Search Tokens for Findings

You can use the search tokens in the Findings tab to refine your search results. We have broadly classified the asset and vulnerability/misconfiguration search tokens in the Findings tab. Click each token to learn more about it.

Vulnerability/Misconfiguration | Asset

Vulnerability/Misconguration Tokens

Use these tokens to define search criteria for vulnerabilities and misconfigurations.

finding.customNumber1finding.customNumber1

Provide a numeric value to search for findings with a specific value or within a range of values.

Example

Show findings with customNumber1 equal to 80
finding.customNumber1: 80

finding.customNumber2finding.customNumber2

Provide a numeric value to search for findings with a specific value or within a range of values.

Example

Show findings with customNumber2 greater than 80
finding.customNumber2> 80

 

finding.customNumber3finding.customNumber3

Provide a numeric value to search for findings with a specific value or within a range of values.

Example

Show findings with customNumber3 greater than 500.
finding.customNumber3> 500

finding.customNumber4finding.customNumber4

Provide a numeric value to search for findings with a specific value or within a range of values.

Example

Show findings with customNumber1 equal to 800.
finding.customNumber4: 1800

finding.customNumber5finding.customNumber5

Provide a numeric value to search for findings with a specific value or within a range of values.

Example

Show findings with customNumber1 equal to 2500
finding.customNumber5: 2500

finding.applicationURLfinding.applicationURL

Use a text value to search findings discovered on a certain application URL. 

Example

Show findings with the specified application URL
finding.applicationURL:http://funkytown.vuln.qa.qualys.com/cassium/xss/

finding.cveIdfinding.cveId

Use a text value to search for findings based on the CVE ID of the vulnerability.

Examples

Show findings with the specified CVE ID

finding.cveId:CVE-2020-27814

finding.cvss2Basefinding.cvss2Base

Provide a numeric value (0.0 to 10.0) to find vulnerabilities with a specific CVSS 2.0 Base score.

Examples Find vulnerabilities with CVSS 2.0 Base score of 7.5

finding.cvss2Base: 7.5

finding.cvss2Temporalfinding.cvss2Temporal

Provide a numeric value (0.0 to 10.0) to find vulnerabilities with a specific CVSS 2.0 Temporal score.

Examples

Find vulnerabilities with CVSS 2.0 Temporal score of 6.5

finding.cvss2Temporal: 6.5

finding.cvss3Basefinding.cvss3Base

Provide a numeric value (0.0 to 10.0) to find vulnerabilities with a specific CVSS 3.0 Base score.

Examples

Find vulnerabilities with CVSS 3.0 Base score of 9.1

finding.cvss3Base: 9.1

finding.cvss3Temporalfinding.cvss3Temporal

Provide a numeric value (0.0 to 10.0) to find vulnerabilities with a specific CVSS 3.0 Temporal score.

Examples Find vulnerabilities with CVSS 3.0 Temporal score of 8.3

finding.cvss3Temporal: 8.3

finding.descriptionfinding.description

Use quotes or backticks within values to help you find the finding with matching description. After the colon, enter the description.

Examples

Show any findings related to this description: 

finding.description: "Remote Code Execution"

Show any findings that contain "Remote" or "Code" in description:

finding.description: "Remote Code"

Show any findings that match the exact value "Remote Code": 

finding.description: `Remote Code`

finding.detectionAgefinding.detectionAge

Select the number of days from the range (00..30, 31..60, 61..90, 91..180,180..+) since the vulnerability was first detected (by a scanner or cloud agent) on the asset till the current date. The age is calculated irrespective of the vulnerability status.

Example

Show findings that were detected in the last 30 days.

finding.detectionAge:[00..30]

finding.disabledfinding.disabled

Select (True, False) to find vulnerabilities that are disabled or enabled in the vendor system.

Example

Show vulnerabilities that are disabled.

finding.disabled: true

finding.discoveryTypefinding.discoveryType

Select a discovery type (Remote or Authenticated) to search findings having this discovery type. Select from names in the drop-down menu.

Example

Show findings with Remote discovery type:

finiding.discoveryType:REMOTE 

finding.firstFoundfinding.firstFound

Use the date range or specific date to define when findings were first found.

Examples

Show findings first found within certain dates:

finding.firstFound:[2015-10-21 .. 2016-01-15] 

Show findings first found starting 2016-01-01, ending 1 month ago:

finding.firstFound:[2016-01-01 .. now-1M] 

Show findings first found starting 2 weeks ago, ending 1 second ago:

finding.firstFound:[now-2w .. now-1s] 

Show findings first found on a certain date:

finding.firstFound:'2016-01-11' 

Show findings first found within a certain number of days:

finding.firstFound:[91..180] 

finding.epssScorefinding.epssScore

Use an integer value to help you search findings based on a EPSS score.

Example

Show findings related to EPSS score

finding.epssScore: 0.7088

finding.idfinding.id

Use an integer value to help you search findings based on a rule ID.

Example

Show findings related to this rule ID

finding.id: 7088

finding.ignoredfinding.ignored

Select (True, False) to find vulnerabilities that are marked as ignored or not ignored.

Example

Show vulnerabilities that are not marked as ignored.

finding.ignored: false

finding.instancefinding.instance

Use a text value to search findings discovered on a certain instance.

Example

Show findings with the specified instance
finding.instance:oracle

finding.lastFixedfinding.lastFixed

Use a date range or specific date to define when findings were last fixed.

Examples

Show findings last fixed within certain dates:

finding.lastFixed:[2015-10-21 ... 2016-01-15] 

Show findings last fixed starting 2016-01-01, ending 1 month ago:

finding.lastFixed:[2016-01-01 ... now-1M] 

Show findings last fixed starting 2 weeks ago, ending 1 second ago:

finding.lastFixed:[now-2w ... now-1s] 

Show findings last fixed on a certain date:

finding.lastFixed:'2016-01-11' 

Show findings last fixed within a certain number of days:

finding.lastFixed:[91..180] 

finding.lastFoundfinding.lastFound

Use the date range or specific date to define when findings were last found.

Examples

Show findings last found within certain dates:

finding.lastFound:[2015-10-21 ... 2016-01-15] 

Show findings last found starting 2016-01-01, ending 1 month ago:

finding.lastFound:[2016-01-01 ... now-1M] 

Show findings last found starting 2 weeks ago, ending 1 second ago:

finding.lastFound:[now-2w ... now-1s] 

Show findings last found on a certain date:

finding.lastFound:'2016-01-11' 

Show findings last found within a certain number of days:

finding.lastFound:[91..180] 

finding.owaspTopTenNamefinding.owaspTopTenName

Use this token to search for vulnerabilities of a specific OWASP Top Ten name type. Choose the name from the drop-down menu.

Example

Search vulnerabilities that are impacted by Injection.

finding.owaspTopTenname: "Injection"

 

finding.policyNamefinding.policyName

Use this token to search for misconfigurations related to a given policy name.

Example

Search misconfigurations that are associated with "CIS Benchmark".

finding.policyName: "CIS Benchmark"

finding.portfinding.port

Use an integer value to help you search findings discovered on a specific port.

Example

Show findings discovered on this port

finding.port:443

finding.protocolfinding.protocol

Use a text value (UDP or TCP) to define the port protocol.

Example

Show findings discovered on TCP protocol

finding.protocol:TCP

 

finding.qdsfinding.qds

Use an integer value (0-100) to help you find vulnerabilities based on specific detection score. After the colon, enter the value.

Examples

Show vulnerabilities with detection score 80:

finding.qds:80

Show vulnerabilities with detection score greater than 80:

finding.qds: > 80

finding.reopenedfinding.reopened

Use the date range or specific date to define when findings were reopened.

Examples

Show findings reopened within certain dates:

finding.reopened:[2015-10-21 ... 2016-01-15] 

Show findings reopened starting 2016-01-01, ending 1 month ago:

finding.reopened:[2016-01-01 ... now-1M] 

Show findings reopened starting 2 weeks ago, ending 1 second ago:

finding.reopened:[now-2w ... now-1s] 

Show findings reopened on a certain date:

finding.reopened:'2016-01-11' 

Show findings reopened within a certain number of days:

finding.reopened:[91..180] 

finding.riskFactor.exploitCodeMaturityfinding.riskFactor.exploitCodeMaturity

Select from the drop-down menu (poc, weaponized) to find vulnerabilities based on the maturity level of their exploit code.

Example

Show vulnerabilities with Functional exploit code maturity

finding.riskFactor.exploitCodeMaturity: poc

finding.riskFactor.threatActorNamefinding.riskFactor.threatActorName

Provide a string value to find vulnerabilities associated with a specific threat actor or group.

Example

Find vulnerabilities associated with the threat actor "APT29"

finding.riskFactor.threatActorName: APT29

finding.riskFactor.cisaKnownExploitsfinding.riskFactor.cisaKnownExploits

Select (True, False) to find vulnerabilities that are or are not listed in CISA's Known Exploited Vulnerabilities Catalog.

Example

Show vulnerabilities listed in CISA's Known Exploited Vulnerabilities Catalog

finding.riskFactor.cisaKnownExploits: true

finding.riskFactor.rtifinding.riskFactor.rti

Use the token value from drop down menu to find vulnerabilities based on the Real-time Threat Indicators. Available tokens are Exploit_Public, Active_Attacks, Easy_Exploit, Remote_Code_Execution, Privilege_Escalation, or Predicted_High_Risk.

Example

Show findings related to Easy_Exploit

finding.riskFactor.rti: Easy_Exploit

finding.riskFactor.malwareNamefinding.riskFactor.malwareName

Provide a string value to find vulnerabilities associated with a specific malware.

Example

Find vulnerabilities associated with the "WannaCry" malware

finding.riskFactor.malwareName: WannaCry

finding.ruleNamefinding.ruleName

Use a text value ##### for findings related to the rule name.

Example

Show findings with rule name
finding.ruleName: "find epss score"

finding.severityfinding.severity

Use an integer value to view the severity level set by Qualys to search findings. The severity level ranges between 1-5. Select from values in the drop-down menu.

Example

Show findings with severity set by Qualys as 5:

finding.severity: 3

finding.sourceIdfinding.sourceId

Use a text value to search for findings based on the ID used by the source vendor.

Examples

Show findings with the specified source ID

finding.sourceId:500034

finding.statusfinding.status

Select a status (for example, Active, Fixed, New, or Reopened) to search findings with certain statuses. Select from names in the drop-down menu. If you select the status as Fixed, the list will only show vulnerabilities that have been fixed in the last 365 days.

Example

Show vulnerabilities with Fixed status:

finding.status: Fixed

finding.subTypefinding.subType

Select a finding type (Vulnerability, Misconfiguration, Malware, Compliance) to find findings of this type. Select from names in the drop-down menu.

Example

Show findings with this type.

finding.SubType: Vulnerability

finding.tags.namefinding.tags.name

Use a text value to search for findings based on tagnames.

Example

Show findings with the specified tagname.

findings.tags.name: Wiz

finding.technologyCategoryfinding.technologyCategory

Use this token to search for misconfigurations related  to a given technology category.

Example

Search misconfigurations that are associated with "Linux / Server".

finding.technologyCategory: "Linux/Server"

finding.technologyNamefinding.technologyName

Use this token to search for misconfigurations related to a given technology name.

Example

Search misconfigurations that are associated with "Red Hat Enterprise Linux Server ".

finding.technologyName: "Red Hat Linux Server"

 

finding.titlefinding.title

Use quotes or backticks within values to help you find the title. 

After the colon, enter the title. 

Examples

Show any findings related to this title. 

finding.title: 'Remote Code Execution

Show any findings that contain "Remote" or "Code" in title: 

finding.title: "Remote Code"

Show any findings that match exact value "Remote Code" :

finding.title: `Remote Code`

finding.ttrfinding.ttr

Use the number of days to determine the findings based on the Total and First Found time to remediate. The token accepts range input as number of days. You can also customize the range input.

Examples

Show vulnerabilities findings based on total and first found calculation
finding.ttr:[61..90]

Use custom query to see the vulnerabilities findings based on total and first found calculation
finding.ttr:[0..90]

finding.typeDetectedfinding.typeDetected

Select a detection type (Confirmed, Potential, or Information) to search for findings of this type. Select from names in the drop-down menu.

Example

finding.typeDetected: confirmed

finding.vendorFindingIdfinding.vendorFindingId

Use a text value to search findings with the specified source finding ID. - external id. It is the unique ID of an instance of the finding.

Example

Show finding with this source finding id.

finding.vendorFindingId:9d7ef6e4-baed-47ba-99ec-a78a801f1e19 

finding.vendorNamefinding.vendorName

Select a detection source (Wiz, Qualys, Microsoft) to search findings from the specified source. Select from names in the drop-down menu. 

Example

Show findings with this source.

finding.vendorName: Qualys

finding.vendorProductNamefinding.vendorProductName

Select a detection source's product name (for example, Nessus) to search findings with the product name of the detection source. Select from names in the drop-down menu.

Example

Show findings with the product name:

finding.vendorProductName:Nessus 

finding.vendorUrlfinding.vendorUrl

Use quotes or backticks within values to help you find the finding with matching url.\

Examples

Show any findings related to this url:

finding.vendorUrl:https://app.wiz.io 

Show any findings that contain "app" or "wiz" in url.

finding.vendorUrl:"app wiz" 

Show any findings that match exact value.

finding.vendorUrl:`https://app.wiz.io/explorer/vulnerability-findings#5e95ff50-5490-514e-87f7-11e56f3230ff` 

Asset Tokens

The following asset tokens will list all the assets mentioned in the QQL. 

Asset Inventory and Passive SensorAWS EC2Microsoft AzureGoogle Cloud PlatformOracle Cloud Infrastructure | IBM Cloud | Alibaba | Passive Sensor Only

asset.assetIDasset.assetID

Use an integer value to help you find certain Qualys asset IDs (UUIDs), assigned by an agent or a scanner appliance when Agentless Tracking is used.

Examples

  • Show this asset ID:
    asset.assetID: 2918869
  • Show the asset IDs within this range:
    asset.assetID: [3546997..12945655]
  • Show the 2 listed asset IDs:
    asset.assetID: [3546997,12945655]

 

asset.criticalityScoreasset.criticalityScore

Use an integer value (1-5) to help you find assets based on specific criticality score. After the colon, enter the value.

Examples

  • Show assets with a criticality score of 5:
    asset.criticalityScore:5
  • Show assets with a criticality score of 2:
    asset.criticalityScore:2

 

asset.nameasset.name

Use quotes or backticks within values to find the asset with specified asset name. After the colon, enter the value.

Examples

  • Show assets related to the given name:
    asset.name: QK2K12QP3-65-53
  • Show assets that contain parts of the given name:
    asset.name:"QK2K12QP3-65-53"
  • Show assets that match exactly match the given name:
    asset.name:`QK2K12QP3-65-53`

asset.operatingSystemasset.operatingSystem

Use quotes or backticks within the values to find assets based on the operating system. After the colon, enter the value.

Examples

  • Show assets with the given OS name:
    asset.operatingSystem: Windows 20212
  • Show assets that contain the components of the given OS name:
    asset.operatingSystem: "Windows 20212"
  • Show assets that exactly match the given OS name:
    asset.operatingSystem:`Windows 2012`

 

accounts.usernameaccounts.username

Use a text value ##### to help you find an account username you are looking for.

Example

  • Show findings with username administrator:
    accounts.username: "administrator"

asset.truRiskasset.truRisk

Use an integer value (0-1000) to find assets based on a specific risk score. After the colon, enter the value.

Examples

  • Show assets with TruRisk score 60:
    asset.truRisk: 60
  • Show assets with TruRisk score 25:
    asset.trurisk: 25

 

hardware.categoryhardware.category

Use quotes and backticks within the values to find assets with specified hardware category. After the colon, enter the value.

Examples

  • Show all assets that include a part of the specified hardware category value:
    hardware.category: "Computer/Server"
  • Show all assets that match exactly match the specified hardware category value:
    hardware.category: `Computer/Server`

inventory.sourceinventory.source

Use text value ##### to find assets from the specified Qualys source. Select values from the drop-down.

Examples

  • Show all assets from cloud agents:
    inventory.source: Cloud Agent
  • Show all assets from passive sensor:
    inventory.source: Passive Sensor

openPorts.portopenPorts.port

Use an integer value to find assets with the specified open port. After the colon, enter the value.

Example

  • Show all assets with open port 80:
    openPorts.port: 80

 

tags.nametags.name

Use a text value to find assets with the specified tag. After the colon, enter the value.

Example

  • Show all assets with the tag name Oracle-Tags:
    tags.name: Oracle-Tags

 

Asset Inventory and Passive Sensor

accounts.usernameaccounts.username

Use a text value ##### to help you find an account username you are looking for.

Example

  • Show findings with username administrator:
    accounts.username: "administrator"

agent.activations.keyagent.activations.key

Use a text value ##### to define the agent activation key you're interested in.

