:."Matrox"
Show GPU assets based on the specified exact GPU manufacturer value.
gpu.manufacturer: `Matrox`
Show results based on the specified GPU model.
Note: The result you get after you enter the QQL search token depends on the tab on which you enter the QQL search token. The result will show the assets, software, potential web assets, open ports, and domains associated with the GPU assets.
Examples
Show GPU assets based on the substring or component of the specified GPU model value.
gpu.model:."MGA"
Show GPU assets based on the specified exact GPU model value.
gpu.model:.`MGA G200e`
Show results based on the specified GPU name.
Note: The result you get after you enter the QQL search token depends on the tab on which you enter the QQL search token. The result will show the assets, software, potential web assets, open ports, and domains associated with the GPU assets.
Examples
Show GPU assets based on the specified substring or component of the GPU name.
gpu.name:."Matrox Electronics"
Show GPU assets based on the specified exact GPU name value.
gpu.name: `Matrox Electronics Millennium G200 MGA G200e`
gpu.tensorCoresgpu.tensorCores
Show results based on the specified tensorCores value.
Note: The result you get after you enter the QQL search token depends on the tab on which you enter the QQL search token. The result will show the assets, software, potential web assets, open ports, and domains associated with the GPU assets.
Examples
Show GPU assets based on the specified substring or component of the tensorCores value.
gpu.tensorCores:."12"
Show GPU assets based on the specified exact tensorCores value.
gpu.tensorCores:.`123`
inventory.sourceinventory.source
Use a text value ##### to find assets from the specified Qualys source. Select values from the drop-down.
Examples
- finding.riskAcceptance.startDateShow all assets from cloud agents
inventory.source: Cloud Agent - Show all assets from passive sensor
inventory.source: Passive Sensor
openPorts:(portopenPorts:(port
Use an integer value ##### to find assets with the specified open port.
Example
Show all assets with open port 80
openPorts:(port80)
Use an integer value ##### to help you find assets with a certain free volume space (GB).
Examples
Show findings with free volume space greater than 90 GB
volume.free> 90
Show findings with free volumespace greater than or equal to 90 GB
volume.free> = 90
Show findings with free volumespace less than 30 GB
volume.free< 30
Show findings with free volumespace less than or equal to 30 GB
volumes: free<= 30
Use an.integer value #####.to help you find assets with a certain volume name.
Example
Show findings with this volume name
volumes.name:D
Use an integer value ##### to help you find assets with a certain volume size (GB).
Examples
Show findings with volume size greater than 90 GB
volumes.size>90
Show findings with volume size greater than or equal to 90 GB
volumes.size>=90
Show findings with volume size less than 30 GB
volumes.size<30
Show findings with volume size less than or equal to 30 GB
volume.size<=30
The following asset tokens will list all the assets mentioned in the QQL.
Asset Inventory and Passive Sensor | AWS EC2 | Microsoft Azure | Google Cloud Platform | Oracle Cloud Infrastructure | IBM Cloud | Alibaba | Passive Sensor Only
Asset Inventory and Passive Sensor
account.username account.username
Use atext value #####to help you find an account username you are looking for.
Example
Show findings with username administrator
account.username: administrator
agent.activations.keyagent.activations.key
Use a text value ##### to define the agent activation key.
Example
Show assets with agents activated using this key
agent.activations.key: "057cc48a-8d84-48eb-add4-97a605d0567d"
agent.activations.statusagent.activations.status
Select the agent activation status (ACTIVE, INACTIVE, UNSUPPORTED) you're interested in. Select from names in the drop-down menu.
Example
Show assets with active agents
agent.activations.status: ACTIVE
agent.configurationProfileagent.configurationProfile
Use values within quotes or backticks to help you find the agent configuration profile you're looking for. Quotes can be used when the value has more than one word.
Examples
Show any findings related to profile name
agent.configurationProfile: Initial Profile
Show any findings that contain parts of the name
agent.configurationProfile: "Initial Profile"
Show any findings that match exact value
agent.configurationProfile: `Initial Profile`
agent.connectedFromagent.connectedFrom
Use a text value ##### to define the external IP address a cloud agent connected from.
Example
Show findings for an external IP address that an agent connected from
agent.connectedFrom: 10.0.100.11
agent.errorStatusagent.errorStatus
Use the values true | false to define agents with or without error status.
Example
Show agents with error status
agent.errorStatus: "true"
Use a text value ##### to help you find systems with a Qualys agent ID of interest.
Example
Show findings with this agent ID
agent.id:"0fc8e682-e9cc-4e7d-b92a-0c905d81ec74"
agent.isPassiveSensoragent.isPassiveSensor
Select the value to view assets for which the cloud agent acts as a passive sensor. The supported values are true and false.
Select true to view assets for which the cloud agent acts as a passive sensor.
Examples
Show findings to view assets for which the cloud agent acts as a passive sensor.
agent.isPassiveSensor:true
Show findings to view assets for which the cloud agent doesn't act as a passive sensor.
agent.isPassiveSensor:false
agent.lastActivityDateagent.lastActivityDate
Use a date range or specific date to define when last agent activity occurred.
Examples
Show last agent activity within certain dates
agent.lastActivityDate:[2019-01-01 .. 2019-01-15]
Show last agent activity starting 2019-01-15, ending 1 month ago
agent.lastActivityDate: [2019-01-15 .. now-1M]
Show last agent activity starting 2 weeks ago, ending 1 second ago
agent.lastActivityDate:[now-2w .. now-1s]
Show last agent activity on a specific date
agent.lastActivityDate:'2019-03-18'
Show last agent activity within last 30 days excluding day 30.
agent.lastActivityDate>now-30dstrong>
Note: We recommend not to use the NOT operator in your range search to form query like NOT agent.lastActivityDate:[now-30d..now-2s]. See "QQL Best Practices" topic in the Unified Dashboard Online Help.
Show last agent activity within last 30 days including day 30.
agent.lastActivityDate>=now-30d
Show last agent activity which is older than last 30 days excluding day 30.
agent.lastActivityDate<now-30d
Show last agent activity which is older than last 30 days including day 30.
agent.lastActivityDate<=now-30d
agent.lastInventoryDateagent.lastInventoryDate
Use a date range or specific date to define when last inventory scan was performed.
Examples
Show last inventory scan within certain dates
agent.lastInventoryDate:[2019-01-01 .. 2019-01-15]
Show last inventory scan starting 2019-01-15, ending 1 month ago
agent.lastInventoryDate:[2019-01-15 .. now-1M]
Show last inventory scan starting 2 weeks ago, ending 1 second ago
agent.lastInventoryDate:[now-2w .. now-1s]
Show last inventory scan on a specific date
agent.lastInventoryDate:'2019-03-18'
Show last inventory scan within last 30 days excluding day 30.
agent.lastInventoryDate>now-30d
Note: We recommend not to use the NOT operator in your range search to form query like NOT agent.lastInventoryDate:[now-30d..now-2s]. See "QQL Best Practices" topic in the Unified Dashboard Online Help.
Show last inventory scan within last 30 days including day 30.
agent.lastInventoryDate>=now-30d
Show last inventory scan which is older than last 30 days excluding day 30.
agent.lastInventoryDate<now-30d
Show last inventory scan which is older than last 30 days including day 30.
agent.lastInventoryDate<=now-30d
Use a text value ##### to find assets on Windows or Linux platforms.
Example
Show assets on windows platform
agent.platform: Windows
agent.qualysCorrelationIdagent.qualysCorrelationId
Use a text value ##### to find assets with Qualys Correlation ID.
Examples
Show assets with this correlation ID
agent.qualysCorrelationId: 0f1b031712682e27cca306e4a2a9e3144696ac099b08fcdf76ccb6f3647ec058
Show assets without any correlation ID
agent.qualysCorrelationId: UNIDENTIFIED
Show all assets with correlation ID
agent.qualysCorrelationId: *
Select the agent status (ACTIVE or INACTIVE) you're interested in.
Example
Show assets with active agents
agent.status: ACTIVE
agent.swCAIdealCandidateagent.swCAIdealCandidate
Use the value to find assets on which at least one of the software components from Ruby, Node.js, Go, Rust, PHP, Python, Java Platform, Standard Edition (Java SE) is identified. The supported values are ‘true’ and ‘false’.
Example
Show assets on which at least one of the software components is identified
agent.swCAIdealCandidate:true
Use a text value ##### to help you find agents with certain version number.
Example
Show agents of this version
asset.version:1.3.2.0
Use values within quotes or backticks to find the assets with the specific ASN value you are looking for.
Examples
Show assets that match the exact value of ASN
asset.asn: `AS8075`
Show assets that are with the parts of the ASN
asset.asn: "AS807"
asset.assignedLocation.cityasset.assignedLocation.city
Use this token to search assets by the city value associated with the asset record in Unified Asset Inventory.
Example
Show assets with assigned location city as Miami
asset.assignedLocation.city:Miami
asset.assignedLocation.countryasset.assignedLocation.country
Use this token to search assets by the country value associated with the asset record in Unified Asset Inventory.
Example
Find assets assigned to a specific country.
asset.assignedLocation.country:"US"
asset.assignedLocation.nameasset.assignedLocation.name
Use this token to search assets by the name value associated with the asset record in Unified Asset Inventory.
Example
Find assets assigned to a specific location name.
asset.assignedLocation.name:"WEB-SRV-01"
asset.assignedLocation.stateasset.assignedLocation.state
Use this token to search assets by the state value associated with the asset record in Unified Asset Inventory.
Example
Find assets assigned to a specific state.
asset.assignedLocation.state:"CA"
Use an integer value ##### to help you find assets with some number of CPUs.
Example
Show assets that have 2 CPUs
asset.cpuCount:2
asset.createdDateasset.createdDate
Use a date range or specific date to define when assets were created.
