Search by Field | String matching | Exact matching | Full Text Search | Suffix matching | Is Null Queries | Range searches | Date searches | Multiple values (In, Not In) | Boolean operators | Nested Queries | Suffix matching for Events tab | Prefix matching for Events tab
Search by Field
Enter the field name, then a colon, then your query. Nested fields are dot separated.
Examples:
openPorts.port: 80
accounts.username: administrator
operatingSystem: win*
String matching
Use single quotes or double quotes around your query to match a string. Your results will include any asset that contains the string.
Examples:
tags.name: "Cloud Agent"
operatingSystem: 'Microsoft Windows'
vulnerabilities.vulnerability.title: "Remote Code Execution Vulnerability"
Exact matching
Use backticks to exactly match a string. Your results will include only assets whose value is EXACTLY the string.
Examples:
operatingSystem: `Windows 7 Ultimate Service Pack 1`
interfaces.hostname: `xpsp2-jp-26-111`
Full Text Search
Many asset fields containing text allow you to use full text search and advanced search capabilities.
Examples:
Show any findings related to this title
vulnerabilities.vulnerability.title: Remote Code Execution
Show any findings that contain "Remote" or "Code" in title
vulnerabilities.vulnerability.title: "Remote Code"
Show any findings that match exact value "Remote Code"
vulnerabilities.vulnerability.title: `Remote Code`
Show any findings that match a nested query. Both sub-fields must match on the same vulnerability record for an asset to be returned.
vulnerabilities.vulnerability: (title: `Remote Code` AND patchAvailable: "true")
Suffix matching
Suffix matching is supported when searching assets (on your Assets list) for the fields "name", "tags.name" and "netbiosName". Match asset values "ending in" a string you specify by using a string that starts with *. Matches are case insensitive.
Example: This query matches assets with an asset name ending in "53" like QK2K12QP3-65-53.
name:*53
Example: This query matches assets with tag names ending in "region east" like Region East, region east, Region EAST.
tags.name:*Region East
Suffix matching is also supported for the field "interfaces.hostname", but the syntax is different: give the trailing part of the hostname, without a leading *.
Example: Each of these queries matches assets with the hostname "T100.qualys.corp.com".
interfaces.hostname:com
interfaces.hostname:corp.com
interfaces.hostname:qualys.corp.com
Is Null Queries
Want to match an empty/null value for a field? Omit the colon and write "is null" after the field name. For example, quickly find assets where the OS has not been identified.
Examples:
operatingSystem is null
interfaces.macAddress is null
aws.ec2.accountId is null
Range searches
Ranges can be specified with the [lower .. upper] syntax, using ( ) and/or [ ] as follows: a square bracket makes that bound inclusive, a parenthesis makes it exclusive. This is supported for numeric and date fields.
Examples:
Greater than or equal to 123 and less than or equal to 1234 - uses square brackets
elb.listener.loadBalancerPort:[123 .. 1234]
Greater than but not equal to 123 and less than but not equal to 1234 - uses parenthesis
elb.listener.loadBalancerPort:(123 .. 1234)
Greater than or equal to 123 and less than but not equal to 1234
elb.listener.loadBalancerPort:[123 .. 1234)
Greater than but not equal to 123 and less than or equal to 1234
elb.listener.loadBalancerPort:(123 .. 1234]
Greater than 123
elb.listener.loadBalancerPort > 123
Greater than or equal to 123
elb.listener.loadBalancerPort >= 123
Less than 1234
elb.listener.loadBalancerPort < 1234
Less than or equal to 1234
elb.listener.loadBalancerPort <= 1234
Between January 1st and April 1st 2018
updated: [2018-01-01 .. 2018-04-01]
Date searches
Use a date range [start date .. end date] or a specific date. Several date variables are also available, such as now and relative offsets like now-3d (three days ago) and now-1s (one second ago).
Examples:
updated: "2017-11-20"
updated <= "2017-11-20"
updated: ["2017-11-20" .. "2017-11-24"]
updated: [now-3d .. now-1s]
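The bracket rules and date variables above, as an added example that is not part of the original page or of Qualys: a small Python evaluator for the range syntax, run over constructed sample records with a fixed clock. The field names and queries are the page's; the record values, the clock (2018-04-10 UTC) and the extra h/m time units are assumptions made here.

```python
"""Added example (not Qualys code): evaluator for the range syntax on this page
([a .. b], (a .. b), mixed brackets, bare comparisons, now-Nd / now-Ns),
run over constructed sample records."""
import re
from datetime import datetime, timedelta, timezone

# Relative date variables: the page shows now-3d and now-1s. Hours and
# minutes (h, m) are an assumption added here, not documented on the page.
_REL_UNITS = {"d": "days", "h": "hours", "m": "minutes", "s": "seconds"}
_REL_RE = re.compile(r"^now(?:-(\d+)([dhms]))?$")
# field:[a .. b], field:(a .. b], ... -- the bracket on each side is captured.
_RANGE_RE = re.compile(
    r"^(?P<field>[\w.]+)\s*:\s*(?P<lo>[\[(])\s*(?P<a>[^\s\])]+)\s*\.\.\s*"
    r"(?P<b>[^\s\])]+)\s*(?P<hi>[\])])$"
)
# field > v, field >= v, field < v, field <= v
_CMP_RE = re.compile(r"^(?P<field>[\w.]+)\s*(?P<op>>=|<=|>|<)\s*(?P<v>\S+)$")


def parse_value(text, now):
    """A bound becomes an int or a timezone-aware datetime (dates = midnight UTC)."""
    text = text.strip().strip('"')
    m = _REL_RE.match(text)
    if m:
        if m.group(1) is None:
            return now
        return now - timedelta(**{_REL_UNITS[m.group(2)]: int(m.group(1))})
    if re.fullmatch(r"-?\d+", text):
        return int(text)
    return datetime.strptime(text, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def parse_range(query, now):
    """Return (field, predicate) for one range or comparison query."""
    m = _RANGE_RE.match(query)
    if m:
        lo, hi = parse_value(m["a"], now), parse_value(m["b"], now)
        lo_inc, hi_inc = m["lo"] == "[", m["hi"] == "]"  # [ and ] are inclusive

        def in_range(v):
            above = v >= lo if lo_inc else v > lo
            below = v <= hi if hi_inc else v < hi
            return above and below

        return m["field"], in_range
    m = _CMP_RE.match(query)
    if m:
        bound = parse_value(m["v"], now)
        ops = {
            ">": lambda v: v > bound,
            ">=": lambda v: v >= bound,
            "<": lambda v: v < bound,
            "<=": lambda v: v <= bound,
        }
        return m["field"], ops[m["op"]]
    raise ValueError(f"not a range query: {query!r}")


def matching_ids(query, records, now):
    """IDs of the records whose field satisfies the query."""
    field, pred = parse_range(query, now)
    return [r["id"] for r in records if field in r and pred(r[field])]


# Fixed clock so the now-Nd examples are reproducible (assumption).
NOW = datetime(2018, 4, 10, tzinfo=timezone.utc)
# Constructed sample records (not real scan data).
SAMPLE = [
    {"id": "lb-1", "elb.listener.loadBalancerPort": 123,
     "updated": datetime(2018, 1, 1, tzinfo=timezone.utc)},
    {"id": "lb-2", "elb.listener.loadBalancerPort": 443,
     "updated": datetime(2018, 4, 1, tzinfo=timezone.utc)},
    {"id": "lb-3", "elb.listener.loadBalancerPort": 1234,
     "updated": datetime(2018, 4, 9, tzinfo=timezone.utc)},
    {"id": "lb-4", "elb.listener.loadBalancerPort": 8080,
     "updated": datetime(2018, 4, 10, tzinfo=timezone.utc)},
]

if __name__ == "__main__":
    for q in ("elb.listener.loadBalancerPort:[123 .. 1234]",
              "elb.listener.loadBalancerPort:(123 .. 1234)",
              "elb.listener.loadBalancerPort:[123 .. 1234)",
              "elb.listener.loadBalancerPort:(123 .. 1234]",
              "elb.listener.loadBalancerPort > 123",
              "updated: [2018-01-01 .. 2018-04-01]",
              "updated: [now-3d .. now-1s]"):
        print(f"{q:45} -> {matching_ids(q, SAMPLE, NOW)}")
```

The four bracket combinations differ only at the boundary values 123 and 1234, which is where a port or date filter built for a compliance report is most often off by one; run the script to see which of the constructed records each form keeps.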
Multiple values (In, Not In)
Use a bracketed, comma-separated list to match any of several values ("In"), or combine it with NOT to exclude them ("Not In"). Available for all fields except analyzed fields (i.e. full text search fields).
Examples:
Find assets with at least one of these three CVE IDs:
vulnerabilities.vulnerability.cveIds:[CVE-2003-0818 , CVE-2002-0126 , CVE-1999-1058]
Find assets with no vulnerability first found on 2016-08-31 or 2016-09-12. NOT negates the whole clause, so an asset is excluded if any of its vulnerabilities was first found on either date:
NOT vulnerabilities.firstFound: ["2016-08-31","2016-09-12"]
First found in 2016 or 2015 (a year matches any date in that year):
vulnerabilities.firstFound:["2016","2015"]
First found in August 2016 or July 2015 (a year-month matches any date in that month):
vulnerabilities.firstFound:["2016-08","2015-07"]
First found on one of these exact dates:
vulnerabilities.firstFound:["2016-08-31","2016-08-30"]
Analyzed fields (i.e. full text search fields) are not supported, such as:
vulnerabilities.vulnerability.description
vulnerabilities.vulnerability.solution
vulnerabilities.vulnerability.consequence
Boolean Operators
Use keywords AND, OR, NOT to narrow or broaden your search.
Examples:
operatingSystem: windows OR operatingSystem: linux
(operatingSystem: windows OR operatingSystem: linux) AND (openPorts.port: 80 OR openPorts.port: 8080)
NOT operatingSystem: windows
Nested Queries
Use a single nested query, using parentheses, to include multiple fields in your query, per the examples below. All fields inside the parentheses must match on the same record (the same vulnerability, port or service).
Examples:
Find assets with a vulnerability that is patchable and confirmed:
vulnerabilities: (vulnerability.patchAvailable: "true" AND typeDetected: "Confirmed")
Find assets with a vulnerability that is patchable, has the Easy Exploit RTI (real-time threat indicator), and was first found in the last 5 days:
vulnerabilities: (vulnerability.patchAvailable: "true" AND vulnerability.threatIntel.easyExploit: true AND firstFound > now-5d)
Find assets on port 80 and TCP
openPorts: (port: 80 AND protocol: TCP)
Find assets where the Windows Time service is running:
service: (name: Windows Time AND status: running)
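The "In / Not In" lists from the earlier section and the nested queries above, as an added example that is not part of the original page or of Qualys: a Python model that evaluates both kinds of query against one constructed asset record with two vulnerabilities. The field names and queries are the page's; the asset data is constructed, and the model assumes the semantics the page describes (a list matches if any value is in it, NOT negates the whole clause, a nested query requires every sub-field to match on the same record, and a year or year-month matches every date inside it).

```python
"""Added example (not Qualys code): model of how In / Not In lists and nested
queries from this page are evaluated against one asset record."""

# Constructed sample asset (not real scan data) with two vulnerability records.
ASSET = {
    "name": "WIN10-122",
    "vulnerabilities": [
        {"firstFound": "2016-08-31", "typeDetected": "Confirmed",
         "vulnerability": {"patchAvailable": "true",
                           "cveIds": ["CVE-2003-0818"]}},
        {"firstFound": "2015-07-14", "typeDetected": "Potential",
         "vulnerability": {"patchAvailable": "false",
                           "cveIds": ["CVE-1999-1058"]}},
    ],
}


def get_path(obj, path):
    """All values at a dotted path; list-valued steps fan out, so the result
    is a flat list of leaves (dicts when the path stops at a record)."""
    current = [obj]
    for part in path.split("."):
        nxt = []
        for o in current:
            if isinstance(o, dict) and part in o:
                v = o[part]
                nxt.extend(v if isinstance(v, list) else [v])
        current = nxt
    return current


def term_match(leaf, wanted):
    """Exact match, or a date given at coarser granularity:
    "2016" and "2016-08" both match the day "2016-08-31"."""
    leaf, wanted = str(leaf), str(wanted)
    return leaf == wanted or leaf.startswith(wanted + "-")


def parse_values(text):
    """'[a , b]' -> ['a', 'b']; a single value -> [value]. Quotes are dropped."""
    text = text.strip()
    is_list = text.startswith("[") and text.endswith("]")
    items = text[1:-1].split(",") if is_list else [text]
    return [i.strip().strip("\"'`") for i in items]


def clause_match(obj, clause):
    """Evaluate field: value, field:[v1, v2] or field: (sub AND sub) against obj."""
    field, _, rhs = clause.partition(":")
    field, rhs = field.strip(), rhs.strip()
    if rhs.startswith("(") and rhs.endswith(")"):
        # Nested query: every sub-condition must hold on the SAME record.
        subs = rhs[1:-1].split(" AND ")
        return any(all(clause_match(rec, s) for s in subs)
                   for rec in get_path(obj, field))
    wanted = parse_values(rhs)
    # In-list: the field matches if any of its values equals any listed value.
    return any(term_match(leaf, w)
               for leaf in get_path(obj, field) for w in wanted)


def evaluate(asset, query):
    """Top-level query: optional leading NOT, a single nested clause, or flat
    clauses joined by AND (each flat clause is checked independently, so they
    may be satisfied by different vulnerability records)."""
    query = query.strip()
    if query.startswith("NOT "):
        return not evaluate(asset, query[4:])
    if "(" in query:
        return clause_match(asset, query)
    return all(clause_match(asset, c) for c in query.split(" AND "))


if __name__ == "__main__":
    nested = 'vulnerabilities: (vulnerability.patchAvailable: "true" AND typeDetected: "Potential")'
    flat = ('vulnerabilities.vulnerability.patchAvailable: "true" '
            'AND vulnerabilities.typeDetected: "Potential"')
    print("nested:", evaluate(ASSET, nested))  # no single record has both
    print("flat:  ", evaluate(ASSET, flat))    # different records satisfy each
```

The last two queries are the practical difference between a nested and a flat AND: the constructed asset has one patchable vulnerability and a different one that is only potential, so the flat form reports it while the nested form does not. Likewise the NOT list excludes the whole asset because one of its vulnerabilities was first found on 2016-08-31, even though the other was not.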
Suffix matching for Events tab
Suffix matching is supported when searching events for the fields asset.name, asset.netbiosName, asset.operatingSystem, actor.userID, actor.process, profile.name, profile.rule.name, registryKey.name and file.name. Match event values "ending in" a string you specify by using a string that starts with *.
Note: Matches are case insensitive.
Example: This query matches events with an asset name ending in "122", example - WIN10-122.
asset.name:*122
Example: This query matches events with file name ending in exe, example - Explorer.exe.
file.name:*.exe
Suffix-based searches apply only to the Events tab in FIM (File Integrity Monitoring).
Prefix matching for Events tab
Prefix matching is supported when searching events on certain text fields: asset.name, asset.netbiosName, asset.operatingSystem, actor.userID, actor.process, profile.name, profile.rule.name, registryKey.name and file.name. Match event values "starting with" a string you specify by using a string that ends with *.
Note: Matches are case sensitive (unlike suffix matching), so the prefix must match the case of the stored value exactly.
Example: This query matches events with an asset name starting with "xp", example - xpsp2-jp-26-111.
asset.name:xp*
Example: This query matches events with file name starting with "Expl" example - Explorer.exe.
file.name:Expl*
Example: This query matches events with assets having operating system starting with "Lin", example - Linux 2.4-2.6.
asset.operatingSystem:Lin*
Note: Wildcards can only be used for prefix and suffix matching, as described above. Substring wildcards are not supported, that is, you cannot search for a string in the middle of another string.
Prefix-based searches apply only to the Events tab in FIM (File Integrity Monitoring).
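The suffix and prefix rules for the Events tab above, together with the asset-list suffix matching and the interfaces.hostname matching described earlier, as an added example that is not part of the original page or of Qualys: a Python matcher that implements those rules (case-insensitive suffix, case-sensitive prefix, no substring wildcard, only on the listed fields) and runs over constructed event and asset records. The field lists are the page's; the records are constructed, and treating an interfaces.hostname value as whole trailing labels is an assumption that the page's three examples are consistent with but do not state.

```python
"""Added example (not Qualys code): the prefix/suffix wildcard rules on this
page as a matcher, run over constructed event and asset records."""

# Event fields listed on the page as supporting prefix and suffix matching.
EVENT_WILDCARD_FIELDS = {
    "asset.name", "asset.netbiosName", "asset.operatingSystem", "actor.userID",
    "actor.process", "profile.name", "profile.rule.name", "registryKey.name",
    "file.name",
}
# Asset-list fields listed on the page as supporting *suffix matching.
ASSET_SUFFIX_FIELDS = {"name", "tags.name", "netbiosName"}


def compile_wildcard(pattern, allow_prefix=True):
    """Predicate for a pattern with exactly one '*' at either end; anything
    else (no star, two stars, a star in the middle) is rejected."""
    if pattern.count("*") != 1:
        raise ValueError(f"exactly one wildcard is allowed: {pattern!r}")
    if pattern.startswith("*"):
        suffix = pattern[1:].lower()          # suffix match is case-insensitive
        return lambda value: value.lower().endswith(suffix)
    if pattern.endswith("*") and allow_prefix:
        prefix = pattern[:-1]                 # prefix match is case-sensitive
        return lambda value: value.startswith(prefix)
    raise ValueError(f"substring wildcards are not supported: {pattern!r}")


def search(records, field, pattern, allowed_fields, allow_prefix=True):
    """IDs of records whose field matches field:pattern under the page's rules."""
    if field not in allowed_fields:
        raise ValueError(f"wildcard matching is not supported on {field!r}")
    matches = compile_wildcard(pattern, allow_prefix)
    return [r["id"] for r in records if matches(str(r.get(field, "")))]


def search_events(events, field, pattern):
    return search(events, field, pattern, EVENT_WILDCARD_FIELDS)


def search_assets(assets, field, pattern):
    # The page documents only suffix (*xyz) matching for these asset fields.
    return search(assets, field, pattern, ASSET_SUFFIX_FIELDS, allow_prefix=False)


def hostname_suffix(query_value):
    """interfaces.hostname suffix matching has no '*': the query value is
    matched as trailing labels of the hostname. Matching on whole labels is
    an assumption consistent with the page's examples (com, corp.com,
    qualys.corp.com)."""
    labels = query_value.lower().split(".")
    return lambda host: host.lower().split(".")[-len(labels):] == labels


# Constructed sample records (not real FIM events or assets).
EVENTS = [
    {"id": 1, "asset.name": "WIN10-122", "file.name": "Explorer.exe",
     "asset.operatingSystem": "Windows 10"},
    {"id": 2, "asset.name": "xpsp2-jp-26-111", "file.name": "explorer.EXE",
     "asset.operatingSystem": "Windows XP"},
    {"id": 3, "asset.name": "web-122", "file.name": "Expl0it.sh",
     "asset.operatingSystem": "Linux 2.4-2.6"},
    {"id": 4, "asset.name": "XPBUILD-2", "file.name": "notepad.exe",
     "asset.operatingSystem": "Windows Server 2016"},
]
ASSETS = [
    {"id": "a1", "name": "QK2K12QP3-65-53", "tags.name": "Region EAST"},
    {"id": "a2", "name": "QK2K12QP3-65-54", "tags.name": "region west"},
]

if __name__ == "__main__":
    print("asset.name:*122  ->", search_events(EVENTS, "asset.name", "*122"))
    print("file.name:*.exe  ->", search_events(EVENTS, "file.name", "*.exe"))
    print("asset.name:xp*   ->", search_events(EVENTS, "asset.name", "xp*"))
    print("tags.name:*Region East ->", search_assets(ASSETS, "tags.name", "*Region East"))
```

The case asymmetry is the check worth running before relying on an Events-tab filter: `file.name:*.exe` picks up `explorer.EXE`, but `asset.name:xp*` does not pick up `XPBUILD-2`, and a pattern such as `*plor*` is refused rather than silently matching nothing.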