Example

Show assets with agents activated using this key

agent.activations.key: "057cc48a-8d84-48eb-add4-97a605d0567d"

agent.activations.statusagent.activations.status

Select the agent activation status (ACTIVE, INACTIVE, UNSUPPORTED) you're interested in. Select from names in the drop-down menu.

Example

Show assets with active agents

agent.activations.status: ACTIVE

agent.agentIDagent.agentID

Use a text value ##### to help you find systems with a Qualys agent ID of interest.

Example

Show findings with this agent ID

asset.agentID:"0fc8e682-e9cc-4e7d-b92a-0c905d81ec74"

agent.configurationProfileagent.configurationProfile

Use values within quotes or backticks to help you find the agent configuration profile you're looking for. Quotes can be used when the value has more than one word.

Examples

Show any findings related to profile name

agent.configurationProfile: Initial Profile

Show any findings that contain parts of the name

agent.configurationProfile: "Initial Profile"

Show any findings that match exact value

agent.configurationProfile: `Initial Profile`

agent.connectedFromagent.connectedFrom

Use a text value ##### to define the external IP address a cloud agent connected from.

Example

Show findings for an external IP address that an agent connected from

agent.connectedFrom: 10.0.100.11

agent.lastActivityagent.lastActivity

Use a date range or specific date to define when last agent activity occurred.

Examples

Show last agent activity within certain dates

agent.lastActivity:[2019-01-01 ... 2019-01-15]

Show last agent activity starting 2019-01-15, ending 1 month ago

agent.lastActivity:[2019-01-15 ... now-1M]

Show last agent activity starting 2 weeks ago, ending 1 second ago

agent.lastActivity:[now-2w ... now-1s]

Show last agent activity on a specific date

agent.lastActivity:'2019-03-18'

Show last agent activity within last 30 days excluding day 30.

agent.lastActivity>now-30d

Note: We recommend not to use the NOT operator in your range search to form query like NOT agent.lastActivity:[now-30d..now-2s].  See "QQL Best Practices" topic in the Unified Dashboard Online Help.

Show last agent activity within last 30 days including day 30.

agent.lastActivity>=now-30d

Show last agent activity which is older than last 30 days excluding day 30.

agent.lastActivity<now-30d

Show last agent activity which is older than last 30 days including day 30.

agent.lastActivity<=now-30d

agent.lastInventoryagent.lastInventory

Use a date range or specific date to define when last inventory scan was performed.

Examples

Show last inventory scan within certain dates

agent.lastInventory:[2019-01-01 ... 2019-01-15]

Show last inventory scan starting 2019-01-15, ending 1 month ago

agent.lastInventory:[2019-01-15 ... now-1M]

Show last inventory scan starting 2 weeks ago, ending 1 second ago

agent.lastInventory:[now-2w ... now-1s]

Show last inventory scan on a specific date

agent.lastInventory:'2019-03-18'

Show last inventory scan  within last 30 days excluding day 30.

agent.lastInventory>now-30d

Note: We recommend not to use the NOT operator in your range search to form query like NOT agent.lastInventory:[now-30d..now-2s].  See "QQL Best Practices" topic in the Unified Dashboard Online Help.

Show last inventory scan within last 30 days including day 30.

agent.lastInventory>=now-30d

Show last inventory scan which is older than last 30 days excluding day 30.

agent.lastInventory<now-30d

Show last inventory scan which is older than last 30 days including day 30.

agent.lastInventory<=now-30d

agent.versionagent.version

Use a text value ##### to help you find agents with certain version number.

Example

Show agents of this version

asset.version:1.3.2.0

agent.swCAIdealCandidateagent.swCAIdealCandidate

Use the value to find assets on which at least one of the software components from Ruby, Node.js, Go, Rust, PHP, Python, Java Platform, Standard Edition (Java SE) is identified. The supported values are ‘true’ and ‘false’.

Example

Show assets on which at least one of the software components is identified

agent.swCAIdealCandidate:true

agent.errorStatusagent.errorStatus

Use the values true | false to define agents with or without error status.

Example

Show agents with error status

agent.errorStatus: "true"

agent.statusagent.status

Select the agent status (ACTIVE or INACTIVE) you're interested in.

Example

Show assets with active agents

agent.status: ACTIVE

agent.platformagent.platform

Use a text value ##### to find assets on Windows or Linux platforms.

Example

Show assets on windows platform

agent.platform: Windows

agent.isPassiveSensoragent.isPassiveSensor

Select the value to view assets for which the cloud agent acts as a passive sensor. The supported values are true and false.

Select true to view assets for which the cloud agent acts as a passive sensor.

Examples

Show findings to view assets for which the cloud agent acts as a passive sensor.

agent.isPassiveSensor:true

Show findings to view assets for which the cloud agent doesn't act as a passive sensor.

agent.isPassiveSensor:false

asset.hostingCategory1asset.hostingCategory1

Use a value to filter your assets based on the hosting category. The supported values are CDN, Cloud, OnPrem, and ThirdParty.

Example

Show findings with hosting catagory CDN

asset.hostingCategory1:"CDN"

asset.biosAssetTagasset.biosAssetTag

Use values within quotes or backticks to help you find assets with a certain BIOS asset tag.

Examples

Show any findings that contain this BIOS asset tag

asset.biosAssetTag:113632

Show any findings that contain parts of BIOS asset tag

asset.biosAssetTag:"113632"

Show any findings that match exact value

asset.biosAssetTag:`113632`

asset.biosDescriptionasset.biosDescription

Use values within quotes or backticks to help you find the BIOS description you're looking for.

Examples

Show any findings that contain parts of description

asset.biosDescription:"American Megatrends Inc."

Show any findings that match exact value "American Megatrends Inc."

asset.biosDescription:`American Megatrends Inc.`

asset.biosSerialNumberasset.biosSerialNumber

Use a text value ##### to help you find assets with a certain BIOS Serial Number

Example

Show findings with this BIOS Serial Number

asset.biosSerialNumber:C02S50JDFVH8

asset.cpuCountasset.cpuCount

Use an integer value ##### to help you find assets with some number of CPUs.

Example

Show assets that have 2 CPUs

asset.cpuCount:2

asset.createdasset.created

Use a date range or specific date to define when assets were created.

Note: The same token is used to find the certificates for the specified asset creation date, but the token syntax is different. See all token examples.

Examples

Show assets created within certain dates

asset.created:[2019-01-01 ... 2019-01-15]

Show assets created starting 2019-01-15, ending 1 month ago

asset.created:[2019-01-15 ... now-1M]

Show assets created starting 2 weeks ago, ending 1 second ago

asset.created:[now-2w ... now-1s]

Show assets created on a specific date

asset.created:'2019-03-18'

Show assets created  within last 30 days excluding day 30.

asset.created>now-30d

Note: We recommend not to use the NOT operator in your range search to form query like NOT asset.created:now-30d..now-2s.  See "QQL Best Practices" topic in the Unified Dashboard Online Help.

Show assets created within last 30 days including day 30.

asset.created>=now-30d

Show assets created older than last 30 days excluding day 30.

asset.created<now-30d

Show last inventoryassets created older than last 30 days including day 30.

asset.created<=now-30d

Find the certificates for the specified asset creation date

Examples for Certificate Token

Show assets created within certain dates

asset:(created: [2023-01-01 ... 2024-01-15])

Show assets created starting 2019-01-15, ending 1 month ago

asset:(created: [2019-01-15... now-1M])

Show assets created starting 2 weeks ago, ending 1 second ago

asset:(created: [now-2w ... now-1s])

Show assets created on a specific date

asset:(created: `2024-01-18`)

asset.biosHardwareUUIDasset.biosHardwareUUID

Use a text value ##### to help you find assets with a certain bios hardware UUID

Example

Show findings with this bios hardware UUID

asset.biosHardwareUUID:152FBCC6-641B-5661-9E68-DEF35D8C4B51

asset.hostIDasset.hostID

Use an integer value ##### to help you find the asset with a certain Qualys host ID (UUID), assigned by an agent or a scanner appliance when Agentless Tracking is used.

Example

Show assets having this host ID

asset.hostID:43954857

asset.lastBootasset.lastBoot

Use a date range or specific date to define when assets were last booted.

Examples

Show assets last booted within certain dates

asset.lastBoot:[2019-01-01 ... 2019-01-15]

Show assets last booted starting 2019-01-15, ending 1 month ago

asset.lastBoot:[2019-01-15 ... now-1M]

Show assets last booted starting 2 weeks ago, ending 1 second ago

asset.lastBoot:[now-2w ... now-1s]

Show assets last booted on a specific date

asset.lastBoot:'2019-03-18'

asset.lastLoggedOnUserasset.lastLoggedOnUser

Use a text value ##### to help you find assets last logged into by a user of interest.

Examples

Show assets with last logon by user asmith

asset.lastLoggedOnUser:asmith

asset.lastUpdatedasset.lastUpdated

Use a date range or specific date to find when assets were last updated.

Note: The same token is used to find the certificates for the specified asset last updated date, but the token syntax is different. See all token examples.

Examples

Show assets last updated within certain dates

asset.lastUpdated:[2019-01-01 ... 2019-01-15]

Show assets last updated starting 2019-01-15, ending 1 month ago

asset.lastUpdated:[2019-01-15... now-1M]

Show assets last updated starting 2 hours ago, ending 1 second ago

asset.lastUpdated:[now-2h ... now-1s]

Show assets last updated starting 4 hours ago, ending 1 hour ago

asset.lastUpdated:[now-4h ... now-1h]

Show assets last updated starting 2 weeks ago, ending 1 second ago

asset.lastUpdated:[now-2w ... now-1s]

Show assets last updated on a specific date

asset.lastUpdated:'2019-03-18'

Show assets updated within last 30 days excluding day 30.

asset.lastUpdated>now-30d

Note: We recommend not to use the NOT operator in your range search to form query like NOT asset.lastUpdated:[now-30d..now-2s].  See "QQL Best Practices" topic in the Unified Dashboard Online Help.

Show assets updated within last 30 days including day 30.

asset.lastUpdated>= now-30d

Show assets updated older than last 30 days excluding day 30.

asset.lastUpdated<now-30d

Show assets updated older than last 30 days including day 30.

asset.lastUpdated<=now-30d

Find the certificates for the specified asset creation date

Examples for Certificate Token

Show certificates for assets last updated within certain dates

asset:(lastUpdated: [2019-01-01 ... 2019-01-15])

Show certificates for assets last updated starting 2019-01-15, ending 1 month ago

asset:(lastUpdated: [2019-01-15... now-1M])

Show certificates for assets last updated starting 2 weeks ago, ending 1 second ago

asset:(lastUpdated: [now-2w ... now-1s])

Show certificates for assets last updated on a specific date

asset:(lastUpdated: `2024-01-18`)

asset.netbiosNameasset.netbiosName

Use a text value ##### to find the asset NetBIOS name you are interested in.

Examples

Show the asset with this name

asset.netbiosName:ACMENVT7

asset.timezoneasset.timezone

Use a text value ##### in quotes to find assets with a certain timezone set.

Example

Show assets with this timezone

asset.timezone:"-08:00"

asset.totalMemoryasset.totalMemory

Use an integer value ##### to find assets with a certain total system memory (MB).

Example

Show findings with total system memory greater than 900 MB

asset.totalMemory>900

Show findings with total system memory greater than or equal to 900 MB

asset.totalMemory>=900

Show findings with total system memory less than 300 MB

asset.totalMemory<300

Show findings with total system memory less than or equal to 300 MB

asset.totalMemory<=300

asset.trackingMethodasset.trackingMethod

Find assets with certain tracking method (ACTIVE_DIRECTORY, BMC_HELIX, DNSNAME, EASM, GCP_INSTANCE_ID, ICS_OCA, INSTANCE_ID, IP, NETBIOS, NONE, OCA, ORACLE, PASSIVE_SENSOR, QAGENT, SEM, SERVICE_NOW, THIRD_PARTY, VIRTUAL_MACHINE_ID, and WEBHOOK). Select from values in the drop-down menu.

Example

Find assets with this tracking method

asset.trackingMethod: QAGENT

asset.domainRoleasset.domainRole

Use values within quotes or backticks to help you find the assets with certain domain role (Standalone Workstation, Member Workstation, Standalone Server, Member Server, Backup Domain Controller, and Primary Domain Controller). Select from values in the drop-down menu.

Examples

Show any findings that contain parts of name

asset.domainRole:"Member Ser"

Show any findings that match exact value "Member Server"

asset.domainRole:`Member Server`

asset.typeasset.type

Find assets of a certain type (SCANNER and HOST). Select from the asset types in the drop-down menu.

Example

Find assets of type host

asset.type: `HOST`

asset.lastLocationasset.lastLocation

Use a text value ##### to find assets based on last location.

Example

Show assets with last location as Redwood City, California - United States

asset.lastLocation: 'Redwood City, California - United States'

Example

Show assets with last location with exact string

asset.lastLocation: `Redwood City, California - United States`

asset.lastLocation.continentasset.lastLocation.continent

Use a text value ##### to find assets based on continent of the last location.

Example

Show assets with last location continent as North America

asset.lastLocation.continent: North America

asset.lastLocation.countryasset.lastLocation.country

Use a text value ##### to find assets based on country of the last location.

Example

Show assets with last location country as United States

asset.lastLocation.country: United States

asset.lastLocation.stateasset.lastLocation.state

Use a text value ##### to find assets based on state of the last location.

Example

Show assets with last location state as California

asset.lastLocation.state: California

asset.lastLocation.cityasset.lastLocation.city

Use a text value ##### to find assets with city of the last location.

Example

Show assets with assigned location city as Miami

asset.lastLocation.city: Miami

asset.lastLocation.postalasset.lastLocation.postal

Use an integer value ##### to find the assets based on postal of the last location.

Example

Show assets with last location postal as 94065

asset.lastLocation.postal: 94065

asset.operationalStatusasset.operationalStatus

Use a text value ##### to find assets based on operational status.

Example

Show assets with operational status as Repair

asset.operationalStatus: Repair

asset.environmentasset.environment

Use a text value ##### to find assets based on environment.

Example

Show assets with environment as Production

asset.environment: Production

asset.ownedByasset.ownedBy

Use values within quotes or backticks to find assets owned by the specific user.

Examples

Show any findings that contain parts of name

asset.ownedBy:"Joey"

Show any findings that match exact value "Joey Bolick"

asset.ownedBy:`Joey Bolick`

asset.managedByasset.managedBy

Use values within quotes or backticks to find assets managed by the specific user.

Examples

Show any findings that contain parts of name

asset.managedBy:"Byron"

Show any findings that match exact value "Byron Fortuna"

asset.managedBy:`Byron Fortuna`

asset.supportedByasset.supportedBy

Use values within quotes or backticks to help you find assets supported by the specific user.

Examples

Show any findings that contain parts of name

asset.supportedBy:"John"

Show any findings that match exact value "John Doe"

asset.supportedBy:`John Doe`

asset.supportGroupasset.supportGroup

Use values within quotes or backticks to find assets with the specific support group.

Note: The same token is used to find the certificates for assets with the specified support group, but the token syntax is different. See all token examples.

Examples

Show any findings that contain parts of name

asset.supportGroup:"Compliance"

Show any findings that match exact value "Compliance Managers"

asset.supportGroup:`Compliance Managers`

Find the certificates for assets with the specified support group.

Examples for Certificate Token

Show any findings that contain parts of name

asset:(supportGroup:"Compliance")

Show any findings that match exact value "Compliance Managers"

asset:(supportGroup:`Compliance Managers`)

asset.org.nameasset.org.name

Use values within quotes or backticks to find the assets associated with the specific organization.

Note: The same token is used to find the certificates for assets with the specified org name, but the token syntax is different. See all token examples.

Examples

Show assets details that match the exact value of the organization name

asset.org.name: `Qualys, Inc.`

Show assets details that contain parts of the organization name

asset.org.name: "Qualys,"

Find tcertificates for assets with the specified org name

Examples for Certificate Token

Show assets details that match the exact value of the organization name

asset:(org.name: `Qualys, Inc.`)

Show assets details that contain parts of the organization name

asset:(org.name: "Qualys,")

asset.org.companyasset.org.company

Use a text value ##### to find assets associated with specific company.

Example

Show assets with company as Qualys

asset.org.company: Qualys

asset.org.departmentasset.org.department

Use a text value ##### to help you find assets associayed with specific department.

Example

Show assets with department as Development

asset.org.department: Development

asset.ispasset.isp

Use values within quotes or backticks to help you find the assets associated with the Internet Service Provider (ISP) name you are looking for.

Note: The same token is used to find the certificates for assets with the specified ISP, but the token syntax is different. See all token examples.

Examples

Show assets that match the exact ISP name

asset.isp: `amazon.com, Inc.`

Show assets that are with the parts of the ISP name

asset.isp: "amazon.com,"

Find the certificates for assets with the specified ISP

Examples for Certificate Token

Show certificates that match the exact ISP name

asset:(isp: `amazon.com, Inc.`)

Show certificates that are with the parts of the ISP name

asset:(isp: "amazon.com,")

asset.asnasset.asn

Use values within quotes or backticks to find the assets with the specific ASN value you are looking for.