Note: The same token is used to find the certificates for the specified asset creation date, but the token syntax is different. See all token examples.
Examples
Show assets created within certain dates
asset.createdDate:[2019-01-01 .. 2019-01-15]
Show assets created starting 2019-01-15, ending 1 month ago
asset.createdDate:[2019-01-15 .. now-1M]
Show assets created starting 2 weeks ago, ending 1 second ago
asset.createdDate:[now-2w .. now-1s]
Show assets created on a specific date
asset.createdDate:'2019-03-18'
Show assets created within last 30 days excluding day 30.
asset.createdDate>now-30d
Note: We recommend not to use the NOT operator in your range search to form query like NOT asset.createdDate:now-30d..now-2s. See "QQL Best Practices" topic in the Unified Dashboard Online Help.
Show assets created within last 30 days including day 30.
asset.createdDate>=now-30d
Show assets created older than last 30 days excluding day 30.
asset.createdDate<now-30d
Show last inventoryassets created older than last 30 days including day 30.
asset.createdDate<=now-30d
Find the certificates for the specified asset creation date
Examples for Certificate Token
Show assets created within certain dates
asset.createdDate: [2023-01-01 .. 2024-01-15]
Show assets created starting 2019-01-15, ending 1 month ago
asset.createdDate: [2019-01-15.. now-1M]
Show assets created starting 2 weeks ago, ending 1 second ago
asset.createdDate:[now-2w .. now-1s]
Show assets created on a specific date
asset.createdDate: `2024-01-18`
Use values within quotes or backticks to help you find the assets with their domain.
Note: The same token is used to find the certificates for assets with the specified domain, but the token syntax is different. See all token examples.
Examples
Show assets that match the exact value of the domain
asset.domain: `qualys.com`
Show assets that contain parts of the domain
asset.domain: "qualys."
Find the certificates for assets with the specified domain
Examples for Certificate Token
Show certificates for assets that match the exact value of the domain
asset.domain: `qualys.com`
Show certificates for assets that contain parts of the domain
asset.domain: "qualys."
asset.domainRoleasset.domainRole
Use values within quotes or backticks to help you find the assets with certain domain role (Standalone Workstation, Member Workstation, Standalone Server, Member Server, Backup Domain Controller, and Primary Domain Controller). Select from values in the drop-down menu.
Examples
Show any findings that contain parts of name
asset.domainRole:"Member Ser"
Show any findings that match exact value "Member Server"
asset.domainRole:`Member Server`
asset.environmentasset.environment
Use a text value ##### to find assets based on environment.
Example
Show assets with environment as Production
asset.environment: Production
asset.hasMissingSoftwareasset.hasMissingSoftware
Use the values true | false to find assets missing software.
Example
Show asset that has a missing software
asset.hasMissingSoftware: "true"
Use an integer value ##### to help you find the asset with a certain Qualys host ID (UUID), assigned by an agent or a scanner appliance when Agentless Tracking is used.
Example
Show assets having this host ID
asset.hostID:43954857
asset.hostingCategory1asset.hostingCategory1
Use a value to filter your assets based on the hosting category. The supported values are CDN, Cloud, OnPrem, and ThirdParty.
Example
Show findings with hosting catagory CDN
asset.hostingCategory1:"CDN"
asset.inventory.lastUpdatedDateasset.inventory.lastUpdatedDate
Use a date range or specific date to define when assets were updated (i.e. when re-scanned by a scanner appliance, or when host data uploaded to the cloud platform by an agent).
Examples
Show assets updated within certain dates
asset.inventory.lastUpdatedDate: [2019-01-01 .. 2019-01-15]
Show assets updated starting 2019-01-15, ending 3 months ago
asset.inventory.lastUpdatedDate: [2019-01-15 .. now-3M]
Show assets updated starting 2 weeks ago, ending 1 second ago
asset.inventory.lastUpdatedDate: [now-2w .. now-1s]
Show assets updated on a specific date
asset.inventory.lastUpdatedDate:'2019-03-18'
Show assets updated within last 30 days excluding day 30.
asset.inventory.lastUpdatedDate>now-30d)
Note: We recommend not to use the NOT operator in your range search to form query like NOT asset.inventory.lastUpdatedDate:[now-30d..now-2s]. See "QQL Best Practices" topic in the Unified Dashboard Online Help.
Show assets updated within last 30 days including day 30.
asset.inventory.lastUpdatedDate>=now-30d)
Show assets updated which is older than last 30 days excluding day 30.
asset.inventory.lastUpdatedDate<now-30d)
Show assets updated which is older than last 30 days including day 30.
asset.inventory.lastUpdatedDate<=now-30d)
asset.isContainerHostasset.isContainerHost
Use the values true | false to find assets hosting containers.
Example
Show assets that host containers
asset.isContainerHost: "true"
Use values within quotes or backticks to help you find the assets associated with the Internet Service Provider (ISP) name you are looking for.
Note: The same token is used to find the certificates for assets with the specified ISP, but the token syntax is different. See all token examples.
Examples
Show assets that match the exact ISP name
asset.isp: `amazon.com, Inc.`
Show assets that are with the parts of the ISP name
asset.isp: "amazon.com,"
Find the certificates for assets with the specified ISP
Examples for Certificate Token
Show certificates that match the exact ISP name
asset.isp: `amazon.com, Inc.`
Show certificates that are with the parts of the ISP name
asset.isp: "amazon.com,"
asset.lastBootDateasset.lastBootDate
Use a date range or specific date to define when assets were last booted.
Examples
Show assets last booted within certain dates
asset.lastBootDate:[2019-01-01 .. 2019-01-15]
Show assets last booted starting 2019-01-15, ending 1 month ago
asset.lastBootDate:[2019-01-15.. now-1M]
Show assets last booted starting 2 weeks ago, ending 1 second ago
asset.lastBootDate:[now-2w .. now-1s]
Show assets last booted on a specific date
asset.lastBootDate:'2019-03-18'
asset.lastLocation.cityasset.lastLocation.city
Use a text value ##### to find assets with city of the last location.
Example
Show assets with assigned location city as Miami
asset.lastLocation.city: Miami
asset.lastLocation.continentasset.lastLocation.continent
Use a text value ##### to find assets based on continent of the last location.
Example
Show assets with last location continent as North America
asset.lastLocation.continent: North America
asset.lastLocation.countryasset.lastLocation.country
Use a text value ##### to find assets based on country of the last location.
Example
Show assets with last location country as United States
asset.lastLocation.country: United States
asset.lastLocation.nameasset.lastLocation.name
Use a text value ##### to find assets based on last location.
Example
Show assets with last location as Redwood City, California - United States
asset.lastLocation.name: 'Redwood City, California - United States'
Example
Show assets with last location with exact string
asset.lastLocation.name: `Redwood City, California - United States`
asset.lastLocation.postalasset.lastLocation.postal
Use an integer value ##### to find the assets based on postal of the last location.
Example
Show assets with last location postal as 94065
asset.lastLocation.postal: 94065
asset.lastLocation.stateasset.lastLocation.state
Use a text value ##### to find assets based on state of the last location.
Example
Show assets with last location state as California
asset.lastLocation.state: California
asset.lastLoggedOnUserasset.lastLoggedOnUser
Use a text value ##### to help you find assets last logged into by a user of interest.
Examples
Show assets with last logon by user asmith
asset.lastLoggedOnUser:asmith
asset.lastUpdatedDateasset.lastUpdatedDate
Use a date range or specific date to find when assets were last updated.
Note: The same token is used to find the certificates for the specified asset last updated date, but the token syntax is different. See all token examples.
Examples
Show assets last updated within certain dates
asset.lastUpdatedDate:[2019-01-01 .. 2019-01-15]
Show assets last updated starting 2019-01-15, ending 1 month ago
asset.lastUpdatedDate:[2019-01-15.. now-1M]
Show assets last updated starting 2 hours ago, ending 1 second ago
asset.lastUpdatedDate:[now-2h .. now-1s]
Show assets last updated starting 4 hours ago, ending 1 hour ago
asset.lastUpdatedDate:[now-4h .. now-1h]
Show assets last updated starting 2 weeks ago, ending 1 second ago
asset.lastUpdatedDate:[now-2w .. now-1s]
Show assets last updated on a specific date
asset.lastUpdatedDate:'2019-03-18'
Show assets updated within last 30 days excluding day 30.
asset.lastUpdatedDate>now-30d
Note: We recommend not to use the NOT operator in your range search to form query like NOT asset.lastUpdatedDate:[now-30d..now-2s]. See "QQL Best Practices" topic in the Unified Dashboard Online Help.
Show assets updated within last 30 days including day 30.
asset.lastUpdatedDate:>=now-30d
Show assets updated older than last 30 days excluding day 30.
asset.lastUpdatedDate:<now-30d
Show assets updated older than last 30 days including day 30.
asset.lastUpdatedDate:<=now-30d
Find the certificates for the specified asset creation date
Examples for Certificate Token
Show certificates for assets last updated within certain dates
asset.lastUpdatedDate: [2019-01-01 .. 2019-01-15]
Show certificates for assets last updated starting 2019-01-15, ending 1 month ago
asset.lastUpdatedDate: [2019-01-15.. now-1M]
Show certificates for assets last updated starting 2 weeks ago, ending 1 second ago
asset.lastUpdatedDate: [now-2w .. now-1s]
Show certificates for assets last updated on a specific date
asset.lastUpdatedDate: `2024-01-18`
asset.managedBy.usernameasset.managedBy.username
Use values within quotes or backticks to find assets managed by the specific user.
Examples
Show any findings that contain parts of name
asset.managedBy.username:"Byron"
Show any findings that match exact value "Byron Fortuna"
asset.managedBy.username:`Byron Fortuna`
asset.middlewareManifestVersionasset.middlewareManifestVersion
Use the manifest version to find host assets, where middleware scan is performed using the specific manifest version.
