Example
Find assets with this activation status.
activated: True
Example
Find assets that are activated within certain dates.
activationDate: [2020-10-05 .. 2020-10-10]
Find assets activated on specific date.
activationDate: '2020-10-05'
agentService.httpStatus
Example
Find Linux assets with this http status.
agentService.httpStatus: null
agentService.osStatus
The OS Status value can be used to detect whether the audit channel is locked or busy. Note that this agent status may be overwritten by a later status that the agent sends to the platform, so an audit-channel error may not always remain visible.
Example
Find Linux assets with this OS status.
agentService.osStatus: "Q_AuditChannelBusy" or agentService.osStatus: "Q_AuditConfigLockError"
Select the token values from: Q_AuditNotPresent, Q_AuditInImmutableState, Q_NeverTaskRuleExists, Q_SELinuxPackagesMissing
Examples
Find Linux assets with this OS status where the audit service is not in the running state.
agentService.osStatus: Q_AuditNotPresent
Find the Linux assets with the OS status where the SELinux packages are missing.
agentService.osStatus: Q_SELinuxPackagesMissing
Find the Linux assets with the OS status where no FIM events will be generated.
agentService.osStatus: Q_NeverTaskRuleExists
agentService.osStatus: Q_AuditChannelBusy
The audit channel is busy and fimc cannot access it.
Example
The audit channel busy error occurs if dispatcher=0 and auditd is already running (and hence consuming the kernel's audit channel).
agentService.osStatus: Q_AuditConfigLockError
The audit config is locked in the environment.
Example
Immutable and ConfigLockError should be the same. One is used by the old fimc (<v4.0), and the new one was probably added in 5.9.
To find Linux assets where FIM prerequisite checks failed, use the following query.
agentService.osStatus:`Q_AuditNotPresent` or agentService.osStatus:`Q_AuditInImmutableState` or agentService.osStatus:`Q_NeverTaskRuleExists` or agentService.osStatus:`Q_SELinuxPackagesMissing`
agentService.status
Example
Find assets with this agent service status.
agentService.status: FIM_DRIVER_LOADED
agentService.statusCode
Example
Find assets with this agent service code.
agentService.statusCode: 2001
agentService.updatedDate
Example
Find assets with agent updated within certain dates.
agentService.updatedDate: [2020-10-05 .. 2020-10-10]
Find assets with this agent update date.
agentService.updatedDate: '2020-10-05'
Example
Show assets with this agent UUID.
agentUuid: "0c16f8b0-9f3b-4fcf-a7d6-730017b1a4d3"
Example
Show assets with this agent version.
agentVersion: 2.2.0
Example
Show assets with this agent ID.
assetId: 43227
Example
Show assets with this asset type.
assetType: HOST
Example
Find assets created within certain dates.
created: [2020-10-05 .. 2020-10-10]
Find assets created on this date.
created: '2020-10-05'
Example
Find assets with this netbios name.
netbiosName: null
Example
Find assets with this EC2 region.
ec2.region: "US East (N. Virginia)"
Example
Find assets with this EC2 instance ID.
ec2.instanceId: i-1234567890abcdef0
Example
Find assets with this EC2 hostname.
ec2.hostname: abc.qualys.com
ec2.availabilityZone
Example
Find assets with this EC2 availability zone.
ec2.availabilityZone: us-east-1a
interfaces.macAddress
Example
Show the asset with this MAC address.
interfaces.macAddress: "00:0a:95:9d:68:16"
interfaces.address
Example
Find assets with this interfaces address.
interfaces.address: "10.115.106.169"
interfaces.hostname
Example
Find assets with this hostname.
interfaces.hostname: "WIN10-122.WORKGROUP"
interfaces.interfaceName
Example
Find assets with this interface name.
interfaces.interfaceName: "Intel(R) 82574L Gigabit Network Connection"
lastLoggedOnUser
Example
Find assets with this last logged in user.
lastLoggedOnUser: "qualys_hs"
Use a date range or specific date to find assets based on the last check-in.
Example
Find assets with last check in within a specific date range.
lastCheckedIn: [2020-01-01 .. 2020-01-10]
Find assets with last check in starting 2019-11-01, ending 1 month ago.
lastCheckedIn: [2019-11-01 .. now-1M]
Find assets with last check in starting 2 weeks ago, ending 1 second ago.
lastCheckedIn: [now-2w .. now-1s]
Find assets with last check in on a specific date.
lastCheckedIn: '2020-02-11'
Find assets with last check in before (older than) last 30 days.
lastCheckedIn: <now-30d
Note: In this case, we recommend that you do not use the NOT operator in your range search to form a query like NOT lastCheckedIn:[now-30d .. now-2s].
Find assets with last check in within last 30 days excluding day 30.
lastCheckedIn: >now-30d
Find assets with last check in within last 30 days including day 30.
lastCheckedIn: >=now-30d
Find assets with last check in which is older than last 30 days excluding day 30.
lastCheckedIn: <now-30d
Find assets with last check in which is older than last 30 days including day 30.
lastCheckedIn: <=now-30d
manifest.status
Example
Find assets with this manifest status.
manifest.status: FIM_ACTIVATION_REQUEST_RECEIVED
Example
Find assets with this manifest ID.
manifest.id: 920e5b2f-546a-444f-b5e5-f13931597df9
manifest.updatedDate
Example
Find assets with manifest updated within certain dates.
manifest.updatedDate: [2020-10-05 .. 2020-10-10]
Find assets with this manifest update date.
manifest.updatedDate: '2020-10-05'
Example
Show any asset related to name.
name: localhost
Show any asset that contain parts of name.
name: "localhost"
Show asset that match exact name.
name: `localhost`
Example
Find assets booted within certain dates.
system.boot: [2020-10-05 .. 2020-10-10]
Find assets with this last boot date.
system.boot: '2020-10-05'
Example
Show approved incidents in patching category
agentService.status: `FIMC_RUNNING` and operatingSystem: `linux`
Example
Show incidents that were not pre-approved
agentService.status: `FIMC_RUNNING` not operatingSystem: `linux`
Example
Show incidents with one of these categories
agentService.status: `FIMC_RUNNING` or operatingSystem: `linux`