Examples

Show assets that match the exact value of ASN

asset.asn: `AS8075`

Show assets that are with the parts of the ASN

asset.asn: "AS807"

asset.domainasset.domain

Use values within quotes or backticks to help you find the assets with their domain.

Note: The same token is used to find the certificates for assets with the specified domain, but the token syntax is different. See all token examples.

Examples

Show assets that match the exact value of the domain

asset.domain: `qualys.com`

Show assets that contain parts of the domain

asset.domain: "qualys."

Find the certificates for assets with the specified domain

Examples for Certificate Token

Show certificates for assets that match the exact value of the domain

asset:(domain: `qualys.com`)

Show certificates for assets that contain parts of the domain

asset:(domain: "qualys.")

asset.subdomainasset.subdomain

Use values within quotes or backticks to help you find assets using their subdomains.

Note: The same token is used to find the certificates for assets with the specified subdomain, but the token syntax is different. See all token examples.

Examples

Show assets that match the exact value of the subdomains

asset.subdomain: `doc.qualys.com`

Show assets that contain the parts of the subdomains

asset.subdomain: "doc.qualys."

Find certificates that match the exact value of the subdomains

asset:(subdomain: `doc.qualys.com`)

Find certificates that contain the parts of the subdomains

asset:(subdomain: "doc.qualys.")

asset.assignedLocation.nameasset.assignedLocation.name

Use values within quotes or backticks to find assets with name of the assigned location.

Examples

Show any findings that contain parts of name

asset.assignedLocation.name:"401 Biscayne St, Miami"

Show any findings that match exact value "401 Biscayne St, Miami FL"

asset.assignedLocation.name:`401 Biscayne St, Miami FL`

asset.assignedLocation.cityasset.assignedLocation.city

Use a text value ##### to find assets with city of the assigned location.

Example

Show assets with assigned location city as Miami

asset.assignedLocation.city: Miami

asset.assignedLocation.stateasset.assignedLocation.state

Use a text value ##### to find assets with state of the assigned location.

Example

Show assets with assigned location state as FL

asset.assignedLocation.state: FL

asset.assignedLocation.countryasset.assignedLocation.country

Use a text value ##### to find assets with country of the assigned location.

Example

Show assets with assigned location country as USA

asset.assignedLocation.country: USA

asset.hasMissingSoftwareasset.hasMissingSoftware

Use the values true | false to find assets missing software.

Example

Show asset that has a missing software

asset.hasMissingSoftware: "true"

asset.isContainerHostasset.isContainerHost

Use the values true | false to find assets hosting containers.

Example

Show assets that host containers

asset.isContainerHost: "true"

businessApp.namebusinessApp.name

Use values within quotes or backticks to define the business application name you're looking for.

Examples

Show any findings that contain parts of name

businessApp:(name:"HR")

Show any findings that match exact value "HR Intranet"

businessApp:(name:`HR Intranet`)

businessApp.idbusinessApp.id

Use a text value ##### to define business application using unique ID.

Example

Show findings with business app ID as APP007

businessApp:(id:APP007)

businessApp.operationalStatusbusinessApp.operationalStatus

Use a text value ##### to define business applications based on operational status.

Example

Show business applications with operational status as Installed

businessApp:(operationalStatus: Installed)

businessApp.businessCriticalitybusinessApp.businessCriticality

Use values within quotes or backticks to define the business application you are looking for.

Examples

Show any findings that contain parts of name

businessApp:(businessCriticality:"1 - most")

Show any findings that match exact value "1 - most critical"

businessApp:(businessCriticality:`1 - most critical`)

businessApp.environmentbusinessApp.environment

Use a text value ##### to define business application based on environment.

Example

Show assets with business application environment as Production

businessApp:(environment: Production)

businessApp.ownedBybusinessApp.ownedBy

Use values within quotes or backticks to define business applications owned by specific user.

Examples

Show any findings that contain parts of name

businessApp:(ownedBy:"Joey")

Show any findings that match exact value "Joey Bolick"

businessApp:(ownedBy:`Joey Bolick`)

businessApp.managedBybusinessApp.managedBy

Use values within quotes or backticks to define business applications managed by specific user.

Examples

Show any findings that contain parts of name

businessApp:(managedBy:"Byron")

Show any findings that match exact value "Byron Fortuna"

businessApp:(managedBy:`Byron Fortuna`)

businessApp.supportedBybusinessApp.supportedBy

Use values within quotes or backticks to define business applications supported by specifc user.

Examples

Show any findings that contain parts of name

businessApp:(supportedBy:"John")

Show any findings that match exact value "John Doe"

businessApp:(supportedBy:`John Doe`)

businessApp.supportGroupbusinessApp.supportGroup

Use a text value ##### to define business applications associated with specific support group.

Example

Show assets with business application support group as Security

businessApp:(supportGroup: Security)

qualysCorrelationIDqualysCorrelationID

Use a text value ##### to find assets with Qualys Correlation ID.

Examples

Show assets with this correlation ID

qualysCorrelationID: 0f1b031712682e27cca306e4a2a9e3144696ac099b08fcdf76ccb6f3647ec058

Show assets without any correlation ID

qualysCorrelationID: UNIDENTIFIED

Show all assets with correlation ID

qualysCorrelationID: *

caps.leadercaps.leader

Use a string value ##### to specify the agent uuid to find assets detected by the cap leader with the specified agent uuid. 

Example

Show assets detected by the following agent uuid.

caps.leader:ac49f3eb-e1ab-4947-9dc3-4bd2c3eea114

Show assets detected by the following agent uuid.

caps.leader:"ac49f3eb-e1ab-4947-9dc3-4bd2c3eea114"

Show assets detected by the following agent uuid.

caps.leader:`ac49f3eb-e1ab-4947-9dc3-4bd2c3eea114'

connectors.connector.nameconnectors.connector.name

Enter the connector name you are interested in by using a text value ##### to show findings detected by the specific connector.

Example

Show findings detected by connector name myec2

connectors.connector.name: myec2

connectors.connectorIdconnectors.connectorId

Enter the connector ID that is an integer value ##### to find assets sourced from a specific connector created by the user.

Note: This token is for the new feature, Third-Party Asset Identification, which is in the Beta phase. The feature is in early stage and only available on a request basis. Contact your Technical Account Manager (TAM) for more information.

Example

Show findings with this connector ID

connectors.connectorId:1278237

connectors.firstDiscoveredconnectors.firstDiscovered

Use a date range or specific date to define when connectors were first discovered.

Examples

Show connectors found within certain dates

connectors:(firstDiscovered: [2019-01-01 ... 2019-01-15])

Show connectors found starting 2019-01-15, ending 3 months ago

connectors:(firstDiscovered: [2019-01-15 ... now-3M])

Show connectors found starting 2 weeks ago, ending 1 second ago

connectors:(firstDiscovered: [now-2w ... now-1s])

Show connectors found on a specific date

connectors:(firstDiscovered:'2019-03-18')

Show connectors found within last 30 days excluding day 30.

connectors:(firstDiscovered>now-30d)

Note: We recommend not to use the NOT operator in your range search to form query like NOT connectors:(firstDiscovered:[now-30d..now-2s]).  See "QQL Best Practices" topic in the Unified Dashboard Online Help.

Show connectors discovered within last 30 days including day 30.

connectors:(firstDiscovered>= now-30d)

Show connectors dicovered older than last 30 days excluding day 30.

connectors:(firstDiscovered<now-30d)

Show  connectors found older than last 30 days including day 30.

connectors:(firstDiscovered<=now-30d)

connectors.lastDiscoveredconnectors.lastDiscovered

Use a date range or specific date to define when connectors were last discovered.

Examples

Show connectors last discovered within certain dates

connectors:(lastDiscovered: [2019-01-01 ... 2019-01-15])

Show connectors discovered starting 2019-01-15, ending 3 months ago

connectors:(lastDiscovered: [2019-01-15 ... now-3M])

Show connectors discovered starting 2 weeks ago, ending 1 second ago

connectors:(lastDiscovered: [now-2w ... now-1s])

Show connectors discovered on a specific date

connectors:(lastDiscovered:'2019-03-18')

Show connectors discovered within last 30 days excluding day 30.

connectors:(lastDiscovered>now-30d)

Note: We recommend not to use the NOT operator in your range search to form query like NOT connectors:(lastDiscovered:[now-30d..now-2s]).  See "QQL Best Practices" topic in the Unified Dashboard Online Help.

Show connectors discovered within last 30 days including day 30.

connectors:(lastDiscovered>= now-30d)

Show connectors dicovered older than last 30 days excluding day 30.

connectors:(lastDiscovered<now-30d)

Show  connectors found older than last 30 days including day 30.

connectors:(lastDiscovered<=now-30d)

customAttributes.connectorIdcustomAttributes.connectorId

Provide the value to identify your assets based on the connector Id. Enter the connector Id as 0, which is the default connector Id for connector 'Qualys'.

Example

Find assets for connector 'Qualys'

customAttributes:(connectorId:0)

customAttributes.keycustomAttributes.key

Provide the value to identify your assets based on the key entered as part of the custom attribute.

Example

Find assets with "Department" as part of the key name

customAttributes:(key:"Department")

The result includes assets with the 'Department' custom attribute key.

Note: If 'Department' is part of the key name, such as Department 1, Department A-C, or Department US, those assets are also included in the result.

customAttributes.valuecustomAttributes.value

Provide the value to identify your assets based on the value entered as part of the custom attribute.

Example

Find assets with "DEVOPS" as part of the key value

customAttributes:(value:"DEVOPS")

The result includes assets with the 'DEVOPS' custom attribute value.

Note: If 'DEVOPS' is part of the value name, such as DEVOPS CSAM, DEVOPS CA, or DEVOPS PM, those assets are also included in the result.

container.hasSensorcontainer.hasSensor

Use the values true | false to choose whether to show container hosts that have the Container Sensor installed.

Example

Show container hosts with container sensor installed.

container.hasSensor:"true"

container.noOfImagescontainer.noOfImages

Use an integer value ##### to find assets with some number of container images. The value is displayed only for VM scan or Agent scan (and not for sensors).

Example

Show findings with 5 container images

container.noOfImages:5

container.noOfContainerscontainer.noOfContainers

Use an integer value ##### to find assets with some number of containers. The value is displayed only for VM scan or Agent scan (and not for sensors).

Example

Show findings with 2 containers

container.noOfContainers:2

container.versioncontainer.version

Use a text value ##### to find containers with certain version number.

Example

Show containers of this version

container.version:1.6

container.productcontainer.product

Use a text value ##### to define the container product.

Examples

Show container product

container.product: CONTAINERD

Show container product

container.product: DOCKER

easm.tags.nameeasm.tags.name

Provide the value to filter assets based on tags discovered
through EASM.

Example

Find assets with "cloud" tag

easm.tags.name: cloud

hardwarehardware

Use values within quotes or backticks to help you find the hardware name you're looking for.

Examples

Show any findings that contain parts of name

hardware:"Dell Latitude e7470"

Show any findings that match exact value

hardware:`Dell Latitude e7470`

hardware.categoryhardware.category

Use values within quotes or backticks to help you find the hardware category you're looking for.

Examples

Show any findings that match exact value

hardware.category:Printers/Laser

hardware.category1hardware.category1

Use text value ##### to find assets with hardware category 1 value.

Example

If you are searching for assets that are laser printers, then category1 is Printers and category2 is Laser.

Show any findings that match exact value

hardware.category1:Printers

hardware.category2hardware.category2

Use text value ##### to find assets with hardware category 2 value.

Example

If you are searching for assets that are laser printers, then category1 is Printers and category2 is Laser.

Show any findings that match exact value

hardware.category2:Laser

hardware.lifecycle.gahardware.lifecycle.ga

Use a date range or specific date to define a hardware general availability date of interest.

Examples

Show findings with hardware GA date in this date range

hardware.lifecycle.ga:[2019-01-01 ... 2019-01-15]

Show findings with hardware GA date starting 2019-01-15, ending 1 month ago

hardware.lifecycle.ga:[2019-01-15 ... now-1M]

Show findings with hardware GA date starting 2 weeks ago, ending 1 second ago

hardware.lifecycle.ga:[now-2w ... now-1s]

Show findings with this hardware GA date

hardware.lifecycle.ga:'2019-03-18'

hardware.lifecycle.introhardware.lifecycle.intro

Use a date range or specific date to define a hardware introduction date of interest.

Examples

Show findings with hardware introduction date in this date range

hardware.lifecycle.intro:[2019-01-01 ... 2019-01-15]

Show findings with hardware introduction date starting 2019-01-15, ending 1 month ago

hardware.lifecycle.intro:[2019-01-15 ... now-1M]

Show findings with hardware introduction date starting 2 weeks ago, ending 1 second ago

hardware.lifecycle.intro:[now-2w ... now-1s]

Show findings with this hardware introduction date

hardware.lifecycle.intro:'2019-03-18'

hardware.lifecycle.eoshardware.lifecycle.eos

Use a date range or specific date to define a hardware End-of-Sale date of interest.

Examples

Show findings with hardware End-of-Sale date in this date range

hardware.lifecycle.eos:[2019-01-01 ... 2019-01-15]

Show findings with hardware End-of-Sale date starting 2019-01-15, ending 1 month ago

hardware.lifecycle.eos:[2019-01-15 ... now-1M]

Show findings with hardware End-of-Sale date starting 2 weeks ago, ending 1 second ago

hardware.lifecycle.eos:[now-2w ... now-1s]

Show findings with this hardware End-of-Sale date

hardware.lifecycle.eos:'2019-03-18'

hardware.lifecycle.obshardware.lifecycle.obs

Use a date range or specific date to define a hardware obsolete date of interest.

Examples

Show findings with hardware obsolete date in this date range

hardware.lifecycle.obs:[2019-01-01 ... 2019-01-15]

Show findings with hardware obsolete date starting 2019-01-15, ending 1 month ago

hardware.lifecycle.obs:[2019-01-15 ... now-1M]

Show findings with hardware obsolete date starting 2 weeks ago, ending 1 second ago

hardware.lifecycle.obs:[now-2w ... now-1s]

Show findings with this hardware obsolete date

hardware.lifecycle.obs:'2019-03-18'

hardware.lifecycle.stagehardware.lifecycle.stage

Use a text value ##### in quotes to define the hardware lifecycle stage (INTRO, GA, EOS, OBS).

Example

Show End-of-Sale hardware

hardware.lifecycle.stage:"EOS"

hardware.manufacturerhardware.manufacturer

Use values within quotes or backticks to find assets having a certain hardware manufacturer.

Example

Show any findings that match exact value "Dell"

hardware.manufacturer:`Dell`

hardware.modelhardware.model

Use values within quotes or backticks to find assets having a certain hardware model.

Example

Show any findings that match exact value "e7470"

hardware.model:`De7470`

hardware.producthardware.product

Use values within quotes or backticks to find assets having a certain hardware product.

Example

Show any findings that match exact value "Latitude"

hardware.product:`Latitude`

interfaces:(addressinterfaces:(address

Use values to define an IP address you are interested in.

Examples

Show the exact match of the IP address

interfaces:(address:`10.10.100.20`)

Show any findings that contain parts of the IP address

interfaces:(address:"10.10.100.2")

interfaces:(address: 10.10.100.2)

interfaces:(dnsAddressinterfaces:(dnsAddress

Use a text value ##### to define a DNS address you are interested in.

Example

Show the asset with DNS address 10.0.100.11

interfaces:(dnsAddress:10.0.100.11)

interfaces:(gatewayAddressinterfaces:(gatewayAddress

Use a text value ##### to find assets with a certain default gateway address.

Example

Show assets with this default gateway address

interfaces:(gatewayAddress:10.11.65.1)

interfaces:(hostnameinterfaces:(hostname

Use values within quotes or backticks to find the hostname you are looking for.

Examples

Show any findings related to name

interfaces:(hostname: xpsp2-jp-26-111)

Show any findings that contain parts of name

interfaces:(hostname: "xpsp2-jp-26-111")

Show any findings that match exact value "xpsp2-jp-26-111"

interfaces:(hostname: `xpsp2-jp-26-111`)

Show any findings related to name (we'll match super domains)

interfaces:(hostname: qcentos71sqp3.rdlab.acme.com)

Show any findings that match exact value "qcentos71sqp3.rdlab.acme.com"

interfaces:(hostname: `qcentos71sqp3.rdlab.acme.com`)

Show findings according to values entered in the square brackets.

Note: You can add multiple values in []. However, it's important to understand that partial values are not supported. You must enter the exact match value.

Example with correct syntax - interfaces:(hostname: [win7-181, bridge.vuln.qa.qualys.com])

Example with incorrect syntax - interfaces:(hostname: [win7, bridge.vuln.qa])

interfaces:(interfaceNameinterfaces:(interfaceName

Use a text value ##### to find a certain interface name.