Example
Show host assets, where middleware scan is performed with the specified manifest version
asset.middlewareManifestVersion: "VULNSIGS-2.5.526.2-1-MiddlewarePC-LINUX"
asset.netbiosNameasset.netbiosName
Use a text value ##### to find the asset NetBIOS name you are interested in.
Examples
Show the asset with this name
asset.netbiosName:ACMENVT7
asset.operationalStatusasset.operationalStatus
Use a text value ##### to find assets based on operational status.
Example
Show assets with operational status as Repair
asset.operationalStatus: Repair
asset.org.companyasset.org.company
Use a text value ##### to find assets associated with specific company.
Example
Show assets with company as Qualys
asset.org.company: Qualys
asset.org.departmentasset.org.department
Use a text value ##### to help you find assets associayed with specific department.
Example
Show assets with department as Development
asset.org.department: Development
Use values within quotes or backticks to find the assets associated with the specific organization.
Note: The same token is used to find the certificates for assets with the specified org name, but the token syntax is different. See all token examples.
Examples
Show assets details that match the exact value of the organization name
asset.org.name: `Qualys, Inc.`
Show assets details that contain parts of the organization name
asset.org.name: "Qualys,"
Find tcertificates for assets with the specified org name
Examples for Certificate Token
Show assets details that match the exact value of the organization name
asset.org.name: `Qualys, Inc.`
Show assets details that contain parts of the organization name
asset.org.name: "Qualys,"
asset.ownedBy.usernameasset.ownedBy.username
Use values within quotes or backticks to find assets owned by the specific user.
Examples
Show any findings that contain parts of name
asset.ownedBy.username:"Joey"
Show any findings that match exact value "Joey Bolick"
asset.ownedBy.username:`Joey Bolick`
asset.pcManifestVersionasset.pcManifestVersion
Use the manifest version to find host assets, where PC scan is performed using the specific manifest version.
Example
Show host assets, where PC scan is performed with the specified manifest version.
asset.pcManifestVersion: "VULNSIGS-PC-2.6.40-5"
asset.scaManifestVersionasset.scaManifestVersion
Use the manifest version to find host assets, where SCA scan is performed using the specific manifest version.
Example
Show host assets, where SCA scan is performed with the specified manifest version
asset.scaManifestVersion: "VULNSIGS-SCA-0.35.0.0-3"
asset.subdomainasset.subdomain
Use values within quotes or backticks to help you find assets using their subdomains.
Note: The same token is used to find the certificates for assets with the specified subdomain, but the token syntax is different. See all token examples.
Examples
Show assets that match the exact value of the subdomains
asset.subdomain: `doc.qualys.com`
Show assets that contain the parts of the subdomains
asset.subdomain: "doc.qualys."
Find certificates that match the exact value of the subdomains
asset.subdomain: `doc.qualys.com`
Find certificates that contain the parts of the subdomains
asset.subdomain: "doc.qualys."
asset.supportedBy.usernameasset.supportedBy.username
Use values within quotes or backticks to help you find assets supported by the specific user.
Examples
Show any findings that contain parts of name
asset.supportedBy.username:"John"
Show any findings that match exact value "John Doe"
asset.supportedBy.username:`John Doe`
asset.supportGroupasset.supportGroup
Use values within quotes or backticks to find assets with the specific support group.
Note: The same token is used to find the certificates for assets with the specified support group, but the token syntax is different. See all token examples.
Examples
Show any findings that contain parts of name
asset.supportGroup:"Compliance"
Show any findings that match exact value "Compliance Managers"
asset.supportGroup:`Compliance Managers`
Find the certificates for assets with the specified support group.
Examples for Certificate Token
Show any findings that contain parts of name
asset.supportGroup:"Compliance"
Show any findings that match exact value "Compliance Managers"
asset.supportGroup:`Compliance Managers`
Use a text value ##### in quotes to find assets with a certain timezone set.
Example
Show assets with this timezone
asset.timezone:"-08:00"
asset.totalMemoryasset.totalMemory
Use an integer value ##### to find assets with a certain total system memory (MB).
Example
Show findings with total system memory greater than 900 MB
asset.totalMemory>900
Show findings with total system memory greater than or equal to 900 MB
asset.totalMemory>=900
Show findings with total system memory less than 300 MB
asset.totalMemory<300
Show findings with total system memory less than or equal to 300 MB
asset.totalMemory<=300
asset.trackingMethodasset.trackingMethod
Find assets with certain tracking method (ACTIVE_DIRECTORY, BMC_HELIX, DNSNAME, EASM, GCP_INSTANCE_ID, ICS_OCA, INSTANCE_ID, IP, NETBIOS, NONE, OCA, ORACLE, PASSIVE_SENSOR, QAGENT, SEM, SERVICE_NOW, THIRD_PARTY, VIRTUAL_MACHINE_ID, and WEBHOOK). Select from values in the drop-down menu.
Example
Find assets with this tracking method
asset.trackingMethod: QAGENT
Find assets of a certain type (SCANNER and HOST). Select from the asset types in the drop-down menu.
Example
Find assets of type host
asset.type: `HOST`
asset.udcManifestVersionasset.udcManifestVersion
Use the manifest version to find host assets, where UDC scan is performed using the specific manifest version.
Example
Show host assets, where UDC scan is performed with the specified manifest version
asset.udcManifestVersion: "UDCVULNSIGS-1797"
asset.vmManifestVersionasset.vmManifestVersion
Use the manifest version to find host assets, where VM scan is performed using the specific manifest version.
Example
Show host assets, where VM scan is performed with the specified manifest version
asset.vmManifestVersion: "VULNSIGS-VM-2.6.30.3-4"
Use a string value ##### to specify the agent uuid to find assets detected by the cap leader with the specified agent uuid.
Example
Show assets detected by the following agent uuid.
caps.leader:ac49f3eb-e1ab-4947-9dc3-4bd2c3eea114
Show assets detected by the following agent uuid.
caps.leader:"ac49f3eb-e1ab-4947-9dc3-4bd2c3eea114"
Show assets detected by the following agent uuid.
caps.leader:`ac49f3eb-e1ab-4947-9dc3-4bd2c3eea114'
Provide the value to filter assets based on tag name
through EASM.
Example
Find assets with "cloud" tag
easm.tag.name: cloud
qualys.passiveSensor.idqualys.passiveSensor.id
Use an integer value ##### to help you find assets sensed by a certain sensor ID.
Example
Show this sensor ID
qualys.passiveSensor.id:"003687557369:1654660042:3809075:704:1654660042:3809075:704"
qualys.passiveSensor.locationqualys.passiveSensor.location
Use a text value ##### to help you find assets based on specific sensor location.
Examples
Show assets with sensor location (appliance location label) as SanJose1
qualys.passiveSensor.location:"SanJose1"
qualys.passiveSensor.namequalys.passiveSensor.name
Use a text value ##### to help you find assets based on specific sensor name.
Examples
Show assets with sensor name as ITCorp-appliance
qualys.passiveSensor.name:"ITCorp-appliance"
sensor.activatedForModulessensor.activatedForModules
Select the name ##### of an activated module you're interested in. Select CERT, EDR, FIM, OCA, PC, PM, SCA, SwCA, VM, WAF, WAS, or XDR from the drop-down menu.
Examples
Show sensors activated for VM
sensor.activatedForModules: "VM"
Show sensors activated for VM and PC
sensor.activatedForModules: "VM" AND sensor.activatedForModules: "PC"
sensor.firstEasmScanDatesensor.firstEasmScanDate
Shows a list of externally exposed assets based on their first scan date.
Examples
Show a list of externally exposed assets scanned for the first time on or after 2022-10-04
sensor.firstEasmScanDate >= '2022-10-04'
Show a list of externally exposed assets that are scanned for the first time before 2022-10-04
sensor.firstEasmScanDate <= '2022-10-04'
Show a list of externally exposed assets that are scanned for the first time after 2022-10-04
sensor.firstEasmScanDate > '2022-10-04'
Show a list of externally exposed assets that are scanned for the first time on 2022-10-04
sensor.firstEasmVmScanDatesensor.firstEasmVmScanDate
Use a date range or specific date to find instances based on the first EASM VM scan date.
Examples
Show instances based on the first EASM VMscan date within certain dates
sensor.firstEasmVmScanDate:[2024-01-01 .. 2024-01-15]
Show instances based on the first EASM VMscan date starting 2024-01-15, ending 1 month ago
sensor.firstEasmVmScanDate:[2024-01-15.. now-1M]
Show instances based on the first EASM VMscan date on a specific date
sensor.firstEasmVmScanDate:`2024-03-18`
Show instances basedon the first EASM VMscan date within last 30 days excluding day 30.
sensor.firstEasmVmScanDate>now-30d
Note: We recommend not to use the NOT operator in your range search to form query like NOT sensor.firstEasmVmScanDate:[now-30d..now-2s]. See "QQL Best Practices" topic in the Unified Dashboard Online Help.
Show instances based on the first EASM VMscan date within last 30 days including day 30.
sensor.firstEasmVmScanDate>=now-30d
Show instances based on the first EASM VMscan date which are older than last 30 days excluding day 30.
sensor.firstEasmVmScanDate<now-30d
Show instances basedon the first EASM VMscan date which are older than last 30 days including day 30.
sensor.firstEasmVmScanDate<=now-30d
sensor.lastComplianceScanDatesensor.lastComplianceScanDate
Use a date range or specific date to define when last compliance scan was performed.