Example

Show the asset with name PRO/1000

interfaces:(interfaceName:PRO/1000)

interfaces:(macAddressinterfaces:(macAddress

Use values within quotes to find a MAC address you are interested in.

Example

Show the asset with this MAC address

interfaces:(macAddress:"00:50:56:A9:73:5A")

interfaces:(manufacturerinterfaces:(manufacturer

Use values within quotes to find the interface hardware manufacturer you are interested in.

Example

Show the asset with interface hardware manufacturer

interfaces:(manufacturer:"Apple")

interfaces:(netmaskinterfaces:(netmask

Use values to find the IP addresses from a particular class or range of IP addresses you are interested in.

Example

Show the assets with the following netmask

interfaces:(netmask:255.255.255.0)

inventory:(createdinventory:(created

Use a date range or specific date to define when assets were created (i.e. when first scanned by a scanner appliance, or when agent was installed).

Examples

Show assets created within certain dates

inventory:(created: [2019-01-01 ... 2019-01-15])

Show assets created starting 2019-01-15, ending 1 month ago

inventory:(created: [2019-01-15 ... now-1M])

Show assets created starting 2 weeks ago, ending 1 second ago

inventory:(created: [now-2w ... now-1s])

Show assets created on specific date

inventory:(created: '2019-03-18')

Show assets createdwithin last 30 days excluding day 30.

inventory:(created>now-30d)

Note: We recommend not to use the NOT operator in your range search to form query like NOT inventory.(created:[now-30d..now-2s].  See "QQL Best Practices" topic in the Unified Dashboard Online Help.

Show assets created within last 30 days including day 30.

inventory:(created>=now-30d)

Show assets created older than last 30 days excluding day 30.

inventory:(created<now-30d)

Show  assets created older than last 30 days including day 30.

inventory:(created<=now-30d)

inventory:(lastUpdatedinventory:(lastUpdated

Use a date range or specific date to define when assets were updated (i.e. when re-scanned by a scanner appliance, or when host data uploaded to the cloud platform by an agent).

Examples

Show assets updated within certain dates

inventory:(lastUpdated: [2019-01-01 ... 2019-01-15])

Show assets updated starting 2019-01-15, ending 3 months ago

inventory:(lastUpdated: [2019-01-15 ... now-3M])

Show assets updated starting 2 weeks ago, ending 1 second ago

inventory:(lastUpdated: [now-2w ... now-1s])

Show assets updated on a specific date

inventory:(lastUpdated:'2019-03-18')

Show assets updated within last 30 days excluding day 30.

inventory:(lastUpdated>now-30d)

Note: We recommend not to use the NOT operator in your range search to form query like NOT inventory:(lastUpdated:[now-30d..now-2s].  See "QQL Best Practices" topic in the Unified Dashboard Online Help.

Show assets updated within last 30 days including day 30.

inventory:(lastUpdated>=now-30d)

Show assets updated which is older than last 30 days excluding day 30.

inventory:(lastUpdated<now-30d)

Show assets updated which is older than last 30 days including day 30.

inventory:(lastUpdated<=now-30d)

missingSoftware.category1missingSoftware.category1

Use text value ##### to find the missing software category 1 value you are looking for.

Example

If you are searching for assets missing testing software, then category1 is Application Development and category2 is Testing.

Show any findings that match exact value

missingSoftware.category1:Application Development

missingSoftware.category2missingSoftware.category2

Use text value ##### to find the missing software category 2 value you are looking for.

Example

If you are searching for assets missing testing software, then category1 is Application Development and category2 is Testing.

Show any findings that match exact value

missingSoftware.category2:Testing

missingSoftware.publishermissingSoftware.publisher

Use a text value ##### to find a software without publisher.

Example

Show findings without this software publisher

missingSoftware.publisher:Microsoft

missingSoftware.detectionScoremissingSoftware.detectionScore

Use a text value ##### to show findings that match the missing software detection score.

Examples

Show findings with the the missing software detection score

missingSoftware.detectionScore: 50)

Show findings with the missing software detection score

missingSoftware.detectionScore>50)

Show findings with the missing software detection score

missingSoftware.detectionScore<50)

Show findings with the missing software detection score

missingSoftware.detectionScore>=50)

Show findings with the missing software detection score

missingSoftware.detectionScore<=50)

missingSoftware.productmissingSoftware.product

Use a text value ##### to find a software without product name.

Example

Show findings with this exact product name

missingSoftware.product:Office

missingSoftware.namemissingSoftware.name

Use values within quotes or backticks to help you find the missing software name you're looking for. Quotes can be used when the value has more than one word.

Examples

Show any findings with this name

missingSoftware.name: VMware Tools

Show any findings that contain parts of name

missingSoftware.name: "VMware Tools"

Show any findings that match exact value

missingSoftware.name: `VMware Tools`

Find assets with certain tag and missing software

tags.name: `Cloud Agent` AND missingSoftware.name: `Cisco AnyConnect Secure Mobility Client` AND version: `3.1.12345`

passiveSensor.idpassiveSensor.id

 

Use an integer value ##### to help you find assets sensed by a certain sensor ID.

Example

Show this sensor ID

passiveSensor.id:"003687557369:1654660042:3809075:704:1654660042:3809075:704"

passiveSensor.locationpassiveSensor.location

Use a text value ##### to help you find assets based on specific sensor location.

Examples

Show assets with sensor location (appliance location label) as SanJose1

passiveSensor.location:"SanJose1"

passiveSensor.namepassiveSensor.name

Use a text value ##### to help you find assets based on specific sensor name.

Examples

Show assets with sensor name as ITCorp-appliance

passiveSensor.name:"ITCorp-appliance"

inventory:(sourceinventory:(source

Use a text value ##### to help you find assets from a certain Qualys source. (API, Active Directory, Appliance, Azure, BMC Helix, CAPS, CMDB, Cloud Agent, EASM, EC2, GCP, ICS OCA, IP Scanner, Malware Domain, Mobility Scanner, OCA, OCI, Passive Sensor, ServiceNow, WMWare vSphere, VMware ESXi, and Webhook) Select from values in the drop-down menu.

Examples

Show findings from cloud agents

inventory:(source: Cloud Agent)

Show findings from Passive Sensor

inventory:(source: Passive Sensor)

openPorts:(descriptionopenPorts:(description

Use values within quotes or backticks to help you find the service description detected on an open port.

Examples

Show any findings with this description

openPorts:(description: Windows Remote Desktop)

Show any findings that contain parts of description

openPorts:(description: "Windows Remote Desktop")

Show any findings that match exact value "Windows Remote Desktop"

openPorts:(description: `Windows Remote Desktop`)

openPorts:(detectedServiceopenPorts:(detectedService

Use values within quotes or backticks to help you find the detected service you're looking for.

Examples

Show any findings with this service name

openPorts:(detectedService: win_remote_desktop)

Show any findings that contain parts of name

openPorts:(detectedService: "win_remote_desktop")

Show any findings that match exact value "win_remote_desktop"

openPorts:(detectedService: `win_remote_desktop`)

openPorts:(firstFoundopenPorts:(firstFound

Use a date range or specific date to define when open ports were first found.

Examples

Show open ports found within certain dates

openPorts:(firstFound: [2019-01-01 ... 2019-01-15])

Show open ports found starting 2019-01-15, ending 3 months ago

openPorts:(firstFound: [2019-01-15 ... now-3M])

Show open ports found starting 2 weeks ago, ending 1 second ago

openPorts:(firstFound: [now-2w ... now-1s])

Show open ports found on a specific date

openPorts:(firstFound:'2019-03-18')

Show open ports found within last 30 days excluding day 30.

openPorts:(firstFound>now-30d)

Note: We recommend not to use the NOT operator in your range search to form query like NOT openPorts:(firstFound:[now-30d..now-2s]).  See "QQL Best Practices" topic in the Unified Dashboard Online Help.

Show assets updated within last 30 days including day 30.

openPorts:(firstFound>= now-30d)

Show open ports found older than last 30 days excluding day 30.

aopenPorts:(firstFound<now-30d)

Show  open ports found older than last 30 days including day 30.

openPorts:(firstFound<=now-30d)

openPorts:(lastUpdatedopenPorts:(lastUpdated

Use a date range or specific date to define when open ports were last updated.

Examples

Show open ports last updated within certain dates

openPorts:(lastUpdated:[2019-01-01 ... 2019-01-15])

Show open ports last updated starting 2019-01-15, ending 1 month ago

openPorts:(lastUpdated:[2019-01-15 ... now-1M])

Show open ports last updated starting 2 weeks ago, ending 1 second ago

openPorts:(lastUpdated:[now-2w ... now-1s])

Show open ports last updated on a specific date

openPorts:(lastUpdated:'2019-03-18')

Show open ports found within last 30 days excluding day 30.

openPorts:(lastUpdated>now-30d)

Note: We recommend not to use the NOT operator in your range search to form query like NOT openPorts.(lastUpdated:[now-30d..now-2s]).  See "QQL Best Practices" topic in the Unified Dashboard Online Help.

Show assets updated within last 30 days including day 30.

openPorts:(lastUpdated>= now-30d)

Show open ports found older than last 30 days excluding day 30.

aopenPorts:(lastUpdated<now-30d)

Show  open ports found older than last 30 days including day 30.

openPorts:(lastUpdated<=now-30d)

openPorts:(portopenPorts:(port

Use an integer value ##### to help you find assets with some open port.

Example

Show assets with open port 80

openPorts:(port:80)

openPorts:(protocolopenPorts:(protocol

Use a text value ##### (UDP or TCP) to define the port protocol you're interested in.

Examples

Show findings found on TCP

openPorts:(protocol: TCP)

Show findings found on port 80 and TCP

openPorts:(port: 80 AND protocol: TCP)

openPorts:(detectionScoreopenPorts:(detectionScore

Filter the open ports based on the QDS score.

Examples

Show open ports based on the following QDS score

openPorts:(detectionScore: 80)

Show open ports based on the following QDS score

openPorts:(detectionScore>80)

Show open ports based on the following QDS score

openPorts:(detectionScore<80)

Show open ports based on the following QDS score

openPorts:(detectionScore>=80)

openPorts:(discoverySourcesopenPorts:(discoverySources

Use a text value ##### to find open ports detected from a certain discovery source. (Active Directory, BMC Helix, CMDB, Cloud Agent, EASM, ICS OCA, IP Scanner, OCA, Passive Sensor, ServiceNow, Unknown, and Webhook) Select from values in the drop-down menu.

Examples

Show findings from cloud agents

openPorts:(discoverySources: Cloud Agent)

Show findings from Passive Sensor

openPorts:(discoverySources: CMDB)

openPorts:(authorizationopenPorts:(authorization

Use the values Authorized, Unauthorized, or Needs Review to filter the ports.

Example

Show open ports that are marked Authorized

openPorts:(authorization: "Authorized")

operatingSystem.architectureoperatingSystem.architecture

Use text value ##### to  find the operating system architecture you are looking for, i.e. 32-Bit or 64-Bit.

Example

Show any findings that match exact value

operatingSystem.architecture:64-Bit

operatingSystem.categoryoperatingSystem.category

Use text value ##### to help you find the full operating system category name you're looking for, i.e. Windows, Unix, Linux, Mac and more.

Example

Show any findings that match exact value

operatingSystem.category:Windows/Embedded

operatingSystem.category1operatingSystem.category1

Use text value ##### to find the operating system category 1 value you're looking for.

Example

Show any findings that match exact value

If you are searching for assets with Windows Embedded operating system, then category1 is Windows and category2 is Embedded.

operatingSystem.category1:Windows

operatingSystem.category2operatingSystem.category2

Use values within quotes or backticks to find the operating system category 1 value you are looking for.

Example

If you are searching for assets with Windows Embedded operating system, then category1 is Windows and category2 is Embedded.

Show any findings that match exact value

operatingSystem.category2:Embedded

operatingSystem.editionoperatingSystem.edition

Use text value ##### to find the operating system edition you're looking for.

Example

Show any findings that match exact value

operatingSystem.edition:Enterprise

operatingSystem.installDateoperatingSystem.installDate

Use a date range or specific date to define an operating system install date of interest.

Examples

Show findings with operating system install date in this date range

operatingSystem.installDate:[2019-01-01 ... 2019-01-15]

Show findings with operating system install date starting 2019-01-15, ending 1 month ago

operatingSystem.installDate:[2019-01-15 ... now-1M]

Show findings with operating system install date starting 2 weeks ago, ending 1 second ago

operatingSystem.installDate:[now-2w ... now-1s]

Show findings with this operating system install date

operatingSystem.installDate:'2019-03-18'

Show findings with this operating system install date within last 30 days excluding day 30.

operatingSystem.installDate>now-30d

Note: We recommend not to use the NOT operator in your range search to form query like NOT operatingSystem.installDate:[now-30d..now-2s].  See "QQL Best Practices" topic in the Unified Dashboard Online Help.

Show findings with this operating system install date within last 30 days including day 30.

operatingSystem.installDate>= now-30d

Show findings with this operating system install date older than last 30 days excluding day 30.

operatingSystem.installDate<now-30d

Show  findings with this operating system install date older than last 30 days including day 30.

operatingSystem.installDate<=now-30d

operatingSystem.lifecycle.gaoperatingSystem.lifecycle.ga

Use a date range or specific date to define an OS general availability date of interest.

Examples

Show findings with OS GA date in this date range

operatingSystem.lifecycle.ga:[2019-01-01 ... 2019-01-15]

Show findings with OS GA date starting 2019-01-15, ending 1 month ago

operatingSystem.lifecycle.ga:[2019-01-15 ... now-1M]

Show findings with OS GA date starting 2 weeks ago, ending 1 second ago

operatingSystem.lifecycle.ga:[now-2w ... now-1s]

Show findings with this OS GA date

operatingSystem.lifecycle.ga:'2019-03-18'

operatingSystem.lifecycle.detectionScoreoperatingSystem.lifecycle.detectionScore

Use a text value ##### to show findings that match the specified operating system lifecycle detection score.

Examples

Show findings with the the operating system lifecycle detection score

operatingSystem.lifecycle.detectionScore: 20)

Show findings with the operating system lifecycle detection score

operatingSystem.lifecycle.detectionScore>20)

Show findings with the operating system lifecycle detection score

operatingSystem.lifecycle.detectionScore<20)

Show findings with the operating system lifecycle detection score

operatingSystem.lifecycle.detectionScore>=20)

Show findings with the operating system lifecycle detection score

operatingSystem.lifecycle.detectionScore<=20)

operatingSystem.lifecycle.eoloperatingSystem.lifecycle.eol

Use a date range or specific date to define an operating system End-of-Life date of interest.

Examples

Show findings with operating system End-of-Life date in this date range

operatingSystem.lifecycle.eol:[2019-01-01 ... 2019-01-15]

Show findings with operating system End-of-Life date starting 2019-01-15, ending 1 month ago

operatingSystem.lifecycle.eol:[2019-01-15 ... now-1M]

Show findings with operating system End-of-Life date starting 2 weeks ago, ending 1 second ago

operatingSystem.lifecycle.eol:[now-2w ... now-1s]

Show findings with this operating system End-of-Life date

operatingSystem.lifecycle.eol:'2019-03-18'

operatingSystem.lifecycle.eosoperatingSystem.lifecycle.eos

Use a date range or specific date to define an operating system End-of-Support date of interest.

Examples

Show findings with operating system End-of-Support date in this date range

operatingSystem.lifecycle.eos:[2019-01-01 ... 2019-01-15]

Show findings with operating system End-of-Support date starting 2019-01-15, ending 1 month ago

operatingSystem.lifecycle.eos:[2019-01-15 ... now-1M]

Show findings with operating system End-of-Support date starting 2 weeks ago, ending 1 second ago

operatingSystem.lifecycle.eos:[now-2w ... now-1s]

Show findings with this operating system End-of-Support date

operatingSystem.lifecycle.eos:'2019-03-18'

operatingSystem.lifecycle.stageoperatingSystem.lifecycle.stage

Use a text value ##### to define an OS lifecycle stage you're looking for, i.e. active, eol, obsolete.

Examples

Show findings having this OS lifecycle stage

operatingSystem.lifecycle.stage:eol

Show findings with OS category Windows and OS lifecycle stage "active"

operatingSystem:(category:Windows AND lifecycle.stage:eol)

operatingSystem.marketVersionoperatingSystem.marketVersion

Use text value ##### to find the operating system market version, e.g. Windows OS.

Example

Show any findings that match exact value

operatingSystem.marketVersion:7

operatingSystem.nameoperatingSystem.name

Use text value ##### to find the operating system brand name you're looking for, e.g. Windows OS.

Example

Show any findings that match exact value

operatingSystem.name:Windows 10

operatingSystem.publisheroperatingSystem.publisher

Use a text value ##### to define an operating system manufacturer you're looking for.

Example

Show findings with this exact software publisher

operatingSystem.publisher:Microsoft

operatingSystem.updateoperatingSystem.update

Use a text value ##### to define an OS update version of interest.

Example

Show findings with this exact OS update version

operatingSystem.update:SP2

operatingSystem.versionoperatingSystem.version

Use a text value ##### to define the OS version you're interested in.

Example

Show findings with this exact OS version

operatingSystem.version:16.1

processorsprocessors

Use values within quotes or backticks to help you find the full processor name you're looking for.

Examples

Show any findings that contain parts of name

processors:"iIntel Xwon® CPU ES-2673 v3"

Show any findings that match exact value

processors:`Intel Xwon® CPU ES-2673 v3`

processors.coresPerSocketprocessors.coresPerSocket

Use the value to show the number of cores per socket.

Example

Show the number of cores per socket

processors.coresPerSocket:2

processors.multithreadingStatus processors.multithreadingStatus

Use the values ENABLED | DISABLED to define whether your processor is multi-threading enabled.

Example

Show multi-threading enabled processor

processors.multithreadingStatus: "ENABLED"

processors.numberOfCpuprocessors.numberOfCpu

Use the value to show the number of logical CPUs.

Example

Show the logical CPUs

processors.numberOfCpu:4

processors.numberOfSocketsprocessors.numberOfSockets

Use the value to show the number of sockets.

Example

Show number of sockets

processors.numberOfSockets:2

processors.speedprocessors.speed

Use an integer value ##### to find assets with a certain processor speed (MHz).

Example

Show assets with this processor speed

processors.speed:2394

processors.threadsPerCoreprocessors.threadsPerCore

Use the value to show the number of threads per core.

Example

Show number of threads per core

processors.threadsPerCore:1

providerprovider

Find assets synced from a certain cloud provider (AWS, AZURE, GCP). Select from names in the drop-down menu.

Examples

Show assets synced from Amazon AWS

provider: "AWS"

sensors.activatedForModulessensors.activatedForModules

Select the name ##### of an activated module you're interested in. Select CERT, EDR, FIM, OCA, PC, PM, SCA, SwCA, VM, WAF, WAS, or XDR from the drop-down menu.

Examples

Show sensors activated for VM

sensors.activatedForModules: "VM"

Show sensors activated for VM and PC

sensors.activatedForModules: "VM" AND sensors.activatedForModules: "PC"

sensors.lastFullScansensors.lastFullScan

Use a date range or specific date to define when last full scan was performed.

Examples

Show last full scan within certain dates

sensors.lastFullScan:[2019-01-01 ... 2019-01-15]

Show last full scan starting 2019-01-15, ending 1 month ago

sensors.lastFullScan:[2019-01-15 ... now-1M]

Show last full scan starting 2 weeks ago, ending 1 second ago

sensors.lastFullScan:[now-2w ... now-1s]

Show last full scan on a specific date

sensors.lastFullScan:'2019-03-18'

Show last full scan within last 30 days excluding day 30.

sensors.lastFullScan>now-30d

Note: We recommend not to use the NOT operator in your range search to form query like NOT sensors.lastFullScan:[now-30d..now-2s]. See "QQL Best Practices" topic in the Unified Dashboard Online Help.

Show last full scan within last 30 days including day 30.

sensors.lastFullScan>=now-30d

Show last full scan which is older than last 30 days excluding day 30.

sensors.lastFullScan<now-30d

Show last full scan which is older than last 30 days including day 30.

sensors.lastFullScan<=now-30d

sensors.lastComplianceScansensors.lastComplianceScan

Use a date range or specific date to define when last compliance scan was performed.

Examples

Show last compliance scan within certain dates

sensors.lastComplianceScan:[2019-01-01 ... 2019-01-15]

Show last compliance scan starting 2019-01-15, ending 1 month ago

sensors.lastComplianceScan:[2019-01-15 ... now-1M]

Show last compliance scan starting 2 weeks ago, ending 1 second ago

sensors.lastComplianceScan:[now-2w ... now-1s]

Show last compliance scan on a specific date

sensors.lastComplianceScan:'2019-03-18'

Show last compliance scan within last 30 days excluding day 30.

sensors.lastComplianceScan>now-30d

Note: We recommend not to use the NOT operator in your range search to form query like NOT sensors.lastComplianceScan:[now-30d..now-2s].  See "QQL Best Practices" topic in the Unified Dashboard Online Help.

Show last compliance scan within last 30 days including day 30.

sensors.lastComplianceScan>=now-30d

Show last compliance scan which is older than last 30 days excluding day 30.

sensors.lastComplianceScan<now-30d

Show last compliance scan which is older than last 30 days including day 30.

sensors.lastComplianceScan<=now-30d

sensors.lastVmScansensors.lastVmScan

Use a date range or specific date to define when last VM scan was performed.

Examples

Show last VM scan within certain dates

sensors.lastVmScan:[2019-01-01 ... 2019-01-15]

Show last VM scan starting 2019-01-15, ending 1 month ago

sensors.lastVmScan:[2019-01-15 ... now-1M]

Show last VM scan starting 2 weeks ago, ending 1 second ago

sensors.lastVmScan:[now-2w ... now-1s]

Show last VM scan on a specific date

sensors.lastVmScan:`2019-03-18`

Show last VM Scan within last 30 days excluding day 30.

sensors.lastVmScan>now-30d

Note: We recommend not to use the NOT operator in your range search to form query like NOT sensors.lastVmScan:[now-30d..now-2s].  See "QQL Best Practices" topic in the Unified Dashboard Online Help.

Show last VM Scan within last 30 days including day 30.

sensors.lastVmScan>=now-30d

Show last VM Scan which is older than last 30 days excluding day 30.

sensors.lastVmScan<now-30d

Show last aVM Scan which is older than last 30 days including day 30.

sensors.lastVmScan<=now-30d

sensors.lastVmScanDateScannersensors.lastVmScanDateScanner

Use a date range or specific date to define when last VM scan was performed by scanner.

Examples

Show last VM scan within certain dates

sensors.lastVmScanDateScanner:[2019-01-01 ... 2019-01-15]

Show last VM scan starting 2019-01-15, ending 1 month ago

sensors.lastVmScanDateScanner:[2019-01-15 ... now-1M]

Show last VM scan starting 2 weeks ago, ending 1 second ago

sensors.lastVmScanDateScanner:[now-2w ... now-1s]

Show last VM scan on a specific date

sensors.lastVmScanDateScanner:'2019-03-18'

Show last agent activity within last 30 days excluding day 30.

sensors.lastVmScanDateScanner>now-30d

Note: We recommend not to use the NOT operator in your range search to form query like NOT sensors.lastVmScanDateScanner:[now-30d..now-2s].  See "QQL Best Practices" topic in the Unified Dashboard Online Help.

Show last VM Scan within last 30 days including day 30.

sensors.lastVmScanDateScanner>=now-30d

Show last VM Scan which is older than last 30 days excluding day 30.

sensors.lastVmScanDateScanner<now-30d

Show last VM Scan which is older than last 30 days including day 30.

sensors.lastVmScanDateScanner<=now-30d

sensors.lastVmScanDateAgentsensors.lastVmScanDateAgent

Use a date range or specific date to define when last VM scan was performed by agent.

Examples

Show last VM scan within certain dates

sensors.lastVmScanDateAgent:[2019-01-01 ... 2019-01-15]

Show last VM scan starting 2019-01-15, ending 1 month ago

sensors.lastVmScanDateAgent:[2019-01-15 ... now-1M]

Show last VM scan starting 2 weeks ago, ending 1 second ago

sensors.lastVmScanDateAgent:[now-2w ... now-1s]

Show last VM scan on a specific date

sensors.lastVmScanDateAgent:'2019-03-18'

Show last agent activity within last 30 days excluding day 30.

sensors.lastVmScanDateAgent>now-30d

Note: We recommend not to use the NOT operator in your range search to form query like NOT sensors.lastVmScanDateAgent:[now-30d..now-2s].  See "QQL Best Practices" topic in the Unified Dashboard Online Help.

Show last VM Scan within last 30 days including day 30.

sensors.lastVmScanDateAgent>=now-30d

Show last VM Scan which is older than last 30 days excluding day 30.

sensors.lastVmScanDateAgent<now-30d

Show last VM Scan which is older than last 30 days including day 30.

sensors.lastVmScanDateAgent<=now-30d

sensors.lastPcScanDateScannersensors.lastPcScanDateScanner

Use a date range or specific date to define when last PC scan was performed by scanner.

Examples

Show last PC scan within certain dates

sensors.lastPcScanDateScanner:[2019-01-01 ... 2019-01-15]

Show last PC scan starting 2019-01-15, ending 1 month ago

sensors.lastPcScanDateScanner:[2019-01-15 ... now-1M]

Show last PC scan starting 2 weeks ago, ending 1 second ago

sensors.lastPcScanDateScanner:[now-2w ... now-1s]

Show last PC scan on a specific date

sensors.lastPcScanDateScanner:'2019-03-18'

Show last PC scan within last 30 days excluding day 30.

sensors.lastPcScanDateScanner>now-30d

Note: We recommend not to use the NOT operator in your range search to form query like NOT sensors.lastPcScanDateScanner:[now-30d..now-2s].  See "QQL Best Practices" topic in the Unified Dashboard Online Help.

Show last PC scan within last 30 days including day 30.

sensors.lastPcScanDateScanner>=now-30d

Show last PC scan which is older than last 30 days excluding day 30.

sensors.lastPcScanDateScanner<now-30d

Show last PC scan which is older than last 30 days including day 30.

sensors.lastPcScanDateScanner<=now-30d

sensors.lastPcScanDateAgentsensors.lastPcScanDateAgent

Use a date range or specific date to define when last PC scan was performed by agent.

Examples

Show last PC scan within certain dates

sensors.lastPcScanDateAgent:[2019-01-01 ... 2019-01-15]

Show last PC scan starting 2019-01-15, ending 1 month ago

sensors.lastPcScanDateAgent:[2019-01-15 ... now-1M]

Show last PC scan starting 2 weeks ago, ending 1 second ago

sensors.lastPcScanDateAgent:[now-2w ... now-1s]

Show last PC scan on a specific date

sensors.lastPcScanDateAgent:'2019-03-18'

Show last PC scan within last 30 days excluding day 30.

sensors.lastPcScanDateAgent>now-30d

Note: We recommend not to use the NOT operator in your range search to form query like NOT sensors.lastPcScanDateScanner:[now-30d..now-2s].  See "QQL Best Practices" topic in the Unified Dashboard Online Help.

Show last PC scan within last 30 days including day 30.

sensors.lastPcScanDateAgent>=now-30d

Show last PC scan which is older than last 30 days excluding day 30.

sensors.lastPcScanDateAgent<now-30d

Show last PC scan which is older than last 30 days including day 30.

sensors.lastPcScanDateAgent<=now-30d

sensors.firstEasmScanDatesensors.firstEasmScanDate

Shows a list of externally exposed assets based on their first scan date.

Example

Show a list of externally exposed assets scanned for the first time on or after 2022-10-04

sensors.firstEasmScanDate >= '2022-10-04'

Show a list of externally exposed assets that are scanned for the first time before 2022-10-04

sensors.firstEasmScanDate <= '2022-10-04'

Show a list of externally exposed assets that are scanned for the first time after 2022-10-04

sensors.firstEasmScanDate > '2022-10-04'

Show a list of externally exposed assets that are scanned for the first time on 2022-10-04

sensors.lastEasmScanDatesensors.lastEasmScanDate

Shows a list of externally exposed assets based on their latest scan date.

Example

Show a list of externally exposed assets from the latest scan on or after 2022-10-04

sensors.lastEasmScanDate >= '2022-10-04'

Show a list of externally exposed assets from the latest scan before 2022-10-04

sensors.lastEasmScanDate <= '2022-10-04'

Show a list of externally exposed assets from the latest scan after 2022-10-04

sensors.lastEasmScanDate > '2022-10-04'

sensors.firstEasmVmScanDatesensors.firstEasmVmScanDate

Use a date range or specific date to find instances based on the first EASM VM scan date.

Examples

Show instances based on the first EASM VMscan date within certain dates

sensors.firstEasmVmScanDate:[2024-01-01 ... 2024-01-15]

Show instances based on the first EASM VMscan date starting 2024-01-15, ending 1 month ago

sensors.firstEasmVmScanDate:[2024-01-15... now-1M]

Show instances based on the first EASM VMscan date on a specific date

sensors.firstEasmVmScanDate:`2024-03-18`

Show instances basedon the first EASM VMscan date within last 30 days excluding day 30.

sensors.firstEasmVmScanDate>now-30d

Note: We recommend not to use the NOT operator in your range search to form query like NOT sensors.firstEasmVmScanDate:[now-30d..now-2s].  See "QQL Best Practices" topic in the Unified Dashboard Online Help.

Show instances based on the first EASM VMscan date within last 30 days including day 30.

sensors.firstEasmVmScanDate>=now-30d

Show instances based on the first EASM VMscan date which are older than last 30 days excluding day 30.

sensors.firstEasmVmScanDate<now-30d

Show instances basedon the first EASM VMscan date which are older than last 30 days including day 30.

sensors.firstEasmVmScanDate<=now-30d

sensors.lastEasmVmScanDatesensors.lastEasmVmScanDate

Use a date range or specific date to find instances based on the last EASM VM scan date.

Examples

Show instances based on the last EASM VM scan date within certain dates

sensors.lastEasmVmScanDate:[2024-01-01 ... 2024-01-15]

Show instances based on the last EASM VM scan date starting 2024-01-15, ending 1 month ago

sensors.lastEasmVmScanDate:[2024-01-15... now-1M]

Show instances based on the last EASM VM scan date on a specific date

sensors.lastEasmVmScanDate:`2024-03-18`

 

Show instances based on the last EASM VM scan date within last 30 days excluding day 30.

sensors.lastEasmVmScanDate>now-30d

Note: We recommend not to use the NOT operator in your range search to form query like NOT sensors.lastEasmVmScanDate:[now-30d..now-2s].  See "QQL Best Practices" topic in the Unified Dashboard Online Help.

Showinstances based on the last EASM VM scan date within last 30 days including day 30.

sensors.lastEasmVmScanDate>=now-30d

Show instances based on the last EASM VM scan date which are older than last 30 days excluding day 30.

sensors.lastEasmVmScanDate<now-30d

Show instances based on the last EASM VM scan date which are older than last 30 days including day 30.

sensors.lastEasmVmScanDate<=now-30d

sensors.pendingActivationForModulessensors.pendingActivationForModules

Select the name ##### of a module that's pending activation. Select from names in the drop-down menu.

Examples

Show sensors pending activation for VM

sensors.pendingActivationForModules: "VM"

Show sensors pending activation for VM and FIM

sensors.pendingActivationForModules: "VM" AND sensors.pendingActivationForModules: "FIM"

services.descriptionservices.description

Use values within quotes or backticks to find assets with a service description you are looking for.

Examples

Show any findings that contain parts of description

services:(description:"Certificate Propagation")

Show any findings that match exact value "Windows Event Log"

services:(description:`Certificate Propagation`)

services.nameservices.name

Use text value ##### within values to find assets with a service name you are looking for.

Example

Show any findings that match exact value

services:(name:CertPropSvc)

services.statusservices.status

Use text value ##### within values to find the service status you are looking for.

Example

Show any findings that match exact value

services:(status:RUNNING)

software:(architecturesoftware:(architecture

Use text value ##### to find the software architecture you are looking for, i.e 32-Bit or 64-Bit.

Example

Show any findings that match exact value

software:(architecture:64-Bit)

software:(categorysoftware:(category

Use values within quotes or backticks to help you find a software category.

Example

Show any findings that match exact value

software:(category:`Application Development/Testing`)

software:(isRequiredsoftware:(isRequired

Use the values true | false to define whether software is a required.

Example

Show software that is required

software:(isRequired: "true")

software:(category1software:(category1

Use text value ##### to find the software category 1 value you are looking for.

Example

If you are searching for assets having testing software, then category1 is Application Development and category2 is Testing.

Show any findings that match exact value

software:(category1:Application Development)

software:(category2software:(category2

Use text value ##### to find the software category 2 value you are looking for.

Example

If you are searching for assets having testing software, then category1 is Application Development and category2 is Testing.

Show any findings that match exact value

software:(category2:Testing)

software:(editionsoftware:(edition

Use text value ##### to find the software edition you're looking for.

Example

Show any findings that match exact value

software:(edition:Professional)

software:(installDatesoftware:(installDate

Use a date range or specific date to define when software was installed.

Examples

Show software installed within certain dates

software:(installDate:[2019-01-01 ... 2019-01-15])

Show software installed starting 2019-01-15, ending 1 month ago

software:(installDate:[2019-01-15 ... now-1M])

Show software installed starting 2 weeks ago, ending 1 second ago

software:(installDate:[now-2w ... now-1s])

Show software installed on a specific date

software:(installDate:'2019-03-18')

Show software installed within last 30 days excluding day 30.

software:(installDate>now-30d)

Note: We recommend not to use the NOT operator in your range search to form query like NOT sensors.lastPcScanDateScanner:[now-30d..now-2s]. See "QQL Best Practices" topic in the Unified Dashboard Online Help.