Examples
Show last compliance scan within certain dates
sensor.lastComplianceScanDate:[2019-01-01 .. 2019-01-15]
Show last compliance scan starting 2019-01-15, ending 1 month ago
sensor.lastComplianceScanDate:[2019-01-15 .. now-1M]
Show last compliance scan starting 2 weeks ago, ending 1 second ago
sensor.lastComplianceScanDate:[now-2w .. now-1s]
Show last compliance scan on a specific date
sensor.lastComplianceScanDate:'2019-03-18'
Show last compliance scan within last 30 days excluding day 30.
sensor.lastComplianceScanDate>now-30d
Note: We recommend not to use the NOT operator in your range search to form query like NOT sensor.lastComplianceScanDate:[now-30d..now-2s]. See "QQL Best Practices" topic in the Unified Dashboard Online Help.
Show last compliance scan within last 30 days including day 30.
sensor.lastComplianceScanDate>=now-30d
Show last compliance scan which is older than last 30 days excluding day 30.
sensor.lastComplianceScanDate<now-30d
Show last compliance scan which is older than last 30 days including day 30.
sensor.lastComplianceScanDate<=now-30d
sensor.lastEasmScanDatesensor.lastEasmScanDate
Shows a list of externally exposed assets based on their latest scan date.
Examples
Show a list of externally exposed assets from the latest scan on or after 2022-10-04
sensor.lastEasmScanDate >= '2022-10-04'
Show a list of externally exposed assets from the latest scan before 2022-10-04
sensor.lastEasmScanDate <= '2022-10-04'
Show a list of externally exposed assets from the latest scan after 2022-10-04
sensor.lastEasmScanDate > '2022-10-04'
sensor.lastEasmVmScanDatesensor.lastEasmVmScanDate
Use a date range or specific date to find instances based on the last EASM VM scan date.
Examples
Show instances based on the last EASM VM scan date within certain dates
sensor.lastEasmVmScanDate:[2024-01-01 .. 2024-01-15]
Show instances based on the last EASM VM scan date starting 2024-01-15, ending 1 month ago
sensor.lastEasmVmScanDate:[2024-01-15.. now-1M]
Show instances based on the last EASM VM scan date on a specific date
sensor.lastEasmVmScanDate:`2024-03-18`
Show instances based on the last EASM VM scan date within last 30 days excluding day 30.
sensor.lastEasmVmScanDate>now-30d
Note: We recommend not to use the NOT operator in your range search to form query like NOT sensor.lastEasmVmScanDate:[now-30d..now-2s]. See "QQL Best Practices" topic in the Unified Dashboard Online Help.
Showinstances based on the last EASM VM scan date within last 30 days including day 30.
sensor.lastEasmVmScanDate>=now-30d
Show instances based on the last EASM VM scan date which are older than last 30 days excluding day 30.
sensor.lastEasmVmScanDate<now-30d
Show instances based on the last EASM VM scan date which are older than last 30 days including day 30.
sensor.lastEasmVmScanDate<=now-30d
sensor.lastFullScanDatesensor.lastFullScanDate
Use a date range or specific date to define when last full scan was performed.
Examples
Show last full scan within certain dates
sensor.lastFullScanDate:[2019-01-01 .. 2019-01-15]
Show last full scan starting 2019-01-15, ending 1 month ago
sensor.lastFullScanDate:[2019-01-15 .. now-1M]
Show last full scan starting 2 weeks ago, ending 1 second ago
sensor.lastFullScanDate:[now-2w .. now-1s]
Show last full scan on a specific date
sensor.lastFullScanDate:'2019-03-18'
Show last full scan within last 30 days excluding day 30.
sensor.lastFullScanDate>now-30d>
Note: We recommend not to use the NOT operator in your range search to form query like NOT sensor.lastFullScanDate:[now-30d..now-2s]. See "QQL Best Practices" topic in the Unified Dashboard Online Help.
Show last full scan within last 30 days including day 30.
sensor.lastFullScanDate>=now-30d
Show last full scan which is older than last 30 days excluding day 30.
sensor.lastFullScanDate<now-30d
Show last full scan which is older than last 30 days including day 30.
sensor.lastFullScanDate<=now-30d
sensor.lastPcAgentScanDatesensor.lastPcAgentScanDate
Use a date range or specific date to define when last PC scan was performed by agent.
Examples
Show last PC scan within certain dates
sensor.lastPcAgentScanDate:[2019-01-01 .. 2019-01-15]
Show last PC scan starting 2019-01-15, ending 1 month ago
sensor.lastPcAgentScanDate:[2019-01-15 .. now-1M]
Show last PC scan starting 2 weeks ago, ending 1 second ago
sensor.lastPcAgentScanDate:[now-2w .. now-1s]
Show last PC scan on a specific date
sensor.lastPcAgentScanDate:'2019-03-18'
Show last PC scan within last 30 days excluding day 30.
sensor.lastPcAgentScanDate>now-30d
Note: We recommend not to use the NOT operator in your range search to form query like NOT sensor.lastPcScannerScanDate:[now-30d..now-2s]. See "QQL Best Practices" topic in the Unified Dashboard Online Help.
Show last PC scan within last 30 days including day 30.
sensor.lastPcAgentScanDate>=now-30d
Show last PC scan which is older than last 30 days excluding day 30.
sensor.lastPcAgentScanDate<now-30d
Show last PC scan which is older than last 30 days including day 30.
sensor.lastPcScanDateAgent<=now-30d
sensor.lastPcScannerScanDatesensor.lastPcScannerScanDate
Use a date range or specific date to define when last PC scan was performed by scanner.
Examples
Show last PC scan within certain dates
sensor.lastPcScannerScanDate:[2019-01-01 .. 2019-01-15]
Show last PC scan starting 2019-01-15, ending 1 month ago
sensor.lastPcScannerScanDate:[2019-01-15 .. now-1M]
Show last PC scan starting 2 weeks ago, ending 1 second ago
sensor.lastPcScannerScanDate:[now-2w .. now-1s]
Show last PC scan on a specific date
sensor.lastPcScannerScanDate:'2019-03-18'
Show last PC scan within last 30 days excluding day 30.
sensor.lastPcScannerScanDate>now-30d
Note: We recommend not to use the NOT operator in your range search to form query like NOT sensor.lastPcScannerScanDate:[now-30d..now-2s]. See "QQL Best Practices" topic in the Unified Dashboard Online Help.
Show last PC scan within last 30 days including day 30.
sensor.lastPcScannerScanDate>=now-30d
Show last PC scan which is older than last 30 days excluding day 30.
sensor.lastPcScannerScanDate<now-30d
Show last PC scan which is older than last 30 days including day 30.
sensor.lastPcScannerScanDate<=now-30d
sensor.lastVmAgentScanDatesensor.lastVmAgentScanDate
Use a date range or specific date to define when last VM scan was performed by agent.
Examples
Show last VM scan within certain dates
sensor.lastVmAgentScanDate:[2019-01-01 .. 2019-01-15]
Show last VM scan starting 2019-01-15, ending 1 month ago
sensor.lastVmAgentScanDate:[2019-01-15 .. now-1M]
Show last VM scan starting 2 weeks ago, ending 1 second ago
sensor.lastVmAgentScanDate:[now-2w .. now-1s]
Show last VM scan on a specific date
sensor.lastVmAgentScanDate:'2019-03-18'
Show last agent activity within last 30 days excluding day 30.
sensor.lastVmAgentScanDate>now-30d
Note: We recommend not to use the NOT operator in your range search to form query like NOT sensor.lastVmAgentScanDate:[now-30d..now-2s]. See "QQL Best Practices" topic in the Unified Dashboard Online Help.
Show last VM Scan within last 30 days including day 30.
sensor.lastVmAgentScanDate>=now-30d
Show last VM Scan which is older than last 30 days excluding day 30.
sensor.lastVmAgentScanDate<now-30d
Show last VM Scan which is older than last 30 days including day 30.
sensor.lastVmAgentScanDate<=now-30d
sensor.lastVmScanDatesensor.lastVmScanDate
Use a date range or specific date to define when last VM scan was performed.
Examples
Show last VM scan within certain dates
sensor.lastVmScanDate:[2019-01-01 .. 2019-01-15]
Show last VM scan starting 2019-01-15, ending 1 month ago
sensor.lastVmScanDate:[2019-01-15 .. now-1M]
Show last VM scan starting 2 weeks ago, ending 1 second ago
sensor.lastVmScanDate:[now-2w .. now-1s]
Show last VM scan on a specific date
sensor.lastVmScanDate:`2019-03-18`
Show last VM Scan within last 30 days excluding day 30.
sensor.lastVmScanDate>now-30d
Note: We recommend not to use the NOT operator in your range search to form query like NOT sensor.lastVmScanDate:[now-30d..now-2s]. See "QQL Best Practices" topic in the Unified Dashboard Online Help.
Show last VM Scan within last 30 days including day 30.
sensor.lastVmScanDate>=now-30d
Show last VM Scan which is older than last 30 days excluding day 30.
sensor.lastVmScanDate<now-30d
Show last aVM Scan which is older than last 30 days including day 30.
sensor.lastVmScanDate<=now-30d
sensor.lastVmScannerScanDatesensor.lastVmScannerScanDate
Use a date range or specific date to define when last VM scan was performed by scanner.
Examples
Show last VM scan within certain dates
sensor.lastVmScannerScanDate:[2019-01-01 .. 2019-01-15]
Show last VM scan starting 2019-01-15, ending 1 month ago
sensor.lastVmScannerScanDate:[2019-01-15 .. now-1M]
Show last VM scan starting 2 weeks ago, ending 1 second ago
sensor.lastVmScannerScanDate:[now-2w .. now-1s]
Show last VM scan on a specific date
sensor.lastVmScannerScanDate:'2019-03-18'
Show last agent activity within last 30 days excluding day 30.
sensor.lastVmScannerScanDate>now-30d
Note: We recommend not to use the NOT operator in your range search to form query like NOT sensor.lastVmScannerScanDate:[now-30d..now-2s]. See "QQL Best Practices" topic in the Unified Dashboard Online Help.
Show last VM Scan within last 30 days including day 30.
sensor.lastVmScannerScanDate>=now-30d
Show last VM Scan which is older than last 30 days excluding day 30.
sensor.lastVmScannerScanDate<now-30d
Show last VM Scan which is older than last 30 days including day 30.
sensor.lastVmScannerScanDate<=now-30d
sensor.pendingActivationForModulessensor.pendingActivationForModules
Select the name ##### of a module that's pending activation. Select from names in the drop-down menu.
Examples
Show sensors pending activation for VM
sensor.pendingActivationForModules: "VM"
Show sensors pending activation for VM and FIM
sensor.pendingActivationForModules: "VM" AND sensor.pendingActivationForModules: "FIM"
service.descriptionservice.description
Use values within quotes or backticks to find assets with a service description.
Examples
Show any findings that contain parts of description
service.description:"Certificate Propagation"
Show any findings that match exact value "Windows Event Log"
service.description:`Certificate Propagation`
Use text value ##### within values to find assets with a service name.
Example
Show any findings that match exact value
service.name:CertPropSvc
Use text value ##### within values to find the service status.
Example
Show any findings that match exact value
service.status:RUNNING
software.architecturesoftware.architecture
Use text value ##### to find the software architecture you are looking for, i.e 32-Bit or 64-Bit.
Example
Show any findings that match exact value
software.architecture:64-Bit
software.hasRunningInstancesoftware.hasRunningInstance
Use the values true | false to find whether software has a running instance.
Example
Show software that has a running instance
software.hasRunningInstance: "true"
software.installPathsoftware.installPath
Use a text value ##### to define a software install path you are looking for.
Example
Show findings with this exact software install path
software.installPath:C:\Program Files\
software.lastUpdatedDatesoftware.lastUpdatedDate
Use a date range or specific date to define when a software was last updated.
Examples
Show software last updated within certain dates
software.lastUpdatedDate:[2019-01-01 .. 2019-01-15]
Show software last updated starting 2019-01-15, ending 1 month ago
software.lastUpdatedDate:[2019-01-15 .. now-1M]
Show software last updated starting 2 weeks ago, ending 1 second ago
software.lastUpdatedDate:[now-2w .. now-1s]
Show software last updated on a specific date
software.lastUpdatedDate:'2019-03-18'
Show software last updated within last 30 days excluding day 30.
software.lastUpdatedDate>now-30d
Note: We recommend not to use the NOT operator in your range search to form query like NOT software.lastUpdatedDate:[now-30d..now-2s]). See "QQL Best Practices" topic in the Unified Dashboard Online Help.
Show software last updated within last 30 days including day 30.
software.lastUpdatedDate>=now-30d
Show software last updated which is older than last 30 days excluding day 30.
software.lastUpdatedDate<now-30d
Show lsoftware last updated which is older than last 30 days including day 30.
software.lastUpdatedDate<=now-30d
software.lastUsedDatesoftware.lastUsedDate
Use a date range or specific date to define when a software was last used.
Note: This token is not supported for windows assets.
Examples
Show software last used within certain dates
software.lastUsedDatesoftware.lastUpdatedDate:[2019-01-01 .. 2019-01-15]
Show software last used starting 2019-01-15, ending 1 month ago
software.lastUsedDate:[2019-01-15 .. now-1M]
Show software last used starting 2 weeks ago, ending 1 second ago
software.lastUsedDate:[now-2w .. now-1s]
Show software last used on a specific date
software.lastUsedDate:'2019-03-18'
Show software last used within last 30 days excluding day 30.
software.lastUsedDate>now-30d
Note: We recommend not to use the NOT operator in your range search to form query like NOT software.lastUsedDate:[now-30d..now-2s]). See "QQL Best Practices" topic in the Unified Dashboard Online Help.
Show software last used within last 30 days including day 30.
software.lastUsedDate>=now-30d
Show software last used which is older than last 30 days excluding day 30.
software.lastUsedDate<now-30d
Show software last used which is older than last 30 days including day 30.
software.lastUsedDate<=now-30d
AWS EC2
aws.ec2.accountIdaws.ec2.accountId
Use a text value ##### to find EC2 instances with a certain account ID.
Examples
Find EC2 instances that match this account ID
aws.ec2.accountId: 123456789012
Find EC2 instances with account ID starting "12345"
aws.ec2.accountId: 12345*
Find EC2 instances where account ID is null (remove the colon)
aws.ec2.accountId is null
aws.ec2.availabilityZoneaws.ec2.availabilityZone
Use a text value ##### to find EC2 instances by the availability zone in which the instance launched.
Example
Find EC2 instances in the us-east-1a availability zone
aws.ec2.availabilityZone: us-east-1a
aws.ec2.hasAgentaws.ec2.hasAgent
Use the values true | false to define whether the EC2 asset has a cloud agent.
Examples
Show findings with a cloud agent
aws.ec2.hasAgent: true
Show findings without a cloud agent
aws.ec2.hasAgent: false
aws.ec2.hostnameaws.ec2.hostname
Use a text value ##### to find the EC2 hostname you're looking for.
Examples
Find instances related to name
aws.ec2.hostname: abc.qualys.com
Find instances that match exact value
aws.ec2.hostname: `abc.qualys.com`
aws.ec2.imageIdaws.ec2.imageId
Use a text value ##### to find EC2 instances with a certain Image (AMI) ID.
Examples
Find instances related to the Image ID
aws.ec2.imageId: ami-2ea83347
Find instances that match exact value
aws.ec2.imageId: `ami-2ea83347`
aws.ec2.instanceIdaws.ec2.instanceId
Use a text value ##### to find EC2 instances by the instance ID.
Example
Find EC2 instances with this ID
aws.ec2.instanceId: i-1234567890abcdef0
aws.ec2.instanceStateaws.ec2.instanceState
Select the name of the instance state (PENDING, RUNNING, TERMINATED, STOPPED, STOPPING, SHUTTING-DOWN) you're interested in. Select from names in the drop-down menu.
Example
Find running EC2 instances
aws.ec2.instanceState: RUNNING
aws.ec2.instanceTypeaws.ec2.instanceType
Select the type of instance you're interested in. Select from names in the drop-down menu.
Example
Find EC2 instances with instance type t2.micro
aws.ec2.instanceType: t2.micro
aws.ec2.isQualysScanneraws.ec2.isQualysScanner
Use the values true | false to define whether the EC2 asset is a Qualys scanner.
Examples
Show findings where assets are scanners
aws.ec2.isQualysScanner: true
Show findings where assets are not scanners
aws.ec2.isQualysScanner: false
aws.ec2.kernelIdaws.ec2.kernelId
Use a text value ##### to find EC2 instances by kernel ID (AKI).
Example
Find EC2 instances with this kernel ID
aws.ec2.kernelId: aki-70ab0c10
aws.ec2.launchDateaws.ec2.launchDate
Use a date range or specific date to define when the EC2 instance launched. Enter dates in yyyy-mm-dd format.
Examples
Find EC2 instances launched within certain dates
aws.ec2.launchDate: [2017-06-15 .. 2017-06-30]
Find EC2 instances launched on specific date
aws.ec2.launchDate:'2017-08-15'
aws.ec2.privateDNSaws.ec2.privateDNS
Use a text value ##### to define a private DNS address.
Example
Find the EC2 instance with this private DNS address
aws.ec2.privateDNS: ip-10-90-2-85.ec2.internal
aws.ec2.privateIpAddressaws.ec2.privateIpAddress
Use a text value ##### to define a private IPv4 address or range of IPs you're interested in.
Examples
Find EC2 instances with this private IP address
aws.ec2.privateIpAddress: 10.90.0.119
Find EC2 instances within this IP range
aws.ec2.privateIpAddress: [10.1.78.23 .. 10.100.78.235]
aws.ec2.publicDNSaws.ec2.publicDNS
Use a text value ##### to define a public DNS address you're interested in.
Example
Find the EC2 instance with this public DNS address
aws.ec2.publicDNS: ec2-52-70-141-154.compute-1.amazonaws.com
aws.ec2.publicIpAddressaws.ec2.publicIpAddress
Use a text value ##### to define a public IPv4 address or range of IPs.
Examples
Find EC2 instances with this public IP address
aws.ec2.publicIpAddress: 52.70.141.154
Find EC2 instances within this IP range
aws.ec2.publicIpAddress: [52.70.141.154 .. 52.70.141.164]
aws.ec2.region.codeaws.ec2.region.code
Select the code of the region you're interested in. Select from codes in the drop-down menu.
Example
Find EC2 instances in the us-east-1 region
aws.ec2.region.code: us-east-1
aws.ec2.region.nameaws.ec2.region.name
Select the name of the region you are interested in. Select from names in the drop-down menu.
Example
Find EC2 instances in the US East (N. Virginia) region
aws.ec2.region.name: US East (N. Virginia)
aws.ec2.spotInstanceaws.ec2.spotInstance
Use the values true | false to define whether your EC2 instance is a Spot instance.
Examples
Show EC2 Spot instances
aws.ec2.spotInstance: "true"
Show EC2 instances that are not Spot instances
aws.ec2.spotInstance: "false"
aws.ec2.subnetIdaws.ec2.subnetId
Use a text value ##### to find EC2 instances by the ID of the subnet in which the interface resides.
Example
Find EC2 instances with this subnet ID
aws.ec2.subnetId: subnet-bc02c0d4
Use a text value ##### to find EC2 instances by the ID of the VPC in which the interface resides.
Example
Find EC2 instances with this VPC ID
aws.ec2.vpcId: vpc-1e37cd76
Use a text value ##### to find EC2 instances with a certain AWS tag key/name (case insensitive).