Show software installed within last 30 days including day 30.

software:(installDate>=now-30d)

Show last PC scan which are older than last 30 days excluding day 30.

software:(installDate<now-30d)

Show software installed which are older than last 30 days including day 30.

software:(installDate<=now-30d)

software.installPathsoftware.installPath

Use a text value ##### to define a software install path you are looking for.

Example

Show findings with this exact software install path

software:(installPath:C:\Program Files\)

software:(isPackagesoftware:(isPackage

Use the values true | false to define whether software is a package.

Example

Show software that is a package

software:(isPackage: "true")

software:(isPCSupportedsoftware:(isPCSupported

Use the values true | false to define whether software is PC supported.

Example

Show software that is PC supported

software:(isPCSupported: "true")

software:(hasRunningInstancesoftware:(hasRunningInstance

Use the values true | false to find whether software has a running instance.

Example

Show software that has a running instance

software:(hasRunningInstance: "true")

software:(isPackageComponentsoftware:(isPackageComponent

Use the values true | false to define whether software is a package component.

Example

Show software that is a package component

software:(isPackageComponent: "true")

software:(lastUpdatedsoftware:(lastUpdated

Use a date range or specific date to define when a software was last updated.

Examples

Show software last updated within certain dates

software:(lastUpdated:[2019-01-01 ... 2019-01-15])

Show software last updated starting 2019-01-15, ending 1 month ago

software:(lastUpdated:[2019-01-15 ... now-1M])

Show software last updated starting 2 weeks ago, ending 1 second ago

software:(lastUpdated:[now-2w ... now-1s])

Show software last updated on a specific date

software:(lastUpdated:'2019-03-18')

Show software last updated within last 30 days excluding day 30.

software:(lastUpdated>now-30d)

Note: We recommend not to use the NOT operator in your range search to form query like NOT software:(lastUpdated:[now-30d..now-2s]).  See "QQL Best Practices" topic in the Unified Dashboard Online Help.

Show software last updated within last 30 days including day 30.

software:(lastUpdated>=now-30d)

Show software last updated which is older than last 30 days excluding day 30.

software:(lastUpdated<now-30d)

Show lsoftware last updated which is older than last 30 days including day 30.

software:(lastUpdated<=now-30d)

software:(lastUseDatesoftware:(lastUseDate

Use a date range or specific date to define when a software was last used.

Note: This token is not supported for windows assets.

Examples

Show software last used within certain dates

software:(lastUseDate:[2019-01-01 ... 2019-01-15])

Show software last used starting 2019-01-15, ending 1 month ago

software:(lastUseDate:[2019-01-15 ... now-1M])

Show software last used starting 2 weeks ago, ending 1 second ago

software:(lastUseDate:[now-2w ... now-1s])

Show software last used on a specific date

software:(lastUseDate:'2019-03-18')

Show software last used within last 30 days excluding day 30.

software:(lastUseDate>now-30d)

Note: We recommend not to use the NOT operator in your range search to form query like NOT software:(lastUseDate:[now-30d..now-2s]).  See "QQL Best Practices" topic in the Unified Dashboard Online Help.

Show software last used within last 30 days including day 30.

software:(lastUseDate>=now-30d)

Show software last used which is older than last 30 days excluding day 30.

software:(lastUseDate<now-30d)

Show software last used which is older than last 30 days including day 30.

software:(lastUseDate<=now-30d)

software:(license.categorysoftware:(license.category

Use text value ##### to help you find a software license category, i.e. Open Source, Commercial.

Example

Show any findings that match exact value

software:(license.category:`Open Source`)

software:(license.subcategorysoftware:(license.subcategory

Use text value ##### to help you find a software license subcategory, i.e. GPL, Apache 2.0, BSD.

Example

Show any findings that match exact value

software:(license.subcategory:Apache 2.0)

software:(lifecycle.gasoftware:(lifecycle.ga

Use a date range or specific date to define a software general availability date of interest.

Examples

Show findings with software GA date in this date range

software:(lifecycle.ga:[2019-01-01 ... 2019-01-15])

Show findings with woftware GA date starting 2019-01-15, ending 1 month ago

software:(lifecycle.ga:[2019-01-15 ... now-1M])

Show findings with software GA date starting 2 weeks ago, ending 1 second ago

software:(lifecycle.ga:[now-2w ... now-1s])

Show findings with this software GA date

software:(lifecycle.ga:'2019-03-18')

software:(lifecycle.eolsoftware:(lifecycle.eol

Use a date range or specific date to define an software End-of-Life date of interest.

Examples

Show findings with software End-of-Life date in this date range

software:(lifecycle.eol:[2019-01-01 ... 2019-01-15])

Show findings with software End-of-Life date starting 2019-01-15, ending 1 month ago

software:(lifecycle.eol:[2019-01-15 ... now-1M])

Show findings with software End-of-Life date starting 2 weeks ago, ending 1 second ago

software:(lifecycle.eol:[now-2w ... now-1s])

Show findings with this software End-of-Life date

software:(lifecycle.eol:'2019-03-18')

software:(lifecycle.eossoftware:(lifecycle.eos

Use a date range or specific date to define an software End-of-Support date of interest.

Examples

Show findings with software End-of-Support date in this date range

software:(lifecycle.eos:[2019-01-01 ... 2019-01-15])

Show findings with software End-of-Support date starting 2019-01-15, ending 1 month ago

software:(lifecycle.eos:[2019-01-15 ... now-1M])

Show findings with software End-of-Support date starting 2 weeks ago, ending 1 second ago

software:(lifecycle.eos:[now-2w ... now-1s])

Show findings with this software End-of-Support date

software:(lifecycle.eos:'2019-03-18')

software:(lifecycle.stagesoftware:(lifecycle.stage

Use a text value ##### to define a software lifecycle stage you're looking for, i.e. active, eol, obsolete.

Examples

Show findings having this software lifecycle stage

software:(lifecycle.stage:eol)

Show findings having software category Windows and software lifecycle stage "active"

software:(category:Windows AND lifecycle.stage:eol)

software:(marketVersionsoftware:(marketVersion

Use text value ##### to help you find a software market version, e.g. Windows OS.

Example

Show any findings that match exact value

software:(marketVersion:7)

software:(namesoftware:(name

Use values within quotes or backticks to help you find the software name you're looking for. Quotes can be used when the value has more than one word.

Examples

Show any findings with this name

software:(name: VMware Tools)

Show any findings that contain parts of name

software:(name: "VMware Tools")

Show any findings that match exact value

software:(name: `VMware Tools`)

Find assets with certain tag and software installed

tags.name: `Cloud Agent` AND software: (name: `Cisco AnyConnect Secure Mobility Client` AND version: `3.1.12345`)

software:(productsoftware:(product

Use a text value ##### to define a software product name you're looking for.

Example

Show findings with this exact product name

software:(product:Office)

software:(authorizationsoftware:(authorization

Use text value ##### to help you find the installations of the software product with authorization you're looking for, i.e. Authorized, Unauthorized, or Needs Review.

Example

Show installations of the software that was marked as Authorized.

software:(authorization:`Authorized`)

Show installations of the software that was marked as Unauthorized.

software:(authorization:`Unauthorized`)

Show installations of the software that needs review.

software:(authorization:`Needs Review`)

software:(publishersoftware:(publisher

Use a text value ##### to define a software manufacturer you are looking for.

Example

Show findings with this exact software publisher

software:(publisher:Microsoft)

software:(supportStagesoftware:(supportStage

Use a text value ##### to define the software support stage.

Example

Show software having premium support

software:(supportStage: Premier Support)

software:(authorizationDetectionScoresoftware:(authorizationDetectionScore

Use a text value ##### to find the installations of the software product with the QDS you're looking for.

Example

Show the installations of the software product with the following QDS

software:(authorizationDetectionScore: 30)

software:(lifecycle.detectionScoresoftware:(lifecycle.detectionScore

Use a text value ##### to find the software product with the lifecycle detection score you are looking for.

Examples

Show the software product with the lifecycle detection score

software:(lifecycle.detectionScore: 80)

Show the software product with the lifecycle detection score

software:(lifecycle.detectionScore>80)

Show the software product with the lifecycle detection score

software:(lifecycle.detectionScore<80)

Show the software product with the lifecycle detection score

software:(lifecycle.detectionScore<=80)

Show the software product with the lifecycle detection score

software:(lifecycle.detectionScore>=80)

software.typesoftware.type

Use a text value ##### to define a software type of interest.

Example

Show findings having this software type

software:(type:Installer Package)

software:(updatesoftware:(update

Use a text value ##### to define a software update version of interest.

Example

Show findings with this exact software update version

software:(update:16.0.1.2)

Show findings with software update version greater than 16.0.1.2

software:(update>16.0.1.2)

Show findings with software update version greater than or equal to 16.0.1.2

software:(update>=16.0.1.2)

Show findings with software update version less than 16.0.1.2

software:(update<16.0.1.2)

Show findings with software update version less than or equal to 16.0.1.2

software:(update<=16.0.1.2)

Show findings with software update version within this version range

software:(update:[16.0.1.2 ... 16.0.1.5])

software:(versionsoftware:(version

Use a text value ##### to define the software version you're interested in.

Example

Show findings with this exact software version

software:(version:16.0)

Show findings with software version greater than 16.0

software:(version>16.0)

Show findings with software version greater than or equal to 16.0

software:(version>=16.0)

Show findings with software version less than 16.0

software:(version<16.0)

Show findings with software version less than or equal to 16.0

software:(version<=16.0)

Show findings with software version within this version range

software:(version:[16.0 ... 20.0])

software:(componentsoftware:(component

Use a value Client, Server or " " (empty field) to identify the software component.

Example

Show findings with Client software component

software:(component:Client)

software:(firstFoundsoftware:(firstFound

Use a date range or specific date to define when software was first found.

Examples

Show assets with software first found within certain dates

software:(firstFound: [2017-06-15 ... 2017-06-30])

Show assets with software first found starting 2017-06-22, ending 1 month ago

software:(firstFound: [2017-06-22 ... now-1M])

Show assets with software first found starting 2 weeks ago, ending 1 second ago

software:(firstFound: [now-2w ... now-1s])

Show assets with software first found on specific date

software:(firstFound:'2017-06-14') 

Show assets with software first found within last 30 days excluding day 30.

software:(firstFound>now-30d)

Note: We recommend not to use the NOT operator in your range search to form query like NOT software:(lastUseDate:[now-30d..now-2s]). See "QQL Best Practices" topic in the Unified Dashboard Online Help.

Show assets with software first found within last 30 days including day 30.

software:(firstFound>=now-30d)

Show assets with software first found which is older than last 30 days excluding day 30.

software:(firstFound<now-30d)

Show assets with software first found which is older than last 30 days including day 30.

software:(firstFound<=now-30d)

software:(discoverySourcessoftware:(discoverySources

Use a text value ##### to find software detected from a certain discovery source. (Active Directory, BMC Helix, CMDB, Cloud Agent, EASM, ICS OCA, IP Scanner, OCA, Passive Sensor, ServiceNow, Unknown, and Webhook) Select from values in the drop-down menu.

Examples

Show findings from cloud agents

software:(discoverySources: Cloud Agent)

Show findings from Passive Sensor

software:(discoverySources: CMDB)

whoIs.creationDatewhoIs.creationDate

Use a date range or specific date to find all the assets with the whoIs creation date.

Examples

Show assets with whoIs creation date within certain dates

whoIs:(creationDate: [2019-01-01 ... 2019-01-15])

Show assets with whoIs creation date starting 2019-01-15, ending 1 month ago

whoIs:(creationDate: [2019-01-15 ... now-1M])

Show assets with whoIs creation date starting 2 weeks ago, ending 1-second ago

whoIs:(creationDate: [now-2w ... now-1s])

Show assets with whoIs creation date last updated on a specific date

whoIs:(creationDate: `2022-06-04`)

 

Show assets with whoIs creation date within last 30 days excluding day 30.

whoIs:(creationDate>now-30d)

Note: We recommend not to use the NOT operator in your range search to form query like NOT software:(lastUseDate:[now-30d..now-2s]).  See "QQL Best Practices" topic in the Unified Dashboard Online Help.

Show assets with whoIs creation date within last 30 days including day 30.

whoIs:(creationDate>=now-30d)

Show assets with whoIs creation date which is older than last 30 days excluding day 30.

whoIs:(creationDate<now-30d)

Show assets with whoIs creation date which is older than last 30 days including day 30.

whoIs:(creationDate<=now-30d)

whoIs.registrantOrgwhoIs.registrantOrg

Use values within quotes or backticks to find all the assets using the registrant organization of domain or subdomain.

Examples

Show all the assets for which the exact registrant organization of domain/subdomain matches

whoIs:(registrantOrg: `Qualys, Inc`)

Show all the assets for which the part of the registrant organization of domain/subdomain matches

whoIs:(registrantOrg: "Qualys,")

whoIs.registrantEmailIdwhoIs.registrantEmailId

Use values within quotes or backticks to find all the assets using the registrant email id of domain or subdomain.

Examples

Show all the assets for which the exact registrant email id of the domain or subdomain matches

whoIs:(registrantEmailId: `66aab8e6ace-49101@contact.qualys.net`)

Show all the assets for which the part of the registrant email id of the domain or subdomain matches

whoIs:(registrantEmailId: "66aab8e6ace-49101@contact.qualys.net")

whoIs.registrarwhoIs.registrar

Use values within quotes or backticks to find all the assets using the registrar.

Examples

Show all the assets for which the exact registrar matches

whoIs:(registrar: `abc net`)

Show all assets for which the part of the registrar matches

whoIs:(registrar: "abc net")

vmManifestVersionvmManifestVersion

Use the manifest version to find host assets, where VM scan is performed using the specific manifest version.

Example

Show host assets, where VM scan is performed with the specified manifest version

vmManifestVersion: "VULNSIGS-VM-2.6.30.3-4"

pcManifestVersionpcManifestVersion

Use the manifest version to find host assets, where PC scan is performed using the specific manifest version.

Example

Show host assets, where PC scan is performed with the specified manifest version.

pcManifestVersion: "VULNSIGS-PC-2.6.40-5"

udcManifestVersionudcManifestVersion

Use the manifest version to find host assets, where UDC scan is performed using the specific manifest version.

Example

Show host assets, where UDC scan is performed with the specified manifest version

udcManifestVersion: "UDCVULNSIGS-1797"

middlewareManifestVersionmiddlewareManifestVersion

Use the manifest version to find host assets, where middleware scan is performed using the specific manifest version.

Example

Show host assets, where middleware scan is performed with the specified manifest version

middlewareManifestVersion: "VULNSIGS-2.5.526.2-1-MiddlewarePC-LINUX"

scaManifestVersionscaManifestVersion

Use the manifest version to find host assets, where SCA scan is performed using the specific manifest version.

Example

Show host assets, where SCA scan is performed with the specified manifest version

scaManifestVersion: "VULNSIGS-SCA-0.35.0.0-3"

AWS EC2

Use these tokens for searching your AWS EC2 assets.

- Your results may return Terminated instances. It's recommended you include aws.ec2instanceState in your query to reduce the number of results.

- The syntax is different when writing queries for tag rules than when searching assets in the Assets list. Be sure to follow the syntax tips in the drop-down when writing your query.

aws.ec2.accountIdaws.ec2.accountId

Use a text value ##### to find EC2 instances with a certain account ID.

Examples

Find EC2 instances that match this account ID

aws.ec2.accountId: 123456789012

Find EC2 instances with account ID starting "12345"

aws.ec2.accountId: 12345*

Find EC2 instances where account ID is null (remove the colon)

aws.ec2.accountId is null

aws.ec2.availabilityZoneaws.ec2.availabilityZone

Use a text value ##### to find EC2 instances by the availability zone in which the instance launched.

Example

Find EC2 instances in the us-east-1a availability zone

aws.ec2.availabilityZone: us-east-1a

aws.ec2.hasAgentaws.ec2.hasAgent

Use the values true | false to define whether the EC2 asset has a cloud agent.

Examples

Show findings with a cloud agent

aws.ec2.hasAgent: true

Show findings without a cloud agent

aws.ec2.hasAgent: false

aws.ec2.hostnameaws.ec2.hostname

Use a text value ##### to find the EC2 hostname you're looking for.

Examples

Find instances related to name

aws.ec2.hostname: abc.qualys.com

Find instances that match exact value

aws.ec2.hostname: `abc.qualys.com`

aws.ec2.imageIdaws.ec2.imageId

Use a text value ##### to find EC2 instances with a certain Image (AMI) ID.

Examples

Find instances related to the Image ID

aws.ec2.imageId: ami-2ea83347

Find instances that match exact value

aws.ec2.imageId: `ami-2ea83347`

aws.ec2.instanceIdaws.ec2.instanceId

Use a text value ##### to find EC2 instances by the instance ID.