Examples
Find EC2 instances with key "devops"
aws.tag:(key: devops)
Find EC2 instances with key starting "dev"
aws.tag:(key: dev*)
Find EC2 instances with key ending "ops"
aws.tag:(key: *ops)
Use a text value ##### to find EC2 instances with a certain AWS tag value (case insensitive).
Examples
Find EC2 instances with tag value "dailybuild"
aws.tag:(value: dailybuild)
Find EC2 instances with tag value starting "daily"
aws.tag:(value: daily*)
Find EC2 instances with tag value ending "build"
aws.tag:(value: *build)
Use these tokens for searching your AWS EC2 assets.
- Your results may return Terminated instances. It's recommended you include aws.ec2instanceState in your query to reduce the number of results.
- The syntax is different when writing queries for tag rules than when searching assets in the Assets list. Be sure to follow the syntax tips in the drop-down when writing your query.
Microsoft Azure
Use a text value ##### to find Azure instances with a certain tag name (case insensitive).
Examples
Find Azure instances with name "devops"
azure.tag.name: devops
Find Azure instances with name starting "dev"
azure.tag.name: dev*
Find Azure instances with name ending "ops"
azure.tags(name: *ops
azure.tag.valueazure.tag.value
Use a text value ##### to find Azure instances with a certain tag value (case insensitive).
Examples
Find Azure instances with tag value "dailybuild"
azure.tag.value: dailybuild
Find Azure instances with tag value starting "daily"
azure.tag.value: daily*
Find Azure instances with tag value ending "build"
azure.tag.value: *build
azure.vm.hasAgentazure.vm.hasAgent
Use the values true | false to define whether the Azure virtual machine you're looking for has a cloud agent installed on it.
Example
Find Azure instances with agents
azure.vm.hasAgent: "true"
azure.vm.imageOfferazure.vm.imageOffer
Use a text value ##### to define the image offer name (i.e. UbuntuServer or WindowsServer) for images deployed from the Azure image gallery.
Examples
Find Azure instances related to name
azure.vm.imageOffer: UbuntuServer
Find Azure instances that match exact value
azure.vm.imageOffer: `UbuntuServer`
azure.vm.imagePublisherazure.vm.imagePublisher
Use a text value ##### to define the name of the Azure virtual machine image publisher (i.e. Canonical or MicrosoftWindowsServer).
Examples
Find Azure instances related to name
azure.vm.imagePublisher: Canonical
Find Azure instances that match exact value
azure.vm.imagePublisher: `Canonical`
azure.vm.imageVersionazure.vm.imageVersion
Use a text value ##### to define the version of the Azure virtual machine image sku you are interested in.
Example
Find Azure instances with this sku version
azure.vm.imageVersion: 16.04.201708030
azure.vm.locationazure.vm.location
Use a text value ##### to define the region you're interested in.
Example
Find Azure instances in this location
azure.vm.location: westus
azure.vm.macAddressazure.vm.macAddress
Use a text value ##### to define the MAC address you're interested in.
Example
Find Azure instances with this MAC address
azure.vm.macAddress: '000D3A36DDED'
Use a text value ##### to find the Azure virtual machine name you're looking for.
Examples
Find Azure instances related to name
azure.vm.name: avset2
Find Azure instances that match exact value
azure.vm.name: `avset2`
azure.vm.platformazure.vm.platform
Use a text value ##### to define the operating system platform (Linux or Windows) of the Azure virtual machine.
Example
Find Azure instances on Windows platform
azure.vm.platform: Windows
azure.vm.privateIpAddressazure.vm.privateIpAddress
Use a text value ##### to define a private IPv4 address or range of IPs you're interested in.
Examples
Find Azure instances with this private IP
azure.vm.privateIpAddress: 10.1.2.5
Find Azure instances within this IP range
azure.vm.privateIpAddress: [10.1.2.5 .. 10.1.2.33]
azure.vm.publicIpAddressazure.vm.publicIpAddress
Use a text value ##### to define a public IPv4 address or range of IPs you're interested in.
Examples
Find Azure instances with this public IP
azure.vm.publicIpAddress: 13.126.125.189
Find Azure instances within this IP range
azure.vm.publicIpAddress: [13.126.125.180 .. 13.126.125.255]
azure.vm.resourceGroupNameazure.vm.resourceGroupName
Use a text value ##### to define the name of the resource group you're interested in.
Examples
Find Azure instances related to name
azure.vm.resourceGroupName: my-eastus-rg
Find Azure instances that match exact value
azure.vm.resourceGroupName: `my-eastus-rg`
Use a text value ##### to help you find Azure VM instances with a certain virtual machine size.
Example
Find Azure instances with this size
azure.vm.size: Standard_D1
Select the name of the instance state (DEALLOCATED, DEALLOCATING, DELETED, RUNNING, STARTING, STOPPED, STOPPING) you're interested in. Select from names in the drop-down menu.
Example
Find running Azure instances
azure.vm.state: RUNNING
azure.vm.subnetazure.vm.subnet
Use a text value ##### to define the Azure virtual machine subnet you're interested in.
Example
Find Azure instances with this subnet
azure.vm.subnet: 10.1.2.0
azure.vm.subscriptionIdazure.vm.subscriptionId
Use a text value ##### to define the subscription ID of the Azure virtual machine subscription.
Example
Find Azure instances with this subscription ID
azure.vm.subscriptionId: fbb9ea64-abda-452e-adfa-83442409
azure.vm.virtualNetworkazure.vm.virtualNetwork
Use a text value ##### to define the operating system platform (Linux or Windows) of the Azure virtual machine.
Examples
Find Azure instances related to virtual network
azure.vm.virtualNetwork: cli-vnet
Find Azure instances that match exact value of virtual network
azure.vm.virtualNetwork: `cli-vnet`
Use a text value ##### to define the Azure virtual machine ID you're looking for.
Example
Find Azure instances with this ID
azure.vm.vmId: 13f56399-bd52-4150-9748-7190aae1ff21
Use these tokens for searching Microsoft Azure assets.
Google Cloud Platform
gcp.compute.hasAgentgcp.compute.hasAgent
Use the values true | false to define whether the GCP instances you're looking for has a cloud agent installed on it.
Example
Find GCP instances with agents
gcp.compute.hasAgent: "true"
gcp.compute.hostnamegcp.compute.hostname
Use a text value ##### to define the hostname you are looking for.
Examples
Find GCP instances related to name
gcp.compute.hostname: instance-5.c.qvsa-dev.internal
Find GCP instances that match exact value
gcp.compute.hostname: `instance-5.c.qvsa-dev.internal`
gcp.compute.imageIdgcp.compute.imageId
Use a text value ##### to define the Google Compute image ID you are looking for.
Examples
Find GCP instances related to the Image ID
gcp.compute.imageId: projects/centos-cloud
Find GCP instances that match exact value
gcp.compute.imageId: `projects/centos-cloud/global/images/centos-6-v20191014`
gcp.compute.instanceIdgcp.compute.instanceId
Use a text value ##### to define the Google Compute instance ID you are looking for.
Example
Find GCP instances with this ID
gcp.compute.instanceId: 4392196237934605253
gcp.compute.macAddressgcp.compute.macAddress
Use a text value ##### to define the MAC address you are interested in.
Example
Find GCP instances with this MAC address
gcp.compute.macAddress: '000D3A36DDED'
gcp.compute.machineTypegcp.compute.machineType
Use a text value ##### to define the machine type of the virtual machine instance you are interested in.
Examples
Find GCP instances related to name
gcp.compute.machineType: n1-standard-1
Find GCP instances that match exact value
gcp.compute.machineType: `n1-standard-1`
gcp.compute.networkgcp.compute.network
Use a text value ##### to find GCP instances by the VPC network the instance belongs to.
Example
Find GCP instances with this network
gcp.compute.network: 000D3A36DDED
gcp.compute.privateIpAddressgcp.compute.privateIpAddress
Use a text value ##### to define a private IPv4 address or range of IPs you are interested in.
Examples
Find GCP instances with this private IP
gcp.compute.privateIpAddress: 10.240.0.7
Find GCP instances with this private IP range
gcp.compute.privateIpAddress: [10.240.0.7 .. 10.240.0.30]
gcp.compute.projectIdgcp.compute.projectId
Use a text value ##### to define the project ID assigned to the GCP Console project the instance belongs to.
Examples
Find GCP instances related to ID
gcp.compute.projectId: qvsa-dev
Find GCP instances that match exact value
gcp.compute.projectId: `qvsa-dev`
gcp.compute.projectNumbergcp.compute.projectNumber
Use an integer value ##### to define the project number assigned to the GCP Console project the instance belongs to.
Examples
Find GCP instances related to this number
gcp.compute.projectNumber: 1035365309337
Find GCP instances that match exact value
gcp.compute.projectNumber: `1035365309337`
gcp.compute.publicIpAddressgcp.compute.publicIpAddress
Use a text value ##### to define a public IPv4 address or range of IPs you are interested in.
Examples
Find GCP instances with this public IP
gcp.compute.publicIpAddress: 104.196.57.216
Find GCP instances within this IP range
gcp.compute.publicIpAddress: [104.196.57.216 .. 104.196.57.218]
gcp.compute.stategcp.compute.state
Type your drop-dowSelect the name of the instance state (PENDING, RUNNING, STOPPED, TERMINATED, STOPPING, SHUTTING_DOWN, DEALLOCATED) you're interested in. Select from names in the drop-down menu.
Example
Find running GCP instances
gcp.compute.state: RUNNING
gcp.compute.zonegcp.compute.zone
Use a text value ##### to define the zone of the GCP instance you are looking for.
Examples
Find GCP instances related to name
gcp.compute.zone: us-east1-d
Find GCP instances that match exact value
gcp.compute.zone: `us-east1-d`
Use these tokens for searching Google Cloud Platform assets.