Example

Find EC2 instances with this ID

aws.ec2.instanceId: i-1234567890abcdef0

aws.ec2.instanceStateaws.ec2.instanceState

Select the name of the instance state (PENDING, RUNNING, TERMINATED, STOPPED, STOPPING, SHUTTING-DOWN) you're interested in. Select from names in the drop-down menu.

Example

Find running EC2 instances

aws.ec2.instanceState: RUNNING

aws.ec2.instanceTypeaws.ec2.instanceType

Select the type of instance you're interested in. Select from names in the drop-down menu.

Example

Find EC2 instances with instance type t2.micro

aws.ec2.instanceType: t2.micro

aws.ec2.isQualysScanneraws.ec2.isQualysScanner

Use the values true | false to define whether the EC2 asset is a Qualys scanner.

Examples

Show findings where assets are scanners

aws.ec2.isQualysScanner: true

Show findings where assets are not scanners

aws.ec2.isQualysScanner: false

aws.ec2.kernelIdaws.ec2.kernelId

Use a text value ##### to find EC2 instances by kernel ID (AKI).

Example

Find EC2 instances with this kernel ID

aws.ec2.kernelId: aki-70ab0c10

aws.ec2.launchDateaws.ec2.launchDate

Use a date range or specific date to define when the EC2 instance launched. Enter dates in yyyy-mm-dd format.

Examples

Find EC2 instances launched within certain dates

aws.ec2.launchDate: [2017-06-15 ... 2017-06-30]

Find EC2 instances launched on specific date

aws.ec2.launchDate:'2017-08-15'

aws.ec2.privateDNSaws.ec2.privateDNS

Use a text value ##### to define a private DNS address you're interested in.

Example

Find the EC2 instance with this private DNS address

aws.ec2.privateDNS: ip-10-90-2-85.ec2.internal

aws.ec2.privateIpAddressaws.ec2.privateIpAddress

Use a text value ##### to define a private IPv4 address or range of IPs you're interested in.

Examples

Find EC2 instances with this private IP address

aws.ec2.privateIpAddress: 10.90.0.119

Find EC2 instances within this IP range

aws.ec2.privateIpAddress: [10.1.78.23 ... 10.100.78.235]

aws.ec2.publicDNSaws.ec2.publicDNS

Use a text value ##### to define a public DNS address you're interested in.

Example

Find the EC2 instance with this public DNS address

aws.ec2.publicDNS: ec2-52-70-141-154.compute-1.amazonaws.com

aws.ec2.region.codeaws.ec2.region.code

Select the code of the region you're interested in. Select from codes in the drop-down menu.

Example

Find EC2 instances in the us-east-1 region

aws.ec2.region.code: us-east-1

aws.ec2.publicIpAddressaws.ec2.publicIpAddress

Use a text value ##### to define a public IPv4 address or range of IPs you are interested in.

Examples

Find EC2 instances with this public IP address

aws.ec2.publicIpAddress: 52.70.141.154

Find EC2 instances within this IP range

aws.ec2.publicIpAddress: [52.70.141.154 ... 52.70.141.164]

aws.ec2.region.nameaws.ec2.region.name

Select the name of the region you are interested in. Select from names in the drop-down menu.

Example

Find EC2 instances in the US East (N. Virginia) region

aws.ec2.region.name: US East (N. Virginia)

aws.ec2.spotInstanceaws.ec2.spotInstance

Use the values true | false to define whether your EC2 instance is a Spot instance.

Examples

Show EC2 Spot instances

aws.ec2.spotInstance: "true"

Show EC2 instances that are not Spot instances

aws.ec2.spotInstance: "false"

aws.ec2.subnetIdaws.ec2.subnetId

Use a text value ##### to find EC2 instances by the ID of the subnet in which the interface resides.

Example

Find EC2 instances with this subnet ID

aws.ec2.subnetId: subnet-bc02c0d4

aws.ec2.vpcIdaws.ec2.vpcId

Use a text value ##### to find EC2 instances by the ID of the VPC in which the interface resides.

Example

Find EC2 instances with this VPC ID

aws.ec2.vpcId: vpc-1e37cd76

aws.tags.keyaws.tags.key

Use a text value ##### to find EC2 instances with a certain AWS tag key/name (case insensitive).

Examples

Find EC2 instances with key "devops"

aws.tags(key: devops)

Find EC2 instances with key starting "dev"

aws.tags(key: dev*)

Find EC2 instances with key ending "ops"

aws.tags(key: *ops)

aws.tags.valueaws.tags.value

Use a text value ##### to find EC2 instances with a certain AWS tag value (case insensitive).

Examples

Find EC2 instances with tag value "dailybuild"

aws.tags(value: dailybuild)

Find EC2 instances with tag value starting "daily"

aws.tags(value: daily*)

Find EC2 instances with tag value ending "build"

aws.tags(value: *build)

Microsoft Azure

Use these tokens for searching Microsoft Azure assets.

azure.tags.nameazure.tags.name

Use a text value ##### to find Azure instances with a certain tag name (case insensitive).

Examples

Find Azure instances with name "devops"

azure.tags(name: devops)

Find Azure instances with name starting "dev"

azure:tags(name: dev*)

Find Azure instances with name ending "ops"

azure.tags(name: *ops)

azure.tags.valueazure.tags.value

Use a text value ##### to find Azure instances with a certain tag value (case insensitive).

Examples

Find Azure instances with tag value "dailybuild"

azure.tags(value: dailybuild)

Find Azure instances with tag value starting "daily"

azure.tags(value: daily*)

Find Azure instances with tag value ending "build"

azure.tags(value: *build)

azure.vm.imageOfferazure.vm.imageOffer

Use a text value ##### to define the image offer name (i.e. UbuntuServer or WindowsServer) for images deployed from the Azure image gallery.

Examples

Find Azure instances related to name

azure.vm.imageOffer: UbuntuServer

Find Azure instances that match exact value

azure.vm.imageOffer: `UbuntuServer`

azure.vm.imagePublisherazure.vm.imagePublisher

Use a text value ##### to define the name of the Azure virtual machine image publisher (i.e. Canonical or MicrosoftWindowsServer).

Examples

Find Azure instances related to name

azure.vm.imagePublisher: Canonical

Find Azure instances that match exact value

azure.vm.imagePublisher: `Canonical`

azure.vm.imageVersionazure.vm.imageVersion

Use a text value ##### to define the version of the Azure virtual machine image sku you are interested in.

Example

Find Azure instances with this sku version

azure.vm.imageVersion: 16.04.201708030

azure.vm.locationazure.vm.location

Use a text value ##### to define the region you're interested in.

Example

Find Azure instances in this location

azure.vm.location: westus

azure.vm.macAddressazure.vm.macAddress

Use a text value ##### to define the MAC address you're interested in.

Example

Find Azure instances with this MAC address

azure.vm.macAddress: '000D3A36DDED'

azure.vm.nameazure.vm.name

Use a text value ##### to find the Azure virtual machine name you're looking for.

Examples

Find Azure instances related to name

azure.vm.name: avset2

Find Azure instances that match exact value

azure.vm.name: `avset2`

azure.vm.platformazure.vm.platform

Use a text value ##### to define the operating system platform (Linux or Windows) of the Azure virtual machine.

Example

Find Azure instances on Windows platform

azure.vm.platform: Windows

azure.vm.privateIpAddressazure.vm.privateIpAddress

Use a text value ##### to define a private IPv4 address or range of IPs you're interested in.

Examples

Find Azure instances with this private IP

azure.vm.privateIpAddress: 10.1.2.5

Find Azure instances within this IP range

azure.vm.privateIpAddress: [10.1.2.5 ... 10.1.2.33]

azure.vm.publicIpAddressazure.vm.publicIpAddress

Use a text value ##### to define a public IPv4 address or range of IPs you're interested in.

Examples

Find Azure instances with this public IP

azure.vm.publicIpAddress: 13.126.125.189

Find Azure instances within this IP range

azure.vm.publicIpAddress: [13.126.125.180 ... 13.126.125.255]

azure.vm.virtualNetworkazure.vm.virtualNetwork

Use a text value ##### to define the operating system platform (Linux or Windows) of the Azure virtual machine.

Examples

Find Azure instances related to virtual network

azure.vm.virtualNetwork: cli-vnet

Find Azure instances that match exact value of virtual network

azure.vm.virtualNetwork: `cli-vnet`

azure.vm.resourceGroupNameazure.vm.resourceGroupName

Use a text value ##### to define the name of the resource group you're interested in.

Examples

Find Azure instances related to name

azure.vm.resourceGroupName: my-eastus-rg

Find Azure instances that match exact value

azure.vm.resourceGroupName: `my-eastus-rg`

azure.vm.sizeazure.vm.size

Use a text value ##### to help you find Azure VM instances with a certain virtual machine size.

Example

Find Azure instances with this size

azure.vm.size: Standard_D1

azure.vm.stateazure.vm.state

Select the name of the instance state (DEALLOCATED, DEALLOCATING, DELETED, RUNNING, STARTING, STOPPED, STOPPING) you're interested in. Select from names in the drop-down menu.

Example

Find running Azure instances

azure.vm.state: RUNNING

azure.vm.subnetazure.vm.subnet

Use a text value ##### to define the Azure virtual machine subnet you're interested in.

Example

Find Azure instances with this subnet

azure.vm.subnet: 10.1.2.0

azure.vm.subscriptionIdazure.vm.subscriptionId

Use a text value ##### to define the subscription ID of the Azure virtual machine subscription.

Example

Find Azure instances with this subscription ID

azure.vm.subscriptionId: fbb9ea64-abda-452e-adfa-83442409

azure.vm.vmIdazure.vm.vmId

Use a text value ##### to define the Azure virtual machine ID you're looking for.

Example

Find Azure instances with this ID

azure.vm.vmId: 13f56399-bd52-4150-9748-7190aae1ff21

azure.vm.hasAgentazure.vm.hasAgent

Use the values true | false to define whether the Azure virtual machine you're looking for has a cloud agent installed on it.

Example

Find Azure instances with agents

azure.vm.hasAgent: "true"

Google Cloud Platform

Use these tokens for searching Google Cloud Platform assets.

gcp.tagsgcp.tags

Use a text value ##### to find GCP instances with a certain tag key and value. Both are case insensitive.

Example

Find GCP instances with a tag key "abc" and value "xyz"

gcp.tags: (key:abc and value:xyz)

gcp.compute.hostnamegcp.compute.hostname

Use a text value ##### to define the hostname you are looking for.

Examples

Find GCP instances related to name

gcp.compute.hostname: instance-5.c.qvsa-dev.internal

Find GCP instances that match exact value

gcp.compute.hostname: `instance-5.c.qvsa-dev.internal`

gcp.compute.imageIdgcp.compute.imageId

Use a text value ##### to define the Google Compute image ID you are looking for.

Examples

Find GCP instances related to the Image ID

gcp.compute.imageId: projects/centos-cloud

Find GCP instances that match exact value

gcp.compute.imageId: `projects/centos-cloud/global/images/centos-6-v20191014`

gcp.compute.instanceIdgcp.compute.instanceId

Use a text value ##### to define the Google Compute instance ID you are looking for.

Example

Find GCP instances with this ID

gcp.compute.instanceId: 4392196237934605253

gcp.compute.macAddressgcp.compute.macAddress

Use a text value ##### to define the MAC address you are interested in.

Example

Find GCP instances with this MAC address

gcp.compute.macAddress: '000D3A36DDED'

gcp.compute.machineTypegcp.compute.machineType

Use a text value ##### to define the machine type of the virtual machine instance you are interested in.

Examples

Find GCP instances related to name

gcp.compute.machineType: n1-standard-1

Find GCP instances that match exact value

gcp.compute.machineType: `n1-standard-1`

gcp.compute.networkgcp.compute.network

Use a text value ##### to find GCP instances by the VPC network the instance belongs to.

Example

Find GCP instances with this network

gcp.compute.network: 000D3A36DDED

gcp.compute.privateIpAddressgcp.compute.privateIpAddress

Use a text value ##### to define a private IPv4 address or range of IPs you are interested in.

Examples

Find GCP instances with this private IP

gcp.compute.privateIpAddress: 10.240.0.7

Find GCP instances with this private IP range

gcp.compute.privateIpAddress: [10.240.0.7 ... 10.240.0.30]

gcp.compute.projectIdgcp.compute.projectId

Use a text value ##### to define the project ID assigned to the GCP Console project the instance belongs to.

Examples

Find GCP instances related to ID

gcp.compute.projectId: qvsa-dev

Find GCP instances that match exact value

gcp.compute.projectId: `qvsa-dev`

gcp.compute.projectNumbergcp.compute.projectNumber

Use an integer value ##### to define the project number assigned to the GCP Console project the instance belongs to.

Examples

Find GCP instances related to this number

gcp.compute.projectNumber: 1035365309337

Find GCP instances that match exact value

gcp.compute.projectNumber: `1035365309337`

gcp.compute.publicIpAddressgcp.compute.publicIpAddress

Use a text value ##### to define a public IPv4 address or range of IPs you are interested in.

Examples

Find GCP instances with this public IP

gcp.compute.publicIpAddress: 104.196.57.216

Find GCP instances within this IP range

gcp.compute.publicIpAddress: [104.196.57.216 ... 104.196.57.218]

gcp.compute.stategcp.compute.state

Type your drop-dowSelect the name of the instance state (PENDING, RUNNING, STOPPED, TERMINATED, STOPPING, SHUTTING_DOWN, DEALLOCATED) you're interested in. Select from names in the drop-down menu.

Example

Find running GCP instances

gcp.compute.state: RUNNING

gcp.compute.zonegcp.compute.zone

Use a text value ##### to define the zone of the GCP instance you are looking for.

Examples

Find GCP instances related to name

gcp.compute.zone: us-east1-d

Find GCP instances that match exact value

gcp.compute.zone: `us-east1-d`

gcp.compute.hasAgentgcp.compute.hasAgent

Use the values true | false to define whether the GCP instances you're looking for has a cloud agent installed on it.

Example

Find GCP instances with agents

gcp.compute.hasAgent: "true"

Oracle Cloud Infrastructure

Use these tokens for searching Oracle Cloud Infrastructure (OCI) assets.

oci.compute.availabilityDomainoci.compute.availabilityDomain

Use a text value ##### to search all assets with the specified available domain.

Example

Show all assets with the available domain Lhkx:US-ASHBURN-AD-1

oci.compute.availabilityDomain:"Lhkx:US-ASHBURN-AD-1"

oci.compute.canonicalRegionNameoci.compute.canonicalRegionName

Use a text value ##### to search all assets having the specified canonical region name.

Example

Show all assets with the canonical region name us-ashburn-1

oci.compute.canonicalRegionName:"us-ashburn-1"

oci.compute.compartmentIdoci.compute.compartmentId

Use a text value ##### to search all assets with the specified OCI compartment ID.

Example

Show assets with this OCI compartment ID

oci.compute.compartmentId:"ocid1.compartment.oc1..123452sjze35z6bkhvwjtzzgcp534zj4o75tgsizg3q36wl447jvfg6dq"

oci.compute.compartmentNameoci.compute.compartmentName

Use a text value ##### to search all assets with the specified OCI compartment name.

Example

Show assets with this OCI compartment name

oci.compute.compartmentName:"ocid1.compartment.abc"

oci.compute.displayNameoci.compute.displayName

Use a text value ##### to search all assets with the specified display name.

Example

Show assets with display name oracle 8.

oci.compute.displayName:"oracle 8"

oci.compute.faultDomainoci.compute.faultDomain

Use a text value ##### to search all assets with the specified fault domain.

Example

Show all assets with fault domain FAULT-DOMAIN-1

oci.compute.faultDomain:"FAULT-DOMAIN-1"

oci.compute.hasAgentoci.compute.hasAgent

Use the values true | false to list all assets that have cloud agents. Choose True to list all assets having cloud agents and choose False to list all assets that do not have cloud agents.

Example

Show all assets with having cloud agent installed

oci.compute.hasAgent:"true"

oci.compute.hostNameoci.compute.hostName

Use a text value ##### to search all assets with the specified host name.

Example

Show all findings with the host name oracle-8

oci.compute.hostName:"oracle-8"

oci.compute.imageIdoci.compute.imageId

Use a text value ##### to search all assets with the specified image ID.

Example

Show all assets with the  ocid1.image.oc1.iad.aaaaaaaaffp3cnkpfxibzrdkfnxbitkgxk7al33rrhpzhfnrhfv7ml2xdpyq image ID

oci.compute.imageId:"ocid1.image.oc1.iad.aaaaaaaaffp3cnkpfxibzrdkfnxbitkgxk7al33rrhpzhfnrhfv7ml2xdpyq"

oci.compute.isQualysScanneroci.compute.isQualysScanner

Use the values true | false to list all assets that are Qualys Scanner. Choose True to list all assets that are Qualys Scanner and choose False to list all assets that are not Qualys Scanner.

Example

Show all assets that are Qualys Scanner.

oci.compute.isQualysScanner:"true"

oci.compute.ociIdoci.compute.ociId

Use a text value ##### to search all assets with the specified OCI ID.

Example

Show assets with this OCI ID

oci.compute.ociId:"ocid1.compartment.oc1..1234567lbhcx2ajiagh57wrurvqs2ubd4ttaimgy22cxh3r6brpmmugq"

oci.compute.regionoci.compute.region

Use a text value ##### to search all assets in the specified region.

Example

Show all assets with the region us-east-1

oci.compute.region:"us-east-1"

oci.compute.regionKeyoci.compute.regionKey

Use a text value ##### to search all assets with the specified region key.

Example

Show all assets with the region key SYD

oci.compute.regionKey:"SYD"

oci.compute.regionRealmoci.compute.regionRealm

Use a text value ##### to search all groups with the specified region realm.

Example

Show all assets with the region realm OC1

oci.compute.regionRealm:"OC1"

oci.compute.shapeoci.compute.shape

Use a text value ##### to search all assets with the specified shape.

Example

Show all assets with the shape x5-2.36.512

oci.compute.shape:"x5-2.36.512"

oci.compute.stateoci.compute.state

Use a text value ##### to search all assets with specific compute state.

Example

Show all assets with the compute state Starting

oci.compute.state:STARTING

oci.compute.tenantIdoci.compute.tenantId

Use a text value ##### to search all assets with specific tenant ID.

Example

Show all assets with the specific tenant ID

oci.compute.tenantId:"ocid1.tenancy.oc1..aaaaaaaax2gwhq3hszjqhte5pgzijgyge6gvlsrqar6kxn7itwhk7keokamq"

oci.compute.tenantNameoci.compute.tenantName

Use a text value ##### to search all assets with specific tenant name.

Example

Show all assets with the specific tenant name

oci.compute.tenantName:"oraclecengg1"

oci.compute.timeCreatedoci.compute.timeCreated

Use a text value ##### to search all assets created at the specified time.

Example

Show findings with last check in within a specific date range.

oci.compute.timeCreated:[2020-01-01 ... 2020-01-10]

Show findings with last check in starting 2019-11-01, ending 1 month ago.

oci.compute.timeCreated:[2019-11-01 ... now-1M]

Show findings with last check in starting 2 weeks ago, ending 1 second ago.

oci.tags.keyoci.tags.key

Use a text value ##### to search all assets with the specified tag key.

Example

Show all assets with the tag key CreatedBy

oci.tags(key:CreatedBy)

oci.tags.namespaceoci.tags.namespace

Use a text value ##### to search all assets with the specified namespace.

Example

Show all assets with the namespace Oracle-Tags

oci.tags(namespace:"Oracle-Tags")

oci.tags.typeoci.tags.type

Use a text value ##### to search all assets with specific tag type.

Example

Show all assets with the specific tag type

oci.tags(type:DEFINED)

oci.tags.valueoci.tags.value

Use a text value ##### to search all assets with the specified tag value.

Example

Show all assets with the tag value 2021-02-09

oci.tags(value:"2021-02-09")

oci.vnic.macAddroci.vnic.macAddr

Use a text value ##### to search all assets with the specified MAC address.

Example

Show all assets with the MAC address 02:00:17:06:bd:b3

oci.vnic(macAddr:"02:00:17:06:bd:b3")

oci.vnic.nicIndexoci.vnic.nicIndex

Use a text value ##### to search all assets with the specified index.

Example

Show all assets with the index 1

oci.vnic(nicIndex:1)

oci.vnic.privateIpoci.vnic.privateIp

Use a text value ##### to search all assets with the specified private IP.

Example

Show all assets with this private IP

oci.vnic(privateIp:10.0.0.222)

oci.vnic.publicIpoci.vnic.publicIp

Use a text value ##### to search all assets with the specified public IP.

Example

Show all assets with this public IP

oci.vnic(publicIp:10.0.0.222)

oci.vnic.subnetCidrBlockoci.vnic.subnetCidrBlock

Use a text value ##### to search all assets with the specified block.

Example

Show all assets with the block 10.0.0.0/24

oci.vnic(subnetCidrBlock:10.0.0.0/24)

oci.vnic.subnetIdoci.vnic.subnetId

Use a text value ##### to find OCI instances by the ID of the subnet in which the interface resides.

Example

Find OCI instances with this subnet ID

oci.vnic(subnetId: "subnet-bc02c0d4")

oci.vnic.subnetNameoci.vnic.subnetName

Use a text value ##### to find OCI instances by the name of the subnet in which the interface resides.

Example

Find OCI instances with this subnet name

oci.vnic(subnetName: "subnet-abc")

oci.vnic.vcnIdoci.vnic.vcnId

Use a text value ##### to search all assets with the specified VCN ID.

Example

Show all assets with this VCN ID

oci.vnic(vcnId:"ocid1.vnic.oc1.iad.abuwcljt6cdjcuwhkce37madk4p6bd6ocjknilpwzai5rsyjejteiodyp22q")

oci.vnic.vcnNameoci.vnic.vcnName

Use a text value ##### to search all assets with the specified vcn name.

Example

Show all assets with this vcn name

oci.vnic(vcnName:"abc")

oci.vnic.virtualRouterIpoci.vnic.virtualRouterIp

Use a text value ##### to search all assets with the specified router IP.

Example

Show all assets with the router IP 10.0.0.1

oci.vnic(virtualRouterIp:10.0.0.1)

oci.vnic.vlanTagoci.vnic.vlanTag

Use a text value ##### to search all assets with the specified vlan tag.

Example

Show all assets with the vlan tag 1

oci.vnic(vlanTag:1)

oci.vnic.vnicIdoci.vnic.vnicId

Use a text value ##### to search all assets with the specified VNIC ID.

Example

Show all assets with the VNIC ID ocid1.vnic.oc1.iad.abuwcljt6cdjcuwhkce37madk4p6bd6ocjknilpwzai5rsyjejteiodyp22q

oci.vnic(vnicId:"ocid1.vnic.oc1.iad.abuwcljt6cdjcuwhkce37madk4p6bd6ocjknilpwzai5rsyjejteiodyp22q")

IBM Cloud

Use these tokens for searching IBM Cloud assets.

ibm.tags.nameibm.tags.name

Use a text value ##### to find IBM instances with a certain tag name (case insensitive).

Examples

Find IBM instances with name "devops"

ibm.tags(name: devops)

Find IBM instances with name starting "dev"

ibm:tags(name: dev*)

Find IBM instances with name ending "ops"

ibm.tags(name: *ops)

ibm.tags.valueibm.tags.value

Use a text value ##### to find IBM instances with a certain tag value (case insensitive).

Examples

Find IBM instances with tag value "dailybuild"

ibm.tags(value: dailybuild)

Find IBM instances with tag value starting "daily"

ibm.tags(value: daily*)

Find IBM instances with tag value ending "build"

ibm.tags(value: *build)

ibm.virtualServer.datacenterIdibm.virtualServer.datacenterId

Use a text value ##### to find IBM instances with datacenter ID .

Example

Find IBM instances with this datacenter ID

ibm.virtualServer.datacenterId: 1854895

ibm.virtualServer.deviceNameibm.virtualServer.deviceName

Use a text value ##### to find IBM instances with virtual server device name.

Examples

Find IBM instances related to name

ibm.virtualServer.deviceName: "virtualserver01.Qualys-Inc.cloud"

Find IBM instances that match exact value

ibm.virtualServer.deviceName: `virtualserver01.Qualys-Inc.cloud`

ibm.virtualServer.domainibm.virtualServer.domain

Use a text value ##### to search all assets with the specified virtual server domain.

Example

Show all assets with virtual server domain Qualys-Inc.cloud

ibm.virtualServer.domain:"Qualys-Inc.cloud"

ibm.virtualServer.idibm.virtualServer.id

Use a text value ##### to search all assets with the specified virtual server ID.

Example

Show all assets with the  8998892 virtual server ID

ibm.virtualServer.id:8998892

ibm.virtualServer.locationibm.virtualServer.location

Use a text value ##### to define the region you are interested in.

Example

Find IBM instances in this location

ibm.virtualServer.location: "westus"

ibm.virtualServer.privateIpAddressibm.virtualServer.privateIpAddress

Use a text value ##### to define a private IPv4 address or range of IPs you are interested in.

Examples

Find IBM instances with this private IP

ibm.virtualServer.privateIpAddress: 10.240.0.7

Find IBM instances with this private IP range

ibm.virtualServer.privateIpAddress: [10.240.0.7 ... 10.240.0.30]

ibm.virtualServer.privateVlanibm.virtualServer.privateVlan

Use a text value ##### to define a private Vlan you are interested in.

Example

Find the IBM instance with this private Vlan address

ibm.virtualServer.privateVlan: 3455

ibm.virtualServer.publicIpAddressibm.virtualServer.publicIpAddress

Use a text value ##### to define a public IPv4 address or range of IPs you are interested in.

Examples

Find IBM instances with this public IP

ibm.virtualServer.publicIpAddress: 10.240.0.7

Find IBM instances with this public IP range

ibm.virtualServer.publicIpAddress: [10.240.0.7 ... 10.240.0.30]

ibm.virtualServer.publicVlanibm.virtualServer.publicVlan

Use a text value ##### to define a public Vlan you are interested in.

Example

Find the IBM instance with this public Vlan address

ibm.virtualServer.publicVlan: 3455

ibm.virtualServer.stateibm.virtualServer.state

Use a text value ##### to search all assets with specific virtual server state.

Example

Show all assets with the virtual server state Starting

ibm.virtualServer.state:STARTING

Alibaba

Use these tokens for searching Alibaba assets.

alibaba.instance.accountIdalibaba.instance.accountId

Use a text value to define the instance id of the Alibaba cloud account.

Examples

Find Alibaba instances with the following account ID

alibaba.instance.accountId: 123456789012

Find Alibaba instances with account ID starting "12345"

alibaba.instance.accountId: 12345*

alibaba.instance.dnsServeralibaba.instance.dnsServer

Use an integer value to define the Domain Name System (DNS) configurations of the instance.

Example

Find Alibaba instances of the following DNS

alibaba.instance.dnsServer: 100.xxx.x.xxx

alibaba.instance.hasAgentalibaba.instance.hasAgent

Use the boolean value, true | false to define whether the Alibaba instance has a cloud agent installed on it.

Example

Find Alibaba instances with agents

alibaba.instance.hasAgent: true

alibaba.instance.hostNamealibaba.instance.hostName

Use a text value to find Alibaba hostname.

Example

Find Alibaba instances related to name

alibaba.instance.hostName: abc.qualys.com

alibaba.instance.imageIdalibaba.instance.imageId

Use a text value to find the Id of the image used during the instance creation process.

Example

Find instances related to image id

alibaba.instance.imageId: ubuntu_14_0405_64_20G_alibase_20170824.vhd

alibaba.instance.instanceIdalibaba.instance.instanceId

Use a text value to define the Alibaba instance id.

Example

Find Alibaba instances with this instance ID

alibaba.instance.instanceId: i-a2dxxxxsxxxxxhdfax

alibaba.instance.instanceTypealibaba.instance.instanceType

Use a text value to define the instance type.

Example

Find Alibaba instances with this instance type

alibaba.instance.instanceType: ecs.t5-lc1m1.small

alibaba.instance.interfaceIdalibaba.instance.interfaceId

Use a text value to define the identifier of the NIC.

Example

Find Alibaba instances of the following interface id

alibaba.instance.interfaceId: a2dxxxxaixxxtux572

alibaba.instance.instanceStatealibaba.instance.instanceState

Use a text value to define the state of the Alibaba instance. Some of the examples of the state of the instance are: MOVING, RUNNING, STARTED, STOPPED, STOPPING, and TERMINATED.

Example

Find Alibaba instances for the following state

alibaba.instance.instanceState: RUNNING

alibaba.instance.macAddressalibaba.instance.macAddress

Use a text value to define the MAC address.

Example

Find Alibaba instances with this MAC address

alibaba.instance.macAddress: 00:16:3e:0f:XX:XX

alibaba.instance.networkTypealibaba.instance.networkType

Use the network type values to find the Alibaba cloud instances. The network type can be vpc or classic.

Example

Find Alibaba instances with this network type

alibaba.instance.networkType: vpc

alibaba.instance.privateIpAddressalibaba.instance.privateIpAddress

Use an integer value to define a private IPv4 address or range of IPs.

Example

Find Alibaba instances with the following private IP address

alibaba.instance.privateIpAddress: 192.168.XX.XX

alibaba.instance.publicIpAddressalibaba.instance.publicIpAddress

Use an integer value to define a public IPv4 address or range of IPs.

Example

Find Alibaba instances with the following public IP address

alibaba.instance.publicIpAddress: 149.xx.xx.xx

alibaba.instance.region.codealibaba.instance.region.code

Use a text value to find the alibaba cloud instances that belong to the region with specific code. Some of the examples of codes are ap-northeast-1,  ap-south-1, nanjing, cn-chengdu, and eu-central-1.

Example

Find Alibaba instances for the following region code

alibaba.instance.region.code: cn-chengdu

alibaba.instance.region.namealibaba.instance.region.name

Use a text value to define the region name. Australia (Sydney), Beijing, China, Japan (Tokyo), India (Mumbai), and Philippines (Manila).

Example

Find Alibaba instances for the following region

alibaba.instance.region.name: US (Silicon Valley)

alibaba.instance.serialNumberalibaba.instance.serialNumber

Use a text value to define the serial number of the instance.

Example

Find Alibaba instances of the following serial number

alibaba.instance.serialNumber: 12trexxxxr-3xx-xxx-rtg4-xxxx6t45

alibaba.instance.vpcCidrBlockalibaba.instance.vpcCidrBlock

Use a text value to define the serial number of the instance.

Example

Find Alibaba instances of the following CIDR block

alibaba.instance.vpcCidrBlock: 172.xx.x.x/16

alibaba.instance.vpcIdalibaba.instance.vpcId

Use a text value to search all the Alibaba instances with the specified VPC ID.

Example

Show Alibaba instances with this VPC ID

alibaba.instance.vpcId: vpc-a2d6pxxxxvvdadd5yikj

alibaba.instance.vswitchIdalibaba.instance.vswitchId

Use a text value to search all the Alibaba instances with the specified vswitchId.

Example

Show Alibaba instances with of the following switch ID

alibaba.instance.vswitchId: vsw-a2dxxxoxxxxsqx1mxxxdd

alibaba.instance.vswitchCidrBlockalibaba.instance.vswitchCidrBlock

Use an integer value to define the CIDR block of the switch to which the Alibaba instance is connected.

Example

Find Alibaba instances of the following CIDR block of the switch

alibaba.instance.vswitchCidrBlock: 192.168.XX.XX/24

alibaba.instance.zoneIdalibaba.instance.zoneId

Use a text value to define the zone id.

Examples

Find Alibaba instances of the following zone id

alibaba.instance.zoneId: cn-chengdu-a

Passive Sensor Only

hardware.typingConfidencehardware.typingConfidence

Use a text value ##### to define the hardware typing confidence you're looking for, i.e. HIGH, MEDIUM, LOW, UNIDENTIFIED.

Example

Show this hardware typing confidence

hardware.typingConfidence:HIGH

passiveSensor.idpassiveSensor.id

Use an integer value ##### to find assets sensed by a certain sensor ID.

Example

Show this sensor ID

passiveSensor.id:"003687557369:1654660042:3809075:704:1654660042:3809075:704"

passiveSensor.locationpassiveSensor.location

Use a text value ##### to find assets based on specific sensor location.

Examples

Show assets with sensor location (appliance location label) as SanJose1

passiveSensor.location:"SanJose1"

passiveSensor.namepassiveSensor.name

Use a text value ##### to find assets based on specific sensor name.

Examples

Show assets with sensor name as ITCorp-appliance

passiveSensor.name:"ITCorp-appliance"

passiveSensor.lastUpdatedpassiveSensor.lastUpdated

Use a date range or specific date to define when passive sensors were last updated.

Examples

Show passive sensors last updated within certain dates

passiveSensor.lastUpdated:[2019-01-01 ... 2019-01-15]

Show passive sensors last updated starting 2019-01-15, ending 1 month ago

passiveSensor.lastUpdated:[2019-01-15 ... now-1M]

Show passive sensors last updated starting 2 weeks ago, ending 1 second ago

passiveSensor.lastUpdated:[now-2w ... now-1s]

Show passive sensors last updated on a specific date

passiveSensor.lastUpdated:`2019-03-18`

operatingSystem.typingConfidenceoperatingSystem.typingConfidence

Use a text value ##### to define the OS typing confidence you're interested in, i.e. HIGH, MEDIUM, LOW, UNIDENTIFIED.

Example

Show this OS typing confidence

operatingSystem.typingConfidence:MEDIUM