Oracle Cloud Infrastructure
oci.compute.availabilityDomainoci.compute.availabilityDomain
Use a text value ##### to search all assets with the specified available domain.
Example
Show all assets with the available domain Lhkx:US-ASHBURN-AD-1
oci.compute.availabilityDomain:"Lhkx:US-ASHBURN-AD-1"
oci.compute.canonicalRegionNameoci.compute.canonicalRegionName
Use a text value ##### to search all assets having the specified canonical region name.
Example
Show all assets with the canonical region name us-ashburn-1
oci.compute.canonicalRegionName:"us-ashburn-1"
oci.compute.compartmentIdoci.compute.compartmentId
Use a text value ##### to search all assets with the specified OCI compartment ID.
Example
Show assets with this OCI compartment ID
oci.compute.compartmentId:"ocid1.compartment.oc1..123452sjze35z6bkhvwjtzzgcp534zj4o75tgsizg3q36wl447jvfg6dq"
oci.compute.compartmentNameoci.compute.compartmentName
Use a text value ##### to search all assets with the specified OCI compartment name.
Example
Show assets with this OCI compartment name
oci.compute.compartmentName:"ocid1.compartment.abc"
oci.compute.displayNameoci.compute.displayName
Use a text value ##### to search all assets with the specified display name.
Example
Show assets with display name oracle 8.
oci.compute.displayName:"oracle 8"
oci.compute.faultDomainoci.compute.faultDomain
Use a text value ##### to search all assets with the specified fault domain.
Example
Show all assets with fault domain FAULT-DOMAIN-1
oci.compute.faultDomain:"FAULT-DOMAIN-1"
oci.compute.hasAgentoci.compute.hasAgent
Use the values true | false to list all assets that have cloud agents. Choose True to list all assets having cloud agents and choose False to list all assets that do not have cloud agents.
Example
Show all assets with having cloud agent installed
oci.compute.hasAgent:"true"
oci.compute.hostNameoci.compute.hostName
Use a text value ##### to search all assets with the specified host name.
Example
Show all findings with the host name oracle-8
oci.compute.hostName:"oracle-8"
Use a text value ##### to search all assets with the specified OCI ID.
Example
Show assets with this OCI ID
oci.compute.id:"ocid1.compartment.oc1..1234567lbhcx2ajiagh57wrurvqs2ubd4ttaimgy22cxh3r6brpmmugq"
oci.compute.imageIdoci.compute.imageId
Use a text value ##### to search all assets with the specified image ID.
Example
Show all assets with the ocid1.image.oc1.iad.aaaaaaaaffp3cnkpfxibzrdkfnxbitkgxk7al33rrhpzhfnrhfv7ml2xdpyq image ID
oci.compute.imageId:"ocid1.image.oc1.iad.aaaaaaaaffp3cnkpfxibzrdkfnxbitkgxk7al33rrhpzhfnrhfv7ml2xdpyq"
oci.compute.isQualysScanneroci.compute.isQualysScanner
Use the values true | false to list all assets that are Qualys Scanner. Choose True to list all assets that are Qualys Scanner and choose False to list all assets that are not Qualys Scanner.
Example
Show all assets that are Qualys Scanner.
oci.compute.isQualysScanner:"true"
oci.compute.regionoci.compute.region
Use a text value ##### to search all assets in the specified region.
Example
Show all assets with the region us-east-1
oci.compute.region:"us-east-1"
oci.compute.regionKeyoci.compute.regionKey
Use a text value ##### to search all assets with the specified region key.
Example
Show all assets with the region key SYD
oci.compute.regionKey:"SYD"
oci.compute.regionRealmoci.compute.regionRealm
Use a text value ##### to search all groups with the specified region realm.
Example
Show all assets with the region realm OC1
oci.compute.regionRealm:"OC1"
oci.compute.shapeoci.compute.shape
Use a text value ##### to search all assets with the specified shape.
Example
Show all assets with the shape x5-2.36.512
oci.compute.shape:"x5-2.36.512"
oci.compute.stateoci.compute.state
Use a text value ##### to search all assets with specific compute state.
Example
Show all assets with the compute state Starting
oci.compute.state:STARTING
oci.compute.tenantIdoci.compute.tenantId
Use a text value ##### to search all assets with specific tenant ID.
Example
Show all assets with the specific tenant ID
oci.compute.tenantId:"ocid1.tenancy.oc1..aaaaaaaax2gwhq3hszjqhte5pgzijgyge6gvlsrqar6kxn7itwhk7keokamq"
oci.compute.tenantNameoci.compute.tenantName
Use a text value ##### to search all assets with specific tenant name.
Example
Show all assets with the specific tenant name
oci.compute.tenantName:"oraclecengg1"
oci.compute.timeCreatedoci.compute.timeCreated
Use a text value ##### to search all assets created at the specified time.
Example
Show findings with last check in within a specific date range.
oci.compute.timeCreated:[2020-01-01 .. 2020-01-10]
Show findings with last check in starting 2019-11-01, ending 1 month ago.
oci.compute.timeCreated:[2019-11-01 .. now-1M]
Show findings with last check in starting 2 weeks ago, ending 1 second ago.
Use a text value ##### to search all assets with the specified tag key.
Example
Show all assets with the tag key CreatedBy
oci.tag.key:CreatedBy
oci.tag.namespaceoci.tag.namespace
Use a text value ##### to search all assets with the specified namespace.
Example
Show all assets with the namespace Oracle-Tags
oci.tag.namespace:"Oracle-Tags"
Use a text value ##### to search all assets with specific tag type.
Example
Show all assets with the specific tag type
oci.tag.type:DEFINED
Use a text value ##### to search all assets with the specified tag value.
Example
Show all assets with the tag value 2021-02-09
oci.tag.value:"2021-02-09"
oci.vnic.macAddroci.vnic.macAddr
Use a text value ##### to search all assets with the specified MAC address.
Example
Show all assets with the MAC address 02:00:17:06:bd:b3
oci.vnic.macAddr:"02:00:17:06:bd:b3"
oci.vnic.nicIndexoci.vnic.nicIndex
Use a text value ##### to search all assets with the specified index.
Example
Show all assets with the index 1
oci.vnic.nicIndex:1
oci.vnic.privateIpoci.vnic.privateIp
Use a text value ##### to search all assets with the specified private IP.
Example
Show all assets with this private IP
oci.vnic.privateIp:10.0.0.222
oci.vnic.publicIpoci.vnic.publicIp
Use a text value ##### to search all assets with the specified public IP.
Example
Show all assets with this public IP
oci.vnic.publicIp:10.0.0.222
oci.vnic.subnetCidrBlockoci.vnic.subnetCidrBlock
Use a text value ##### to search all assets with the specified block.
Example
Show all assets with the block 10.0.0.0/24
oci.vnic.subnetCidrBlock:10.0.0.0/24
oci.vnic.subnetIdoci.vnic.subnetId
Use a text value ##### to find OCI instances by the ID of the subnet in which the interface resides.
Example
Find OCI instances with this subnet ID
oci.vnic.subnetId: "subnet-bc02c0d4"
oci.vnic.subnetNameoci.vnic.subnetName
Use a text value ##### to find OCI instances by the name of the subnet in which the interface resides.
Example
Find OCI instances with this subnet name
oci.vnic.subnetName: "subnet-abc"
Use a text value ##### to search all assets with the specified VCN ID.
Example
Show all assets with this VCN ID
oci.vnic.vcnId:"ocid1.vnic.oc1.iad.abuwcljt6cdjcuwhkce37madk4p6bd6ocjknilpwzai5rsyjejteiodyp22q"
oci.vnic.vcnNameoci.vnic.vcnName
Use a text value ##### to search all assets with the specified vcn name.
Example
Show all assets with this vcn name
oci.vnic.vcnName:"abc"
oci.vnic.virtualRouterIpoci.vnic.virtualRouterIp
Use a text value ##### to search all assets with the specified router IP.
Example
Show all assets with the router IP 10.0.0.1
oci.vnic.virtualRouterIp:10.0.0.1
oci.vnic.vlanTagoci.vnic.vlanTag
Use a text value ##### to search all assets with the specified vlan tag.
Example
Show all assets with the vlan tag 1
oci.vnic.vlanTag:1
oci.vnic.vnicIdoci.vnic.vnicId
Use a text value ##### to search all assets with the specified VNIC ID.
Example
Show all assets with the VNIC ID ocid1.vnic.oc1.iad.abuwcljt6cdjcuwhkce37madk4p6bd6ocjknilpwzai5rsyjejteiodyp22q
oci.vnic.vnicId:"ocid1.vnic.oc1.iad.abuwcljt6cdjcuwhkce37madk4p6bd6ocjknilpwzai5rsyjejteiodyp22q"
Use these tokens for searching Oracle Cloud Infrastructure (OCI) assets.
IBM Cloud
Use a text value ##### to find IBM instances with a certain tag name (case insensitive).
Examples
Find IBM instances with name "devops"
ibm.tag.name: devops
Find IBM instances with name starting "dev"
ibm.tag.name: dev*
Find IBM instances with name ending "ops"
ibm.tag.name: *ops
Use a text value ##### to find IBM instances with a certain tag value (case insensitive).
Examples
Find IBM instances with tag value "dailybuild"
ibm.tag.value: dailybuild
Find IBM instances with tag value starting "daily"
ibm.tag.value: daily*
Find IBM instances with tag value ending "build"
ibm.tag.value: *build
ibm.virtualServer.datacenterIdibm.virtualServer.datacenterId
Use a text value ##### to find IBM instances with datacenter ID .
Example
Find IBM instances with this datacenter ID
ibm.virtualServer.datacenterId: 1854895
ibm.virtualServer.deviceNameibm.virtualServer.deviceName
Use a text value ##### to find IBM instances with virtual server device name.
Examples
Find IBM instances related to name
ibm.virtualServer.deviceName: "virtualserver01.Qualys-Inc.cloud"
Find IBM instances that match exact value
ibm.virtualServer.deviceName: `virtualserver01.Qualys-Inc.cloud`
ibm.virtualServer.domainibm.virtualServer.domain
Use a text value ##### to search all assets with the specified virtual server domain.
Example
Show all assets with virtual server domain Qualys-Inc.cloud
ibm.virtualServer.domain:"Qualys-Inc.cloud"
ibm.virtualServer.idibm.virtualServer.id
Use a text value ##### to search all assets with the specified virtual server ID.
Example
Show all assets with the 8998892 virtual server ID
ibm.virtualServer.id:8998892
ibm.virtualServer.locationibm.virtualServer.location
Use a text value ##### to define the region you are interested in.
Example
Find IBM instances in this location
ibm.virtualServer.location: "westus"
ibm.virtualServer.privateIpAddressibm.virtualServer.privateIpAddress
Use a text value ##### to define a private IPv4 address or range of IPs you are interested in.
Examples
Find IBM instances with this private IP
ibm.virtualServer.privateIpAddress: 10.240.0.7
Find IBM instances with this private IP range
ibm.virtualServer.privateIpAddress: [10.240.0.7 .. 10.240.0.30]
ibm.virtualServer.privateVlanibm.virtualServer.privateVlan
Use a text value ##### to define a private Vlan you are interested in.
Example
Find the IBM instance with this private Vlan address
ibm.virtualServer.privateVlan: 3455
ibm.virtualServer.publicIpAddressibm.virtualServer.publicIpAddress
Use a text value ##### to define a public IPv4 address or range of IPs you are interested in.
Examples
Find IBM instances with this public IP
ibm.virtualServer.publicIpAddress: 10.240.0.7
Find IBM instances with this public IP range
ibm.virtualServer.publicIpAddress: [10.240.0.7 .. 10.240.0.30]
ibm.virtualServer.publicVlanibm.virtualServer.publicVlan
Use a text value ##### to define a public Vlan you are interested in.
Example
Find the IBM instance with this public Vlan address
ibm.virtualServer.publicVlan: 3455
ibm.virtualServer.stateibm.virtualServer.state
Use a text value ##### to search all assets with specific virtual server state.
Example
Show all assets with the virtual server state Starting
ibm.virtualServer.state: STARTING
Use these tokens for searching IBM Cloud assets.
Alibaba
alibaba.instance.accountIdalibaba.instance.accountId
Use a text value to define the instance id of the Alibaba cloud account
Examples
Find Alibaba instances with the following account ID
alibaba.instance.accountId: 123456789012
Find Alibaba instances with account ID starting "12345"
alibaba.instance.accountId: 12345*
alibaba.instance.dnsServeralibaba.instance.dnsServer
Use an integer value to define the Domain Name System (DNS) configurations of the instance.
Example
Find Alibaba instances of the following DNS
alibaba.instance.dnsServer: 100.xxx.x.xxx
alibaba.instance.hasAgentalibaba.instance.hasAgent
Use the boolean value, true | false to define whether the Alibaba instance has a cloud agent installed on it.
Example
Find Alibaba instances with agents
alibaba.instance.hasAgent: true
alibaba.instance.hostNamealibaba.instance.hostName
Use a text value to find Alibaba hostname.
Example
Find Alibaba instances related to name
alibaba.instance.hostName: abc.qualys.com
alibaba.instance.imageIdalibaba.instance.imageId
Use a text value to find the Id of the image used during the instance creation process.
Example
Find instances related to image id
alibaba.instance.imageId: ubuntu_14_0405_64_20G_alibase_20170824.vhd
alibaba.instance.instanceIdalibaba.instance.instanceId
Use a text value to define the Alibaba instance id.
Example
Find Alibaba instances with this instance ID
alibaba.instance.instanceId: i-a2dxxxxsxxxxxhdfax
alibaba.instance.instanceStatealibaba.instance.instanceState
Use a text value to define the state of the Alibaba instance. Some of the examples of the state of the instance are: MOVING, RUNNING, STARTED, STOPPED, STOPPING, and TERMINATED.
Example
Find Alibaba instances for the following state
alibaba.instance.instanceState: RUNNING
alibaba.instance.instanceTypealibaba.instance.instanceType
Use a text value to define the instance type.
Example
Find Alibaba instances with this instance type
alibaba.instance.instanceType: ecs.t5-lc1m1.small
alibaba.instance.interfaceIdalibaba.instance.interfaceId
Use a text value to define the identifier of the NIC.
Example
Find Alibaba instances of the following interface id
alibaba.instance.interfaceId: a2dxxxxaixxxtux572
alibaba.instance.macAddressalibaba.instance.macAddress
Use a text value to define the MAC address.
Example
Find Alibaba instances with this MAC address
alibaba.instance.macAddress: 00:16:3e:0f:XX:XX
alibaba.instance.networkTypealibaba.instance.networkType
Use the network type values to find the Alibaba cloud instances. The network type can be vpc or classic.
Example
Find Alibaba instances with this network type
alibaba.instance.networkType: vpc
alibaba.instance.privateIpAddressalibaba.instance.privateIpAddress
Use an integer value to define a private IPv4 address or range of IPs.
Example
Find Alibaba instances with the following private IP address
alibaba.instance.privateIpAddress: 192.168.XX.XX
alibaba.instance.publicIpAddressalibaba.instance.publicIpAddress
Use an integer value to define a public IPv4 address or range of IPs.
Example
Find Alibaba instances with the following public IP address
alibaba.instance.publicIpAddress: 149.xx.xx.xx
alibaba.instance.regionCodealibaba.instance.regionCode
Use a text value to find the alibaba cloud instances that belong to the region with specific code. Some of the examples of codes are ap-northeast-1, ap-south-1, nanjing, cn-chengdu, and eu-central-1.
Example
Find Alibaba instances for the following region code
alibaba.instance.regionCode: cn-chengdu
alibaba.instance.regionNamealibaba.instance.regionName
Use a text value to define the region name. Australia (Sydney), Beijing, China, Japan (Tokyo), India (Mumbai), and Philippines (Manila).
Example
Find Alibaba instances for the following region
alibaba.instance.regionName: US (Silicon Valley)
alibaba.instance.serialNumberalibaba.instance.serialNumber
Use a text value to define the serial number of the instance.
Example
Find Alibaba instances of the following serial number
alibaba.instance.serialNumber: 12trexxxxr-3xx-xxx-rtg4-xxxx6t45
alibaba.instance.vpcCidrBlockalibaba.instance.vpcCidrBlock
Use a text value to define the serial number of the instance.
Example
Find Alibaba instances of the following CIDR block
alibaba.instance.vpcCidrBlock: 172.xx.x.x/16
alibaba.instance.vpcIdalibaba.instance.vpcId
Use a text value to search all the Alibaba instances with the specified VPC ID.
Example
Show Alibaba instances with this VPC ID
alibaba.instance.vpcId: vpc-a2d6pxxxxvvdadd5yikj
alibaba.instance.vswitchCidrBlockalibaba.instance.vswitchCidrBlock
Use an integer value to define the CIDR block of the switch to which the Alibaba instance is connected.
Example
Find Alibaba instances of the following CIDR block of the switch
alibaba.instance.vswitchCidrBlock: 192.168.XX.XX/24
alibaba.instance.vswitchIdalibaba.instance.vswitchId
Use a text value to search all the Alibaba instances with the specified vswitchId.
Example
Show Alibaba instances with of the following switch ID
alibaba.instance.vswitchId: vsw-a2dxxxoxxxxsqx1mxxxdd
alibaba.instance.zoneIdalibaba.instance.zoneId
Use a text value to define the zone id.
Example
Find Alibaba instances of the following zone id
alibaba.instance.zoneId: cn-chengdu-a
Use these tokens for searching Alibaba assets.
Passive Sensor Only
hardware.typingConfidencehardware.typingConfidence
Use a text value ##### to define the hardware typing confidence you're looking for, i.e. HIGH, MEDIUM, LOW, UNIDENTIFIED.
Example
Show this hardware typing confidence
hardware.typingConfidence:HIGH
qualys.passiveSensor.idqualys.passiveSensor.id
Use an integer value ##### to find assets sensed by a certain sensor ID.
Example
Show this sensor ID
qualys.passiveSensor.id:"003687557369:1654660042:3809075:704:1654660042:3809075:704"
qualys.passiveSensor.lastUpdatedDatequalys.passiveSensor.lastUpdatedDate
Use a date range or specific date to define when passive sensors were last updated.
Examples
Show passive sensors last updated within certain dates
qualys.passiveSensor.lastUpdatedDate:[2019-01-01 .. 2019-01-15]
Show passive sensors last updated starting 2019-01-15, ending 1 month ago
qualys.passiveSensor.lastUpdatedDate:[2019-01-15 .. now-1M]
Show passive sensors last updated starting 2 weeks ago, ending 1 second ago
qualys.passiveSensor.lastUpdatedDate:[now-2w .. now-1s]
Show passive sensors last updated on a specific date
qualys.passiveSensor.lastUpdatedDate:`2019-03-18`
qualys.passiveSensor.locationqualys.passiveSensor.location
Use a text value ##### to find assets based on specific sensor location.
Examples
Show assets with sensor location (appliance location label) as SanJose1
qualys.passiveSensor.location:"SanJose1"
qualys.passiveSensor.namequalys.passiveSensor.name
Use a text value ##### to find assets based on specific sensor name.
Examples
Show assets with sensor name as ITCorp-appliance
qualys.passiveSensor.name:"ITCorp-appliance"